Spam Solutions
by Roman H. Kepczyk, CPA, CITP (November 20, 2004-reprinted with permission) 

Email is an incredibly important tool for most tax practitioners to communicate with their clients to request additional information and to share updates regarding tax issues.  Unfortunately, the popularity of email as a marketing tool has led to an influx of unsolicited email, commonly referred to as spam, which is having a negative impact on productivity.  Most people today are inundated with tens, if not hundreds of unwanted emails on a daily basis.  Studies done in the past two years by Gartner Group and IDC analysts allude to individuals wasting 9-10 minutes each day deleting spam email, which adds up to one week per year in lost time!   

In addition to the shear nuisance of dealing with the unwanted emails, many can expose the recipient to viruses, fraudulent financial activity, identity theft, and situations with pornographic content that can create an inappropriate workplace environment leading to hostile workplace lawsuits.  To attack this issue and reduce the impact of spam on personnel, organizations must understand and implement today’s anti-spam solutions that include using email filters, blocking lists, challenge response systems, and training personnel how to minimize their exposure in the first place.  Please note that as anti-spam solutions block one avenue of attack, the spamming organizations open up another, so it is expected that anti-spam efforts will continuously evolve requiring updated solutions and new approaches that may not be invented yet. 

The first line of defense for most organizations is to use a filtering application which can remove emails containing offensive content or information that is affiliated with spam.  Most single user email applications contain some built-in spam filtering.  Whether run on a local workstation, such as Outlook, or hosted through a major Internet Service Provider such as AOL, MSN Hotmail, and Yahoo, these applications have filtering options that can block emails to varying degrees. Filters can evaluate key words or content and delete all items that meet pre-defined criteria.  Newer filters use Bayesian filters and other heuristic methods to determine characteristics associated with spam and can actually “learn” what constitutes spam, depending on emails previously identified as such by the user.  Some of the more common anti-spam products in this category would be Norton Anti-Spam 2004, SurfControl, SpamBayes (which is shareware), and Cloudmark Spamnet, which utilizes collaborative filtering.  Collaborative filtering relies on recipients identifying emails that get through the spam filter, so they can be blocked for all recipients utilizing that service (which is also becoming prevalent in the larger ISPs).  Many filtering applications also incorporate techniques that identify spam by comparing inbound email against lists of known spammers. 

According to the Spamhaus website, 90% of all spam emails originate from approximately 200 online marketing organizations.  Placing the domain names from known spammers on a real time block list (RBL, also referred to as a black or black hole list), can go a long way to deleting unwanted email.  When an RBL is placed on the firm’s server or managed by an external service provider, the majority of emails can be blocked prior to being delivered to the individual recipient.  These external and server level solutions are preferred as they centralize the administration of spam and reduce the traffic and storage issues associated with products working at the individual workstation level.  At an organizational level, many anti-spam applications are combined with anti-virus and content filtering for both inbound and outbound email.  These applications form an email security “suite” that reduces the firm’s administration.  The major players in this market would include the Symantec Suite, GFI Essentials, CipherTrust IronMail, and Trend Micro.  In addition, some of the better known external service providers would include FrontBridge, Postini, BrightMail and MessageLabs. 

Another solution to minimize the impact of receiving spam is what is known as challenge-response applications.  These solutions require that the sender verify they are valid by responding to a task, such as answering a question or responding in a certain way (which an automated spam program would not do).  Products such as DigiPortal ChoiceMail, SpamLion, and Spam Arrest would fit into this category and work by sending an email challenge to the sender that must be responded to before releasing it to the recipient.

Picking the right solution depends on the type of organization, but according to a survey done by the Association for Accounting Administration (www.cpaadmin.org) in April 2004, of the 100 respondents, 56% utilized a solution on their server, while 32% utilized a workstation solution and 34% used an external service.  The survey also found that 25% of the firms had at least two of the above mentioned solutions and 6% had anti-spam coverage at all three locations. Implementing an anti-spam solution will reduce the volume of spam that gets into the firm, but it is also imperative that firms educate their personnel on how to reduce the risk in the first place. 

Online marketing organizations that utilize spamming techniques capture their email addresses from a variety of sources.  Many utilize programs called “spambots” that search the Internet looking for anything that mildly resembles an email address.  Most organizations commonly list the names of the owners and tax managers along with biographies on the firm’s website, as well as contact information for those that write articles.  In addition by participating in chat discussions, list serves and other public email forums, they are exposing their email addresses.  To counter this, some organizations put in place a spam “honeypot,” which consists of an email address for a non-existent person within that organization.  By definition, any email sent to that address would be unsolicited, and emails from the sending organization would automatically be added to the firm’s filter list, where they could be deleted for the other recipients within the firm.

Another way to reduce the effectiveness of harvesting applications is by using disposable or “munged” email addresses for all non-critical email communications.  A disposable email address is one that could be used for newsletters and responding to offers that an individual may be interested in.  Once that email address starts to receive spam, it can be deleted and a new one setup.  In addition, some people “mung” their address, which means they add characters to their email address that an individual would understand, but not an automated computer program.  For instance, by posting REMOVETHISroman@itpna.com, any emails sent to the full address would not go through.  This approach is useful for those members that participate in email tax forums. 

Firms should also educate personnel on the dangers of email and provide training on how to minimize the risk of exposing information to spammers.  Today, it is never advisable to respond to an email offer to have your email address removed from a mailing list, unless it is from a reputable company with a privacy policy in place.  In most cases, any response to a web site verifies that the email address is valid and it is immediately shared with other spammers making the situation worse. 

Users should be taught to be suspicious of any email request to confirm any personal information.  A scheme called “phishing” fakes emails from well known companies asking the recipient to verify data.  When the user links to the website from the email, it is actually a mocked up site who’s sole purpose is to collect information that can be used for identity theft and financial fraud.  Another derivative of this email scam is fraudulent companies that provide products or services at prices that are “too good to be true.” Individuals provide credit card information and set up accounts with addresses, passwords, and personal identification numbers that the scammers immediately take advantage of. 

Most people today feel that email is too important a tool to live without.  While spam is a problem for all email users, it can be controlled by educating personnel and putting a filtering solution in place.

Roman H. Kepczyk, CPA, CITP is President of InfoTech Partners North America, Inc. (www.itpna.com) a consulting firm working exclusively with CPA firms on their internal technology utilization and their transition to a digital or “less paper” environment.  For a sample training curriculum, needs assessment or training coordinator job description, please visit the search page of his web site. 

This article is reprinted with the publisher's permission from the Journal of Tax Practice Management, a journal published by CCH INCORPORATED. Copying or distribution without the publisher's permission is prohibited. To subscribe to the Journal of Tax Practice Management or other CCH Journals please call 800-449-8114 or visit www.tax.cchgroup.com.

<Back to Home Page    ^Back to Vision Alert Index

 © 2004 InfoTech Partners North America, Inc....your technology partner  (480) 706-1728