Technology: Spam

By Gary Bolles  |  Posted 11-01-2003

Technology: Spam

The Fact Sheet is available in Adobe Acrobat PDF format. To download the free Adobe Acrobat Reader plug-in, click here.
To download the accompanying fact sheet on Spam, click here.

Sure, spam is all over the news. But what does it really mean to your organization?

CIOs have two recurring e-mail nightmares. In the first, the CEO receives an unwanted message, usually containing something rated NC-17. "That's when senior management says, 'I've seen the last body part in my e-mail I ever want to see. Fix it!,' " says Gartner Inc. research director Maurene Caplan Grey. In the second, the CEO doesn't receive a critical message he's been waiting for all week. Either event can be career-threatening for the CIO. There's no question that most executives want e-mail to be the strategic communications backbone of their business. But that's increasingly difficult as spam inundates in-boxes. CIOs don't need much more detail on the damage being inflicted on users, e-mail systems and storage space by the rising tide of unsolicited e-mail, because they're living it. "Spam creeps up on you, like shocks going bad on your car, and all of a sudden you realize how bad the ride is," says David Jordan, the chief information security officer for Arlington County, Va.

Yet spam's already mind-numbing numbers just keep growing and growing and growing. Paul Judge, CTO of antispam vendor CipherTrust Inc., says spam comprises up to 61 percent of all in-bound corporate e-mail. Antispam service provider Brightmail Inc. claims that out of the 70 billion messages it processes every month for the 300 million users in its worldwide network, over 50 percent are spam. The country's biggest e-mail provider, America Online, claims it stops an average of more than 1.5 billion spam messages a day, spiking at times to more than 2.5 billion. Says Michelle Boggess, electronic data security coordinator for Pensacola, Fla.-based Baptist Health Care, a $743 million not-for-profit: "Some of our users were getting spammed so heavily that they were spending large amounts of their own time picking through e-mail." The deluge creates a huge drain on worker productivity.

But spam is in the eye of the beholder. There are any number of generally accepted industry, organizational and personal definitions of spam, all of which may be in conflict. Brightmail CEO Enrique Salem defines spam as all unsolicited bulk e-mail. Jeff Ready, CEO of spam-filter vendor Corvigo, suggests three categories for spam: the messages you want, the messages you don't want—usually bulk marketing e-mail—and "other." That third category typically includes e-mail newsletters and opt-in messages that users may or may not want on a given day, but can't be bothered to unsubscribe to, making it especially difficult for corporations to screen out every questionable message.

In many companies, though, the biggest risk isn't letting through unwanted messages. It's the danger of blocking the ones people need. One so-called "false positive" that deletes a critical e-mail or relegates it to some little-used, out-of-the way folder could severely affect the success of your company's business. To avoid this and other risks of poor spam management, it's the CIO's job to get educated. "I don't think ignorance is an excuse for not being accountable," says Cynthia Luman, vice president of computer operations at CSX Technology Inc., a subsidiary of CSX Corp., a transportation and logistics service provider.

Tell Your Users:

  • Start sending spam messages to a specific internal e-mail box, so we can get a handle on how big the problem is.
    Ask Your E-Mail Administrator:
  • What's your estimate on our current spam message volumes?
    Ask Your CEO:
  • How much does this issue matter to you?

    page 2

    The first step has little to do with technology. It's a people problem.

    At its most basic, e-mail is simply a communication between a sender and a receiver. If the IT department has any hope of fixing the spam problem, it has to focus first on the receiver. Your company's e-mail use policies need to be crystal clear, defining the kinds of communications allowed for every position in the organization. If you don't want administrative assistants to be e-mailing their mothers all the time, or salespeople to forward every dumb joke they receive to all 500 of their pals in the company, then make sure they know it's against the rules.

    Your corporate culture will determine how far those policies can go in strictly mandating e-mail use. Financial-services organizations often have locked-down standards that give users little wiggle room, while universities are constrained by very specific—and very liberal— notions on the part of users about how broadly their rights are defined.

    Train users in what's acceptable in terms of internal and external communications. Some companies' workers regularly copy everyone on every e-mail they send, creating dozens of long message threads that qualify in some recipients' minds as "unsolicited bulk e-mail." Employees should also learn to reduce the frequency with which they provide their e-mail addresses to unfamiliar Web sites, a habit that virtually guarantees their inclusion on spam lists.

    Your Webmasters should also be involved. Brightmail CTO Ken Schneider says e-mail addresses listed on HTML pages such as your company's "contact us" page are the single largest source of target addresses for spammers. Marketers can simply point a software "spider" to look for e-mail addresses on your site, then drop them into spam lists. Remove text e-mail addresses wherever possible, and consider using digital GIF images to confuse the spiders.

    Ultimately, well-designed and managed e-mail policies can significantly reduce the amount of spam targeting your users, as well as increase overall productivity by promoting more effective internal communications—whether users initially want to help or not. "You have to protect them from themselves as best you can," says Julian Field, teaching systems manager in electronics and computer science at the University of Southampton in Southampton, England.

