Spam Battle Plans

Companies are relying on multilevel spam-fighting strategies that include e-mail filtering tools, blacklist services and employee education.

Impotency drugs and underdeveloped body parts may have become big jokes in anecdotes about spam, but they're no laughing matter to Joshua Elicio, director of information security at Memorial Medical Center in Las Cruces, N.M. While words like Viagra and penis seem like obvious triggers for spam filters, it's not so simple when you're a teaching hospital where material on pharmaceuticals and anatomy is a mainstay of the business.

For Michelle Boggess, electronic data security coordinator for the Health Insurance Portability and Accountability Act (HIPAA) project office at Baptist Health Care System in Pensacola, Fla., the story is much the same. "We get e-mail from the Centers for Disease Control, so we see things that those in the banking industry don't need to worry about. Anything from the CDC is 'whitelisted,' and we let [questionable e-mail] fall into quarantine rather than automatically deleting it." For spam filtering, Baptist uses IronMail from Alpharetta, Ga.-based CipherTrust Inc.

Elicio's and Boggess' e-mail filtering challenges highlight the balancing act that IT professionals must perform as they attempt to deal with the onslaught of spam. They have to thwart the tremendous amount of annoying—and often offensive—junk e-mail that's infiltrating their companies and simultaneously ensure that critical business information gets through. Their ongoing and escalating battle requires them to continually fine-tune their spam-fighting strategies as spammers become more aggressive and creative.

"Enterprises have seen spam become a major problem in the past six to nine months," says Arabella Hallawell, an analyst at Gartner Inc. "This has become a huge problem for the IT organization. At the beginning of the year, 30% of business e-mail was spam, and now, just a few months later, it's over 50%."

"Spam was once viewed as an annoyance, but it's now doing real harm to corporations," says George Tillmann, vice president and CIO at Booz Allen & Hamilton Inc. in McLean, Va. "Spammers are no longer merely annoying marketers—they're predators."

According to Ferris Research in San Francisco, spam cost U.S. corporations $8.9 billion in 2002, a figure that's expected to rise to $10 billion by the end of this year.

"When you look at the costs of spam, there are three key elements: loss of productivity, cost incurred by the help desk when fielding calls about spam, and infrastructure costs, such as adding servers, bandwidth and administration," says Martin Nelson, an analyst at Ferris.

The good news, says Hallawell, is that high-level executives, as inundated as everyone else, are responding with the necessary cash. "Budgets are being released to deal with the spam problem for three reasons: the visibility of the problem, the costs of dealing with all the spam, and the fact that a lot of the content is really obscene," she says.

Companies are spending these allocations on a variety of spam-fighting technologies and services. "We're seeing approaches become more suitable for the enterprise," says Hallawell, adding that in order to be effective, vendors should support multiple spam-detection methods, such as heuristics, lexical analysis, statistical analysis and others.

In addition, companies should employ real-time black-hole lists (groups of Internet service provider addresses identified as sources of spam) and whitelists (company-defined lists of acceptable e-mail addresses that might normally get blocked by spam-filtering programs), and they should monitor and analyze their e-mail to ensure that their strategies are working. They should also set e-mail policies for the entire organization and educate users accordingly.

Nowhere is this fine-tuning more important than with spam-blocking technologies themselves. Set filter thresholds too low, and spam continues to flow in; too high, and business-critical information doesn't.
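
The trade-off described above, as an added example that is not from the article or from any vendor it names: a whitelist, a black-hole list and a lexical score are applied in that order, and the same constructed mail is evaluated at three cutoffs (a stricter filter means a lower score cutoff). All weights, addresses and messages are constructed for illustration.

```python
import re

# Constructed lexical weights (assumption); real filters add heuristic and statistical methods.
WEIGHTS = {"viagra": 3.0, "winner": 2.0, "free": 1.0, "click": 1.0}
WHITELIST_DOMAINS = {"cdc.example"}   # hypothetical whitelisted sender domain
BLACKHOLE_IPS = {"203.0.113.7"}       # constructed stand-in for a black-hole list hit

# Constructed sample mail: (message, is_spam)
MAIL = [
    ({"from": "pharmacy@hospital.example", "ip": "198.51.100.10",
      "body": "Formulary update: Viagra dosing guidance for cardiology residents"}, False),
    ({"from": "alerts@cdc.example", "ip": "198.51.100.20",
      "body": "Counterfeit Viagra advisory: click for free details"}, False),
    ({"from": "deals@shop.example", "ip": "192.0.2.55",
      "body": "Winner! Click for free Viagra"}, True),
    ({"from": "promo@offers.example", "ip": "203.0.113.7",
      "body": "Quarterly newsletter"}, True),
    ({"from": "info@lottery.example", "ip": "192.0.2.60",
      "body": "You are a winner"}, True),
    ({"from": "client@bank.example", "ip": "198.51.100.30",
      "body": "Free to meet Thursday? Click the calendar link"}, False),
]

def score(body):
    """Sum the weights of flagged words in the body (lexical analysis only)."""
    return sum(WEIGHTS.get(w, 0.0) for w in re.findall(r"[a-z]+", body.lower()))

def classify(msg, cutoff):
    """Whitelist wins, then the black-hole list, then the lexical score."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in WHITELIST_DOMAINS:
        return "deliver"
    if msg["ip"] in BLACKHOLE_IPS or score(msg["body"]) >= cutoff:
        return "quarantine"   # held for review, not deleted
    return "deliver"

def evaluate(cutoff):
    """Count legitimate mail quarantined and spam delivered at this cutoff."""
    fp = sum(1 for m, spam in MAIL if not spam and classify(m, cutoff) == "quarantine")
    fn = sum(1 for m, spam in MAIL if spam and classify(m, cutoff) == "deliver")
    return {"false_positives": fp, "missed_spam": fn}

if __name__ == "__main__":
    for cutoff in (8, 4, 2):   # lenient, moderate, strict
        print(cutoff, evaluate(cutoff))
```

The whitelist here keys on the From address, which a sender can forge, so a production whitelist should rest on an authenticated sender identity or a known relay address.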

The Wheat From the Chaff

"The biggest challenge in the spam wars is what to do about false positives," says Matthew Berk, an analyst at Jupiter Research in New York. "On the corporate side, false positives mean important e-mails don't get through, and for businesses selling to consumers, false positives mean e-mails the company needs to get to customers get blocked. It's causing great risk on one side and great frustration on the other."

Jim Hyatt, head of security and contingency services at The Vanguard Group Inc., a financial services firm in Valley Forge, Pa., understands both the risk and the frustration. "If you want to make money-management people nuts, block information on securities or investments," he says.

"Spam creates a whole hierarchy of pain for us," he continues. "First, if inappropriate e-mail gets through to workers, it creates an unfriendly work environment. Second, we're in the financial services business, so we have to monitor and retain e-mails. Third, there's the volume: We get 100,000 e-mails a day, of which 10% to 11% is spam, and of that, 20% to 30% is offensive."

Vanguard is using ClearEdge from Bellevue, Wash.-based Clearswift Ltd., as well as Unix sendmail, to filter spam before sending e-mail on to its Lotus Notes servers. To deal with false positives, Hyatt has two full-time people to monitor quarantined e-mail and test and fine-tune Vanguard's spam-filtering systems.

Teach Your Users Well

As an additional defense against spam, Hyatt has put in place an information security awareness program to educate Vanguard's 10,000 employees.

At Memorial Medical Center, user education includes taking a tough stance on e-mail policies. "With regards to spam, we were amazed at what was coming in—60% of our e-mail was junk," says Elicio. "We looked at network utilization, and from a Web and e-mail filtering perspective, we were in critical mode in regards to our T1 service and our network usage for bandwidth. We decided to take a hard stance on people surfing and e-mailing."

A hard stance indeed: Memorial defines junk as anything unnecessary to the work process, including personal e-mails. The moves it has made have cut e-mails coming into its Microsoft Exchange 5.5 servers from 6,000 a week to 2,100, 700 of which are filtered out as spam. Furthermore, says Elicio, "we've made a great difference as to what kind of e-mail is going out"—a key consideration for HIPAA compliance.

Memorial's approach to spam is two-tiered. First, the hospital runs e-mail and Web filtering software from Scotts Valley, Calif.-based SurfControl PLC. Second, it aggressively educates employees on e-mail policies, including where to forward any spam that gets to the desktop so it can be analyzed.

"There isn't a silver bullet for spam, but most of the junk e-mail has stopped, and it's primarily legitimate e-mail being processed," says Elicio. "And because of education, we're seeing a huge drop on e-mail usage and Web activity, so our bandwidth usage is back to normal. Before, we were always in crisis mode: We were going to have to spend $35,000 on new servers, upgrade from our T1 to a T3, and upgrade router hardware and Internet access. Thanks to these steps, we didn't have to."

Many companies, however, simply can't institute such tight e-mail policies. "In the consulting business, e-mail is how you communicate with clients and each other, and it's difficult to distinguish what's personal vs. what's business," says Booz Allen's Tillmann. "Second, if you're going to place someone in Kuala Lumpur for eight weeks, you can't tell them they can't use their e-mail for personal correspondence." Booz Allen's 12,500 employees spend more than one day per week at a client site on average.

Booz Allen saw its spam numbers go "ballistic" in 2000 and initially put filtering on local machines, says Tillmann. By the end of 2002, that wasn't enough, and the company moved to take action at the corporate level. Booz Allen uses San Francisco-based Brightmail Inc.'s Anti-Spam Enterprise Edition 4.0 running on Sun Solaris servers to filter messages at the server level, and Netscape and Microsoft Outlook options provide filtering at the desktop level.

Like many other companies, Booz Allen quarantines e-mail that gets filtered as spam—2.5 million e-mails per month, roughly 45% of its e-mail traffic. This raises another issue related to spam: storage costs.

"My e-mail database is over a terabyte, so there's a tremendous amount of data spinning on disks that's spam. But while it may be tempting to ratchet up the filtering, we can't because we're a little nervous about not letting the right things get through. The last thing I want is to have a million-dollar consulting assignment go south because I filtered out a customer e-mail."

Gilhooly is a freelance writer in Falmouth, Maine. You can reach her at


Spam's Impact on Corporations

Year | Cost per mailbox | Worldwide losses | Corporate spam messages per day | Percentage of all messages per day
2003 | $49              | $20.5 billion    | 6.9 billion                     | 24%
2004 | $86              | $41.6 billion    | 10.9 billion                    | 31%
2005 | $134             | $74.6 billion    | 17.0 billion                    | 39%
2006 | $189             | $123.7 billion   | 24.4 billion                    | 45%
2007 | $257             | $198.3 billion   | 33.4 billion                    | 49%

Source: The Radicati Group Inc., Palo Alto, Calif. Figures are projected for companies with 10,000 users.

Copyright © 2003 IDG Communications, Inc.