September 2002

Online Madness: Please make it stop! By Jeff Meredith

“Claim a free gift card, FREE money for college, claim unclaimed funds, Gauge gets it from two guys, love will find you …”

Every morning, people around the world empty their inboxes of this mountain of garbage. While they’re in the process of doing so, they may also be greeted by a pop-up ad for Orbitz, the “Amazing X-Cam” or Reliaquote. “Is your family protected if something happens to you? With affordable term life insurance, you can make sure that necessities like tuition, childcare, and mortgage payments are taken care of—even if you’re not there.”

After wading through piles of messages, some will be left wishing they were gone for the day, far from their PCs and the flashing windows that make one susceptible to photosensitive epilepsy.

Spam and pop-up ads are an increasing problem online, an assault on the usefulness of the Internet that irritates and multiplies everyday. Brightmail, a seller of spam-filtering services, estimates spam tripled from 2000 to 2001, while Gartner estimates that spam grew fivefold during 2001. Within the last two years, some estimate spam has grown tenfold. Cauce.org, an anti-spam group, offers a depressing hypothetical—if only one percent of the 24 million businesses in the US decide to send you one message per year, you would still wind up with over 657 spams per day.

Suddenly, the two-megabyte storage limit for your Hotmail account seems all the more archaic.

Surveying this discouraging landscape, I-Street found hope in the array of solutions that are being offered today. There may be no magic bullets, but producers of antivirus software like McAfee, ISPs such as Earthlink, and small startups are making anti-nuisance technology addressing spam and pop-ups a priority.

A problem, but who’s spending money to solve it?

Of course, the market for anti-spam offerings may not really take off until we see an economic recovery and a loosening of tight IT budgets. eWeek recently reported that most IT managers “continue to view spam as a nuisance, rather than a mission-critical IT problem.” According to the market research company The Radicati Group Inc., cited in eWeek’s story, the market for anti-spam products is growing 20 percent per year, but adds up to only $88 million.

Vendors are a little more optimistic. With last month’s unveiling of Version 3.0 of it IronMail e-mail security appliance, CipherTrust, a two-year old company based in Atlanta (with a regional office recently added in Chicago), feels that it is poised to gain significant business with the Fortune 500. Director of marketing Matt Anthony says that spam “has crossed the line. It’s now a very hot issue and it seems like a whole lot of the Fortune 500 has budgets for spam.”

“They’ve gone from ‘Wouldn’t it be nice to stop a little bit of spam?’ to ‘Let’s spend some money, we’ve got to solve this problem.’ One, there’s kind of a pure productivity issue going on,” said Anthony. “Two, [Gartner analyst] Joyce Graff uses an analogy that I really like. She says that a company that fails to address spam for its employees is essentially doing the same thing should they fail to empty the trash can and let trash stack up in the corner of everyone’s office. The employer is sending the message… that we really don’t care about the work environment.”

CipherTrust’s latest offering of Ironmail includes standard spam protection features such as content filtering—the ability for security and e-mail administrators to select messages that can be filtered based on keywords—and also performs matching of spam signatures from collaborative, distributed networks gathering spam across the Internet. But the cost may exceed $25,000, precluding companies that can only afford lower-end solutions.

“There aren’t any bulletproof, 100 percent measures. You can spend a lot of money going to commercial

e-mail filtering services, but that’s out of reach for most small businesses and individuals,” says Raj Goel, CTO of Brainlink International, a 22-employee company based in New York City that

services the pharmaceutical and healthcare industry. Brainlink focuses on website and applications development and security and privacy consulting.

What about those damn pop-ups? Many new programs have emerged which are designed to stop pop-ups, but Goel has another suggestion for web surfers—use the Mozilla web browser. In June, Mozilla released version 1.0 of its software, the first release in nearly five years of development that didn’t have a beta or alpha attached.

“Mozilla actually has a control for disabling unrequested windows. You’re not disabling JavaScript, you’re not crippling your browser. You’re just preventing people from shooting pop-ups at you without permission,” said Goel. “And there are other things about it that make it fantastic. My favorite feature is the cookie control—every time a site sends me a cookie, it asks my permission whether I want to store them or not. So on the sites that I care about that I need to use cookies, I’ll enable them and everything else goes away.”

While Mozilla has nifty features, the fact remains the vast majority of web surfers are either browsing with Internet Explorer or Netscape. Earthlink, the third largest ISP in the country with close to five million users, clearly recognized this in deploying its Pop-Up Blocker software. On August 19, Earthlink began allowing subscribers to download a preview release of the software at no additional charge. However, Pop-Up Blocker is only available for Internet Explorer, said Jim Anderson, Earthlink vice president of product development.

