In dealing with spam, that flood of unwanted and unsolicited e-mail that can sometimes clog in-boxes, there are only three basic ways of tackling the problem, even though one is unrealistic. The unrealistic one is not having e-mail at all; no e-mail address, no spam. Since that is not an option, the two other options are to tackle the problem in-house or to find an outsourced anti-spam solution. Both are excellent means of controlling spam but the decision to go with one or the other will be based on considerations that have little to do with the spam e-mails themselves.
Why is spam such a problem?
The biggest problem with spam e-mail is the volume of the stuff. While exact figures for the amount of spam piling up in-boxes are hard to come by, most analysts suggest about half of all e-mail messages coming into corporate e-mail servers can be classified as spam. While that number is certainly high, the problem with spam e-mail is not just the volume.It costs CPU power to receive and process a message, regardless of whether the e-mail message is a large or small message. So if half of my e-mail messages are spam, I have to invest in more servers, bigger servers, more load balancers… Jonathan Penn>Text “The real issue with spam e-mail is in the message processing,” suggested Jonathan Penn, an analyst with Forrester Research in Santa Clara, Calif. “It costs CPU power to receive and process a message, regardless of whether the e-mail message is a large or small message. So if half of my e-mail messages are spam, I have to invest in more servers, bigger servers, more load balancers and those kinds of things to handle all that traffic.”
Spam e-mails not only eat up processor and server cycles which can be better used elsewhere in the company, but spam e-mails an also take up valuable storage space. Because of new regulatory requirements both in the U.S. and Canada, companies often have to keep copies of all e-mail messages for auditing and reporting purposes. If half or more of all e-mail might be classified as spam, then having to store all that unwanted e-mail can become expensive.
Finally, spam e-mails pose a security risk. Sara Radicati, president of The Radicati Group Inc. in Palo Alto, Calif. argued spam e-mails are becoming a popular gateway for getting spyware, Trojans and viruses onto corporate systems, as well as a conduit for phishing and fraud attacks on individuals and corporations.
Outsourced anti-spam solutions
There are several reasons why an outsourced anti-spam solution can be appealing for a company. The most obvious one is cost. Tackling spam e-mails internally can be an expensive and time-consuming proposition for an IT staff, especially one that is small and has enough work on its hands trying to keep the company’s network running and making sure employee desktops and systems are operating properly.
Forrester’s Penn said third-party anti-spam providers are better able to keep up with the latest virus, spam and e-mail threats than many IT departments. As well, a third-party provider can keep up with the latest solutions and equipment and roll them out for all users of the service.
“With a service, it is just a matter of writing a cheque,” Penn added.
That was the reason why Jack Kunkle, chief technology officer and security analyst with Muhlenkam & Company in Pittsburgh, Penn. decided to go with Ann Arbour, Mich.-based Greenview Data Inc.’s SpamStopsHere.com anti-spam solution.
Muhlenham & Company is a major mutual fund investment firm with some 150,000 shareholders.
“These shareholders go out and put our e-mail addresses into their address books and correspondence and when they contract a virus or a spamming engine hits them, spam starts to come to us,” Kunkle added. “So we soon found ourselves getting hundreds of thousands of spam messages a day that we had to sort through.”
With an IT staff consisting of two people, one of whom was Kunkle, trying to handle the spam internally was not an option. Anti-spam solutions that were to be deployed internally, while excellent in stopping most spam e-mails, required a lot of management and tweaking to make sure the solutions worked properly. If one did not keep on top of the solution at all times, there was a risk an important e-mail with sensitive information or an urgent investment request could be classified as spam and not make it to the appropriate analyst.
“I just don’t have the time to do that,” Kunkle said. “So I pretty quickly stopped exploring that route and I thought a better model was to have someone to do it for me.”
SpamStopsHere.com works by having a company’s e-mail traffic routed first through one of its three large server rings (Houston, Tex., New York and Washington, D.C.) where the e-mail is filtered for spam. Only legitimate e-mail is then allowed to reach a company’s e-mail server. The spam e-mails are never allowed to get to the client.
“SpamStopsHere.com would immediately take all the spam filtering requirements off my desk and I had a happy staff that was now more productive and focused on the business instead of tackling spam issues,” Kunkle said.
Going in-house
A concern some have about turning to outsourced anti-spam solutions is the question of security. Since the incoming e-mail first goes to the company hosting the anti-spam service, some worry the e-mail could be read by outside parties. SpamStopHere.com, like other similar services, has strict privacy policies in place. It does not keep backups or copies of e-mail messages and all employees of the company sign confidentiality agreements. Kunkle said he went through a rigorous due diligence process and tested the service extensively to satisfy his security concerns before deciding to sign on.
Forrerster’s Penn added many companies decide to tackle spam e-mails internally for other reasons besides security.
“Companies may want to bring it in-house for control,” Penn said. “Companies may want to blend an anti-spam solution with other solutions such as scanning all in-bound and out-bound e-mail for inappropriate content, or companies may have particular encryption policies for certain kinds of data, or there are compliance issues that need to be followed.”
The Toronto Catholic District School Board decided to use Symantec Corp.’s Brightmail Antispam Internet gateway product as part of its anti-spam efforts.
According to Joe DiFonzo, senior coordinator of technical services with the Toronto Catholic School Board in Toronto, the Board decided to go with an in-house anti-spam solution because it already had the staff in place to handle the workload and the Board wanted to make sure that any solution chosen could be ‘tweaked’ to make sure no important e-mail was mislabeled as spam and blocked.
“We wanted to avoid getting calls from people asking where an e-mail went or why an e-mail was caught as spam when it is not spam, or calls as to why they are getting spam,” DiFonzo said. “People can get quite annoyed with that.”
Another reason for going with an in-house solution, and with Brightmail in particular, was the ability to monitor and track where spam e-mails are coming from. By knowing where unwanted e-mails are being sent from, the Board’s IT department can then block those addresses to prevent unwanted e-mails from that location getting through. In this way, the Brighmail system gets tweaked to be more accurate in its blocking of unwanted e-mail.
A better way?
Some suggest monitoring where spam e-mails come from, instead of focusing on the content, is one of the best ways to tackle the problem.
Larry Karnis, president of XPMsoftware in Brampton, Ont. said his company’s PerfectMai
