Be a spam slayer


The managed service provided by FrontBridge, for example, uses the cocktail approach. To make it into a user's inbox, an e-mail must clear three hurdles. First, its sender can't be on FrontBridge's proprietary blacklist. Then it must pass through a spam fingerprinting layer that identifies specific characteristics unique to spam. (For instance, spam often hides a stash of unspammy words as white Hypertext Markup Language (HTML) text on a white background to try to fool filters into thinking it's real e-mail; legitimate e-mail would not include white-on-white text.) Finally, it's got to survive a heuristics layer, which involves rule-based scoring. Spamlike behaviors, such as odd characters, spacing or HTML links, earn bad points, which are offset by good points awarded for characteristics that suggest legitimacy. FrontBridge updates 250 of its 10,000-plus rules daily.
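The three hurdles described above, sketched as an added example; this is not FrontBridge's code, whose blacklist and rules are proprietary. The rule patterns, point values, threshold, contact list and sample message are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

def norm(colour):
    """Normalise the few spellings of white; other colours pass through lowercased."""
    c = (colour or "").strip().lower()
    return "#ffffff" if c in ("white", "#fff", "#ffffff") else c

class HiddenTextFinder(HTMLParser):
    """Layer 2 fingerprint: text whose colour equals the body background."""
    TRACKED = {"font", "span", "div", "p"}
    def __init__(self):
        super().__init__()
        self.bg, self.stack, self.hidden = "#ffffff", [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.bg = norm(a["bgcolor"])
        if tag in self.TRACKED:  # the lookbehind skips "background-color"
            m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style") or "", re.I)
            self.stack.append(norm(a.get("color") or (m.group(1) if m else "")))
    def handle_endtag(self, tag):
        if tag in self.TRACKED and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        fg = next((c for c in reversed(self.stack) if c), "#000000")
        if data.strip() and fg == self.bg:
            self.hidden.append(data.strip())

# Constructed layer 3 rules: (pattern, bad points).
RULES = [(r"\b(?:\w ){3,}\w\b", 3),   # odd spacing, e.g. "F R E E"
         (r"[!$*]{3,}", 2),           # runs of odd characters
         (r"<a\s[^>]*href\s*=", 2)]   # HTML links

# Constructed sample: a visible pitch plus white-on-white filler words.
SAMPLE_HIDDEN = ('<body bgcolor="#FFFFFF"><p>Great rates</p>'
                 '<font color="white">meeting agenda budget</font></body>')

def classify(sender, html, blacklist, contacts, threshold=4):
    """Return the layer that stopped the message, or 'deliver'."""
    if sender.lower() in blacklist:                    # layer 1: sender blacklist
        return "blocked:blacklist"
    finder = HiddenTextFinder()
    finder.feed(html)
    if finder.hidden:                                  # layer 2: fingerprint
        return "blocked:fingerprint"
    score = sum(p for pat, p in RULES if re.search(pat, html, re.I))
    if sender.lower() in contacts:                     # good points offset bad ones
        score -= 4
    return "blocked:heuristics" if score >= threshold else "deliver"
```

The same noisy message is stopped by the heuristics layer when it comes from an unknown sender and delivered when the sender is a known contact, which is the offsetting the paragraph describes.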

Although attacking spam on multiple fronts may seem like overkill, Walter Smith can attest that it's necessary. As director of the global IT infrastructure services group at AMD, he calculated that spam was costing the computer chip manufacturer more than $1.5 million a year in lost employee productivity. He first took a crack at handling the problem internally. "Our initial approach was to use fairly simple rules to identify spam and tag junk mail," he says. "We quickly found out that simple rules and spam don't go together." Before long, two full-time employees were consumed with tweaking the rules to account for all of the variations in spam, and even then, they couldn't keep up with the spammers. Only about 30% of spam was getting tagged, and some legitimate e-mail was wrongly identified as spam.

So when AMD's e-mail firewall vendor announced an antispam product in May, the decision to use it was more or less a no-brainer, says Smith. AMD already used Tumbleweed both to scan all incoming e-mail for viruses and to prevent confidential competitive information from leaving the company. With the Tumbleweed infrastructure already in place, AMD could plug in the vendor's new spam component for an annual per-user cost of about $5, an investment that paid for itself in less than a month. Today, 90% to 95% of all incoming spam is tagged as such. And no more than a quarter of a single IT employee's time is needed for ongoing maintenance.

"Having a combination of rules, heuristics and blacklists is really key because of the creativity of spammers," says Smith. "Simple, obvious solutions don't work today. We quickly realized that stopping junk mail is not a core competency of our company. And we needed to get out of that business as soon as we could."

In attacking AMD's spam problem, the last thing Smith wanted to do was to take on the role of corporate censor. "We didn't want to be perceived as content filterers," he says. In the interest of providing a nonhostile work environment, however, AMD does delete all spam with a high probability of containing adult content. But all other spammy mail gets sent along to users, marked as suspected spam. Users then decide for themselves whether to have Outlook filter all spam, put it in a spam folder or keep it in their inboxes for manual scanning and deletion.

Now that spam is under control at AMD, Smith and his department have attained the same herolike status Kesner enjoys. "It's a huge value IT has delivered to the company, and it's been huge, positive publicity for IT," he says.

Act now, think long-term

Like Smith at AMD, many CIOs would prefer to turn to the same vendor for all of their e-mail security services, including spam filtering, virus protection and denial-of-service protection. "You don't want a box for virus, a box for spam, a box for content filtering, a box for something else," agrees Maurene Caplan Grey, a research director at Gartner. "You want as few boxes as possible, and you want them to work nicely together with a central console for monitoring."

But you shouldn't blindly sign up for whatever antispam solution your current antivirus provider happens to have, warns Meta's Cain. He maintains that the spam offerings of many antivirus vendors are antiquated and not updated often enough to keep up with the spam threat. Keeping pace with spammers has become a full-time job; some antispam outsourcers update their rules daily, hourly or even more often if need be. Your best bet is to invest in a spam cocktail approach from a vendor or service provider with a track record of offering frequent updates (which suggests a commitment to staying current in the spam-antispam arms race) and to make sure that it does not conflict with other e-mail security services. (Ideally, all e-mail services should be integrated.)

While more than 90 antispam vendors stand ready to take your money today, the market will consolidate to about a dozen serious contenders by mid-2004, Grey predicts. She anticipates that the dozen antispam products that survive will be about equally effective, catching 95 to 98 percent of spam with a 0.5 percent false positive rate, even though they may use different technologies to filter spam. She advises choosing a vendor that supports multiple detection methods, and suggests looking at the extent to which vendors are using adaptive technologies (such as Bayesian filtering) that learn about spam's characteristics and can take a more proactive approach to blocking it.

Even though the antispam market is still maturing, you can't afford to wait and see how things will shake out. "Spam is too horrible a problem -- and it's going to get more malicious. Two years ago, spam was a little annoyance. If you had a blacklist in place, everything was OK. That's not the case today," says Grey. "You need to do something right now, even though none of this is completely baked."

This story, "Be a spam slayer," was originally published by CIO.


Copyright © 2003 IDG Communications, Inc.
