From Spam to Ham
By Lasa Information Systems Team
Lasa, like most other organisations, receives its fair share of spam, ranging from the annoying to the downright offensive. So it was decided that something needed to be done - we had to have something in place to stem the tide.
The set-up
So, what approach to take? Lasa's ICT set-up is based on a fairly standard Microsoft-based client-server network. The server runs Windows 2000 Small Business Server software, which uses Exchange Server to distribute mail around the 30-odd users. The network is protected by a Watchguard hardware firewall connected to the ADSL router. Clients are using either Outlook 2000 or 2003 running on Windows 2000 and XP Professional.
Influencing factors
There were a number of factors which would influence the direction we took:
- Cost - our budget was (inevitably) small
- Ease of use - it should be easy to configure, and easy for the end user to manage spam once it has hit their mailbox
- Management - the solution shouldn't place a huge management burden on the systems administrator
- Product knowledge - what do we know already about the product? Will it do the job? Is anyone else out there using it and have they had good experience of it?
- Learning - can we use this problem as a way of generating team knowledge and skill?
The software route
Two options here - a client-side solution, preferably one which integrated with Outlook, or a server-based product. We tested both Spam Inspector and SpamBayes, both of which plug into Outlook. Spam Inspector needs to be trained to perform effectively; it dealt with a large proportion of spam but couldn't deal with other non-spam annoyances such as virus bounce messages. It also occasionally didn't load up when Outlook was started.
The open source SpamBayes performed well, was liked by our guinea pig and elicited positive noises from other users but, as with all client-side applications, would require a degree of management - keeping it updated, user training and installation. The price was right though! On the server side, we were hearing very good things of SpamAssassin and made a note to look into it further. We also researched GFI MailEssentials, which would have installed on our Windows server, but the cost was prohibitive.
Spam the hard(ware) way
The obvious solution here was to use SpamScreen, a software module which would install on our Watchguard firewall. This was also the preferred option of our ICT support contractor - however, again, the price was high.
Let someone else look after it
What could be better? Just pay someone else to take care of the situation. Unfortunately this comes at a cost - market leader MessageLabs quoted us over £2000 a year and, whilst this would also have scanned for viruses, it was way over our budget. NPOShield from Electric Embers, who supply Lasa with mailing list services, looked promising and at $35 - $40 a month was fairly cost effective. It also would have added to our defences against mail-borne viruses.
Other research
We also sent email enquiries to the Riders and UK Riders mailing lists (URLs) to obtain other recommendations, warnings, advice and so on. Articles in ICT magazines were read and digested and websites hunted down.
The decision
Options were weighed up and examined at an Information Systems Team meeting. We ended up deciding to use an open source solution: SpamAssassin, running on a separate server with Linux and a suitable Mail Transfer Agent (MTA).
SpamAssassin hit a lot of our influencing factors - it was free, configuration was reportedly easy, it could be easily managed and configured for our particular usages, and we got good feedback from users on the mailing lists. Whilst there is some Linux experience in the Information Systems Team, it made sense to expand on this area of knowledge by involving more staff in the installation and implementation process, and this article is the outcome of our fact finding experiences…
First hand experience
The next step in our project was to visit Ryan Cartwright, IT Manager at Contact A Family (CAF), who have had SpamAssassin (SA) installed on their system for around 2 years with excellent results.
CAF use a server running the SUSE Linux operating system, with Exim as the mail transfer agent (MTA) which does the job of sending and receiving email. CAF receive around 4-5000 email messages a day and reckon it takes around 1 second per message to run a single item of mail through SA and tag it. Ryan reckons that the spam he gets is around 99% correctly identified. Ryan explained to us how SA works by examining and scoring incoming mail against preset and user-configurable conditions. For example, if the body text of the message includes the word Viagra, it adds 7 to the score. Words which are common in spam emails but which might be legitimate, and other spamming techniques such as including images and links in HTML (web) formatted mail, are given lower scores. It then adds up the scores and, if the total is over a certain amount (CAF use 6.5), the message is tagged as spam in the header of the mail.
SA then "wraps" the original message in an outer email which explains the scoring and why it was tagged as spam. An advantage of the scoring approach to spam recognition is that organisations which deal with subjects commonly used in spam messages can choose not to score them so highly - a reproductive health advisory organisation, for example, may well be dealing with legitimate, intimate email which contains the word Viagra.
Exim can be set up to delete messages which have a high score and are therefore definitely spam but CAF don't do this. Ryan also recommended running AMAVIS Antivirus which runs in conjunction with a proprietary virus scanner such as McAfee etc. Having been examined by SA, the spam mail is then sent back to Exim which transfers it to the mail recipients' Outlook mailbox. Users can have rules set up in Outlook to transfer spam into a dedicated Spam Quarantine folder or Deleted items - some users however allow them to come into their Inbox and then delete them accordingly.
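The scoring, tagging and wrapping described above can be modelled in a few lines of Python. This is an added example, not SpamAssassin's own code and not part of the original article: the rule names, the image and link scores and the `example.org` addresses are assumptions, while the 7 points for "Viagra" and the 6.5 threshold are the figures quoted above.

```python
import re
from email.message import EmailMessage

# Hypothetical rule table (name, pattern, points). Only the 7 points for
# "Viagra" and the 6.5 threshold come from the article; the rest is made up.
RULES = [
    ("BODY_VIAGRA", re.compile(r"\bviagra\b", re.I), 7.0),
    ("HTML_IMAGE", re.compile(r"<img\b", re.I), 1.5),
    ("HTML_LINK", re.compile(r"<a\s+href=", re.I), 0.5),
]

def score_message(body, overrides=None):
    """Return (total, hits); overrides maps a rule name to a site-specific score."""
    overrides = overrides or {}
    hits = [(name, overrides.get(name, pts))
            for name, rx, pts in RULES if rx.search(body)]
    return sum(pts for _, pts in hits), hits

def filter_message(msg, threshold=6.5, overrides=None):
    """Tag ham in place; return spam wrapped in an outer mail explaining the score."""
    total, hits = score_message(msg.get_content(), overrides)
    is_spam = total >= threshold
    status = "%s, score=%.1f required=%.1f tests=%s" % (
        "Yes" if is_spam else "No", total, threshold,
        ",".join(name for name, _ in hits) or "none")
    if not is_spam:
        msg["X-Spam-Status"] = status
        return msg
    outer = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            outer[header] = msg[header]
    outer["X-Spam-Flag"] = "YES"
    outer["X-Spam-Status"] = status
    report = ["Tagged as spam: %.1f points, %.1f required." % (total, threshold)]
    report += ["  %4.1f  %s" % (pts, name) for name, pts in hits]
    outer.set_content("\n".join(report))
    outer.add_attachment(msg)  # original travels intact as message/rfc822
    return outer

def make_msg(body):
    """Build a constructed sample message (not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "advice@example.org"
    msg["Subject"] = "Enquiry"
    msg.set_content(body)
    return msg
```

Calling `filter_message(make_msg("Is Viagra safe with my medication?"))` with the default scores wraps a legitimate enquiry as spam, whereas passing `overrides={"BODY_VIAGRA": 1.0}` lets it through, which is the tuning a health advisory organisation would want.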
The next step
We identified a PC which had recently suffered a hard disk crash and was scheduled for replacement. It has a 1.9GHz P4 CPU and 512MB RAM - with a brand new 160GB hard disk in place it was more than adequate for the task. We purchased SUSE Linux 9.1 Professional - the Personal version can be downloaded free but we were advised that it was worth paying the £40-odd to get the manuals and extra disks. SUSE comes complete with the Exim MTA and SpamAssassin, so we're all set.
See the knowledgebase article From Spam to Ham - The Story Continues for more on the progress we made…
About the author
Lasa Information Systems Team
Lasa Information Systems Team provides a range of services to community and voluntary organisations including ICT Health Checks and consulting on the best application of technology in your organisation.
Lasa IST is responsible for maintaining the ICT Hub Knowledgebase.
Related articles
- Dealing with spam (or spam, spam, lovely spam)
- From Spam to Ham - The Story Continues
- Spam - solutions anyone?
Published: 11th November 2004 Reviewed: 10th April 2006
Copyright © 2004 Lasa Information Systems Team
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 UK: England & Wales License.