The perfect but perhaps extreme solution for SPAM

As a decision maker in IT, I get dozens of unsolicited email messages a day. That may not sound like much but that is after some rather extensive anti-spam techniques:

1. I never give out my email address except when I need to do business with someone.
2. When people call and ask if they can email me a whitepaper I say NO.
3. My spam filter blocks 95% of all email sent to my domain, and thus me.
4. I unsubscribe from every email list I end up on.
5. If a vendor does not have an unsubscribe function when they send me email I have a button I click which adds their domain to my blacklist and sends them a message that they have been blocked for not complying with the CAN-SPAM act. (I take particular joy in this … is that wrong?)

Still, I get SPAM. This frustrates me because I am in a position where I have to check email when it comes in. I get notified when a system is down via email so not checking is not wise. That means that the 20-30 unsolicited marketing messages that get through interrupt my work.

Enter the extreme SPAM filter process

Step 1: Who do I want mail from?

I want email from

• everyone in my company
• anyone I do business with
• anyone in my contact list

I don’t want email from anyone else.

Is this reasonable? Is there any compelling business reason to accept unsolicited email from everyone? In my position, I am not looking for new customers so blocking email shouldn’t affect my ability to do my job. The amount of time that is spent deleting unwanted email far exceeds any benefit I get from it. It just seems rude to ruthlessly block the world but then again, they are interrupting my day without my consent. I would love to know everyone else’s thoughts on this.

Step 2: Setting up the filter

Using Outlook 2013 I can easily set this up.

In Outlook, on the Home Tab, select Junk –> Junk Email Options.

Click the Safe Sender Tab

Add every domain you know you want to receive mail from. Frankly, this will take a while. You have to add all your domains, all the domains your devices send mail from, and all the domains of the vendors your work with. I spent some time sorting through my saved email to come up with this list. I tend to whitelist domains instead of users.

I recommend checking Also Trust Email from my Contacts and Automatically Add People I Email to the Safe Sender List.

Step 3: Applying the filter

Click on the Options tab and choose Safe List Only.

Now email from someone not white-listed in the Safe Sender Tab is sent to your junk folder.

For the next month, you are going to want to pay attention to your junk folder and continue to white-list people you need to get email from.

I also try to add vendors as contacts since I do business with them and that keeps me from having to add them to the white-list.

Step 4: Not missing something important

Looking through all the junk in your junk mail folder is annoying but you need to do this regularly until you are sure you are not missing messages.

When you find a message you need in the junk mail folder, right click it –> junk –> Not Junk. I then delete all the mail in my junk folder to make skimming it later less of a chore.

Go back to the Safe Sender List you created earlier. You will notice lots of individual email addresses like bob@domain.com. If you need email from everyone in that domain, edit the entry so that only the domain name is left. (@domain.com)

A new way of thinking about email

I added the Junk folder to my favorites and moved in under the inbox. Because you have to check junk mail regularly you essentially have two inboxes. The first “Junk” inbox won’t make your phone beep, won’t make your computer beep, and won’t interrupt your day. Yes, you have to check it but over time that becomes less important.

The Inbox becomes a priority inbox from people you actually need to hear from and have your permission to interrupt your day.

Alternatives that are less extreme

I use this method because I only get notified of email that I have specifically approved. I find that I have to check my junk mail folder more often but since those messages don’t interrupt me, I am not losing productivity when they arrive.

You could accomplish something similar using rules and changing the notification settings.

Another option is to change how often Outlook checks for email. Setting it to 30 minutes guarantees you a half hour of productivity before someone derails your day.

Well, I hope this helps you stay productive. It has helped me but took a while to “fine tune.”

IT Security Tip: When not to be helpful

If you manage IT and have a phone you probably get dozens of calls a day from sales people and researchers. Most of them are very good at keeping you on the phone.

It is in our nature to want to help people

The calls always start with a very chipper person introducing themselves and their company. Researchers often add that they are not trying to sell anything. This is followed up by a question like “What are you using for storage?” It is difficult not to answer. We want to be helpful. Why shouldn’t I answer?

Giving out information about your network is a security risk

I suspect I could call 10 IT people and get critical configuration information from five of them by pretending to be a salesperson, researcher, or peer.

• What firewall are you using?
• What VPN solution do you have?
• Do you have any issues with it you would like to see fixed?
• Do you struggle with patch management?
• What log management system are you using?

All of this information can be used to design an attack against your company.

Ask yourself who needs to know this information?

Nobody outside your organization needs to know how your network is configured.

What happens if the vendor or researcher gets hacked?

If I were a hacker, I would want to get hold of any vendor’s CRM database. That could contain a significant amount of information about a potential target’s networks. How secure is the data you provide to vendors? Why take the risk?

What to say when someone calls and asks “What product do you use for xyz?”

I am not allowed to provide that information over the phone. Repeat that as often as needed. You can add that you are constrained by policy and cannot provide them any information about the network, software, or anything else.

Bonus tip: How to get a vendor off the phone

Unless this is a vendor you want to talk to, simply tell them you are not soliciting new vendors at this time. Don’t tell them you do or do not have a solution, that is a security risk. Just tell them you are not looking for new vendors, thank them, and hang up.

I even added a short blurb at the end of my voice mail message that says “If you are a vendor, we are not soliciting new vendors at this time. Messages will not be returned.” I am polite but it is a way of letting them know I don’t want to keep getting calls. If I am looking for new vendors I might say “If you are a vendor for XYZ products, please leave a message. We are not soliciting other vendors at this time.”

Some people think that is rude. I find the decrease in SPAM voice-mail a relief.

Bonus bonus tip: Decrease unsolicited email messages

I must get 20 email messages a day from vendors asking me to meet with them to discuss how they can save me money, time, etc. I save more time by not reading their email. (Yes, I am a little bitter at the massive amount of junk mail I have to wade through.)

Outlook has a feature which many people overlook. Simply click on the Junk button and select, “Block Sender.” You will never get an email from that person again.

If you want a more extreme way of blocking junk, you can try something I have been experimenting with.

 

 

Updated 09/23/2014 for grammatical errors.