How to Slam Spam

By Anne Chen  |  Posted 2002-08-19

How to Slam Spam


How to Slam Spam

Are you sick and tired of the daily ritual of wading through and deleting dozens of unsolicited e-mail messages offering the usual assortment of bogus medical cures and doubtful financial schemes? Well, youve got nothing on Max Levchin, chief technology officer at PayPal Inc.

Not only has Levchins e-mail account accumulated more than 11,000 spam messages in a special queue, but now hes also begun to get unwanted advertising on his Research In Motion Ltd. BlackBerry pager pitching fad diets, home refinancing offers, pornography—you name it. With PayPal paying RIM for the amount of bandwidth Levchin and the companys 100 other BlackBerry users consume, the issue is quickly becoming a costly nuisance.

"I receive 50 percent more spam than I do legitimate e-mail these days, and its not only annoying but expensive," said Levchin, in Mountain View, Calif. "I dont hear of people quitting because they cant handle the level of spam, but a lot of our employees complain to me that their BlackBerry pagers are filled with garbage."

Even as the volume of spam-generated user complaints rises, most IT managers—Levchin included—continue to view spam as a nuisance, rather than a mission-critical IT problem. Although the market for anti-spam products is growing at a rate of 20 percent per year, it currently measures only $88 million, according to market research company The Radicati Group Inc., in Palo Alto, Calif.

But that relaxed attitude toward fighting spam may be about to change. For one thing, spam has begun to invade wireless platforms that are paid for on a per-message rate or according to the amount of bandwidth consumed.

"Spam is not only a nuisance for productivity, but theres also the risk of having enterprise users exposed to objectionable material, and its becoming increasingly expensive to manage," said Marten Nelson, an analyst at Ferris Research Inc., in Nice, France. "Spammers are quite persistent, and youll definitely see it proliferate on mobile messaging platforms where you actually pay for bandwidth."

Meanwhile, the amount of old-fashioned e-mail spam finding its way into enterprises is reaching flood level. IT managers interviewed by eWeek report that spam levels have jumped by as much as 66 percent in the last 10 months, in many cases to as much as 25 percent of total e-mail messages received. (See how users are dealing with spam.)

According to a recent survey, spam makes up the largest share of incoming e-mail messages (see spam rates), topping even job-related mail in some cases. Furthermore, a study from Executive Summary Consulting Inc. and Quris Inc. showed that 70 percent of end users said theyre receiving more e-mail this year than last year with 72 percent citing spam as the reason for the growth in volume. As a result, experts say, enterprise IT managers need to come up with solutions to slam spam now before their organizations are completely overtaken.

IT managers have an increasing number of anti-spam tools from which to choose, including managed services and filtering techniques (see three ways to fight junk e-mail). They can also use e-mail blacklists to throttle the flow of incoming spam so that servers arent suddenly flooded.

Before getting the go-ahead to invest in any of these promising anti-spam technologies, however, IT managers say they face an uphill battle obtaining upper-management support. Many line managers are rightfully concerned with the percentage of so-called false positives—or erroneously screened messages—that are produced by anti-spam tools. False positives can result in the loss of legitimate e-mail and could cost an organization a lucrative business deal.

Also contributing to reluctance to invest in spam-fighting tools is the widespread belief—even among experts—that spam can never be totally eliminated, in part because spammers constantly devise new ways to send their solicitations around the Internet. Some spammers, for example, use sophisticated techniques to disguise their identities and the origination point of their messages, two attributes that are frequently used in filtering out spam.

As a result, technology alone wont be enough to fight spam, experts say. Tools must be combined with e-mail policies such as asking end users not to opt out of spammers e-mail databases, a practice that can actually increase spam.

"There is a constant cat-and-mouse game between the spammer and the spam solutions enterprises deploy," said Nelson. "The key thing for enterprises is training end users to be aware of spam. As unsolicited commercial e-mail proliferates on different platforms, the situation will increasingly move from being regarded as a nuisance to a very expensive IT problem."

Help Is on the


Help Is on the Way

Even if some business managers dont, regulators and legislators increasingly see spam as a real problem and are moving to make it easier for consumers to opt out of unsolicited commercial and junk e-mail. Sen. Conrad Burns, R-Mont., is sponsoring an anti-spam law attacking false solicitations.

