Stomping Out Spam: The Spam Series, Part 1
Spam is jamming up mailboxes at increasing rates. More than just a bother for end users, unwanted e-mail can impact enterprise systems management by encroaching on bandwidth, storage space, and other network resources. While anti-spam legislation is on the horizon, experts agree filtering software is the most effective remedy at the moment. End user education doesn't hurt, either.
As spam continues to pour in, the market keeps exploding with more and more anti-spam products. In one recent report, GartnerGroup reviewed several anti-spam offerings and found that, "Of the 11 anti-spam products Gartner reviewed, five shipped credible versions for the first time in 2002. Another 14 were too new, untried or incomplete to include, and more products emerge each week," according to Maureen Grey, research director at Gartner.
"There are lots of hosted services, too," points out Dan Keldsen, an analyst at SummitStrategies. Some vendors, such as Brightmail, provide a choice of products or services.
Analysts expect the anti-spam market to shake out over the next few years. Meanwhile, if you're shopping around for remedies right now, it pays to learn as much as you can about just what you're up against.
"My Spam Isn't Necessarily Your Spam"
What exactly is spam, anyway? "My spam isn't necessarily your spam. An e-mail that advertises Viagra will qualify as spam to most people. A Viagra manufacturer, however, will undoubtedly disagree," notes Donald Haback, P.E., an analyst at the Matterhorn Group.
Many users regard any unsolicited e-mail as spam, states Martin Nelson, an analyst at Ferris Research. Nelson, though, offers the following as a current "industry" definition: "Unsolicited, commercial e-mail, usually sent in bulk."
How much spam is out there? Estimates range all over the map. Everyone agrees, though, that the problem is on the rise. The Radicati Group predicts that spam will proliferate from 15 billion pieces per day this year to 50 billion pieces per day by 2005.
According to Ferris Research, the average user will receive 10 spam messages per day by 2005, as opposed to merely three pieces in 2002. "But some users will receive much more, and others much less," claims Nelson.
No Suprise Here -- Economics behind Proliferation of Spam
How do spammers get most of their e-mail addresses? Methods range from junk mail and targeted e-mail lists to e-mail extractors, MX server extractors, and viruses, spyware, and other malicious code, points out Ron Franczyk, president of anti-spam vendor The Giant Company.
"Junk and targeted e-mail lists have been with us for almost as long as the Internet. Practically anyone can buy a list of more than 11 million e-mail addresses, for as little as $100," according to Franczyk.
A variation on this general theme, known as the opt-in list, stems from partnerships between spammers and legitimate Web sites. The legit sites ask visitors to check off "Don't send me" boxes. "At some point you forget to check off one of these boxes, and your name lands on an opt-in list," says Franczyk.
The economics of spam benefit the spammer. In contrast, on the enterprise side, the costs of spam can be tough to quantify. During one recent Webcast, though, about 20 percent of participants listed systems resources consumption as a top spam concern, compared to 46 percent for loss of productivity and 22 percent for "upset and unhappy users."
Moreover, some companies are starting to worry over the prospect of "hostile workplace" lawsuits stemming from spam. Lots of spam messages are solicitations for resized "body parts," for example.
Organizations also run the risk of buying or implementing more systems resources than would otherwise be necessary, just to accommodate spam, Nelson suggested during a Webcast sponsored by vendor ActiveState.
Spamware Deployment in Droves
These and other reasons are driving administrators to deploy anti-spam products in droves. In a study by Osterman Research, respondents ranked spam as a more severe problem than employees sending and receiving inappropriate content; viruses, worms, and Trojan horses; large attachments sent through e-mail; employees sending confidential data; users complaining about mailbox quotas; personal use of e-mail; and denial-of-service attacks
Some 54 percent of Osterman's subjects said their organizations have already implemented an anti-spam capability.
Ultimately, however, technology won't be enough to fend off spam, according to Nelson. Legislation and end user education are also needed. "One part of the curriculum [should be], 'Don't purchase from spammers,'" Nelson cautions. In fact, users shouldn't even respond to spam, he advises.
Moreover, if users want to post messages to Internet newsgroups or put their own names on the Web, they should never use their corporate e-mail addresses.
Meanwhile, although national legislation is still some time away, some states have already passed anti-spam laws. In California, for instance, it's now possible to sue spammers at the rate of $55 per message. In reality, though, the costs of litigation will probably be prohibitive, Nelson maintains.
Happily, however, anti-spam administrators can expect to find little user resistance when it comes to spam control. Recent surveys show that users are willing to embrace both technology and legislation to combat spam. In a study of office workers by Public Opinion Strategies, 56 percent said that their companies already use some form of technology for spam control. These employees also reported a lot less spam than others. A full 68 percent favored combining "technology with legislation."
Most products being sold today bring together multiple spam-fighting technologies. "Honey pots," for instance, are e-mail addresses specifically set up to lure spammers, while "white lists," "black lists," and interfaces to spam databases can help determine which senders will be able to get their mail through to intended recipients. Widely used databases of known spammers include RBL and DUL, for instance.
Many products -- including ActiveState's PureMessage, Mirapoint's MessageDirector, and the open source program SpamAssassin -- use heuristic techniques to analyze text, SMTP headers, subject lines, embedded images, and other message components for spam characteristics. Suspected spam can either be blocked or "quarantined" (isolated from other e-mail).
Meanwhile, MailFrontier, for instance, is pioneering a technique called "e-mail challenges," which are meant to help distinguish mail sent by human beings from machine-generated spam.
"All products use more than one anti-spam technology, but no one product uses all the available technologies," says GartnerGroup's Grey.
Analysts also point to a trend toward combining anti-spam filters with antivirus and/or Web content filtering, all within the same product. SurfControl is one such example.
Solutions for Linux and Microsoft
Some anti-spam products run as gateways, while others operate at the client level, observes Michael Osterman, principal of Osterman Research. Most products are software, but some vendors -- including CipherTrust -- produce server appliance gateways.
Situated at the edge of the network, hardware gateways operate at the SMTP level, as do software gateways from companies like Trend Micro and NAI. The hardware gateways come with embedded OSes, while the software gateways run on a variety of OSes. ActiveState, for instance, recently rolled out a Linux-based gateway. All gateways, though, are "platform-agnostic" when it comes to mail exchange.
Many client-based products, on the other hand, are Microsoft-centric. Much of the anti-spam client software available today consists of Outlook plug-ins, which offer additional filtering capabilities beyond the rules built into the MS mail client.
The onslaught of spam is spawning a growing spate of solutions. In this initial article of a new three-part series on spam, we've delved into why and how spam proliferates so quickly, and we've covered the various spam-fighting solutions currently available. Later in this series, we'll drill down further into the available technologies and present some tips and strategies for choosing and implementing anti-spamware.