Online Portals Won't Defeat Spam

By Mark Berniker

(Back to article)

When America Online, Microsoft Corp. and Yahoo! on Monday announced they would join hands to fight spam, many people took notice but security experts say the "Big Three" online portals lack the will or the knowhow to solve the growing spam crisis.

"The three companies getting together to fight spam is just a press release and marketing. The proof is in what happens next," said Bruce Schneier, chief technical officer for Counterpane Internet Security, a managed security monitoring company that has a detection response service that effectively is an alarm system for corporate networks.

"In the end, spam is an arms race. It's like viruses ... someone can always get around existing measures. While new measures can trap existing spam messages, there will always be a new spam idea that will get around the latest solution," Schneier said.

The anti-spam initiative from the nation's leading online portals is timed to take advantage of the spotlight cast by a high-profile, week-long forum on spam hosted by the Federal Trade Commission (FTC) in Washington. On the eve of that forum, the FTC Wednesday released its study that showed 66 percent of unsolicited commercial e-mail contained false information either in the form of "From" lines, "Subject" lines, or the message text themselves.

But while AOL, MSN and Yahoo! certainly have vested interests in eliminating spam, they may also have economic interests in turning the other cheek. America Online has well over 30 million e-mail accounts and, sources say, both MSN's Hotmail and Yahoo! Mail each have over 100 million e-mail accounts. In essence, e-mail management is a lost leader for the online portals. Adding anti-spam software to those 230 million or more e-mail accounts would result in skyrocketing costs.

Indeed, McAfee Security, a division of Network Associates and one of the biggest providers of anti-spam software, said it is in talks with a number of the leading e-mail services including America Online about providing anti-spam software, similar to its deal with Microsoft's MSN unit to provide anti-virus software protection to its Hotmail users.

"It's going to take more than just us to wipe out spam altogether," said Ryan McGee, director of product marketing for McAfee, who projects that "over fifty percent of all spam will be wiped out within five years."

"It makes sense for us to consider providing anti-spam software with the online leaders but we have yet to close any deals on the spam front. Executives are talking but there is nothing real advanced to announce," McGee said.

If any deal is consummated though, it is likely that ISPs and portals will pass those additional costs along to their customers -- much like how the Baby Bells charge for value-added services like unlisted numbers, caller ID and anti-telemarketing blocklists.

McAfee Security can offer anti-spam protection as an "added service that would cost between one and five dollars a month," McGee said.

McGee called the problem of spam an "urgent business need" and that a series of deals would be announced with both consumer and business services during the second half of the year. "None of the deals are public, but we are talking to the big players, as well as the mom and pop ISPs," he said.

McAfee's SpamKiller is a content filtering mechanism that works on the email server. Like most filtering agents, it has a "catch rates" of between 90 to 95 percent but it can also be spoofed.

"Technical solutions are never going to be perfect," said Shinya Akamine, CEO of Postini, a Redwood City, Calif.-based company that serves more than 1,200 customers primarily in the financial services, legal and management consulting sectors. Postini monitors three and half million e-mail accounts and claims to process over a billion messages every ten days. The company said that between 60 to 70 percent of the messages it monitors are spam, and claims its "catch rate" is between 95 and 99 percent.

"Everybody is recognizing the magnitude of the spam problem and is sprinting to come up with a solution. The reason the industry has failed to date is because the focus has been on content filtering," Akamine said.

"The bulk of the attacks have nothing to do with content," Akamine said.

How do spammers operate and what is being done to stop them?To find out, see Page 2. On Monday, Ferris Research said in a new report that the market for anti spam services will increase tenfold by 2008 to over $1 billion from its current level of around $120 million.

But for the ISPs and online portals to effectively win the spam war, they will need a lot more than the latest anti-spam software, security experts agreed. That is because most anti-spam software companies are trying to come up with solutions and are trying to solve the problem at the email server.

But the mail server is not the place to solve the spam crisis. In larger enterprises, mail systems are so large and distributed that managing software at the individual server level is not even practical, Postini's Akamine explained.

So while a lot of new anti-spam software companies are rushing to come out with products, many of them miss the point, the chief executive said. That is because spammers use a technique known as "directory harvesting" to attack corporate networks.