Taking a more aggressive approach, the Federal Trade Commission is enforcing established fraud statutes against e-mailers that use misleading subject lines or blatantly untrue statements, such as e-mail advertising miracle fad diets or instant sexual prowess. And in May, New York State Attorney General Eliot Spitzer went after bulk e-mailer MonsterHut Inc. on charges that the company spammed consumers with 500 million e-mail messages and falsely claimed that consumers asked to receive these messages.

Many corporations, however, cannot afford to wait until anti-spam legislation is passed. Deluged with unsolicited e-mail, theyre looking for technologies and services that will help stem the flood now. Naturally, a number of vendors have jumped at the chance to address the market.

Content filtering vendors such as Tumbleweed Communications Corp., in Redwood City, Calif., Trend Micro Inc., in Tokyo, and Vircom Inc., in Montreal, use similar technologies to filter spam. Others, including Postini Corp., in Redwood City, and Brightmail Inc., in San Francisco, provide managed services that take into account e-mail blacklists and filter e-mail based on frequently updated rules. IronPort Systems Inc., of San Bruno, Calif., and Inc., of Santa Clara, Calif., have taken the opposite approach by identifying and accepting only e-mail from legitimate senders and automatically filtering everything else out.

Even members of the open-source community are looking to cash in on the opportunity to fight spam. Craig Hughes, project manager for the open-source project SpamAssassin, co-founded Deersoft Inc., also in Palo Alto, this year to offer commercial versions of the popular spam-filtering program.

While such products offer viable ways to fight traditional e-mail spam, few are focused on stopping spam delivered to mobile platforms, such as RIM pagers. As a result, some IT managers are, for the time being, steering away from such devices. At regional health care system Pitt County Memorial Hospital, in Greenville, N.C., Michael Pridgen, distributed systems team lead, said his organization has been spared from spam by using alphanumeric pagers—which dont receive e-mail—instead of RIM pagers.

"Were not ready to deal with spam on cell phones and pagers just yet," Pridgen said. "I perceive issues with actually using newer technologies. Receiving spam on mobile phones is something we will eventually need to budget for and try to get a handle on in the near future."

Meanwhile, Pridgen is doing his best to stem the 30,000 spam messages his e-mail servers receive per week by enforcing user policies and deploying a gateway product that filters e-mail. Among other things, the policies require that users not reply to spam or try to remove themselves from commercial e-mail databases.

The organization runs Groupwise 6 from Novell Inc. on a Microsoft Corp. Windows 2000 server and has seen spam grow exponentially during the past six months, Pridgen said. The organization moved to deploy the ModusGate SMTP gateway relay from Vircom after IT found itself spending hours every week writing new rules to filter incoming mail containing specific words such as "sex," "porn" and "refinance." Pridgens spam policies also encourage users to filter their own in-boxes by writing rules within their e-mail clients.

ModusGate enables Pitt County Memorial to turn over much of the burden of warding off spam to organizations such as Mail Abuse Prevention System LLC, which develop constantly updated blacklists of known spammers. The gateway then automatically blocks mail from those sources.

Even ModusGate is not a completely hands-off solution for Pitt County Memorial, however. Because Pitt County Memorial is a medical provider, it needs to ensure that e-mail messages containing certain words common in the lexicon of unsolicited commercial e-mail—such as prescription drug Viagra—can get through. Thats because, Pridgen said, e-mail is a lifeline for communications among the 4,500 physicians and regional hospital employees, and his organization cannot afford for medical documents to be filtered and deleted. So Pridgens staff, in some cases, must edit and customize the blacklist used by ModusGate.

False Positives

Certainly, concerns over false positives are one reason many enterprises are still letting spam flow into e-mail in-boxes relatively unchecked. While many vendors say false positives number less than 0.001 percent of filtered-out messages, experts such as Ferris Nelson said that, for a large corporation that receives more than 40,000 e-mail messages a day, even that small percentage adds up.

One way of dealing with false positives is to use a solution that allows all messages designated as spam to be sidelined into a folder that IT managers or end users can access later. At telecommunications equipment maker Cypress Semiconductor Corp., in San Jose, Calif., concerns over false positives led the company to subscribe to such a solution: a managed service from Brightmail.