    Ask Your Human Resources Department Chief:

  • Can we review our e-mail policy together, and focus on both interpersonal and technological realities?
    Ask Your CTO:
  • Where are our employees' e-mail addresses most vulnerable on the Net?
    Tell Your Users:
  • We need your help in reducing the risk of spam to the organization.

    page 3

    Is antispam software simply the cost of entry?

    Increasingly, antispam software is being seen as a kind of tithe on the free Internet, a necessary cost of access to an open peer network. In fact, Gartner's Grey says that by the end of 2004, at least 80 percent of all corporations will have "relatively complete" spam protection.

    The charts are available in Adobe Acrobat PDF format. To download the free Adobe Acrobat Reader plug-in,click here.
    To download full image,click here.

    But filtering through the broad range of antispam software options can be daunting. Analysts and users say the best place to start is by building on what's already in-house, as well as by looking at the products your Internet service provider is using. "It's a better solution if it fits into the infrastructure that's already there," says J.F. Sullivan, director of product marketing for antispam vendor Sendmail Inc.

    Some applications work as standalone products, separate from your messaging and security infrastructures, though this approach can increase management costs. Others, including those offered by security software providers, offer integrated applications, but they may not cover all of your needs. Mark Shields, director of IT for $1.2 billion Kyocera Wireless Corp., recommends looking at an outsourced offering as a way to stop spam before it enters your network. But with close to 120 antispam vendors today, according to Sendmail's Sullivan, there's likely to be substantial consolidation just ahead, so choose vendors for their ability to merge seamlessly with your existing infrastructure.

    Remember that spam is an arms race, and spammers are developing increasingly clever methods for evading traps. That means any single approach will always let messages slip through. The best filtering processes include a multilayered approach with coordination among your ISPs, the corporate messaging infrastructure and desktop security. "Any single- layered type of approach is going to be subject to defeat," says Chuck Egress, group product manager at Symantec Corp.

    Ask Your Existing E-Mail and Security Vendors:

  • What can you offer me that will help give me the broad and deep coverage I need?
    Ask Potential New Vendors:
  • How can I be sure you'll remain independent?
    Ask Your CTO:
  • How can we build a multilayered approach that can ensure us the best possible protection?

    page 4

    Measure the value of your antispam efforts to be sure that you won't be second-guessed on the cost involved.

    How much is spam costing your company? Poll users for their spam-management time estimates, then multiply by the average wage of your employees. Don't forget to include the time spent by your mail administrator, and for spam-related help desk calls.

    Next, determine what your company's standard volume of unwanted e-mail looks like. "That gives you a baseline so that now you can say to upper-level management, 'Here's where we were, and here's where we got to,'" after putting the antispam plan into action, says Kyocera's Shields. Make sure you know the cost of processing and storing messages at your current volume levels.

    Symantec CTO Rob Clyde also suggests looking at how many IT projects have been delayed or postponed because of security concerns such as spam and viruses. Systems that monitor e-mail content can help avoid "hostile workplace" and related lawsuits, says Kurt Williams, vice president and CIO of Summit Electric Supply Corp. Inc., so factor the avoidance of such risk into your equations.

    But the best ROI will come from looking at Internet risk management holistically, including spam, viruses and security breaches such as distributed denial of service campaigns. "On the network service side, spam doesn't feel a whole lot different than DDoS attacks," says CSX Technology's Luman. She should know: She says her company fends off 3.5 million such attacks every month.

    Of course, letting through, say, a single nasty virus has vastly greater implications than letting through one spam message. Still, the lines begin to blur when spam reaches overwhelming volumes, and when marketers apparently use spam and virus characteristics to send still more spam, as with the SoBig worm. "The way in which companies think about e-mail has to fundamentally change," urges Gary Steele, CEO of vendor Proofpoint Inc.

    Once in place, however, users are generally positive about antispam efforts. "Our system has already paid for itself in the eight months that I've had it," says Darryl Killingsworth, CIO for defense contractor Manufacturing Technology Inc., based in Fort Walton Beach, Fla. "It's very rare in the IT arena where you get praise from your end users for what you do." And it's especially gratifying when the right messages continue to get through. "As far as we know, we have not had a false positive," says Baptist Health Care's Boggess of the IronMail server protection from CipherTrust. "Everything people needed to get, we have received."

    Just don't think the spam problem will go away tomorrow. "It's actually technology itself that's driving the opportunity for more attacks, and more widespread attacks," says Symantec's Clyde. "It has in it the seeds of tomorrow's problems. As we continue to have more connectivity, the problems are going to increase. That's just a fact of life." New technologies such as message-oriented Web services, for example, will only increase the security risk if they aren't built carefully.

    But antispam measures also will continue to improve, though nobody is suggesting that spam can be completely stopped. Instead, the CIO's goal should be to reduce the amount reaching users' desktops to a reasonable level, making it as manageable as possible. "There's no silver bullet in spam, and I don't think anybody should be thinking there is," says Arlington County's Jordan. "There's no cure."

    Ask Your Hr Department:

  • How much time are users spending on spam?
    Ask Your Finance Department:
  • Can we calculate the cost of a single lost e-mail message?
    Ask Your CTO:
  • Where are we potentially creating new insecurities in our messaging infrastructure?