Turning The Tide

Anti-spam technologies help companies realize some victories in the war against junk E-mail, but there's still a long way to go
Izak Mutlu, chief information security officer at Silicon Graphics Inc., sees that the amount of spam hitting his network has increased in recent months. But that means little to Mutlu, because spam filtering prevents most of that unwanted E-mail from landing in employee in-boxes. "We believe we have it under control and that we've seen the worst of spam," Mutlu says.

Is it possible we're starting to get the upper hand on spam? Mutlu isn't the only believer. Kevin Pollock, manager of data-center operations and network services at Fender Musical Instruments Corp., says spam was a problem at Fender two years ago. "We had a number of people trying the point solutions, individual software packages, [Microsoft] Outlook filtering," he says. But since Fender standardized on a spam-blocking technology, the problem has all but disappeared.

Little victories have been won elsewhere. A recent InformationWeek Research survey finds that spam filtering on average eliminated 68% of spam in 2004, according to respondents who use that approach, compared with 54% in 2003 (for more on the survey, see "Another Fight To Wage"). And earlier this month, America Online said that the amount of spam reported by its subscribers has dropped dramatically. In November, AOL received on average 2.2 million daily reports of spam from subscribers, compared with 11 million daily reports a year earlier.

Anti-spam technologies deserve a lot of credit for the improvements. Barracuda Networks Inc. solved Silicon Graphics' problem, Mutlu says, and Pollock credits spam filtering from MX Logic Inc. A combination of improved technologies and stiffer anti-spam laws are helping, according to AOL. "The state of the art in spam filtering has gotten much, much better," Richi Jennings, an analyst at research firm Ferris Research, wrote in a recent Weblog entry. "This is what will eventually rid us of the scourge of E-mail spam--spam will not get delivered, meaning that people won't buy from spammers, leading to the end of the economic incentive to spam."

Without doubt, there's still plenty to be depressed about. Estimates of spam as a share of E-mail traffic vary, but it's clearly a majority. MessageLabs Ltd., an E-mail protection company, says volume peaked in July at an astonishing 94.5% of the E-mail it scanned. That share has since declined to 77% but remains above the level at the beginning of 2004. Business technologists surveyed by InformationWeek on average estimate that half of E-mail hitting their companies' networks is spam.

Dealing with it is costly, too. Forty-seven percent of respondents to our survey say they'll spend more to fight spam this year, while 50% will spend the same; just 3% will spend less. That suggests spending may be leveling off, because last year, 58% were increasing spending, and only 39% were holding pat. Just 15% this year are spending "significantly more," compared with 26% last year. Still, Ferris Research projects the global cost of spam will rise from $10 billion in 2003 to $22 billion this year.

"Is this going to be the year that we solve spam? Everyone I speak with doesn't see that happening," says Lloyd Hession, chief information security officer at Radianz, which provides network services to the financial industry. Despite new laws and some high-profile prosecutions, Hession is convinced spam will get worse: "I'll bet my bonus that we're going to end 2005, and spam will be a bigger problem than it is now."

Mark Richmond, IT manager for the federal courts in the Eastern District of California, hasn't seen any indication of spammers backing off. "We've seen the opposite. Over the past four weeks, we've seen a dramatic increase," he says, noting that somehow unpublished E-mail addresses for some 34,000 federal court employees appear to have found their way to a spammer.


Though he's been inundated by spam, California CIO Clark Kelso says filtering programs are doing better.

Photo courtesy of Bloomberg News
Asked whether he has seen a decline in spam, California CIO Clark Kelso just laughs. "I've not seen any reduction in the past two years," he says. "I'm getting more spam." Yet Kelso adds, "Filtering programs are doing an excellent job."

New approaches to thwarting spam, such as better filtering and challenge-response systems, are helping. Instead of accepting messages from any source, challenge-response systems only deliver an E-mail if the sender can answer a recipient's challenge question. EarthLink Inc.'s spamBlocker software is one example of a challenge-response system. AOL, which in August acquired challenge-response E-mail service Mailblocks, will offer such a system later this year.

Other approaches include IronPort Inc.'s Bonded Sender program, where businesses committed to good E-mail marketing behavior post a bond that gets debited if recipients complain; sender-authentication schemes such as the Sender Policy Framework, Microsoft's Sender ID, Yahoo's DomainKeys, and Cisco Systems' Identified Internet Mail; and accreditation, offered by Trust-e and Habeas, to monitor compliance with industry standards.

New anti-spam offerings coming from FrontBridge Technologies Inc. this year include directory-services integration to reject messages delivered to nonexistent users, a real-time attack-prevention engine to analyze Simple Mail Transfer Protocol traffic for incoming attacks, and reputation filtering, which judges a message based on who the sender is, technical product manager Jesse Villa says in an E-mail.

Yet perhaps the biggest challenge is that spammers exhibit such ingenuity. New strategies such as challenge response may slow them for a while--until they find a way to outsmart the system (see story, "Machine Wars").

It's possible the fate of Jeremy Jaynes--sentenced in November under Virginia's anti-spam law to nine years in prison--will give some spammers pause. Business technologists hope so: 79% want more federal government action to contain the problem, including increased legal action and financial penalties, our survey finds.

This year also will bring technology to prevent spam, not just block it. "As spam has become increasingly sophisticated, more preventive approaches that stop spam at the source level are required, including reputation, accreditation, and authentication techniques," FrontBridge's Villa says.

Even people who've had a taste of success, like Silicon Graphics' Mutlu and Fender's Pollock, know not to rest. Both are looking at intrusion-detection systems this year, reacting to a shift from indiscriminate spamming to more virulent, targeted attacks and scams. That's why Gartner analyst Avivah Litan warns that even if less spam is getting through, the risk is greater. Says Litan, "It's way too early to declare victory."

--With George V. Hulme

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing