How to stop SPIM abuse

How to stop IM, SPIM abuse
Written by Marty Schultz, Contributor
If your business has not figured out how to control instant messaging (IM), you are in for a rude awakening. Abuse of IM can cripple workforce productivity, and even more serious is SPIM -- spam sent through instant messaging -- which is growing like a virus. What is it, how does it work, and what can you do to stop it?

About 70 percent of all organisations used instant messaging by the end of 2003, according to market research firm Gartner Inc. Gartner predicts that by the end of 2005, instant messaging will surpass e-mail as the primary way people interact electronically.

All this IM growth is spawning rapid proliferation of SPIM, or spam through instant messaging. According to Ferris Research, more than 4 billion SPIM messages will be sent in 2004. That's up 100 percent from 2003. The Yankee Group estimates that 5 percent to 8 percent of corporate IMs are SPIM.

Instant messaging through popular America Online (AOL), Yahoo, Microsoft Network (MSN), ICQ and other free technologies is beginning to give companies and IT administrators major headaches. "An increasing number of employees are circumventing IT and installing public instant messaging clients. Left unmanaged, public IM puts companies at greater risk of security vulnerabilities, breaches of confidentiality, virus infection, legal liability, and violation of privacy regulations," according to research firm IDC.

We have all seen how IM abuse takes shape -- employees wasting more time "chatting" about non-work matters, decreasing their efficiency and costing the company time, money and profits. When IM is used for business matters, it can be an elusive medium unless all messages are archived for future reference.

What form does SPIM take? Just like its popular sister spam, SPIM is most often about pornographic matters, according to research firm Radicati Group, followed by suspect advertisements for frivolous products and money-making schemes. Even more worrisome is the growing trend of e-mail worms hijacking a user's IM identity to send spam.

The usual defenses don't work
Only a tiny fraction of all businesses have their IM under control, while a majority use popular tools to control their e-mail: filtering spam and preventing e-mail-borne viruses. This is a big mistake -- the Osama virus infiltrated companies through IM, rather than e-mail.

Some companies attempt to stop Instant Messaging at a firewall, but rarely is that effective. Many IM systems search for any "open port" to communicate with the Instant Message server, such as AOL, MSN, ICQ or Yahoo.
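The following sketch shows why a port block alone misses this traffic and how inspecting the first bytes of a stream still identifies it. It is an added example, not code from the article or from any product it mentions; the default ports and leading-byte signatures are assumptions taken from public descriptions of these legacy protocols, and the sample flows are constructed.

```python
import re
from typing import Optional

# Assumed default server ports a firewall rule would block (AIM/ICQ, MSN, Yahoo).
DEFAULT_IM_PORTS = {5190, 1863, 5050}
MSNP_HELLO = re.compile(rb"^VER \d+ MSNP\d+")

def classify_payload(payload: bytes) -> Optional[str]:
    """Name the IM protocol from the first bytes of a TCP stream, or None."""
    # OSCAR (AIM/ICQ) FLAP frame: 0x2A, channel 1-5, 2-byte sequence, 2-byte length.
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        if 6 + int.from_bytes(payload[4:6], "big") <= len(payload):
            return "OSCAR"
    if payload.startswith(b"YMSG"):      # Yahoo Messenger packet magic
        return "YMSG"
    if MSNP_HELLO.match(payload):        # MSN version negotiation line
        return "MSNP"
    return None

def audit_flows(flows):
    """Return (src, dst_port, protocol, missed_by_port_block) for each IM flow."""
    findings = []
    for src, dst_port, payload in flows:
        proto = classify_payload(payload)
        if proto:
            findings.append((src, dst_port, proto, dst_port not in DEFAULT_IM_PORTS))
    return findings

# Constructed sample flows: (internal source, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    ("10.0.0.7", 443, b"YMSG\x00\x0b\x00\x00\x00\x00\x00\x4c\x00\x00\x00\x00"),
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.11", 1863, b"VER 1 MSNP8 CVR0\r\n"),
    ("10.0.0.13", 25, b"*** not a FLAP frame"),
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Payload matching of this kind only sees cleartext protocols; IM that is encrypted or tunnelled inside another protocol needs endpoint controls instead.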

Users assume that they only receive instant messages from people they know. For example, AOL and MSN let you accept messages only from your buddy list, and ask if you want to receive a message from someone else. However, these mechanisms are not all that difficult to bypass. Just like many downloaded spyware products can determine which websites you visit, they will be able to identify your IM "buddies." Masquerading as a buddy, SPIMmers will eventually be able to break through many of the simple blocking techniques in place today.

Four-step plan for SPIM defense
Companies of all sizes need to establish a proactive plan of defense to prevent IM abuse and SPIM from crippling productivity and network efficiency. This plan includes both technology and business practices.

Step One: Acceptable usage policy for IM. The first step in getting control of IM abuse and SPIM is to establish an Acceptable Usage Policy. This will prevent employees from making inappropriate use of IM, which means employees will stop wasting time and use IM as a business tool to optimise communication internally and externally. It sets a culture of efficiency, with clear ramifications for those who disobey the policy. If IM is viewed as a technology toy, it will not benefit the company.

Step Two: Monitor and archive IM. How do you enforce the Acceptable Usage Policy? Only through implementing a product to monitor and manage your employees' use of Instant Messaging. Beyond the enforcement aspect, there are clear business benefits to archiving IM that include increased communication efficiency, worker productivity, and liability protection. Unlike e-mail, instant messages are easily lost and business done via IM is risky. Many industries, such as financial services with Sarbanes-Oxley, now have federal mandates to track and archive all IMs.

Several tools are available to monitor and archive IM. They work by watching (sniffing) Internet traffic that travels over a company's cable or DSL modem. The tool must be able to look at multiple IM types such as AOL, MSN, ICQ and Yahoo, and store them in a database. Companies can analyse the electronic conversations based on the participants, time or date, or can scan the conversations for keywords. Searches can also be done for a specific participant, to see any (or all) of that user's conversations, or see all activity for the day.

To illustrate the effectiveness of Steps One and Two, take the example of the Royal Sonesta Hotel in Cambridge, Massachusetts. The popular hotel assumed their employees were receiving SPIM. Their Internet Acceptable Usage Policy for employees prohibited all but a few from using Instant Messaging. They downloaded and installed an Instant Message Management utility to track the SPIM and found more than 30 PCs that may have received SPIM. Upon further investigation, they discovered that it wasn't SPIM after all. Some users were using Instant Message software on their PCs in violation of the Acceptable Usage Policy. The IT Director removed the Instant Messaging software from the targeted PCs, and continued to use a monitoring tool to assist in enforcing their Acceptable Usage Policy.

Step Three: Manage IM communication. Once you have established an Acceptable Usage Policy for Instant Messaging, and implemented a way to enforce it, you need to determine which Instant Messages you will permit and which you will prohibit.

Take, for example, Tuscaloosa County Schools in Alabama, US, which serves 16,000 students. Director of Technology Tom Perrymon uses an IM tracking tool called p2pLog to monitor the IM activity of students and staff, monitoring and archiving more than 800 IM sessions daily. IM technology used includes AOL, Yahoo and MSN.

"We use the tool to help eliminate excessive network traffic and non-educational related use of equipment and resources," said Perrymon. "Within the first two hours of implementation we were able to monitor several students and staff abusing the district's Internet use policy. My superintendent was amazed that we now have the ability to know exactly how our equipment is being utilised. The tool tells me what I need to know as a manager to identify if students and staff are violating technology use policies and provides the necessary documentation for evidence."

IM is an important communication tool at Shay Financial Services, with 300 employees across eight offices. IT manager Manny Diaz realised a need to monitor and archive all IMs, especially in light of the new Sarbanes-Oxley Act, which requires publicly traded companies, accountants and financial services firms to more closely track instant messaging (IM) communications.

Like most companies, Shay Financial uses multiple IM services, including Microsoft, America Online, ICQ and Yahoo, all over PCs running Windows 2000 or Windows XP. Security is important to Diaz. He says that p2pLog's messages are logged in a Microsoft SQL database, with each message digitally signed and time stamped. Information captured includes the message, formatting information, username of sender and receiver, and related IP addresses. The resultant database and audit trail can be backed up on a periodic basis to a WORM device for permanent storage.

Diaz identifies users by e-mail name, computer name or Instant Message name. He can detect all aliases for each user, and also assign users to groups. Diaz can search by date, user or keywords. IM conversations can be exported to Excel or Notepad. Diaz says he makes use of overall usage graphs, top users and contacts, and hourly usage.
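A small model of the archive described in the two paragraphs above, with search by user and keyword and a per-message integrity tag, as an added example that is not p2pLog's code or schema. It assumes SQLite in place of Microsoft SQL, and a chained HMAC-SHA256 tag in place of the digital signature the article mentions; the key, table layout and function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: held off the database host in practice
COLS = "ts, proto, sender, receiver, src_ip, body"

def open_archive():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE im (id INTEGER PRIMARY KEY, ts TEXT, proto TEXT, "
               "sender TEXT, receiver TEXT, src_ip TEXT, body TEXT, mac TEXT)")
    return db

def _mac(prev_mac, fields):
    # Chain each tag to the previous one; length-prefix fields to avoid ambiguity.
    data = prev_mac.encode() + b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def log_message(db, ts, proto, sender, receiver, src_ip, body):
    row = db.execute("SELECT mac FROM im ORDER BY id DESC LIMIT 1").fetchone()
    fields = (ts, proto, sender, receiver, src_ip, body)
    db.execute(f"INSERT INTO im ({COLS}, mac) VALUES (?,?,?,?,?,?,?)",
               fields + (_mac(row[0] if row else "", fields),))

def search(db, user=None, keyword=None):
    """Return message ids matching a participant and/or a case-insensitive keyword."""
    sql, args = "SELECT id FROM im WHERE 1=1", []
    if user:
        sql += " AND (sender = ? OR receiver = ?)"
        args += [user, user]
    if keyword:
        sql += " AND instr(lower(body), lower(?)) > 0"
        args.append(keyword)
    return [r[0] for r in db.execute(sql + " ORDER BY id", args)]

def verify(db):
    """Return the id of the first row whose tag fails to verify, or None."""
    prev = ""
    for rid, *fields, mac in db.execute(f"SELECT id, {COLS}, mac FROM im ORDER BY id"):
        if not hmac.compare_digest(mac, _mac(prev, fields)):
            return rid
        prev = mac
    return None
```

Chaining detects edits and deletions inside the log, but not removal of the newest rows; comparing against the latest tag stored in the periodic WORM backup covers that case.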

"I can set alerts for inappropriate and important keywords, as well as excessive usage," says Diaz. "At the same time, there are no privacy concerns because conversations can be viewed in aggregation and remain anonymous."

Step Four: Stopping file transfers is stopping viruses. The final step in solidifying your organisation against SPIM-based viruses is to centralise, archive and virus check all files being transmitted through Instant Messaging. While there are several ways to accomplish this, most organisations have found that prohibiting files from being transmitted through Instant Messaging is the most reliable. The alternative, sending a file over e-mail, is just as convenient and easy as sending the file over Instant Messaging. Most IM management products provide a feature to prohibit files from being transmitted.

With a proactive battle plan against the threat of IM abuse and SPIM, companies can turn IM time-wasting and virus vulnerability into new and improved communication that helps their bottom line.

Marty Schultz is an industry expert on instant messaging technology. He is founder and CEO of p2pLog Software, an instant messaging monitoring and archiving company. Schultz was previously founder and CEO of eSped and OmTool.
