The Winner - InformationWeek
Software // Enterprise Applications
04:16 AM
Bug Bounty Programs: The 7 Myths, Hackers, & Impact
Dec 07, 2016
Despite thousands of large and small organizations running bug bounty programs, there is still a l ...Read More>>

The Winner

Below is the winning letter from the "What Should We Do About Spammers?" contest in Bob Evans' Dec. 6 column, Business Technology: Ends Don't Justify Means, Despite Appeal.

Back To Basics


The solution to spammers starts with the basics. But first, let's see what has been tried.

1. Keyword Filters
This does not work since spammers are pretty creative in finding a million ways to spell V I@Gra.

2. Spam IP Database Block Lists
This was a good idea at first, when many companies were unknowingly running open relays. However, this doesn't pose much of a threat for spammers. They just move on once an IP is identified. Even worse, many mail servers get tagged as a spam sender even though they didn't send any spam. Their only crime was having an IP address in the same block as a spammer.

3. Blacklists
Blocking spam by address is virtually useless. Any spammer can spoof the [send from:] without any problem.

4. White Lists
Only allowing E-mail from known senders is a little drastic. E-mail is supposed to make communication easier, not more difficult. Let's not throw the baby out with the bath water.

5. Bayesian Filters
This started as a great concept. Training a filter to identify spam is a great idea. However, it will not cut down on the amount of spam received by our mail servers. It also takes user maintenance to constantly "train" the filter to understand how spam is evolving. Additionally, many companies are hesitant to aggressively sort spam since they are afraid of losing that one big important E-mail.

6. Legislation
Congress tried to legislate spam out of existence. It appears that these efforts have been in vain. Spam is a technological problem that requires a technological solution.

So we need a technological fix--but not at the client level. E-mail protocols need to be rewritten. IMAP, POP3, SMTP, and HTTP need to be made more secure. Any E-mail protocol should not allow anonymous senders or spoofing. It should be easy to interpret exactly where the E-mail message came from. This will come at the cost of ending a completely open E-mail system; however, it is this open and trusting environment that has created this spam mess.

What then should we do until the future? At my company, we have been using greylisting. You can read more about it here.

From the project Web site:

"Greylisting is a new method of blocking significant amounts of spam at the mail-server level, but without resorting to heavyweight statistical analysis or other heuristical (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mail server.

Greylisting relies on the fact that most spam sources do not behave in the same way as "normal" mail systems. Although it is currently very effective by itself, it will perform best when it is used in conjunction with other forms of spam prevention."

By implementing greylisting support for all incoming E-mail, we have been able to reduce spam by 95% in our corporate environment. That works out to about five spam messages per client per day. This is not a great solution, but unfortunately it is about the best that there is currently available.

Current E-mail protocols are broken. We're still embracing the same standards that existed 35 years ago. It is time to take a fresh look at E-mail standards and limit the damage that spammers can do.

Benjamin Vogel

Return to the story: Business Technology: Ends Don't Justify Means, Despite Appeal

Continue to the other letters: Readers Get Creative About Stamping Out Spam

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll