
5 Things the Boss Should Know About Spam Fighting 168

Esther Schindler writes "Sysadmins and email administrators were asked to identify the one thing they wish the CIO understood about their efforts to fight spam. The CIO website is now running their five most important tips, in an effort to educate the corporate brass. Recommendations are mostly along the lines of informing corporate management; letting bosses know that there is no 'silver bullet', and that the battle will never really end. There's also a suggestion to educate on technical matters, bringing executives into the loop on terms like SMTP and POP. Their first recommendation, though, is to make sure no mail is lost. 'This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'"
  • Re:WTF? (Score:4, Insightful)

    by cyber-vandal ( 148830 ) on Saturday February 17, 2007 @05:47PM (#18054562) Homepage
    Because the people who appoint them don't understand IT either and believe it to be so simple that anyone can manage it.
  • by canuck57 ( 662392 ) on Saturday February 17, 2007 @05:50PM (#18054596)

    You can't have both, no matter how loudly you scream.

    Trouble is how many CIOs understand the technology they supervise enough to make a good business judgement?

    The one thing I will tell them follows like this:

    Trust your own I/T staff for matters of technical choice and direction, they have the most to gain, the most to lose and have to live with the consequences. Vendors know how to sell problems then the solutions, users know how to blame their lack of patience and personal issues on computers. I/T personnel often are the ones to eat the heat on organizational issues beyond their control. This includes the flawed systems we use today. Let I/T participate in business decisions, not to rule but nor to be a door mat for the next irrational business type having a conniption fit.

  • POP? (Score:3, Insightful)

    by Corporate Troll ( 537873 ) on Saturday February 17, 2007 @05:59PM (#18054662) Homepage Journal

    SMTP and POP

    Now, nothing against educating management... but POP? POP doesn't belong in the enterprise. Even at home I have my own IMAP server. POP is a relic of the dialup-time where you only had access to your own computer and nobody else (seemed) to have one.

    A shame that gmail doesn't support IMAP, I'd prefer it that way instead of that poor POP3 hack they use...

  • Re:WTF? (Score:5, Insightful)

    by winkydink ( 650484 ) * <sv.dude@gmail.com> on Saturday February 17, 2007 @06:01PM (#18054686) Homepage Journal
    The majority of the CIO's I know come from the Apps side of the house, not the Ops side. Please note, I said the majority, not all.

    Do you really believe that a CIO understands all of the underlying technology in the IT department, even at a basic level? Trust me, most don't. It's near impossible, especially when most CIO's haven't been individual contributors for many years.
  • Re:WTF? (Score:3, Insightful)

    by melikamp ( 631205 ) on Saturday February 17, 2007 @06:07PM (#18054736) Homepage Journal
    The Peter Principle [wikipedia.org]
  • by grandpa-geek ( 981017 ) on Saturday February 17, 2007 @06:08PM (#18054750)
    Around 2000 there was legislation adopted in many states called the Uniform Electronic Transactions Act (UETA). Under UETA a legal notice sent by email is considered delivered to the recipient when it enters the recipient's ISP, regardless of whether the recipient ever sees the email. This was the UETA drafters' attempt to create the equivalent of something called the "mail box rule" for email. AFAIK, under the mail box rule, if you give a legal notice to the post office, it is considered delivered.

    There are numerous examples of legitimate emails getting caught in spam filters, and there are ways to format a legal notice to raise the likelihood that it will be caught by a spam filter.

    In addition to educating our corporate managements, we also need to educate legislators about this and to get UETA amended in the various states to recognize the realities of today's electronic commerce environment.
  • Re:POP? (Score:2, Insightful)

    by Corporate Troll ( 537873 ) on Saturday February 17, 2007 @06:13PM (#18054792) Homepage Journal

    16MB? Wow... That's suckitude pure... My personal mailserver can cope 2Gig, and that's only because the /var is a separate partition of 2Gig. I don't know what it is at work, but I haven't reached it yet.... I get those funny videos all the time, but I delete them at once, so my space usage isn't all that big. Haven't heard complaints of the management types yet, so I think that the limits are very reasonable.

    Frankly, tell IT to buy a few disks.... 16MB is about what I had as a student at the University computer in 1994.

  • Re:WTF? (Score:5, Insightful)

    by rucs_hack ( 784150 ) on Saturday February 17, 2007 @06:14PM (#18054802)
    managers manage well by having people below them who know their jobs. That way they manage the people themselves, not micromanage everything they have to do.

    A good manager should appear to have very little to do, because everything is so well organised.

    A bad manager is very easy to spot. People under them feel unsupported, become over reliant on rules and regulations, and everything takes so long to do that nothing gets done.

    I've experienced both types of management, the bad type is painful. When I've managed (in medicine) I worked very hard to train my people to trust in their own abilities and take on and enjoy responsibility.

    Nothing to do with spam in this post I realise, but then I hate spam, nasty fatty stuff.
  • Re:Nothing lost? (Score:5, Insightful)

    by mabu ( 178417 ) on Saturday February 17, 2007 @06:16PM (#18054824)
    A good RBL-based system never loses mail. Any legitimate mail that is blocked causes the original sender to be notified. Content-based filtering systems don't work like that scheme, so people that use mail filtering do lose more legitimate mail, and the worst part is, the senders never know their mail was lost. This is why content-based filtering doesn't work and RBLs do.
  • Re:WTF? (Score:5, Insightful)

    by Jonny do good ( 1002498 ) on Saturday February 17, 2007 @06:17PM (#18054826) Journal

    How does the CIO not understand what the IT department is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

    Because managers are there to manage, not to be technicians. The most effective managers should know something about what they manage, but they do not need to know the details. They are supposed to be "big-picture" people and leave the details to the experts they hire. When a manager knows too much about what they manage they tend to micro-manage and I am sure we all dislike that more than ignorant managers.

    Personally I would rather have a manager that gives me the responsibility and flexibility to make the decisions that are within the scope of my job function who knows nothing about what I do and how I do it than one that is more knowledgeable but ties my hands when it comes to getting things done. The CIO should dictate the overarching business strategy to the IS department and help ensure that their work helps accomplish the goals of that strategy. The details are for the rest of the department to figure out. Remember, the IS department is a supporting function, no different from accounting, marketing, or HR... it is not the business.

    I'm sure I will be flamed for this response, but it is typical of technical people (not just IT, but in all functions) to have disdain for those in charge because they don't know what we know. But it isn't their job to, or else they would have no reason to hire us. A CIO position is NOT a technical position. Expecting a CIO to know everything going on in the IS department is the same as expecting the CEO to know it as well.

  • Re:Nothing lost? (Score:5, Insightful)

    by Anonymous Coward on Saturday February 17, 2007 @06:17PM (#18054830)

    Yeah, thanks. Then when someone fakes my email address as the return address, I get thousands of bounce messages.

    Did you miss the part about:

    I like to REJECT (not bounce!) spam

    If I reject the mail, then you'll only get a message back if your SMTP server was the one that was sending it. If I bounce the mail, then you'll get a message even if it was forged elsewhere.

    People who bounce spam are almost as bad as the spammers. Rejecting spam is much better than just deleting it because it gives the sender a chance to fix your mistake.

  • Re:Nothing lost? (Score:1, Insightful)

    by Anonymous Coward on Saturday February 17, 2007 @06:34PM (#18054976)
    You can use rejects with either RBL or content-based filtering. You just have to have the SMTP server in the loop when you are doing the filtering. With your RBL you can reject after the envelope, but with spamassassin (or whatever) you reject after the data. Most systems aren't set up that way for various reasons, but if you have control over your MTA you can do it right.
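
The reject-versus-bounce distinction from the two comments above, as an added sketch that is not part of the thread: it models one delivery attempt and shows an RBL verdict returned after the envelope, a content verdict returned after the data, and the backscatter produced when the server accepts first and bounces later. The zone `dnsbl.example`, the listing set, the keyword weights and the threshold are constructed assumptions; a real server would do a DNS lookup and call a real scorer.

```python
import ipaddress

DNSBL_ZONE = "dnsbl.example"                 # hypothetical zone, not a real list
LISTED = {"66.2.0.192.dnsbl.example"}        # constructed listing for 192.0.2.66
WEIGHTS = {"act now": 3.0, "wire transfer": 2.5, "unsubscribe": 1.0}  # toy scorer
THRESHOLD = 5.0

# Constructed sample messages.
SPAM = "ACT NOW! Wire transfer needed today. Click unsubscribe to stop."
HAM = "Please send a quotation for 40 units by Friday."


def dnsbl_name(ip):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + DNSBL_ZONE


def dnsbl_listed(ip):
    """Stand-in for a DNS A lookup of dnsbl_name(ip); uses the constructed set."""
    return dnsbl_name(ip) in LISTED


def content_score(body):
    """Toy content filter: sum the weights of phrases found in the body."""
    text = body.lower()
    return sum(w for phrase, w in WEIGHTS.items() if phrase in text)


def handle(client_ip, mail_from, body, mode):
    """Return (smtp_replies, outbound_messages) for one delivery attempt.

    mode="reject": verdicts are given as SMTP replies while the client is connected.
    mode="bounce": everything is accepted, then a notice goes to the envelope sender.
    """
    replies, outbound = [], []
    listed = dnsbl_listed(client_ip)
    # Envelope stage: the client IP is known before any message data arrives.
    if mode == "reject" and listed:
        replies.append(("RCPT", "550 5.7.1 client listed in " + DNSBL_ZONE))
        return replies, outbound
    replies.append(("RCPT", "250 2.1.5 OK"))
    spam = listed or content_score(body) >= THRESHOLD
    if mode == "reject":
        # DATA stage: the verdict is the reply to end-of-data. Only the
        # connected client sees it; a forged MAIL FROM address gets nothing.
        verdict = "550 5.7.1 message refused" if spam else "250 2.0.0 queued"
        replies.append(("DATA", verdict))
    else:
        replies.append(("DATA", "250 2.0.0 queued"))
        if spam:
            # Backscatter: the notice goes to whatever address MAIL FROM claimed.
            outbound.append({"to": mail_from,
                             "subject": "Undelivered Mail Returned to Sender"})
    return replies, outbound


if __name__ == "__main__":
    for mode in ("reject", "bounce"):
        print(mode, handle("192.0.2.66", "victim@example.org", SPAM, mode))
```

In reject mode the only party told about the refusal is the host that opened the connection, and a legitimate sender's own mail server turns that 550 into a non-delivery notice for its user.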
  • Re:Nothing lost? (Score:3, Insightful)

    by digitig ( 1056110 ) on Saturday February 17, 2007 @06:56PM (#18055158)
    RBL-based systems do lose mail. A potential customer emails me and a competitor with a request for a quotation. From me they get a blacklist notification, from my competitor they get a quotation. The potential customer, upset at being accused of being a spammer, never bothers trying to email me again. I've not only lost their original email but I've lost all future email from them too.
  • by Anonymous Coward on Saturday February 17, 2007 @07:35PM (#18055436)

    1. Content filtering is not a solution.


    It's certainly part of the solution. For me at least. And I get a lot of spam every day.

    2. The Spam problem is mostly a law enforcement issue and not a technological issue.


    Yeah, just like robbery. Don't hold your breath.

    3. Don't listen to the anti-virus/anti-spyware software companies.

    Don't you think you're a bit too paranoid?

    4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

    Maybe this is your favorite solution. But black lists do not work. If you have experienced problems it is just a sign that they do not work. Spammers use bot nets, and change addresses just for that.
    I use a combination of white listing and content filtering, and it is working great.

    5. There are not that many spam operations. The spam epidemic is not unstoppable.

    Look, spammers will never go away. Just as commercial propaganda in snail mail. Even if it's illegal.

  • Re:WTF? (Score:4, Insightful)

    by StarvingSE ( 875139 ) on Saturday February 17, 2007 @07:58PM (#18055592)
    Managers may have lost touch with the latest techno-babble, but they should not be berated because of it. They are obviously smart individuals who were neck deep in the technology of their time. When you are a manager, you have a reasonable level of expectation that your employees will be knowledgeable of the most current technology.

    Many high level concepts such as requirements, design, group management, etc can be managed by people and they don't have to have intimate knowledge of the latest technology. I am not saying that management should not learn it, but they should expect their employees to be the experts.

    Why is it that there are a lot of people in IT who are so snobbish "omg!!!@!!!.... you don't know about xyz technology, you made a mistake hahahhadjhaflkdjfs luser." Are other technical/engineering fields like this? (not a knock on the parent post, just askin' in general).
  • by imagerodeo ( 643430 ) on Saturday February 17, 2007 @08:03PM (#18055644)

    If CIOs instituted a policy of disqualifying any vendor of Internet, data or communication services that appears anywhere on Spamhaus's top 10 list from doing any business with the company, Varshavchik feels, "the spam problem will pretty much disappear, mostly overnight."

    That list (http://www.spamhaus.org/statistics/networks.lasso) has verizon.com, att.net, serverflo.com, xo.com in spots 1, 2, 3, 4. Should CIO's stop using Verizon, ATT and XO until they clean up their act?

  • Re:mail is broken (Score:3, Insightful)

    by nuzak ( 959558 ) on Saturday February 17, 2007 @08:49PM (#18056024) Journal
    > I think email (as in RFC822, etc) is doomed

    If you really demand a uniform end-to-end authentication mechanism, X.400 is over that-a-way.

    A full blown information war is being waged over email, and it's surviving quite nicely. I eagerly await your perfect solution that changes human nature itself. I tire of the pontifications of armchair architects.
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Sunday February 18, 2007 @12:13AM (#18057044)
    Enforce one standard of encryption internal, for all employees and all clients that want to do email communication with the company. Bounce all messages that aren't encrypted.
    Voila!
    All Spam problems solved instantly.

    Neat side effect: Your emails are safe and contract proof.
  • by Beryllium Sphere(tm) ( 193358 ) on Sunday February 18, 2007 @01:29AM (#18057440) Journal
    >The trick is to target the one vulnerability all spammers have: A website to sell their goods.

    Not any more. The stock scammers can get their money without any contact information whatever in the spam.
  • Re:POP? (Score:3, Insightful)

    by AeroIllini ( 726211 ) <`moc.liamg' `ta' `inilliorea'> on Sunday February 18, 2007 @03:21AM (#18058006)

    And it's all backed up daily, I'm sure.

    As a matter of fact, it is. Each backup diff file is compressed, encrypted, and stored on a server, every day.

    So I take it you never work from home or the road, and are never on call.

    People work from home and the road all the time. I've done it myself. You bring your laptop home with you, and tunnel into the company network via a VPN. People on call are issued Blackberries, and special accounts that expand to fill their needs. These people are in the extreme minority.

    Maybe you can have some sort of draconian company policy that totally disallows attachments (even then, 16 MB is easily filled with mere days of email), but what about emails from vendors and customers? Do you just strip them out and say, "tough luck"?

    It's really not a problem. Emails with attachments are typically transferred to personal folders on my hard drive, in Outlook. They show up right there next to all my other mail, in the only place I ever check my mail (on my laptop). The only difference between online and offline mail is which folder they're in.

    And data to/from suppliers is strictly controlled, and usually goes through a separate network system that can track submission, review, approval, and scheduling. In the rare case it's sent through email, it gets put on my hard drive with everything else.

    The only thing that's different from a 2GB mail system is that you have to create and maintain folders separate from your inbox. Oh, the horror of it all! I must be organized to use my allotted space efficiently!

    Get a grip. If you have 2GB of email that you are currently working on RIGHT NOW, then you need an administrative assistant. If you're done with it, sweep it into an offline folder. It's not rocket science.
  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday February 18, 2007 @03:57AM (#18058192) Journal
    Other neat side effect: You now have 3 clients instead of 300.

    I would say use PGP internally and enforce it, and include it in your spam rules. That way, clients who send encrypted/signed messages can be sure they get through, but clients are not required to use encryption.
  • by Phroggy ( 441 ) * <slashdot3@ p h roggy.com> on Sunday February 18, 2007 @06:30AM (#18058662) Homepage

    1. Content filtering is not a solution.

    Yes and no. It's not the "right" solution, but when all other available solutions have been exhausted, content filtering is better than the alternative. You're absolutely correct that it eats up resources - you can't just enable content filtering and walk away; you have to constantly keep writing new rules that will no longer work next week.

    E-mail getting delayed 6 hours isn't strictly a problem with content filtering. Sure, if you eliminated content filtering, you'd probably also eliminate the 6 hour delay, but the right answer is fixing the system so that content filtering can be done without incurring a 6 hour delay. This is usually a problem of business management - the IT people want to fix the problem, but management doesn't want to pay for it, so the company loses bajillions of dollars (far more than the cost of the upgrades that IT wants) because of their unreliable e-mail service.

    I personally do not use Bayesian filtering on my mail servers. Because Bayesian filtering is most effective with user participation (users have to train the filter by identifying both spam and non-spam messages, the contents of which will vary between users), I think this technology is best left to e-mail clients, not servers. Spammers have been actively fighting against Bayesian filtering for some time now, by including legitimate-sounding text at the bottom of their spam, which confuses Bayesian analysis by making the spam appear more legitimate, and legitimate messages appear more spammy (which makes false positives more likely, which make people spend more time digging through their spam folder looking for false positives, which makes people more likely to see spam that has been filtered out).

    2. The Spam problem is mostly a law enforcement issue and not a technological issue.

    This is absolutely 100% correct. However, since I can't actually enforce the law myself, and the government isn't (to the extent of making any noticeable difference), I have to fight it as if it were a technological issue. I will confess to not doing my part in writing my Congresscritters; one of these days I will get around to that (despite the criticism, CAN-SPAM is a very good start, because it clearly defines nearly all current spam as being illegal, so now it's just an enforcement problem, which Congress is responsible for funding).

    3. Don't listen to the anti-virus/anti-spyware software companies.

    Hopefully most people don't view Norton Anti-Spam et al as anything more than a Band-Aid on top of the problem, but when solving the problem is beyond your control, a Band-Aid isn't a bad idea. Of course I would point out that Mozilla Thunderbird comes with a free Band-Aid that works just as well, but most people can't be pried away from Outlook, so they have to buy something.

    4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

    I certainly agree that IP blacklisting should be the first defense against spam, but the term "relay blacklisting" doesn't quite cover what I assume you're referring to. For the sake of clarity, let me explain:

    When an SMTP server accepts a message addressed to a local user on that system, the message will be delivered locally to that user's mailbox. However, if the server accepts a message addressed to someone else, the server will figure out where it's supposed to go, and attempt to send it there. This is called relaying. Normally, when you send a message from your e-mail client, you are sending it to a server (perhaps at your ISP) that will relay the message for you; this saves your e-mail client the trouble of having to deal with issues like figuring out where the destination server is and correctly dealing with situations like when the destination server is temporarily unavailable. Relay servers are good; they help make e-mail more reliable.

    Note that a relay server uses exactly the same SMTP protocol to relay your me

  • by Sorthum ( 123064 ) on Sunday February 18, 2007 @09:18PM (#18063388) Homepage
    A horrible solution, Challenge Response is... Let's assume, for a minute, that it's all handled server-side and the user doesn't have to deal with misdirected bounces. Realize that with the advent of botnets, bandwidth and computational power is something spammers have in spades-- far more so than legitimate mailers.

    Let's also consider mailing lists. I manage a site that has tens of thousands of users, running on two MX boxes and one outbound SMTP box. I'd have to get a whole new RACK to handle the load you're suggesting...
