From the Oct. 2006 Issue
In January 2004, a senior executive from a well-known technology company boldly
proclaimed that “spam will soon be a thing of the past.” Wow! Wouldn’t
that be nice? While significant strides have been made in the fight against
spam, it is now three-quarters of the way through 2006 and Brittany Spears,
herbal remedies, can’t-miss-stock tips, discount mortgage offers, and
the like are still showing up in way too many mailboxes. (My personal favorite
is the message that offered the lucky recipient cash for selling their organs!)
Just as annoying and far more sinister are phishing and malware scams that threaten
even the most savvy computer users with identity theft and financial loss. As
if the assault on e-mail boxes isn’t sufficient, SPIM (spam over instant
messaging) and SPIT (spam over Internet telephony) offer new challenges and
threats to data security. Spam, SPIM, SPIT … what could possibly be next?
Unfortunately, spam-free utopia has not yet arrived. Great awareness, caution
and the proper use of technology are more essential than ever to protect vital
information and electronic assets.
According to a recent article posted on Information Week’s website by
Christopher Heun, the current state of spam in 2006 is a good news/bad news
situation. Consider the following:
- Spam accounted for about 80 percent of all the e-mail traffic on the Internet
during the first quarter of 2006. (I understand it will never reach 100 percent,
- Microsoft and AOL block nearly 5 billion pieces of spam every day.
- Nearly 90 percent of messages at Microsoft’s MSN Hotmail are spam;
95 percent of these messages never reach their target.
These statistics prompted the question, “If billions of spam messages
travel throughout the Internet every day, but consumers see just a few of them
in their inboxes, do they really exist?”
The good news, due to improved filtering from ISPs, corporate environments and
personal computers, is that the amount of spam reaching individuals has been
greatly reduced. The bad news is that the amount of spam and mediums through
which it is sent continue to increase.
Compounding the bad news, the frequency and sophistication of “phishing”
is on the rise, as well. According to the “Anti-Phishing: Best Practices
for Institutions and Consumers” McAfee Research Technical Report #04-004,
security experts at McAfee define phishing as “a form of Internet scam
in which the attackers try to trick consumers into divulging sensitive personal
information. The techniques usually involve fraudulent e-mails and websites
that impersonate both legitimate e-mail and websites.” Another tact is
to dupe users into clicking on links or visiting websites that will plant malware
such as key loggers or Trojan software on machines for use in future scams.
These types of scams, which have also infiltrated instant messaging, are no
longer limited to sophisticated hackers or organized crime rings. You, too,
can follow the readily available instructions on the Internet and design your
own phishing scam!
In large part to phishing, identity theft is the fastest growing crime in the
United States. According to the NYPD Cyber Squad, the average identity theft
case costs the victim $808 and 175 hours to clean up (“Phishing: 21st-Century
Organized Crime,” CipherTrust, Inc.).
NEWER FORMS OF Spam — SPIM & SPIT
No longer confined to e-mail, spam has also infiltrated instant messaging platforms.
Users of public IM systems (e.g., MSN, AOL, Yahoo!) with public profiles may
receive unsolicited advertisements in real time. While SPIM is less common than
spam, it can also be more intrusive and dangerous. Whereas e-mail can be quickly
scanned and deleted at any time, SPIM must be dealt with in real time. And while
e-mail users generally know to be aware of spam, IM users expect to receive
messages from personal contacts (“buddies”) and are more likely
to be duped by a spimmer. Even a file or link from a known contact could be
harmful as it could be a worm replicating itself through their contact list.
SPIT has not yet proven to be a significant problem. But as the popularity
of Internet telephony grows, SPIT is sure to follow. Similar to its spam cousins,
SPIT offers a unique “opportunity” for low-cost marketing on a global
scale. At the push of a button, spammers could launch an entire telemarketing
campaign to IP telephones across the globe.
As mentioned previously, much progress has been made in the fight against spam.
Spam-preventing filters and other technology tools have improved significantly
so that the level of spam individuals actually receive has been greatly reduced.
Various types of filters for anti-spam solutions include blacklists, whitelists
and Bayesian filtering. Blacklists automatically filter e-mails based on identified
individual e-mails or domains, blocking known “offenders.” Whitelist
filtering will only deliver messages from those e-mails or domains that have
been pre-approved by the recipient. Bayesian filtering uses complex statistical
techniques to classify e-mails based on content from past e-mails. Based on
the content, each is e-mail is assigned a certain score and then tagged as spam
or probable spam. The difficulty with any one of these types of filters is that
it must be constantly monitored and updated to make sure that it is eliminating
spam effectively without trashing legitimate e-mails. Upkeep and fine tuning
are required, but this can be time consuming. And spammers are clearly aware
of the defenses end users are working to employ, so they are constantly fine
tuning their spam attacks to pass right through these defenses.
For individual computer users, any reputable ISP should provide an effective
first layer of defense. To add an extra layer of protection, a number of inexpensive
products are available. Ranging in price from $20 to $40, such products include
SpamEater Pro, Qurb, ChoiceMail One, Spam Killer, Spam Buster, iHateSpam, and
many others. For a side-by-side comparison of individual spam filters, visit
For corporations, server-based solutions include products such as GFi MailEssentials
and ChoiceMail. While they fight spam in two different ways, both solutions
eliminate the need to install and update anti-spam software on each desktop.
GFi uses Bayesian filtering, while ChoiceMail uses a challenge and response
system where each would-be sender has to be approved in order to be added to
a user’s whitelist.
Another option for corporate anti-spam is the use of a managed service such
as Postini. Growing in popularity, this model allows corporations to pay a fee
per user per month for anti-spam services. In Postini’s case, it uses
technology to block spam at the SMTP connection level by examining the behavior
of the sending machine. Messages that pass the initial test are then filtered
based on various rules or heuristics. Note: Our company has been using Postini’s
services for a year, and we’ve been very pleased with the results. It
has provided significant improvement over anti-spam products we’ve used
in the past.
Disclaimer: In spite of the many excellent products available today to fight
spam, there is no perfect spam filter. As a result, end-user education and training
is essential. Users must be taught (and reminded) on a regular basis how to
recognize spam and phishing attacks and how to respond appropriately.
The technology executive mentioned in the introduction was Microsoft’s
own Bill Gates. Needless to say, it appears Mr. Gates was overly optimistic
about the speed with which spam would be eradicated. The reality of spam is
that the high stakes chess game between spammers and their opponents will continue
for the foreseeable future. As a result, it’s critical for all computer
users to stay educated, remain alert, and take advantage of the very latest
technology tools to protect their identity and personal information.
David Cieslak is a Principal in Information Technology Group, Inc. (ITG),
a computer consulting firm with offices in Simi Valley and Huntington Beach,
Calif. He is currently an instructor for K2 Enterprises and a frequent speaker
on technology issues. He also currently chairs the AICPA IT Executive Committee
and serves on the Information Technology Alliance board of directors and CalCPA