Forrester: Spam Management Best Practices

Spam is certainly not a new phenomenon, and although antispam is a 15-year-old industry that has made significant technological advances, many organizations still struggle with spam management.

Although it’s impossible to eradicate spam completely from the Internet today, organizations can alleviate the problem by adopting recommended practices, from both policy and technological perspectives.

Policy Best Practices

When addressing anti-spam policies, companies should look to:

• Take a rough axe to the blatant spam messages. A one-size-fits-all spam definition will not work for any sizeable organization, but a baseline policy is needed to articulate what constitutes “definite spam.” Forrester recommends that you block messages in the definite spam category, instead of quarantining them. Include all pornographic material, Phishing, and financial solicitation messages in the definite spam category. Depending on the nature of your business, you may find it useful to include other material in this category, such as newsletters, political campaigns, and product marketing messages.
• Adopt user- or group-specific filtering policies. On top of the baseline policy, Forrester recommend that organizations adopt user- or group-specific filtering policies, accounting for the distinct business roles of the users. For instance, you may want to deliver all marketing solicitation messages to your sales groups but block such messages for other departments. Similarly, you may elect to allow executable files for engineering personnel but drop them for others.
• Look for solutions that can integrate with other email security components. Antispam is only one aspect of your email security and management function. Other aspects include message transfer agent (MTA) functionality, content protection, and archiving. Your anti-spam solution should integrate and work seamlessly with the other components to deliver the acceptable level of management precision and performance.

Technological Best Practices

Organizations also need to implement the right technologies to address spam. Best practices include:

• Adopt connection management techniques. Connection management techniques include blacklists, whitelists, sender reputation, rate controls, and recipient verification — everything that doesn’t involve inspection of the actual content. Connection management implements a quick shock absorber for the incoming message stream and allows for the more selective application of heavyweight content analysis downstream.
• Leverage user self-management. To reduce administrative overhead, use an antispam solution that supports user-specific quarantine queues for self-management; ask users to manage the messages that are neither “definite spam” nor “definite legitimate.” User-specific quarantine requires the antispam solution to have knowledge of the user accounts, which means it must integrate with user directories.
• Manage bounce notifications. Attackers are stepping up their reconnaissance efforts as spam campaigns become more targeted. One method spammers use to collect valid email addresses is directory harvesting and bounce notification. To counter this, organizations should limit the number of external bounce notifications for unreachable addresses. An example is to only send bounce notification to certain trusted domains or rate-limit the number of notifications to a single source. You should look to antispam technologies that support the implementation of such policies.

Developing Metrics

How do you know whether your anti-spam solution is successful? These metrics can help you to assess the efficacy of your effort:

• Administrative overhead. A good antispam solution should only require a few minutes per day of human time to administer and manage.
• False negatives. Your false negative number should not exceed one spam per user per day.
• False positives. A rough measure of acceptable false positives is one in every 200,000 legitimate messages.
• User complaints and kudos. It should be obvious whether you’re doing a good job from your user feedback. In fact, sometimes the best indication of a successful antispam deployment is that you hear less or nothing from your users. The decrease of complaints in this subject area is silent kudos.

Three Tips For Developing A Spam Management Strategy

Organizations and individual users have the right to use their online resources without being bombarded by unwanted content and solicitations. The antispam market offers many options, but instead of considering a standalone point solution, companies should:

• Seek a solution provider with cross-channel intelligence. Spam isnt a standalone problem—theres a proven link between spam campaigns and Web malware distribution—so antispam shouldnt be considered in a standalone email silo. Your antispam solution should use multichannel intelligence to increase threat identification precision in both the email channel and elsewhere.
• Blend in-the-cloud and on-premise components. Certain filtering tasks are best done in-the-cloud before the unwanted traffic hits the end user organization, while others, such as encryption and deep content inspection, are sometimes best handled on-premise. Forrester has seen many successful deployments at organizations where an in-the-cloud solution (e.g., Postini or MessageLabs) was layered with an on-premise box. This way the on-premise portion only has to deal with a much-reduced traffic stream and can deliver better performance and scalability.
• Include email and antispam in a broad strategy for content security. Organizations need to implement content protection and retention for email, whether to mitigate the risks of legal liability from email misuse, guard against data breaches, or adhere to PCI, HIPAA, or other relevant regulations. The most natural place to incorporate such functionality is within the same email infrastructure used to fight spam. Look to solutions that support bidirectional content scanning, sensitive data discovery, and the ability to trigger external data protection and retention components such as encryption and archiving.

Users who have strong requirements in specific functional areas should start by evaluating vendors who have best-of-breed technologies in the areas most important to them. Such considerations include email reputation filters; industry blacklists; high-performance MTA and antispam solution; and integrated email encryption.

Chenxi Wang is a principal analyst at Forrester Research, where she serves security and risk management professionals. For free related research from Forrester, please visit www.forrester.com/csospam (free site registration required).