Wednesday, June 21, 2017

Ham v Spam: what's the difference?


This post was submitted by Barracuda Support Technician Frank Dreamer.

One of the most common calls I answer from Network Administrators is: “Why are we getting so much spam?” When I look at the examples they provide, many times I see that the email message is actually ham, not spam.

The following is a brief article to help you identify the difference between spam and ham and what to do about each.

So, what is Spam?

Wikipedia describes Spam as “the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.”

The key word here is unsolicited: you did not ask for messages from this source. So if you didn’t ask for the mail it must be spam, right? That is true, but quite often people don’t realize that they are signing up for mailers when they download free software, sign up for a new service, or even update existing software. The best way to deal with spam is to forward the message to the system administrator.

In 2003 the CAN-SPAM Act was made law. This act defines the rules that advertisers and bulk mailers must follow. In order to legally send bulk mail and advertisements, they are required to adhere to the following guidelines:
  1. The header of the commercial email (indicating the sending source, destination and routing information) doesn't contain materially false or materially misleading information;
  2. The subject line doesn't contain deceptive information;
  3. The email provides "clear and conspicuous" identification that it is an advertisement or solicitation;
  4. The email includes some type of return email address, which can be used to indicate that the recipient no longer wishes to receive spam email from the sender (i.e. to "opt-out");
  5. The email contains "clear and conspicuous" notice of the opportunity to opt-out of receiving future emails from the sender;
  6. The email has not been sent within 10 days after the sender received notice that the recipient no longer wishes to receive email from the sender (i.e. has "opted-out");
  7. The email contains a valid, physical postal address for the sender. (Cornell University Law School)

So what is Ham?

According to Wiktionary, ham is “E-mail that is generally desired and isn't considered spam.”

Desired? You may be saying to yourself “I do not desire this mail, how is this ham and why am I getting it?” The answer is you requested it.

There are two ways you could have signed up for this email.
  • Directly: while downloading free software such as a browser or a game, or signing up for a new online service, you were required to check the box agreeing to their Terms of Service (TOS). Below or above the TOS were other check boxes. One said “Yes! I would like to receive information and offers from you and your partners.” If you checked this box, then legally you asked for this email.
  • Indirectly: this is the same scenario as signing up directly, except that the box for information and offers is pre-checked, leaving it to you to uncheck the box if you do not want to be on their mailing lists.
Either way, once you are on a bulk mail list they can legally send you the offers (and rarely any information worth anything) as long as they follow the RFC regulations.

The good news is that if they follow the RFC rules then it is easy to stop these emails: simply “click to unsubscribe” and the mail stops. That is, if they follow the rules.

Malicious spammers in particular will take advantage of this: they offer the same format at the bottom of their emails, but the unsubscribe link points to malicious downloads, tracking cookies, etc.

How am I supposed to know the difference? Here are a few simple things to look for:
  • Check who the email is from. An email address has two parts:
    • The username: the part before the “@” sign
    • The domain: the part after the “@” sign
  • Mouse over the “unsubscribe” link or button and look at the address it points to:
    • If the end of the address (the domain: something.com, .org, .net, .gov, etc.) is the same as the From domain, it is a good bet that this is legitimate ham and it is OK to click to unsubscribe.
    • If the end of the address does not match the From domain, don’t click it! This may still be badly formatted legitimate mail, but why take a chance. Instead, forward the mail to postmaster@ (your domain); they will know what to do with it.
  • Another option, especially if the mailer is from a legitimate retailer, is to contact them directly and let them know you will not shop with them as long as they use such tactics to advertise.
    • Most retailers do not knowingly employ spam as a means of advertising, yet quite often we receive spam from them. The reason is that retailers hire marketing firms, which may employ other firms, some of which for economic reasons hire less scrupulous bulk mailing firms. Letting a retailer know of this allows them to review whom they do business with.
A Hacker's greatest tools are the oldest tricks in a book written before time. Those tricks still work today.
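As an added example (not part of Frank Dreamer's post), here is a small Python check that automates the "mouse over the unsubscribe link" test above: it compares the domain of each unsubscribe link (from the List-Unsubscribe header and from body links) with the From domain. The sample message, the domain names and the last-two-labels domain heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the post): the header link matches the
# From domain, but the body link points somewhere else, the red flag described above.
SAMPLE_MESSAGE = """From: Deals Team <offers@shop-example.com>
To: you@yourdomain.example
Subject: Weekly offers
List-Unsubscribe: <https://mail.shop-example.com/u/123>
Content-Type: text/html

<html><body><p>Great deals!</p>
<a href="https://track.bulkmailer-example.net/unsub?id=123">Click here to unsubscribe</a>
</body></html>
"""

def registrable_domain(host):
    """Crude heuristic (assumption): keep the last two labels so that
    mail.example.com and example.com compare equal. It does not handle
    multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def unsubscribe_targets(msg):
    """Collect unsubscribe URLs from the List-Unsubscribe header and from
    HTML body links whose anchor text mentions 'unsubscribe'."""
    targets = []
    for header in msg.get_all("List-Unsubscribe", []):
        targets += re.findall(r"<(https?://[^>]+)>", header)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
                if "unsubscribe" in text.lower():
                    targets.append(href)
    return targets

def check_unsubscribe_links(raw):
    """Return (from_domain, [(url, matches_from_domain), ...]) for a raw message."""
    msg = message_from_string(raw)
    from_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    results = []
    for url in unsubscribe_targets(msg):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        results.append((url, link_domain == from_domain))
    return from_domain, results
```

A link flagged False is the "does not match, don't click it" case from the list above; forward it to postmaster@ (your domain) instead.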

Thursday, May 25, 2017

What is VM sprawl ?

VM sprawl is defined as a waste of resources (compute: CPU cycles and RAM consumption) as well as storage capacity due to a lack of oversight and control over VM resource provisioning. Because of its uncontrolled nature, VM sprawl has adverse effects on your environment’s performance at best, and can lead to more serious complications (including downtime) in constrained environments.

VM Sprawl and its consequences

Lack of management and control over the environment will cause VMs to be created in an uncontrolled way. This means not only the total number of VMs in a given environment, but also how resources are allocated to these VMs. You could have a large environment with minimal sprawl, but a smaller environment with considerable sprawl.

Here are some of the factors that cause VM sprawl:
  • Oversized VMs: VMs which were allocated more resources than they really need. Consequences:
    • Waste of compute and/or storage resources
    • Over-allocation of RAM will cause ballooning and swapping to disk if the environment falls under memory pressure, which will result in performance degradation
    • Over-allocation of virtual CPU will cause high co-stops: the more vCPUs a VM has, the longer it has to wait for CPU cycles to be available on all the required physical cores at the same moment, because the more vCPUs a VM has, the less likely it is that all those cores will be free at the same time
    • The more RAM and vCPU a VM has, the higher the RAM overhead required by the hypervisor
  • Idle VMs: VMs up and running, not necessarily oversized, but unused and showing no activity. Consequences:
    • Waste of compute and/or storage resources, plus RAM overhead at the hypervisor level
    • Resources wasted by idle VMs may impact CPU scheduling and RAM allocation while the environment is under contention
  • Powered-off VMs and orphaned VMDKs: they eat up storage space

How to Manage VM sprawl

Controlling and containing VM sprawl relies on process and operational aspects. The former covers how one prevents VM sprawl from happening, while the latter covers how to tackle sprawl that happens regardless of controls set up at the process level.

Process

On the process side, IT should define standards and implement policies:

  • Role-based access control that defines roles and permissions: who can do what. This will greatly help reduce the creation of rogue VMs and snapshots.
  • Define VM categories and acceptable maximums: while not all VMs can fit in one box, standardizing on several VM categories (application, database, etc.) will help filter out bizarre or oversized requests. Advanced companies with self-service portals may want to restrict or categorize which VMs can be created by which users or business units.
  • Challenge any oversized VM request and demand justification for potentially oversized VMs.
  • Allocate resources based on real utilization. You can propose a policy where a VM’s resources are monitored for 90 days, after which IT can adjust the resource allocation if the VM is undersized or oversized.
  • Implement policies on snapshot lifetime and track snapshot creation requests if possible.

In certain environments where VMs and their allocated resources are chargeable, you should contact your customers to let them know that a VM needs to be resized or was already resized (based on your policies and rules of engagement) to ensure they are not billed incorrectly. It is worthwhile to formalize your procedures for how VM sprawl management activities will be covered, and to agree with stakeholders on pre-defined downtime windows that will allow you to seamlessly carry out any right-sizing activities.
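As an added example (not from the post), the 90-day right-sizing policy above applied as code: a Python classifier that, given per-VM metrics, flags oversized, undersized, idle and powered-off VMs in the categories the post lists, and refuses to judge a VM with less than 90 days of data. The thresholds, the VmStats fields and the inventory are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example; the post only fixes the 90-day
# observation window before allocations are adjusted.
OBSERVATION_DAYS, POWERED_OFF_DAYS = 90, 60
OVERSIZED_PEAK_PCT, UNDERSIZED_PEAK_PCT, IDLE_AVG_CPU_PCT = 40, 90, 2

@dataclass
class VmStats:
    name: str
    powered_on: bool
    days_observed: int        # days of metrics collected (or days powered off)
    vcpus: int
    peak_cpu_pct: float       # peak use as % of allocated vCPU capacity
    avg_cpu_pct: float
    ram_gb: int
    peak_ram_gb: float

def classify(vm):
    """Return the sprawl findings for one VM; an empty list means leave it alone."""
    findings = []
    if not vm.powered_on:
        if vm.days_observed >= POWERED_OFF_DAYS:
            findings.append("powered-off: still consuming datastore space")
        return findings
    if vm.days_observed < OBSERVATION_DAYS:
        return findings                      # too early to judge
    if vm.avg_cpu_pct < IDLE_AVG_CPU_PCT:
        findings.append("idle: no meaningful activity over the window")
    ram_pct = 100.0 * vm.peak_ram_gb / vm.ram_gb
    if vm.peak_cpu_pct < OVERSIZED_PEAK_PCT and vm.vcpus > 1:
        findings.append(f"oversized vCPU: peak {vm.peak_cpu_pct:.0f}% of {vm.vcpus} vCPUs (co-stop risk)")
    if ram_pct < OVERSIZED_PEAK_PCT:
        findings.append(f"oversized RAM: peak {vm.peak_ram_gb:.0f} of {vm.ram_gb} GB (balloon/swap overhead)")
    if vm.peak_cpu_pct > UNDERSIZED_PEAK_PCT or ram_pct > UNDERSIZED_PEAK_PCT:
        findings.append("undersized: peak usage close to allocation")
    return findings

# Constructed inventory, not real data.
INVENTORY = [
    VmStats("db01", True, 120, 8, 35.0, 12.0, 64, 20.0),
    VmStats("web02", True, 120, 2, 95.0, 60.0, 8, 7.5),
    VmStats("proj-batch3", True, 120, 4, 3.0, 0.5, 16, 2.0),
    VmStats("old-test", False, 200, 2, 0.0, 0.0, 8, 0.0),
    VmStats("new-app", True, 30, 4, 10.0, 2.0, 16, 3.0),
]

def sprawl_report(inventory=INVENTORY):
    return {vm.name: classify(vm) for vm in inventory}
```

In a real environment the VmStats records would be filled from the hypervisor's performance counters; the classification then feeds the customer notification and downtime-window process described above.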

Operational

Even with the controls above, sprawl can still happen. It can be caused by a variety of factors. For example, you could have a batch of VMs provisioned for one project, but while they passed through the process controls, they can sit idle for months eating up resources because the project could end up being delayed or cancelled and no one informed the IT team.

In VMware environments where storage is thin provisioned at the array level, and where Storage DRS is enabled on datastore clusters it’s also important to monitor the storage consumption at the array level. While storage capacity will appear to be freed up at the datastore level after a VM is moved around or deleted, it will not be released on the array and this can lead to out-of-storage conditions. A manual triggering of the VAAI Unmap primitive will be required, ideally outside of business hours, to reclaim unallocated space. It’s thus important to have, as a part of your operational procedures, a capacity reclamation process that is triggered regularly.

The usage of virtual infrastructure management tools with built-in resource analysis & reclamation capabilities, such as Solarwinds Virtualization Manager, is a must. By leveraging software capabilities, these tedious analysis and reconciliation tasks are no longer required and dashboards present IT teams with immediately actionable results.

Conclusion

Even with all the good will in the world, VM sprawl will happen. Although you may have the best policies in place, your environment is dynamic and, in the constant rush of IT operations, you just can’t keep an eye on everything. And this is coming from a guy whose team successfully recovered 22 TB of space previously occupied by orphaned VMDKs earlier this year.


Tuesday, April 18, 2017

Why am I getting "undeliverable" email about emails I didn't send?


Summary
  • Spammers often use a real address as the "from" address when they send out mail.
  • They may send to millions of addresses, and any bounced messages then get sent to you (these bounced emails you get are called backscatter).
  • While it is annoying, it does not mean your account has been hacked.
  • For details about how to block backscatter, visit the Answers article on backscatter.

Details

Spammers often use a real address from their list as the "from" address when they send out mail. The “from” address looks like a "real" address (because it is), and if the recipient recognizes that address, he or she is more likely to read the spam. Another perk for the spammer is that using random addresses as the "from" address keeps people from just blocking all mail from the spammer's real address (because they never see it), and it cuts down on the hate mail that the spammer receives.

When a spammer sends a message to millions of addresses, hundreds of the addresses will not work because they no longer exist or the mailbox is full. So, hundreds of "Non Delivery Reports" (NDRs or "bounces") will be sent to whoever's address was used on the spam messages' "from" line. These bounces are called "backscatter".

Getting backscatter doesn't mean that your account has been hacked. When sending email, the sender can set any "from" address. For example, when you send mail from your home machine you say that it's "from" you@yourdomain.com, even though the mail did not originate at yourdomain.com. So, the spammer can send mail from anywhere in the world and say that it's "from" your email address.

Unfortunately, spammers tend to send out a few million messages "from" one address, and then go on to another "from" address. So, people often receive a few hundred of these bounce messages all at once, and then everything goes back to normal until next time. Once a spammer gets your email address, it's impossible to prevent your email address from being used in this way.

For details about how to block backscatter, visit the Answers article on backscatter.
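As an added example (not from the post or the Answers article it links to), this Python snippet shows one way a mail administrator can triage a bounce: the original message returned inside the delivery status notification carries Received headers, and if none of them names one of your own outbound relays, the message never passed through your infrastructure and the bounce is backscatter from a forged "from" address. The relay names, domain and bounce message are constructed assumptions.

```python
from email import message_from_string

# Assumption: real outbound mail from this domain always passes through one
# of these relays, so a returned copy whose Received chain omits them is forged.
OUR_RELAYS = {"mx1.yourdomain.example", "mx2.yourdomain.example"}
OUR_DOMAIN = "yourdomain.example"

# Constructed bounce as the remote server returns it to the forged "from" address.
SAMPLE_BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@remote.example>
To: you@yourdomain.example
Subject: Undeliverable: Cheap watches
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address failed: nobody@remote.example (mailbox does not exist)
--B1
Content-Type: message/rfc822

Received: from remote.example by remote.example; Tue, 18 Apr 2017 10:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23]) by remote.example; Tue, 18 Apr 2017 09:59:58 +0000
From: you@yourdomain.example
To: nobody@remote.example

buy now
--B1--
"""

def bounced_original(msg):
    """Return the original message embedded in a DSN, or None if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def classify_bounce(raw):
    """Label a raw bounce: genuine-bounce, backscatter, unrelated or not-a-dsn."""
    msg = message_from_string(raw)
    original = bounced_original(msg)
    if original is None:
        return "not-a-dsn"
    hops = " ".join(original.get_all("Received", [])).lower()
    if any(relay in hops for relay in OUR_RELAYS):
        return "genuine-bounce"          # we really sent it; act on it
    if original.get("From", "").lower().endswith("@" + OUR_DOMAIN):
        return "backscatter"             # our address forged elsewhere; safe to discard
    return "unrelated"
```

Received headers added before the message reached the reporting server can be forged as well, so treat this as a triage heuristic rather than proof.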

Thursday, April 6, 2017

Understanding Dark Data

Understanding Dark Data: what is dark data? What should a company do with that much data without apparent utility? Discover the keys to Dark Data with Ahmed Banfa.