Postini: Spam Building Muscle - InternetNews.
RealTime IT News

Postini: Spam Building Muscle

Spam and its attendant risks are only going to get worse in 2005, an e-mail security assessment report released by Postini this week said.

Despite new technologies and laws introduced in 2004, the threats of phishing attacks, zombied computers and directory harvest attacks (DHA) continue to plague companies and end users.

"The spam problem is far from 'solved,' and I think everyone realizes this," said Chris Smith, Postini's senior product marketing director. "You know, we've thrown everything but the kitchen sink at this problem."

He points to several actions taken by the tech industry and the U.S. government to halt, or even slow down, the growing spam problem: the CAN-SPAM Act, the controversial law that went into effect in January 2004; the rise of new technologies like Sender ID for E-Mail and DomainKeys; and court sentences handed down to convicted spammers.

Technologies like Postini's managed e-mail security service, software solutions from Symantec or McAfee, or appliance-based e-mail security from companies like CipherTrust haven't really put a dent in the overall spam problem, Smith said.

Postini's results, gathered from its more than 4,200 customers who generate roughly 400 million e-mail connections every day, found other trends in 2004:

  • The average company gets hit with a directory harvest attack (DHA), a request sent to e-mail servers in an attempt to find legitimate e-mail addresses, 150 times a day. With an average of 250 invalid e-mail delivery attempts per DHA, this results in an average of 37,500 delivery attempts per day.
  • Seventy-five percent to 80 percent of all e-mail is spam, and another 10 percent consists of some form of phishing, denial-of-service attack, DHA or virus threat.
  • The number of virus-infected e-mails has tripled in the last year, accounting for 1.5 percent of all e-mails.
  • More than one-third of all spam is sent by zombied computers.
  • One percent of spam is some variety of phishing attack.

Another statistical trend reported by Postini is that the size of a company and its industry helps determine how much spam a user gets.

Postini reported that companies with fewer than 100 e-mail users received 35 spam messages per day, per user. Enterprises with more than 10,000 employees, however, received fewer than three per day, per user.

E-mail users in particular industries are susceptible to more spam, with publishing and advertising industries receiving more than 25 spam e-mails per user, per day, while employees in the pharmaceutical, electronics and food and beverage industries receive about one spam message per user, per day.

Smith said spammers target smaller companies because they expect the defenses there to be less stringent than at larger companies or because smaller companies are less disciplined about protecting e-mail addresses.

How the 2004 results fare in the business world hasn't been determined. But Matt Cain, an analyst from the Meta Group, said that in the vendor world it will mean more consolidation within the industry.

He said e-mail security vendors will have to be able to deliver their product on two of three delivery models available -- software, hardware or hosted -- and he expects the latter two will gain ascendance over the former.

As the sophistication of e-mail-delivered attacks increases, Cain also said vendors will need to provide a more all-in-one solution to customers who are looking for a single vendor to provide a complete e-mail security option.

"Buyers are incredibly fed up with going to multiple sources for multiple virus and DoS and MTA and spam-blocking services," he said. "So from a demand perspective, they'll increasingly look at one vendor to supply multiple needs."