New Tools Emerge for Keeping Spam in the Can
Spam has grown out of control and is choking many corporate e-mail systems. About 24 percent of e-mail coming into corporate systems is unsolicited junk mail, a percentage projected by Radicati Group to grow to about 50 percent over the next few years. Currently, an organization of 10,000 employees pays an extra $487,600 for the Exchange servers required to handle spam, according to Marsha Khmartseva, analyst with Radicati Group. This cost is projected to grow to more than $2.5 million by 2007. A typical company with 21 Exchange e-mail servers now devotes about five of those servers to handling junk e-mail.
“It’s definitely a bigger problem than it was even six months ago,” agrees Michael Wilson, senior network engineer and technical supervisor for Cincinnati Equitable. “About 25 to 30 percent of all the e-mails we get are spam. Personally, I get between 50 and 100 messages a day of spam. Ironically, that’s just from signing up for some security mailing lists!”
Ferris Research estimates that on average, North American business users receive approximately 10 spam messages per day, up from three a year ago. Next year, this average may jump to 18 per day. The average may seem relatively low to many beleaguered corporate e-mail users, admits Marten Nelson, analyst with Ferris Research. “There are people that receive hundreds. This is mainly driven by job function. Those people whose e-mail addresses are exposed to the Internet are likely to receive a lot more spam.”
For many, what starts out as a manageable trickle eventually grows into a roaring torrent of junk e-mail. Michelle Boggess, electronic data security coordinator for the HIPAA project office at Baptist Health Care System, says the amount of spam coming into her organization gradually crept up until it was decided that enough was enough. This flood eventually crested to about 60 percent of the messages coming into the health care system’s 2,500-user Lotus Notes system. “We were close to having to make a decision to upgrade our e-mail system,” says Boggess.
Upgrade costs may run high in terms of handling extra bandwidth, extra processing, additional mail servers, and additional storage, says Dr. Paul Judge, CTO of CipherTrust, and chairman of the Anti-Spam Research Group of the Internet Research Task Force. “Not only do companies have to pay to receive that spam, they have to store these mail messages for up to seven years in some cases. They pay for the hard disk, they pay to put that spam on tape, and put that spam in storage. So if they’re not able to block it at the gateway of the enterprise, then the costs increase even more.”
Before spending money on new equipment and software to handle even more junk e-mail, Boggess’ organization opted instead to try out spam identification and filtering software – CipherTrust’s IronMail – in an attempt to slow down the spam influx. The organization was able to postpone an e-mail server upgrade. Now, “thousands of messages – identified as spam through either the dictionary or the domain name – get dropped or quarantined daily,” she says.
Boggess’ organization, however, has to handle much questionable e-mail gingerly. E-mail coming into a healthcare organization is likely to include names of body parts – usually a red flag for pornography. “We let a lot of things fall into our quarantine queue that a lot of other facilities might just block initially from coming in completely,” says Boggess. “We have to individually handpick those out.” While a small handful of unchecked spam e-mails do still arrive in end users’ mailboxes, these are typically “the end-users doing online shopping, and using their work e-mail addresses,” Boggess adds.
Wilson reports Cincinnati Equitable is doing some basic subject filtering with McAfee’s GroupShield for Exchange, but hopes to install a more robust spam control environment in the near future – if new products on the market are up to the task. “Most of the spam-filtering software that has been available for retail hasn’t exactly been ready for primetime,” he says. “Too many incidences of false positives and false negatives. The volume of messages that we receive is too much for an administrator to go through and try to sort out from stuff that’s quarantined. If we have an automated solution, we will need something that has effectiveness rates approaching 99 percent.”
Current antispam products include a variety of antispam methodologies, from blacklists and whitelists to statistical analysis. “A year or two ago, most antispam products were using one technique, maybe two,” says Nelson. “The most common was the use of blacklists – lists of domain names from which e-mail should be rejected. It wasn’t very effective or efficient, and generated a lot of false positives. Spammers have become smarter and developed techniques to get past those blacklists; it has started an arms race between spammers and the spam vendors. Antispam vendors now incorporate a cocktail of different methods. They test incoming messages against a large set of different rules. What’s critical is the algorithm that vendors use to tie all these techniques together.”
Exchange Server 2003 includes what Microsoft calls a “third gate” of spam protection. The new feature integrates with third-party antispam products that employ algorithms to “score” a message based on the probability that the message is spam. Exchange 2003 will accept the score, called a “Spam Confidence Level,” while providing IT administrators the ability to set the scoring threshold that directs messages either to in-boxes or to junk-mail folders. At the user level, Outlook 2003 also includes antispam capabilities. Outlook 2003 can block HTML content and e-mail from blacklists, and create whitelists of legitimate e-mail addresses. “Allow-deny” lists can also be managed at the enterprise level.
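A sketch of how several rules can be tied into one score and routed by administrator-set thresholds, added here as an illustration and not taken from Exchange or any vendor named in the article. The 0-9 scale, rule weights, word list, addresses and thresholds are all assumptions; the second sample shows why a healthcare site would quarantine rather than drop on dictionary hits.

```python
import re

# Lists, weights and thresholds are constructed for illustration only.
BLOCKED_DOMAINS = {"bulk-offers.example"}
ALLOWED_SENDERS = {"lab-results@partner-clinic.example"}
DICTIONARY = {"viagra": 4, "winner": 3, "breast": 3, "free": 2, "click": 2}
QUARANTINE_AT = 5   # score >= this is held for an administrator to review
DROP_AT = 8         # score >= this is rejected at the gateway


def score_message(sender: str, subject: str, body: str) -> int:
    """Combine whitelist, domain blacklist and dictionary rules into 0-9."""
    sender = sender.lower()
    if sender in ALLOWED_SENDERS:
        return 0                      # whitelist overrides every other rule
    score = 0
    if sender.rsplit("@", 1)[-1] in BLOCKED_DOMAINS:
        score += 6                    # domain blacklist hit
    words = set(re.findall(r"[a-z]+", f"{subject} {body}".lower()))
    # Each dictionary term counts once, so repetition cannot dominate.
    score += sum(weight for term, weight in DICTIONARY.items() if term in words)
    return min(score, 9)


def route(score: int) -> str:
    """Map a score to a disposition using the two thresholds."""
    if score >= DROP_AT:
        return "drop"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "inbox"


def classify(sender: str, subject: str, body: str):
    score = score_message(sender, subject, body)
    return score, route(score)


# Constructed sample messages: (sender, subject, body).
SAMPLES = [
    ("promo@bulk-offers.example", "You are a WINNER", "Click for free pills"),
    ("dr.lee@regional-hospital.example", "Free breast cancer screening",
     "Clinic hours are attached."),
    ("lab-results@partner-clinic.example", "Free breast cancer screening",
     "Clinic hours are attached."),
    ("newsletter@shop.example", "Weekend sale", "Free shipping on all orders"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], classify(*sample))
```

Raising `DROP_AT` trades administrator review time for fewer lost legitimate messages, which is the trade-off the false-positive complaints above describe.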
Some leading vendors in the antispam space include Cloudmark, MessageLabs, CipherTrust, Postini, Brightmail, ActiveState, Proofpoint, MailFrontier, Network Associates, HelpMeSoft, Gordano, Elron, Commtouch, and ClearSwift. The antivirus software companies are also extending their products to provide antispam capabilities.
The third-party tools round out Exchange Server’s antispam capabilities much in the same fashion as antivirus software. Nelson describes Exchange Server’s capabilities as “very rudimentary spam filtering tools.” The real value comes from “the way Microsoft has chosen to work with the vendors, to create an interface where their products can be integrated. It’s like the antivirus business, where Microsoft and IBM really don’t have their own virus products, but work with the specialist vendors.”
Cincinnati Equitable’s Wilson considers Exchange Server 2003’s new antispam features “definitely an improvement over the ‘nothing’ that’s part of Exchange 2000.” However, in his company’s case, the expenses of an Exchange Server migration outweigh any benefits gained from enhanced antispam features. “We’re definitely interested in improving our antispam filtering capabilities, but I don’t know if that justifies an upgrade to Exchange 2003 right away. We’re definitely more interested in spending the money on a spam-filtering software than to have to go through upgrade licensing.”
Along with technology solutions in products such as Exchange and Outlook, Microsoft is also promoting more thorough industry-wide action against spam. Recently, in a letter to the U.S. Senate Commerce Committee, Microsoft chairman and chief software architect Bill Gates urged stronger antispam legislation, along with the establishment of an “independent trust authority or authorities” that would certify legitimate e-mail with an electronic “seal.” Microsoft is also leading an initiative called “The Penny Black Project” – named after Britain’s Penny Black stamp, issued in the 1830s. Prior to the Penny Black, postage recipients had to pay for delivery, based on weight and distance. Penny Black shifted the cost of delivery to the sender with a nominal universal fee. Similarly, the Microsoft project may eventually propose one of several techniques to shift e-mail delivery costs to senders via electronic “tickets,” based on variables such as CPU cycles, memory cycles, or Turing tests (proof that a human was involved).