
Never-ending spam battle consumes resources

by George Spain
Information Services
In the communication war that never ends, spam busting is the battle that never stops.
 
MUSC gets around 970,000 e-mail messages a day. Of these, some 630,000 are “blacklisted” and rejected. Another 150,000 or so are deleted based on their content (this is a level two defense, more on this later). The rest, amounting to about 200,000 messages, are delivered to the recipient. Of these, however, Information Services (IS) e-mail administrator Paul Arrington suspects that at least 50 percent is spam.
 
“We can't guess. We don't want false positives. That would mean useful information is being stopped at our door,” said Arrington.
 
There are two defensive nets set out to trap spam before it gets to an e-mail account. The first level of defense is the blacklist, spam sites listed by their originating Internet Protocol (IP) addresses. It's a large list, but this is the easiest kind of spam to detect and reject even before the full text of the message arrives.
 
An increasingly popular form of spam attack now comes from “zombie computers”—home or small office computers left without critical updates by their owners. These computers are captured by spammers who relay e-mail from a seemingly innocent address. Since zombie networks can include thousands of different computers (which means different IP addresses), blacklisting them is next to impossible.
 
A second, more esoteric, level of netting spam is the scanner. Scanners are software traps that briefly read the incoming message and, based on key words and phrases, redirect the message to a holding directory where it is given more scrutiny before delivery. One especially sneaky form of spam, image spam, keeps the scanners running overtime. These e-mails contain no text for the scanners to scrutinize, only images, which usually appear as gif files. [Note: during the recent holidays, an additional scanning server (there's now a total of four) was put into service, reducing some of the delay caused by spam.]
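The two nets described above can be sketched in a few lines. This is an added example, not MUSC's or any vendor's code: the blacklist network, keywords, sample messages and the optional `check_structure` rule are all constructed assumptions, and it shows why an unlisted "zombie" host gets past level one and why image-only mail gets past a keyword scan.

```python
import ipaddress
from email import message_from_string

# Constructed sample data: documentation-range networks and made-up phrases,
# not MUSC's real blacklist or scanner rules.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
KEYWORDS = ("cheap meds", "act now")

def visible_text(msg):
    """Return the lower-cased subject plus every text/* part."""
    chunks = [msg.get("Subject") or ""]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks).lower()

def classify(peer_ip, raw_message, check_structure=False):
    """Return 'reject', 'hold' or 'deliver' for one incoming message."""
    # Level one: the sender's IP is known at connect time, so a blacklisted
    # host is refused before the message body is read at all.
    if any(ipaddress.ip_address(peer_ip) in net for net in BLACKLIST):
        return "reject"
    msg = message_from_string(raw_message)
    text = visible_text(msg)
    # Level two: keyword scan; a hit goes to the holding directory.
    if any(k in text for k in KEYWORDS):
        return "hold"
    # Assumed extra rule (not described in the article): hold mail that
    # carries an image but no body text, since keywords cannot match it.
    if check_structure:
        parts = [p.get_content_maintype() for p in msg.walk()]
        if "image" in parts and "text" not in parts:
            return "hold"
    return "deliver"

# Constructed messages for the demonstration.
TEXT_SPAM = "Subject: hello\nContent-Type: text/plain\n\nCheap meds, act now!\n"
IMAGE_SPAM = (
    "Subject: hi\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
    "R0lGODlhAQABAAAAACw=\n--b--\n"
)

if __name__ == "__main__":
    print(classify("203.0.113.9", TEXT_SPAM))    # blacklisted relay
    print(classify("198.51.100.7", TEXT_SPAM))   # unlisted "zombie" host
    print(classify("198.51.100.7", IMAGE_SPAM))  # image-only message
    print(classify("198.51.100.7", IMAGE_SPAM, check_structure=True))
```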
 
As he talked, Arrington sat in front of a computer screen that scrolled line by line through a seemingly endless list of notices that suspect messages were being sent to the holding directory.
 
“Right now we're running about 8,000 messages behind,” he said without looking up.
 
Those 8,000 messages are about an average day, so how do they affect mail delivery?
 
“We get complaints of slow mail delivery,” said Help Desk manager Christine Williamson, “but the IMAP and GroupWise servers are running efficiently. Any slowdown can be attributed to spam.”
 
Scanners are only as good as the algorithms used to drive them. Now, the scanning software employed by Information Services is open source, meaning that it is free software available to all. How good is it?
 
“The way I understand it, we're blocking about 50 out of every 100 messages that need blocking. We should be blocking 87 out of every 100,” said Arrington.
 
Obviously, the software could be better. Like many things, though, you get what you pay for. The good stuff costs money.
 
Several companies offer e-mail scanning packages that promise to reduce spam and viruses. IS launched a study to find out which offered the best services for the money. Staff tested four: McAfee, Barracuda, Sophos and Sonic Wall.
 
Of the four, the e-mail staff is optimistic about Sophos. The package comes with scanning and filtering software and staff support. Arrington estimates that Sophos would stop 80 percent of what is now passing through the second level of defense. In addition, “Sophos was the only software that runs on machines that we use now and are familiar with,” he said.
 
Sophos is such a good bet that Bill Rust, technical services manager at IS, has requested that the package be pursued through Purchasing as a best value. This would expedite the acquisition and installation, but Rust expects that implementation is still eight to 12 weeks away.
 
With Sophos, hundreds of people on the support staff do what Arrington and one other mail administrator now do, which is to maintain and publish updates on a continuing basis.
 
“You can watch them (e-mail administrators) at meetings…they're constantly glancing at their portable computers scanning e-mail as they're participating,” said Williamson.
   

Friday, Jan. 12, 2007
Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Island Publications at 849-1778, ext. 201.