by Meridith Levinson

E-Mail: Seething over Spam

Nov 15, 2002

It was spam overload. Inboxes at a certain Fortune 50 energy company were packed with unsolicited e-mail, making it difficult for users to find important messages. Worse, the spam content was getting downright raunchy, creating a liability problem for the organization. “It was beyond foul,” says Dave Giaramita, an internal IT consultant for the company.

And every user complaint landed squarely on the shoulders of IT.

Spam currently makes up 25 percent to 35 percent of a company’s total mail volume, according to Joyce Graff, vice president and research director for e-mail at Stamford, Conn.-based Gartner. And, she notes, if 25 percent to 35 percent of your company’s e-mail is spam, that’s a 25 percent to 35 percent inflation on your e-mail bandwidth and storage capacity.

Looking to stem the flow, the energy company’s IT department turned to a product from mail security vendor Tumbleweed Communications.

But it wasn’t until the IT staff installed the new software and had it working in conjunction with other spam-prevention measures, such as blocking mail identified by “real-time black hole lists” (RBLs) as originating from servers exploited by spammers, that Giaramita realized just how bad the spam problem had been. He estimates that these measures capture as many as a quarter-million spam messages each day.

“The cost of all that spam for a company this size was enormous,” says Giaramita. He conservatively estimates that the company is saving between $100 million and $200 million per year in regained productivity and additional millions from not having to pay for the extra storage and bandwidth that that much spam requires.

Human Expense

Money isn’t the only cost associated with spam. It’s increasingly becoming an HR issue as well.

Graff notes that offensive spam makes employees feel like their employers don’t care about them because they don’t see the company trying to make the enterprise a place that’s conducive to work.

Many companies are even beginning to view offensive spam as a legal liability, following a precedent set at Chevron. In 1996, the oil company’s IT operating company spent $125 million to settle a class-action lawsuit brought on by 777 female employees in response to a degrading e-mail that circulated inside the organization.

More recently, Utah residents have filed a class-action lawsuit against Sprint because the ISP failed to mark unsolicited e-mail as such, in violation of Utah’s Unsolicited Commercial and Sexually Explicit E-Mail Act.

From Bad to Worse

The spam situation isn’t improving, either. Graff says that spam has multiplied tenfold in the past year. And spammers have more tools than ever for digging e-mail addresses off the Internet. The economic downturn has increased the use of spamming as a low-cost way for desperate individuals to earn a buck. Enemies of the United States are even using spam as a weapon in their arsenals by bombarding American corporate servers with junk mail.

Fortunately, there are multiple solutions on the market that go beyond superficial keyword searches to nail spam at the gateway. While none of these solutions is perfect, in part because spammers always find new ways to fake out the filters, many CIOs are finding that the tools are an effective means to fight spam.

Local Filters

One of the first approaches to stopping spam involves simply filtering messages at the gateway. The best tools combine a number of techniques to fight spam, including content filtering, keyword matching and heuristics (statistical probabilities used to determine whether a message is spam based on hundreds or thousands of characteristics, such as header information, punctuation and capitalization). Such tools may also use RBLs to block mail from servers known to be used by spammers (unfortunately, those same servers may also be used by legitimate senders, so RBLs alone are an imperfect solution).
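As an added illustration (not part of the original article or of any vendor's product), the sketch below scores a message with the kinds of characteristics listed above and treats an RBL hit as one weighted signal rather than a verdict, so legitimate mail relayed through a shared, listed server still gets through. The keywords, weights, threshold and the rbl.example zone are assumptions made up for the example.

```python
import ipaddress
import re

# Constructed weights, keywords and threshold: assumptions for illustration.
KEYWORDS = {"free": 1.0, "winner": 1.5, "guaranteed": 1.0}
THRESHOLD = 3.0
# Constructed stand-in for DNS: names a hypothetical RBL zone would resolve.
LISTED = {"10.2.0.192.rbl.example"}

def dnsbl_query_name(ip, zone="rbl.example"):
    """RBL lookups query the sender's IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_message(headers, body, sender_ip, listed=LISTED.__contains__):
    """Return (score, reasons); each heuristic adds weight, none decides alone."""
    text = headers.get("Subject", "") + " " + body
    hits = []
    # Keyword matching on whole words, not substrings.
    words = {w.lower() for w in re.findall(r"[A-Za-z']+", text)}
    for w in sorted(words & KEYWORDS.keys()):
        hits.append((KEYWORDS[w], "keyword:" + w))
    # Capitalization: more than half of the letters are uppercase.
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        hits.append((1.5, "mostly-uppercase"))
    # Punctuation: runs of three or more of ! ? $.
    if re.search(r"[!?$]{3,}", text):
        hits.append((1.0, "punctuation-run"))
    # Header information: no Message-ID header present.
    if "Message-ID" not in headers:
        hits.append((1.0, "missing-message-id"))
    # A real gateway would resolve this name in DNS; an answer means "listed".
    if listed(dnsbl_query_name(sender_ip)):
        hits.append((2.0, "rbl-listed"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def is_spam(headers, body, sender_ip):
    return score_message(headers, body, sender_ip)[0] >= THRESHOLD

# Constructed samples: both arrive from the same listed (shared) server.
SPAM = ({"Subject": "WINNER!!! FREE OFFER"},
        "CLAIM YOUR GUARANTEED PRIZE NOW!!!", "192.0.2.10")
LEGIT = ({"Subject": "Q3 budget review", "Message-ID": "<1@partner.example>"},
         "Agenda attached for Thursday.", "192.0.2.10")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("legit", LEGIT)):
        print(name, score_message(*msg), is_spam(*msg))
```

Blocking on the RBL signal alone would have rejected both sample messages; with weighting, only the first crosses the threshold.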

The more prominent vendors offering such tools include ActiveState, CipherTrust, Elron Software and Tumbleweed Communications, with a number of smaller vendors, including Vircom and Ipswitch, also in the space.

Local filters give CIOs considerable control over their spam-fighting efforts. And unlike ISP- or ASP-based solutions, all e-mail gets evaluated within corporate walls.

But Jonathan Penn, an analyst with Cambridge, Mass.-based Giga Information Group, says that local filters can require a lot of maintenance, with IT constantly forced to fine-tune filtering rules.

Dealing with spam locally can also require a lot of processing power. If a spammer sends 1,400 messages to a particular domain, the receiving mail transfer agent (MTA) must respond to each user name with a failure notice, which can keep the MTA busy fending off spam rather than processing valid messages, according to Graff. Still, if properly implemented and maintained, these tools can be about 90 percent effective, according to estimates from vendors and users.

Another option that counts as a local solution, but that takes a different approach from the vendors of local filters in identifying spam, is Brightmail.

Brightmail has a network of more than 200 million mailboxes the company set up on the Internet whose sole purpose is to capture unsolicited e-mail. Brightmail has also developed software that aggregates the messages coming into the different mailboxes on its network, generates a unique fingerprint for each message and then automatically generates a rule to block that particular spam message based on its various characteristics. Additionally, Brightmail runs an operations center where a staff of 30 monitors activity across its network and tests each signature to ensure it’s not generating false positives. The company downloads those rules to its customers every five to 10 minutes.

ASP-Based Solutions

If you’re content to relinquish control of determining what is and isn’t spam to a third party, and if you’re not worried that the third party’s spam filtering infrastructure will go down, an outsourcer may be right for you.

“For small and medium-size businesses, [spam-filtering] is a tremendous amount of work to do yourself, even with a reasonably good tool, and the better tools are expensive. If you outsource, you get the best tools for a lot less effort,” says Graff.

Many of the spam-blocking services from outsourcers such as Big Fish Communications, eDoxs.com (which resells Brightmail’s technology), MessageLabs, Postini, Syntegra and United Messaging use the same techniques as local filters. The only difference in the outsourced model is that you don’t have to buy any hardware or software. You do, however, have to change a few of your network routing and domain name system records so that your messages first stop at these service providers, says Giga’s Penn.

The advantages of outsourcing your spam filtering include not having to devote your IT staffers to what can be a time-consuming task and not having to give up processing power while your server determines which messages are spam and which are legit.

Steve Paskach, vice president of IT for Quadion, a small, privately held manufacturing company based in Minneapolis, chose to outsource his spam management to MessageLabs because, he says, “The level of service and effectiveness that this solution will give me for the price is actually a better value for the size of my organization.”

But if your company is big and processes huge amounts of mail each day, an outsourcer’s infrastructure may not be scalable enough to handle your mail volumes.

“A lot of outsourcers have a total mail volume for all of their customers that’s a fraction of what we push,” says the energy company’s Giaramita.

ISPs

Industry experts agree that ISPs should do more to prevent spam from entering corporate networks. And, in fact, some are stepping up to the task. AT&T Worldnet, BellSouth, Comcast, EarthLink, MSN and Verizon Online rely on Brightmail to filter spam. But unfortunately, there’s not much more they can do.

Expecting ISPs to be responsible for preventing spam puts them in the difficult position of distinguishing for each of their customers what is spam and what is legit. Ditto for the ASP model. If ISPs mistakenly identify a legitimate e-mail containing the word breast as spam due to a superficial keyword search, they’ll wind up hampering cancer groups’ efforts to organize fundraisers, according to Graff. And when ISPs generate those kinds of false positives, they risk angering their customers. (If a customer suspects that its ASP has mistakenly blocked a legitimate message, the ASP should be able to find it, as long as it logs every message that comes in.)

Enterprises can rely even less on mail server vendors like Lotus and Microsoft to prevent spam. It doesn’t make sense to expect server vendors to build spam filtering software into their products, primarily because spam is most efficiently and effectively licked at the gateway, not after it has entered the network at the server. Plus, running spam filtering rules on the user’s e-mail client drains the application of processing power. That’s why both Lotus and Microsoft leave filtering up to their partners and have no immediate plans to create products with robust spam filtering capabilities built in. “There’s not a great deal we’re doing in the core [Microsoft Exchange] product aside from the hooks we provide in the APIs for antispam vendors to use,” says Jim Bernardo, product manager for Microsoft Exchange.

Can We Win This War?

The war on spam must be fought on several fronts. Litigation remains a viable, albeit costly, option, and many ISPs (most notably AOL) and several businesses have taken spammers to court.

Some states are trying to legislate the problem, and several, including California, Washington and Pennsylvania, have passed laws banning spam. The problem with local laws, according to industry observers, is that because spam is a global problem, a law in California won’t hold water when spam is generated in a foreign country.

But until that global law gets passed, or until the unauthenticated SMTP protocol that lets spammers get away with their lawless activities is overhauled, technical solutions like filters and RBLs, whether locally managed or outsourced, remain a CIO’s best bet in fighting spam.