Standing up against spam

by 19 Aug 2009

Junk email isn't just a problem for individual users: the sheer volume of spam now poses a challenge for businesses that extends far beyond the IT department. Angus Kidman looks at how spam can impact upon productivity and business performance, and what HR can do to fight back.

If you’ve got an email account, chances are you already know what spam is. Viagra, debt control, weight-loss techniques: any mass-mailed email message that’s trying to sell you something qualifies as spam. And with volumes of spam growing by the day, getting it under control has become a major issue for companies of all sizes.

“Spam is such a hot-button issue right now because everyone with an email account is affected, but the larger issues for corporations are security, loss of confidential information and network resources,” says Art Costigan, managing principal for Global Network Security Consultants.

“The financial impact of spam that’s easy to recognise is the bandwidth usage because this is a tangible cost that can easily be calculated,” explains Daniel Zatz, senior security consultant for Computer Associates Australia. “Indirectly, however, a substantial cost is also user productivity.”

“This is hard to measure and can sometimes be misleading. While users who get lots of spam email complain about the wasted time deleting them, in general the time wasted is because curious users will actually read the emails.”

Why you need to care

While virtually everyone recognises the nuisance impact of spam, HR professionals have been relatively slow to recognise it as an issue which falls within their domain of expertise. Most solutions to help control spam have been marketed squarely at IT directors.

“The growing problem of spam and increasingly sophisticated email security threats are placing greater demands on IT managers, who are also under pressure to reduce costs,” says David Guyatt, CEO of anti-spam software developer Clearswift.

Since most of these software products are installed on company-wide servers rather than on individual PCs, staff may not even realise that anti-spam systems are being used. As a result, awareness levels of these solutions can be low both within HR and on a wider scale.

Yet spam can carry other risks apart from mere inconvenience and wasted time. “We have witnessed a number of occurrences where a business’ internet links have received spam denial of service attacks – they have been inundated by spam, which gets rejected by their mail servers, but their mail server and internet link struggle under the load of the tens of thousands of messages being sent down the line,” says Andrew Johnson from anti-spam software provider MailGuard.

Corporate machines can also be used unwittingly as spam distribution devices. “ISP defences have been so effective that the spammers are now going direct to corporate networks,” says Garry Sexton, Asia-Pacific vice-president for Brightmail. “The enterprise space is the next frontier, and it’s undefended.”

Statistics abound concerning the potential impact of spam. UK research firm mi2g estimates that 700 billion pieces of spam are sent every month. Figures suggest that between 50 and 60 per cent of total email volumes are now spam, and up to 30 per cent of spam features pornographic material.

A study sponsored by software company SurfControl estimates that one hour a day of non-business internet use (which would include deleting spam) could cost a 25-person company $125,000 each year. A similar study backed by NetIQ estimates the total impact of spam at $US2.5 million ($3.3 million) a year.

A less visible cost is that of ‘false positives’ – messages which are identified (either manually or automatically) as spam and then deleted, but which actually contain real business communications. A survey by the Internet Industry Association estimates that the cost of false positives could be above $US50 ($66) per user per year – a small figure for each individual business, but a large burden on the overall economy.

“These types of surveys validate the need for an anti-spam solution, but more and more, companies are beginning to understand that spam is just the tip of the iceberg,” says META Group vice-president Matt Cain, highlighting the potential to integrate spam control with other internet management systems. “Content security solutions help organisations save money by reducing operational costs associated with spam such as manual inbox culling by users, storage management and help desk calls.”

What you can do

Awareness of spam-related issues is slowly improving. Johnson from MailGuard, whose local customers include Autobarn, Bakers Delight and Multiplex, says demand has been rising steadily over the past year, and customers are becoming more sophisticated in their demands.

