ISPs turning guns on newer breed of spam

The amount of spam traversing the Internet appears to be on the decline, although the nature of that junk e-mail continues to shift from annoying to malicious – even dangerous. Therefore, enterprises are increasingly looking to stop e-mail threats before they enter their networks, and ISPs are becoming a logical place to look for help.

“We do see less spam, but the spam that remains has become much more illicit,” says Charles Stiles, postmaster at AOL, which is currently blocking about 1.5 billion spam messages per day. In 2003 and 2004, the ISP regularly blocked between 2 billion and 2.5 billion spam messages per day. “The next big headache is going to be phishing, which will take off more than it has.”

For example, Stiles says that phishers will expand their current practices of sending out e-mail disguised as messages from financial institutions to spoofing clothing companies and even carmakers, luring customers with coupons or other deals.

He also predicts enterprises will fall prey to phishing scams in which an e-mail appears to come from an employee in the company asking a co-worker for a password, therefore granting a phisher access to corporate, financial or other sensitive information. This should have enterprises particularly concerned.

Although it’s difficult to imagine any organization is without some form of spam protection today, the increasingly nefarious nature of spam is making hosted services look more attractive because, if effective, they keep virus- and phish-laden spam from entering corporate networks.

ISPs including AT&T, Verizon Business, Sprint and Savvis Communications are partnering with anti-spam companies and adding their services to hosted security offerings, therefore turning these service providers into spam fighters.

“To be competitive, ISPs don’t have any choice” but to offer spam protection, says Kenneth Emerson, director of strategic planning and CIO at Boiling Springs Savings Bank in Rutherford, N.J., which uses Perimeter Internetworking as an ISP and subscribes to a number of its managed security services, including anti-spam. “I’m not going to stay with a company that’s going to allow malicious things to come at me.”

Managed-security service providers such as Perimeter have been offering security services, including hosted firewall, intrusion detection and prevention, and distributed denial-of-service prevention as well as anti-spam and anti-virus for a few years. Now ISPs mostly known for their network services are getting into the security space.

The reason is twofold: It’s efficient to have the company that is providing an enterprise with Internet connections also cleanse the traffic it carries – instead of letting that happen at a customer’s gateway; and it gives ISPs a lucrative revenue stream to build their businesses around.

“There’s a better margin on [security] services than on offering Internet access,” says Daniel Golding, senior analyst at the Burton Group. He says adding anti-spam to ISPs’ security services makes sense, assuming these providers are already established in the market.

Partnerships important

And that’s what most big ISPs are doing. Aside from AOL, which developed its own multitiered anti-spam technology for its network, ISPs are partnering with anti-spam service providers such as Postini, MessageLabs, AppRiver, and FrontBridge (a Microsoft subsidiary).

Yet enterprises looking to outsource their spam defense could just as easily go directly to one of these vendors, so what’s the advantage of getting technology through an ISP? Price, says one analyst.

“ISPs can buy off [these vendors] in bulk and resell for pennies per month per mailbox,” says Paul Stamp, an analyst at Forrester Research. It’s the very large enterprises that tend to be interested in these managed anti-spam services – they can secure discount pricing because they have so many mailboxes to manage, Stamp says. And smaller organizations that can’t afford to pay IT workers who are dedicated to e-mail security also will see value in outsourcing the task, he says.

Midsize organizations are likely to outsource their e-mail to a hosting company, and would get spam protection as part of that arrangement, Golding says.

At Philips Medical Systems, a division of Dutch electronics giant Royal Philips Electronics, the company chose to get its spam protection from its e-mail hosting provider instead of bringing the function in-house, says Greg Weldon, director of service development with the unit, in Andover, Mass. Beyond having to tweak the system initially to prevent false positives – messages that filtering systems deem spam but are valid e-mails to the company – fighting spam has become the job of the service provider, which Weldon declined to name.

“It’s gone from being a complete nuisance to very manageable,” Weldon says.

Convenience another factor

Sprint, which resells FrontBridge’s anti-spam services as part of its security portfolio layered on top of its Internet service, says convenience is another advantage of getting anti-spam services through an ISP.

“It’s a one-stop shopping scenario, we’re one point that addresses all your network issues and applications,” says Janice George, product marketing manager for Sprint’s managed security services. “If you’re doing [spam blocking] in-house, you have to keep up with the technology, viruses. This way, with your e-mail going through Sprint before hitting the corporate network, there’s improved productivity and better use of resources.”

In Sprint’s case, using the company’s managed anti-spam service means wireless traffic also will be cleansed of junk e-mail and filtered for viruses before it hits a BlackBerry or cell phone, George adds.

Verizon Business uses MessageLabs’ anti-spam service, and over the next quarter plans to build the service into the core of its network so traffic doesn’t need to leave Verizon to be filtered, says Chris Sharp, vice president of security services. “That means much quicker delivery of e-mail,” he says.

The drawback to this outsourced model is on the outbound, because enterprises that need to monitor the traffic being sent out of their networks for regulatory or competitive reasons may find leaving this task to someone else ineffective, Forrester’s Stamp says.

“With outbound, you need a much better idea of business context” to be able to determine whether information is sensitive, he says. Even regulations that specify the type of information that can and cannot leave an organization tend to be open for interpretation, and a company may want to keep those decisions in-house.

Because e-mail is just one way that malicious code can make its way into an organization, ISPs aren’t likely to stop their protection services there.

Verizon Business, for example, plans to offer later this year MessageLab’s HTTP filtering along with the e-mail security service, Sharp says. This filtering will scour downloads – those intentionally made by employees as well as those that happen without users knowing it – for viruses, spyware and other malware.

The service provider also plans to offer its customers MessageLabs’ e-mail archiving service that was announced last week, Sharp says.