Thinking of Buying an Anti-Spam Program?
Look at Windows 2003 Technologies
by Greg Welsh

If you're a Microsoft customer, before you put money (and time) into
the purchase and installation of an anti-spam software package,
be sure that your support team or provider has explored the
full capabilities of Windows Server 2003 and Office/Outlook
2003 versions. Microsoft, true to form, has seen a growth
area exploited by early entrants who recognized a need. Unwilling
to cede the market, and driven by customer concerns about
the amount and cost of spam, Microsoft decided to wade into
the pool with its own technology. The depth of Microsoft's
research and increasing integration of its core Windows technologies
show the promise of what the company can accomplish when it
tries to help customers "do more with less" - especially
when the "more" is upgrading to current versions
of Microsoft products and buying "less" of third-party
applications.

In fact, as I write this column for its July 1 publication date, there
are rumors that Microsoft will try to buy Network Associates,
one of the leading vendors of anti-virus and anti-spam software,
and denials that Network Associates is for sale. The purchase,
if it happens, would bolster Microsoft's goals of improving
security and reducing spam. It would also provide Microsoft
valuable intellectual property for security on platforms other
than Windows. The bottom line here is that Network Associates
and other vendors are feeling the pinch of Microsoft's commitment.

A properly configured Microsoft environment that includes Windows Server
2003 and Office/Outlook 2003 will reduce spam in a reader's
inbox to next to nothing, and will generate very few "false
positives," the term of art for email that gets marked
as spam even though it comes from a sender the recipient considers
OK. It is extremely easy to tell the software to redirect
legitimate mail marked as spam into the inbox, and to henceforth
consider the sender "safe," so that all future mail
from that sender will be accepted. Small to medium businesses
that run this Microsoft combination and also invest in a third-party
anti-spam program run the risk of having to manage two software
applications that serve the same purpose, or of focusing on one
and ignoring the value of the investment in the other.

This is the wrong end of the problem, naturally, and one we shouldn't
have to write about. Door-to-door solicitation has been reduced
to virtually nothing by civil laws in local jurisdictions,
cultural factors, and the force of a simple "no solicitors"
sign on the premises. Telephone solicitation is showing promise
of being on the same path to extinction - while the law that
enabled the "do not call" registry had plenty of
loopholes, the number of registrants and the flood of complaints
are signs that telemarketers may die a slow death, twisting
in the wind. Spam originators, alas, are still free to roam
the range, sail the high seas, and annoy, cheat and steal
with impunity and often without real risk.

However, the input side of the equation is changing. Major email providers
such as Microsoft, Yahoo, AOL and EarthLink have agreed on
the basics of a sender authentication scheme that may be implemented
within months. This scheme is intended to choke spam at its
point of origin by denying illegitimate senders access to
the internet for outbound traffic. It will no doubt reduce
the number of spammers simply by making life difficult enough
for some so that they quit the game. But it will only drive
those remaining to be even more sophisticated, and perhaps
to increase the number of exploits that use "zombie"
techniques to commandeer the machines of the unwary or careless.

The "big four" also have opened discussions on a stronger standard
involving cryptographic techniques (read: more complex to
implement and for users to understand) that could be ready
in oh, say, a year. After that it would be up to email users
to see that their system configurations, operating practices,
and communication cultures are adapted to the requirements
of the new system. While the solution may be elegant and may
work beautifully, anything that requires user buy-in and participation
has a higher barrier to entry. This will dampen its deterrent
value as spammers will learn its responses and design new
approaches to hijack machines and use social engineering to
fool people into taking steps that will aid the attackers
in their goals.

Taken together, these two approaches will move toward reducing the
amount of spam that filters through to end-users, and may
drive some of the low-end grifters off the net. Is the real
situation such that until some sort of computer certification
requirements are enacted or turned into "de facto"
requirements, insecure machines and their owners, whether
clueless, careless, or nefarious, will continue to provide
hosting environments for spammers? Legislation won't solve
this problem if it attacks spam, because the variety of laws
governing commerce and trade is nowhere near getting spam
on the agenda of the WTO, or making spam an international
issue suitable for INTERPOL. Legislation that takes a safety-driven
approach such as we see in registration and safety testing
of motor vehicles is a nice thought, and one that can work
well over large patches of ground… but the internet
doesn't really have borders, despite some governments' attempts
to regulate it with restrictive practices.

I don't see internet service providers seeking to run security audits
of senders' or recipients' machines before accepting or delivering
mail; there's just too much George Orwell in such a scheme.
("Warning: your browser is insecure; therefore we are
unable to deliver mail to you until this problem is fixed.
For a resolution to this situation, call Microsoft.")
So, for the moment, upgrade to the latest Windows versions,
get them configured properly, make some investments in tuning
your system, and watch the developments and this column for updates
on the situation.

Contact Greg Welsh for more information.