Luke Haber, Team Leader- Client Support, Information Technology and Telecomunications Services, Southern Cross University. Email: luke.haber(at)scu.edu.au
Allan Ellis, Associate Professor, School of Comerce and Management, Southern Cross University. Email: allan.ellis(at)scu.edu.au
Spam is a problem for any organisation that has an e-mail address. Universities provide their own mail systems and create thousands, even tens of thousands, of e-mail addresses and as a result, receive large amounts of spam. Many users hit the delete key for every spam message received. This can be a frustrating and time-consuming task. It is the University's obligation to protect users e-mail accounts from potential threats like spam and inform users of potential risks. While technical controls can block spam and Anti-Virus products can quarantine suspect attachments, user education and awareness is also required to reduce user interaction with spam.
User education and awareness can play a major role in the fight against spam. Spam is as much a social problem as it is a technical one. Education through an informative Web site is an effective method of raising the awareness for users, improving their understanding of the problem and therefore altering their behavior towards spam and potential spam sites. This paper evaluates Australian University Web sites on spam information and education they contain and recommends a framework for designing a spam education Web site.
WHAT IS SPAM
In Australia, the term spam as applied to email, means any
message sent to multiple recipients without permission, often
of commercial or fraudulent nature and sent with false e-mail
account information. Spam is also often referred to as UBE
(Un-solicited Bulk e-mail) [HREF1]. Despite new technical
measures and advancements in anti-spam products to filter
unwanted messages, spam in December 2006 was reported to be
more than 80% of all e-mail (The Australian, 2007).
Spam was estimated to cost globally $20.5 billion USD or $49 USD per mailbox in 2003, [HREF2]. Establishing educational Web sites could save individuals, business, organisations and companies millions of dollars through awareness programs about spam. User education and awareness can play a major role in the fight against spam. Spam is as much a social problem as it is a technical one.
WHY SPAM IS A PROBLEM FOR UNIVERSITIES
Spam is a problem for any organisation that has an e-mail
address. Universities provide their own mail systems and create
thousands, even tens of thousands, of e-mail addresses and
as a result, receive large amounts of spam. Universities are
diverse computing environments where students, staff, academics
and visitors share the Web, data, services and compete for
bandwidth. Spam is major problem as it costs dollars in download
data, consumes users (students and staff) time and ties up
the computing resources of the University.
Universities are soft targets as they have large numbers of published e-mail address's that are easily harvested by spammers when searching the Web [HREF1]. E-mail at universities is relied upon as the preferred way to communicate with students and spam threatens to erode the validity of e-mail for use as reliable communication (Cook, 2005). Universities provide a service simular to Internet Service Provider's (ISP) in supplying students and staff with e-mail accounts and Internet access. While there is no financial arrangement for the provision of these services, students and staff expect a level of service and for spam to be kept to a minimum.
As a main method of communication between staff and students, it is critical that the e-mail system is free from interference. It is the University's obligation to protect users e-mail accounts from potential threats like spam and inform users of potential risks from spam messages and spamming activities.
SOLUTIONS - TECHNICAL CONTROLS AND USER EDUCATION
The most effective technical controls currently available
to reduce spam rely on rule based filtering of message content
based on key words and blocking mail from senders with black-listed
Internet addresses using a combination of specialised software
and hardware devices [HREF3]. Within Universities, the central
IT department commonly undertakes the task of spam management
at the e-mail server level, blocking a large amount of spam
before it even reaches the users inbox.
The technical controls are costly to implement, require constant monitoring and maintenance but are essential as they can block up to 95% of the spam at the server end (Firstbrook, 2006) and spammers are always looking for new ways to beat filters and block lists. Many users hit the delete key for every spam message received. This can be a frustrating and time-consuming task. It can be overcome by training users in the use of the spam-blocking features of e-mail client software. The appropriate use of e-mail client filtering solutions can enable the end user's ability to deal efficiently and responsibly with their own spam. Not enough emphasis is placed on user education and awareness as effective spam management control to compliment the technical solutions.
While technical controls can block spam and Anti-Virus products can quarantine suspect attachments user education and awareness is also required to reduce user interaction with spam. Informative Web sites can provide an effective means of awareness and can be of great educational benefit (Patterson, 2004). If the user-base is aware of the problem and educated about controls and measures, they will be in a better position to have an action plan for deal with unwanted e-mail.
