Unsolicited E-mail: No Problem Come 2006?

An analyst's road map to a (mostly) spam-free existence

As anyone with an e-mail account can attest, spam is a growing problem. Different spam filters often catch the good with the bad. According to Ferris Research analyst Marten Nelson in San Francisco, however, just wait until 2006. That’s the year he predicts wide deployment of effective anti-spam technologies in the enterprise. The upshot: spam won’t be so much of a problem after that. As an analogy, think of the way that today’s antivirus software effectively stops e-mail-borne viruses. The same will go for spam.

We spoke with Nelson about the state of spam today, a potential spam-free panacea tomorrow, how organizations will get there, and the role security managers play.

Q. Just how bad a problem is spam for organizations today?

A. Spam is bad. How bad is it? We estimate that in 2003, the financial impact on corporate organizations in the U.S. will be beyond $10 billion.

Q. That’s a big number.

A. That is a big number. There are basically three key elements. First, costs associated with lost user productivity. End users spend time—maybe just a little time—to receive spam, recognize that it is spam, take action and delete it. Yet in a few cases, users are also diverted to these Web sites that sell amazing growth hormones, for instance. Also, good mail can be incorrectly filtered to be spam—so users may have to retrieve the false positives; some systems have a “spam” folder. Personally I have that kind of system, and I have to go and scan that folder to make sure there's no real mail in there.

Second, costs driven by increased help desk usage—callers complaining about spam.

Third, costs from using computing resources, and having to purchase additional bandwidth, server capacity, resources.

So if you add all that up, and look at the penetration of corporate e-mail and how much spam they receive, it adds up to over $10 billion.

Q. How do organizations apply that number?

A. What you need to do is normalize the cost—look at the cost per user, per month, something like that. If you do that, the cost [of spam] is more like $10 per user per month, and that becomes a better benchmark for organizations to look at.

Q. So companies should keep that number in mind when evaluating products and pricing?

A. There is a need to understand the impact of spam on the organization and for IT managers to justify the cost of spam prevention tools. If you think of it that way—$10 per user per month—then to purchase a spam solution that costs $5 per month is easily justified.

Q. Anti-spam tools still aren’t perfect though, are they?

A. Yes, especially with the first-generation spam tools. [Some] antivirus solutions [had] very rudimentary filtering tools for defining your own [spam] filters, maybe based on keywords. Those are very general tools and you end up generating a lot of false positives. It made many IT administrators retract from using antivirus products with spam filters.

Q. What’s the accuracy of newer tools?

A. As IT administrators move to the second generation, a good anti-spam product should filter 80 to 90 percent of all spam, and generate very low false positives. With those numbers, I haven't seen any organization retract from anti-spam technology.

But as you say, they're not perfect—there are problems. But there are problems with all software and hardware, and you deal with it—upgrade, push your vendor. It's an evolving area.

Q. What are key drivers for deploying anti-spam technology, beyond lost productivity?

A. Cost is obviously one, the other is filtering out nasty e-mails, making sure your users are not exposed to offensive materials. That's a very strong driver. It's hard to quantify on cost, but executives and management teams are concerned about the increase in hostile material, its effect on a hostile work environment, and what that could lead to in terms of litigation.

Q. Inside companies, under whose domain is anti-spam technology? Is it a security job function?

A. That’s a good question, and I think many vendors are trying to figure it out.

Q. Do companies see spam as a security issue?

A. [So far] spam hasn't been seen as a security issue, per se, [as in] it's not about intrusion, it's not about stealing information. But it does, it steals corporate addresses. So [the security perception] is starting to happen. [Also] antivirus vendors are offering anti-spam solutions, so their points of contact in the organization are going to become aware of anti-spam solutions.

But it's a gray area. There are security aspects about spam, but there are also messaging aspects, such as the impact on the infrastructure, and that is something that the messaging manager is concerned about; he doesn't want to add additional servers, storage, and so on.

Q. Will anti-spam ever get to the point that it’s just another security control?

A. Yes, and when we talk about the anti-spam industry, I see new companies being launched or announced almost on a weekly basis, coming out with new, fantastic anti-spam solutions. However consolidation is also happening. In the next few years, [there will be] a few anti-spam vendors, but the rest will be owned by the antivirus vendors, to round out their solutions. [They have] antivirus, content filtering, intrusion detection, and they're adding spam to that. It's a natural fit if you're already scanning e-mail for other stuff, why not scan it for spam?

Q. So you think spam problems will largely be solved by 2006?

A. I actually think that technology and legislation will create an environment where the economies of sending spam will diminish. I liken it to the antivirus market. Five years ago, everyone talked about viruses. Now, I'd say 95 percent of organizations have some level, in some cases multiple levels, of antivirus protection in place. So if you're filtering 90 percent or even more in the future, spamming will not be a great business opportunity anymore, as it is today. The anti-spam solutions will almost be a commodity, and will be seen more as an insurance policy—just something you have to have.

Q. So spam will still exist?

A. Of course there will still be spam, but we won't talk about it like we do today, because most organizations will have it under control. I don't say it's going away, I just think that it will come under control, and organizations that deploy anti-spam solutions won't have the inconvenience of it. There's spam out there, but we're detecting it. Like with viruses.

Q. What about lists of approved e-mailers, or challenge/response technology?

A. The list itself that contains the names of trusted senders, that list is typically called a white list. The reverse is the black list, which you will reject mail from. Challenge/response is really the method of how to add users to that white list.

[Editor's Note: Challenge/response is a system of requiring an e-mail sender to reply to an automated message—proving they’re legitimate—before their initial, and all subsequent, e-mails are allowed to reach the recipient.]

This is a hot topic today—everyone talks about challenge/response. There are good things about challenge/response and white lists, but you can't rely on it alone. I think it works very well as sort of a last line of defense, meaning you have other methods to detect spam in your anti-spam product—[for example] fingerprints, where you take a snapshot of a spam and compare it to other incoming methods. Now if all those tests fail, meaning that spam was not detected, and you're not sure, then I think challenge/response is a good method of finding out is this a legitimate e-mail. But the problem is that challenge/response is just a method of adding a name to a white list, and [even] an e-mail address can be spoofed. As a spammer, if you know the naming conventions within a domain, it’s pretty easy to spoof that.

Q. What are common anti-spam technologies?

A. Those are probably the biggest. There are others that are math or statistical methods, like the Bayesian method, that look at the preponderance of and relationships between words—how many times does a word occur. Also if you analyze a spam message, some methods to bypass very rudimentary filters that use spaces [between l e t t e r s ] won't be caught through a normal keyword list, so these Bayesian filters are looking at spaces and other methods.

Q. Will we see a technology refinement between now and 2006?

A. I think it's a combination of refined technology and also legislation. I think today 33 states have state legislation, with various effects; they're not great. There are a number of initiatives at a federal level to create spam legislation, and sooner or later it will happen, and it may take a couple of iterations until it's actually effective and enforceable too. But I think over time, legislatures will catch up to this issue.

Editor's note: For more on spam-related regulation, see http://www.spamlaws.com/.