March 2005 — PRINT EDITION

You’ve got junk

By Yan Barcelo
Illustration: John Ueland

The spam invasion isn’t just a roadblock on the information highway, it’s costing a fortune. Is it the price we have to pay for an open Internet?

Spam, unwanted e-mail flooding our in-boxes, is to the electronic highway what billboards are to paved highways: a pollutant — only worse. Imagine driving on a highway where billboards keep falling, blocking your path. You stop the car, get out and toss the boards off the road, get back into the car, drive up to the next board, and repeat the performance, ad nauseam. In reality, billboards on paved highways don’t block your way or interfere with your tasks and are paid for by the advertiser. In contrast, on the electronic highway, spam stops you dead in your tracks, and you pay for it in time and money.

Spam is almost as old as e-mail itself but, over the past two years, it has received unprecedented attention from companies and individuals alike. “Spam is at the top of the list of our clients’ preoccupations,” says René Vergé, director, consulting services at Montreal’s CGI Group Inc. An Ipsos-Reid survey of 1,000 Canadians aged 18 and up shows that between 2002 and 2003 the volume of spam more than doubled. In 2003, every Canadian received an average of 7,000 spam e-mails, or 19 a day. And if the trend continues, California-based market research firm The Radicati Group Inc. predicts that number will double worldwide.

The spam invasion is so overwhelming that America Online has compiled a list of the top 10 e-mail subject lines, drawn from the 500 billion spam messages its servers processed in 2003. In order, the top categories are Viagra and its derivatives; online pharmacies; how to get out of debt; how to “enhance” your masculinity; and how to get an online degree. Each category groups similar terms, e.g. online pharmacy also covers “online prescriptions” or “meds online.” Surprisingly, porn spam is only ninth on the list. And without mincing words, an August 2003 Yahoo survey reported that 77% of its respondents would rather clean their toilets than weed out spam. Why? The survey doesn’t say, but considering the problems spam may cause, maybe it’s safer to clean your toilet bowl.

If spam were just unpleasant, maybe Internet users would grudgingly come to terms with it. But it’s more than a roadblock on the information highway. According to Massachusetts market analysis firm IDC, spam is becoming more aggressive, often carrying viruses and worms. Once opened, it can have more serious consequences than hype or false advertising. Increasingly, such messages are infecting the recipient’s computer, causing countless problems.

Attacks by fraudsters, called “phishing,” are another aspect of spam aggression. For example, a certain type of e-mail that looks like it is from a legitimate supplier asks the user to confirm or update his or her client account. Watch out: it’s a trick for tapping key information like bank codes, passwords and credit card numbers. (Electronic auctioneer eBay has been prey to many such attacks via its PayPal payment service.) How can you avoid this? “If you have the slightest doubt about an e-mail, don’t open it,” Vergé says. “Erase it!” If a legitimate financial institution wants to update information that concerns you, it won’t just send you a casual e-mail. The safe check is to contact the institution through a channel you already know, by typing its address into the browser yourself or calling the number printed on your card or statement, never through a link or phone number supplied in the message, since both are controlled by whoever sent it. Generally, Vergé says, institutions should not send e-mail requesting updated information, but if they do so, they should let clients know beforehand and advise them of specific procedures to follow.

Overall assessment, individual calculation
The heaviest toll is the cost of spam to businesses. According to a study by The Radicati Group, reducing the cost is the main priority for 52% of businesses.

Overall assessments of the cost of spam are proliferating and wide-ranging. For example, California’s Ferris Research estimates it at US$10 billion in the US (a conservative estimate), The Radicati Group at US$20.5 billion worldwide and Nucleus Research at US$87 billion in the US.

While these assessments are enlightening, the most useful calculation is one done by an individual business itself. First, figure out how much time employees spend weeding out spam. But be careful. This doesn’t mean just the time spent clicking the mouse to delete suspect e-mail. You have to factor in the time it takes to read the e-mail, whether inadvertently or intentionally, as well as time wasted tracing and recovering a legitimate e-mail that has been accidentally trashed.

A study by Washington-based PEW Internet, a survey firm that reports on the impact of the Internet, shows that 35% of Internet users spend at most a few minutes a day cleaning up (7% spend no time and 28% spend up to five minutes); 25% spend five to 14 minutes; 13% spend 15 to 29 minutes and 15% take 30 minutes or more. This yields a conservative average of 10 minutes per user. What does this time cost? For an employee earning $30 an hour, the daily cost is $5, or $1,125 on an annual basis of 225 working days. Then we have to add the approximately 40 minutes a day that, according to IDC, computer technicians need to spend cleaning infected computer systems and answering related customer complaints. At $40 an hour, that is about $27 a day, or roughly $6,000 per technician over the same 225 days.

But that’s not all. You also have to factor in the financial resources allocated to computers because of spam. The estimated volume of spam received by businesses ranges from 50% of total e-mail, according to IDC and Gartner Inc., to 80% according to Postini Inc., a US antispam services company. Assuming the volume hovers at 50% on average, businesses are spending half their e-mail processing budget (servers, bandwidth, disk space) on junk mail.

Regardless of the size of the business, spam is expensive. A company that has 100 e-mail users, five computer technicians and a $100,000 e-mail management budget accrues annual spam-related expenses of approximately $190,000. For an organization with 1,000 users, the cost escalates to some $1.5 million. And that’s not counting the catastrophe that can result if a computer system is infected by a virus-carrying spam. The cost of something like that is probably incalculable and the consequences are difficult to quantify.

Antispam, pro-spam legislation
Many people were counting on antispam laws such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the US CAN-SPAM Act) to pull the rug out from under spammers’ feet, but in vain. Postini says only 1% of messages comply with the act’s provisions, which require that the sender use accurate header information and a valid physical postal address, provide a working unsubscribe mechanism and clearly identify the message as an advertisement. Spammers don’t adhere to the rules for a very simple reason: once they’ve done their dirty business, catch them if you can.

 “The act hasn’t halted the growth of spam, as the figures show,” says David Poellhuber, president of ZeroSpam, a Montreal e-mail filtering service. “What it actually did was legitimize the practice. Now people can send bazillions of spam, as long as they don’t falsify their address of origin and offer a cancellation mechanism. But what is the security of these mechanisms? In many cases, they simply serve to feed the victim’s name into a database that will target him for even more spam distributions.”

In Canada, people pinned little hope on Bill S-23, the proposed antispam legislation. The draft legislation made legal action the responsibility of the individual, unlike in the US, where the Federal Trade Commission handles complaints. The US provision is impractical, as the FTC has accumulated more than 1.5 million complaints to date. But to hear Poellhuber, the Canadian approach would have been no better, because it failed to take into account that the damage spam does to any one recipient is relatively small and difficult to quantify, while investigation methods are extremely complex and expensive. There is a deep asymmetry between the damages incurred and the costs involved in prosecuting spammers.

A finely balanced choice
The inefficacy of antispam laws leaves businesses and individuals no choice but to create their own antispam systems. There are several technological solutions, but nothing is mapped out in advance. “Unlike antivirus technologies, antispam solutions do not involve binary decisions between black and white, but must take a large grey area into account,” says Betsy Burton, consultant with Gartner Inc. There are major pitfalls involved in characterizing and delimiting this area. At the e-mail server, a first layer is fairly easy to identify: the known offenders. The filtering technique used here is a “blacklist” of the sending addresses and domains responsible for the most spam. At the other end of the spectrum is legitimate e-mail confirmed by a “whitelist” of recognized company correspondents.

The grey area lies somewhere between these two extremes and can let disguised spam e-mail pass as legitimate messages. To identify spam, software designers use a variety of lexical and statistical analysis techniques. For example, based on vocabulary and syntax typically found in spam, filters look for terms and formulas such as “boost your performance,” “sexual” and “low price” appearing in suspicious proximity. The software then assigns a spam probability index to the message. If the index is above a high threshold, the message is rejected or quarantined. In a middle band, the software delivers it to the user’s in-box flagged as potential spam, leaving it up to the user to decide. Below that band, it passes as legitimate.

But spam designers are always one step ahead of the protection software designers. Spammers, like hackers, rack their brains to concoct messages that can fool filtering programs. To bypass the latest statistical filtering techniques, spammers pad their messages with long stretches of innocuous text, sometimes even quotes from Shakespeare, so that the ordinary words a filter has learned to associate with legitimate mail outweigh the few telltale terms. Or key words in their messages are misspelled so they slip past the filtering software but are still understood by Internet users, who have no problem figuring out the meaning of words like “Viaggraa,” “Viagar,” or “Via%Gra*.”

The Achilles’ heel of antispam software is the very real possibility of identifying a legitimate message as spam. In the jargon, this is called a “false positive.” A message containing all the suspect terms listed (“boost your performance,” “sexual,” “low price”) could very well be legitimate. Rebecca Wetzel, consultant at NetForecast, relates a telling story. She e-mailed an article about spam to a magazine editor three times. Finally, after not getting any response, she called the editor and discovered he never received the text. The antispam software had rejected her e-mail three times. “In a bid to wipe out spam,” says Wetzel, “are we actually destroying e-mail as a legitimate and reliable means of communication?”

By using a primitive filtering tool, many businesses risk cutting themselves off from important communications and business opportunities. An estimated 75% of businesses have installed some antispam software. But according to Gartner Inc.’s Burton, most of them take a day-to-day, tactical approach, as opposed to an overall policy approach. “I’d say that only 20% of the Fortune 1000 companies have implemented an authentic spam filtering policy,” she says.

An authentic company policy primarily involves a systematic effort to define what constitutes spam for the business. Each department must customize the definition based on its own characteristics. For example, an e-mail sent to the engineering department containing terminology typically found in certain types of financial spam (“get out of debt,” “rock-bottom prices”) could be considered highly suspect. But addressed to the finance department, the same e-mail could be from a financial correspondent and present an actual cost-saving opportunity. The antispam policy and its application must be customized and flexible enough to protect the engineers and give the finance department access to information.
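To make the mechanics of the grey area concrete, here is a toy Bayesian filter that follows the behaviour described in the preceding paragraphs: a spam probability index computed from word statistics, a high threshold at which mail is rejected, a middle band that is quarantined for the user to judge, the two evasion tricks (obfuscated key words and padding with innocuous text), a false positive of the kind Wetzel ran into, and department-specific thresholds of the sort the finance example calls for. This is an added example written for this page; it is not code from the article or from any vendor it names. The eight training messages, the threshold values and the department names are constructed for illustration, and a real filter would be trained on thousands of messages rather than eight.

```python
"""Toy Bayesian spam filter: probability index, quarantine/reject thresholds,
per-department policy, and the two evasion tricks the article describes.
Added example for this page, not code from the article or any vendor."""
import math
import re
from collections import Counter

# Constructed training corpus: eight invented messages, not real mail.
SPAM_TRAINING = [
    "boost your performance with low price pills, sexual health online pharmacy",
    "get out of debt now, rock-bottom prices, online prescriptions, meds online",
    "buy viagra at low price, online pharmacy, no prescription",
    "online degree fast, low price, enhance your masculinity",
]
HAM_TRAINING = [
    "meeting moved to thursday, please review the quarterly budget spreadsheet",
    "attached is the draft article on spam filtering for the editor",
    "invoice for consulting services, payment due in thirty days",
    "the engineering team needs the server upgrade schedule by friday",
]

# Per-department policy (assumed values): (quarantine_threshold, reject_threshold).
# Finance legitimately receives debt/price vocabulary, so it gets more room
# before a message is dropped outright; unknown departments use "default".
POLICY = {
    "default": (0.5, 0.85),
    "finance": (0.7, 0.95),
}


def tokenize(text):
    """Normalise tokens so the misspellings the article lists fall together
    with the plain word: dropping non-alphanumerics turns "Via%Gra*" into
    "viagra", collapsing repeated letters turns "Viaggraa" into "viagra".
    Transpositions such as "Viagar" are NOT caught. Legitimate doubles
    collapse too ("pills" -> "pils"); harmless, because training and
    scoring use the same normalisation."""
    tokens = []
    for raw in text.lower().split():
        tok = re.sub(r"[^a-z0-9]", "", raw)
        tok = re.sub(r"(.)\1+", r"\1", tok)
        if tok:
            tokens.append(tok)
    return tokens


def train(spam_msgs, ham_msgs):
    """Per-class token counts plus vocabulary size, for add-one smoothing."""
    spam = Counter(t for m in spam_msgs for t in tokenize(m))
    ham = Counter(t for m in ham_msgs for t in tokenize(m))
    vocab = len(set(spam) | set(ham))
    return spam, ham, vocab


MODEL = train(SPAM_TRAINING, HAM_TRAINING)


def spam_probability(text, model=MODEL):
    """Naive-Bayes spam probability index with equal priors and Laplace
    (add-one) smoothing, accumulated in log space to avoid underflow."""
    spam, ham, vocab = model
    n_spam, n_ham = sum(spam.values()), sum(ham.values())
    log_odds = 0.0
    for tok in tokenize(text):
        p_spam = (spam[tok] + 1) / (n_spam + vocab)
        p_ham = (ham[tok] + 1) / (n_ham + vocab)
        log_odds += math.log(p_spam) - math.log(p_ham)
    log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-log_odds))


def classify(text, department="default"):
    """Return (index, action) where action is 'deliver', 'quarantine'
    (flagged for the user to decide) or 'reject', per department policy."""
    quarantine_at, reject_at = POLICY.get(department, POLICY["default"])
    index = spam_probability(text)
    if index >= reject_at:
        return index, "reject"
    if index >= quarantine_at:
        return index, "quarantine"
    return index, "deliver"


if __name__ == "__main__":
    pitch = "get out of debt, rock-bottom prices for consulting clients"
    cases = [
        ("obfuscated spam", "Via%Gra* at low price, online pharmacy", "default"),
        ("padded spam", "Via%Gra* at low price, online pharmacy. "
                        "the team is on schedule for the review", "default"),
        ("legitimate mail", "please review the attached invoice for the "
                            "consulting services", "default"),
        ("debt pitch, engineering", pitch, "engineering"),
        ("debt pitch, finance", pitch, "finance"),
        ("article about spam", "my article on spam: low price pills, viagra "
                               "and online pharmacy are the top subject lines", "default"),
    ]
    for label, text, dept in cases:
        index, action = classify(text, dept)
        print(f"{label:26s} {index:.3f} -> {action}")
```

Running it shows the trade-off the thresholds exist to manage: the obfuscated pitch is rejected, the same pitch padded with a sentence of ordinary business words drops below the quarantine band and is delivered, the same debt pitch is rejected for engineering but only quarantined for finance, and an article about spam that quotes the offending terms is rejected, which is Wetzel’s false positive in miniature.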

“Another crucial dimension of the company’s approach,” says Vergé, “is antispam training.” Employees must be taught about spam-related issues and how spammers do their work, and they must learn good habits. An employee should never answer a spam message or post the company’s e-mail address on websites, which are routinely swept by the address-harvesting robots spammers run. If an employee absolutely must register on a website, disposable addresses are available from a number of free webmail providers, best known among them Yahoo and Hotmail (but remember, these providers are also the ones most targeted by spammers).

Obviously, the human and political aspect of antispam protection must not obscure the fact that selecting a technology is a complex matter. That there are more than 100 software providers and outsourcers doesn’t simplify things. The available services fall into three major areas.

First, there are providers of software installed on the workstation itself, a market dominated by the big names in antivirus applications: McAfee SpamKiller 2004 and Norton AntiSpam (owned by Symantec). These solutions are geared to individual purchasers and small businesses. They are not practical for midsize and large businesses that do not want to be bogged down with managing and updating a multitude of separate functions.

The second sector covers applications loaded on centralized e-mail servers. These are intended for large firms. Gartner Inc. identifies about a dozen vendors in this field, notably Brightmail (bought by Symantec in June 2004), CipherTrust, Sophos, Proofpoint, MailFrontier, Trend Micro, Tumbleweed Communications, Cloudmark, MX Logic, SurfControl and Mirapoint.

Choosing from such a wide range of products requires discernment. A top provider of detection and filtering techniques may offer inadequate management, quarantine and verification mechanisms, or the opposite could be true for a small provider. Only an analysis of actual needs will define which functions are high priorities. For example, a company that must meet the highly varied expectations of its various departments should, in addition to filtering techniques, have a verification process carried out by employees. On the other hand, a company with more standardized requirements will prioritize detection and filtering techniques.

The third and last sector encompasses outsourcers that manage all of a company’s protection mechanisms, often combining spam and virus protection. The players Gartner mentions are MessageLabs, Postini and FrontBridge Technologies. In Canada, ZeroSpam falls into this category.

The advantage of outsourcing is that it moves e-mail traffic and management outside the company. If the provider is up to date, its detection and analysis filters will quickly include the latest sneaky spammer strategies. However, as Vergé points out, an outsourcer that applies general detection and management policies will not necessarily be attuned to a client’s specific needs. Also, selecting an antispam solution, says Vergé, is further complicated by the fact that technologies change quickly and the market needs to be streamlined.

First, antispam-only solutions are poised to give way to multiple solutions integrating antispam, antivirus, sender authentication, message encryption and other functions. This is known as secure e-mail boundary (SEB). “Two years down the road, simple antispam products will no longer exist,” says Vergé. “They will be SEB-integrated.”

As well as assessing actual provider value, a business seeking its own antispam solution must answer other questions: in particular, whether a potential provider has a clear vision of how its product will evolve — specifically toward the SEB concept. Is the product doomed to disappear or will it triumph in the wave of consolidation that is starting to sweep the industry? Lastly, the company must see to it that the solution it selects is compatible with its ISP’s security technologies, its own e-mail facilities and employee workstations.

All things considered, don’t expect the results to be too spectacular. According to IDC, for a company with 5,000 e-mail addresses and an annual spam-related productivity loss of US$4.2 million, the implementation of an antispam solution could cut employee spam processing time in half and trim its productivity loss by US$796,000. Fortunately, says Vergé, savings on this scale greatly exceed the cost of installing and managing an antispam solution. As an indication, for a company with 5,000 addresses, the monthly cost of a ZeroSpam outsourcing solution would be about 50¢ per employee, or $30,000 a year.

But a business can beat the results announced by IDC, as seen when ZeroSpam was applied to the spam problem of Avantages Services Financiers Inc. in Montreal. By the time the company enlisted an outsourcer, it was getting more spam than legitimate e-mail. “We no longer have any kind of problem at all,” says Michel Marcoux, Avantages president. “And if by chance we receive a spam e-mail, we send it back to ZeroSpam, which adds it to its filters.”

Fairy tales like this do exist, but it’s better to be realistic. “We don’t want to eliminate spam altogether,” says Vergé, “we just want to reduce it to a manageable level. Like viruses, spam is the price we have to pay for an open Internet network.”


Yan Barcelo is a Montreal-based writer

RELATED LINKS

The story of spam, by Jonathan D. Andrews, CAmagazine, June-July 2003

Security, spam top tech issues, CAmagazine, April 2004

Ask an expert, CAmagazine, January-February 2004

Email marketing 2004: Being heard above the noise, Ipsos-Reid

An anti-spam action plan for Canada, Industry Canada, May 2004