Running the Grey Mail Gauntlet

A while ago over at Security Insights, McAfee CTO Chris Bolin blogged about grey spam. As far as content-based analysis goes, it is a tricky area for anti-spam vendors.

Mass email can roughly be categorised into three groups:

• Real spam: the dubious pills, the get-rich-quick scams, phishing, etc. Everyone hates that, but if you have a good anti-spam solution in place you should end up seeing a very small percentage of what was sent to you.
• Mass-marketing mail: the kind of stuff your bank sends out to each one of its customers. Some of that is useful; some of it you might not care about. Usually if you ask, your bank will stop emailing you.
• Grey-mail spam: This lies somewhere between the top two. This is the stuff that cannot really be classified as spam. They have valid email addresses and even valid telephone numbers. But it doesn’t matter to you; these emails are just irritating. You really don’t want any of them.

For vendors providing anti-spam solutions, grey mail is a difficult thing to tackle. Any attempt to add too many detection rules risks false positives for good sites like Amazon. It might even place the vendor at risk for legal action from some marketing companies. This makes this form of spam very attractive to many unscrupulous mass-mailing marketeers; they’re willing to run the grey-mail gauntlet.

Don’t get me wrong: I think email marketing has its place and that it can be a very powerful tool, but it should be done ethically. There are many mail-marketing firms that play by the rules, but they can get a bad name because of the bigger group that simply doesn’t care, as long as they can make a few bucks.

To a great extent, remediation for grey spam falls outside the scope of a content-analysis engine. Although the latter can help, it needs input from the customer. Only the cutomer can determine what is unwanted and what is allowed in this case: one person’s spam is another person’s ham. Chris has listed a number of things you can do to protect yourself, but if you are already receiving grey mail, here are two good techniques for combating this:

• Blacklists
• Bayesian

Blacklists: Because grey spam tends to have a defined structure, known sender email addresses, etc., you can use blacklists. These blacklists should be created and updated by the customer and not the vendor.

Bayesian: Spam filtering might be another solution, but the problem is that it needs to be trained correctly. The training itself might be too much work for the ordinary home user. Luckily some email clients do a good job of making it easier for a person to use.

Handling false positives: Normally content rules will receive rigorous testing to avoid false positives. When customers introduce blacklists or Bayesian techniques, they are creating custom content rules. As these rules will be ad-hoc, there is a higher chance for false positives. To help with this issue, some form of quarantine system needs to be introduced. The single person at home or in a small company with fewer than 10 employees might use the rules-and-folders functionality in a decent email client to handcraft a solution. However, for any company with a large number of employees, something more structured is required. McAfee offers the product Quarantine Manager to complement some of its other mail-product offerings.

Expect to read more postings on this topic from some of my colleagues at Avert Labs.