Postini: Spam Building Muscle

Spam and its attendant risks are only going to get worse in 2005, an e-mail
security assessment report released by Postini this week said.

Despite new technologies and laws introduced in 2004, the threat of phishing
attacks, zombied computers and directory harvest attacks
(DHA) continue to plague companies and end users.

“The spam problem is far from ‘solved,’ and I think everyone realizes this,”
said Chris Smith, Postini’s senior product marketing director. “You know,
we’ve thrown everything but the kitchen sink at this problem.”

He points to several actions taken by the tech industry and the U.S.
government to halt, or even slow down, the growing spam problem: the
CAN-SPAM Act, the controversial law that went into effect in January 2004;
the rise of new technologies like Sender ID for E-Mail and DomainKeys; and
court sentences handed down to convicted spammers.

Technologies like Postini’s managed e-mail security service, software
solutions from Symantec or McAfee or appliance-based e-mail security from
companies like CipherTrust, haven’t really put a dent in the overall spam
problem, Smith said.

Postini’s results, gathered from its more than 4,200 customers who generate
roughly 400 million e-mail connections every day, found other trends in

  • The average company gets hit with a directory harvest attack (DHA), a request sent to e-mail
    servers in an attempt to find legitimate e-mail addresses, 150 times a day.
    With an average of 250 invalid e-mail delivery attempts per DHA, this
    results in an average of 37,500 delivery attempts per day.
  • Seventy-five percent to 80 percent of all e-mail is spam and another 10 percent is comprised of some form
    of phishing , Denial of Service attack, DHA or
    virus threat.
  • The number of virus-infected e-mails has tripled in the last year,
    accounting for 1.5 percent of all e-mails.
  • More than one-third of all spam is sent by zombied computers.
  • One percent of spam is some variety of phishing attack.

Another statistical trend reported by Postini is that
the size of a company and its industry helps determine how much spam a user gets.

Postini reported that companies with fewer than 100 e-mail users received
35 spam messages per day, per user. Enterprises with more than 10,000 employees, however,
received fewer than three per day, per user.

E-mail users in particular
industries are susceptible to more spam, with publishing and advertising
industries receiving more than 25 spam e-mails per user, per day, while
employees in the pharmaceutical, electronics and food and beverage
industries receive about one spam message per user, per day.

Smith said spammers target smaller companies because
they expect the defenses there to be less stringent than at larger companies or because
smaller companies are less disciplined about protecting e-mail addresses.

How the 2004 results fare in the business world hasn’t been
determined. But Matt Cain, an analyst from the Meta Group, said that in the
vendor world it will mean more consolidation within the industry.

He said e-mail security vendors will have to be able to deliver their
product on two of three delivery models available — software, hardware or
hosted — and he expects the latter two will gain ascendance over the

As the sophistication of e-mail-delivered attacks increases, Cain also said
vendors will need to provide a more all-in-one solution to customers who are
looking for a single vendor to provide a complete e-mail security option.

“Buyers are incredibly fed up with going to multiple sources for multiple
virus and DoS and MTA and spam-blocking services,” he said.
“So from a demand perspective, they’ll increasingly look at one vendor to
supply multiple needs.”

News Around the Web