Estimated reading time: 10 minutes, 9 seconds

Best Practices for Putting Spam in its Place

For those of us using email ten to fifteen years ago when the concept was still relatively new, no one envisioned that Unsolicited Commercial Email (UCE) or Spam as it is more commonly referred to would be something most Internet users would grow to hate. In the early days of email, it was fun to forward around stuff that had questionable value and we didn’t think anything of doing this. Almost anything that we received which we thought was neat/fun/cool, we would forward to all our friends for the laugh value.
But what started out as an occasional annoyance soon became a flood as the criminal element figure out how to send mass emails to large numbers of Internet users. Then someone figure out how to harvest email addresses off of websites and when combined with the mass mailing techniques a whole new industry was created. The criminal element could now reach a mass market of hundreds of thousands of people much easier than any of their other scams previous could and the risk of getting caught was very low. The criminal element moved into this racket with a vengeance.

Soon our inboxes were filled with large numbers of emails from people we had never met wanting us to buy all kinds of stuff or send them money so they could send us back millions of dollars in unclaimed money.

A whole new software industry was started to help users control this horrible onslaught of junk email. At first, the only options were to install spam filtering software on your email servers and configure it to filter out the junk. This proved extremely time consuming and problematic for system administrators as they would spend their whole day consumed with managing the spam email filtering system.

Then online companies who would filter the email for you before it reached your email servers came into existence. Postini, Brightmail, Appriver and MX Logic became the major players in this online service area while the antivirus vendors Symantec, McAfee, Trend Micro, and Barracuda Networks continued to offer solutions for email servers. Finally the email server companies Microsoft Exchange, Lotus Notes, and the various online email services such as Gmail, Hotmail and Yahoo. started to offer internal controls to help stem the onslaught of UCE. Even with these controls it is very difficult to not receive some type of UCE during the course of a business day. The best thing you can do is get the junk down to a manageable level of just one or two per day/week.

So what are the best practices for controlling UCE?

The best answer for that question is a multi-prong approach of prevention and active management. Prevention is doing things that keep your email address from becoming a known valid email address and active management is employing various tools and techniques to keep all users in your environment protected as best as possible from receiving spam.

The 10.1 Steps to Prevention of UCE

What can be done to keep your business email address safe from falling into the hands of the criminal element that runs the UCE industry today? Here is a simple list of 10.1 things you can use to protect your email address (business or personal) from large quantities of UCE.

1. Never give your email address out to someone you do not know or who does not have a reason for having your email address

2. Don’t forward joke or other non-business related emails to your friends from your business email account. You never know if they will remove your address or not and how far the email will circulate. (As an aside: you really should not forward anything from any email account as you never know the legitimacy of the information).

3. Ask your friends and family to send non-business related emails to your personal email address or better yet don’t include you on mass forwards.

4. Don’t use your business email address in places where it is likely to be obtained easily. Use whenever possible distribution groups or generic email addresses such as webmaster@ or domain@ as many UCE mass mailing programs will not send to these types of accounts since many are not monitored.

5.  Don’t sign up on websites for solicitations especially coupon sites and other non-vendor specific websites. Many of these websites sell email addresses to the highest bidder without determining the planned use. Note: The CANSpam act passed by Congress a couple of years ago put a stop to some of this, but some businesses will still put in the legal language on the website where you sign up (and that no one reads) that they can sell your email address to whomever they want.

6. Don’t use your business email on Facebook, MySpace, LinkedIn, Twitter, or any of the other social networking websites popular today unless you are representing your employer. Then rule 4 should be followed instead of using your actual business email account. Facebook and Twitter are the two most popular websites targeted by hackers. One reason for this focus is to obtain email addresses to sell to UCE operators.

7. Don’t list employee email address on the corporate website in an email format. The better method is to tell readers of your website how your email addresses are formatted and then provide a simple list of employees. For example, our email format is This email address is being protected from spambots. You need JavaScript enabled to view it. or firstinitial This email address is being protected from spambots. You need JavaScript enabled to view it.. This prevents automated web tools from harvesting email addresses off the company website.

8. Never hyperlink employee email addresses on the company website. This makes it really easy for UCE operators to harvest email addresses from the web.

9. Never use the Unsubscribe link in an email from a solicitor you do not know. More than likely this will go to a website which will verify your email address as a valid email address and generate more spam.

