End-User Advice on Spam and Viruses
Spam and viruses continue to plague all enterprises. Most organizations are now aggressively blocking spam at the perimeter and effectively blocking 85%-95% of spam. The threat of viruses continues unabated. As part of the overall spam- and virus-blocking effort, IT organizations (ITOs) need to educate users about threats and best practices.
META Trend: As ad hoc electronic communication grows in importance (e.g., e-mail, instant messaging, Web conferencing), organizations will be challenged to create a hygienic and low-cost infrastructure. Through 2006, special attention will be focused on spam blocking and policy enforcement (e.g., regulatory compliance). By 2007, rising electronic communication volumes will frustrate users coping with information overload and drive organizations to employ common filters, queuing services, and categorization engines to ease communication burdens.
The spam blight continues unabated, and we do not expect legislation or well-publicized litigation against spammers to have much impact on volume through 2005/06. Even when organizations do an effective job of blocking spam, users still routinely receive multiple spam messages because of the sheer volume entering the firm. Therefore, enterprises must use all means available to help users stem the flow of spam. They must warn users of its implicit hazards such as fraudulent messages seeking personal information and messages that contain viruses that can cause users’ PCs to send out spam. Organizations must develop mail hygiene policies and communicate best practices to keep users informed and aware of the dangers spam presents to business operations. At a high level within ITOs, enterprises must make basic decisions about which features to expose to users from the core spam-blocking engine such as end-user-controlled trusted-sender lists and quarantines. Organizations must determine if users should be instructed on how to apply additional spam-blocking features in the e-mail client, as well as the use of alternative mail systems such as POP3 and HTTP public mail accounts.
Despite broad efforts to protect against mail-borne viruses and worms, enterprises are still struggling to stop outbreaks effectively. We estimate that up to 45% of large organizations have been economically impacted by a virus attack during the past 12 months. E-mail remains the primary channel of attack. Viruses are starting to appear faster than organizational ability to patch vulnerabilities or disseminate signature files for thousands of PCs. For example, the notorious winter 2003/04 Bagle virus released nine variants in less than a week. Like many other current viruses, Bagle self-propagates by exploiting e-mail addresses mined from desktop files using its own SMTP mailing engine. Antivirus vendors have noted that the level of virus activity in early 2004 indicates that the year will prove to be the most prolific ever for virus writers. During recent outbreaks, as many as one in five messages might be a virus. Viruses also have increasingly disruptive payloads. Mydoom not only launched denial-of-service attacks on commercial Web sites, but also deleted files from user desktops. In addition, Mydoom created a remote access back door, enabling hackers to steal personal information (e.g., credit card numbers, passwords) to remotely control PCs or upload malicious code. Therefore, organizations must maintain extreme vigilance against viruses to ensure stability of the messaging infrastructure. A sample policy document that addresses spam and virus threats follows. All instructions will not be appropriate for each organization. Firms need to carefully determine which of these points will apply to their enterprises (see Figure 1).
Limit the Use of Corporate E-Mail Addresses. Users should be careful about disclosing e-mail addresses. Optimally, an e-mail address should be shared only with people known to the user. When using an e-mail address in a public forum, users should add additional characters to the address that can be easily stripped by a human. This prevents e-mail harvesting programs from capturing and exploiting the address. A sample might look like john.doe@nospam.corporate.com. (An alternative method is to ask users to use a free public mail account such as Hotmail for newsgroups and Web sites, but we are wary of this approach because e-mail hygiene controls typically do not work on port 80 or port 110.)
Keep E-Mail Addresses Off Web Pages. Users must avoid putting e-mail addresses on Web pages to protect them from spam robots used by spammers to harvest addresses.
Use Separate Chat IDs. If public chat rooms are entered, users must employ a screen name not associated with their e-mail addresses. Chat rooms are routinely harvested for e-mail addresses by spammers.
Never Contribute to a Charity From E-Mail. Messages with appeals from charity should be treated as spam. If a charity is appealing for donations, the recipient should call the organization and determine how to make a contribution. No information should be sent via e-mail.
Be Wary of Attachments. If the message sender is unknown, or if it is a strange attachment, users should delete the message immediately and run up-to-date antivirus software to check the computer for viruses.
Check the User Quarantine. Our corporate spam-blocking service filters a large amount of spam. Occasionally, it filters legitimate e-mail. To ensure that all legitimate messages are received by users, we established a user-quarantine service, which users should periodically check for legitimate e-mail. This is a private, personal account for each user. We send out a weekly reminder to check the quarantine. Users should bookmark the URL and check the quarantine anytime there is suspicion that legitimate mail has not arrived. Consistent with our overall e-mail policy, users are prohibited from releasing any pornographic or salacious messages from the quarantine.
Employ the Trusted-Sender List. Some mail from large organizations such as newsletters or marketing updates has many characteristics of spam and may be erroneously blocked as spam. Our corporate spam-blocking service enables users to add senders to a list that will allow messages from the sender to pass unfiltered through our blocking service. From within the quarantine, users should move legitimate mail senders who have been erroneously blocked to the trusted-sender list.
Send Spam to the Blocking Service. Occasionally, spam will make it through the corporate filter. When spam is received, users should forward the message to spam@corporate.com. The message will then be added to the corporate blocking service, and any repeats of that spam will then be blocked.
Alternative Mail Accounts. Users may have established alternative mail accounts for personal or business purposes such as Hotmail or Yahoo. Because messages sent from such mail systems do not come through our spam- and virus-filtering services, they present a risk to the organization. Users should not access such alternative mail accounts from within the corporation.
Do Not Respond to Spam. Users should not reply to spammers - not even to "unsubscribe" - unless the sender is legitimate. They should not open or forward chain e-mail or reveal personal information. Users should never buy anything from spam mail.
Review Privacy Policies. Users should review the privacy policies of Web sites and business partners. When signing up for Web-based services such as online banking, shopping, or newsletters, they must review the privacy policy closely before revealing e-mail addresses. If the policy has a liberal practice of sharing or selling addresses to other organizations, users should opt out of the sharing program or avoid the service altogether.
Do Not Reply to Messages Requesting Personal Information. Spammers now send fraudulent e-mail to users in an attempt to get them to disclose confidential information such as social security numbers or passwords. Most legitimate organizations will not ask for personal information via e-mail. If a trusted organization (e.g., bank, broker, insurance) asks for personal information, call - do not write - and report it. Users should not use the phone number provided in the e-mail. In addition, our IT group will never request users to update or disclose user names and passwords via e-mail. Users should immediately report any such requests to the IT department.
Bottom Line: Enterprise spam- and virus-blocking strategies should include end-user education to minimize basic exposure.
Business Impact: Spam and viruses have a detrimental impact on organizations by clogging user mail accounts, taxing system resources, and threatening message system stability. Aggressive actions, including end-user education, are mandatory.
META Group originally published this article on 6 May 2004.