In-Depth

Case in Point: Law Firm Battles Spam

Installing a spam filter helped one Atlanta firm eliminate 95% of unsolicited e-mail.

• By Mathew Schwartz
• 12/03/2003

Things have come a long way for the 350-person law firm, and Grulke. A consulting company refugee, he began work at the firm in 1999. Almost immediately, “I noticed a big increase in spam, and we got a number of small viruses—[the firm] didn't have anti-virus protection—and it got to the point where the senior managers were getting the really obscene spam.”

The mandate to Grulke: make it stop. He hunted for software to do the trick. Based on word-of-mouth recommendations, he selected NetIQ’s MailMarshal.

E-mail is a cornerstone of how people get things done at work, and spam intrudes on that. According to a recent Pew Internet Project survey of 1,380 U.S. e-mail users, 55 percent say they have a hard time seeing the wheat for the chaff, and worry they’re accidentally missing real communications. In addition, seven in 10 e-mail users said spam made e-mail “unpleasant or annoying.”

Not all organizations are buying in, however. NetIQ recently surveyed 750 organizations, each averaging 12,000 employees, about the costs of spam, and found the average organization losing more than $2.5 million a year to spam. Half, though, hadn’t installed anti-spam software; most of them fear false positives.

Yet they also fear spam’s effects on efficiency and security, as well as offensive spam legal liabilities. “It’s a lot of content directed at an asset on your network that wasn't necessarily requested,” says Clarence Morey, product marketing manager for NetIQ.

“More and more, companies are beginning to understand that spam is just the tip of the iceberg,” notes Matt Cain, a META Group analyst. Exposing users to less spam can save organizations money “by reducing [such operational costs] … as manual inbox culling by users, storage management, and help desk calls.”

As for false positives, Morey says “it’s not uncommon to see 95 percent accuracy and less than one percent false positives, and with white papers that we put out on our Web site, you can get it better than that.”

At Arnall Golden Gregory, Grulke says the rollout went smoothly. “Initially when we installed it, we had a number of false blocks, but we went overboard with the filtering.” Spam blocking also performs to his liking. “We still get some spam through, but that's because the nature of our business. We can't lock it down like I would like.” Two groups in particular need exemption from certain keywords—one deals with the Food and Drug Administration and prescription drugs, another with real estate and erecting buildings—and thus some spam trickles through.

Users also need to play along. The same filters arresting spam can net employee communications as well, especially if keywords get repeated too frequently. “Sometimes the person who sent [a message] had a little too-colorful language,” says Grulke. “We send back a message and say, 'Please clean it up and resend.'” Users get a couple of tries before the message is blocked outright.

Grulke says he spends an average of three hours per week administering the product, counting his monthly catch-ups where he studies more recent spam and finds new words to block.

For the month of October, the company blocked 473,041 distinct e-mails. “Of those, almost 297,000 triggered at least one rule, the remainder triggered more than one, and 200,000 of those messages were for a bad address.” Bad addresses almost always signify a spammer running a known domain name through every possible username in the book. By blocking it, Grulke says, “it saves our Exchange server bandwidth as well as processing time and speed of the Exchange server.” MailMarshal, he says, just runs on “an average Joe Blow server” situated in front of the Exchange server.

A few years ago, to comply with Health Insurance Portability and Accountability Act regulations, Grulke began also using MailMarshal Secure Module to automatically encrypt e-mails to a client (that had to comply with HIPAA), and quarantine suspicious, possibly HIPAA-related, e-mails before they got sent—just in case.

To keep catching spam beyond NetIQ’s XML-based filtering engine—not signature-based, but behavior-based (the company updates it quarterly)—Grulke has an additional 30 rules. “We have a few rules that we run to protect ourselves from the bad guys—large attachments or frivolous attachments, why Jesus loves me, 10 thing about [this or that].”

In summary, he says, “I love the product, it works wonderfully.”