Masterclass: Putting the lid on spam

Unsolicited email is becoming a major issue for all organisations, and a major opportunity for the channel. CRN brought together a group of interested parties to discuss the potential.

CRN: Spam is clearly a problem, but why should resellers be interested in it?

Ellis: Spam is a great opportunity for resellers, a great way of leveraging other product and services sales, such as consulting, helping customers put together e-policies, advising them on how they can reduce the problems.

Most end-users would acknowledge that it is a problem; what they won't know is the best way to solve it. Last year two per cent of email was spam, but this year it is going to be something like 50 per cent.

Cheney: User awareness is pretty high. We filter customer email for spam and it ranges from a minimum of 50 per cent up to as much as 90 per cent.

There is a real opportunity to save the customer money because there is a cost in terms of lost productivity, bandwidth and utilisation. You can actually quantify the cost and you can save them money.

Tarzey: Customers don't have a choice. They've got to do something about it. So resellers can go in and talk about spam because it's high-profile, and then talk to customers about other issues.

Doherty: The risk is that, if you go in to solve the problem, there is a definite negative connotation to that. You spend a long time building up email as a powerful and productive communication tool, and spam is devaluing that.

There is no single answer to the spam problem and a lot of things that need to be done, some of it with products but others have to come from much higher levels: government and the industry itself. Just stopping the server from relaying isn't enough.

Ellis: There are practical things resellers can advise their customers to do: don't publish email addresses, don't reply if you get spammed. But you're right, there is no silver bullet and it needs to be a multi-tiered approach, and it's the job of the channel to educate users around that.

Levenhagen: Spam is really only an extension of what we've been through with direct mail and then fax, and now it's moved onto email. I think it's an evolutionary process.

We can't do without email so we have to deal with the side-effects. There are people who are in business to generate spam, and that's where the attention needs to be focused, but it's not going to go away.

Cheney: The challenge with email is that there is no mechanism to validate who sends you a message. Spam is different to a mail-shot because someone had to pay for that, and they are regulated, so you have some recourse if you don't like what they send you. The same is true with fax.

But spam has low-cost distribution and is completely unregulated. The challenge is identifying email that you can trust. There is no mechanism to authenticate who sent you a message. Until that issue is solved, spam won't go away.

Corbelli: The only way to stop spam is to throw the internet out and start again. That is not going to happen. Spam is here to stay.

Legislation is going to take years, and there are questions as to whether that can have any impact at all. Research we've done recently showed 41 per cent of businesses still do not have an anti-spam solution in place.

Tarzey: There are three ways the spam problem can be addressed. There is the technology and the legislation, and the other way is to become more educated in the market so that the commercial appeal of spam disappears.

If we were educated not to respond to it, the commercial stuff would disappear. The only reason most people send spam is because they get some commercial benefit from it.

Corbelli: Spammers are able to generate roughly $48 for every half-a-million emails they send, so that gives you an idea of how much money they can generate and how many emails they have to send out to make a decent amount of money.

As people become more educated the numbers who respond will reduce, but you are always going to get responses. The internet is still growing and new users are still coming onto it.

Spammers are getting cleverer at getting things into your in-box using things such as social engineering and the recent 'phishing' problem that we've seen with people pretending to be banks.

Ellis: It is about education and because it is a moving target, resellers can continue to add value.

Gupta: There is an opportunity for resellers and I think they are getting the message from the customers. The concern for the reseller is understanding how to solve the problems for their customers, so we are back to education and the availability of technology they can implement.

Doherty: It seems to me we are missing something here, because if we could at least dramatically improve the authenticity of mail between businesses, that surely must reduce the problem. The risk is that we keep on providing products but not solving the problem at source.

Cheney: It's about who validates who I am. We have PKI [public key infrastructure], but getting an agreement on who is going to be the authority for that is a problem.

The other problem is defining what is spam. Mails telling me to buy products definitely are, but what about the others from sites I have registered with and can't remember?

CRN: Is the legislation coming in this December going to have any effect at all?

Bell: No. I honestly don't think it is going to have any significant impact on the spam problem in the UK at present.

Bates: I find the spam problem quite curious because I hardly get any. Yet there are people in my company who get them all.

Allan: It's estimated that AOL and MSN block 2.4 million spams a day, so you may not be getting them, but it doesn't mean they aren't being sent.

CRN: How large does spam loom among general security concerns now?

Allan: We would not really class spam as a security issue, but it is being thrown into the pot. Spam does not affect the availability or confidentiality of data all that much.

It can affect availability because it can crash mail servers, but it does not impact on confidentiality or integrity of the data. It's much more of a management than a security issue.

Ellis: But you can get spam that gets you to click on a URL and on that site is malicious mobile code and spy-web, and then it does become a security problem.

Bates: Spam is part of the bigger issue of productivity. Email is a problem in a lot of companies. There is a lack of quality thinking time because we are all under a constant blizzard of communication.

CRN: Are users worried at all that if you filter email that important messages will get lost?

Cheney: It's the question we get asked most and it's a big concern.

Allan: Maybe we are being a little bit too generous and should be far more draconian, and then the authentication becomes more realistic.

Corbelli: That would depend how restrictive a business can be and still operate.

Ellis: The scale of the internet is part of its appeal, and if you start cutting back on that you start losing that benefit.

Gupta: It comes down to policy again, but you are not going to stop spam coming from outside and to the technology and legislation.

