Spam laws lax--but you can master mass mail

Anti-spam laws are too late and too little. To protect your servers from a mass mail meltdown you need a combination of methods using commercial products and services.

The recent upsurge in spam is forcing enterprise managers to treat it as a serious threat rather than simply an annoyance. While viruses seem to be well under control by enterprise IT departments, spam is a danger that has, until recently, been underestimated by many corporations. The proliferation of spam, also known as unsolicited commercial e-mail (UCE), has taken on alarming proportions.

"My clients who are able to measure spam tell me that between 30 to 50 percent of their message traffic is spam," says Joyce Graff, VP and research director at Gartner. "That's clogging up the 'works' and putting a lot of additional stress on people's networks." In fact, according to Brightmail, a leading vendor of anti-spam services, unique spam attacks rose to over 5 million by August, 2002, up from 1.5 million in August of 2001. (According to Brightmail, a unique spam attack is defined as a group of similar spam messages such as the Nigerian hoax or the University Diploma.)

Spam doesn't only stress network capacity and employee morale, but can also become a serious privacy issue. There has been an explosion of directory harvest attacks (DHAs), the attempt to collect corporate e-mail addresses by, for example, sending thousands of test e-mails to an enterprise server and looking for those that don't cause bounce-backs. Such attacks are widespread, according to Postini, a vendor of anti-spam services. More than half of the e-mail some of its customers have received was actually DHA traffic, a serious drain on resources.
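A directory harvest attack leaves a recognizable trace at the mail gateway: one client address trying many recipient names in a short time, with most of them rejected as unknown users. The detector below is an added example written for this article, not code from Postini or any other vendor named here; it reads a simplified, constructed log format (the `client=... rcpt=... status=...` layout is an assumption, not a real product's log syntax) and flags a client when, inside a sliding window, its unknown-user rejections reach a minimum count and make up most of its attempts. Thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample gateway log. 198.51.100.7 probes a run of alphabetical
# names and gets unknown-user rejections; 203.0.113.5 is ordinary traffic
# with one typo'd address. Addresses and timestamps are made up.
SAMPLE_LOG = """\
2002-09-03 10:00:00 client=203.0.113.5 rcpt=<alice@example.com> status=ok
2002-09-03 10:00:01 client=198.51.100.7 rcpt=<alice@example.com> status=ok
2002-09-03 10:00:01 client=198.51.100.7 rcpt=<aaron@example.com> status=unknown_user
2002-09-03 10:00:02 client=198.51.100.7 rcpt=<abby@example.com> status=unknown_user
2002-09-03 10:00:02 client=198.51.100.7 rcpt=<adam@example.com> status=unknown_user
2002-09-03 10:00:03 client=198.51.100.7 rcpt=<agnes@example.com> status=unknown_user
2002-09-03 10:00:03 client=198.51.100.7 rcpt=<al@example.com> status=unknown_user
2002-09-03 10:00:04 client=198.51.100.7 rcpt=<alan@example.com> status=unknown_user
2002-09-03 10:00:05 client=203.0.113.5 rcpt=<bob@example.com> status=ok
2002-09-03 10:00:05 client=203.0.113.5 rcpt=<bobby@example.com> status=unknown_user
2002-09-03 10:00:06 client=198.51.100.7 rcpt=<albert@example.com> status=unknown_user
"""

# Assumed log line layout for this example (not a specific MTA's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"client=(?P<client>[\d.]+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_dha(lines, window_seconds=60, min_unknown=5, min_ratio=0.8):
    """Return {client_ip: (unknown_count, total_count)} for every client whose
    recipient attempts within any window_seconds span include at least
    min_unknown unknown-user rejections making up >= min_ratio of those
    attempts. Lines are assumed to be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> deque of (timestamp, is_unknown)
    flagged = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort
        q = recent[rec["client"]]
        q.append((rec["ts"], rec["status"] == "unknown_user"))
        # Drop attempts that have slid out of the window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        unknown = sum(1 for _, is_unknown in q if is_unknown)
        total = len(q)
        if unknown >= min_unknown and unknown / total >= min_ratio:
            flagged[rec["client"]] = (unknown, total)
    return flagged


if __name__ == "__main__":
    for client, (unknown, total) in detect_dha(SAMPLE_LOG.splitlines()).items():
        print(f"possible DHA from {client}: {unknown} unknown of {total} attempts")
```

The ratio test matters as much as the count: a busy, legitimate mail relay will also produce some unknown-user rejections over an hour, but they will be a small fraction of its traffic. A flagged client is a candidate for rate limiting or a temporary block at the gateway, which is the point at which the services mentioned above say they stop such attacks.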

Throwing the book at spam

The other front in the war against spam is legislation.

A number of laws limiting spam are making their way through the federal system. For example, last May, the Senate Committee on Commerce, Science, and Transportation sent S.630, known as the CAN SPAM Act of 2001, to the floor. This bill would prohibit senders of UCE from disguising the source of their messages and would mandate the inclusion of an opt-out clause in all commercial e-mail. The House, meanwhile, has submitted H.R. 718, the Unsolicited Commercial Electronic Mail Act of 2001, which would impose criminal penalties for intentionally transmitting 10 or more spam e-mails. Under the law, ISPs would not be liable and, in fact, could sue for damages. That is, if they could actually find the sender.

While these bills drag through the House and Senate, a number of states have been enacting their own anti-spam legislation. Meanwhile, the Federal Trade Commission is attacking deceptive spam: unsolicited e-mail that initiates a credit card scam, touts pyramid schemes, or makes other fraudulent claims. For example, in April 2002, the FTC sent warning letters to 77 online marketers who included fake "unsubscribe" links.

But that isn't enough for beleaguered IT staff members. "I tell my clients to ignore any legal protection offered against spam," says Matt Cain, an analyst at Meta Group. "We believe that organizations have to recognize this as a threat, and deal with it, and not rely on any type of legislation."

There are a variety of solutions available. Gartner's Graff suggests that enterprises with fewer than 5,000 users should seriously consider outsourcing to a service company, such as Brightmail or Postini, that offers a client-server solution by intercepting e-mail, filtering message headers and content, and then passing the validated e-mail to the customer's corporate e-mail system. These vendors can also prevent DHAs by stopping the attacks before they get near the enterprise server.

Cain feels that most companies would benefit from employing dedicated anti-spam servers, "either replacing the SMTP server or sitting directly behind the SMTP gateway." This includes hardware appliances such as the IronPort gateway, while a number of software solutions are available that can do header and/or content analysis, identify and abort DHAs, or block messages that follow spam-like patterns.

There are a number of new techniques being introduced that work much better than the "blacklists" that simply list domains to exclude. For example, Graff suggests software solutions that use a point system to identify the spam tactics used in a message, thus minimizing the number of false positives generated. Some vendors are introducing algorithms that try to predict which messages will be spam, much in the same way that algorithms are used to predict new strains of viruses.

A startup called Habeas is trying things from another angle: certifying e-mail so the recipient can be sure it's not spam. Habeas uses what it calls Sender Warranted E-mail: Users embed a copyrighted three-line haiku poem and trademark information into their e-mail headers. This way, a filter set to recognize the unique header can disregard all other e-mail, which is purportedly spam. Anyone who tries to send spam using these headers can be prosecuted for copyright and trademark infringement (a more cut-and-dried prosecution), although you would still have to find that perpetrator. While this will not stop UCE, it does give a company a way to easily filter out unwanted e-mail.

While there is no total solution to spam, companies can come close by using anti-spam services or products to employ a combination of strategies, including content filtering, pattern blocking, address validation, and domain blocking, among others. Although some care has to be taken to prevent false positives, a proactive anti-spam defense campaign can prevent unwanted commercial e-mail from overloading your servers and irritating your employees.
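The point system Graff describes, the certification header idea behind Habeas, and the combination of strategies summarized just above all come together in one small filter. The code below is an added example written for this article, not a vendor's product or the Habeas scheme itself: the blocklisted domains, the `X-Certified-Sender` header name and its token are placeholders standing in for a real domain list and a real certification mark, and the rule weights and threshold are illustrative. Each signal (domain blocking, header analysis, content patterns, recipient validation, certification) adds or subtracts points, and only the total decides, so no single signal produces a false positive on its own.

```python
import re
from email import message_from_string

# Constructed local domain blocklist; these are not real spam sources.
BLOCKLISTED_DOMAINS = {"bulk-offers.example", "cheapdiplomas.example"}

# Placeholder certification header and token for this example; a real scheme
# such as Habeas uses its own header names and protected text.
CERT_HEADER = "X-Certified-Sender"
CERT_TOKEN = "warranted-example-token"

# (pattern, points, rule name). Low weights: each is weak evidence alone.
SUBJECT_RULES = [
    (re.compile(r"\bFREE\b"), 1, "subject_free"),
    (re.compile(r"!{3,}"), 1, "subject_exclaim"),
    (re.compile(r"\$\$\$"), 1, "subject_dollars"),
]
BODY_RULES = [
    (re.compile(r"click here", re.I), 1, "body_click_here"),
    (re.compile(r"https?://\S+"), 1, "body_url"),
]


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def score_message(raw, local_user):
    """Return (score, [rule names that fired]) for one RFC 822 message."""
    msg = message_from_string(raw)
    score, hits = 0, []
    if sender_domain(msg) in BLOCKLISTED_DOMAINS:
        score += 3
        hits.append("blocklisted_domain")
    subject = msg.get("Subject", "")
    for rx, pts, name in SUBJECT_RULES:
        if rx.search(subject):
            score += pts
            hits.append(name)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for rx, pts, name in BODY_RULES:
        if rx.search(body):
            score += pts
            hits.append(name)
    # Address validation: the local recipient should appear in To or Cc.
    listed = (msg.get("To", "") + " " + msg.get("Cc", "")).lower()
    if local_user.lower() not in listed:
        score += 1
        hits.append("recipient_not_listed")
    # Certification header: strong negative evidence, as in the Habeas model.
    if msg.get(CERT_HEADER) == CERT_TOKEN:
        score -= 4
        hits.append("certified_sender")
    return score, hits


def classify(raw, local_user, threshold=4):
    """Label a message 'spam' when its total score reaches the threshold."""
    score, hits = score_message(raw, local_user)
    return ("spam" if score >= threshold else "ham"), score, hits


# Constructed sample messages (the leading backslash keeps the header block
# at the very start of the string, which the parser requires).
SPAM_SAMPLE = """\
From: sales@bulk-offers.example
To: undisclosed-recipients:;
Subject: FREE diplomas!!! $$$
Content-Type: text/plain

Click here: http://bulk-offers.example/buy
"""

CERTIFIED_SAMPLE = """\
From: newsletter@partner.example
To: carol@example.com
Subject: FREE shipping this week
X-Certified-Sender: warranted-example-token
Content-Type: text/plain

Click here for details: http://partner.example/shipping
"""

BLOCKLIST_ONLY_SAMPLE = """\
From: info@cheapdiplomas.example
To: carol@example.com
Subject: Meeting notes
Content-Type: text/plain

Attached are the notes from Tuesday.
"""

if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("certified", CERTIFIED_SAMPLE),
                      ("blocklist-only", BLOCKLIST_ONLY_SAMPLE)]:
        print(name, classify(raw, "carol@example.com"))
```

The three samples show the trade-off the article describes. The bulk mailing trips every rule and scores well past the threshold. The certified newsletter uses the same "FREE" and "click here" wording but its certification header pulls it back below the line. The message from a blocklisted domain with ordinary content stays under the threshold, which is exactly where a pure domain blacklist would have produced a false positive; raise the blocklist weight or lower the threshold if your environment prefers to err the other way.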
