This Tech Guide explores the strategies and shortcomings behind anti-spam tools.

InformationWeek Staff, Contributor

August 23, 2003


One of the primary disadvantages of rule-based filtering techniques is the amount of maintenance required to keep the filters up to date. An InformationWeek Research survey of 550 major businesses finds that IT departments spend 8% of their time administering anti-spam systems. Additionally, many companies combine their antivirus and anti-spam strategies, since viruses are often transmitted via spam anyway. Combining that with the use of various blacklists results in a serious drain on IT staff.

One escape route, popular in the security world, is to outsource the E-mail service, using managed spam services. "It's just smarter to give it to the experts and let them provide the service," says John Dean, CIO of office-furniture maker Steelcase Inc., which has just begun outsourcing spam and virus filtering for its 16,000 worldwide employees to Postini Inc. Steelcase is moving away from using Trend Micro Inc.'s antivirus and anti-spam technologies on its in-house E-mail servers, which are mostly IBM mainframe-based E-mail systems running Fisher International Inc.'s Tao and Technology Nexus AB's Memo. "The impact has been tremendous," Dean says. "We're blocking 90% to 95% of the spam and viruses."

Anti-spam software that deploys statistical analysis techniques to "learn" about spam patterns in E-mail messages can lessen the amount of management required. Bayesian techniques, which combine analysis with statistical probabilities, can sometimes identify spam based on stored analysis of previous spam. The more spam such a filter identifies, the better it gets at recognizing new spam. A January Gartner study cautions, though, that such artificial-intelligence systems work best on the desktop, where they can focus on learning a single user's definition of spam. If they are deployed on a mail server or gateway, care should be taken not to "stray into the realm of opinion or personal choice" when deciding which E-mails are spam and which aren't.
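The per-user point can be seen in a small naive Bayes filter. The sketch below is an added example, not code from the article or from any product it names; the training messages, the user names and the 0.5 decision point implied by the test are constructed assumptions.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Naive Bayes spam filter with add-one smoothing (teaching sketch)."""
    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    @staticmethod
    def tokenize(text):
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def train(self, text, label):
        self.messages[label] += 1
        self.tokens[label].update(self.tokenize(text))

    def spam_probability(self, text):
        vocab = len(set(self.tokens["spam"]) | set(self.tokens["ham"]))
        total = sum(self.messages.values())
        score = {}
        for label in ("spam", "ham"):
            # Prior: share of the training mail carrying this label.
            score[label] = math.log((self.messages[label] + 1) / (total + 2))
            seen = sum(self.tokens[label].values())
            for tok in self.tokenize(text):
                # Smoothed likelihood; unseen words get a small nonzero weight.
                score[label] += math.log((self.tokens[label][tok] + 1) / (seen + vocab + 1))
        return 1 / (1 + math.exp(score["ham"] - score["spam"]))

# Constructed training mail, not real corpus data.
SHARED = [("cheap pills buy now", "spam"), ("win money now click here", "spam"),
          ("meeting agenda for monday", "ham"), ("project status report attached", "ham")]
VENDOR_MAIL = "vendor discount offer on office chairs"
INCOMING = "new discount offer from vendor"

def build(extra):
    f = BayesFilter()
    for text, label in SHARED + extra:
        f.train(text, label)
    return f

def verdicts():
    engineer = build([(VENDOR_MAIL, "spam")])   # this user reports vendor offers as spam
    buyer = build([(VENDOR_MAIL, "ham")])       # this user wants them
    gateway = build([(VENDOR_MAIL, "spam"), (VENDOR_MAIL, "ham")])  # one model for both
    return {name: round(f.spam_probability(INCOMING), 2)
            for name, f in (("engineer", engineer), ("buyer", buyer), ("gateway", gateway))}

if __name__ == "__main__":
    print(verdicts())
```

Trained per user, the filter gives the same incoming message a confident but opposite verdict for each mailbox; the single gateway model, fed both users' conflicting labels, lands near the middle and cannot serve either well.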

Newer Anti-spam Techniques
Content filtering and blacklisting are the business technologists' front-line defense against spam, but new techniques are necessary. This isn't a level playing field--spammers have your identity information, but you don't have theirs.

Secure messaging is one area that shows promise for defeating spam. Secure messaging makes use of whitelists to validate incoming E-mail, but it also requires that senders have valid digital credentials--some form of encrypted ID. The ID might validate the domain name people are sending E-mail from, or it may validate the user sending the E-mail. Some businesses already use public key infrastructure and S/MIME (Secure Multipurpose Internet Mail Extensions) to ensure that only authenticated E-mail passes through corporate E-mail systems. Secure messaging would simply extend the security to incoming E-mail from the public Internet. Using digital identities over the public Internet has proven difficult, though, because there are no universal standards for digital identities.

Updating the 20-year-old protocols that form the basis for the Internet's E-mail infrastructure would make deployment of a digital identity standard easier, and make it harder for spammers to hide from authorities. IPv6, SMTP2, and DNSSEC are emerging standards that could replace the aging TCP/IP (IPv4), SMTP, and DNS protocols now in use. They offer better support for authentication and routing than current protocols.

In the telephone world, caller ID gives you the option of answering a call only when you know who the caller is, thus avoiding contact with telephone spammers. In the E-mail world, the same technique has been proposed, and is known as challenge-response. With challenge-response, the sender of each incoming E-mail is compared to a user's whitelist of known, valid E-mail addresses. If the sender isn't on the whitelist, an E-mail is sent to the sender, and he or she is challenged to respond. The challenge isn't just a simple E-mail message, because that could be answered by a robot. Instead, the challenge E-mail contains something that requires a human to interpret, such as a hazy GIF image containing a word that the user has to read and then type into the response. But there are some major problems with challenge-response. It can play into the hands of spammers since a response from the user validates the existence of the E-mail address, and it also generates twice as much E-mail traffic.
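The hold-and-challenge flow described above, as an added example that is not from the article or any vendor's product. The class and function names are hypothetical, the addresses are constructed, and a random token stands in for the word a human would read from the challenge image.

```python
import secrets

class ChallengeResponseGateway:
    """Holds mail from unknown senders until they answer a challenge."""
    def __init__(self, whitelist):
        self.whitelist = {a.lower() for a in whitelist}
        self.held = {}       # challenge token -> (sender, message)
        self.inbox = []      # mail actually delivered to the user
        self.outbound = []   # challenge messages the gateway had to send
        self.received = 0    # every inbound message, replies included

    def receive(self, sender, message):
        self.received += 1
        sender = sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, message))
            return None
        # Unknown sender: quarantine the mail and send a challenge back.
        token = secrets.token_urlsafe(16)
        self.held[token] = (sender, message)
        self.outbound.append((sender, token))
        return token

    def respond(self, sender, token):
        self.received += 1   # the reply is one more inbound message
        entry = self.held.get(token)
        if entry is None or entry[0] != sender.lower():
            return False     # unknown token, or answered from another address
        del self.held[token]
        self.whitelist.add(entry[0])   # sender is trusted from now on
        self.inbox.append(entry)
        return True

def simulate():
    # Constructed traffic: one known sender, one new contact, one bulk mailer.
    gw = ChallengeResponseGateway(["alice@example.com"])
    gw.receive("alice@example.com", "lunch?")
    token = gw.receive("bob@example.org", "intro from a new contact")
    gw.receive("bulk@example.net", "unsolicited offer")   # never answers
    gw.respond("bob@example.org", token)
    return {"delivered": len(gw.inbox), "held": len(gw.held),
            "challenges_sent": len(gw.outbound), "inbound": gw.received,
            "bob_whitelisted": "bob@example.org" in gw.whitelist}

if __name__ == "__main__":
    print(simulate())
```

Three original messages cost the gateway two outbound challenges and one extra inbound reply, which is the traffic overhead the paragraph describes; the unanswered bulk message simply stays in the hold queue.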

Educating end users on how to recognize and avoid spam deserves more attention than it's getting. Often, a small percentage of a business' users are receiving the majority of the spam. While that can sometimes occur because of factors beyond a user's control, it also occurs because of people who haven't been judicious about where or how they reveal their E-mail addresses. Opt-out queries inside a spam message are a typical ploy used by spammers. Responding just tells the spammer that your E-mail address is valid. To avoid these types of end-user errors, a companywide spam policy telling employees what to do is a smart option to consider.

Anti-spam products have moved to the mainstream with astounding speed, driven by pressing need. And spam has found a firm place as a part of our culture. Even Consumer Reports magazine featured a June cover story comparing spam filters for various E-mail clients. Heightened end-user awareness along with tougher laws and better anti-spam techniques are key elements to make the war against spam easier.
