Protecting Your Customers from Spam
Everyone hates spam, and there seems to be no escape from it. As a web host, however, you’re closer to the front lines of this battle than your customers. In this article, I’ll detail some of the steps you can take to keep this unsolicited annoyance from getting out of hand.
By some estimates, spam, also known as unsolicited bulk email, has already gotten out of hand generally across the Internet. Ferris Research estimated that the cost of spam to the United States economy came to more than $10 billion in 2003. That takes into account the consumption of computing resources, help desk personnel time, and worker productivity (after all, the few seconds spent deleting each of those emails adds up). When Intermedia.NET launched its new SpamStopper service, it cited 2006 research which estimated that spam “represents over 66% of all email sent, and more than 10% of lost productivity.”
The federal anti-spam laws have done little if anything to stem the tide. As Scott Chasin, chief technology officer for anti-spam company MX Logic notes, “Predictions of the impending death of spam are premature. While significant advances in anti-spam technology have made it possible to relieve email users of unwanted commercial email before it hits their inboxes, spam still makes up the majority of all email traffic — imposing a significant burden on the Internet and on the effectiveness of email.”
The situation may sound bleak, but it isn’t hopeless. You will need to be proactive in the battle, however, since there is no automated program that is 100 percent effective against all spam. Even if there were, spammers (and especially phishers) are clever; as fast as anyone comes up with ways to filter spam, they come up with ways to get around the filters. For example, when spam filters started blocking emails that contained words used frequently in spam, spammers just started using variations of the words or corruptions of them that would still get the point across.
Sure, you need to have automated programs guarding your customers’ inboxes, but you also need to engage in manual monitoring. Check uploaded files for common spam scripts, watch server loads, and keep an eye on your customers, especially new ones, for unusual behavior. Register your email with spam-fighting sites, such as Spamcop.net or Abuse.net.
If you do find yourself with a spam problem on your hands, you need to have an action plan in place. Create one now, before you have to use it. Don’t attribute to malice what can be explained by ignorance (yes, there are still people who are ignorant of spam, or at least of how to handle it).
Protecting Your Customers from Spam – Know Your Customers
Bart Shaefer, CTO of iPost, pinpoints a major step any web host can take to keep spam from becoming a problem. “The first and most important thing Web hosting vendors should do is perform due diligence checks up front — before agreeing to provide service.” He should know how important that is; his company serves other firms that send legitimate opt-in-only mailings, and it handles huge volumes of email.
So how do you perform due diligence? You can start by doing the same things you might do to check a prospective employee — use Google or another search engine to see what you can learn about the person and his or her company. Don’t skip over doing a credit check; spammers often have no credit or bad credit. But this is just the beginning.
Check your customer’s IPs and domains against black lists; there are many public ones you can use. Be wary if a domain is not registered. Check for address and telephone number matches. Since customers can get a little touchy when you ask a lot of questions, make it clear why you’re going to so much trouble. Legitimate customers don’t want to be associated with spammers any more than you do!
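A blacklist check of the kind described above can be scripted. The following is an added example, not part of the original article: it builds the standard DNSBL query name (reversed address plus the list's zone) and treats any answer inside 127.0.0.0/8 as a listing. The zone dnsbl.example.org, the sample addresses and the offline resolver are constructed placeholders.

```python
import ipaddress
import socket

# Placeholder zone: substitute the DNS blacklists your abuse desk actually uses.
DNSBL_ZONES = ["dnsbl.example.org"]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an address (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # IPv4: octets reversed, e.g. 192.0.2.99 -> 99.2.0.192.<zone>
        labels = reversed(str(addr).split("."))
    else:
        # IPv6: all 32 hex nibbles reversed, one nibble per label
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_ip(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer} for every zone that lists the address.

    A listed address resolves to an A record inside 127.0.0.0/8; an
    unlisted one gets NXDOMAIN (socket.gaierror). Any other answer is
    treated as a broken or hijacked zone and ignored rather than trusted.
    """
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue  # not listed, or the lookup failed
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


def _fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    listed = {"99.2.0.192.dnsbl.example.org": "127.0.0.2"}
    if name in listed:
        return listed[name]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10"):
        print(ip, check_ip(ip, resolve=_fake_resolver) or "not listed")
```

Drop the `resolve=` argument to query real DNS, and check the usage terms of each list before running bulk lookups against it.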
One source you should go to when checking out your customers is the Spamhaus Project (www.spamhaus.org). Among other things, this organization maintains the ROKSO database: the Registry of Known Spam Operations. Spammers on this list have lost their accounts with at least three ISPs for spam-related offenses. These people are hard-core; just 200 “spam gangs” send 80 percent of the spam received by Internet users in North America and Europe, and most of them are listed in the ROKSO database, according to Spamhaus. To quote the organization’s web site, “The vast majority of those listed here operate illegally and move from network to network (and country to country) seeking out ‘spam-friendly’ Internet Service Providers (‘ISPs’) known for lax enforcing of anti-spam policies… These are the spammers you definitely do NOT want on your network.”
Google Groups is another place to check; specifically, search the news.admin.net-abuse newsgroup. But use it carefully. Many postings aren’t real; they’re forgeries designed to hurt legitimate parties, sometimes created by spammers in an attempt to shift the blame from those who are truly at fault. Also, make sure you don’t confuse spammers with those who have received spam and are simply reporting an offender.
Protecting Your Customers from Spam – Technical Preparation
Before I go any further in this discussion of ways to prevent spam from becoming a problem on your network, I’d like to mention the role of education. You may understand the importance of the steps you are taking to fight spam, but your staff and your customers may not. Start by explaining to your staff what kinds of checks to perform on new customers and why; they need to know what issues (such as bad credit and/or being on black lists) raise red flags.
Don’t neglect your customers in your educational campaign either. You can include articles on your web site that explain what spam is and how to fight it, either with your own tools or others. Make sure both your customers and your staff understand good emailing habits (as both senders and receivers). You should also make sure your customers know what to do if they are accused of spamming.
You might be reading this and feeling somewhat frustrated. “I have instant account activation; my customers appreciate it, and it reduces hassles all around. Now you’re telling me I have to get rid of it?” If that’s what you’re thinking, you need to take another look and decide whether it’s really working in the way you intended. Spammers use web hosts with instant account activation to get set up quickly, send lots of spam, and then go on their merry way. Is it really worth the convenience to risk being a magnet for spammers?
Another magnet for spammers is open relays. Don’t let your servers be used in this way. Make sure you have SMTP authentication turned on. Also, if you provide your customers with form mail scripts, use a secure one; if your customers use their own form mail scripts, make sure they’re using a secure one (or at least know what to look for).
Make sure you’re keeping up with the various tricks spammers use to avoid detection. According to a research brief from Trusecure, an information security company, “We are beginning to see more and more cases of ‘spam jacking,’ hackers who exploit poorly configured systems to take control of them and send mass amounts of spam. In most cases these organizations don’t even know they have been compromised, or that there are very simple mitigating measures that can be taken to protect themselves.”
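Watching customers for unusual sending behavior, and catching a hijacked account or script before the complaints arrive, comes down to counting outbound recipients per sender. The following is an added example, not part of the original article: it assumes a Postfix mail server and its qmgr log lines, and the sample log, the addresses and the 200-recipients-per-hour limit are constructed.

```python
import re
from collections import Counter

# Matches Postfix qmgr "message queued" lines: sender plus recipient count.
QMGR = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s\d{2}):\d{2}:\d{2}\s\S+\spostfix/qmgr\[\d+\]:\s"
    r"\w+:\sfrom=<(?P<sender>[^>]*)>,\ssize=\d+,\snrcpt=(?P<nrcpt>\d+)"
)


def recipients_per_hour(lines):
    """Sum recipients per (sender, hour); one message can fan out to many."""
    totals = Counter()
    for line in lines:
        m = QMGR.match(line)
        if m and m["sender"]:  # skip bounces, which have an empty sender
            totals[(m["sender"].lower(), m["hour"])] += int(m["nrcpt"])
    return totals


def flag_bulk_senders(lines, limit=200):
    """Return [(sender, hour, recipients)] above the limit, busiest first.

    `limit` is an assumed policy value; set it from your own baseline.
    """
    totals = recipients_per_hour(lines)
    hits = [(s, h, n) for (s, h), n in totals.items() if n > limit]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Mar 13 02:14:07 mx1 postfix/qmgr[811]: 4A1F2C0011: from=<news@shop.example>, size=5120, nrcpt=40 (queue active)
Mar 13 02:15:40 mx1 postfix/qmgr[811]: 4A1F2C0012: from=<wp-form@client7.example>, size=2048, nrcpt=150 (queue active)
Mar 13 02:31:02 mx1 postfix/qmgr[811]: 4A1F2C0013: from=<wp-form@client7.example>, size=2051, nrcpt=180 (queue active)
Mar 13 02:40:19 mx1 postfix/qmgr[811]: 4A1F2C0014: from=<>, size=3100, nrcpt=1 (queue active)
Mar 13 02:41:00 mx1 postfix/smtp[902]: 4A1F2C0013: to=<a@dest.example>, relay=none, status=deferred
Mar 13 03:02:55 mx1 postfix/qmgr[811]: 4A1F2C0015: from=<wp-form@client7.example>, size=2049, nrcpt=90 (queue active)
"""

if __name__ == "__main__":
    for sender, hour, count in flag_bulk_senders(SAMPLE_LOG.splitlines()):
        print(f"{hour}h  {sender}  {count} recipients")
```

A flagged sender is a reason to look, not proof of abuse: a legitimate opt-in mailing can exceed the limit, so check the result against what you know about the customer.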
Protecting Your Customers from Spam – Have an AUP
Another big step you can take to help prevent your web hosting business from becoming a victim of spammers is to have an Acceptable Use Policy (AUP). You could include a stiff penalty for spamming, although it may be questionable whether that will bother a truly hard-core spammer. Still, such a policy will help you keep your customers honest.
If you don’t yet have an AUP, Spamhaus has a resource that will let you generate one automatically (http://www.spamhaus.org/isp/create_aup.lasso). It also has a number of examples of good AUPs on its web site (http://www.spamhaus.org/aups.html). With these tools, you should be well on your way to writing a good policy.
Not only do you need to have a good AUP; you need to make sure your customers are aware of it. For example, Shaefer notes that iPost confirms its “solicited mail only” policy verbally with every customer before completing a service agreement. If you choose to include any special clauses directed at preventing specific abuses, you might want to verbally confirm those as well. For example, one company’s AUP bans the use of its systems for “drop boxes” in spam sent somewhere else.
Finally, you need to enforce your AUP. That means you need to be proactive. “This does not mean instantly terminating a customer because of a complaint, because forgery is so common in spam that many complaints are misdirected,” according to Shaefer. “However, it does mean evaluating the accuracy of every complaint, investigating those that appear legitimate, and taking action if a pattern of abuse emerges.”
Dealing with spam is not an easy task. It isn’t going to go away overnight. But by taking these steps, you can reduce the problem for you and your customers to something more manageable.