METHODOLOGY
A study of thirty-eight Australian University [HREF4] Web
sites was undertaken to evaluate the level of spam information
currently available. The study began with a keyword search
using the search engine on each University's homepage. Keywords
that were used were; "spam, UBE(Universal Bulk E-mail), UCE(Universal
Commercial E-mail), E-mail, Phishing, Virus and E-mail Filters".
The data found from each search was then run through a series
of detailed questions, with each question scored. The questions
related to specific content quality, presentation and accessibility
of the information found.
A ranking system was formulated on the total of the scores for each question (Figure A). All thirty-eight Australian universities were ranked and the total scores for each university were recorded. If information was not located, specific searches on the Information Technology (IT) Department Homepage were also undertaken where this information would also likely to be found. The University Web sites where no information could be found were marked in the results as "Not Found" and recorded an overall score of zero. It should be noted that these searches only involved publicly available pages as information could have been present behind a protected Intranet.
RESEARCH FINDINGS
Thirty-four Universities had some form of information for
users about spam. Four of the Universities were found to have
No Information Found (Figure A). Fifty percent of Universities
scored 7 to 9 points and were found to provide Good Information.
Universities that recorded a score of Good Information have
recognised the problem and the need to educate users in as
many ways possible. Standout Universities from those that
scored a rating of Good Information and recorded a score of
9/9 were: Charles Stuart University, University of Ballarat,
Deakin University, Flinders University, and Monash University.
These sites were examined in more detail and the framework
in Figure D was modelled from these Web sites.
Figure A - Overall rankings of spam information
content on university Web sites
Overall Rankings |
SCORE |
Good Information |
9 - 7 |
Adequate Information |
6 - 4 |
Poor Information |
3 - 1 |
No Information Found |
0 |
SUMMARY FINDINGS OF DETAILED QUESTIONS
Question 1 - Was the information found on the first few
search pages or was extensive searching on other keywords
required? (Score - Easy 1, Hard 0) In 79% of University
Web sites, the spam information on was easy to find, the remaining
21% required more searching by using additional words.
Question 2 - How was the information about spam presented? (Score - Dedicated Site 3, FAQ 2, Newsletter 1, Briefly mentioned 0) Of the Web sites searched, 65% of Universities had a dedicated Web site to present information about the spam problem (Figure B). A dedicated Web site was considered to be the most comprehensive way to present all the information relating to spam and have it accessible from one central location.
Figure
B - How information about was presented on University Web
sites
Question 3 - Was a non-technical explanation (layman) of the spam problem provided? (Score - Yes 1, No 0) A non-technical explanation (layman) of the spam problem was found on 82% of Universities Web sites.
Question 4 - Was additional help available or solutions provided to reduce spam? (i.e. external links to more information/help) (Score - Yes 1, No 0) Additional help available and solutions through the use of external links to Anti-spam organisations and Anti-spam companies were found on 68% of Universities Web sites.
Question 5 - Was Spam filtering information provided for e-mail clients? (Score - Yes 1, No 0) Spam filtering information for e-mail clients was provided online for 85% of University Web sites in the form of help guides and user manuals for e-mail clients. A large proportion of this material was readily available for download.
Question 6 - Was information on what the University is doing about spam provided? (Score - Yes 1, No 0) Information on what the University is doing about the spam problem was found on 85% on Web sites investigated.
Question 7 - Who provided the spam information? Was it Central IT Department , Dept/School/Faculty, Library, University ? (Not Scored) Central IT Departments provide 82% of spam information found on University Web sites (Figure C).
Figure
C – Who provided the spam information on University Web sites
Question 8 - Was Phishing and E-mail Virus information provided? (Score - Yes 1, No 0) Information about Phishing and E-mail Viruses was found on 85% of University Web sites
RECOMMENDATIONS
The objectives of spam Web sites are to educate users, raise
awareness of the problem, provide current information and
train users about e-mail filters (Figure D).
Figure
D - Suggested Spam Education Web Site Framework
Navigational issues can be overcome through a dedicated spam Web site, as a dedicated link is easier to find and provide additional follow-up information on. The information should be made publicly available, as it would also benefit the community as well as the students and staff. The spam information Web site should be first page to appear from searching for the word "spam" in a search field on a university's home page. The information should also be easy to find using the keyword spam or e-mail filter. Information should be provided centrally from an IT department as the likely anti-spam control will also be provided from here.
