Experts downplay 'spim' threat

Spam aimed at instant messengers is on the rise. As corporations adopt IM, how big a threat will unsolicited messages prove to be?

Marguerite Reardon
Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
3 min read
Spam that targets instant-messaging users is on the rise, but analysts say the problem won't be as disruptive as unsolicited e-mail.

As spammers face legal action from the Can-Spam Act, they are expected to turn their efforts to sending unwanted messages via instant messaging, a technology that allows users to send messages to each other over the Internet in real time.

"Spim," as experts have dubbed IM spam, affects only a small number of users today, but the problem is growing. However, exactly how much it's growing hasn't been clearly established. According to The Radicati Group, 400 million spim messages were sent in 2003. The firm projects that number to jump to 1.5 billion messages sent by the end of 2004, a growth rate triple that of traditional e-mail spam.

While other experts agree that spim is on the rise, they believe that predictions of a spim explosion are overblown.

"I wouldn't characterize spim as a huge problem," said Paul Ritter, program manager at The Yankee Group. "It's definitely an issue that information technology managers need to be aware of and should take steps to address. But I am not a spim alarmist."

The Yankee Group estimates that 5 percent to 8 percent of all corporate IM today is spim, but the firm doesn't expect this percentage to increase over the next year, as millions of new users adopt instant messaging. Ritter said enhancements to IM services and new enterprise-class IM products will minimize the impact of spim.

Others agree. "Spim is not as horrible a problem as e-mail spam," said John Levine, an expert on spam and the author of "Fighting Spam for Dummies."

Levine believes that spim is easier to control than e-mail spam, because free IM services from America Online, Yahoo and Microsoft's MSN have closed off their buddy lists and databases to third-party consolidators such as Trillian. Since messages go through a centralized group of servers, it's much easier to track and control than e-mail, which uses an interconnected network of servers.

"One of our concerns over interoperability between IM clients has to do with the security and privacy issues that arise," said Nicholas Graham, an AOL spokesman. "We can best protect our members when we can control the flow of traffic."

AOL, MSN and Yahoo have already taken measures to limit the amount of unwanted messages their users receive. In September, Yahoo updated its IM client to make it more difficult for hackers to access addresses. In June, AOL said it had added antispim capability to its latest version of code, AOL 9.0.

Still, the potential for abuse exists. Even a small amount of spim can be extremely annoying to users, because IM messages pop up on computer screens as soon as a message is sent.

"IM spam is much more of an interruption than regular e-mail spam," Levine said. "Unlike e-mail spam, the timing is controlled by the sender and not the recipient."

IM spam can also cause security breaches. Hyperlinks embedded in IMs can entice users with offers of free prizes, special discounts or content downloads. These links can provide a doorway for viruses to enter a corporate network. Severe spim could cause network congestion, hurting application performance.

Some traditional antispam technologies are also being used to fight spim. Content filtering from companies such as Akonix, IMlogic and SurfControl blocks messages with keywords or suspicious content. Rate limiting and traffic shaping could also help fight spim.

"No matter how fast you can type, it's unlikely that any human could send thousands of messages every 10 seconds," Levine said.

Companies are also developing solutions tailor-made for corporate IM, which should give IT managers more control of IM traffic. For example, enterprise-class IM products from FaceTime Communications and Merak Mail Server intercept instant messages coming from outside a company and send an automated message that challenges senders to respond. Sender who don't respond are assumed to be spimmers, and their connections are terminated. The drawback to these solutions is that they can slow communication.

Both Levin and Ritter caution that to beat spim, IM vendors will need to stay ahead of the spimmers, who will likely develop increasingly intelligent tools to fool antispim efforts.

"I fear the same sort of escalation between spamming tools and counter tools will play out in similar ways to what has happened in the antispam community," Levine said.