Part III: Most popular security issues

In the final part of this three-part special, our security experts tackle questions ranging from stopping spam and spyware liability, to hijacking e-mail addresses and Web site spoofing.

The first and second instalments were published last week.

The Questions:

  • Why are the sites that use spam to get new customers not taken down? Take away the money to fund spam and you stop it.

  • If employees are allowed to conduct online banking using work computers, does any responsibility fall on the employer if an employee's bank account is compromised because it hasn't implemented anti-spyware software?

  • There are still lots of anti-virus software packages and systems out there that persist in informing the sender of the e-mail that they have sent a virus. Of course they have not because viruses don't let on who sent them anymore. Why can't the industry get to grips with this and change the default behaviour of software to not inform the sender?

  • How do spammers manage to hijack my e-mail address as the sending address for their rubbish? What can I do to stop them?

  • You often hear Hotmail, AOL etc proudly boasting that they block spam at the source, so my question is how come I still get so much of it?

  • How easy is it to spoof an IP address?

  • Could spam be easily stopped with a simple reverse look-up algorithm? If the return address is undeliverable then delete the e-mail. It may slow delivery and it may not catch all spam but, surely, it would prevent most of it.

  • If the anti-virus software I have in place fails then in effect I've bought goods that aren't fit for the purpose for which they are designed. Shouldn't I therefore be entitled to take my software back and demand a full refund?

  • Why is it so difficult to stop spammers who must be sending out millions of e-mails at a time? Someone, somewhere knows who they are and what they are doing.

    Terry Carlin asks: "Why are the sites that use spam to get new customers not taken down? Take away the money to fund spam and you stop it."

    Enrique Salem, CEO of Brightmail (now senior VP Symantec, post acquisition), answers: "One of the most challenging aspects of fighting spam is that everyone's definition of spam is different; as such, closing down a site which you believe is in the wrong might not be an action everybody agrees is needed. Your colleague may welcome an advertisement for a new website while you may consider it spam. Not only does it require technology to reduce the amount of spam in our inboxes, but it also requires education for end users as well as best practices for direct marketers."

    Roger Harrison asks: "If employees are allowed to conduct online banking using work computers, does any responsibility fall on the employer if an employee's bank account is compromised because it hasn't implemented anti-spyware software for example?"

    Simon Janes, international operations director, ibas, answers: "This is an excellent point and one which encompasses the whole grey area of the personal use of company IT. The short answer is maybe. There are many factors to consider such as: what is the company IT policy for both IT and e-mail usage? What is the staff expectation of privacy and security that is enshrined within that policy? Within the Data Protection Act there is an onus on the company to operate sufficient security to protect data. However, would this apply to an employee using the IT system to conduct their banking?

    "This is a very real problem for system administrators and security managers alike. The only practical way forward is to conduct a thorough risk assessment, and to detail and mitigate those risks in any subsequent policy. This policy will then set out what is acceptable use and what can be expected in terms of privacy and security if personal business is conducted."

    David Naylor, partner at law firm Morrison and Foerster, adds: "The short answer is that, in the UK at least, if the employer takes a few common sense precautions, it is unlikely to incur liability in these circumstances.

    "These precautions include having in place a 'technology use policy' that forms part of the employment contract. The technology use policy should set out how the employer's technology resources may be used by employees, ensure that employees understand that the company's resources are primarily for business use and that they should not assume that any personal use is private. All this information should be in plain English and clearly drawn to the employee's attention."

    Mark Morris, head of forensics at Logica CMG, adds: "Leaving aside what the contract of employment may say as to personal use of the internet, I do not believe that it would be realistic to suggest that the employer may be found liable in such a situation for running an 'insecure' network. I think the common sense view would be that an organisation protects its network for corporate use, not for personal use. The whole idea behind internet banking is one of accessibility and many people conduct their banking on PCs attached to a network over which they have no control."

    Jonathan Hare writes: "There are still lots of anti-virus software packages and systems out there that persist in informing the sender of the e-mail that they have sent a virus. Of course they have not because viruses don't let on who sent them anymore. Why can't the industry get to grips with this and change the default behaviour of software to not inform the sender?"

    Graham Cluley, senior technology consultant at Sophos, answers: "This is a real nuisance, often creating as much of an e-mail tornado as the viruses themselves. All anti-virus vendors should look at their gateway anti-virus software and ensure that this option is removed, or at least disabled for viruses which forge the sender's information. I think it was one of those things that anti-virus programmers knew was easy to implement and so included, but never realised how much of a problem it would become.

    "Of course, some auto-replies do not come from vendor anti-virus software but from scripts written by the company receiving a virus. These automated reply scripts seem even harder to excise."

    Stewart Buller asks: "How do spammers manage to hijack my e-mail address as the sending address for their rubbish? What can I do to stop them?"

    Alyn Hockey, director of research at Clearswift, answers: "There really is little you can do; they have your name and they will use it as a new source address for the message. Companies frequently set up lists of e-mail addresses to block mail from. It will be very unlikely that your address will be on it, so using that address gets past at least one hurdle at the recipient's mail gateway."

    Mike Small, director of security strategy at CA, adds: "The simple mail transport protocol (SMTP) includes fields whose content is not guaranteed by the sender. Even worse, many ISPs offer unauthenticated access via SMTP. This means someone else can use your e-mail account to send mail."

    Mark Owen asks: "You often hear Hotmail, AOL etc. proudly boasting that they block spam at the source, so my question is how come I still get so much of it? I mean, the vast majority of spam seems to have been written from a template, and you can recognise it almost always by the subject line, yet still vast quantities get through."

    Enrique Salem answers: "Spam has grown incredibly over the past three years and it now comprises more than 65 per cent of all internet e-mail. Over that same time period, anti-spam technology has also improved incredibly - becoming more dynamic and proactive. However, since there is an economic incentive for spammers to continue, they do - and send out more and more e-mail to get the same response rate. What you see in ten different spam messages may appear to be the same. However, if you look behind the message, you'll find that those ten messages are in fact very different. Blocking those ten messages based on the content of what you see may seem like a simple task. However, to block based only on content is very dangerous - you run the risk of filtering out legitimate e-mail as well, which is a bigger problem than the spam."

    David Levin asks: "How easy is it to spoof an IP address? Since many services and applications are tied to allowing specified IP addresses to connect, this would seem to be quite a large security risk, especially for remote management of devices by IT administrative staff."

    Mike Small answers: "When a message is sent over TCP/IP it contains the sender's IP address. Spoofing is sending a message with a false IP address. There are numerous tools available that can achieve this effect. However, it is possible to detect spoofed addresses in various ways - for example the routing of spoofed addresses will be inconsistent. Firewall software can be configured to only allow traffic with consistent routing addresses."

    Tim Maguire asks: "Could spam be easily stopped with a simple reverse look-up algorithm? If the return address is undeliverable then delete the e-mail. It may slow delivery and it may not catch all spam but, surely, it would prevent most of it."

    Paul Wood, chief information analyst at MessageLabs, answers: "Spammers often use spoofed return addresses. They'll often just pick a legitimate e-mail address at random, and use that. However, there is a new system called Sender ID (as mentioned earlier), which takes your suggestion to the next level, checking not only the return e-mail address, but also the originating server's address. If the originating server isn't authorised to send e-mail on behalf of the domain found in the return address, then it's probably spam. Sender ID will be introduced over the next few years. The spammers may move on to creating new fly-by-night disposable-but-still-legitimate return addresses, with matching servers, but it may stem the tide a little.

    "As the spoofing of e-mail addresses remains a widespread and growing problem, efforts to strengthen the existing protocols will continue unabated. For example, we may begin to see a greater take-up of domain policy systems such as Sender ID or Yahoo!'s DomainKeys. This might mean that as they vie for market domination and closer integration, other approaches such as 'challenge-response' systems, 'electronic payment' and 'cryptographic puzzles' don't generate the broader adoption that their advocates would have perhaps hoped for. These mechanisms, although beneficent, are also equally vulnerable to spoofing and scalability becomes more of an issue, as global adoption seems more unlikely. For example, you may already be replying to 'challenges' that you didn't even initiate, just to make sure you're not missing any important mails!"
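    The two checks discussed above, Tim Maguire's reverse look-up of the return address and the Sender ID style authorisation of the originating server that Paul Wood describes, as an added Python illustration that is not part of the original article or of any vendor's product. The DNS zone data, domain names, addresses and function names are constructed for the example; a real gateway would query live MX and TXT records instead of a dictionary.

```python
# Simplified Sender-ID/SPF-style check as described in Paul Wood's answer.
# Added illustration, not MessageLabs code. The DNS zone below is constructed;
# a real check would query MX and TXT records instead of this dictionary.
import ipaddress

# Constructed zone data: domain -> MX hosts and SPF policy (None = none published).
DNS = {
    "example.com": {"mx": ["mail.example.com"],
                    "spf": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"},
    "example.org": {"mx": ["mx.example.org"], "spf": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "example.net": {"mx": ["mx.example.net"], "spf": None},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def return_path_deliverable(domain):
    """Tim Maguire's reverse look-up idea: does the domain accept mail at all?"""
    zone = DNS.get(domain)
    return bool(zone and zone["mx"])

def spf_result(domain, sending_ip):
    """Evaluate a minimal SPF record: ip4 mechanisms plus the 'all' default."""
    zone = DNS.get(domain)
    if not zone or not zone["spf"]:
        return "none"                      # no policy published: can't decide
    ip = ipaddress.ip_address(sending_ip)
    for term in zone["spf"].split()[1:]:   # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                       # mechanism not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without a match

def classify(return_address, sending_ip):
    """Apply both checks: deliverable return address, then server authorisation."""
    domain = return_address.rsplit("@", 1)[-1].lower()
    if not return_path_deliverable(domain):
        return "reject: return address undeliverable"
    result = spf_result(domain, sending_ip)
    if result == "fail":
        return "reject: server not authorised for " + domain
    return "accept (spf=" + result + ")"
```

Note that a domain publishing no policy (example.net here) still gets through, which is the gap Paul Wood alludes to when he says spammers may simply register fresh domains with matching servers.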

    Robert Gregorczyk asks: "If the anti-virus software I have in place fails then in effect I've bought goods that aren't fit for the purpose for which they are designed. Shouldn't I therefore be entitled to take my software back and demand a full refund?"

    Graham Cluley answers: "Aha! A legal question. If you read the small print of your anti-virus software's license agreement you will almost certainly find that you do not own the software itself, only the media on which the software is contained. Furthermore, if you read the disclaimers (even tinier print) you'll almost certainly see that the vendor does not warrant that the product will detect or disinfect any viruses at all.

    "Of course, you can still try and request a refund from your local friendly computer store, who may ignore the legalese to retain you as a happy customer and try and direct you towards another product."

    Stewart Buller asks: "Why is it so difficult to stop spammers who must be sending out millions of e-mails at a time? Someone, somewhere knows who they are and what they are doing."

    Enrique Salem answers: "Spammers have continued to evolve their techniques to evade spam filters. Three years ago we saw primarily ASCII text spam asking consumers to call a phone number and now we see very dangerous phishing e-mails that ask consumers to provide personal and financial details. Phishing is more harmful than spam and e-mail users need to know that they shouldn't respond to requests from supposed trusted vendors. Another important innovation that aims to change the economics of spam is traffic-shaping technology. This changes the game of spam by slowing down messages from known spammers, reducing their output tremendously."

    Silicon.com's Will Sturgeon reported from London.