Last year, help desk technicians at Cypress Semiconductor were receiving 20 calls a day from the companys 4,000 users complaining about the amount of spam they were receiving. At the time, Dennis Bell, director of technical operations, estimates one in seven e-mail messages entering the company was spam. Last September, Bell decided his IT staff was spending too much time writing rules to filter spam from his companys Unix-based Sendmail e-mail server from Sendmail Inc., in Emeryville, Calif., running on a Sun Microsystems Inc. e250 server. Bell decided to install the Brightmail Messaging Security system, which constantly updates rules identifying new spam and then pushes them out to the computers of customers running its software. There, the spam is filtered and blocked when it hits the users mail gateway.

"Spam was on the cusp of becoming a real problem, with a drumbeat of complaints and [human resources] getting involved," Bell said. "But I really had to justify the cost and push for a solution. Luckily, the time savings from having to delete spam and the productivity gains are more than enough of a return on investment."

Today, Cypress Semiconductor receives 350,000 e-mail messages per week, with approximately 90,000 of those messages identified as spam. Even as the volume of spam has increased from 15 percent of all incoming mail to almost 25 percent during the last 10 months, Bell said he has yet to receive a complaint from any of his users regarding false positives. In fact, the help desk reports a 90 percent reduction in help desk spam calls.

One reason Bells team is avoiding complaints about false positives is that Brightmail saves messages identified as spam rather than discard them. Any message identified as spam is put into what Brightmail calls a gray mailbox. Every Sunday night, an automated program counts the number of messages each user has in his or her gray mailbox and automatically sends them a Web-based link. Users can click on the link to view the messages that have been quarantined. While most employees checked their gray mailboxes every week for the first month, Bell said hardly anyone uses it anymore.

Avoiding false positives can be costly, however. Since all filtered messages are stored for at least 30 days, Bell said he is now storing gigabytes worth of gray mail.

"Every incident of a false positive can be devastating," said Ferris Nelson. "The chance of filtering out an e-mail involving a contract worth millions of dollars is just too high for many enterprises."

This is certainly the case at PayPal, where Levchin has avoided deploying spam-filtering technologies because he considers mass blocking to be an expensive proposition. While PayPals IT department has tested a dozen spam solutions, including SpamAssassin, user fears of false positives have persisted. The company uses mail servers from Sendmail and IronPort Systems IronPort 850 gateway for outbound mail. Employees use the mail client of their choice.

While it is not currently using a spam-specific solution, PayPal encourages employees to develop anti-spam rules within their e-mail clients. Levchin said he has written personal filters sophisticated enough that the amount of spam that does enter his in-box is manageable. To avoid having users receive spam via instant messaging, Levchin has deployed an enterprise-class IM product inside PayPals firewall and decided not to support Web-based IM platforms such as those from America Online Inc. and Microsoft.

Its not surprising that Levchin and others at PayPal remain dubious about the accuracy of anti-spam blacklists and other spam-filtering technologies. PayPal, which sends out millions of e-mail messages daily informing its 18 million users of financial transactions taking place, has itself been wrongfully included on blacklists and blocked by ISPs, Levchin said. To avoid being blacklisted in the future, the company is looking into using Bonded Sender, a bonded e-mail marketing program from IronPort Systems.

For now, said Levchin, thats the best he can do until technology improves enough to reduce the risk of false positives. As the cost of receiving spam on corporate BlackBerry pagers and traditional e-mail grows, however, Levchin knows eventually hell have to do more. "Spam is one of those passive priorities where we cant afford to spend too much time on it right now," Levchin said. "Id love to see it go away, and as spam gets noticeably expensive for us, we will need to take some sort of real action."

Senior Writer Anne Chen can be reached at

Related stories:

  • Trio Take Different Tacks in Fighting Spam
  • Anti-Spam Bills in the Works
  • Pre-Approval for Mass E-Mailers on Tap
  • Service, Tool Take Meat Out of Spam
  • Review: Mail-Filters.Com Can Ban Spam
  • New E-Mail Technologies Put Spam in the Cross Hairs

  • Rocket Fuel