Spam Wars

You know from looking at your e-mail lately that it's possible to be debt-free, have perfect skin and be a babe magnet—with a little help from your new friends.

But at least employees at Stamford, Conn.-based Xerox Corp. are shielded from such revolutionary offers—though the process hasn't been easy. Last summer, Xerox's firewall team was blocking 150,000 spam e-mails a month. By early fall, it was 60,000 messages a day, seven days a week, says Linda Stutsman, manager of corporate information security and risk management.

In the past year, spam has moved beyond personal e-mail accounts, invading business systems and graduating from societal pest to corporate enemy. Companies are stockpiling their arsenals—lists of legitimate senders and known spammers, tools that pick up on spamlike content or behavior, digital fingerprints and decoy e-mail addresses—to fight this invasion. On the other side, however, new and resourceful recruits lured by spam's promise of big financial returns are constantly devising counterattacks.

"There's 10 times as much [corporate] spam this year as there was last year," says Joyce Graff, an analyst at Stamford, Conn.-based Gartner Inc. "It's mind-blowing. And the economics are on the spammers' side."

And, says Jason Catlett, president of Junkbusters Corp., a Green Brook, N.J.-based antispam organization, the problem is getting worse. "Spam is growing at a slightly faster rate than e-mail traffic," he says.

Weapons of War

The spam weapons that Graff finds most difficult to defend against are harvesting tools. For $39.95, marketers can buy a "spambot" that searches message boards and lists, culling up to 100,000 e-mail addresses in an hour. Spambots also get into the relay game with organizations' message transfer agents (MTA) by sending messages to, for example, georgebrown@whitehouse.gov, georgebuckley@whitehouse.gov and so on, until they find matches.

To combat these spambots, Graff says, organizations need to set up their MTAs so they automatically disconnect as soon as they detect harvesting attacks.

But, says Steve, a Washington-based spammer who asked to be identified by only his first name, spammers are continually finding—and sharing—new ways to hide their identities. For instance, he's created a filter-evading script that randomizes subject lines and source addresses so they're not easily identified as bulk mail. Big-time spammers buy servers that can randomize entire domains, says Steve.

Spammers scan the Internet for open relays in foreign countries so their messages will be hard to trace. Or they set up free e-mail accounts and dump them before they're caught. Spammers can blast out hundreds of thousands of messages, each with customized content and source addresses, and then quickly log out, says Mark Bruno, enterprise product manager at Brightmail Inc., a San Francisco-based vendor that got its start filtering e-mail for service providers but has since shifted its focus to corporations.

Spammers also write programs that load in multiple accounts so when one account is terminated, another automatically kicks in, says Dan Clements, CEO of CardCops.com, a Malibu, Calif.-based online credit card and advertising fraud watchdog group.

It typically takes about two or three months from the time companies install antispam software until they can effectively pick up on patterns. But once they do so, some systems can weed out 90% of spam with a less than 1% false-positive rate, says Joe Fisher, senior product manager at

Some antispam systems claim to stop virtually all spam, which accounts for 34% of all e-mail. These systems contain a variety of components:

• Blacklists that compile and distribute IP addresses of known spammers. There are also whitelists, which companies can build to identify legitimate senders.

• Content-analysis tools that look for keywords.

• Behavioral-analysis tools that look for patterns such as large numbers of recipients or blind copies.

• Address-validation tools that do reverse Domain Name System lookups to ensure the sender isn't trying to cloak his identity.

• Digital fingerprints developed with algorithms and heuristics, to identify and block or filter common spam patterns.

• New products that can scan for graphics such as skin tones to combat pornography, but those tools are still in their infancy, says Mark Levitt, an analyst at IDC in Framingham, Mass.

Brightmail's probe networks, which are getting high marks from analysts and antispam watchdogs, consist of dummy accounts set up through various Internet service providers and corporate clients to attract spammers. Brightmail monitors those networks to detect new tricks of the trade and continually evolves its antispam rule book. New rules are distributed and updated in clients' systems every 10 minutes, says Ren Chin, director of product development at Brightmail.

After going through the battery of antispam indicators, a good filter will assign percentages rating the probability that messages are spam, says Graff. Depending on the comfort level of the organization, messages above a certain level can be automatically deleted, while others can be stored in spam folders for IT staff or users to review.

"This is not a perfect science," says Graff. "If some product claims to do 100%, run away from it, because they don't know what they're doing."

Xerox keeps pace with new commercial tools, but so far it has stuck with its homegrown antispam system, says Stutsman. Xerox also subscribes to blacklists. About 75% to 80% of Xerox's spam is blocked at the gate, and an additional 20% of the remaining spam is later filtered out, says Stutsman.

Staying Alert

When 25% or more of Norfolk Southern Corp.'s inbound e-mail was being identified as spam, Tony Samms knew something had to be done.

"It was a very hostile environment," says Samms, director of information security at the Norfolk, Va.-based freight, natural resources and telecommunications holding company. "Messages showed pictures of people having sex right in the e-mail."

There were also the drains on employee productivity, bandwidth and storage to consider. With close to 10,000 users and an average of 30,000 e-mails per day, spam had become a big financial problem.

So at the end of last year, Norfolk Southern installed IronMail from CipherTrust Inc. in Alpharetta, Ga. The tool sits on Norfolk Southern's gateway and uses an array of filtering strategies. Even with the filter, though, spam has managed to get into Norfolk Southern's system, so employees have been building a local deny list by sending addresses to be blocked to the information security department.

The biggest challenge has been avoiding false positives, says Samms. "We don't want to block good e-mail, so we have to be careful," he says. For instance, one employee's last name is Rape, so the company can't add that to its list of words to be filtered out.

Samms says the 25% spam rate has been reduced to about 1% or 2%.

Santa Clara, Calif.-based Macrovision Inc. has opted for a voluntary spam-fighting program, letting end users decide whether they want to use the PerlMx filters from Vancouver, British Columbia-based ActiveState Corp., which the company installed last spring. Then they customize their filter settings, so the sales representatives can keep getting newsletters peppered with terms like invest and bargain, for example, and the mailroom clerks can keep solicitations to a minimum, according to Macrovision system administrator Mike Stevens.

Stevens hasn't calculated the return on the $10,000 investment, but he says productivity has jumped. "You get your return on investment back in a relatively short time," he says.

Solomon is a freelance writer in New York. Contact her at melissasolomon7@hotmail.com.

Spam Attack! WORLDWIDE E-MAIL MESSAGES SENT ANNUALLY 1996 1999 2002 2006 BUSINESS 130 billion 920 billion 3.33 trillion 5.58 trillion PERSONAL 100 billion 660 billion 2.15 trillion 3.57 trillion TOTAL 230 billion 1.58 trillion 5.48 trillion 9.15 trillion THE ABOVE TOTALS INCLUDE THE FOLLOWING NUMBERS FOR SPAM MESSAGES 1996 1999 2002 2006 WORLDWIDE 50 billion 290 billion 1.50 trillion 2.92 trillion Source: "Email Usage Forecast, 2002-2006: Know What's Coming Your Way," IDC, Framingham, Mass.