Fighting the Pox on Your Inbox

No mere nuisance, spam is engulfing corporate e-mail systems like a greedy swarm of locusts and blotting out legitimate business communications. Here’s how to ward off the plague.

Lots of people whine about how much spam they get. Then there’s Dennis McConnell, chief information officer at Nolte Associates, an engineering consulting firm in Sacramento, Calif. On a bad day, he’d get 4,000 spam messages in his inbox. “It really is unbelievable,” McConnell says. “We just weren’t able to use e-mail effectively.”

All told, 95% of the e-mail sent to Nolte is spam. Of the 2.1 million messages mailed each month to the firm of 400 people, about 2 million were unwanted. Several years ago, McConnell tried a rules-based spam filter, which blocked messages by scanning for specific words in the subject line and using similar techniques. That worked up to a point, but even when it was stopping 60% of the spam, hundreds of thousands still slipped through. Plus, McConnell says, the antispam system was tying up his staff, requiring the equivalent of 16 person-hours per week to maintain rules as new spam variants popped up.

About a year ago, Nolte switched to using Sprint’s SpamShark service (provided through a partner, FrontBridge Technologies). It’s a bit pricey: McConnell says he pays between $2 and $3 per person per month, whereas other spam-blocking services typically cost half that. But McConnell insists it’s worth every penny, because Sprint’s service catches 98% of spam.

“It’s stopping 2 million messages before we even see them,” he says. Based on savings from lower bandwidth use and greater employee productivity, McConnell calculates that Nolte is seeing a tenfold annual return on its investment. And now, he gets no more than five pieces of spam a day.

What is spam’s real cost to businesses? Here’s one estimate: U.S. companies lose $21.6 billion annually in productivity because of spam, according to a February study produced by the University of Maryland’s business school and research firm Rockbridge Associates. The figure is based on a survey showing that people spend an average of 8.12 minutes per week deleting spam; the researchers then multiplied that across the 169.4 million adults in the U.S. with Internet access (at home or work) and then factored in the average weekly wage ($724 as of mid-2004).

Spamming is, unfortunately, an economically viable proposition. Someone can blast out, say, 200 million junk-mail messages in one day using a relatively inexpensive high-speed Internet connection or by hijacking an unsuspecting victim’s e-mail server. Even with a response rate of 1 in 500,000, spamming becomes an attractive option for the unscrupulous. “Spammers use the law of large numbers,” says Enrique Salem, Symantec’s senior vice president in charge of antispam products.

First-generation antispam systems were a burden to manage, requiring administrators to tweak rules and manually add blacklists of spammer domain names. Even then the products didn’t do a great job of swatting down spam. Worse, they had a high rate of false positives—legitimate e-mail that was blocked—because the rules were not very sophisticated. For example, not every message with “Viagra” in the subject line is spam, especially if you’re working at Pfizer.

The latest spam-fighting products are automated, with rules identifying new strains of spam issued to servers every 15 minutes or so. The smartest antispam systems gather data from individual e-mail accounts to figure out patterns; some aggregate feedback about junk messages tagged by actual human beings, and others use dummy accounts set up to trap spam. They’re also designed to thwart “phishing,” a type of spam that looks like an official communication from a bank or other financial institution that is intended to fool someone into providing, say, their credit card account information.

The wide array of antispam products for corporate networks includes server software from MailFrontier, Symantec, Trend Micro and others, and hardware appliances from such vendors as CipherTrust and IronPort Systems. Antispam service providers, which scrub out junk e-mail before it reaches a customer’s servers, include FrontBridge, MessageLabs and Postini.

Still, despite increasingly accurate technology, many organizations use at least two spam-filtering products to maximize the cleansing process. “Nothing catches everything,” says Paul Butler, groupware and messaging team leader for the U.S. General Services Administration. The federal agency uses Tumbleweed Communications’ Email Firewall policy-based filtering software as well as Cloudmark’s Authority server, which tags spam based on information from a network of other Cloudmark customers.

What also frustrates e-mail systems managers is that it’s sometimes hard to demonstrate the success of their antispam efforts. That’s because spammers have to elude the dragnet only a few times to make employees believe their company’s defenses are ineffective. “We catch 18 million pieces of spam per month,” says Derrick Burton, director of systems operations for Booz Allen Hamilton in McLean, Va. “But if just one gets through, someone can have the perception that it’s not working.”

Among corporate spam-busters, there are two schools of thought about managing employees’ expectations toward spam. One camp believes in empowering them to be able to scan their own spam and retrieve messages that may have been accidentally quarantined. “An employee is always going to want to know what’s being captured,” says Nolte’s McConnell. “And they need to know, so they have trust in the system.”

But others say that if given the choice, people don’t want to manage their own spam folders. Chris Zeck, manager of infrastructure engineering at engineering and construction firm Bechtel, says his group first had to demonstrate to employees that its antispam system from Brightmail (now part of Symantec) wasn’t throwing away e-mail they wanted to receive. “Once we did that,” he says, “they just told us, ‘Make it go away.’”