AUGUST 20, 2002
SECURITY NET
By Alex Salkever

Strategies for Winning the War on Spam
A flood of craftily disguised e-mail, much of it obscene, is deluging workers at their desks. If employers don't act, lawyers will

True, the subject line and return address usually offer a clue that these misguided missives ought to be deleted. How hard is it to figure out when the word "bestiality" appears in the subject line and the return address is doggyfun@yahoo.com? The problem now is that more and more spam comes from addresses that aren't obviously bogus or is dressed up to look like my colleagues sent it. In the past week, e-mail with my co-workers' return addresses has asked me to invest in dubious diet treatments and engage in a menage a trois. Of course, this e-mail wasn't from my colleagues.

FOOLED AGAIN. I opened them because, when I looked in the address line, it appeared that the sender was someone I knew and trusted. And the messages bore subject lines such as "Meeting Times" -- generic enough to make me think they applied to me. Only after checking the headers and routing information was I able to discern that they actually originated from anonymous e-mail accounts.

Spam that appears to come from colleagues is relatively new -- and it indicates that the senders have achieved a new level of sophistication. Apparently, the spammers' software now scans the Web for the e-mail addresses of individuals at big corporations. It also notes the format and matches it with the names of people at the same corporation in order to send what appears to be internal e-mail.

That's why it's becoming harder to avoid spam of all kinds -- including the pornographic variety that seems to be ever more common. And that's why corporations had better start thinking more seriously about weeding it out.

HOSTILE ENVIRONMENT? What's the big deal, other than the nuisance factor? Well, corporations could face potential legal problems. Several of my female colleagues have complained that the spam they now receive is so vulgar they find it alarming.
Could employers who don't take action to block spam face charges of sexual harassment for not correcting what might easily be determined to be a "hostile work environment"? It's possible. America is a litigious place, and trial lawyers are a creative lot.

Estimates of spam as a percentage of total e-mail traffic range from 10% to 50%. For those of us with public e-mail addresses easily located on the Internet, the daily dose can go well above the 50% mark. Some days I spend an hour or more erasing spam.

As of July, 2002, so-called "adult spam" represented 8% of the total being sent, according to antispam software-and-services provider BrightMail. The volume of spam has quintupled over the past year, BrightMail estimates. That means even if smut as a percentage of total spam has remained the same, we're being subjected to five times more of it. But BrightMail claims that the percentage of porno spam has doubled in the past year.

CUNNING AND DEVIOUS. That matches my own anecdotal evidence: I hear people complain almost every day that spam has gone from a couple of nasty e-mail messages to a steady daily stream. Worse, the same people relate that the nature of this spam is not only harder to detect but is also increasingly explicit.

What to do? First, to stop bogus e-mail that appears to come from colleagues, companies could build filters into existing mail-management systems. The goal would be to check that the return address matches the one the purported sender is known to use. For the legions of people who use multiple e-mail accounts, info-tech departments could create a simple mail registry that would allow a mix-and-match approach to screening.

Second, any business that hasn't done so should seriously consider some of the new antispam systems. Dozens of outfits large and small offer spam-protection software. By and large, most aren't practical because they block too much legitimate mail.
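
The return-address check and mail registry proposed above can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the registry contents, the `example.com` domain, the sample messages and the function names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (assumption): every address each employee is known to use.
REGISTRY = {
    "Pat Jones": {"pat_jones@example.com", "pjones@home.example.net"},
    "Lee Wong": {"lee_wong@example.com"},
}
CORPORATE_DOMAIN = "example.com"  # placeholder domain


def owner_of(address, registry):
    """Return the registered person who uses `address`, or None."""
    for person, addresses in registry.items():
        if address in addresses:
            return person
    return None


def screen(raw_message, registry=REGISTRY, domain=CORPORATE_DOMAIN):
    """Classify one message as 'pass', 'external' or 'quarantine: <reason>'."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    # Return-Path is stamped by the receiving server from the SMTP envelope.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    display, from_addr, envelope = display.strip(), from_addr.lower(), envelope.lower()
    claims_name = display in registry
    if not claims_name and not from_addr.endswith("@" + domain):
        return "external"  # no claim to be a colleague; leave to other filters
    claimed = display if claims_name else owner_of(from_addr, registry)
    known = registry.get(claimed, set())
    if from_addr not in known:
        return "quarantine: From address not registered for purported sender"
    if envelope not in known:
        return "quarantine: envelope sender does not match purported sender"
    return "pass"


def sample(from_header, return_path):
    """Build a constructed test message with the article's generic subject line."""
    return (f"Return-Path: <{return_path}>\nFrom: {from_header}\n"
            "Subject: Meeting Times\n\nSee attached.\n")


if __name__ == "__main__":
    print(screen(sample("Pat Jones <pat_jones@example.com>", "bulk77@mailer.example.org")))
    print(screen(sample("Pat Jones <pat_jones@example.com>", "pjones@home.example.net")))
```

Because `Return-Path` reflects the SMTP envelope sender, which the sending side also chooses, this screen catches only spoofs where the two disagree, so quarantined and passed mail alike still benefit from the human review the article calls for.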

Spammers will always try to exploit weaknesses, either human or technological, to deliver their unwanted payloads.

TRIAL RUNS. The most promising antispam model would involve a combination of automation and human intervention. Antispam software-and-service companies, such as BrightMail and Message Labs, filter mail using lists that they gather themselves or download from either for-profit outfits or nonprofit antispam efforts. The nonprofit shops generally rely on submissions of spam from the public to identify known spam domains. Nothing is foolproof; some level of human intervention will always be needed to prevent bona fide messages from being filtered out.

The best course of action? Corporations should try out antispam technologies in closely controlled trial runs with limited numbers of users. That will help them make sure that the system performs as advertised. Many antispam service providers will allow free trials for a limited number of users. Getting customers online with antispam services isn't terribly difficult or time-consuming, as these services simply monitor e-mail traffic and don't deal with more complicated parts of company networks.

Finally, antispam measures will inevitably screen out some valid e-mail. That may mean a crucial message gets lost in the shuffle some day, but speaking personally, I'm more than willing to let that happen. For corporations, such a sacrifice may become imperative if the legal consequences of not stopping spam become too costly.

Antispam technology is improving rapidly. Soon, filtering should become easier and more reliable. Eventually, it'll be part of every corporate-security system, just as antivirus and firewall programs are today. I look forward to the day when I don't have to deal with junk e-mail made to look as if one of my colleagues had suddenly turned into a wacko fetishist.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
Edited by Patricia O'Connell