S 5.54 Dealing with unwanted e-mails
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, User
Unwanted e-mails, which are also known as "spam", are sent out en masse, harass the recipients, and disturb the actual operation of the IT infrastructure, starting with the systems transmitting e-mails to the clients of the users. Unwanted e-mails include chain letters, unsolicited advertising, begging letters, junk mail, phishing e-mails, and e-mails with attachments containing malicious code. In particular, an e-mail poses a threat if attachments are executed, if the e-mail is based on HTML, or if the mail recipients are lured to visit manipulated websites via links contained in the e-mail.
A flood of unwanted e-mails or deliberate overloading via incoming e-mails can not only block the e-mail system but can also give rise to considerable expense for the recipient. One way in which costs are incurred is through transfer charges, especially if the unwanted e-mails contain images or multimedia files. The burden is then compounded by the costs for filtering the e-mails and/or the employees' working time needed to view the incoming spam and to delete it.
In order to protect themselves against spam, users should restrict disclosure of their e-mail address to the necessary minimum. Users should be particularly careful when giving their address, e.g. in newsgroups, mailing lists, prize draws, surveys or similar forms. In these cases, consideration should be given to setting up a throw-away address in order to avoid unnecessary disclosure of a potentially personalised "main address" to the wrong hands.
Conversely, care should also be taken to check the e-mail addresses of communication partners before passing them on to others. Indeed, if an e-mail is sent to multiple recipients, it is not necessary for everyone to know who else received the mail at which e-mail address. The "BCC" function (Blind Carbon Copy), which is offered by virtually every e-mail client, can be used to avoid this.
Also, your own computer should always remain free from malware, as there is malware which reads local address books and includes them in spam mailing lists.
Basically, all users should ignore and delete spam. Under no circumstances should a reply be sent, a link in the e-mail followed, or attachments opened, as this may have negative effects. A confirmation that the e-mail was received is also a confirmation that the e-mail address can be used for the delivery of spam and that the recipient actually reads these e-mails. In addition, there is a risk that computers are infected with malware and thus become part of a botnet. All employees should be briefed on this.
The following safeguards can be implemented against unwanted e-mails:
- In order to avoid spam or at least make it identifiable for the recipients, it is necessary to automatically detect and reject or flag unwanted e-mails. For this purpose, a corresponding e-mail filter system has to be operated (for more information see safeguard S 5.109 Use of an e-mail scanner on the mail server).
- Moreover, unwanted e-mails often contain attachments that can trigger unexpected side effects, or file formats that are viewed as potentially problematic. All those involved should be aware of the problem and take appropriate precautions (see S 4.199 Avoiding problematic file formats).
- Most e-mail clients can be configured such that they move e-mails marked as unwanted to separate folders. Corresponding filter rules can be configured by the users or administrators. The user should be informed about such filter rules.
- Some e-mail clients also have integrated detection mechanisms against unwanted e-mails. The users can enable these in order to classify their mailboxes accordingly.
- Every organisation should decide whether to allow its employees to post articles in newsgroups and, if so, which form and which topics may be involved. In this context, users must be instructed to observe netiquette and, in particular, to refrain from distributing information of irrelevance to the general public.
- It might be advisable to use e-mail addresses which are not easy to guess (see also S 2.122 Standard e-mail addresses). If an address has to be given for mailing lists, inquiries, etc., another option is to set up a special e-mail address for this purpose. Any e-mail sent to this address can then be filtered, ignored or deleted. If it is not desirable for such addresses to be taken from the organisation's own domain, one possibility is to consider using providers of free e-mail accounts.
- In no case should attempts be made to retaliate with e-mail bombs or similar measures in response to spam. In fact, senders of spam should not receive any response at all. Sender details in spam mail are frequently forged. As such, responses are simply routed to innocent parties or returned as undeliverable. Responses to spam also increase the volume of e-mail traffic and, in the worst case, confirm to the e-mail advertisers that the targeted e-mail addresses are correct.
- Even if spam e-mails offer the recipient the option of choosing not to receive further e-mails, under no circumstances should replies be sent to such e-mails. Otherwise, the spammer can take the reply as a confirmation that the recipient's e-mail address is correct.
- Another effective measure which can be taken against nuisance spam is to inform your e-mail provider and the e-mail provider of the sender so that they can take appropriate action against the sender. However, due account should be taken of the fact that not all e-mail providers respond promptly to such grievances.
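As an added example (not part of the safeguard text), the client-side filter-rule logic described in the list above, written in Python: mail that the server-side scanner has marked as unwanted is filed into a separate folder, and mail carrying problematic attachment types is set aside for review. The header name X-Spam-Flag, the extension list and the sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types treated as problematic here (constructed list; an
# organisation's own list follows S 4.199).
PROBLEMATIC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")
# Assumption: the server-side scanner (S 5.109) marks unwanted mail with this header.
SCANNER_FLAG_HEADER = "X-Spam-Flag"


def classify(raw: bytes) -> dict:
    """Decide which folder a client-side filter rule files the message in, with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    flagged = msg.get(SCANNER_FLAG_HEADER, "").strip().upper() == "YES"
    if flagged:
        reasons.append("marked as unwanted by the mail server's scanner")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(PROBLEMATIC_EXTENSIONS):
            reasons.append(f"problematic attachment: {name}")
    # HTML-only mail is only noted, not filed away, since many legitimate senders use it.
    html_only = msg.get_body(("html",)) is not None and msg.get_body(("plain",)) is None
    folder = "Junk" if flagged else ("Suspicious" if reasons else "INBOX")
    return {"folder": folder, "reasons": reasons, "html_only": html_only}


def sample(subject: str, body: str, flag: bool = False, attachment: str = "") -> bytes:
    """Constructed sample messages (not real mail) for exercising classify()."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    if flag:
        m[SCANNER_FLAG_HEADER] = "YES"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (sample("You have won", "Reply to claim.", flag=True),
                sample("Invoice", "See attached.", attachment="invoice.exe"),
                sample("Meeting", "See you at 10.")):
        print(classify(raw))
```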
It should be noted that not all of these measures are advisable in all circumstances, as each of them imposes certain restrictions. On one hand, for example, it might be advisable to refrain from basing e-mail addresses on user names in order to protect oneself from unwanted e-mail advertisements. On the other hand, however, abstract e-mail addresses can render communications with external parties difficult, as such addresses are harder to remember. The form of an e-mail address should always comply with internal organisational policies.
A high volume of e-mail traffic can also be generated by subscriptions to mailing lists. In general, regular checks should be made as to whether the subjects discussed in a mailing list are still worth reading. If not, the subscription should be cancelled. Users must be instructed to make regular (i.e. daily, if possible) checks of mail influx related to subscriptions to mailing lists. In relatively large organisations, mailing lists of professional interest should only be subscribed to by one staff member (e.g. the mail administrator) and then made available centrally to all other employees.
Spam should also be taken into consideration when designing websites. One way in which spammers try to add to their address pool is by using tools to perform automatic scans on websites in order to seek out e-mail addresses, e.g. for inquiries. Unfortunately, there are precious few effective ways of thwarting automatic scanning tools of this type. Therefore, careful consideration should be given to the issue of whether to publish e-mail addresses on websites and which ones should be published. Task-related e-mail addresses could be set up for this purpose. Needless to say, these will also be besieged with spam but the problem can be confined in this manner. Sufficient time should be provided for sifting incoming mails and separating the genuine e-mails from the spam.
Review questions:
- Have the users been informed about the problems posed by spam and how to deal with spam and has their awareness in this regard been raised?
- Are e-mail filter programs used upon coordination with the Data Protection Officer, the Personnel Board, and the users?
- Are there rules regarding the use of newsgroups and mailing lists?
- Are the problems posed by spam taken into consideration when designing websites?