Invest in an Antispam System Now

Computerworld - In-boxes are cluttered with mounds of spam, and companies such as Brightmail, CipherTrust and Postini are offering products to clean up the dreck. None of them will completely rid your users' systems of unwanted e-mail, but if you aren't already running up-to-date antispam technology in your company, get some immediately. It's among the best quick-payback, attaboy-producing purchases you can make.
Antispam systems combine hard-core networking with linguistic analysis, machine learning and other near-AI techniques. Almost no buyer (or analyst) is conversant with all of those technical disciplines. Fortunately, most leading antispam vendors offer reliable products or services. Just make sure that the antispam system you choose boasts the following attributes:
At least 90% effectiveness. That is, the amount of spam that gets past your spam blocker -- a.k.a. the false negatives -- should be under 10%. Effectiveness levels above 98% are not unheard of, but figures of 93% to 95% seem to be more common. These rates should be achievable with little or no user "training" of the system.
Minimal false positives. The number of legitimate personal or business e-mails erroneously blocked as spam should be effectively zero. Otherwise, your users have to check spam quarantines for messages that might have gone astray. But if end users are even briefly checking every spammy e-mail, you've pretty much lost the benefit of antispam technology.
The ability to obtain many sample spam messages quickly. Without that raw data, vendors can't keep pace with the spammers.
Prompt and easy updates of spam-filtering rules. Ideally, such rules are updated at least hourly.
All decent spam-blocking systems filter spam according to a variety of spam-spotting rules. The best combine several approaches to filtering, such as the following:

• Blocking messages from specific senders. A lot of spam is sent from virus- or worm-infested machines that have been temporarily hijacked by spammers. These can often be identified and their mail blocked until the machines have been disinfected.
  Filters also block mail from some Internet service providers that are known to be overly spam-friendly.


• Blocking specific spam campaigns. A serious antispam vendor has access to multiple sources of spam. It will often have a broad variety of dummy mailboxes that can be found by spammers but receive no legitimate e-mail. Thus, anything sent to those mailboxes is known to be spam. If spam gets past a blocker, customers can forward it to the vendor to help them block it the next time.
  Once a message has been identified as spam, a rule can be created to block other copies of that spam. At least, that's the ideal. Spammers randomize almost every aspect of their messages, making it very difficult to know whether two spams are the same.
  However, there's one thing spammers usually can't randomize: the call to action. For example, if the spammer wants you to click on a URL, that address is likely to be found in all -- or at least many -- copies of the e-mail.


• Blocking messages that include common spam indicators. Messages about Viagra, body-part enlargement, work-at-home opportunities and so on are probably spam. So are messages about v!a-gra, wrk[ng at hmoe and the like. Indeed, some of the best indicators of spam are various techniques spammers use to obfuscate the text of their messages, such as deliberate misspellings, small fonts, white fonts, HTML comments and words within graphic images.

Not all serious antispam vendors use all of these techniques. For example, there's strong disagreement about whether campaign-specific filtering rules are needed. But it's certainly necessary to use a variety of rules in the antispam version of defense in depth.
For the most part, spammers are technically sophisticated criminals and could find a work-around to any particular rule or rule type at any time. Thus, effective antispam software has from 10,000 to 50,000 rules or more, which are combined to calculate an aggregate spam-indication score.
Challenge-response systems are an alternative to filtering as a spam-fighting strategy, but I suspect they'll never work. The idea here is that when you get an e-mail from an unknown sender, your software automatically sends a "challenge" e-mail back, which the sender then has to answer before you'll accept his first e-mail. A challenge-response system will always be prone to false positives, such as when mail comes from automated senders or from people who have their own challenge-response systems. Such a system could also annoy possible customers trying to contact you.
For the foreseeable future, you should rely on filter-based antispam systems, and you should install one now. U do-t'n haave to drrown ]n $paam anym-oore!
Curt A. Monash is a consultant in Acton, Mass. You can reach him at curtmonash@monash.com.