Gamco Anti-Spam

Spam is a modern-day scourge plaguing millions of e-mail users worldwide. It is the electronic equivalent of junk mail, wasting users' time and money.

In the South African context, an estimated 30% of all e-mail messages can be considered as spam, indicating that organisations are faced with an ever increasing, constantly evolving spam problem.

What is "true spam"?

It is extremely difficult to define "true spam" without straying into the realm of opinion and personal choice. For the purposes of the GamCo Anti-Spam service, true spam is defined as:

  • Pure spam: any e-mail regardless of its content that is sent to multiple users who have not specifically requested the e-mail, sent by senders that don't exist, often containing explicit, pornographic content.
  • Other: phishing, chain letters, hoaxes and urban legends.

There is another category which falls into a grey area since it comprises legitimate organisations trying to make a living, making use of so-called "opt in" mailing lists. E-mail is only sent to users if their consent has been given. It is up to the personal choice of the recipient whether or not the message is desired. In such cases, it should be up to the recipient, since blurring the definition of spam means an increased risk of deleting e-mail which an end user wishes to receive.

Why do users receive spam?

Apart from the most common cause, e-mail users providing their e-mail address to untrustworthy websites, some of the reasons users receive spam are detailed below:

E-mail address harvesting

Spammers "harvest" addresses in every conceivable place. If a user has ever registered a software product, asked a question on a technical-support bulletin board or participated in an online discussion group, their e-mail address may be picked up by a spammer harvesting addresses.

Additionally, spammers launch harvesting attacks against companies in an effort to obtain valid e-mail addresses. A harvesting attack is launched by sending messages to the target company addressed to BobA, BobB, BobC, BobD ... BobZ @company.co.za. The receiving message transfer agent (MTA) will be kept busy dealing with the response to this message, for example: "BobA is not at this domain ... nor BobB ... nor BobC. But, I can deliver this one for you!" The spammer learns from the delivery and non-delivery reporting which e-mail addresses are valid and which are not. Internationally, anti-spam vendors have reported that nearly 50% of the connections made to their service are attempts to harvest addresses, which they fortunately have technology to rebuff.
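A receiving organisation can recognise this pattern in its own mail logs. The following is an added example, not part of the original page or of the GamCo/Brightmail service; it assumes a simplified, constructed log format and hypothetical thresholds (`min_rejects`, `min_ratio`), and reports which addresses a harvesting source managed to confirm as valid.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not any specific MTA's):
#   <timestamp> client=<ip> rcpt=<user@domain> code=<SMTP reply code>
# The angle brackets around the recipient address are literal.
LINE_RE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> code=(?P<code>\d{3})")


def build_sample_log():
    """Return constructed sample log text (documentation-range IPs)."""
    lines = []
    # 203.0.113.7 walks boba..bobj; only bobc exists, so it alone gets 250.
    for i, letter in enumerate("abcdefghij"):
        code = 250 if letter == "c" else 550
        lines.append(f"2024-05-01T10:00:{i:02d} client=203.0.113.7 "
                     f"rcpt=<bob{letter}@company.co.za> code={code}")
    # 198.51.100.20 is an ordinary sender with one mistyped recipient.
    for i, (user, code) in enumerate([("bobc", 250), ("tom.smith", 250),
                                      ("tom.smiht", 550)]):
        lines.append(f"2024-05-01T10:05:{i:02d} client=198.51.100.20 "
                     f"rcpt=<{user}@company.co.za> code={code}")
    return "\n".join(lines)


def find_harvesters(log_text, min_rejects=5, min_ratio=0.8):
    """Flag client IPs whose recipients are mostly unknown users.

    Returns {ip: {"probed": n, "rejected": n, "confirmed": [addresses]}},
    where "confirmed" lists addresses the source learned are valid.
    """
    probed = defaultdict(set)
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not recipient decisions
        rcpt = m["rcpt"].lower()
        probed[m["ip"]].add(rcpt)
        if m["code"] == "550":  # mailbox unavailable / unknown user
            rejected[m["ip"]].add(rcpt)

    flagged = {}
    for ip, bad in rejected.items():
        ratio = len(bad) / len(probed[ip])
        if len(bad) >= min_rejects and ratio >= min_ratio:
            flagged[ip] = {
                "probed": len(probed[ip]),
                "rejected": len(bad),
                "confirmed": sorted(probed[ip] - bad),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_harvesters(build_sample_log()).items():
        print(ip, info)
```

The `confirmed` list is the part worth acting on: those are the addresses the source now knows to be deliverable.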

Note: a recent spam message advertises harvesting software for a nominal fee of $39.95 that will harvest general e-mail lists from mail servers. The software boasts of an ability to harvest 100,000 e-mail addresses directly from e-mail servers in an hour!

Naming conventions

Another factor in the fight against e-mail address harvesting is the naming convention in use: lax, easy-to-guess naming conventions play into the hands of spammers. It is important to re-look at the specific naming convention applied by your organisation to ascertain whether or not this puts your organisation at risk from receiving spam as a result of a harvesting attack. It is important to have defences against harvesting attacks. If Bob.Arnold@company.com is a valid address, then Tom.Smith@company.com is probably also a valid address. Like random telephone dialling, spammers guess at addresses and try all manner of combinations. With a computer, compiling a randomized list of 1,000 user names is not difficult.

The longer a user has an e-mail address, the more likely they are to receive spam. A general rule of thumb is that if an employee has been with a company for more than a year, they will likely begin receiving spam. One solution is to change addresses, but that is annoying enough as a consumer and nearly impossible for a business user to do. Besides, it's only a temporary tactic. The spammers will "learn" the new address and, within a year, you will be back to the same level of spam. Another solution is to deploy an Anti-spam solution.

False positive rate

The accuracy of any anti-spam product is defined by the stated false positive rate, defined as the percentage of legitimate e-mail messages that are incorrectly identified as spam.

Incorrectly filtering small amounts of legitimate e-mail creates the same (or more) productivity loss as spam itself, so it is essential to minimise as far as possible the false positive rate of the anti-spam mechanism deployed. Illustrative examples:

  • A journalist sends an announcement of a friend's wedding to 100 of his friends who work for various companies. The message is full of excitement and CAPITAL LETTERS and, for emphasis, many exclamation marks !!!!!!, as well as an invitation to give money to a charity in honour of the happy couple. This message may be identified as spam by tools in place at nearly half the recipients' companies.
  • A bookstore catering to mystery book lovers is corresponding with one of its customers. It has no trouble receiving the customer's messages, but the shop's replies are not getting through to the customer. Finally, the customer calls their Internet Service Provider (ISP), and finds out that the ISP is blocking messages from mysterylovers.com because it has the word "lover" in the domain name.

These are typical problems encountered when using a poor anti-spam tool, one that leaps too quickly to the wrong conclusions. These types of tools usually stop around 20 to 30 percent of the spam, and catch too many false positives. A slightly better class of tool uses a "point system," where each spam tactic identified in the message earns one or more points. The message is not declared to be spam, however, until a certain threshold of points is reached. In the above examples, the e-mails would not garner enough points to qualify them as spam, and thus are likely to have been received by the recipients.

By far the best option is to deploy an anti-spam tool that makes use of a multitude of methods in identifying individual messages as spam, thereby minimising the risk of false positives.

GamCo's Anti-Spam solution

GamCo recognises that e-mail is a central part of doing business today and, as such, an organisation's messaging platform is a critical system that must be designed with high availability, redundancy and scalability in mind.

Lost productivity is one of the largest costs associated with spam. The cumulative costs of spam add up quickly when e-mail users spend a few minutes daily dealing with and disposing of spam.

For the cost of a cup of coffee per user per month (the cost per user of GamCo Anti-Spam!), one can remove the spam burden from e-mail users within your organisation, allowing them to focus on their work.

GamCo has partnered with Brightmail, a US-based company, in providing its Anti-Spam service to customers. Brightmail, according to GartnerGroup, is viewed as having the dominant share of the global service provider market and is a market leader in the anti-spam space.

Tag vs. Delete Options

There are two options available on a per domain basis (i.e. all users within an organisation falling into a single domain) once an e-mail has been identified as spam:

"Tag Only" option

All e-mail identified as spam will be received by the end user, but will be clearly marked as spam.

The end user can then personally delete the e-mail, or can set up automated rules in their e-mail client to delete all e-mail identified as spam in this manner.

Delete option

All e-mail identified as spam by the GamCo Anti-Spam service is deleted prior to being delivered to the end user, resulting in substantial bandwidth savings for the company, as this e-mail never traverses the company's leased line.

Please note: GamCo do not archive any e-mails once they have been deleted; no record of the e-mail, bar its subject header and the To: and From: information, is maintained.

Trial Period

GamCo recommends that all customers wishing to receive the benefits of GamCo's Anti-Spam service opt for the Tag Only option for an initial period of at least one month (or longer if desired), in order to satisfy themselves that no legitimate business e-mail is identified as spam.

Open Source vs. Commercial anti-spam services, i.e. free vs. paid services

It is not the intention of this document to open the Open Source vs. Commercial services debate, however, the issue of free vs. paid for anti-spam solutions requires urgent redress.

GamCo in deploying commercially available anti-spam software and expensive hardware within the GamCo network are forced to recoup this cost by billing our customers for the Anti-Spam service.

This is in fact one of the large differentiators between GamCo's Anti-Spam service and that of other service providers offering free anti-spam services. GamCo leverages Brightmail's Logistics and Operations Centre (BLOC), which employs teams of people to constantly monitor and identify new forms of spam presenting themselves to users. New rules are created based on their findings, which are sent to Brightmail's customers' servers (example IS) around the world every 10-15 minutes.

Service providers running free anti-spam services generally do so by deploying Open Source anti-spam software (example SpamAssassin), which places the onus on the service provider to constantly update the spam filter rules. This in turn requires teams of people to accomplish.

Open Source anti-spam software is very effective and has achieved maturity over the space of the last few years, but has high hidden costs associated with the ongoing user support, management and administration of the implementation, which can result in reduced efficacy versus that of commercially available anti-spam software.

GamCo Anti-Spam Solution Features

Outsourced e-mail spam scanning engine: the Anti-Spam service is a fast, easy-to-use anti-spam solution that enforces your organisation's IT Acceptable Use Policy (AUP) while protecting against spam and loss of confidential data.

Mail spooling: While it is true that the GamCo Anti-Spam service will spool an organisation's mail if their mail server is down for a limited period, this is not a business benefit of the service, since queued mail will only be stored by the GamCo Anti-Spam service for 3 days on a first in, first discarded basis if the mail server outage lasts longer than 3 days.

Shared platform solution: the Anti-Spam service is available on a shared platform, leveraging the benefits of economies of scale for our customers, delivering cheaper, more sustainable solutions.

Mail server protection: integral to the service's anti-spam capabilities.

Scalability: GamCo's Anti-Spam service has been designed with the principles of maximum scalability in mind, such that GamCo can easily respond to increases in demand for the Anti-Spam service. This has the added benefit of reducing support of the service, since problematic components are merely replaced at a moment's notice.

Reporting services: detailed reports are available to clients. These provide excellent management information and illustrate e-mail usage patterns and savings. Reports are made available 24 hours a day via the GamCo Customer Zone.

Fault Tolerance: The GamCo Anti-Spam solution has been designed to be a fault tolerant and highly scalable service. However, in the event that the GamCo Anti-Spam service is unavailable to users for the purpose of scanning incoming e-mail for Spam messages, end users will continue to receive un-scanned mail. In other words, both valid e-mail in addition to Spam messages (which would have ordinarily been "tagged" or "deleted" by the GamCo Anti-Spam service) will be delivered to the end user, until such time as GamCo engineers restore the service. Note: This process will be seamless to the end user.

Fully supported, high availability solution: support staff are available 24 hours a day to ensure the system is always available. GamCo is responsible for ensuring that the environment and service components are fully redundant and thus offer maximum availability.

Incoming e-mail size limit: In order to ensure that all customers' e-mail is processed quickly, GamCo have imposed an incoming e-mail size limit of 20 MB for any incoming messages. Any e-mail that is larger than this will not be accepted by the GamCo Anti-Spam servers.

GamCo Anti-Spam Solution Benefits

Enhance network protection and enforce your organisation's AUP: as e-mail becomes the most important channel for business communications, scanning of e-mail is increasingly recognised as a necessary component of network protection for businesses.

Increase leased line cost efficiency: According to GamCo's current observations, Anti-Spam has been shown to block 80-90% of incoming mail identified as spam, translating to a direct cost saving on bandwidth and leading to more efficient use of the Internet line.

Outsourced and cost effective solution: the solution is entirely outsourced; hence costly software and hardware purchases are avoided, as are the costs of hiring internal staff to provide a similar solution. Software licenses are negotiated in bulk, and hardware is shared amongst clients to reduce costs, thus offering a solution that benefits from these scale economies.

Best practice spam recommendations

While GamCo Anti-Spam has a strict definition of spam and takes great care to distinguish messages which are legitimate from those which are not without impinging on the end user's personal choice, it is prudent to take certain precautions when proactive steps are taken against spam.

It is imperative that all parties within a company agree on the definition of spam. GamCo Anti-Spam uses the following guidelines to distinguish spam from legitimate e-mail communication and recommends that companies formulate an e-mail acceptable usage policy (AUP) based on the principles outlined by Brightmail in the diagram below.

Brightmail spam evaluation criteria

There is unfortunately no single "silver bullet" solution to the Spam problem, thus Brightmail employs a multi-layered approach, using different filters to combat each of the Spam types, making it more difficult for spammers to reach their victims.

In order to keep up to date with the latest spam attacks, Brightmail employs automated rule creation and delivery technologies, delivering updated Brightmail rule sets to GamCo's Brightmail servers approximately every 5-10 minutes.

Within the rules module, there are five types of filters, each designed to combat different types of spam in the different categories, i.e. source, content or call to action, each being necessary in order to combat the complex spam attacks that spammers now resort to. The filters have the following functionality and have proved highly effective in the war against unsolicited e-mail:

| Filter Type | Spam Category | Methodology | Purpose |
|---|---|---|---|
| Open Proxy List | Source | Proactively seeks out (only) open proxies based on Probe Network information. | Blacklists open proxies from a list that is highly accurate as it is rebuilt every hour. |
| Body Hash | Content | Reduces the body of an email message to an essential fingerprint. | Traps spam characterised by a common message body and complex, highly randomised headers. |
| BrightSig2 | Content | Strips Spam messages of random HTML code and incorporates fuzzy analysis to identify the underlying "DNA" of an evolving Spam attack. | Defuses HTML-based spam attacks that evade most filtering techniques. Allows Brightmail to group seemingly random spam messages into a common attack that can be efficiently filtered. |
| Header | Source and Content | Uses expression filters that target the headers and subject lines of Spam messages. | Creates tight, targeted filters that identify telltale spam characteristics with almost no false positives. |
| Heuristic | Source and Content | Scores messages against a large set of heuristic filters. If a message achieves more than a specified score, it is considered to be Spam. | Enables the proactive identification of spam based on inherent characteristics. The application of weights to each rule guards against false positives. |
| URL | Content and Call to Action | Matches embedded URLs that often appear in Spam messages with a list of Spam URLs compiled by the Brightmail BLOC. | Identifies and filters the spammer's intended URL, which is often the sole purpose of prevalent "call to action" spam messages. |

Table 1 GamCo Anti-Spam Spam evaluation criteria

Source: Brightmail Anti Spam Enterprise Edition 5.5 Reviewer's Guide

Pricing

| Anti-Spam Service | Units | Set-up Cost | Monthly Cost |
|---|---|---|---|
| 10 - 100 users | Per User | Free | R 5.00 |
| 100 - 750 users | Per User | Free | R 4.00 |
| 750 - 1,500 users | Per User | Free | R 3.50 |
| 1,500+ users | Per User | Free | R 3.00 |

Pricing Details

  • Terms and conditions apply, these are available on request.
  • All pricing excludes VAT and is valid for 30 days from the date of quotation.
  • Costs may fluctuate with the R/$ exchange rate.

Glossary

Blacklists and White Lists: The use of blacklists as the only anti-spam tactic is entirely unsatisfactory. Used as one data point in a point system, blacklists can be helpful. An enterprise can also create a white list of domains that are always allowed to receive e-mail, no matter what their content is;

Content Analysis: Includes one or more of the following capabilities:

A set of rules to search for known spammer tactics;

A set of rules to search for known chain letters, hoaxes and urban legends;

The ability to look for words and phrases in a targeted "words list" (for example, porn, financial services);

The ability to do contextual analysis;

Heuristics: Heuristics look at a message for common Spam characteristics, allocating a point for each characteristic detected. If the total number of points is greater than the threshold, the message is identified as Spam and dealt with accordingly.

While heuristics are a powerful tool, one drawback is that spammers purposefully design their messages to avoid heuristics.

Sample heuristics:

  • Forged received line
  • Content type
  • Message is usable
  • Yahoo redirect
  • Forged MUA
  • Body 25% uppercase
  • Excessive CC field lines
  • Excessive numeric
  • "one time message"
  • "opt out"

Heuristics are a trained set of sample messages, where improper training can lead to a high number of false positives. Most heuristics force a trade off between effectiveness and accuracy, and thus cannot be used as primary anti-spam technology;
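The point system described under "False positive rate" and in the Heuristics entry above can be shown with a short scorer. This is an added example, not Brightmail's or GamCo's code: the heuristic names follow the page's sample list and wedding example, while the predicates, the one-point weights, the threshold of 3 and the sample messages are assumptions constructed for illustration.

```python
def uppercase_ratio(body):
    """Share of alphabetic characters that are uppercase."""
    letters = [c for c in body if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


# Names follow the page's sample heuristics; the predicates, the one-point
# weight per hit and THRESHOLD are assumptions made for this example.
HEURISTICS = [
    ("body 25% uppercase", lambda b: uppercase_ratio(b) >= 0.25),
    ("excessive exclamation marks", lambda b: "!!!" in b),
    ("one time message", lambda b: "one time message" in b.lower()),
    ("opt out", lambda b: "opt out" in b.lower()),
]
THRESHOLD = 3

# Constructed sample messages.
WEDDING = ("GREAT NEWS!!!!!! ANNA AND PETER ARE GETTING MARRIED!!! Please join "
           "us, and consider a gift to charity in their honour.")
SPAM = ("THIS IS A ONE TIME MESSAGE!!! EARN 5000 A WEEK FROM HOME. "
        "To opt out reply with REMOVE.")
BUSINESS = "Hi Tom, the Q3 report is attached. Regards, Bob"


def hits(body):
    """Names of every heuristic the message triggers (one point each)."""
    return [name for name, test in HEURISTICS if test(body)]


def single_rule_verdict(body):
    """Poor tool: any single characteristic is enough to call it spam."""
    return len(hits(body)) >= 1


def point_system_verdict(body, threshold=THRESHOLD):
    """Point system: spam only once the threshold of points is reached."""
    return len(hits(body)) >= threshold


if __name__ == "__main__":
    for label, body in [("wedding", WEDDING), ("spam", SPAM),
                        ("business", BUSINESS)]:
        print(label, hits(body), single_rule_verdict(body),
              point_system_verdict(body))
```

The wedding announcement triggers two heuristics, so the single-rule tool blocks it while the point system delivers it; lowering the threshold trades that false positive back for more catches.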

Phishing: attacks involve the mass distribution of 'spoofed' e-mail messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc. Because these emails look "official", up to 5% of recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity.

Open Proxy List (OPL): OPL is a highly accurate method of blacklisting open proxies, based on information garnered from the probe network. Using this method only open proxies and not open relays are blacklisted, thus reducing the percentage of false positives. Additionally only individual servers (and not collections of servers) are blacklisted. The OPL is rebuilt from scratch every hour, implying very high accuracy.

Source filtering: Most spam is relayed in order to hide the identity of the spammer. There are two types of relays: proxies and mail relays.
