Battle to beat spam

If the 1998 movie You've Got Mail was released today, it would probably be called You've Got Spam - and Some Mail. Spam continues to threaten the email productivity and data security of businesses worldwide and employers stopped considering it "just a nuisance" long ago.

At best, spam is a huge time waster; at worst it can compromise an online banking connection or result in a business network being used as a repository for alien files or graphics.

"One of the most ironic things about spam is that your own computer can be sending it to you.

"A spam can release code that turns your own computer into a spam server," says Brett Roberts, platform strategy manager for Microsoft New Zealand.

Roberts says spammers store spam on "host" computers because if they sent millions of emails from one location they would soon be shut down by an ISP.

But the galling idea that you might be sending yourself spam is nothing compared to the shock people get when a spammer uses online banking details and other private business and personal communications through installing software that can read keystrokes.

One business manager says he was hit hard by a spammer who spammed millions of organisations using the domain name of the manager's New Zealand business.

For weeks, whenever the business tried to send legitimate emails they were returned because the business domain name had been blacklisted by an online anti-spam service.

"We had to jump through so many hoops to get ourselves off that list. If I could catch that spammer I would personally feed their computers to them," says the manager.

Roberts says worst-case scenarios are surprisingly common. "The worrying thing is the apathy. The security technologies are not expensive, it's just people aren't implementing them. From a software vendor perspective, that's frustrating."

Globally, a report from research firm Ferris Research puts the business cost of spam for this year, which includes anti-spam software, management time, and lost user productivity, at US$50 billion ($68.6 billion).

However, Richi Jennings, one of the report's authors, says although global spam volume has jumped fivefold since 2003, the costs of fighting spam haven't even doubled.

"Deploying competent spam-filtering software makes good business sense," says Jennings.

According to Ferris, using anti-spam filters in software server products is cheaper than using them at the "desktop".

"The former typically costs $132 a year for each user, while the latter runs at around $217. Any time an IT department has to roll out software to everyone's desktop, you're talking serious money," says Jennings.

Roberts, who estimates 95 per cent of Windows operating system security breaches are avoidable because the Windows update website has a patch available, says eliminating the worst of a spam problem is deceptively simple.

"Get a firewall, load antivirus software and keep it up to date, and regularly patch and update your operating systems and software," he says.

Other well-touted advice is user education and employee training. However, many employers say all the policies in the world won't stop some people from opening spam. Common traps include spam that looks like legitimate email; spam that addresses the employee by name - and spam opened by mistake.

Roberts says spammers have become masters of covert social engineering. "Most human beings love to please. So if you get an email with a subject line that says 'I love you' or 'You sent me this by mistake' chances are it will be opened."

Roberts says the most common way to combat these is to turn on anti-spam software in business software.

"If you do that you will automatically improve your spam situation. For example, the security filters in later Microsoft Outlook products will refuse to open an attachment if it looks like spam," he says.

Other options include installing email security software on servers or desktops - brands include Brightmail, Symantec, and Mail Marshall - or using an internet service provider that filters spam before downloading email.

Unfortunately, while these measures will significantly reduce the spam a business encounters, legitimate emails can be knocked out along the way - a security versus productivity trade-off businesses need to consider. Some prefer an ISP that tags email as possible spam, or email software that puts suspected spam in a special folder, rather than deleting it.

Experts say while some spam will always get through, businesses should be more proactive about mounting a counter-attack.

Those sitting back waiting for the elusive "silver bullet" to be found and fired are likely to be hit hardest.