Alan J. Archer's story is undoubtedly familiar to IT managers and security officers.
A contractor at the government agency where Archer works as an IT specialist is confronted with hundreds of pieces of spam among the legitimate messages in his inbox. While deleting unwanted messages, the contractor inadvertently opens an e-mail that sets a virus loose on a slew of unprotected machines on the agency's network.
Such is the worry with spam. Most of it is harmless junk mail, but the drain on an enterprise's resources and productivity and the growing threat to a company's systems and data is making spam more of a security issue than ever.
"It is intrusive; it takes up valuable employee time (just the time needed to delete unsolicited commercial e-mail can engender frustration, especially at the beginning of a day following several days away from the workplace)," Archer said in an e-mail. "Spam can take energy away from important mail, cause accidental deletion of important messages, or worse yet, inadvertent opening of virally infected messages."
A recent survey commissioned by Symantec Corp. pointed out that 79% of the 100 IT managers surveyed said spam was a problem in their company and one likely to hang around for at least another three years. Fifty percent of end users (300 were surveyed) also regarded spam as a problem.
"That fact that the 'from' field of any e-mail message is malleable is, in my opinion, the biggest issue," said Chad Masseker, president and CEO of service provider Carceron Systems LLC of Atlanta. "This has the ability to cause, at a minimum, dissent and disinformation throughout an organization or between other relationships."
The security issues are real, as well, making it a problem for IT security staff. For example, HTML messages that exploit vulnerabilities in e-mail applications like Outlook can execute code without the need for an attachment. Spam messages, meanwhile, aren't slowing down. Twenty-one percent of IT managers surveyed for Symantec said spam makes up 31% to 40% of their company's e-mail.
"It is my opinion that spam mail can (and some likely does) contain Trojans that can get installed from just opening the message," Archer added. "No need to execute an attachment anymore; the HTML code installs the Trojan and sends the information back to its progenitors."
The CAN-SPAM Act, which has been slammed by critics as ineffective, and the recent dissolution of the Do-Not-Spam list apparently don't hold the answer.
"No matter what the law, there will be 'legitimate' spammers who get their lists via 'opt-in' functions, and illegitimate spammers who gather their addresses through other, more nefarious means," Archer said. "Laws, as we know from gun control laws, do not control criminally minded folks -- they only act to define guidelines for non-criminally minded folks to work within. In other words, laws work for the lawful; they don't work for the lawless. And there are plenty of lawless folks in the world."
In the meantime, messaging giants America Online, EarthLink, Microsoft, Yahoo, Comcast and British Telecom decided this week to try to take matters into their hands by releasing 21 recommendations for e-mail and Internet service providers that included cutting off service to spammers or limiting the number of e-mails an account can send.
In a related development, a former AOL systems engineer was arrested for allegedly stealing 92 million customers' screen names to sell to a spammer in Las Vegas. The ISP discovered the theft during a spam investigation and immediately fired Jason Smethers, 24, of Harpers Ferry, W.Va.
The key to eradicating spam, the ISPs said, is to identify and authenticate e-mail senders via header information like IP addresses or digital keys.
The Symantec survey reflects the skepticism as 54% of IT managers believe legislation will have a minimal impact and 2% said it would make the problem worse.
Other numbers from the survey:
- 58% of IT managers have seen a significant increase in spam during the last 12 years, while 35.5% of end users said that was the case;
- 70% of end users do not use instant messaging, but 22% of those who do have been spammed via IM;
- 76% of IT managers don't think IM spam is a problem;
- 64.5% of end users receive less than 20 spam messages a work day;
- 82.3% of end users have never responded to an offer contained in spam;
- 16.4% of IT managers said their team spends most of its day dealing with spam