10. Never click on a link in an email from someone you do not know. Many of these links will connect to websites which are not legitimate or simply are used to confirm a valid email address. In some cases, such as a phishing email, you may believe the email is legitimate when in reality it takes you to a website which is not under the control of the entity you are lead to believe the email is from. This is very common with eBay, bank, and other financial institution websites. The latest trend is to use government organizations such as police, IRS, FBI, etc. to entice you to non-legitimate websites.

10.1. Never download pictures from an email where you do not know the sender. Many UCE emails contain picture links and these links are then used to verify that the sender has a valid email address. In addition, some of these pictures may contain embedded viruses or Trojans which could infect your computer.

Active Management of UCE
Active management encompasses using various electronic tools to manage UCE on your network either before it reaches your email server or after it reaches your email server. There are several ways to do this and each of these ways can be used independently or collectively to help reduce spam volumes. If you have a large spam problem, you might want to employ several of these techniques together to ensure that if one level of filtering misses the UCE, another level will catch it. For some of you, this will be easier than for others. The newest version of Microsoft Exchange (Exchange 2007) has built in filtering tools to help classify UCE and put it in the junk folder automatically for the user. Let’s look at some ways to improve filtering out UCE from your environment:

1. Use an email filtering service to filter email before it enters your network. These services do a very good job of eliminating UCE before it reaches your servers as well as eliminating viruses and other malware from email. It also keeps your employees honest by preventing them from accessing malicious emails that might be detrimental to their computers. By keeping UCE from your email server the user is protected from themselves because you remove the temptation of seeing what the junk email contains. MX Logic, Postini, and AppRiver as several vendors who pre-filter email before it reaches your servers.

2. Use the filtering service built into or provided with your antivirus software to filter email on your server. This helps stop viruses and other components from reaching your user’s inboxes. Combine this with an outside email filtering service and you will probably catch 99 percent of the UCE entering your environment.

3. The UCE filter in Exchange/Outlook will move UCE to the junk email folder in Outlook. This will allow users to separate legitimate email from junk email and easily get rid of the junk by deleting it from the junk email folder. Exchange 2007 and Outlook will do a very good job of filtering UCE. When combined with either of the other two methods above you will get a 99-percent reduction in UCE and if you use both of the other two methods above, you are likely to reach 100-percent UCE reduction.

Using any of these three options will reduce UCE significantly, however, when used in combination you can easily reduce UCE to zero in the Inbox with possibly a little bit in the junk mail folder. It is certainly desirable to use at least two of these active management options. These services stop a very high percentage of the UCE on the Internet and allow you to deal with only the legitimate emails in your inbox versus having a large number of junk messages.

UCE has become a problem, but there are tools out there which return your inbox to its beneficial purpose and remove the unbeneficial components that have come with the invention of email. It eliminates the unintended consequences with using email. It frees up your time for other more important tasks besides clearing your inbox of Viagra advertisements, male enhancements, and the latest diet craze.

John Anderson CPA.CITP

John D. Anderson, CPA.CITP, CIA, MCP, MSA; is the Information Technology Services Group Manager at Weidmayer, Schneider, Raham & Bennet, a large, local CPA firm in Ann Arbor, MI.  His experience includes Citrix, Windows 200 Server, Internet Information Services, Lotus Notes/Domino, Cisco Pix, SonicWall, and Trend MicroNeaTSuite products as well as dozens of accounting software packages used by CPA firms and their clients.  He joined the firm after completing a Masters Degree in Accounting from Eastern Michigan University.

He speaks at national computer user meetings and is very well respected for his activity on ARNE [the Accountants Resource Network], an Internet bulletin board system sponsored by Thomson Reuters.

Read 6832 times
Rate this item
(0 votes)

Visit other PMG Sites:

Template Settings


For each color, the params below will give default values
Tomato Green Blue Cyan Dark_Red Dark_Blue


Background Color
Text Color


Background Color


Select menu
Google Font
Body Font-size
Body Font-family
PMG360 is committed to protecting the privacy of the personal data we collect from our subscribers/agents/customers/exhibitors and sponsors. On May 25th, the European's GDPR policy will be enforced. Nothing is changing about your current settings or how your information is processed, however, we have made a few changes. We have updated our Privacy Policy and Cookie Policy to make it easier for you to understand what information we collect, how and why we collect it.