Coming soon to your IM client: Spim

Feb 09, 2004 | 6 mins
Malware, Messaging Apps, Networking

Experts predict that unwanted IMs have the potential to wreak just as much havoc as spam.

Instant-messaging spam – or spim, as it’s often called – is beginning its march into the corporate world. Spim isn’t nearly the headache that e-mail spam has become, largely because instant messaging isn’t as ubiquitous as e-mail in corporate settings and because the closed nature of IM networks makes IM spammers easier to catch. But experts predict that unwanted IMs have the potential to wreak just as much havoc as spam.

“So far we’re told by customers that [spim] is not a big problem. But we find it hard to imagine that it’s not going to turn into a tremendous issue,” says Sara Radicati, principal analyst at The Radicati Group. Radicati reports that 26% of companies are using IM as a corporate service, and 44% say employees use IM but it isn’t a company standard.

Financial companies are known for their heavy use of instant messaging, but Lee Blackmore, director of IT at Stifel Nicolaus, says he was surprised to learn how widespread IM use was at the Midwestern brokerage house. He was about to ban all use of IM for fear of security breaches that the service can cause, but the company’s institutional traders put up a fuss. Instead, he agreed to let the company’s 175 traders use any IM service they like and installed IMlogic’s IM Manager to control and secure communications.

“My concern [with IM], in running the IT department, was spam, and what people were really using [IM] for,” Blackmore says. Although the traders block incoming messages from people who aren’t on their contact lists, the majority of them are allowed to use IM to communicate with people outside the company.

As corporate use of IM rises, so does the potential for abuse. With the most popular consumer IM services – namely those from AOL, Microsoft’s MSN and Yahoo – available for free, all spammers need is a list of screen names to start clogging these systems with unwanted messages. Granted, it’s much harder today to flood networks with IMs than with e-mail because bulk mailing tools and lists of user names aren’t readily available to IM spammers. But some say it’s just a matter of time.

“God help us if we can’t see this thing coming” based on the industry’s experience with e-mail spam, says Jon Sakoda, vice president of products at IMlogic, which develops software that adds security to popular IM services.

Much like e-mail spam, spim eats up network resources and drains users’ productivity, but has the added punch of creating workplace issues when messages of a sexual nature invade workers’ screens.

“There’s some real potential danger for corporations,” says Matthew Prince, CEO of consulting firm Unspam and an attorney. “Many workers believe that their employer has the duty to protect them from unsolicited and pornographic content. If [the employer] didn’t, that would be enough to constitute a hostile work environment.”

Despite the potential threats posed to corporations, some of the major IM service providers maintain that spim isn’t really an issue. Spim accounts for less than 2% of traffic that crosses Yahoo’s IM service, called Yahoo Messenger, says Lisa Pollock Mann, senior director of Yahoo Messenger.

The company makes it difficult for spammers to abuse its service by requiring Yahoo Messenger senders to have a Yahoo ID; obtaining one includes a registration process and an image verification test that automated systems can’t pass, she says. Yahoo also monitors its IM network for signs of abuse, such as a high level of message sending, and will kick off any member who violates the terms of service, Mann adds.

However, some experts dispute the IM service providers’ claims that spim won’t become a major problem. “I’m very skeptical. Years ago if someone had asked them they would have given the same answer about e-mail spam,” Radicati says.

Microsoft doesn’t track how much spim crosses its MSN Messenger service, says George Webb, business manager for Microsoft’s anti-spam technology and strategy group, but the company does consider spim a growing concern. Version 6.1 of MSN Messenger, released last year, includes a reverse list that lets users see who has added them to their contact list and block incoming messages if they choose.

Blocking incoming messages from unknown senders is the most obvious way to prevent spim. However, users who rely on IM to communicate with the outside world, such as sales and customer service organizations, risk missing crucial messages if they block unknown senders. With more people listing their screen names on business cards and in contact information, it’s clear that limiting IM sessions to known senders won’t be a viable cure for long.

A new crop of software and services has emerged over the past year to help businesses ward off spim. In addition to IMlogic, companies such as Sybari and Zone Labs sell software that filters IM traffic running across the popular consumer services for spam and viruses. Many of these products offer additional features, such as end-to-end message encryption and archiving messages for regulatory reporting purposes. Start-up Convoq is working on its own IM and collaboration service that provides security and lets users message with contacts on other IM networks.

Spim also is attracting the attention of vendors that develop anti-spam filters for corporate e-mail systems. Companies such as Brightmail and CipherTrust say they’re evaluating how to attack the problem. “We have definitely seen spam expanding beyond e-mail to mobile devices and IM. . . . We expect to deliver solutions to fight spam for all types of devices,” says Enrique Salem, CEO of Brightmail.

Anti-spam vendors hope that by adding security on top of instant messaging, companies will be more willing to take advantage of IM as a crucial communications medium.

“Large organizations actually want to use IM and provide it for all their users, since users already have the skills because they’re probably already using Yahoo or AOL Instant Messenger,” says Fred Felman, Zone Labs’ vice president of marketing. “But large organizations are reluctant to put those services in place because of the vulnerabilities.”