falsepositives by huanghengdong


									                False positives: How anti-spam filters can
                                 cause loss of business

By David Kelleher

Every email user across the globe can relate to it. That tiresome feeling of sifting through what often
seems like endless amounts of emails at the beginning of each day, in a constant and ongoing fight
against spam. As costs, in terms of time and money, increase for businesses dealing with spam, it’s
important for IT directors, especially within SMEs, to find effective ways to deal with the daily dilemma.

Spam is an exponentially-growing problem and with conservative estimates suggesting that 100
billion spam messages clog the internet on a daily basis, the majority of companies are more than
happy to use spam filters to lower the volume of spam hitting their email server. Working their way
through hundreds of junk messages every morning is a chore many employees will be happy to stop

The most effective way to deal with spam is to install anti-spam filters that remove junk messages
from all inbound email. The majority of anti-spam products on the market use a variety of technologies
to achieve this and these products are regularly updated to counter new and derived forms of spam.
Top end products can remove upwards of 98% of all spam received, making life somewhat easier for
email users and IT administrators.

Unfortunately, inasmuch as spam filters are a godsend for many companies, there is always a risk –
albeit small – that the filters will occasionally block and prevent valid email messages from arriving at
their destination. These are known as ‘false positives’.

Many anti-spam solutions allow the administrator to adjust the sensitivity of the filters. The higher the
sensitivity level of the filter is the greater the chances of spam being caught. However, this will almost
certainly increase the number of false positives – and false positives can be extremely costly in terms
of credibility and cost.

One company in the US learned at its own expense how one missed email can land a business in
deep trouble. A law company in Colorado failed to turn up in court and was order to pay the opposing
counsel’s costs. The firm’s IT team had increased the sensitivity of their email filters because spam
was still reaching end-users. Although this solved the problem it created another because emails from
the United States District Court for the District of Colorado, including a notification of the date of the
hearing, were also blocked. Unfortunately, that single email cost the firm several thousand dollars.
This is one example of how a false positive can impact a company in financial terms. But the damage
is not limited to direct monetary losses. An email from a client may be blocked with the result that a
long-awaited business deal falls through because the client feels the company neglected his email
and did not bother to reply. It will take considerable PR effort to get the customer back.

False positives impact productivity too. A high rate of false positives means that staff have to spend
time checking deleted or quarantined emails for ‘genuine business message’. According to Ferris
Research, it costs $3.50 to recover an erroneously deleted email. That may not seem a lot, but in a
company with 500 staff, a single misidentified email per month per member of staff equates to an
annual cost of $21,000.

Most anti-spam filters based on more primitive technologies are known to generate a higher rate of
false positives. This often happens because the rules that these filters are based on are too stringent
or not well-defined enough. For example, some anti-spam filters ban all email originating from mail
servers which appear on up-to-date blacklists. The risk of accidentally blocking potentially important
messages is sometimes enough to deter many companies from implementing any anti-spam
measures at all – which is in itself the epitome of bad practice. But no one can blame them for
preferring to put up with spam rather than losing potential business because of a few false positives.

So how do you deal with false positives?

Whilst you can delete all mail that is tagged as spam as it lands at your server, this is probably not the
best way to deal with the problem. This will only increase the risk that important emails will be lost
without any chance of recovery. A better approach would be to quarantine tagged mail into a junk
folder so that users check it on a regular basis. Although this can be time-consuming, properly
configured anti-spam filters can reduce the number of tagged emails thus making it much easier for
users to check the quarantine folders.

Spam filters can never get it 100% right. Some junk emails appear to be genuine enough to not only
bypass the filters but the end-users as well.

Maintaining a low level of false positives depends a great deal on the anti-spam filters used and how
these have been configured. There is no single solution on the market that will delete all spam and
never delete a good email. Choosing a proven anti-spam product however, coupled with proper
configuration and integration with the email server, will go a long way towards reducing the number of
false positives and, ultimately, negative repercussions for the company.

David Kelleher is Communications and Research Analyst at GFI.

To top