Online Portals Won’t Defeat Spam

On Monday, Ferris Research said in a new report that the market for anti-spam services will increase tenfold by 2008 to over $1 billion from its current level of around $120 million.

But for the ISPs and online portals to effectively win the spam war, they will need a lot more than the latest anti-spam software, security experts agreed. That is because most anti-spam software companies are trying to solve the problem at the email server.

But the mail server is not the place to solve the spam crisis. In larger enterprises, mail systems are so large and distributed that managing software at the individual server level is not even practical, Postini’s Akamine explained.

So while a lot of new anti-spam software companies are rushing to come out with products, many of them miss the point, the chief executive said. That is because spammers use a technique known as “directory harvesting” to attack corporate networks.

“Directory harvesting attacks are the core of the problem and occur on the transport layer,” the chief executive explained. “Any solution has to put tools in a customer’s hands and the technology has to work on multiple levels simultaneously.”

Directory harvest attacks occur when a spammer uses publicized or known email addresses to steal other valid e-mail addresses from corporate or ISP mail servers. The technique takes advantage of network vulnerabilities that allow the spammer to send e-mails to randomly generated e-mail addresses.

The spammer then collects all the e-mail addresses that the receiving mail server acknowledges as being valid, then presses them on a CD, and either sells them to other spammers or uses the lists themselves.
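A defender can spot this pattern in mail server logs, because a harvesting client asks about many addresses and most of them are rejected as unknown. The sketch below is an added example, not part of the original article or any vendor's product; the log format, the sample lines and the thresholds are constructed assumptions, and 550 is the standard SMTP reply code for an unknown mailbox.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, hypothetical format
# (client IP, RCPT TO address, SMTP reply code); not from any real server.
SAMPLE_LOG = """\
2003-04-28T10:00:01 client=192.0.2.10 rcpt=<aadams@example.com> code=550
2003-04-28T10:00:01 client=192.0.2.10 rcpt=<abaker@example.com> code=550
2003-04-28T10:00:02 client=192.0.2.10 rcpt=<jsmith@example.com> code=250
2003-04-28T10:00:02 client=192.0.2.10 rcpt=<acole@example.com> code=550
2003-04-28T10:00:03 client=192.0.2.10 rcpt=<adavis@example.com> code=550
2003-04-28T10:00:03 client=192.0.2.10 rcpt=<aevans@example.com> code=550
2003-04-28T10:05:10 client=198.51.100.7 rcpt=<jsmith@example.com> code=250
2003-04-28T10:05:11 client=198.51.100.7 rcpt=<jsmiht@example.com> code=550
2003-04-28T10:06:00 client=198.51.100.7 rcpt=<mlee@example.com> code=250
"""

LINE_RE = re.compile(r"client=(\S+) rcpt=<([^>]+)> code=(\d{3})")

def find_harvesters(log_text, min_rejects=5, min_reject_ratio=0.8):
    """Return {client_ip: stats} for clients whose RCPT pattern looks like harvesting.

    A client is flagged when it probed at least `min_rejects` distinct unknown
    addresses and at least `min_reject_ratio` of its recipients were rejected.
    """
    tried = defaultdict(set)      # every distinct address a client asked about
    unknown = defaultdict(set)    # distinct addresses answered 550 (no such user)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, rcpt, code = m.group(1), m.group(2).lower(), m.group(3)
        tried[client].add(rcpt)
        if code == "550":
            unknown[client].add(rcpt)
    flagged = {}
    for client, addrs in tried.items():
        rejects = len(unknown[client])
        ratio = rejects / len(addrs)
        if rejects >= min_rejects and ratio >= min_reject_ratio:
            # Addresses the server confirmed are what the harvester walks away with.
            flagged[client] = {"rejected": rejects, "ratio": round(ratio, 2),
                               "confirmed": sorted(addrs - unknown[client])}
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

The second client in the sample mistypes one address among valid ones and is not flagged, which is the false-positive case the ratio threshold is there to avoid.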

“Directory harvest techniques, which have been on the steady rise over the past year, are at the root of the spam conundrum,” Akamine said.

But Counterpane’s Schneier doesn’t see any technical solution to the spam crisis, and that may be part of the reason why America Online, Microsoft and Yahoo are being supportive of the FTC Spam Forum this week.

On that note, America Online joined with Virginia’s Governor Mark R. Warner and state lawmakers to unveil a strengthened law that allows for the criminal prosecution of spammers with penalties that include jail time, asset forfeiture, and fines.

“The only real solution to spam is legal, not technical. Every technical solution is flawed and won’t ultimately work,” Schneier said.

“If the government wants to wipe out spam, it will have to pass laws,” Schneier said.

Senator Charles Schumer (D-NY) on Monday proposed legislation that would create a national “do-not-spam” registry under the FTC’s auspices and would force Internet advertisers to put an ‘ADV’ tag in the subject line of any unsolicited piece of e-mail.

On the same day, Congresswoman Zoe Lofgren (D-Calif.) proposed legislation called the REDUCE Spam Act, which stands for Restrict and Eliminate Delivery of Unsolicited Commercial E-mail. The bill would create a bounty for the first person who reports a particular spammer. The bounty would be equal to 20 percent of the fine. The bill also would establish criminal penalties for fraudulent spam.

Those two proposals come on top of the so-called CAN-SPAM Act, championed by Sens. Conrad Burns (R.-Mont.) and Ron Wyden (D.-Ore.) from earlier in the month.

The laws, if passed, would sanction the FTC, which until now has only addressed fraudulent or pornographic unsolicited emails, as the official governing body to regulate spam.

But when it comes to filtering, a lost message is one thing. Wrongful criminal prosecution as a result of “false positives” could stir up a whole new legal hornet’s nest, Schneier said. Therefore, there are serious questions about how any new law would be policed.

Meanwhile, the level of spam continues to rise. By mid-2003, an average of approximately 10 spam messages per day will be sent to North American business users and approximately 12 spam messages per day will be sent to ISP users. By 2008 that figure will increase to over 40 spam messages per day for business users, and 54 spam messages per day for ISP users, the Ferris report concluded.

“For five percent of the business users, the increase will be more dramatic — they will receive between 130 and 400 spam messages per day by 2008,” Ferris said.

The new report also finds that global business anti-spam seat deployment will increase from 11 million in mid-2003 to over 500 million seats in 2008 with revenues from anti-spam services topping $1 billion. Corporate anti-spam services will total about $55 million in 2003 and over $850 million in 2008.

At the same time, the global ISP anti-spam seat deployment will increase from about 175 million in mid-2003 to nearly 1.2 billion seats in 2008. In terms of revenues, this translates to $66 million in 2003 and over $200 million in 2008.

Ferris lists some of the companies currently in the anti-spam software market including Cloudmark, MessageLabs, CipherTrust, Postini, Brightmail, ActiveState, Proofpoint, MailFrontier, Network Associates, HelpMeSoft, Gordano, Elron, Commtouch, and ClearSwift.

“For both corporate users and ISP subscribers, the spam problem is rapidly getting worse as spammers up their output and find new ways to bypass existing filters. For corporations, spam now represents a measurable drain on productivity that will make investments in anti-spam solutions increasingly popular,” Ferris said in a statement.

In the meantime, the Big Three portals will continue to reap the public relations benefits of unifying under a common cause.

“There are three reasons why the three leading portals, AOL, MSN and Yahoo, have yet to resolve the problem of spam inside their e-mail services. First, over fifty percent of spammers have moved overseas. Second, the portals are themselves major sources of spam. The third is pure cost. If they were willing to solve the problem it would only cost them a few million dollars per year,” said one spam software expert who asked not to be named.