Doherty: You choose to put an SSL [Secure Sockets Layer] certificate on your web server. I passionately believe email improves productivity because it cuts down the business cycle. Technology is the answer, but not in isolation.

Bell: We've missed a trick with the legislation. We had the opportunity to control business-to-business marketing by making it all opt-in, so you would not get any unsolicited communications, which wouldn't control all the spam but would help with some of the filtering.

But the business community in the UK lobbied the government really hard to make the regulations as weak as possible. In Europe, a lot of countries still have this requirement to opt in. If we had gone down that route the legislation would have been much more effective.

CRN: So our legislation is to opt out rather than opt in. Is that right?

Bell: For business-to-business communications, yes.

Gupta: But that's right because how would a buyer know for example about another company doing a better price?

Bell: Because you can opt in to receive that. I get bombarded regularly by product emails, but that's not my job. But I now have to tell them that I don't want to receive that email. It would be so much easier if I could go to them and ask to receive emails.

Ellis: There are a lot of basic things you can do to reduce spam; it's not just about selling products.

Doherty: Spam is one part of it but there is education and you get more credibility with the client if you take the approach of being there to help solve all of the customer's problems.

Cheney: Once you are on a spammer's list you are not going to come off it, and they propagate and sell the lists. The only effective way is to change your address or put some technology at the front of it to try to filter this stuff.

Tarzey: Can't you solve a lot of the problem by banning the use of POP3 [Post Office Protocol 3] and putting everything through SMTP [Simple Mail Transfer Protocol]?

Cheney: There are two types of spammers: those who make no attempt to disguise their addresses and those who use quite sophisticated techniques to try to obfuscate their spams to fool the filters.

They are now actively targeting corporate domains to try to harvest email addresses. They are great places to target because the addresses can't be changed very easily.

They run scripts that extract the names from your Exchange or Notes server, which will very kindly tell you whether or not an email address exists. Our spam volumes have doubled just in the past six weeks.

Doherty: Most organisations don't bounce emails anymore; that's standard practice.

CRN: But don't a lot of smaller businesses in particular just want to stop it without having to get involved with the complexities? And do people do anything about it until they need to?

Doherty: We hear that all the time, and a lot of SMEs can almost identify who they do want to receive emails from.

CRN: Are there any potential legal implications for resellers if they try to stop spam?

Bell: You can't guarantee that you will keep anyone spam-free, so you do need to make sure your terms and conditions cover you, so that you are not making that guarantee.

Allan: The emphasis needs to be on the free market. I'd guess that if an ISP could show it has better anti-spam properties it would sell better. But that's assumed now. You have no idea whether it's better or worse than anyone else's.

Cheney: In the consumer market it's a tick-box. The question is will you change your ISP if the spam gets worse?

Ellis: Business is different because you could be talking about hundreds or thousands of staff, and it then becomes a real drain on productivity, resources and infrastructure. I firmly believe the best ISPs will survive and those who take a proactive approach to spam will do better as long as they market that message.

Cheney: I don't think businesses look to ISPs to filter spam. They tend to talk to the guys who put the pipes in.

Allan: We work through BT and we see considerable drive through the ISP because they own the pipe.

Ellis: It's up to the ISPs to differentiate themselves and customers to make that choice.

CRN: Will the spam market develop along similar lines to antivirus?

Tarzey: There are some similarities between the antivirus and the anti-spam markets. Spam will become more commoditised, but at the moment it's a race to be the best, so it's a short-term opportunity in that sense.

The difference, though, is that while viruses can come in through all sorts of routes, spam can only come in through email. You must put antivirus on all your servers; you don't need that with spam.

Cheney: I think a lot of spam filtering will be outsourced because you need to change the rules every day, and it sits outside the network so it's much easier to outsource it and deal with it there, whereas antivirus sits inside the network.

Levenhagen: It is a very real opportunity, and customers and resellers are looking for solutions. They are feeling the pain of the problem.

Ellis: It is quite a personal thing really, particularly if it's making you unproductive. People feel quite strongly about it and because of that it is a good opportunity.

Levenhagen: And a lot of the guys who get it hold the purse strings. If the chief executive is getting a lot of spam, he's likely to be much happier to part with some money to fix it than he would for some other part of the IT infrastructure.

Tarzey: I think appliances will be popular in this market because they are cheap and effective. A hosted solution allows you to suck it and see, and then if you need something more robust in the future you can make a different investment. Resellers can sell software, appliances or a hosted solution.

Corbelli: Companies of a reasonable size will probably use both and have something that manages some of the problem and something on the server to filter content at a different level.

Levenhagen: This is good news because that's where the money is for the reseller. There's a level of intelligence that is required to advise at that level.

Ellis: Not everyone will want to outsource, but certainly bigger customers will want to take a multi-layered approach.

CRN: How should resellers address the spam issue with customers?

Doherty: It's about education of the customer. There is definitely an opportunity there, but it's not the right approach to go in and say, 'Spam is a problem, you need to buy all this new kit from me.'

We advise customers to subscribe to some sort of service, but in addition to that, put products in that you have control over. Have a clear policy, that users are educated and that they opt out of mailing lists if that's what they want to do.

Make sure email addresses are not obvious and switch off relay so you don't send failure messages. It's a whole combination of things and really it comes down to how big a problem it is for you and how badly you want to stop it.