Educause Security Discussion mailing list archives

Summary of Responses on spam


From: Tim Lane <tlane () SCU EDU AU>
Date: Wed, 11 Feb 2004 13:36:12 +1100

I recently posted an email to this and two other higher education forums on
the current status of spam, what steps were being taken and the types of
controls in place.  Out of the 29 responses received, several requested a
summary, which has been provided below.

Thanks,
Tim Lane

Responses from Question One - Is SPAM a non problem, minor problem or major
problem in your institution? (indicate % of spam received of total email).
Responses predictably ranged from citing spam as a minor problem up to a
major problem.  Indications of spam as a percentage of total incoming
emails varied from 15% to 80%, with the most common indicator being in the
range of 30-50% (and growing).

In some cases respondents were clearly guessing or estimating the levels of
spam and in other cases spam levels had been measured with some sense of
reliability for a reasonable length of time.  However most of the
measurement of spam appeared to be focused on mail gateway servers
statistics rather than the level of spam actually received by the end
user.  This might be explained by the fact that the technical controls in
place differed between institutions due to requirements for end user
control at the application client level, therefore the amount of spam
received by end users would not be an accurate reflection of total spam
received but would instead be indicative of the types of controls in
place.  A common recurring theme from respondents was whether or not the
user base wanted to have control over the level of filtering, or whether
they wanted it handled centrally.

Whereas most of the responses focused on the extent to which it was a
problem from a technical, time and resource consumption perspective,
opinions varied on the extent to which the problem was simply a perception
problem, and suggested that other types of email constituted the 'real'
spam (for example the ineffective use of email as a medium for
communication).  This area is too subjective to comment further except to
conclude that the 'annoyance' factor of spam is one for consideration
within the actual cost and impact of spam.  For example recent studies by
the US Federal Trade Commission (FTC) indicate that 80% of spam contains
fraudulent information, therefore the concept of erroneous information is
another side of the human impact of spam apart from the technical side.

Although quotes of organisations receiving up to 80% of email as spam are
common, the way in which email is used within Universities appears to
impact the level of spam likely to be received.



Summary of Responses from Question Two - Has your organisation taken steps
to actively address SPAM in a way that has or will substantially reduce the
impact of SPAM?
All responses indicated that their organisation had taken some steps to
address spam.  Although respondents were presumably motivated or in a position
to comment on the questions because they had actually taken steps,
it could be assumed that almost all organisations are addressing spam in
some manner due to the extent to which spam is prevalent.

Steps taken ranged from putting up recommendations to address spam to
completion of projects that had considered, developed and implemented
controls for spam.

The most significant aspect of the responses was that everyone was doing
something that was (or will lead to) reducing the impact of spam (although
obviously no controls are available that actually prevent spam being sent
to the organisation from the spammer).


Summary of Responses from Question Three - What types of controls (both
technical and human) are being used?
Controls were categorised as either technical or human.  Human controls
were not commented on too much and included user awareness and training on
behaviour or practices that would reduce the likelihood of not receiving
spam (ie throw away accounts, not replying to spam etc), together with
reviews of the effectiveness of filtering such as Bayesian filtering, and
physically monitoring the 'junk' folders and the associated fine tuning of
filters.  Human controls also included not placing email addresses on
public websites so as to avoid harvesting of addresses.

Technical controls varied considerably depending on the technology and
architecture in use however by far the most common use of any one product
cited appeared to be Spam Assassin, followed by Pure Message.  The main
variables for controls included whether email systems were centralised and
whether Users had access to opt in and opt out of various levels of spam
filtering.  Filtering included Realtime Black Lists (RBLs), basic subject
line filtering and procmail filtering and the use of Bayesian or heuristic
filtering including scoring and Content Based Filtering.

Whether spam was blocked and dropped, or filtered to a junk mail and
whether tagged spam was sent to the user in a junk folder or kept on the
server for later deletion varied between responses.  End user filtering
ranged from inhouse programs written to interface with client applications
for user defined filtering to just standard default filtering available
within the email client application itself.

The 'best practice' approaches tended to include the User awareness and
multilevel filtering as per the following:

1. USER AWARENESS - User awareness of spam and how to avoid it, User
awareness that you cannot stop only manage what you receive (ie via website
& awareness programs) and not having harvestable addresses on public
websites (ie use images).

2. CENTRALISED FILTERING - A level of centralised filtering using
heuristics or Bayesian, where tagged spam is sent to a junk folder with an
auto expiry (especially while filtering process is being developed and
refined, or is sent to the user and tagged as spam, or a combination of
both based on variable scoring.)

3. CLIENT FILTERING - An additional level (to gateway filtering) of
User defined filtering that includes opt in/opt out, variable level client
filtering with the option of the User receiving tagged spam to a junk
folder or simply choosing to delete it from the server prior to receiving
tagged spam.  (Note all of this additional to gateway filtering).

In conclusion, accepting spam as inevitable (at least for now) and
providing user awareness combined with multi level centralised as well as
user based optional filtering appears to be the best practice from the
responses.


_______________________________________________________________________________________

Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph:  61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au
