Spam Wars

Computerworld - You know from looking at your e-mail lately that it's possible to be debt-free, have perfect skin and be a babe magnet—with a little help from your new friends.

But at least employees at Stamford, Conn.-based Xerox Corp. are shielded from such revolutionary offers—though the process hasn't been easy. Last summer, Xerox's firewall team was blocking 150,000 spam e-mails a month. By early fall, it was 60,000 messages a day, seven days a week, says Linda Stutsman, manager of corporate information security and risk management.

In the past year, spam has moved beyond personal e-mail accounts, invading business systems and graduating from societal pest to corporate enemy. Companies are stockpiling their arsenals—lists of legitimate senders and known spammers, tools that pick up on spamlike content or behavior, digital fingerprints and decoy e-mail addresses—to fight this invasion. On the other side, however, new and resourceful recruits lured by spam's promise of big financial returns are constantly devising counterattacks.

"There's 10 times as much [corporate] spam this year as there was last year," says Joyce Graff, an analyst at Stamford, Conn.-based Gartner Inc. "It's mind-blowing. And the economics are on the spammers' side."

And, says Jason Catlett, president of Junkbusters Corp., a Green Brook, N.J.-based antispam organization, the problem is getting worse. "Spam is growing at a slightly faster rate than e-mail traffic," he says.

Weapons of War

The spam weapons that Graff finds most difficult to defend against are harvesting tools. For $39.95, marketers can buy a "spambot" that searches message boards and lists, culling up to 100,000 e-mail addresses in an hour. Spambots also get into the relay game with organizations' message transfer agents (MTA) by sending messages to, for example, georgebrown@whitehouse.gov, georgebuckley@whitehouse.gov and so on, until they find matches.

To combat these spambots, Graff says, organizations need to set up their MTAs so they automatically disconnect as soon as they detect harvesting attacks.

But, says Steve, a Washington-based spammer who asked to be identified by only his first name, spammers are continually finding—and sharing—new ways to hide their identities. For instance, he's created a filter-evading script that randomizes subject lines and source addresses so they're not easily identified as bulk mail. Big-time spammers buy servers that can randomize entire domains, says Steve.

Spammers scan the Internet for open relays in foreign countries so their messages will be hard to trace. Or they set up free e-mail accounts and dump them before they're caught. Spammers can blast out hundreds of thousands of messages, each with customized content and source addresses, and then quickly log out, says Mark Bruno, enterprise product manager at Brightmail Inc., a San Francisco-based vendor that got its start filtering e-mail for service providers but has since shifted its focus to corporations.