Internet Newsletter for Lawyers
September/October 2003, by Delia Venables

Spam Wars - Next Big Threat for Law Firms
and...
Approaches to Spam Control

Stop Press: With the current rapid spread of the "SoBig" virus, the demarcation between spam and viruses has become less clear cut. Although most firms and chambers remained virus-free in the sense that dangerous attachments were stripped out, and/or their users were educated not to execute them, many were still overwhelmed by the sheer volume of such messages. Most spam control programs would also have identified these.

A recent study by email filtering company MessageLabs found that, of the 137 million emails they handled in June on behalf of their customers, 55% were unsolicited junk mail, or "spam". A year ago, the proportion was just 2.3%. Worse still, the number of emails flying around the internet continues to rise at an alarming rate.

So far, it is individual email users who are receiving the most spam. They are the ones who have been freely surfing the web, buying software and other goods, taking part in online "discussion" groups and putting their email address on their own web sites. In my own case, I get at least 80 spam emails a day as well as perhaps 20 "real" ones.

Most firms and chambers have been more careful with their email addresses and the problem is not yet so extreme - but it will probably become so since, once an email address is on even one spammer's list, it is likely to be sold on to a myriad of others. Legislation (so far) is having no effect whatsoever, since the spammers operate from many different countries and are also adept at changing the "sending" address so it is very difficult to find out where the emails have come from.

The main categories of spam seem to be for Viagra and lurid "enhancement" offers, cheap prescription drugs generally, pornography of many different types, financial advice and offers (generally "scams") and slimming and beauty products. I thought about producing a picture of the titles of a representative sample but they are not suitable for a respectable newsletter! Most people reading this will know the sort of things I mean.

I generally know when I should cover a topic here when I get a large number of enquiries from readers asking for information. Suddenly, over the last few months, enquiries about spam have multiplied almost as fast as the spam itself! I set out to find out what firms and chambers are doing about spam, right now. My first stage was to email the 150 Intranet/Multiple Use subscribers of this newsletter, thinking that they are the users most likely to have investigated this topic so far. I asked whether they have a problem with spam and if so, what they are doing about it. I had replies from around 50 firms and I am very grateful to them for the information they gave.

Quite a few firms told me that they do not have a particular problem yet although they could see that the problem was getting worse. Others who are part of government departments or public bodies generally indicated that the problem was coped with at a "higher level" - they are probably the lucky ones! Others already have a major problem. I was told by one firm that a member of staff received over 1,200 spam emails in a single month. Eventually, the firm concerned changed this particular email address but even now, a year later, 800 emails a month arrive for the old address.

Many firms are already using various services and software tools to try to reduce spam, partly because of the time wasted by individual staff members deleting it but partly also because the content of much of it would be genuinely upsetting for some people.

I am planning a second article on spam in the next issue where I hope to give feedback from the many readers who have not yet had a chance to respond and, in particular, their experience of the products mentioned, or others they have come across.

Approaches to Spam Control

These are the general approaches that emerged from my investigations:

Care with your email address

You can set up procedures to prevent the firm's email addresses getting "out" into the wild, i.e. educate your staff not to use their email addresses in a way which enables them to be put onto spam email lists. Several firms have included instructions of this sort in their staff manual. Advice of this sort could include the following:

  • Do not use the firm's email address for any private purpose; if people want to respond to discussion groups or make purchases online, they should use a private email address from hotmail or yahoo (and then of course they will have the same problems but at least it will not be the firm's problem). Preferably, staff should not access non work oriented sites from the firm's system at all although this will depend on the existing acceptable email and internet access policy. It is worth bearing in mind that the majority of staff and partners probably now have access to a computer at home so the "need" to surf the web for private purposes at work has reduced somewhat over the last year or two.

  • Never respond to spam and never use the "unsubscribe" option often included with such emails since this just serves to prove that it is a real email address.

  • Do not send copies to people unnecessarily and do not send private pictures, jokes or other attachments within the firm. Whilst these are not "spam" in the normally accepted sense, they also clog up the firm's system and require significant disk resources since all firms' emails are regularly backed up (often in multiple copies).

    Email addresses on your web site

    You can limit or change the way that email addresses are displayed on your web site, so that they cannot be picked up by "robots" roaming the web (also known as automatic email harvesters or "bots"). Options include these:

  • Instead of displaying the link as "email delia@venables.co.uk" you could display it as "email Delia Venables" (where the real email address is still present as the link). This enables a human being to access the email address without difficulty but does not indicate to a robot harvester, which is looking for the "@" sign, that there is an email address lurking!

  • You could remove email addresses entirely but use instead a reply form which requires the user to put information into a pre-set form. This prevents even a Human Being from knowing what your email address is (and is very annoying to the Human Being).

  • You could decide to have no email address or contact form on the site at all so that no-one can contact you.
    (You think I am making this up?)

    For a small site, the first or second options might be effective but for a larger site, with multiple email addresses, this kind of avoidance method is probably inadequate and other methods, below, will be needed.
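The three options can be checked against a page's HTML before it is published. The following is an added example, not part of the original article: it reports which addresses appear in the displayed text and which survive only as a mailto: link target, where a tool that reads the markup rather than the displayed text would still see them. The page snippets, the /contact form path and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class AddressAudit(HTMLParser):
    """Records where email addresses appear in one page of HTML."""

    def __init__(self):
        super().__init__()
        self.in_text = set()    # addresses a visitor can read on the page
        self.in_links = set()   # addresses present as mailto: link targets

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.in_links.update(ADDRESS.findall(unquote(value)))

    def handle_data(self, data):
        self.in_text.update(ADDRESS.findall(data))

def audit(html):
    """Return addresses shown as text and addresses present only in links."""
    parser = AddressAudit()
    parser.feed(html)
    parser.close()
    return {"displayed": sorted(parser.in_text),
            "link_target_only": sorted(parser.in_links - parser.in_text)}

# Constructed pages, one per approach described in the list above.
PAGES = {
    "address as link text":
        '<p><a href="mailto:delia@venables.co.uk">email delia@venables.co.uk</a></p>',
    "name as link text":
        '<p><a href="mailto:delia@venables.co.uk">email Delia Venables</a></p>',
    "reply form":
        '<form action="/contact" method="post"><textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for label, html in PAGES.items():
        print(label, audit(html))
```
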

    Facilities available within Outlook and Exchange

    You can use the facilities available within Outlook, Outlook Express, Exchange and other email programs to identify spam and either delete it directly or dump it into a junk email folder. This type of approach still uses your own computer resources in terms of telephone time and disk storage and it also requires you to look at the junk folder from time to time to check that no "good" emails have been put here by mistake (false positives). The process is however not very effective when the junk email is coming from a myriad of different addresses or indeed from invalid addresses since your system will not know that these are junk.

    An additional problem is that filtering on particular words is also not as easy as it sounds, since the spammers are learning to find their way round these controls, e.g. viagra comes out as (say) v i a g r a or vi@gra.
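The two evasions mentioned above can be undone before the word list is applied. This is an added example, not code from the article or from any product it names: it compares a plain whole-word filter with one that first maps look-alike characters back to letters and rejoins letters that have been spaced out. The look-alike map, the sample subject lines and the function names are constructed.

```python
import re

BLOCKED = {"viagra"}  # the word the article uses as its example

# Constructed map of look-alike characters back to the letters they imitate.
LOOKALIKES = str.maketrans({"@": "a", "1": "i", "0": "o", "3": "e", "$": "s"})

# A run of single letters split by spaces or punctuation, e.g. "v i a g r a".
SPACED_OUT = re.compile(r"\b(?:[a-z][\s.\-_*]+){2,}[a-z]\b")

def naive_match(subject, blocked=BLOCKED):
    """Plain word filter: exact match on whole words only."""
    return sorted(blocked & set(re.findall(r"[a-z]+", subject.lower())))

def normalise(subject):
    """Undo look-alike swaps, rejoin spaced-out letters, split into words."""
    text = subject.lower().translate(LOOKALIKES)
    text = SPACED_OUT.sub(lambda m: re.sub(r"[^a-z]", "", m.group()), text)
    return re.findall(r"[a-z]+", text)

def robust_match(subject, blocked=BLOCKED):
    """Word filter applied after normalisation; still whole words only."""
    return sorted(blocked & set(normalise(subject)))

# Constructed subject lines: three junk variants and one legitimate message.
SUBJECTS = [
    "Cheap viagra here",
    "Cheap v i a g r a here",
    "Best vi@gra prices",
    "Re: draft lease for 3 Acacia Road",
]

def compare():
    """Return (subject, naive result, robust result) for each sample."""
    return [(s, naive_match(s), robust_match(s)) for s in SUBJECTS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Matching is kept to whole words after normalisation so that ordinary subjects such as the last sample are not caught, which keeps false positives down at the cost of missing variants the map does not cover.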

    To be effective, and not to require you to spend hours every week becoming an expert on the latest types of spam, it is really necessary for the program to have access to large databases of spam sources and spam words, kept up to date by someone else. This takes us to the next section.

    Software for individual email users

    There is a special type of spam control program which is suitable for individual email users who generally collect their email using a protocol called POP3 (Post Office Protocol) i.e. not organisations with Exchange or similar networked email servers. With a POP3 system, the user is not online all the time but "logs in" to their ISP intermittently and collects their email. Although originally designed for a dial up line, this solution can also be used with an ADSL line but not with a networked email system. It is possible for the client (i.e. your personal email program, whether Outlook, Eudora, Pegasus or others) to examine the headers of the email on the ISP's server without downloading the whole email and to delete it directly on the ISP's server if desired.

    The software applies all sorts of tests to the email based on sender, sender's domain, country of sender, and key words of various types found in the header or the text. These tests are carried out by linking up with databases on the web of known spammers (blacklists) and, equally importantly, by learning from the emails which you said were spam on a previous occasion. These systems do take a few days to become effective but are, after that process, very good at getting rid of most spam.

    Having carried out this process with the spam control program, the user then "gets" their email in the usual way, but will find only the ones not deleted left, to come down into the normal email box.
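The header-only check and server-side delete described in this section, as an added example that is not taken from Mailwasher or any other product: it uses the list, top and dele methods of Python's standard poplib.POP3 connection, and only the sender-domain test is shown. The FakeMailbox class, the messages and the domain names are constructed so the example runs without an ISP account.

```python
from email.parser import BytesParser
from email.utils import parseaddr

def triage(conn, blocked_domains):
    """Delete mail from blocked sender domains using headers only.

    conn is a poplib.POP3 connection (or anything with the same
    list/top/dele methods). Returns the message numbers deleted.
    """
    deleted = []
    _, listing, _ = conn.list()              # e.g. [b"1 1840", b"2 5120"]
    for entry in listing:
        number = int(entry.split()[0])
        _, lines, _ = conn.top(number, 0)    # TOP n 0: headers, no body lines
        headers = BytesParser().parsebytes(b"\r\n".join(lines), headersonly=True)
        _, address = parseaddr(headers.get("From", ""))
        if address.rpartition("@")[2].lower() in blocked_domains:
            conn.dele(number)                # marked now, removed at QUIT
            deleted.append(number)
    return deleted

class FakeMailbox:
    """Constructed in-memory stand-in for an ISP mailbox, for offline runs."""
    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))
    def list(self):
        sizes = [b"%d %d" % (n, len(m)) for n, m in self.messages.items()]
        return b"+OK", sizes, 0
    def top(self, which, howmuch):
        head = self.messages[which].split(b"\r\n\r\n", 1)[0]
        return b"+OK", head.split(b"\r\n"), len(head)
    def dele(self, which):
        del self.messages[which]
        return b"+OK"

def demo():
    """Run the triage over three constructed messages."""
    box = FakeMailbox([
        b"From: Offers <promo@bulk-offers.example>\r\nSubject: Act now\r\n\r\n" + b"x" * 5000,
        b"From: clerk@chambers.example\r\nSubject: Hearing date\r\n\r\nSee attached.",
        b"From: deals@bulk-offers.example\r\nSubject: Cheap loans\r\n\r\n" + b"x" * 9000,
    ])
    deleted = triage(box, {"bulk-offers.example"})
    return deleted, sorted(box.messages)

if __name__ == "__main__":
    print(demo())
```

Because the From header is chosen by the sender, a domain list on its own misses mail sent from changing or invalid addresses, which is why the programs described here combine it with other tests.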

    An extra bonus of some of these systems is that they can generate a "bounced" email back to the sender, thus indicating to the sender that this email address does not exist although I am a little dubious about this process - it seems as if one is then also contributing to the spam emails clogging up the internet.

    I personally use a program called Mailwasher for my email (recommended by James Prior, of Opsis Ltd) and it is rapidly becoming indispensable. Another program in this category is iHateSpam. This can be integrated into Outlook, Outlook Express or Exchange, thereby providing a seamless process of filtering and obtaining mail.

    Using a spam removal service

    You can enquire of your ISP whether they have a spam-removal service available - and most commercially oriented ISPs do have such services available now, often combined with a virus removal program. The advantage of using a service of this kind is that the email can be removed before it ever reaches your own system. Generally, there are some parameters which you can set to determine blacklists or whitelists (senders whose emails you want to receive even though they fail other tests) so that the user does retain some element of control.

    From the responses to my enquiries, the big winner in this part of the market is MessageLabs, particularly as provided by the ISP Star Internet. A whole series of firms said how effective they find this service, often combined with virus protection, pornography control and other inappropriate content control.

    MessageLabs was originally set up as a corporate virus protection service but now, spam seems to be equally important in its portfolio of services. In fact, it is very sensible for a user to have virus control, spam control and any type of content control (e.g. for pornography) from the same source, thus minimising complication and also cost. It uses a combination of publicly available blacklists, heuristics (complex rules) and mathematical (Bayesian) probability to identify spam. The user can also set up blacklists or whitelists which can be combined with the main service thus providing a reasonable element of control. Generally, legal firms accept all email (but to a defined junk folder) so that it can be checked from time to time but the ordinary user is protected from it.
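How Bayesian probability and a whitelist fit together, and how a filter "learns" from the emails a user has previously marked as spam (as described for the individual-user programs earlier), can be shown in a few lines. This is an added example and not the method of MessageLabs or any product named here: a simplified naive Bayes scorer with add-one smoothing, plus a whitelist that overrides the score. The training messages, the sender address and the 0.9 threshold are constructed.

```python
import math
import re
from collections import Counter

def tokens(text):
    return set(re.findall(r"[a-z']+", text.lower()))

class BayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # messages containing each word
        self.docs = {"spam": 0, "ham": 0}                    # messages seen per label

    def train(self, text, label):
        """Learn from one message the user has marked 'spam' or 'ham'."""
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        """Combine prior odds with each word's likelihood ratio (add-one smoothed)."""
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for word in tokens(text):
            p_spam = (self.counts["spam"][word] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][word] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def verdict(bayes, sender, text, whitelist, threshold=0.9):
    """Whitelisted senders always reach the inbox; others are scored."""
    if sender.lower() in whitelist:
        return "inbox"
    return "junk" if bayes.spam_probability(text) >= threshold else "inbox"

# Constructed training set standing in for mail a user has already sorted.
SPAM = ["cheap prescription drugs no prescription needed",
        "lose weight fast slimming pills",
        "cheap loans financial offer act now"]
HAM = ["draft lease attached for your review",
       "court hearing moved to Thursday",
       "please review the attached witness statement"]

def build_filter():
    bayes = BayesFilter()
    for text in SPAM:
        bayes.train(text, "spam")
    for text in HAM:
        bayes.train(text, "ham")
    return bayes

if __name__ == "__main__":
    bayes = build_filter()
    print(bayes.spam_probability("cheap slimming pills offer"))
    print(verdict(bayes, "orders@client-pharmacy.example",
                  "cheap slimming pills offer", {"orders@client-pharmacy.example"}))
```
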

    You can also use a spam-removal service such as MessageLabs directly (i.e. not as a service from your ISP), whereby incoming email is diverted to the service and the spam removed before being sent on to the firm's system.

    Spam control as part of a firewall

    There are a number of products which combine hardware and software in a ready made firewall appliance, sometimes referred to as "Internet in a Box" solutions.

    These include MXtreme from Borderware, sold by Peapod Solutions (PSL), which offers content filtering, secure web mail, encryption, virus scanning and mail box hosting. This type of system is delivered more or less "ready to go", and also provides regular updating of virus and spam criteria without user intervention. It comes in a variety of sizes to suit particular sizes of firm.

    Another such product is Firebox from WatchGuard. This also comes in a number of versions.

    Software for networked spam control

    You can purchase and run software on the firm's own system - generally in association with the Exchange server - to identify spam and either delete it or put it in a junk area of the system for regular checking. This is generally very complex software with a large price tag, and requiring considerable expertise to manage the process but it does leave the user in complete control of the process.

    The two big names in this area of the market are Clearswift, with its MAILsweeper product, and SurfControl.

    Both of these companies started with control of surfing (i.e. to prevent employees from accessing unsuitable sites) as their prime task but have now broadened their services to include also the removal of viruses and spam.

    The products carry out the same processes as described in previous sections but do it totally "in house" so that the firm or chambers is not dependent on any external body. These products are described in more detail in some of the additional articles described below.

    Spam control, virus protection and surfing control

    Note that these are all separate concepts! Whilst a spam control program may well find and mark a virus for deletion, this is not its main purpose in life and it will not be as up to date in this respect as programs designed specifically for virus protection like Norton, Symantec, Network Associates or Sophos.

    However, if you already use a virus protection service or product, or a surfing control product, it is well worth enquiring as to whether they also have a spam control module which you can add, since, if they do, this is likely to be a cheaper and less complicated solution than having each of these separately.

    Legal remedies

    Most countries, including the EU, are trying to set up methods of preventing spamming by law. I hope to cover this further in a future article but in the meantime, there is a good site called Spam Laws at www.spamlaws.com, set up by US Law Professor David E. Sorkin. The site groups laws by USA (Federal and State), Europe (EU and by country) and other Countries, and provides links to legislation or proposed legislation in these countries.

    More Information

    Several readers of the newsletter have very kindly provided articles on this topic. These are available in Microsoft Word format.

    • Dean Hill-Jowett, IT Manager of Edwards Geldard, in "Prevention before Cure", believes that there are problems with all the software and services available for spam reduction because of their complexity, their cost or the firm's loss of control over how email is handled. He thinks that the best approach is to prevent email addresses from being found by spammers.

    • Simon Bennett, IT Director of Tarlo Lyons, describes how spammers operate, how they get your email address and what spam is costing you, as well as some of the things individual firms can do to prevent their email addresses being "found" by spammers. He also covers several of the software products available including MAILSweeper, BRIGHTmail, iHateSpam and MessageLabs.

    • Charles Black, founder and MD of ISP Nasstar and also a barrister, describes the way that spam has grown, the costs to the user, and some of the remedies. He looks at filtering services from Blackspider Technologies, MessageLabs and Nasstar and describes the processes which are used including Bayesian probability techniques, lexical analysis, "honeypots" and public blacklists.

    • Peter Sweeney, of Systems Integrator jmc.it, describes how the problem of spam has developed and methods which the firm can use to stop it. In particular, he looks at SurfControl, which is the software jmc.it recommends for stopping spam and which keeps the process of spam filtering within the firm. He describes how it works and the facilities available to the administrator to manage the process. He also gives advice on how to keep out of the spammers' lists altogether.

    Feedback Please

    I intend to continue to develop this topic in the next issue, so please give me your comments and views. Email me at delia@venables.co.uk!