"Directory harvesting attacks are the core of the problem and occur on the transport layer," the chief executive explained. "Any solution has to put tools in a customer's hands and the technology has to work on multiple levels simultaneously."

Directory harvest attacks occur when a spammer uses publicized or known email addresses to steal other valid e-mail addresses from corporate or ISP mail servers. The technique takes advantage of network vulnerabilities that allow the spammer to send e-mails to randomly generated e-mail addresses.

The spammer then collects all the e-mail addresses that the receiving mail server acknowledges as being valid, then presses them on a CD, and either sells them to other spammers or uses the lists themselves.

"Directory harvest techniques, which have been on the steady rise over the past year, are at the root of the spam conundrum," Akamine said.

But Counterpane's Schneier doesn't see any technical solution to the spam crisis, and that may be part of the reason why America Online, Microsoft and Yahoo are being supportive of the FTC Spam Forum this week.

On that note, America Online joined with Virginia's Governor Mark R. Warner and state lawmakers to unveil a strengthened law that allows for the criminal prosecution of spammers with penalties that include jail time, asset forfeiture, and fines.

"The only real solution to spam is legal, not technical. Every technical solution is flawed and won't ultimately work," Schneier said.

"If the government wants to wipe out spam, it will have to pass laws," Schneier said.

Senator Charles Schumer (D-NY) on Monday proposed legislation to create a national "do-not-spam" registry under the FTC's auspices and would force Internet advertisers to put an 'ADV' tag in the subject line of any unsolicited piece of e-mail.

On the same day, Congresswoman Zoe Lofgren (D-Calif.) proposed legislation called the REDUCE Spam Act, which stands for Restrict and Eliminate Delivery of Unsolicited Commercial E-mail. The bill would create a bounty for the first person who reports a particular spammer. The bounty would be equal to 20 percent of the fine. The bill also would establish criminal penalties for fraudulent spam.

Those two proposals come on top of the so-called CAN-SPAM Act, championed by Sens. Conrad Burns (R.-Mont.) and Ron Wyden (D.-Ore.) from earlier in the month.

The laws, if passed, would sanction the FTC as the official governing body to regulate spam, which until now has only addressed fradulent or pornographic unsolicited emails.

But when it comes to filtering, a lost message is one thing. Wrongful criminal prosecution as a result of "false positives" could stir up a whole new legal hornet's nest, Schneier said. Therefore, there are serious questions how any new law would be policed.

Meanwhile, the level of spam continues to rise. By mid-2003, an average of approximately 10 spam messages per day will be sent to North American business users and approximately 12 spam messages per day will be sent to ISP users. By 2008 that figure will increase to over 40 spam messages per day for business users, and 54 spam messages per day for ISP users, the Ferris report concluded.

"For five percent of the business users, the increase will be more dramatic -- they will receive between 130 and 400 spam messages per day by 2008," Ferris said.

The new report also finds that global business anti-spam seat deployment will increase from 11 million in mid-2003 to over 500 million seats in 2008 with revenues from anti-spam services topping $1 billion. Corporate anti-spam services will total about $55 million in 2003 and over $850 million in 2008.

At the same time, the global ISP anti-spam seat deployment will increase from about 175 million in mid-2003 to nearly 1.2 billion seats in 2008. In terms of revenues, this translates to $66 million in 2003 and over $200 million in 2008.

Ferris lists some of the companies currently in the anti-spam software market including Cloudmark, MessageLabs, CipherTrust, Postini, Brightmail, ActiveState, Proofpoint, MailFrontier, Network Associates, HelpMeSoft, Gordano, Elron, Commtouch, and ClearSwift.

"For both corporate users and ISP subscribers, the spam problem is rapidly getting worse as spammers up their output and find new ways to bypass existing filters. For corporations, spam now represents a measurable drain on productivity that will make investments in anti-spam solutions increasingly popular," Ferris said in a statement.

In the meantime, the Big Three portals will continue to reap the public relations benefits of unifying under a common cause.

"There are three reasons why the three leading portals: AOL, MSN and Yahoo have yet to resolve the problem of spam inside their e-mail services. First, over fifty percent of spammers have moved overseas. Second, the portals are themselves major sources of spam. The third is pure cost. If they were willing to solve the problem it would only cost them a few million dollars per year," said one spam software expert who asked not to be named.