Spam Filtering Works Better With a Management Policy

Transcription

1 Select Q&A, M. Grey, A. Hallawell Research Note 22 September 2003 Spam Filtering Works Better With a Management Policy A deployment of spam-filtering technology that does not consider business issues will fail. This research reflects our clients' questions, and our answers for management and policy "best practices" when implementing spam-filtering. Core Topic Knowledge & Content Mgmt., Collaboration & E-Learning: E-Workplace Systems and Technology Key Issue How will enterprises improve the operational efficiency of their e-workplace infrastructures during the next five years? Strategic Planning Assumption By 2Q04, anti-spam applications will include industry heuristics (0.8 probability). What industry-specific issues should we consider when implementing anti-spam technology? Most enterprises should filter blatant spam. However, some situations reject spam filtering technology. For example: In higher-education, the institution may elect to filter spam for faculty and staff (because they are employees), but not for students for fear of infringing on what some may deem to be the right to free speech. Messages containing words or phrases that trigger spam filters may not be spam. For example, in the healthcare industry, legitimate messages will often contain the names of drugs and parts of the human anatomy. In financial services, words such as "mortgage" and "loans" reflect daily business, but are often used in spam (for example, "low interest rate loans" or "refinance your mortgage now!"). Spam-filtering applications with a strong policy engine enable the IT administrator to customize technical policies that align to changing business conditions. By 2Q04, anti-spam applications will include industry heuristics (0.8 probability). How should we initiate deployment of the spam-filtering application? Deploying the technology in phases will result in a more-precise implementation that filters spam specific to department needs and reduces the risk of a "false positive" (an incorrectly identified as spam). For the first two to four weeks of production deployment, turn on the spam filtering in audit mode (where no spam is quarantined or deleted). The administrator should review the Gartner Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 audit reports to determine spam demographics (for example, what type of spam is being received by whom), from which the administrator can develop appropriate spam sensitivity levels specific to workgroup needs. For example, a customer care group needs to receive customer complaint , even when the contains language that the filter could interpret as spam. After the audit period and with policies in place, configure the application to begin filtering. Most enterprise-level spam filtering applications can apply different disposition actions to the spam, such as quarantine the message for a defined period or send the message to the recipient, but annotate it (for example, by putting the word "spam" in the Subject line). How can we reduce the number of spam-related calls to the help desk? The first action, of course, is to install an effective spam-filtering application (see "How to Select Spam-Filtering Products and Services"), along with the management and policy recommendations in this research. Interestingly, once the spamfiltering application is in a steady-state mode and collecting spam, there may be a spike in support calls. Although users will be pleased that their mailboxes aren't inundated with spam, they may ask, "Where did it go?". There is a natural distrust of anything new. Users need to be reassured that good mail has not been identified as a false positive and quarantined. Some anti-spam applications only enable the administrator to check the quarantine. Increasingly, a digest capability (listing of mailboxspecific quarantined messages) is being built into anti-spam applications. The digest can be in the form of an HTML sent to the user on a configurable basis (for example, daily or weekly), or a Web site that contains URL links to the user's quarantined messages. The user can then view or release the message to his or her live mailbox. Initially, users will access their quarantine queues frequently. As their confidence level in the new technology's capabilities is satisfied, users will rarely access the queue. Having a Web page dedicated to enterprise anti-spam efforts will also reduce call volume. The site should keep users updated on the enterprise's progress in fighting spam, include a frequently asked questions (FAQs) section, and provide user education on spam avoidance. How should users be trained on spam avoidance? 22 September

3 After the virus thunderstorms of ILOVEYOU and Melissa, IS departments focused on educating their users on how to slow down virus propagation for example, not opening questionable or executable attachments and not forwarding questionable . When training users on spam avoidance, we recommend the following: Don't reply to spam. Although the majority of spam is received from an invalid sending address (therefore, replying merely results in a bounceback), some spammers' sending addresses are valid, and the spammer will use the recipient user's reply to validate the recipient's address. Avoid entering your address on message boards, chat rooms, online directories and questionable Web sites. Spammers build mail lists by harvesting addresses from public Web sites. (A case could be made that there is no valid business need to use your business addresses on such sites. However, organizations rarely completely prohibit personal use of business .) Use a disposable address (DEA) if you need to enter an address on a questionable Web site. DEAs are valid addresses. Messages sent to them are forwarded to your real address. DEAs are available from not-for-profit organizations, such as Spamcon ( and commercial vendors such as MailShell ( If you opt-in (sign up) on a Web site to receive marketing, deselect checked boxes that opt you in to receive additional "related," but possibly unwanted, commercial e- mail. Don t buy from a spammer! People do buy from spammers, which makes spamming a profitable business. How should our enterprise protect itself from the threat of a hostile work environment lawsuit? Enterprise legal counsel is justifiably concerned that the abundance of blatant pornographic spam may result in hostile work environment lawsuits by offended, or disgruntled, employees or in-house contractors. The courts will have to determine the outcome of such actions. Nevertheless, prudence requires that the enterprise take fair and reasonable actions to minimize spam and its impact. Educate users on spam avoidance (see answer above to user training). 22 September

4 Update the enterprise's e-communications policy (often called the policy) with language that informs users and possible auditors that the company has implemented spamfiltering technology, but that it cannot guarantee that 100 percent of spam will be filtered. The policy should also state that enterprise users are prohibited from initiating spam or forwarding received spam. Employees should sign the policy to indicate that they understand it (see "Establishing and Reinforcing an Usage Policy"). Establish a generic, internal spam address to which users can send spam that gets through the enterprise spam filter. The administrator should forward true spam to the antispam vendor so that the vendor can refine its database. Consult with the legal department when developing the process for handling the threat of (or actual) hostile work environment lawsuits. What actions should legal counsel take to protect the enterprise from infringing on employee privacy issues, particularly where privacy legislation is strong, such as in Europe? Anti-spam filtering may not be a problem for global organizations, depending on how its filtering is implemented. For example, strict European Union privacy or European Works Council requirements may not be contrary to: An anti-spam implementation in which spam is only blocked or tagged Reports on individual users' activity/history that are not maintained Quarantines that only end users can view Some countries for example, the United Kingdom, under the Regulation of Investigatory Powers Act 2000 require that employees be notified that their may be intercepted. Because countries, such as the United States, allow monitoring and end-user-specific reporting, anti-spam practices, and even anti-spam products, may be different according to the region in which they are implemented. Canada and Australia are also more permissive about employee monitoring; however, certain policies and end-user notifications are required. What role will legislation play in slowing down spam? Legislation will not significantly reduce spam. Local anti-spam laws drive spammers to use offshore Internet service providers 22 September

5 (ISPs) to relay their spam outside of jurisdictions that recognize anti-spam laws, such as in the United States, the European Union and Australia. (See and for current status on pending and enacted legislation.) Legal complexities could arise in pursuing a case where the offshore ISP resides in a country without anti-spam laws. Acronym Key DEA disposable address FAQ frequently asked question ISP Internet service provider Although the target of anti-spam legislation is the spammer, legitimate marketers will be most affected as they attempt to comply with legislation that requires valid mail to be identified as such a tactic that spammers will soon exploit (see " Marketers Must Work Harder to Show They're Legitimate"). Lawsuits targeted at spammers that spoof sender addresses for the purposes of consumer fraud are more likely to come to court than lawsuits initiated against annoyance spammers (see "Amazon Lawsuits Highlight Growing Spam Threat"). ISPs, carrier-class providers and e-commerce vendors will initiate most of this action. 22 September