There have been some excellent blog posts about how ‘One size does _not_ fit all’ with spam, including this one by Paul Cunningham. Your anti-spam solution should not only be able to adapt to the most common spam and malware out there, it should also be adaptable enough to protect you from the very specific types that only you or your company receives.
I am a software company executive, and our company specializes in software to protect your email from spam and malware. We obviously use our own program to protect our email system. Because I want to be sure that our core filtering engine works very well, I configure my personal settings in a way that is a little odd for most users: I turn off all custom settings! This means that I have no Trusted Senders or Recipients (addresses, IPs, domains, etc.), no Blocked lists (addresses, IPs, whatever!), no language filtering and no other specialized settings turned on. This is not something I would recommend for everyone.
Even with the above settings, which would be considered quite lax by most system administrators, very little spam gets through. When something does, I report it to our Security Operations team. The response I get more often than not is, ‘You know Mike, you don’t exactly get the same type of spam that the rest of the company gets.’ I did some investigation (I work in security after all, so let’s just say that trust is not my forte), and it turns out to be true.
Here are some examples of the specialized spam I receive:
– Spear Phishing: Lots of executives receive these, for obvious reasons. I am targeted because of my position, often with a request that is not out of context, and usually with a link. The emails might contain a little bit of ego stroking. Mine usually come in two varieties: i) innocuous links that lead to legitimate sites, ii) dangerous links that lead to compromised sites.
– Newsletters: the bane of my existence. I subscribe to a lot of legitimate ones and often start receiving extra ones. After a while, I start forgetting whether I was actually legitimately subscribed, or just got added to the list. Most of the time it seems that the content is relevant, and these can be the hardest to judge. Sometimes it is clearly not relevant. After consulting our Security Team, I either unsubscribe if the newsletter is deemed legit, or I report as spam if it is not.
– Requests to be included in Business, Company or People Directories: these again can often appear legit, but most often are not. They can also be part of a scam, where the request includes a fee to be added to some kind of international business directory. These pop up from time to time in different forms and should all be considered spam and dangerous. For People Directories (e.g. Jigsaw, Spoke, SpokeO, etc.), the requests are often specific to my position in the company and also appear legit. These can be enraging because you get added automatically and it is up to you to remove yourself. You can bet that you will have to go through a few hoops to accomplish that.
– Requests to attend seminars and conferences: I am referring to ones that are not sent by organizations with which I have done business before and therefore use my email address incorrectly. The spammer organizations assume that I will be interested in their seminar or conference topic and have subscribed to their list, which might include a link to unsubscribe. These can be difficult to decide on as well, because the context and information might be appropriate for me. Marketers would call this targeted and effective. In most cases, unfortunately for them, I call it spam.
Are spammers making you feel special in any kind of way? Is there a form of spam that seems to specifically target you? Please share your experience.