Security Firm: Spam Could Kill E-MailSecurity Firm: Spam Could Kill E-Mail

Spam is increasing at such an alarming rate that people may stop relying on E-mail to communicate, according to E-mail security firm Postini, which says spam volume jumped some 150% in 2002.

In another danger signal, the percentage of messages sent to Postini's clients identified as spam climbed from just 20% in January 2002 to more than 60% in December.

Postini, which processes 40 million messages daily for more than 800 businesses and Internet service providers, 60% of spam messages it's intercepting are special offers or promotions; 20% are bulk mail; 12% are "get-rich-quick" schemes; and 10% have sexually explicit content.

All of it drags down employees' productivity, overloads their E-mail infrastructure, and can cause serious legal and human-resource problems, says Maurene Kaplan Grey, an analyst with Gartner. "Postini's numbers are pretty accurate," she says. "I have no reason to doubt them and lots of reasons to believe them."

Other E-mail content-filtering firms, she says, show similar numbers. "Spam is easily 30%, 40% of total enterprise mail volume."

"These are healthy statistics," says Scott Petry, Postini's VP of products and engineering and the company's founder. "But not on the good side. We're shocked, frankly, at the increase. If you do the growth curve, E-mail will shortly follow Usenet" into disuse.

If these trends continue, he says, people will simply have to stop relying on E-mail as a communication mechanism.

The spike in spam has been fueled by the use of an E-mail collection technique called a Directory Harvest Attack, Petry says. By querying a mail server--and Microsoft Exchange servers are notably vulnerable here--a DHA can run through tens of thousands of possible addresses in a matter of minutes and collect the valid addresses it gleans from the server.

DHAs "are the hidden threat" to businesses on the spam front, Petry says. "The old world of spamming was dumb bombs. The new world of spamming is smart munitions."

Other spam techniques, such as using graphics or HTML to encode messages, or introducing minor differences in each message in order to defeat the simpler signature-based anti-spam products, are getting more sophisticated as well, Petry says.

A company has two choices, he says, in dealing with spam: "Either severely restrict who can access E-mail or put robust content filtering solutions in place."

Gartner's Grey sees the problem continuing at least through 2004, when she expects more-sophisticated anti-spam toolsets, stronger (and better-enforced) laws, and, most importantly, smarter E-mail users to begin to stem the tide. "The complete solution is to educate users into practicing safe E-mailing," she says.

She noted that this technique has worked relatively well to keep viruses at bay and sees it as the ultimate solution to the spam problem. "Don't give out your E-mail address casually on a Web site," she suggests.

Postini tracks its message processing and posts the results, delayed 24 hours, on its Web site. Wednesday morning, for instance, Postini's E-mail Stat Track claimed that more than 64% of the messages it processed for its clients were spam and identified nearly 30,000 DHAs.