How to Avoid Scammers, Spammer and the Rest of the Bad E-guys
BY John Fried
Before anything else, you need to know who the bad guys are and how to keep them the hell out.
The first e-mail message was sent sometime in the early 1970s by Ray Tomlinson, an English computer engineer working for the Defense Department's Advanced Research Projects Agency. Nobody remembers what it said: possibly "testing" or "QWERTY." Tomlinson wasn't thinking about history; he was just trying to create a quick, informal way for a closed universe of research scientists to communicate with one another.
Ease of use was the point, not security. Defense scientists 30 years ago, after all, did not have to worry about armies of malicious nerds with laptops and cable modems. The openness of e-mail, though, the thing that makes it so revolutionary, is also what makes it so vulnerable to viruses, worms, ID theft, denial-of-service attacks, and a host of other threats.
Scammers are constantly cooking up new ways to use your e-mail system against you. Phishing attacks, for instance. Your employees or customers get an official-looking e-mail saying there is a problem with, say, their credit card account. Would they please click on the link below, then type in their account or Social Security number? MessageLabs, a security firm that tracks phishing attacks, says the number of phishing e-mails grew to 4.5 million in November 2004 from 337,050 that January.
Then there's spam. The Radicati Group estimates that 45% of all e-mail is spam; other experts think it may be as much as 80%. According to Ferris Research, an e-mail and communications consulting firm, the worldwide cost in lost productivity and resources devoted to fighting spam will be $50 billion in 2005, more than a third of that coming from U.S. companies. It's not all bad news, though. Anti-spam laws have started to show some teeth. In April, Jeremy Jaynes, who was reportedly sending out 10 million junk e-mails a day, was convicted of felony charges in Virginia and sentenced to nine years in prison. Couldn't have happened to a nicer guy.
As you may have noticed, though, spam, viruses, and the rest haven't gone away. You still have to protect yourself. Which defense is best for you is a function of how big your business is and how much control you want over your security. Many fixes can help not only with keeping your system safe but also with archiving messages and making sure your system complies with your policies and the law. One solution may not be enough. "You cannot expect to buy a single layer of security protection and sleep at night," says Sara Radicati, of the Radicati Group. Your choices fall into three main categories.
Letting somebody else do it is an attractive option if you have a modest (or nonexistent) IT staff. The tradeoff is loss of control: You're trusting an outsider with a key part of your business.
Managed providers offer a range of security services that include spam filtering, virus protection, encryption, mail monitoring for compliance with regulations or company policy, and even archiving. Fees are typically per user, per month or year, and the price generally drops the more licenses you buy. Most vendors offer 30-day free trials.
Postini's Perimeter Manager Small Business Edition (starts at $25 per user per year) includes protection from spam, phishing, and viruses. It also provides defense against directory harvest attacks, in which cyber miscreants try to get your employees' e-mail addresses by bombarding your server with messages sent to every possible firstname.lastname@example.org, email@example.com, etc.--and seeing which ones bounce back. Perimeter Manager handles only inbound e-mail, however. If you need to keep tabs on internal or outbound mail, too, you can upgrade to Postini's enterprise edition (starts at $33 per user).
SingleFin's Global Gateway Service includes e-mail, Web, and instant messaging content filtering, as well as archiving ($12 a month, or free for businesses with fewer than 10 users). A light version of the suite, which simply marks spam and forwards it along to you and also filters viruses out, is free for any number of users. MessageLabs offers anti-virus, anti-spam, content, and policy control services. Pricing is based on company size. A business with 250 to 499 employees, for instance, pays a monthly $3.83 per feature per user. Other big players worth checking out in managed services are Frontbridge, Symantec, and McAfee.
Not refrigerators or microwave ovens. These are security hardware systems--literally boxes that contain e-mail watchdog and filtering systems. They are the fastest-growing segment of the security industry, according to the Radicati Group. They are generally easy to install and customize and they leave your own tech people in charge. Appliances are, however, not cheap.
IronPort's C-series comes in four sizes, depending on the number of people in your business. The midline C10 (around $9,000) is designed for companies with up to 1,000 employees and features anti-spam and virus protection, as well as content filtering for policy enforcement and monitoring.
CipherTrust's IronMail appliance (starts at $5,995 for the S-10 model, which is designed for companies with 100 or fewer users) has strong compliance tools. Other companies that make security hardware include Borderware, Barracuda Networks, Mirapoint, and Alladin.
Security software is plentiful and comparatively cheap. Most security experts, though, say this stuff is most effective when used in combination with an appliance or a managed service. They also warn that given the constant evolution of viruses and other threats you (or your IT staff) may be constantly managing patches and updates.
WebRoot's Spy Sweeper Enterprise ($300 for a one-year subscription with 10 licenses) and PepiMK Software's SpyBot Search & Destroy (free) will keep your business computers clean of spyware programs, which can steal your data or even turn your computers into spam-generating "zombies."
Symantec's Norton AntiSpam 2005 ($320 for a 10-user pack) will clean your computer of junk mail; Computer Associates' Server Protection Suite ($1,055 for five users) offers a range of security tools, including anti-virus, anti-spam, and spyware protection; Clearswift's MIMEsweeper ($2,628 for 100 licenses) series has a variety of monitoring software solutions; Sophos' PureMessage Small Business Edition ($2,850 for 100 users) offers protection from viruses and spam; TrendMicro's NeatSuite for Small and Medium Businesses ($59.34 per user for 25 to 100 users) has anti-virus, anti-spam, and content security.