4. Enlist your users to help maintain your whitelist.
Your users are constantly developing relationships with new clients, vendors and other contacts, which means that if you rely on a whitelist of trusted senders, it needs to be continually updated. Lucio Gonzalez, a system specialist and e-mail administrator at South Texas College in McAllen, appreciates it when employees at the college tell him about their new contacts -- for example, when the college gains new suppliers.
He adds them to his whitelist, and messages from these senders get through more quickly and don't risk being flagged as spam. Periodic reminders to your users to keep the IT department informed of new contacts will save everybody time and hassle.
Better yet, suggests Andrew Lochart, vice president of product marketing at e-mail security vendor Proofpoint, let users set their own spam filter parameters. In his words, spam, like beauty, lies in the eye of the beholder.
Although few people want the male enhancement or online pharmacy ads, some business travelers, for instance, might want their weekly notices from Delta Air Lines or Hertz. Such flexibility ultimately benefits both an end user and an e-mail administrator by reducing efforts by both of them to recover false positives.
5. Choose blacklists and reputation lists wisely.
If your organization relies on a blacklist or reputation list to stop spam, Jennings urges you to consider carefully which one to use. He points out that many spam filter products let the customer configure the product as to which blacklist, if any, to use.
When choosing a blacklist, Jennings recommends that you check the management policies of the lists. For example, some blacklists and reputation lists are driven purely by user complaints, says GWU's Briggs, and relying on them will invariably lead to false positives.
Not sure where to start? Ask your spam filter vendor for recommendations, suggests Jennings.
It's also important to keep up with the status of your blacklist or reputation list. Jennings cites the example of ORDB, a blacklist that was shut down in 2006, but which nonetheless still received queries from systems following the shutdown. These queries, according to Jennings, overwhelmed the servers that had housed ORDB, preventing the former ORDB administrators from doing other work. (In other words, the queries amounted to a denial-of-service attack, unintentional though it was.)
In early 2008, to stop these queries, the operators brought ORDB back online but set it up to flag every IP address reported to it as a spam source -- the only way, they believed, to gain the attention of e-mail administrators and get them to stop querying ORDB. Had these administrators been more alert to begin with, they would have investigated, discovered that ORDB was going away and redesigned their procedures accordingly, without requiring drastic measures from the ORDB operators.