A year after the CAN-SPAM Act went into effect, it seems like we're getting a greater volume of spam and in much more malicious forms. A recent study by the Pew Institute found that of users with a work e-mail account, 21 percent are getting more spam than a year ago.
What can you do to limit spam in your organization? And how do you properly educate users to recognize suspicious files and to protect their personal information as well as your organization's IT network?
For answers, Advisor spoke with Mark Ramos, Granite Software president, on how to stay one step ahead of spammers.
ADVISOR: What are the latest message-borne threats to system security?
RAMOS: The line between spam attacks and virus attacks is fading rapidly. Viruses were once merely malicious. Now zombie attacks have changed the nature of viruses, from spreading more viruses to spreading more spam.
In the old days of junk e-mail, we saw spammers sending mail from a series of changing IP addresses. With today's sophisticated zombie viruses, spammers can repurpose fleets of home computers with transient DHCP-distributed IP addresses from major ISPs. Conventional public blacklists can't combat this style of spam attack, so we have to move to more sophisticated filtering and discernment mechanisms.
Alternative messaging technologies don't change the threat of spam. If you can receive a message through a channel, there's a way of receiving spam through that same channel. The means of protection aren't much different between channels: If you receive offers from people you don't know, be it e-mail, TXT messaging, or instant messaging [IM], don't respond. More than half the spam you receive isn't a call to action; rather, it's a ping to confirm a working address.
The most valuable transaction to a spammer isn't selling you something -- it's getting more information about you: your home address, your bank card numbers, your Social Security number, and your income details. Therefore you must educate the e-mail users in your organization to simply ignore such messages. Phishing, although considered a recent phenomenon, is one of the oldest practices of the grifter.
[Editor's Note: Phishing is when you receive an e-mail message from a financial institution or other major business that looks official, and requests that you provide sensitive financial and/or personal information. Legitimate organizations don't ask for this kind of information via e-mail, so such messages are almost always fraudulent. In the Pew study, 35 percent of surveyed users received phishing e-mail, and two percent provided the requested information.]
ADVISOR: What are the proven ways to handle spammer threats?
RAMOS: Anti-spam strategies chase a moving target and need multiple mechanisms to defend against spam. Currently there's a focus on text-scanning techniques, but even sifting through fields of offensive word-patterns isn't sufficient. Administrators sometimes spend a lot of time collecting new trigger words for their spam glossaries, but this method provides only marginal defense for newer spam methods.
Administrators shouldn't consider their users as a monolithic entity, but rather a series of smaller communities with differing anti-spam needs.
Typically there are a few internal communities that don't regularly correspond with new mail senders. So limiting these communities' whitelists -- the "safe" e-mail senders -- to only those addresses listed in the Sent folder is a fast and quite effective method of discerning spam from desired e-mails.
Administrators face a spam problem that can be political rather than technological. Executives with broadband at home will sometimes act as spoofers for their company's e-mail, attaching a corporate .com e-mail address to home ISP Web mail. Because domain spoofing is a tactic of spammers to bypass simple anti-spam protocols, the use of home ISP domain spoofing becomes a sore point between the IT folks and the upper management who don't want to use their business mail system at home. Taking a strong stance against work-at-home users spoofing corporate domains is an important defense against business spam attacks. IT administrators need the support of the CIO and upper management in closing the loopholes for real spoof attacks.
ADVISOR: What should tech admins do to harden their mail servers against attack?
RAMOS: IT administrators should remember to plan defenses on all the SMTP servers listed in their MX records. Too often administrators keep their primary servers up-to-date with anti-virus (A-V) software, tight port control, etc., but then forget that the backup SMTP servers require attention as well. Spammers know the weak points in mail systems, and exploit these weak points. Your failover systems must be as secure as your primary systems.
ADVISOR: Is there anything a developer can do to help prevent spam?
RAMOS: Yes, don't practice spammer techniques when sending mail via agents. If you are using an automated agent to generate and send mail, make sure the mail isn't spoofing its headers with spurious From fields. Developers sometimes fill in the From field with the To field, creating spoofed, self-addressed e-mail messages. If your own servers are sending out spoofed e-mails, it's only adding to the burden of identifying real spam.
ADVISOR: Are there any new features in IBM Lotus Notes/Domino 7 for spam fighting? Are there any new features that cause vulnerabilities?
RAMOS: A long-requested addition is whitelist support. Being able to populate a native whitelist, beyond the Sent folder, is going to largely help to reduce basic friend-or-foe tasks. But remember: As with all whitelist/blacklist implementations, there's a need for expiration dates on the entries.
ADVISOR: What can users do to help?
RAMOS: The best thing users can do to combat unwanted e-mail is to use their common sense. Don't pass personal information to anyone you don't know. Always remember that banks and credit card companies never ask you to e-mail personal information. If you're unsure of a transaction, don't complete that transaction.
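The Sent-folder whitelist Ramos describes, with the entry expiration he recommends for whitelist/blacklist implementations, as an added example that is not part of the interview and not Granite Software's or Lotus Domino's code. It derives safe senders from the addresses a user has written to, gives each entry an expiry date, and routes only unknown or stale senders to heavier content filtering; the mailbox contents, addresses, dates and the 90-day policy are all constructed assumptions.

```python
"""Sent-folder allowlist with expiring entries (added example).

Safe senders are the recipients of the user's own outbound mail; each entry
lapses unless refreshed by newer outbound mail. Inbound mail from a current
correspondent bypasses content filtering; everything else does not.
"""
from datetime import date, timedelta
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

TTL_DAYS = 90  # assumed policy: entry expires 90 days after the last message sent to it

# Constructed sample mailbox contents (placeholder addresses, not real people).
SENT_FOLDER = [
    "From: alice@example.com\nTo: Bob <bob@partner.example>\n"
    "Date: Mon, 10 Jan 2005 09:00:00 +0000\n\nhello\n",
    "From: alice@example.com\nTo: carol@vendor.example\nCc: dan@vendor.example\n"
    "Date: Wed, 01 Sep 2004 12:00:00 +0000\n\nquestion\n",
]
INBOX = [
    "From: Bob <bob@partner.example>\nTo: alice@example.com\nSubject: Re: hello\n\nok\n",
    "From: deals@bulk.example\nTo: alice@example.com\nSubject: $$$\n\nbuy now\n",
    "From: dan@vendor.example\nTo: alice@example.com\nSubject: invoice\n\nattached\n",
]

def build_allowlist(sent_msgs, ttl_days=TTL_DAYS):
    """Map every To/Cc recipient found in Sent -> date its allowlist entry expires."""
    allow = {}
    for raw in sent_msgs:
        msg = message_from_string(raw)
        sent_on = parsedate_to_datetime(msg["Date"]).date()
        expires = sent_on + timedelta(days=ttl_days)
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            if addr:
                # A newer outbound message refreshes the entry; the latest expiry wins.
                allow[addr.lower()] = max(allow.get(addr.lower(), date.min), expires)
    return allow

def classify(raw_inbound, allow, today):
    """'allow' = current correspondent, 'expired' = stale entry, 'filter' = unknown sender."""
    _, sender = parseaddr(message_from_string(raw_inbound).get("From", ""))
    expires = allow.get(sender.lower())
    if expires is None:
        return "filter"
    return "allow" if expires >= today else "expired"

def triage(inbox=INBOX, sent=SENT_FOLDER, today=date(2005, 2, 1)):
    """Classify each inbound message against the allowlist derived from Sent."""
    allow = build_allowlist(sent)
    return [classify(raw, allow, today) for raw in inbox]
```

Running triage() on the constructed inbox returns one verdict per message; the stale vendor entry shows why expiry matters, since a once-legitimate address should not stay trusted indefinitely.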