Hosting the site within central IT would maintain the consistency of the information and ensure it would be not be unnecessarily replicated. It is critical that the spam information on a Web site be kept current as the problem is changing and evolving (Firstbrook, 2006) and the technology attempting to solve the problem is also changing. Any information should be reviewed every three months as a minimum to keep it current. Responsibility for Web site maintenance should be assigned to the group responsible for IT security at the University, as they are likely to be well informed of the current situation relating to spam.
As a minimum, Universities should at least have a basic spam education Web site, as some form of basic content is better than no content at all. Research found that 24% of studied universities had poor or no information. A basic site would contain a definition of the problem, a statement what the university is doing about the spam , and how users can setup email filters in their e-mail clients. It is recommended that Universities establish an advanced Web site for spam education. An advanced site would include the basic site plus contain additional information to further educate and empower users. A higher level of information for advanced users can be incorporated on an advanced site.
The spam Web site should contain links to a FAQ page where common questions about spam can be answered. By providing links to external Web sites users can find out more information Such Web sites as the Coalition Against Unsolicited Bulk E-mail [HREF1] and the Australian Communications Media Authority (ACMA) [HREF5] have information about where to report spam and practical solutions for users to reduce spam. Reference material and hint sheets can aid users and reduce IT support enquires. A contact point should b provided should users have problems with spam and require assistance.
A contact email address on the spam information Web site or the phone number of the IT security person should be sufficient. IT Helpdesks can assist in the education of the user base, as they are the central contact point for most IT problems and should be able to direct users to the dedicated spam site or FAQ area. In addition, information about the threat of phishing is also important for users to know, as the majority of phishing attacks are sent by spam e-mail [HREF6]. A spam education Web site is ideal place for the university to publish e-mail statistics on spam to highlight to users the volume of spam the University receives.
CONCLUSION
The more users can be educated about the pitfalls of spam
and the harm it can cause personal computers, individuals
and organisations, the greater the benefit to the University
and ultimately the community. Universities can little afford
to have students abandon the use of University provided e-mail
accounts because they receive too much spam. They also do
not want to be paying staff to be spending time on unproductive
spam issues ie.. like deleting every spam message one by one.
Universities could benefit through collaboration with each
other on fighting spam and provide a service to the community
by making the information publicly available.
Through collaboration on content and presentation ideas, the information on the spam education Web sites could be consistent across all the Australian Universities. Universities that have poor or no information about spam could use the suggested framework to create a spam education Website. Using the suggested framework, universities can create educational Web sites to share information and change behaviour of staff, students and the community. The more educated staff and students become about spam and how to avoid or reduce it, the more likely they will continue to use e-mail.
REFERENCES
The Australian Newspaper. (2007). Spam still a menace,
IT Section, January 30th Edition, p1.
Cook, D. (2005). Catching Spam Before It Arrives. Honors Thesis,
Unpublished. School of Computing, University of Tasmania,
Firstbrook, P. (2006). Benchmarking Anti-Spam Effectiveness.
GARTNER. Publication Date: 25 April 2006 ID Number: G00138490.
Available online [HREF7].
Patterson, K. (2004). An Investigation into Australian University
Websites. Master of Education Thesis, Unpublished. Southern
Cross University, Lismore.
HREF
HREF1 http://www.caube.org.au
HREF2 http://uq.edu.au/news/?article=5833
HREF3 http://en.wikipedia.org/wiki/Anti-spam_techniques_%28e-mail%29
HREF4 www.universitiesaustralia.edu.au/content.asp?page=/about/current_office_holders/avcc_members.htm
HREF5 http://www.acma.gov.au
HREF6 http://www.messagelabs.com/intelligence
HREF7 http://www.gartner.com/DisplayDocument?doc_cd=138490
Luke Haber and Allan
Ellis © 2007. The authors assign to Southern Cross University and other educational
and non-profit institutions a non-exclusive licence to use
this document for personal use and in courses of instruction
provided that the article is used in full and this copyright
statement is reproduced. The authors also grant a non-exclusive
licence to Southern Cross University to publish this document
in full on the World Wide Web and on CD-ROM and in printed
form with the conference papers and for the document to be
published on mirrors on the World Wide Web.