The Internet is plagued by spam-electronic junk mail that industrious marketers insist on blasting out to unsuspecting e-mail recipients. The commercial costs of spam are increasing with the growth in electronic mail, instant messaging, and costly wireless bandwidth. This week's column drills into spam and makes recommendations for corporate CSOs.
Question: How big a problem is spam?
Answer: A major Internet Service Provider studies the spam problem, as it has a direct effect on expenses for storage, bandwidth, and customer satisfaction. This ISPs email traffic increased from 13 million messages in 2001 to over 33 million messages in 2002. Approximately 40% of this traffic is extracted as spam, however they estimate that the spam filter is only 70% effective. That means that 5.7 million spam messages were delivered in 2002 as regular e-mail. At an average message size of 17Kb, the ISP is spending over $US5 million annually on disk storage alone for uncaught spam!
Symantec finds 37 per cent of survey respondents receive more than 100 spam messages each week; 77 per cent are concerned about their children reading spam; and 74 per cent report that the spam tide is rising. Furthermore, 65 per cent spend more than 10 minutes per day deleting unwanted spam; 24 per cent say they spend more than 20 minutes per day deleting spam. A company of only 100 employees can estimate that productivity lost to removing spam will exceed $US250,000 a year.
Spam is increasing at a faster rate than e-mail presenting a productivity problem that security officers need to address.
Question: Why is spam so hard to identify?
Answer: Spam shows many of the characteristics of security attacks that plague the Internet, including the use of automated development tools.
Spammers can easily find the e-mail addresses to target, which they treat as though they were in the public domain. E-mail-borne viruses start with an initial distribution list and proliferate via address books. Spam producers use databases of e-mail addresses harvested from public Web sites, create mail lists with dictionary attacks and knowledge of corporate e-mail naming conventions, or purchase subscriber lists.
A virus is transmitted in a mail message that eludes signature-oriented content scanners to deliver an undesirable payload to an end user. A spam message uses the virus-like tricks of modifying subject lines, inserting non-viewable salt text into the message body, and hiding its true source to elude traffic filters. In the case of spam and viruses, traditional technology is more effective at blocking previously sent messages and older viruses, but struggle to identify new spam or viruses .
Question: What vendors offer promising solutions for spam?
Answer: Anti-spam products act to block spam delivery, quarantine suspected spam, or flag a message as spam before final delivery. Anti-spam solutions appear in multiple paths for message traffic:
Anti-spam network gateways recognise and filter spam before it reaches the mail server. Gateway solutions leverage in-line network placement to save servers and desktops extra processing and administration burdens. BorderWare and Symantec offer anti-spam gateways.
Anti-spam applications reside on the mail server to scan incoming mail for spam. These products are more easily tuned to the unique characteristics of the mail system. Trend Micro and Tumbleweed deliver solutions on the mail server.
Service businesses analyse mail across multiple organisations and apply spam domain expertise to manage anti-spam filters in the enterprise. Brightmail and MessageLabs are two companies promoting anti-spam services.
Desktop anti-spam software has not been effective in a corporate environment.
Question: What should a CSO do?
Answer: The Yankee Group suggests a number of steps to take in the war against spam:
Quantify the costs of spam in your organisation. Use ISP statistics: assume that 57% of your total number of inbound e-mail message traffic is spam (use 17% if you have a spam filter). Using an average message size of 17Kb you can now calculate spam related expenses for disk storage, bandwidth consumed, and lost time for employees to delete spam. Now assume your e-mail volume will double in 2003!
A CSO cannot wait for government regulations to take effect. Add anti-spam products or services to your messaging architecture. Use the expense analysis you conducted to negotiate fair prices. Push for performance clauses from the security vendors to be able to demonstrate guaranteed cost savings each quarter.
Eric Ogren is an Analyst, Securities, Services and Solutions at Yankee Group.