How big a problem is spam?
Security software company Symantec found that 37% of the people it surveyed received more than 100 spam messages each week; 77% are concerned about their children reading spam; and 74% report that the spam tide is rising.
Furthermore, 65% spend more than 10 minutes a day deleting unwanted spam; 24% say they spend more than 20 minutes a day deleting spam. Removing spam could cost a company of only 100 employees more than £151,000 a year in lost productivity.
Spam is increasing at a faster rate than e-mail, presenting a productivity problem that security officers need to address.
Why is spam so hard to identify?
Spam shows many of the characteristics of security attacks that plague the Internet, including the use of automated development tools.
Spammers can easily find the e-mail addresses to target, which they treat as though they were in the public domain. E-mail-borne viruses start with an initial distribution list and proliferate via address books. Spam producers use databases of e-mail addresses harvested from public websites, create mail lists with dictionary attacks and knowledge of corporate e-mail naming conventions, or purchase subscriber lists.
A virus is transmitted in a mail message that eludes signature-oriented content scanners to deliver an undesirable payload to an end user. A spam message uses the virus-like tricks of modifying subject lines, inserting non-viewable salt text into the message body, and hiding its true source to elude traffic filters.
In the case of both spam and viruses, traditional technology is more effective at blocking previously sent messages and older viruses, but struggles to identify new spam or viruses.
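The effect of salt text on a signature filter, shown as an added Python example (not code from the article or from any vendor it names): an exact hash of a known spam message misses a variant with a modified subject and hidden salt text, while a fingerprint taken over the normalised visible text still matches. The sample messages are constructed and the function names are hypothetical.

```python
import hashlib
import re
from html.parser import HTMLParser

# Inline styles that hide text (heuristic: colour tricks and external CSS are missed).
HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}

class VisibleText(HTMLParser):
    """Keeps only text a reader would see; comments and hidden elements drop out."""
    def __init__(self):
        super().__init__()
        self.stack, self.parts = [], []  # stack holds (tag, is_hidden)
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or bool(HIDDEN.search(style))))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # close nearest match
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):
        if not (self.stack and self.stack[-1][1]):
            self.parts.append(data)

def visible_text(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return re.sub(r"[^a-z0-9]+", " ", "".join(parser.parts).lower()).strip()

def exact_signature(subject, html):
    """Naive signature: any change to subject or markup yields a new value."""
    return hashlib.sha256((subject + "\n" + html).encode()).hexdigest()

def body_fingerprint(html):
    """Signature over normalised visible text only; the subject is ignored."""
    return hashlib.sha256(visible_text(html).encode()).hexdigest()

# Constructed sample messages (not taken from real traffic).
KNOWN = ("Lower your mortgage rate", "<p>Lower your mortgage rate. Reply now!</p>")
VARIANT = ("Lower your mortgage rate   xkq7z",
           "<!-- qpwo eiru --><p>Lower your mortgage rate."
           '<span style="display:none">zebra kettle 91827</span> Reply now!</p>'
           '<font style="font-size:0">mnbv cxz</font>')
```

A variant that changes the visible wording would still evade this fingerprint, which is why it only illustrates the salt-text case.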
Isn't there a law against spam?
Businesses in the US have a right, protected by the First Amendment, to distribute unsolicited e-mail advertisements. However, the right to free speech does not grant the spam producer the right to annoy recipients. Governments are responding to consumer complaints by investigating anti-spam laws that preserve the ability of the public to escape the attention of spammers.
The US Can Spam Act of 2001 requires each spam message to carry a valid return address so that recipients can opt out of receiving further messages. It also enables ISPs to enforce the law with a penalty of $10 per illegal spam.
The Unsolicited Commercial Electronic Mail Act of 2001 sets out penalties for spam producers that do not provide ironclad opt-out procedures. Furthermore, the bill provides recipients and ISPs with the right to take action against spam producers that violate provisions in the bill.
A new bill submitted in Massachusetts facilitates spam filtering by requiring spammers to insert keywords in the subject line. For instance, the keyword "adult" would allow easy filtering of the 10% of all spam produced by adult sites.
The European E-Privacy Directive states that spam is illegal unless there is a pre-existing business relationship between sender and recipient and recipients have agreed to receive spam. The recipient opt-in approach presents a sharp contrast to the opt-out approach that exists in the US.
What vendors offer promising solutions for spam?
Anti-spam products act to block spam delivery, quarantine suspected spam, or flag a message as spam before final delivery. Anti-spam solutions appear at multiple points along the path of message traffic:
Anti-spam network gateways recognise and filter spam before it reaches the mail server. Gateway solutions use in-line network placement to save servers and desktops extra processing and administration burdens. BorderWare Technologies and Symantec offer anti-spam gateways.
Anti-spam applications reside on the mail server to scan incoming mail. These products are more easily tuned to the unique characteristics of the mail system. Trend Micro and Tumbleweed Communications deliver solutions on the mail server.
Service businesses analyse mail across multiple organisations and apply spam domain expertise to manage anti-spam filters in the enterprise. Brightmail and MessageLabs are two companies promoting anti-spam services.
Desktop anti-spam software has not been effective in a corporate environment.
What should chief security officers do?
The Yankee Group suggests a number of steps to take in the war against spam:
Quantify the costs of spam in your organisation. Use ISP statistics: assume that 57% of your total inbound e-mail message traffic is spam (use 17% if you have a spam filter). Using an average message size of 17Kb, you can now calculate spam-related expenses for disc storage, bandwidth consumed, and the time employees lose deleting spam. Now assume your e-mail volume will double in 2003.
Don't wait for government regulations to take effect. Add anti-spam products or services to your messaging architecture. Use the expense analysis you conducted to negotiate fair prices. Push for performance clauses from the security suppliers to be able to demonstrate guaranteed cost savings.
This was first published in January 2003