“Given the market penetration of Internet Explorer, the fact that most are already using it, we thought that was critical. A nice easy way to block pop up ads while you’re still using the browser you’re most comfortable with,” said Anderson.

New York City-based SurfSecret Software, which just released Popup Eliminator 3.0, has a similar IE-orientation. Founder and CEO Jon Orringer said the program is available for Netscape and Internet Explorer. “There isn’t enough demand for the other ones like Opera right now,” said Orringer.

SurfSecret’s software utilizes a tool called SmartSensor, which is touted as making sure you get the pop-ups you want and blocking the ones that you don’t wish to receive; unsolicited pop-ups are stopped in their tracks, said Orringer.

McAfee may be known for its commitment to stopping viruses, but its latest suite of tools, McAfee Internet Security 5, is also focused on blocking pop-ups that eat up bandwidth. However, the company’s underlying ideology is that users must be notified of the features working in the background and be able to disable them if they wish.

“Our approach is basically to block them all [pop-unders, pop-overs, etc.] and it focuses on anything that’s smaller than your current browser window,” said Michael Turner, product manager for McAfee Consumer Products. “An alert pops up the first time it’s going to start blocking the pop-ups that reminds you that you have this functioning. Some people may turn on a particular protection and not be aware of it… you have the option to turn it off or keep using it.”

How intrusive? The perils of automated weed-out vs. personally tailored Eliminating spam and pop-ups isn’t exactly easy in a world where friend and foe are hard to distinguish. The consequences of false positives—refusing legitimate email and pop-ups—can be costly. “You don’t want to throw the baby out with the bathwater,” said Anderson of Earthlink, who eyes the future cautiously. Anderson knows that users are increasingly becoming aggravated as they surf and scan through unwanted messages, but the “challenge is how do you prevent the annoying behavior without disabling things that people want to see?”

“We’re looking at what other ways can we extend it beyond pop-up ads. Things like cookie management, not just pop-up windows but flash animations and other kinds of experiences that customers may or may not find useful and may find annoying,” said Anderson. “To the degree that you disable animation entirely - then when a customer goes to a site where there’s a legitimate animation that they want to see and you’ve disabled them, then they’re going to have an experience that’s substandard.”

There’s indeed a fine line between real trash and what appears in your junk mail folder. Keyword detection by e-mail filters is a risky gambit at best, says Geoff Kuenning, an assistant professor of Computer Science at Harvey Mudd College and expert on spam.

“There has been interest in recent times trying to automate the detection of keywords. The real trouble there is if you’re going to train something, somebody has to do the teaching – someone has to tell the AI [Artificial Intelligence] program what is a piece of spam, what is not a piece of spam,” said Kuenning. “If you have someone willing to put in the effort, it can work well. But most of us don’t have time to sit there. We want to delete our spam, we don’t want to do training.”

If you fashion yourself a trainer and have the patience, IronMail will allow you to get the job done. CipherTrust has tried to take rulemaking to a very granular level, allowing for both organizational rules and those applying to individual users, said Anthony.

“One of the big challenges we’ve found in terms of creating a security product that can be successful is actually making it manageable enough to where someone can live with it day in and day out and keep their security level high without ten people spending all their time configuring things,” says Anthony.

CipherTrust has come up with an automated spam management feature that can be tailored to one’s wishes. “You’re sitting at your desk and the Nigerian prince wants to send you $30 million … you forward this to Spamabuse@YourCompany.com. Typically, what that means is that you’d be hoping that someday an administrator would have enough time to look at that e-mail and figure out why it didn’t caught before and hopefully catch it the next time. What IronMail does is it automatically generates a new rule or policy that would’ve caught that e-mail,” said Anthony.

What makes your address a popular target For one, if you’ve posted your e-mail address on an online forum or bulletin board, it undoubtedly has been copied by spammers. Bots have found you and handed you off to their friends. If you have been illegally added to an e-mail list, don’t bother with the cancel your subscription feature. That will only tell scam artists that your e-mail

address is valid and invite an even greater deluge of unwanted mail. When you register for an online site, make sure you’re not giving away the keys to the kingdom – make sure you’re not giving the site the right to sell your e-mail address and look out for the checkboxes that are marked by default.

As a final resort, some companies may look to changing email addresses, but changing your longtime online identity on account of spam is indeed a tough pill to swallow. But it’s something you might have to consider if you’ve played into the hands of unsavory marketers.