“Over the past 10 months or so, we have noticed a number of clients trialling our service with the success factor based on stopping a certain percentage of spam from going to their business,” he explains. “They are often citing productivity concerns – the average person spends a minute per spam per day – with the other concern with spam being in the signal to noise ratio – the fact that, as there are so many spam, there is the very real risk of deleting or missing genuine and often business and time critical emails.”

“There are a number of technologies available to deal with spam ranging from signature-based scanning, similar to virus scanning – to weighted keyword scanning, or searching for keywords in an email that spammers use such as Vi@_gr_@ – to Bayesian filters, which learn what a good email looks like so they know how to identify spam emails,” explains CA’s Zatz.

While useful, none of these approaches is perfect. “The problem with all of these technologies is that while they will stop the vast majority of spam emails, none of them are foolproof and they can all be bypassed,” says Zatz. “Spammers are getting more creative about ways to bypass each of these technologies.”

Stopping all spam is rarely a realistic goal. The NetIQ survey found that most IT professionals were content with a detection rate of around 80 or 90 per cent.

“The best technology developed so far to filter spam is the human brain,” explains Zatz. “Spam filters either at the gateway or on users’ computers are a great way of filtering out the vast majority of spam emails and can definitely prove to be a good investment, but always remember that these filters won’t stop 100 per cent of the spam so use of the human brain is also essential.”

A clear area where HR executives can contribute is in developing and promoting overall workplace internet usage policies. The study by SurfControl found that 38 per cent of companies had no policy in place, while even in those that did, 19 per cent of employees were not aware the policy existed.

Efficient spam control usually works in conjunction with other tools to manage internet usage policies, such as filters to track visits to inappropriate web sites. That was certainly the case at the Department of Human Services in Victoria, which has been using a combined MAILsweeper/WEBsweeper system to protect its 8,000 users since 1999. The protection system filters around 900,000 emails a month, identifying and quarantining likely spam candidates.

“Since we deployed MAILsweeper and WEBsweeper there have been significant benefits in managing potentially inappropriate email and internet accesses, freeing resources for use by more appropriate traffic,” says Grant Hazelhurst, who helps manage the system.

While the software helps ensure that mailing requirements are met, having well-developed policies and ensuring that all users are aware of those policies is an equally important step. Hazelhurst says that deploying the management system has offered major benefits in efficiency. “This is due to the actual enforcement of the policy, as well as the visibility of the policy itself.”

Legal options

As well as technical solutions, legal options to prosecute spammers are also increasing. Last year, the Federal Government passed legislation making it an offence to send spam. Those laws come into force from 11 April. The government has also been involved in global campaigns such as ‘Operation secure your server’, which encourages companies to make sure that their existing internet-accessible servers aren’t being used by hackers to send spam.

However, legislation will only ever be a partial solution. For one thing, laws enacted in Australia will have no practical impact on spam which originates overseas.

This is especially the case with the growing percentage of spam that is believed to be the work of professional criminal syndicates. “This is not the activity of hobbyists but organised criminals,” mi2g noted in a recent white paper on spam.

“We’re dealing with the underbelly of mankind,” says Chris Poulos, managing director for protection software developer Trend Micro.

A second problem is that legislation to date has failed to keep pace with the rapid proliferation of spam. “The legal stuff will always track six to twelve months behind the real world,” says Dennis Muscat, managing director for Internet service provider Pacific Internet.

The only clear direction in future spam control is that attempts to control the spam plague are likely to increase in intensity. Microsoft chairman Bill Gates recently got extensive publicity after proclaiming that a concerted industry effort could kill off spam within two years. While technical types continue to argue about whether that’s feasible, the bigger question is whether anyone can afford to wait until 2006.

“There’s a limit to how many worms, ‘phishing’ schemes, and fraudulent messages consumers and companies will take, and two years to solve problems like spam is too long,” security consultant Stephen Cobb remarked earlier this year.

Completely eliminating spam may well be out of reach for now, but a combination of smart technology, sensible policies and user education can significantly reduce its impact on businesses.