Canning the spam nuisance

Educating users is key in stopping the tide of unwanted emails.

Everybody who uses the internet regularly has been on the receiving end of a spam message at some time or other. The term refers to unsolicited email and Usenet messages sent in bulk to unsuspecting and generally very busy staff, and is the scourge of the internet.

1. Spam with everything

Two types exist: external and internal. External spam falls into six categories: commercial advertising (including pornography), chain letters, 'make money fast' schemes, virus hoaxes, religious rants and harassment.

Internal spam, although less serious, can still cause annoyance and loss of productivity. Office jokes, for example, are sometimes sent to many more people than originally intended.

It is extremely important to educate the end-user on this subject, since email filters have little or no impact.

2. Usenet spam

Some Usenet newsgroups are beset by spam. Many advertisements are often posted simultaneously to many newsgroups, none of which the spammer will ever read. This type of spam makes a newsgroup extremely difficult to follow, regardless of how interested you are in the topic. Spam strangles the dialogue.

3. The cost of spam

The cost implications of spam can be split into three categories: disk space overhead, download costs and time-wasting. Ensure that users delete spam as soon as they receive it, as this will reduce the costs associated with clogged disk space. Download costs are trivial compared to the man-hours which can be wasted by users dealing with spam. The exception is if a company has been targeted in a denial-of-service attack which strangles the system with huge volumes of spam.

In a UK-based survey Novell found spam recipients spend, on average, 10-15 minutes per day dealing with spam email.

4. Don't take on the spammers

It isn't really worthwhile attempting to take on commercial or external nuisance spammers. They are in such abundance that tracking or reporting them takes more time and effort than it's worth. The goal is to minimise spam-related disruption and loss of business productivity. Allowing users to spend time 'fighting' spam is a waste of resources.

5. Anti-spam strategies

Define and implement a company policy on unwanted email, if you don't already have one. Educate your users so they don't innocently become internal spam nuisances. Make sure you have effective well-configured spam filtering on your firewall, mail server or workstations to reduce the volume of spam that users will receive.

A common problem with spam is that many users are unaware of what it actually is, or the problems it causes. Educate them on the fact that scroll-down quizzes and the like are written by someone who in fact wants to ruin their day.

6. Minimise exposure to spam

Anyone whose email address appears on a web page, whether a company website or a personal site, will have their addresses grabbed by web search engines which look for 'mailto:' codes in HTML documents. These addresses are sold on to spammers.

Educate users to understand the consequences of being active on the internet.

Consider issuing separate email addresses to staff who use the internet regularly.

7. Give out a new address

An extreme strategy, although at times unavoidable, is to consider issuing targeted employees with new addresses. This is far easier and, in the end, more productive than trying to track down the culprits.

8. Deal with junk email efficiently

Urge users not to spend time reading spams all the way through, even if the messages are amusing or marginally more interesting than what they should be doing. As soon as it is obvious that an email message is unsolicited they should simply delete it. Users should subsequently resist the temptation to forward such spams within the office.

9. Dealing with pornography

Many spams advertise pornographic websites; if downloaded, this can have legal implications for your company. Again, educate users on what this means and make sure they understand how to use any filters they have - such as blocking options in their email client.

10. Anti-spam resources

There are many resources on the internet that can be used to report, or gain advice on, spam mail.

- Cauce.org provides a wealth of information on the subject of spam mail: www.cauce.org/.

- Network Abuse Clearinghouse is a service that sends reports of abusive behaviour to system administrators on your behalf: www.abuse.net/.

- Spam Hater is freeware. It analyses spam, suggests reply addresses and works with several email programs: www.cix.co.uk/net-services/spam/spam_hater.htm.

- FAQs on deciphering fake email headers can be found at: www.doofus.org/spam/lessons/.

11. Benefits of a company policy

Having a company policy aids the education process. If users know that company policy dictates they must delete spams, rather than send them around the office, they are more likely to do so. Importantly, users know what is expected of them and what they can expect of management and IT in addressing the problem.

12. Harassment

If someone uses email to harass, stalk or threaten any of your employees, do not hesitate to refer the matter to the police.

13. Minimising internal spam

Urge staff not to send emails without subject headings. This wastes the recipient's time as the email has to be read to determine whether it is relevant. Use meaningful headings such as 'Are you free on Friday?' rather than 'Meeting' in order to persuade people to read the message.

Every time you send an important email, ensure you consider who actually needs a copy and send it to those people only. If you send it to people who don't need it, you're wasting their time.

Every time you send a trivial email containing jokes, gossip or invitations to events, keep the recipient list small and consider whether it needs to be sent at all.

14. Complain, complain, complain

If your system, or users, suffer a mailbomb or denial-of-service attack, persistent harassment or an unmanageable volume of spam from a particular source, complain to the ISP that the spammer is using. The administrators of responsible sites will want to know if someone is using their system to send spam, since spamming violates most ISPs' terms of service or acceptable use policy.

15. Tracking down the spammers

Many spams are sent from forged addresses using mail relay or stealth methods, which makes it harder to identify where you should send complaints.

In order to identify the real site which sent the spam, you will need to become an expert in reading email headers. There are tracking tools which can help.

If the header is forged, look at the body of the message to see if there is a return email address or web page, which is likely to be genuine.

Try complaining to the webmaster at that site.
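The header-reading step described above, as an added example that is not part of the original article: each mail server prepends its own Received line, so reading from the top, the first hop your own server logged from an outside IP address is the only sender detail you can rely on, and every line below it may be forged. The message, hostnames, IP addresses and the function names trace and body_contacts are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (example.* names, documentation IP ranges).
# The third Received line is forged to look as if our own relay wrote it.
SAMPLE = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id A1; Mon, 1 Jan 2001 10:00:05 +0000
Received: from bigbank.example.org (unknown [203.0.113.77])
\tby mx1.example.com with SMTP id B2; Mon, 1 Jan 2001 10:00:03 +0000
Received: from mail.bigbank.example.org ([198.51.100.5])
\tby mx1.example.com with SMTP id C3; Mon, 1 Jan 2001 09:59:00 +0000
From: "Offers" <sales@bigbank.example.org>
Subject: Make money fast

Visit http://www.example.net/offer or reply to remove@example.net
"""

# "from <helo> (<optional rdns> [<ip>]) ... by <host>", tolerant of folded lines.
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(\S+)", re.S)

def trace(raw, our_hosts, our_ips):
    """Walk Received headers newest first. Return (handoff, unverified):
    handoff is the hop where one of our servers accepted the message from
    an outside IP; unverified are the older, sender-supplied hops."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:  # headers without a from/IP part (local delivery) are skipped
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in our_hosts:
            return None, hops[i:]        # chain never reached our servers
        if hop["ip"] not in our_ips:
            return hop, hops[i + 1:]     # first outside peer: stop trusting here
    return None, []

def body_contacts(raw):
    """Hosts named in URLs and reply addresses in a single-part message body."""
    body = message_from_string(raw).get_payload()
    return sorted(set(re.findall(r"(?:https?://|@)([A-Za-z0-9.-]+)", body)))

if __name__ == "__main__":
    handoff, unverified = trace(
        SAMPLE, {"mail.example.com", "mx1.example.com"}, {"192.0.2.10"})
    print("complain to the owner of:", handoff["ip"], "(claimed", handoff["helo"] + ")")
    print("unverifiable hops:", [h["ip"] for h in unverified])
    print("contacts in body:", body_contacts(SAMPLE))
```

The forged third line names the recipient's own relay in its "by" field, which is why the walk stops at the first outside IP address instead of trusting every line that mentions a known hostname.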