Educause Security Discussion mailing list archives
Summary of Responses on spam
From: Tim Lane <tlane () SCU EDU AU>
Date: Wed, 11 Feb 2004 13:36:12 +1100
I recently posted an email to this and two other higher education forums on the current status of spam, what steps were being taken and the types of controls in place. Out of the 29 responses received, several requested a summary, which has been provided below.

Thanks,
Tim Lane

Responses from Question One - Is SPAM a non problem, minor problem or major problem in your institution? (indicate % of spam received of total email).

Responses predictably ranged from citing spam as a minor problem up to a major problem. Indications of spam as a percentage of total incoming emails varied from 15% to 80%, with the most common indicator being in the range of 30-50% (and growing).

In some cases respondents were clearly guessing or estimating the levels of spam and in other cases spam levels had been measured with some sense of reliability for a reasonable length of time. However most of the measurement of spam appeared to be focused on mail gateway server statistics rather than the level of spam actually received by the end user. This might be explained by the fact that the technical controls in place differed between institutions due to requirements for end user control at the application client level, therefore the amount of spam received by end users would not be an accurate reflection of total spam received but would instead be indicative of the types of controls in place.

A common recurring theme from respondents was whether or not the user base wanted to have control over the level of filtering, or whether they wanted it handled centrally.

Whereas most of the responses focused on the extent to which it was a problem from a technical, time and resource consumption perspective, opinions varied on the extent to which the problem was simply a perception problem, and suggested that other types of email constituted the 'real' spam (for example the ineffective use of email as a medium for communication).
This area is too subjective to comment further except to conclude that the 'annoyance' factor of spam is one for consideration within the actual cost and impact of spam. For example recent studies by the US Federal Trade Commission (FTC) indicate that 80% of spam contains fraudulent information, therefore the concept of erroneous information is another side of the human impact of spam apart from the technical side.

Although quotes of organisations receiving up to 80% of email as spam are common, the way in which email is used within Universities appears to impact the level of spam likely to be received.

Summary of Responses from Question Two - Has your organisation taken steps to actively address SPAM in a way that has or will substantially reduce the impact of SPAM?

All responses indicated that their organisation had taken some steps to address spam. Although respondents were presumably motivated or in a position to comment on the questions because they had actually taken steps, it could be assumed that almost all organisations are addressing spam in some manner due to the extent to which spam is prevalent.

Steps taken ranged from putting up recommendations to address spam to completion of projects that had considered, developed and implemented controls for spam. The most significant aspect of the responses was that everyone was doing something that was (or will lead to) reducing the impact of spam (although obviously no controls are available that actually prevent spam being sent to the organisation from the spammer).

Summary of Responses from Question Three - What types of controls (both technical and human) are being used?

Controls were categorised as either technical or human.
Human controls were not commented on too much and included user awareness and training on behaviour or practices that would reduce the likelihood of not receiving spam (ie throw away accounts, not replying to spam etc), together with reviews of the effectiveness of filtering such as Bayesian filtering, and physically monitoring the 'junk' folders and the associated fine tuning of filters. Human controls also included not placing email addresses on public websites so as to avoid harvesting of addresses.

Technical controls varied considerably depending on the technology and architecture in use, however by far the most common use of any one product cited appeared to be Spam Assassin, followed by Pure Message. The main variables for controls included whether email systems were centralised and whether Users had access to opt in and opt out of various levels of spam filtering.

Filtering included Realtime Black Lists (RBLs), basic subject line filtering and procmail filtering and the use of Bayesian or heuristic filtering including scoring and Content Based Filtering. Whether spam was blocked and dropped, or filtered to a junk mail and whether tagged spam was sent to the user in a junk folder or kept on the server for later deletion varied between responses.

End user filtering ranged from in-house programs written to interface with client applications for user defined filtering to just standard default filtering available within the email client application itself.

The 'best practice' approaches tended to include the User awareness and multilevel filtering as per the following:

1. USER AWARENESS - User awareness of spam and how to avoid it, User awareness that you cannot stop only manage what you receive (ie via website & awareness programs) and not having harvestable addresses on public websites (ie use images).

2. CENTRALISED FILTERING - A level of centralised filtering using heuristics or Bayesian, where tagged spam is sent to a junk folder with an auto expiry (especially while filtering process is being developed and refined, or is sent to the user and tagged as spam, or a combination of both based on variable scoring.)

3. CLIENT FILTERING - An additional level (to gateway filtering) of User defined filtering that includes opt in/opt out, variable level client filtering with the option of the User receiving tagged spam to a junk folder or simply choosing to delete it from the server prior to receiving tagged spam. (Note all of this additional to gateway filtering).

In conclusion, accepting spam as inevitable (at least for now) and providing user awareness combined with multi level centralised as well as user based optional filtering appears to be the best practice from the responses.

_______________________________________________________________________________________
Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph: 61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.