Spam is spinning almost out of control, seriously eroding the productivity of Canadian firms and their employees, experts say.
For the past the 12 months or so, spam has comprised around 90–95 per cent of all e-mail.
That’s more than nine out of every 10 e-mails, notes David Poellhuber, founder and president of Zerospam, a Montreal-based provider of IT security services.
And spam costs the recipients dearly.
For knowledge workers, said Poellhuber, the chief cost is a sharp decline in productivity. Spam also gobbles up valuable time of IT employees, preventing them from contributing to the company’s core business, he said.
The impact on other business resources is also devastating.
Valuable tech resources being sacrificed on the altar of spam include: Internet bandwidth, CPU cycles, disk space and internal network capacity, the Zerospam founder said.
Big bust – a “drop in the ocean”
While welcoming last week’s massive anti-spam operation by the U.S. federal trade commission (FTC), Poellhuber doesn’t believe its impact in combating spam will be significant.
The feds busted a global spam network responsible for sending billions of illegal messages, encouraging consumers to buy unsafe male-enhancement and weight loss pills.
FTC officials estimate the spammers’ take was in the millions of dollars. A U.S. District court froze the assets of the perpetrators, and these may eventually be used to pay off consumers who bought the drugs.
The FTC’s big bust – though welcome news – isn’t really going to scale down overall spam volumes, Poellhuber suggests.
“It’s a good thing anytime we see a spammer ring go down, but I think [the FTC operation] is a drop in the ocean.”
And it isn’t going to change anything for Canadian business users and knowledge workers, he says. “Let’s face it. They’re still going to have to deal with this massive outbreak of spam today.”
Outlawing spam
Experts also say there’s a need for tougher anti-spam laws in Canada.
Right now – unlike the U.S. and many other countries – Canada has no anti-spam legislation, notes Michael Geist, who holds the Canada research chair of Internet and e-commerce law at the University of Ottawa.
Geist said privacy laws, in some instances, can be used to counter spamming activity.
Other industry observers agree such legislation is long overdue in Canada.
We’re the only G8 country without specific anti-spam laws, said Poellhuber. He said several bills on the issue have been introduced – the latest one (S-235) by senator Yoine Goldstein.
In Canada, a government-initiated task force recommended specific anti-spam legislation in a 2005 report, noted Dermot Harnett, principal analyst, anti-spam engineering at Cupertino, Calif.-based Symantec Corp.
For Canada, the European Union’s legislation would be a better model to emulate than the Can Spam Act in the U.S., Poellhuber said. “We’ve seen an increase of 40 per cent of spam levels between 2003 and 2004, right after the Can Spam Act.”
He noted that the Can Spam Act permits e-mail marketers to send unsolicited commercial email as long as it adheres to three basic types of compliance defined under the Act.
That places the onus on spam recipients to opt out, while the EU legislation uses “opt in” as proof of consent, making it more stringent.
“Direct marketers don’t really like that, but Canadians are very clear,” said Poellhuber. “They only want to receive stuff they’ve given consent for and [nothing else].”
But he notes that while legislation is important in the battle against spam, tough laws alone will not solve the problem. They would help deal with domestic spam, but are unlikely to curtail overall spam volumes.
“Spam is a transnational issue,” he said. “For every one spam ring that goes down, there may be eight or nine others popping up.”
The resources – people and costs – of a global crack down on spam would be enormous, the Zerospam founder noted.
Botnets – lean, mean, spam machines
Most spam today is sent through botnets, networks of captured computers or bots that are then used for nefarious purposes.
Owners of infected computers are usually not even aware that their machines are being used to send out spam.
The recently busted spam ring in the U.S. was running a botnet of 35,000 machines, Poellhuber noted. “We’ve seen botnets ranging from 100,000 to more than a million machines.”
Infected e-mails or Web sites are a common mechanism for capturing computers and turning them into bots.
Today social networking sites – because of their huge popularity – are being used by spammers to spread malware and capture machines.
“Spam will get to any device that it can,” Poellhuber noted. “If you have an Internet-enabled chances are you would get spam on it one day.”
He said spammers resort to all sorts of tactics – such as mimicking a Facebook contact. “What’s even scarier is they try to get your credentials.”
While there’s no easy antidote, experts say education about security threats, along with a sophisticated e-mail security system could go a long way in containing the spam menace.
Spam busters
While there’s no easy antidote, experts say education about security threats, along with a sophisticated e-mail security system could go a long way in containing the spam menace.
Symantec recommends a number of best practices that could help in a work setting:
- Use an e-mail security application – This product should protect your network from spam and viruses, while still allowing legit email through
- Create a spam filter – Once you have your anti-spam app in place, determine the type of filter required. Select a filter that focuses on the most common spam criteria
- Consider alternate e-mail address options – Use a separate e-mail address when signing up for mailing lists, get different e-mail addresses for different purposes, or look into disposable address services
- Remove e-mail addresses from your business Web site – If you have your e-mail address posted on a company’s Web site, expect spam
- Educate employees on secure email practices – If you have a business, advise your employees to be on the lookout for suspicious e-mail messages, and to never fill out forms in email messages that ask for personal or financial information or passwords
- Report spam – Report suspicious online promotions of Symantec/Norton branded software to [email protected]
