Re: That Spam I Sent You

If Congress can't stem the tide of junk E-mail, what can CFOs do? More than you'd think.
John Goff, June 12, 2003

It’s hard to put a price-tag on what junk email is costing U.S. businesses. One company that specializes in blocking junk email claims spam costs U.S. businesses $10 billion each year in lost productivity. Of course, it’s not real likely that a company that specializes in blocking junk email would come out with a survey showing that spam costs U.S. businesses $800 annually. There’s no percentage in it.

Still, it certainly seems like spamming has increased substantially over the past few months. What used to be a nuisance at home has become a real problem at work. I didn’t start getting a lot of spam at the office until about three months ago. Now, I get forty to fifty junk emails a day.

And apparently, I’m not the only one. According to a study conducted by MessageLabs, unsolicited commercial e-mail accounted for 51 percent of all messages received in the workplace during the month of May. MessageLabs says that’s the first time spam has comprised the majority of electronic messages in Corporate America’s inbox.

The problem with spam? Mostly, the sheer volume of the stuff. Two or three daily emails requesting help in transferring funds out of Kenya is one thing. But four dozen junk emails a day is a different matter entirely.

Spammers have gotten so good at masking their intentions, in fact, that legitimate business emails can get overlooked, or even erased. Prior to the recent deluge of spam, it was fairly easy to identify an email with the subject line like “Hey Big Fella, Are You Big Enough?” But now, business users get hit daily with emails with subject lines such as “Re: Our Meeting Today,” or: “You Left Your Jacket in My Office.”

Worse, some e-mail subject lines also contain the names of people you’ve sent legitimate emails to — a practice that would seem to border on invasion of privacy. Really, how do all these spammers figure out who you just sent an e-mail to? Senders of unsolicited e-mail say their practice is no different than the sending of junk mail. But how often do you see junk mailers rifling through your mail box for return addresses?

Admittedly, senders of junk mail often try to snooker you into opening their letters by using misleading word play. But the come-ons for spam tend to go beyond misleading word play. In fact, a recent analysis of 1,000 unsolicited commercial emails (conducted by the FTC) found that 33 percent of the spam messages contained outright falsities in the “From” line. Of those, half claimed to be from someone with a personal relationship with the recipient.

Trying to figure out what to do about commercial spam — or how to keep it from shifting in transit — is no easy matter. In a Congressional hearing in late May, lawmakers took up the issue of junk commercial electronic mail.

At the meeting, senators and speakers offered suggestions about how to fix the problem. Microsoft Chairman Bill Gates supported the drafting of a federal spam law, one that would allow legitimate marketers to be certified by the government. Not-so-legitimate marketers, Gates suggested, should be required to attach labels to their e-mail identifying them as unsolicited so an Internet user could delete them without opening them.

Of course, several states already require senders of commercial spam to begin every subject line with “ADV:”. But in the FTC’s study, only two percent of the junk e-mail complied with the law.

Sen. Mark Dayton (D-Minn.) believes lawmakers ought to go after spammers’ wallets. At the hearing, he recommended that Congress pass legislation affixing a small surcharge on e-mail. “I think it’s worth looking at some very, very small charge for every e-mail sent, so small that it would not be onerous for an individual or business that has regular [e-mail] use, but it would be a deterrent for those who are sending millions and even billions of these e-mails,” Dayton said, in a very long sentence.

An interesting idea, although scores of legitimate businesses — online retailers, pure-play etailers, financial services companies, publishing companies, and others — send a fair amount of their own e-mail to consumers. An e-mail tax could hurt those businesses, although they might end up saving money if their employees get less spam in the long run.

Sen. Dayton has also proposed setting up a national Do-Not-Spam registry, akin to the national Do-Not-Call registry the FTC will be launching this summer to combat excessive phone solicitation. But at the hearing, Federal Trade Commission (FTC) member Orson Swindle reportedly scoffed at the idea of a Do-Not-Spam list. “You’re talking about an incredibly large database that would be difficult to secure,” he reportedly told lawmakers. “If I’m a spammer, I think that [list] is a target-rich environment.”

Discouraging stuff. In fact, if lawmakers, tech CEOs, and regulators aren’t entirely sure how to fix the spam problem — and the FTC this week told Congress it needed even greater powers to go after spammers — you have to wonder: can mere finance chiefs do anything to help combat the flood of unsolicited commercial email engulfing employees?

The Spam Files

Actually, they can. While it’s next to impossible to eliminate spam (a grisly image if ever there was one), IT experts do say finance chiefs can bring pressure to bear on chief technology officers to go to battle against spammers every day. In many cases, CIOs will get very diligent about blocking junk e-mail after receiving complaints from senior executives. But once other projects come along, they tend to forget about the spam problem.

And as experts point out, combating spam is an ongoing process, not a one-time fix. A company may come up with an effective way of reducing junk e-mail, but rest assured, spammers will eventually find a way to beat it. Think of it as a digital arms race.

Indeed, a CTO who tells a CFO that “the spam problem is fixed” is probably being less than forthright. That’s why finance chiefs should insist on reports (at least once a quarter) indicating what’s being done to limit incoming junk e-mails — and the success rate of the program.

Beyond insisting upon vigilance, tech experts say CFOs need to ask their CTOs specific questions about their anti-spam strategies. At the very least, a finance chief should expect the company CTO to be actively pursuing at least two of the following four approaches:

  • Creating a White List. A white list contains all the outside sources that a company will accept e-mail from. If someone not on the list sends an unsolicited e-mail, the e-mail bounces back. But note, the bounced e-mail typically contains a message explaining a company’s policy for handling unsolicited e-mail. That message should contain a link for senders who want to get on the company’s white list. The white list concept has been gaining adherents at a number of corporations over the past six months.
  • Creating a Black List. The opposite of a white list, this list contains the URLs of all senders a company will not accept e-mail from. Essentially, the list is built by collecting the e-mail addresses of spam sent to employees. Black lists can be somewhat effective, but remember, spammers are a clever lot. If you block all e-mails coming from “Poughquag,” spammers will eventually glom on, and will change their email address to “Poughquag1.” You block “Poughquag1” and pretty soon, your employees start getting spam from “Poughquag2.”

You get the idea. But bear in mind, some spammers won’t spend the time circumventing a black list, and will instead move on to easier targets. It’s kind of like stealing an automobile. All things being equal, a thief will generally jack the car that is easiest to steal. The Club people have made a pretty good living off the concept.

  • Filtering. Filtering offers a simple way to block pornographic messages, which account for about 20 percent of all unsolicited e-mail, according to anti-spam specialist Brightmail. The easiest approach is to simply block any e-mail messages that contain embedded images. Interestingly, the FTC found that 41 percent of spam with “adult” images contained false Subject or Address lines.

The problem with filtering: legitimate commercial e-mails often contain embedded images — things like company logos and the like. Obviously, you don’t want these e-mails blocked.

  • Refusing Spiders. No, we’re not getting weird here. Spiders are agents that go through Web sites and hunt down particular items. Google, for example, employs spiders in finding matches for a user’s search request. Refusing spiders on your corporate Website might keep spammers from grabbing employee names off the site and then bombarding those workers with junk e-mail. But if it’s important for your company’s Website content to show up in search requests — and that’s a yes for many companies — refusing spiders is probably not a great strategy.
  • Complaining to ISPs. Admittedly, internet service providers can only do so much in going after junk e-mailers. Essentially, they’re just innocent relayers of the stuff. Still, ISPs maintain entire departments that do nothing but investigate spam complaints, and executives at ISPs tend to pay particular attention to corporate complainers. What’s more, the FTC says it uses a database of millions of junk e-mails when it attempts to prosecute spammers. And where do they get those e-mail addresses? In part, from complaints passed on by irate spam recipients to ISPs. In other words: it pays to make a nuisance of yourself.
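
The white list, black list and embedded-image filter described above, combined into one acceptance check as an added example (not code from the article). The addresses, the list contents, the `strict_white_list` switch and the order in which the rules apply are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed policy data (assumed for illustration, not from the article).
WHITE_LIST = {"billing@supplier.example"}
BLACK_LIST = {"poughquag@bulk.example", "poughquag1@bulk.example"}

def make_msg(sender, subject, image=False):
    """Build a constructed sample message, optionally with an inline image."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("Hello.")
    if image:
        msg.add_related(b"\x89PNG\r\n", maintype="image", subtype="png")
    return msg

def has_embedded_image(msg):
    """True if any MIME part of the message is an image."""
    return any(p.get_content_maintype() == "image" for p in msg.walk())

def classify(msg, strict_white_list=False):
    """Return (verdict, reason); the rule order is an assumption."""
    sender = parseaddr(str(msg["From"]))[1].lower()
    if sender in WHITE_LIST:
        return "accept", "white list"         # trusted senders skip the filter
    if strict_white_list:
        return "bounce", "not on white list"  # bounce carries the sign-up link
    if sender in BLACK_LIST:
        return "reject", "black list"         # exact match only
    if has_embedded_image(msg):
        return "reject", "embedded image"     # also catches harmless logos
    return "accept", "default"

SAMPLES = [  # constructed messages
    make_msg("Supplier <billing@supplier.example>", "Invoice", image=True),
    make_msg("poughquag1@bulk.example", "Re: Our Meeting Today"),
    make_msg("poughquag2@bulk.example", "You Left Your Jacket in My Office"),
    make_msg("news@retailer.example", "June catalog", image=True),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["From"], "->", classify(m))
```

The third sample shows the renamed sender passing the exact-match black list, and the fourth shows a logo-bearing commercial mail rejected by the image filter because its sender is not white-listed.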