Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


October 28, 2003

Suppressing Spam

Give your Exchange environment defense in depth

Antigen’s Antispam Barriers
In Antigen 7.5, Sybari integrates antispam processing through a transport sink. Antigen has a good antivirus reputation in the Exchange market. An updated version that supports the Exchange 2003 SCL feature will be available in late 2003.

As with most antispam products, you can set various options in Sybari Spam Manager to suppress or identify spam as it arrives at the Exchange SMTP virtual server. The options are mailhost filtering (which lets you set up blackhole lists), content filtering (which lets you determine the type of content Antigen passes through to Exchange), file filtering (which lets you determine permitted file types), and keyword filtering (which lets you set up lists of words that Antigen looks for as it examines new messages). As Figure 2 shows, Antigen provides prepopulated lists of keywords that cover profanity, racial discrimination, sexual discrimination, and common spam words, such as "viagra." You can add words to these lists, but the prepopulated lists are fairly comprehensive and will stop most spam.

After you set up your keyword lists, you then decide how you want Antigen to treat spam. You can have Antigen drop messages immediately after it detects them as spam—an effective way of suppressing spam, but you run the risk that some messages that resemble spam might be important messages that you want to keep. The best practice is to first deploy the antispam product in "detect only" mode so that the product informs you about new spam and you can examine the notifications to determine the effectiveness of the filters. After you're happy that the filters are accurately detecting spam and ignoring other messages, you can start blocking (i.e., dropping) spam or moving messages into a quarantine directory. Figure 3 shows how Antigen informs administrators when it detects a spam message. You can configure Antigen so that it sends these notifications to as many administrators as you want.

Considering the amount of spam that can arrive at a server, you should be cautious about enabling notifications for administrators. Spam-generated messages can easily swamp a mailbox, particularly on servers that act as the initial line of defense. If you permit spam to pass through, you can configure Antigen so that it marks the spam with a SUSPECT prefix in the Subject line, as Figure 4 shows, before passing it through to Exchange’s routing engine.
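The detect-only rollout described above can be sketched as follows. This is an added example, not Antigen code or configuration: the keyword list, the sample messages and the exact `SUSPECT: ` prefix format are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Constructed keyword list standing in for a product's prepopulated lists.
KEYWORDS = ["viagra", "free money"]
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.I)

def make_msg(subject, body):
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def process(msg, mode):
    """Apply the filter. mode: 'detect' (report only), 'tag', or 'drop'.
    Returns (disposition, matched_keywords)."""
    text = f"{msg['Subject']}\n{msg.get_content()}"
    hits = sorted({h.lower() for h in PATTERN.findall(text)})
    if not hits:
        return "deliver", hits
    if mode == "drop":
        return "drop", hits
    if mode == "tag":
        # Assumed prefix format; the article only says a SUSPECT prefix is added.
        subject = str(msg["Subject"])
        del msg["Subject"]
        msg["Subject"] = "SUSPECT: " + subject
    return "deliver", hits  # detect-only and tag both pass the message on

def would_lose(labelled):
    """Detect-only pass: subjects of legitimate mail that 'drop' would discard."""
    return [str(m["Subject"]) for m, is_spam in labelled
            if not is_spam and process(m, "detect")[1]]

# Constructed sample traffic: (message, is_spam) pairs labelled by hand.
SAMPLE = [
    (make_msg("Cheap VIAGRA now", "Click for free money."), True),
    (make_msg("Formulary update", "Viagra pricing changes take effect in Q4."), False),
    (make_msg("Lunch on Friday?", "Usual place at noon."), False),
]

if __name__ == "__main__":
    print("legitimate mail a drop rule would discard:", would_lose(SAMPLE))
    spam = SAMPLE[0][0]
    print(process(spam, "tag"), "->", spam["Subject"])
```

The legitimate "Formulary update" message matches the keyword list, which is exactly the kind of false positive a detect-only period is meant to surface before blocking is switched on.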

Client Protection
Suppressing spam after it arrives at the client is a last-ditch effort. You've already incurred the cost of transporting, delivering, and storing the spam on its route to the client, and now the user gets to view the spam, if only to review the contents of the folder in which the client moves suspect messages. Of course, you can configure Outlook to delete any spam it detects, but again, you then run the risk of losing an important message mistakenly identified as spam. Ensure that the level of junk-mail protection you select, as Figure 5 shows, is appropriate for the traffic you receive.

Both Outlook 2003 and OWA 2003 feature client-side junk-mail filtering. Outlook 2003 supports connections to Exchange 2003, Exchange 2000, and Exchange 5.5 servers, but OWA 2003 is dependent on Exchange 2003. Outlook 2003’s Junk E-Mail filtering works only if you operate in cached Exchange mode. The logic is that Outlook must download the full content of messages before it can filter them. Attempting such downloads in a classic client-server connection would be far too expensive in network terms; you don't want to download giant attachments just to check their content. In an attempt to prevent spammers from gathering intelligence about their victims, neither Outlook 2003 nor OWA 2003 automatically downloads pictures in HTML-format messages unless you explicitly choose to view the pictures or establish new default settings for picture downloads.

In their messages, many spammers include pointers to small (1 × 1 pixel) graphics with the intention of forcing you to make a network connection to their site to download the image file. Because the file, called a Web beacon, is so small, you don’t experience any network delay during the download, and because the spammer typically hides the file, you don’t see it in the message. Spammers use this tool to determine the effectiveness and destinations of their messages. Ideally, they also want to discover which email addresses on their lists are real and active so that they can sell these addresses to other spammers or include them on other lists they maintain. To do so, spammers can include instructions in the URL to pass information about you back to their server.

Figure 6 shows a captured Web beacon. In this example, I received a message that Outlook recognized as spam and filed into my Junk E-Mail folder. To see the HTML source and determine whether the message contained any Web beacons, I right-clicked the message content and selected View Source. As Figure 6 shows, the image references point to files on a remote server, and the circled reference points to a small hidden file.
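The manual View Source check can be automated when triaging quarantined mail. The following is an added example, not part of the original article: it lists every remote image reference in an HTML body and flags the traits described above (tiny dimensions, hidden styling, parameters in the URL). The sample HTML and the `example.invalid` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class BeaconFinder(HTMLParser):
    """Collect remote <img> references and the beacon-like traits of each."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if not url.netloc:
            return  # cid:, data: and relative references cause no outbound fetch
        reasons = []
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("tiny")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        params = [k for k, _ in parse_qsl(url.query)]
        if params:
            # Parameter names only; the values may identify the recipient.
            reasons.append("query:" + ",".join(params))
        self.findings.append((url.netloc, reasons))

def find_beacons(html):
    """Return [(host, [reasons])] for every remote image in the HTML body."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed message body: a visible banner, a tracking pixel, an inline image.
SAMPLE_HTML = """<html><body>
<img src="http://images.example.invalid/banner.gif" width="468" height="60">
<img src="http://track.example.invalid/o.gif?campaign=42&amp;rcpt=user%40example.org"
     width="1" height="1">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for host, reasons in find_beacons(SAMPLE_HTML):
        print(host, reasons or ["remote image, no beacon traits"])
```

Any remote image causes a connection when it is rendered, so the banner is still listed; the reasons only rank which references most resemble a beacon.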

If you don't yet want to upgrade to Outlook 2003, you can still add antispam support to your client by installing products such as Cloudmark's SpamNet, iHateSpam, MailFrontier's Matador, and Mailshell's SpamCatcher. All these products support Outlook 2002 and Outlook 2000, and some offer versions to support Outlook Express clients—but those come with an additional cost to buy, deploy, and support. The actual per-client purchase cost is fairly low (between $20 and $30 per seat, subject to corporate discounts), but the total cost can mount up if you're deploying to thousands of seats. At this point, an upgrade to Outlook 2003 becomes more attractive, particularly when you factor in other Outlook 2003 features, such as cached-mode Exchange.

New Threats
Although we've witnessed great progress in securing messaging servers and protecting them against viruses and spam, we shouldn't become complacent. Virus authors and spam generators are constantly searching for new methods to exploit email. For example, we haven't yet seen the first attack against Instant Messaging (IM) networks. Your job now encompasses the tasks of keeping a close eye on new developments and deploying software to defend servers, and those tasks are unlikely to go away anytime soon.



Reader Comments
How about an article on third-party antispam that will protect non-Microsoft email such as that in Goldmine and Pegasus/Mercury?

byron lochridge October 28, 2003


As always, Tony Redmond is a great source of info. One problem inherent to any tech article is where to decide to leave off in the details of any procedure, and generally I am content with a pointer to the fact that a function exists and I then go research it. In this case, I find myself lost in trying to take the last step in connection filtering (when it requires enabling it on the SMTP server) and the MS docs, and online docs don't clear it up for me. ESM itself tells me I must, which is terrific, but when I go check the help on the SMTP props themselves it doesn't clear it up for me. :(

Chris King November 07, 2003


Great article! I dug through the Microsoft Ex2003 documentation looking for the RBL feature and didn't find it. Thanks for showing it. Now if we could use the product without tweaking the registry?

My experience with SPAM filtering in an Exchange 5.5 environment has been that it took two years for the traditional commercial vendors to get on par with Open Source solutions to this problem. I chose a small European software developer (DataEnter X-Wall) because the software is not resource intensive and it allows me much flexibility in suppressing some of the incompatible content that Exchange puts out - such as tnef (Rich Text) formatting, delivery receipts to mailing lists (a horror show) - etc. The price can't be beat! So check out all your options, and don't believe any vendor who claims it can't be done with Microsoft Mail or Exchange 5.5.

Rich Snow November 24, 2003


I love this stuff

Tim March 21, 2004





