The spam arms race

Criminal spammers have unleashed an aggressive assault on e-mail inboxes around the world -- part of an increased campaign expected to cost the global economy $100 billion in 2007.

Earlier this month, security experts began noticing several new types of spam that evaded their defense systems.

By attaching PDF files or Excel spreadsheets to e-mails, spammers cloaked their scams in professional-looking packages that tricked security software into greenlighting the illegal e-mail.

The PDF files contained digital images hawking sexual enhancement drugs. The

Excel spreadsheets promoted a penny stock and were part of a pump and dump scam aimed at raising the stock price for criminals who will cash out before share prices crash back down.

By mid-July, about 90 percent of all e-mail flying across the Internet was spam -- a nearly 30 percent increase from two months earlier, according to Commtouch, a Sunnyvale software security company.

Much of it originates in the former Soviet Union and China, but is being relayed in the United States by huge networks of home and business computers infected with programs that turn computers into clandestine spammers.

The FBI issued warnings about the uptick in spam. Internet service providers buckled down against the increase in traffic. And spam fighters went to work on a solution.

"The arms race has tilted briefly toward the spammers," Dane Jasper, president of Santa Rosa Internet provider Sonic.net, said at the time.

Operations were cranking 24 hours a day at Rohnert Park-based Red Condor, which provides security against spam for municipalities such as Santa Rosa and Petaluma.

"The spammers create their latest weapons to launch. And we constantly modulate our defense algorithms to match their offenses," said Ron Longo, president of Red Condor. "It's more than an arms race, it's a full-out battle."

These latest spam attacks are part of an ongoing struggle between criminals and security companies. Every so often criminals develop an effective new spam that blankets inboxes around the world. Security experts respond by developing new technology to stop the offending spam.

It has become an expensive, seesaw battle.

Cost to businesses

E-mail has become the most valued form of communication in the workplace and is considered nearly twice as important as a desktop phone, according to a May survey published by Brockman & Co., a Massachusetts research company. Yet the typical employee wastes 25 hours a year dealing with spam, according to the survey of 500 business professionals.

The cost of spam has nearly doubled in two years as employees increasingly lose time sorting through and deleting junk e-mail and businesses shoulder the extra expense of fighting spam, according to San Francisco-based Ferris Research. Costs are particularly high at companies with poor spam filters because employees are forced to sift through more junk.

Even worse, the $100 billion global cost of spam that Ferris estimated does not include lost business opportunities, such as a purchase order that gets trapped in a spam folder.

Nor does it include the money weaseled from people in scams, such as those who wire funds to Nigeria in hopes of getting a big payoff.

About one in four people knows someone tricked into giving out personal information -- such as a PayPal account number -- in a scam called phishing, according to the survey.

And slightly more than one-third of respondents indicated their company lost business as a result of an e-mail they never received due to an over-aggressive spam filter. Some of the lost deals were worth millions of dollars, according to the survey.

How spam is fought

Several techniques exist for identifying spam.

Security companies block certain mail servers located around the world that are pumping out spam. Software combs through e-mail messages, looking for key words such as "Viagra," "enlargement" or "gambling." When it finds such words, it increases the likelihood the e-mail is spam. If too many indicators are discovered in a given e-mail, it is either deleted or relegated to a quarantine folder.

Sonic.net uses 40 powerful processors to sift through about 3 million e-mails a day. If it were not for spam, the Internet provider would need only two processors, Jasper said. The computers reject an average of 1,600 spam messages per customer every month.

Companies such as Red Condor, which was founded in 2003, specialize in fighting spam for their clients, and are part of a fast-growing $2.5 billion industry.

Red Condor markets itself as having a low rate of tagging legitimate e-mail as spam. It advertises that fewer than 1 in 50,000 e-mails are wrongly identified.

The company has grown from 100 customers in 2005 to about 2,000 customers today.

"E-mail has evolved into an incredibly important form of communication for businesses," Longo said. "People have to get all their e-mails."

Spam fighters cannot afford to relax, because spam continues to evolve.

"People may believe that the spam war is being won because they don't see spam in their inbox," Longo said.

"But we are constantly having to update our defense mechanisms on a minute-by-minute basis."

You can reach Staff Writer Nathan Halverson at 521-5494 or nathan.halverson

@pressdemocrat.com.