Technology research and consulting services company the Yankee
Group believes the commercial costs of spam are increasing with the
growth in e-mail, instant messaging and costly wireless bandwidth.
It's time for companies to fight back.
How big a problem is spam?
Security software company
Symantec found that 37% of the people it surveyed received more
than 100 spam messages each week; 77% are concerned about their
children reading spam; and 74% report that the spam tide is rising.
Furthermore, 65% spend more than 10 minutes a day deleting unwanted
spam; 24% say they spend more than 20 minutes a day deleting spam.
Removing spam could cost a company of only 100 employees more than
£151,000 a year in lost productivity.
Spam is increasing at a faster rate than e-mail, presenting a
productivity problem that security officers need to address.
Why is spam so hard to identify?
Spam shows many of the
characteristics of security attacks that plague the Internet,
including the use of automated development tools.
Spammers can easily find the e-mail addresses to target, which they
treat as though they were in the public domain. E-mail-borne
viruses start with an initial distribution list and proliferate via
address books. Spam producers use databases of e-mail addresses
harvested from public websites, create mail lists with dictionary
attacks and knowledge of corporate e-mail naming conventions, or
purchase subscriber lists.
A virus is transmitted in a mail message that eludes
signature-oriented content scanners to deliver an undesirable
payload to an end user. A spam message uses the virus-like tricks
of modifying subject lines, inserting non-viewable salt text into
the message body, and hiding its true source to elude traffic
filters.
For both spam and viruses, traditional technology is more
effective at blocking previously sent messages and older viruses,
but struggles to identify new spam or new viruses.
Isn't there a law against spam?
Businesses in the US
have a right, protected by the First Amendment, to distribute
unsolicited e-mail advertisements. However, the right to free
speech does not grant the spam producer the right to annoy
recipients. Governments are responding to consumer complaints by
investigating anti-spam laws that preserve the ability of the
public to escape the attention of spammers.
The US Can Spam Act of 2001 requires each spam message to carry a
valid return address so that recipients can opt out of receiving
further messages. It also enables ISPs to take action against
violations of the law, with a penalty of $10 per illegal spam message.
The Unsolicited Commercial Electronic Mail Act of 2001 articulates
penalties to spam producers that do not provide ironclad opt-out
procedures. Furthermore, the bill provides recipients and ISPs with
the right to take action against spam producers that violate
provisions in the bill.
A new bill submitted in Massachusetts facilitates spam filtering by
requiring spammers to insert keywords in the subject line. For
instance, the keyword "adult" would allow easy filtering of the 10%
of all spam produced by adult sites.
The European E-Privacy Directive states that spam is illegal unless
there is a pre-existing business relationship between sender and
recipient and that recipients have agreed to receive spam. The
recipient opt-in approach presents a sharp contrast to the opt-out
approach that exists in the US.
What vendors offer promising solutions for spam?
Anti-spam products act to block spam delivery,
quarantine suspected spam, or flag a message as spam before final
delivery. Anti-spam solutions can sit at several points along the
path that message traffic takes:
Anti-spam network gateways recognise and filter spam before it
reaches the mail server. Gateway solutions use in-line network
placement to save servers and desktops extra processing and
administration burdens. BorderWare Technologies and Symantec offer
anti-spam gateways.
Anti-spam applications reside on the mail server to scan incoming
mail. These products are more easily tuned to the unique
characteristics of the mail system. Trend Micro and Tumbleweed
Communications deliver solutions on the mail server.
Service businesses analyse mail across multiple organisations and
apply spam domain expertise to manage anti-spam filters in the
enterprise. Brightmail and MessageLabs are two companies promoting
anti-spam services.
Desktop anti-spam software has not been effective in a corporate
environment.
What should chief security officers do?
The Yankee
Group suggests a number of steps to take in the war against
spam:
Quantify the costs of spam in your organisation. Use ISP
statistics: assume that 57% of your total inbound e-mail traffic is
spam (use 17% if you have a spam filter). Using an average message
size of 17Kb you can now calculate spam-related expenses for disc
storage, bandwidth consumed, and the time employees lose deleting
spam. Now assume your e-mail volume will double in 2003.
Don't wait for government regulations to take effect. Add
anti-spam products or services to your messaging architecture. Use
the expense analysis you conducted to negotiate fair prices. Push
for performance clauses from the security suppliers to be able to
demonstrate guaranteed cost savings.
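The cost analysis described in the steps above, worked through as an added example (this is not the Yankee Group's own calculator). The 57%/17% spam shares, the 17Kb average message and the 10 minutes a day of deletion time are the article's figures; the working-day count, hourly employee cost, per-GB prices and the linear scaling of deletion time with spam volume are assumptions to replace with your own HR and ISP numbers.

```python
# Added example, not the Yankee Group's calculator. Shares, message size and
# deletion time are the article's figures; the rest are placeholder assumptions.
from dataclasses import dataclass

SPAM_SHARE_UNFILTERED = 0.57  # article: 57% of inbound mail is spam
SPAM_SHARE_FILTERED = 0.17    # article: 17% once a filter is in place
AVG_MESSAGE_KB = 17           # article: average message size
DELETE_MINUTES_PER_DAY = 10   # article: deletion time per employee, unfiltered
WORKING_DAYS = 250            # assumption
KB_PER_GB = 1024 * 1024


@dataclass
class SpamCost:
    spam_messages: int      # spam messages received per year
    spam_gb: float          # carried over the link and kept on disc
    lost_hours: float       # employee time spent deleting spam
    productivity_cost: float
    bandwidth_cost: float
    storage_cost: float

    @property
    def total(self) -> float:
        return self.productivity_cost + self.bandwidth_cost + self.storage_cost


def annual_spam_cost(inbound_per_day, employees, hourly_cost,
                     price_per_gb_transfer, price_per_gb_stored,
                     filtered=False, volume_multiplier=1.0):
    """One year of spam cost; volume_multiplier=2.0 is the article's
    'assume your e-mail volume will double' scenario."""
    share = SPAM_SHARE_FILTERED if filtered else SPAM_SHARE_UNFILTERED
    spam = round(inbound_per_day * volume_multiplier * share * WORKING_DAYS)
    spam_gb = spam * AVG_MESSAGE_KB / KB_PER_GB
    # Assumption: deletion time scales with the number of spam messages an
    # employee sees, anchored at 10 min/day for today's unfiltered volume.
    minutes = DELETE_MINUTES_PER_DAY * (share / SPAM_SHARE_UNFILTERED) * volume_multiplier
    lost_hours = employees * minutes * WORKING_DAYS / 60
    return SpamCost(spam, spam_gb, lost_hours,
                    productivity_cost=lost_hours * hourly_cost,
                    bandwidth_cost=spam_gb * price_per_gb_transfer,
                    storage_cost=spam_gb * price_per_gb_stored)  # one year's retention assumed


def filter_savings(**kwargs) -> float:
    """Annual saving a filter delivers at the 17% residual share: the
    figure to set against a vendor quote and write into a performance clause."""
    return (annual_spam_cost(filtered=False, **kwargs).total
            - annual_spam_cost(filtered=True, **kwargs).total)
```

With 100 employees at an assumed £36 an hour the unfiltered productivity figure comes out at about £150,000 a year, which is a useful sanity check against the £151,000 quoted earlier in the article.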