No Advertising, Please

Everyone is talking about spam, but not as the owner of the SPAM® copyright, the American Hormel Food Corporation, would like. After all, anyone who thinks of spam today is not usually thinking of the canned ham that first appeared on the market in 1937. In a short time, spam has become the popular name for an Internet phenomenon: unsolicited advertising by e-mail that is sent out in vast quantities to untargeted recipients. The trend is growing.
By now, even governments have begun to see themselves obligated to dam the flood with appropriate legislation. For example, on January 1 of this year, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) went into effect. The act creates punishments for sending spam. The European Union has also issued guidelines that are likely to be implemented this year. In Germany, the current Social Democratic government is now working on a proposed law that would create fines and even imprisonment for sending spam.

High costs

These mass mailings cost companies a great deal. Market researchers at IDC have calculated that a company with 500 e-mail accounts receiving only four spam e-mails per account each day suffers an annual loss of €60,000. And that figure reflects only the productivity lost by employees. Additional costs, such as those caused by wasted server capacity or network bandwidth, are not included.
But spam leaves its mark not only at companies. In particular, organizations that use e-mail and the Internet as a sales channel to their customers also suffer additional damages. Consumers increasingly regard these types of communication critically: spam e-mail ruins their enjoyment online. That’s the finding of a study in the United States conducted by the Pew Internet & American Life Project in October 2003. Some 25 percent of those questioned indicated that they use e-mail less because of the steadily increasing amount of spam. An impressive 70 percent declared that spam tarnishes their pleasure in using the Internet. And more than one half find it difficult to get to important e-mail because of the flood of advertising in their inboxes.
It’s questionable if legal regulations can offer a comprehensive solution to the problem. An investigation conducted in February of this year by Brightmail, a manufacturer of spam filters, showed a different picture. According to the study, the volume of spam increased slightly in January, despite the CAN-SPAM Act. Brightmail indicated that spam made up 60 percent of the entire e-mail traffic for that month.

Companies defend themselves

False Positive Rate

The only strategy that promises success right now seems to lie with users themselves. Companies are attempting to defend themselves with antispam solutions. Such is the case at SAP, where the desire for spam filters came from end users themselves, as reported by Bernd Himmelsbach, who is responsible for the design and operation of the e-mail infrastructure at SAP. But spam has nothing to do with the environment of SAP applications. “With automatic processes, such as those triggered by an e-mail, spam e-mail usually has no influence. The system pays attention to the syntax of an e-mail and ignores anything unfamiliar.” The internal solution at SAP focuses on keeping the e-mail accounts of SAP employees free of advertising.

However, some legal questions had to be clarified before the filters could be implemented. In Germany, if the private use of e-mail at the workplace is not explicitly forbidden, any manipulation of e-mail traffic can infringe on personal rights. The normal telecommunication laws apply here. The situation differs in the United States, where legal difficulties can arise when an employee receives spam with objectionable content. The first lawsuits are already underway: employees feel sexually harassed by pornographic spam at the workplace and hold the company responsible. According to the plaintiffs, the company should have filtered out the spam.

Sailing around legal cliffs

Together with its internal legal experts and the data protection officer, the IT department at SAP worked with SAP Hosting to set a basic principle: use of the spam filter is voluntary. To avoid colliding with foreign laws in Germany, an opt-in solution applies, according to Himmelsbach. Each employee who wishes to use the filter must activate it explicitly. “That happens with a few clicks of the mouse; all users can activate it themselves at their own PC without any difficulties,” says Himmelsbach. In the United States, however, opt-out applies. To protect the company, the spam blocker is activated for each e-mail account. Employees are free to turn it off. In this manner, SAP can implement a uniform, global solution and still respect legal usage in individual countries.
The desire for protection against spam is hardly unique to SAP employees. Here’s what Gerhard Langer, a consulting engineer at Ampeg GmbH, a service provider specializing in security, reports about the increasing volume of spam. “A level of spam that reaches 70 percent or even 80 percent is no longer unusual today. On average, 30 – 40 percent of the e-mail received by a company is spam.” Langer also observes an interesting effect. “Older companies, those that have used the Internet for several years, are usually more burdened with spam than other companies.” The reason, he thinks, is that employees used to treat their e-mail addresses carelessly. As widespread use of the Internet began, hardly anyone gave a second thought to providing their e-mail addresses in newsgroups or other forums.
In Langer’s experience, a spam filter is not a standard feature of an e-mail server, but more and more companies are interested in filters. “The problem will not solve itself, because spam earns a great deal of money, despite the immense losses caused by its scattered distribution. Because it costs next to nothing to send millions of e-mails, it’s enough when one of 100,000 recipients reacts to an advertisement.” The spam industry earned about €250 million in 2002 according to Langer.

Technological maturity

Langer by no means regards the technologies available from manufacturers today as mature. The purely heuristic search that forms the basis of many spam filters is simply too unreliable. In heuristic filtering, the system tries to classify the contents of e-mail by keywords, for example. As Langer notes, the heuristics are often designed in English, and translating them into other languages does not always work optimally. It’s also difficult for a heuristic search to distinguish between a spam e-mail and one that comes from a newsletter to which a user subscribes. Methods based upon signatures or familiar patterns, which are similar to virus detection, are better: they compare the signatures with the information in a database. These kinds of searches are language independent. However, as is also the case with virus scanners, these spam filters must be updated regularly.
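The contrast described above can be made concrete with a small added example (not from the article or from any vendor's product): an English keyword heuristic and a signature lookup are run over the same four constructed messages, and the false positive and false negative rates are computed for each. The keyword weights, the threshold, the sample mails and the hash-based signature scheme are all assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed sample mail as (body, is_spam); not taken from the article.
MAILS = [
    ("Buy cheap pills now!!! Limited offer, click here", True),
    ("Billige Pillen jetzt kaufen!!! Nur heute, hier klicken", True),  # German campaign
    ("Your weekly newsletter: limited offer on conference tickets, "
     "click here to register", False),                                # subscribed newsletter
    ("Minutes of Monday's project meeting attached", False),
]

# Heuristic filter: English keyword weights and threshold (assumed values).
KEYWORDS = {"cheap": 2, "pills": 2, "offer": 2, "click here": 2, "buy": 1}
THRESHOLD = 4

def heuristic_is_spam(body):
    text = body.lower()
    return sum(w for k, w in KEYWORDS.items() if k in text) >= THRESHOLD

def signature(body):
    # Normalise case, punctuation and whitespace so trivial edits
    # to a known campaign still produce the same signature.
    norm = re.sub(r"[^\w]+", " ", body.lower()).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

# Signature database as a regular update would deliver it: known campaigns only.
SIGNATURE_DB = {signature(MAILS[0][0]), signature(MAILS[1][0])}

def signature_is_spam(body):
    return signature(body) in SIGNATURE_DB

def rates(classifier, mails=MAILS):
    """Return (false positive rate, false negative rate) for a classifier."""
    ham = [b for b, spam in mails if not spam]
    spam = [b for b, is_spam in mails if is_spam]
    fp = sum(1 for b in ham if classifier(b))
    fn = sum(1 for b in spam if not classifier(b))
    return fp / len(ham), fn / len(spam)

if __name__ == "__main__":
    print("heuristic (FP, FN):", rates(heuristic_is_spam))
    print("signature (FP, FN):", rates(signature_is_spam))
    # A campaign that is not yet in the database passes the signature filter.
    print("unseen campaign caught:", signature_is_spam("Cheap watches, buy today"))
```

The heuristic blocks the newsletter and misses the German mail, while the signature lookup handles both languages but lets the unseen campaign through until the database is updated.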
Langer finds the traditional approach of blacklisting unreliable. This approach blocks entire Internet domains and refuses e-mail that comes from them. It relies on blacklists that are published somewhat regularly by various suppliers. “There are only a very few good suppliers in this area. With most lists, you can capture only a small percentage of spam.”
Langer figures that spam filters will become an IT standard in one to two years. He sees a trend of combining spam filters and virus detection into one solution. “Both work with content filters; both are required on an e-mail server.”

Spam filters pay for themselves quickly

Like everything else in IT, spam filters cost money. In addition to license fees and implementation effort, companies must purchase hardware; the system also requires maintenance and administration. But that shouldn’t frighten users when implementing defenses against spam. IDC calculates that a company that receives a spam volume of only 10 percent is already fighting losses in productivity that justify the implementation of a filter.

Jan Schulze