Spam and Malware
I’ve been doing the IT thing for a bit now. In recent years, I’ve found more job satisfaction in finding solutions for complex problems (usually with budget constraints), workflow optimization, and consulting work. Inevitably, I wind up doing the occasional repair or virus/malware removal job. Malware removal is probably the type of work I like the least. Malware removal on older machines (say 4+ years) is especially tedious, given the number of reboots typically required. While awaiting system reboot, there is plenty of time to contemplate the source of the malware “infection.”
I would say that in the small business world, where company e-mail addresses are used for personal and business purposes, the bulk of malware code introduced to PCs comes from unsolicited e-mail. It’s amazing how easy it is to trick an unsuspecting user into clicking on a link. People are so rushed in their work that they miss obvious characteristics of spam e-mail that should be dead giveaways: Spelling and grammatical errors; attachments in .zip format; missing content such as letterhead/company logos, etc.
Since I’ve finally got spamassassin working on the new e-mail server, I’m seeing that our heavy users receive an average of 6 – 8 spam messages an hour during the day. That explains some malware I’ve had to clean up in the last 18 months. I guess it’s all the more reason to bring our e-mail in-house.
In conclusion, I would recommend that every small business adopt the following guidelines for use of company e-mail:
- Request that users only utilize their company e-mail addresses for company business. Keep the jokes and topless beach photos to your personal e-mail accounts.
- Implement some sort of server-side spam filtering technology. While client-side filtering allows users to more easily find messages they are looking for, downloading the spam to the e-mail client still leaves the end user vulnerable to malware.
I suppose you could get a little bit more draconian about it and remind users that everything the send/receive via e-mail is the company’s intellectual property…