Fighting WordsFighting Words

American businesses are taking up the war against junk E-mail, which is clogging their networks, sapping worker productivity, and costing them billions. But they may be simply trading one problem for another.

Jay Wessel knows firsthand just how tricky fighting the growing onslaught of spam can be. While many businesses use filtering tools to block unwanted E-mail, Wessel, director of IT for the Boston Celtics, is one of a growing number of IT managers who realize a more-sophisticated approach is needed. That's because software that blocks unwanted messages too often holds back other messages that, in fact, should be getting through.

Case in point: One of the Celtics' sponsors is Pfizer Inc., the maker of the drug Viagra. As any E-mail administrator knows, Viagra is a favorite topic among spammers, and so it's become a popular term to filter. But if Wessel blocks all messages containing the word Viagra, the Celtics might miss important communications from a key sponsor.

The fear of such false positives has Wessel looking for a replacement for the anti-spam tools built into Ipswitch Inc.'s iMail server, which he uses today. He's hopeful a more capable anti-spam offering Ipswitch plans to release sometime this year will do the trick. "I'm ready to start turning the screws a lot tighter," he says.

Vendors, hearing Wessel's call, are introducing spam-fighting tools specifically designed for business-IT environments. CipherTrust Inc.'s IronMail appliance, unveiled last week, blocks spam at a network gateway, keeping IT departments from overtaxing their E-mail servers. MailFrontier Inc. this week will introduce an anti-spam offering that works using profiles of a company's E-mail use and leverages a peer-to-peer database of spammer IP addresses reported by customers.

Next month, Trend Micro Inc. will begin selling a spam-blocking product based on heuristic-analysis technology-which uses statistical profiles to determine the probability that a message is junk-from Postini Inc. And Sunbelt Software, maker of the popular consumer anti-spam program iHateSpam, will introduce a server-based edition for business use that will route spam to special folders in an employee's in-box; users can control how to handle the unwanted mail. In April, E-mail security company Tumbleweed Communications Corp. will launch a service that provides automatic updates of its spam-identification data, also based on heuristic analysis.

Carl Howell, systems engineer at the University of West Florida, hopes the just-released IronMail appliance will make a big difference. The longtime CipherTrust customer expects new capabilities in the software will reduce false positives by as much as 90%. The updated tool monitors outgoing messages, then allows responses coming from the recipients of those messages to get through. It also applies one of IronMail's signature methods-in which points are assigned to preset terms, letting messages through unless they register a high score-to other spam-fighting tools. Howell wants to use real-time blacklists, services that provide updated lists of spam-generating IP addresses. That's more feasible when IronMail's scoring system is used, too; otherwise, blacklists block too many valid messages, he says.

Today, between 0.5% and 1% of the messages IronMail blocks for the university are actually valid--that's potentially 300 to 600 "good" E-mails a day, given that 60% of the up to 100,000 E-mails that enter the network are tagged as spam. Howell expects false positives to drop to 0.2% or less with the new technology.

Dennis Bell, director of technical operations with Cypress Semiconductor Corp., says preventing false positives was a key consideration when he selected Brightmail Inc. to fight spam on the company's network. The software uses a "honey pot" approach, luring spammers to phony E-mail addresses, then sending updated lists of spammer IP addresses to customers. Brightmail claims to have achieved one of the lowest false-positive rates in the industry. Bell backs that boast, noting that not a single false positive has been reported to him since his company went live with the system in September 2001.

As troublesome as false positives are, spam disrupts business in so many ways that companies can't afford to pull back on their efforts. Pornographic spam offends employees and poses a legal threat to employers. In-box management has become a huge productivity drain. And directory-harvest attacks, in which spammers flood domains with millions of E-mails to create lists of valid addresses, slow network performance. Ferris Research estimates that spam and the efforts to fight it cost American companies $8.9 billion last year, and that the figure will hit $10 billion in 2003; the firm says companies should be prepared to spend up to $14 per user each year in defense.

Al Coston, network administrator with the Reinvestment Fund, a nonprofit community-redevelopment firm in Philadelphia, was getting so many complaints from its 75 employees about the pornographic messages that he decided to spend $2,000 on Vircom Inc.'s ModusGate filtering tool. The cost is minor if it prevents an employee from bringing a lawsuit against the company for creating a hostile working environment, Coston says.

But for the law firm of Gunderson Dettmer LLP, managing pornographic spam wasn't so easy. Originally, the firm used filters embedded in Trend Micro's antivirus tools to address the liability risk that such messages posed. "We had to do something," director of IT Eric Rosenberg says. Yet the Trend Micro filters weren't sophisticated enough to avoid blocking messages from clients seeking help with their own pornographic-spam issues. So Rosenberg turned to MailFrontier, a client of the firm, and its technology is keeping false positives to a minimum. The vendor's pending update promises even more precision.

Other companies hope the government will help. Twenty-six states have enacted anti-spam legislation, and the feds are under increasing pressure to do so, too. A bill introduced last month to prohibit spamming over wireless networks was just referred to a congressional subcommittee. Nearly 90% of business E-mailers want Congress to take action against spammers, according to a new survey of 1,400 workplace E-mail users conducted by Public Opinion Strategies for anti-spam vendor SurfControl plc. But the question of what constitutes spam, and what is legitimate broadcast E-mail, can be difficult to answer. (information and its parent company, CMP Media, use E-mail for correspondence, research, and marketing purposes.)

What's more, while there's support for legislation, its effectiveness could be limited. Spam can be sent from anywhere in the world at minimal cost, and it requires very little response to be profitable-even less than telemarketing or junk mail. "If it becomes illegal in the United States, the spammers will just go offshore," says Michael Osterman, principal analyst at Osterman Research.

Larger players also are getting into spam blocking. Network Associates Inc. acquired anti-spam vendor Deersoft Inc. last month. It plans to introduce a desktop anti-spam tool in June and integrate Deersoft's rules-based technology into its McAfee WebShield and GroupShield apps by year's end. IBM Lotus Software beefed up the anti-spam capabilities of its Domino E-mail server and Notes client last fall, including support for subscription blacklists, prevention of servers from being tapped by spammers as a point of origin, and the ability to limit the number of recipients that can receive a given message. And with the release of Exchange Server 2003 later this year, Microsoft will bolster its basic filtering functionality by supporting blacklists and preventing address-verification by spammers.

Because spammers are both relentless and creative, staying on top of the problem is going to require diligence. Ben Sullivan, system administrator with Fanfare Media Works Inc., which promotes businesses to new neighborhoods, has found that the scripts he and his staff have written to support their Vircom ModusGate deployment have been largely effective in combatting spam. But he knows the battle will be won as much by vigilance as technology, and he's constantly studying the spammers themselves. "They're changing things all the time, and they're getting smarter," he says. "I'm watching." -with Tischelle George