Staying one step ahead in the anti-spam arms race

Brightmail's Mark Bruno gets ZDNet UK up to speed on the latest dispatch from the global war on spam

With UK government legislation doing little to impede the relentless rise of spam, businesses are increasingly turning to software to keep mail systems functioning. Brightmail, recently acquired by security specialist Symantec, is a market leader in the spam-filtering industry, and is expected to announce a major upgrade of its software in the next few weeks.

ZDNet UK spoke to Mark Bruno, Brightmail's enterprise product manager, about how his company is keeping pace with new spamming tactics, the rise of SMS spam and the significance of the Symantec deal.

How has spam evolved since you joined the industry?
Originally spam was all ASCII text and we blocked it by comparing emails against known spam signatures. Then spammers started "hashing" -- changing one or two characters of the signature to avoid us picking it up, such as replacing the letter i with the letter l or the number 1. We block these emails by doing fuzzy matching.

The use of URLs has also evolved. Spam messages used to contain phone or fax numbers; nowadays, they have URLs directing you to a Web site. These URLs shortened messages, and that gave us less to create our signatures with. We started blocking messages with URLs in July last year, to which spammers responded by masking URLs.

We constantly monitor any changes in spam by using "honey pots" -- unused email addresses which we advertise on sites that spammers are known to use. We have more than two million "honey pots" and receive about 100 billion spam emails every month.

Why has the volume of spam increased so dramatically?
Because it is lucrative and easy to do. When I joined Brightmail three years ago, 8 percent of emails were spam. Now 64 percent of emails are spam.

Spammers earn anything from a few hundred thousand to a few million US dollars a year. It doesn't require technical expertise either -- you can buy spamming software that will do the hashing and encrypting URLs, and can buy a CD-ROM with 100 million email addresses for $100.

What will the future of spam look like?
Spam will become more and more sophisticated and will be seen in new mediums. Although our main focus is corporate and consumer spam, we are also moving into technologies to fight instant-messaging and wireless spam. Right now, SMS spam isn't a big problem in the UK, but this is likely to change -- there is already a high level of SMS spam in Japan, where the technology was taken up earlier.

What do you make of the 'zombie' threat (Internet-connected PCs used for spamming after being infected by a virus)?
There is a significant problem with zombie computers. We can work out which IP addresses are sending spam, but it costs more for ISPs to chase down these people and educate them on how to clean their computer than it costs in processing costs.

What's the best place in the system to stop spam?
Spam can be stopped at various places: recipient's desktop, mail server, gateway, router or outbound email. The companies that Brightmail works with generally stop it at the gateway or router level. ISPs are sometimes able to block the outbound email from going any further. This is the ideal situation, as the further down the network you let it go, the more network resources you use.

Symantec announced its acquisition of Brightmail in May. What is the latest news on this?
There should be movement on this in the next few weeks -- probably around the same time that we announce our next product release. The US anti-competition commission has approved the acquisition, but we are awaiting approval in the UK.

Customers have been positive about the change as they will only have to deal with one vendor in the future -- and they know that we'll be around for longer.

What is the future of the anti-spam industry?
I think we'll see further consolidation of smaller anti-spam vendors. The main threat for small vendors is the large antivirus vendors, as they have well-established distribution channels. Microsoft recently bought a small antivirus vendor, but I'm not too worried about the threat from them. They are currently our largest customer and I don't see that changing.