Summary of Responses on spam

Tim Lane tlane at scu.edu.au
Wed Feb 11 02:35:02 GMT 2004


I recently posted an email to this and two other higher education forums on 
the current status of spam, what steps were being taken and the types of 
controls in place.  Out of the 29 responses received, several requested a 
summary, which has been provided below.

Thanks,
Tim Lane

Responses from Question One - Is SPAM a non problem, minor problem or major 
problem in your institution? (indicate % of spam received of total email).
Responses predictably ranged from citing spam as a minor problem up to a 
major problem.  Indications of spam as a percentage of total incoming 
emails varied from 15% to 80%, with the most common indicator being in the 
range of 30-50% (and growing).

In some cases respondents were clearly guessing or estimating the levels of 
spam and in other cases spam levels had been measured with some sense of 
reliability for a reasonable length of time.   However most of the 
measurement of spam appeared to be focused on mail gateway servers 
statistics rather than the level of spam actually received by the end 
user.  This might be explained by the fact that the technical controls in 
place differed between institutions due to requirements for end user 
control at the application client level, therefore the amount of spam 
received by end users would not be an accurate reflection of total spam 
received but would instead be indicative of the types of controls in 
place.  A common recurring theme from respondents was whether or not the 
user base wanted to have control over the level of filtering, or whether 
they wanted it handled centrally.

Whereas most of the responses focused on the extent to which it was a 
problem from a technical, time and resource consumption perspective, 
opinioned varied on the extent to which the problem was simply a perception 
problem, and suggested that other types of email constituted the 'real' 
spam (for example the ineffective use of email as a medium for 
communication).  This area is too subjective to comment further except to 
conclude that the 'annoyance' factor of spam is one for consideration 
within the actual cost and impact of spam.  For example recent studies by 
the US Federal Trade Commission (FTC) indicate the 80% of spam contains 
fraudulent information, therefore the concept of erroneous information is 
another side of the human impact of spam apart from the technical side.

Athough quotes of organisations receiving up to 80% of email as spam are 
common, the way in which email is used within Universities appears to 
impact the level of spam likely to be received.



Summary of Responses from Question Two - Has your organisation taken steps 
to actively address SPAM in a way that has or will substantially reduce the 
impact of SPAM?
All responses indicated that their organisation had taken some steps to 
address spam.  Although respondents were presumably motivated or in a position
to comment on the questions because they had actually taken steps, 
it  could be assumed that almost all organisations are addressing spam in 
some manner due to the extent to which spam is prevalent.

Steps taken ranged from putting up recommendations to address spam to 
completion of projects that had considered, developed and implemented 
controls for spam.

The most significant aspect of the responses was that everyone was doing 
something that was (or will lead to) reducing the impact of spam (although 
obviously no controls are available that actually prevent spam being sent 
to the organisation from the spammer).


Summary of Responses from Question Three - What types of controls (both 
technical and human) are being used?
Controls were categorised as either technical or human.  Human controls 
were not commented on too much and included user awareness and training on 
behaviour or practices that would reduce the likelihood of not receiving 
spam (ie throw away accounts, not replying to spam etc), together with 
reviews of the effectiveness of filtering such as bayesian filtering, and 
physically monitoring the 'junk' folders and the associated fine tuning of 
filters.  Human controls also included not placing email addresses on 
public websites so as to avoid harvesting of addresses.

Technical controls varied considerably depending on the technology and 
architecture in use however by far the most common use of any one product 
cited appeared to be Spam Assassin, followed by Pure Message.  The main 
variables for controls included whether email systems were centralised and 
whether Users had access to opt in and opt out of various levels of spam 
filtering.  Filtering included Realtime Black Lists (RBL's), basic subject 
line filtering and procmail filtering and the use of Bayesian or heuristic 
filtering including scoring and Content Based Filtering.

Whether spam was blocked and dropped, or filtered to a junk mail and 
whether tagged spam was sent to the user in a junk folder or kept on the 
server for later deletion varied between responses.  End user filtering 
ranged from inhouse programs written to interface with client applications 
for user defined filtering to just standard default filtering available 
within the email client application itself.

The 'best practice' approaches tended to include the User awareness and 
multilevel filtering as per the following:

1.      USER AWARENESS - User awareness of spam and how to avoid it, User 
awareness that you cannot stop only manage what you receive (ie via website 
&         awareness programs) and not having harvestable addresses on 
public websites (ie use images).

2.      CENTRALISED FILTERING - A level of centralised filtering using 
heuristics or bayesian, where tagged spam is sent to a junk folder with an 
auto expiry   (especially while filtering process is being developed and 
refined, or is sent to the user and tagged as spam, or a combination of 
both based on variable scoring.)

3.      CLIENT FILTERING - An additional level (to gateway filtering) of 
User defined filtering that includes opt in/opt out, variable level client 
filtering with the option   of the User receiving tagged spam to a junk 
folder or simply choosing to delete it from the server prior to receiving 
tagged spam.  (Note all of this additional to     gateway filtering).

In conclusion, accepting spam as inevitable (at least for now) and 
providing user awareness combined with multi level centralised as well as 
user based optional filtering appears to be the best practice from the 
responses.


_______________________________________________________________________________________

Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph:  61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane at scu.edu.au
http://www.scu.edu.au



More information about the unisog mailing list