Time to put a stop to spam

Technology defenses can only go so far, according to J. William Gurley, who writes that governments must go further to combat what has become a major bane of corporate networks.

5 min read
One likes to believe in the freedom of music,
But glittering prizes and endless compromises
Shatter the illusion of integrity.

--Rush, "The Spirit of Radio"

Between 5 p.m. Friday and 8 a.m. Monday I received 151 pieces of spam, or e-mail junk mail, in my corporate in-box. As you might guess, my e-mail address is completely--and I fear permanently--polluted.

What I once considered to be just a mild nuisance is now a genuine drain on daily productivity. I probably spend 20 to 30 minutes a day evading spam, and this is up from maybe one or two minutes a year ago.

Spam is fast becoming an epidemic. Brightmail, one of the leading providers of spam-fighting technology systems, estimates that the percentage of incoming e-mails considered junk has more than doubled since September to well over 15 percent of all e-mail. Research house Gartner estimates that spam increased at least fivefold in 2001.

Left unchecked, spam will undoubtedly cost corporations billions of dollars in lost productivity and squandered IT resources. Overzealous and overly clever electronic marketers are desperately compromising this highly efficient, new corporate communication medium of e-mail.

Nature of the threat
Why is spam such a problem? The most relevant answer to that question is pure economics. The cost to send an incremental e-mail is fast approaching $0.00. With no variable costs, the e-marketer is encouraged to send as many solicitations as it possibly can--there is no diminishing marginal return as you might experience in direct mail or telemarketing.

Moreover, e-mail lists can be replicated with mind-numbing simplicity, and as a result, there are several places on the Web where you can buy a CD of more than 10 million e-mail addresses for under $200. Lastly, thousands and thousands of e-mail servers are unknowingly being used as hosts for spam assaults due to a problem known as "open relays." By bouncing their offers off these ill-programmed hosts, parasitic solicitors simultaneously reduce their costs as well as their likelihood of being caught.

Left unchecked, spam will undoubtedly cost corporations billions of dollars in lost productivity and squandered IT resources.
The first and most common spam prevention advice is to educate employees with regards to proper e-mail user behavior. This is like telling someone that learning to swim will be helpful in the event of a tsunami.

For starters, if your e-mail address has ever been posted anywhere on the Web, you likely already have a significant spam problem. Web "spiders" electronically crawl the Web and assemble e-mail address lists that are fast-included on the above-mentioned CDs. Other spammers simply "guess" as to what your e-mail address might be by appending a common name to a popular domain. I would hate to see how much spam john@aol.com has to comb through.

Another common trick is to include in a spam solicitation instructions for "unsubscribing" from a list. When users do unsubscribe, the spammer knows this is a live address--now your address is sold for a premium to direct marketers. Remember, it only takes one misstep for your address to be completely compromised due to the ease of electronic replication.

Once you realize the futility of the "user behavior" defense, you or your corporation will likely seek out a technical solution to this problem. Several companies sell e-mail filter technologies, which help identify unwanted e-mails by recognizing key phrases or by helping you manage a list of perpetrators. With these mundane solutions it is impossible to keep up with the spammers--it's like cutting the lawn with nail clippers.

More sophisticated solutions run large data centers and analyze messages sent to a large number of locations on the Internet. With this global knowledge, these companies are better suited to recognize spammers using large lists across several ISPs and domains. Brightmail is generally considered the leader in this category.

While these technology solutions can help reduce the problem, I am not convinced that they can solve the problem outright. The reason is something known as a "false positive." These nondeterministic solutions are built to make a best guess as to whether or not an e-mail is indeed spam.

A possible way out?
The problem with this educated guessing is that eventually you make a mistake. If one or two pieces of spam are allowed to pass, no real harm is done. However, if you mistakenly identify a "real" e-mail as spam and delete it, you have a major problem in the corporate world. Imagine what happens when your company misses a key sales opportunity because the SpamNoMore software guessed incorrectly. The software is removed--that's what happens. This zero false-positive hurdle creates a real dilemma, and any company that can solve it will likely make millions.

The cost to send an incremental e-mail is fast approaching $0.00. With no variable costs, the e-marketer is encouraged to send as many solicitations as it possibly can.
With legislation as a possible solution, one could wonder why we even need a technology solution. Consider that our government could depend on each and every company to protect itself from murder and theft by requiring them to defend all of their locations with armed guards.

It is simply more efficient to make these things illegal and rely on our public police for enforcement. The same is true for spam. With the exponential rise of spam, its obvious impact on corporate productivity, and its relative uselessness within the corporate setting, members of the Senate and Congress should act swiftly and vigorously to put an end to spam.

There are proposed bills in front of the House and the Senate, but they all fall short of what is truly needed. Ironically, most government officials have moved to Web-based contact forms on their Web sites instead of disclosed e-mail addresses. Clearly, they know of the problem; let's just see if they have the guts to take care of it.

Of course, legislation is just the first step, with enforcement being the second. The government must not only pass desperately needed legislation, but also simultaneously and ruthlessly prosecute offenders. Additionally, as spam is a global problem, not a U.S. problem, our government will need to work with other countries to completely stop the abuses.

E-mail is fast becoming the preferred communication medium for many corporations. Moreover, e-mail is also the baseline for many new cross-company work-flow applications. We simply cannot allow a bunch of Viagra ads to put a dent in the evolution of the global economy.

For more information on stopping spam, please see the following resources: Spam.abuse.net, CAUCE.