Since the first spam, sent in 1978 by Einar Stefferud, this particularly irritating form of advertising has grown to where, according to a May 2003 article in Information Week, unprotected e-mail users waste an average of 200 minutes processing spam for every 1,000 messages they receive—adding up to an unbelievable 3.5 hours of lost productivity per person per month. And if the loss in productivity is not a sufficiently compelling reason to apply resources to the war on spam, just consider the ramifications of the offended employee shocked by the contents of a message bringing a hostile work environment suit against the company.

So if you’ve made the decision to filter incoming e-mail, your next step is to determine exactly how. A basic search on the Internet will reveal a confusing plethora of alternative options, products, methods, and services. How do you decide which is the best choice for your environment? Regardless of whether you decide to utilize a service, purchase an add-on for your e-mail server, buy a client-based product or filter at the periphery of your network, a basic understanding of spam control methodologies will facilitate your decision making process. Here’s an evaluative summary of a few of the methodologies most frequently employed.

Content filtering
(Example products/services: ESafe, GFI MailEssentials and SpamKiller)

This method scans the subject line and/or message contents for specified individual words and phrases. Most products that offer this form of filtering supply a canned list of words that can then be customized to meet your specific needs. While this method is appealing in its simplicity, it’s too crude to be seriously considered as a total solution. If the list of words and phrases is sufficiently comprehensive to block most spam, it will also block many legitimate messages, especially if used in a multilanguage environment. Word lists require a great deal of maintenance. Many spammers succeed in thwarting content filtering by disguising certain key words and by embedding all text within file types the scanner cannot read. Content filtering is a useful method when used as one aspect of a total solution.

Heuristic filtering
(Example products/services: SpamAssassin, SpamKiller and ScanMail eManager)

Heuristic filtering takes content filtering to the next level by scanning message subject and contents for patterns. Most products utilizing heuristic scanning apply rules to each message to determine its degree of compliance with known spam words/phrases and scores are applied accordingly. A message is then classified according to its total score. Some applications allow the strength of the heuristics applied to be selected by the user—the stronger the heuristics the more spam will be blocked—but this also increases the risk of blocking more legitimate messages. In general, heuristic filtering is more sensitive and effective than content filtering, but it cannot protect against all forms of spam.

Tarpitting
(Example products/services: VisNetic MailScan, Merak E-Mail Server, Alligate)

Tarpitting is an entirely different approach designed to thwart spammers. Instead of inspecting the contents of a message, tarpitting looks at such factors as the number of recipients or the number of unsuccessful delivery attempts. If a message has more than a specified number of recipients, for example, a delay is inserted between the delivery times of the message to each recipient. This delay has the effect of “tarpitting” the spammer, causing them to assume that the connection has stalled and cease sending. This use of tarpitting is particularly effective against spammers attempting to use your e-mail server as an open relay. Another example of tarpitting counts unsuccessful attempts to deliver a message. When this count exceeds a specified amount, the sender’s IP is blocked for the remainder of the session.

Blocking
(Example products/services: ESafe, SpamCop, MailProtector)

Similar to content filtering, spam blocking simply prevents messages from being delivered to the intended recipient if it was sent from a specified e-mail address, domain, server, IP address, or range of addresses. Some products offering this feature have a predefined list of known spammers that can be updated by download. This is another simple solution that requires almost daily maintenance because regardless of how many senders are added to the blocked list, new spammers are constantly spawned and old ones learn to disguise their identity. As with content filtering, blocking is useful only as an adjunct to other forms of spamicide.