Word up

Aug 09, 2004 (7 mins)
Enterprise Applications, Malware, Messaging Apps

How do you set your spam filters to block key words when the Viagra mail has to get through?

IT execs at spam-magnet industries come up with creative ways to block spam while keeping legitimate e-mail flowing.

Believe it or not, Dan Lukas, lead security architect at Aurora Health Care, makes no attempt to halt e-mail with “Viagra” in the subject line.

Waxing and waning

Here’s why: Junk e-mailers learned long ago that when properly capitalized and spelled, Viagra (along with cousins Levitra and Cialis) is a dead-bang, Katie-bar-the-door, raise-the-drawbridge-and-flood-the-moat signal for any self-respecting spam filter. Hence the increasingly bizarre variants of such words in spam subject lines: v-i-a-g-r-a, Ci@lis, L*V*TR* and so on.

“It’s gotten so that an e-mail that just says ‘Viagra’ is extremely likely to be legitimate,” says Lukas, whose duties include spam fighting at Milwaukee healthcare provider Aurora, which has about 35,000 employees.

The hassles of spam affect all industries and are well documented. According to the International Telecommunication Union, the annual cost of spam has topped $25 billion, with a preposterous 80% of all e-mail sent consisting of junk. In corporations, spam takes a toll on worker productivity, bandwidth and storage, and can harm a company brand and lead to lawsuits.

But for some businesses – those whose products, services or terminology have been hijacked by junk e-mailers – the problem is even more complex; IT needs to make sure employees send and receive legitimate information without being inundated by spam.

Companies involved directly or tangentially in industries such as healthcare, pharmaceuticals, financial services, credit reporting, entertainment and employment services all face extraordinary spam-filtering challenges.

They tend to use a baseline of industry-standard strategies, tactics and technologies, plus some extra special tricks – such as allowing “Viagra” subject lines through.

Layering it on thick

“Regardless of industry, you have to take a layered approach – you need to identify the information that’s coming in, where it’s coming from, what its content is and where it’s going,” says Stephen Singh, a vice president and chief network architect at Fidelity Investments in Boston.

At Aurora Health Care, “We hit spam from a couple of different angles,” Lukas says. The company uses four McAfee WebShield e500 gateway appliances – two each for incoming and outgoing mail. In addition to virus-scanning, the appliances use customizable Bayesian filtering algorithms, which Lukas says he’s “dialed down to catch more stuff than the default,” because of the company’s spam-sensitive industry.

Aurora end users also get the opportunity to do some of their own spam filtering. The McAfee appliances attach a value to each message, and any e-mail that fails to meet a given threshold is deemed spam and dropped. However, borderline e-mails – those just below the threshold – can be marked as potential spam and placed in a separate folder in recipients’ Lotus Notes e-mail. There users can decide whether to accept the messages.
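The two mechanisms described so far can be sketched together: the clean spelling of a drug name costs nothing while disguised variants do, and a score threshold with a borderline band decides between delivery, the user's spam folder and a drop. This is an added example, not Aurora's or McAfee's logic; the look-alike table, point values, threshold and margin are assumptions, and a flat keyword penalty stands in for the Bayesian scoring the article mentions.

```python
import re

# Watch list: the three drug names the article mentions.
KEYWORDS = ("viagra", "levitra", "cialis")
# Look-alike substitutions (assumed set, not taken from the article).
LEET = str.maketrans({"@": "a", "4": "a", "1": "i", "!": "i", "|": "i",
                      "0": "o", "3": "e", "$": "s"})

def skeleton(token):
    """Lower-case, undo look-alikes, drop separators; '*' stays as a wildcard."""
    return re.sub(r"[^a-z*]", "", token.lower().translate(LEET))

def classify_token(token):
    """Return (keyword, 'plain' | 'obfuscated'), or None if no keyword matches."""
    bare = token.strip(".,:;!?\"'()").lower()
    if bare in KEYWORDS:
        return bare, "plain"
    sk = skeleton(token)
    for kw in KEYWORDS:
        # Require at least half the letters to be real, so "******" matches nothing.
        few_wildcards = sk.count("*") <= len(kw) // 2
        if len(sk) == len(kw) and few_wildcards and re.fullmatch(sk.replace("*", "."), kw):
            return kw, "obfuscated"
    return None

def score_subject(subject, base=100, penalty=60):
    """Higher is more trustworthy; only disguised spellings cost points."""
    hits = [h for h in map(classify_token, subject.split()) if h]
    disguised = sum(1 for _, kind in hits if kind == "obfuscated")
    return base - penalty * disguised, hits

def triage(score, threshold=50, margin=20):
    """Meets threshold: deliver. Just below it: user's spam folder. Else: drop."""
    if score >= threshold:
        return "deliver"
    return "quarantine" if score >= threshold - margin else "drop"

# Constructed sample subject lines.
SAMPLES = [
    "Viagra dosing question for Dr. Patel",
    "Ci@lis at wholesale prices",
    "v-i-a-g-r-a and L*V*TR* shipped overnight",
]

if __name__ == "__main__":
    for s in SAMPLES:
        score, hits = score_subject(s)
        print(f"{triage(score):10} {score:4} {hits} {s}")
```

Letter-by-letter spacing ("v i a g r a") is not covered here, because the sketch classifies one whitespace-delimited token at a time.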

According to Gartner analyst Betsy Burton, this user-tunable component is increasingly popular and important, especially in spam-sensitive companies. “We’re seeing more multi-level approaches to spam filtering,” Burton says. “That’s important because while a lot of junk is what you might think of as ‘classic spam,’ some spam is in the eye of the beholder.”

Fidelity’s Singh says that while the financial-services firm does not yet offer individual spam filtering at the desktop, such a plan is “under consideration.”

Users willing to accept extra junk

Overall, Aurora blocks 50,000 to 60,000 spam messages each day for its 35,000 employees. Lukas estimates the company receives 90,000 to 100,000 spams daily; he concedes that a big chunk of junk continues to reach end users but adds that in the healthcare industry, “A little bit of aggressiveness can bite you.” Better to grin and bear a bit of extra junk to ensure that all legitimate e-mail comes through.

While the major pharmaceutical companies declined to comment on how they deal with Viagra-type spam, experts say it’s probably a mix of light and heavy filtering, depending on the user. Gartner’s Burton points to educational institutions as another example. Because of the tradition of wide-open information flow in academia, she says, “Professors and students are going to want to receive all sorts of stuff that you probably don’t want administrators to get.”

Even without user-customizable filtering, businesses can accommodate individual users – until the company gets too big. Venture capital firm Ardesta invests in firms specializing in nanotechnology and micro-electromechanical systems. Because words such as “investment” and “opportunity” are so prominent in its legitimate e-mail traffic, the Ann Arbor, Mich., company could face a spam nightmare, according to Jeffrey Rinvelt, IT director. “We really get hammered,” he says. “You want to be accessible, but you don’t want [e-mail] to become unusable.”

Moreover, the 70 users Rinvelt supports have widely varying demands regarding spam. Those close to the front lines are loath to miss a single message and thus are willing to put up with a heavy load of junk mail.

Rinvelt uses Sunbelt Software’s iHateSpam content filter because he says the product makes it easy for him to offer users their own filtering profiles. “Some users want to be aggressive, some more passive,” he says. “I set them up on an individual basis.” Naturally, in larger companies this becomes unworkable.

No DIY, please

For nearly all corporations, even small to midsize businesses, the spam problem has become too big for do-it-yourself solutions. Pacific Crest Securities, a boutique investment bank and brokerage firm in Portland, Ore., with offices in Boston and San Francisco, learned that lesson the hard way.

Until last year, “We tried to let people use [Microsoft] Outlook tools” to deal with junk e-mail on an individual basis, says Joe Williams, systems administrator. Each of Pacific Crest’s 100 or so employees, primarily research analysts and investment bankers, “maintained their own spam list,” he says.

Top 10 bottom feeders

According to Commtouch Software, an anti-spam vendor, in the first half of 2004, the 10 most frequently mentioned products or services in spam were:
Drugs 29.5%
Mortgage/refinance 9.7%
Organ enlargement 7.1%
Shopping 6.9%
Software sales 6.1%
Financial 5.9%
Work from home/jobs 4.1%
Dating 3.2%
Pornography 3.1%
Weight loss 2.6%
Other notable entrants included beauty and health products (2.5%), debt “solutions” (2.5%), university degrees (2.4%) and vehicle warranties (1.9%).

The idea had curb appeal; the company had more than its share of tech-savvy power users, and in a spam-sensitive industry, it seemed wise to let individuals decide how to separate the wheat from the chaff. However, sometimes power users outsmart themselves. “People tried to fine-tune their filters” through custom whitelists and blacklists, Williams says. Trouble ensued. “All of a sudden, guys weren’t getting mail,” he says. “Every time we checked it out, it was [because of] a rule they’d added on their own.”

Nearly a year ago, Pacific Crest realized it was time for IT to seize control of the anti-spam effort. The company opted for Brightmail’s product, which immediately eliminated the problem of employees losing legitimate e-mail. (Symantec recently purchased Brightmail.) “For a while we quarantined everything and checked for false positives,” Williams says, adding that Brightmail eliminated the problem.

For the most part, the tactics that help any company fight junk e-mail apply to all industries. However, IT managers in sensitive industries need to go that extra mile to come up with approaches that can accommodate the special needs of their end users.

Ulfelder is a technology and automotive writer in Southborough, Mass. He can be reached at