Unfortunately, the answer is, very easily. Your work e-mail, if it's posted on your company's Web site, is probably even more vulnerable than your personal address. Your personal e-mail is likely to be culled from newsgroups, but savvy e-mail marketers are more likely to troll company Web sites for e-mail contacts.
For home use, you can change your e-mail address, or simply get an alternative "spam catching" address from a free e-mail service and use it when you post to newsgroups or fill out forms on the Web. But businesses can't have employees changing their e-mail address every time the spam piles up. Nor would it be good business practice to remove employees' e-mail addresses from the company Web site.
Relying on legislation to halve the size of your inbox has proved a waiting game, although plenty of states are trying to whittle away at spam. In California, the unsolicited e-mail I receive is required by law to have a label of "ADV" or "ADV:ADLT" in the subject line; only three of the last 50 spams I received were appropriately labeled. Obviously, e-mail transcends state boundaries--much of it originates overseas--which makes such legislation difficult to impose. In some cases, it's weak by design. If, for example, you live in Delaware and receive a spam e-mail from out of state, your state's anti-spam law only applies if there's "a reasonable possibility" that the sender knows you are in Delaware. Just keep deleting.
Where it all starts
Perhaps the best explanation for the growing volume of spam comes from a spammer; a recently received e-mail proclaims, "E-mail marketing is spreading around the whole world because of its high effectiveness, speed, and low cost." The first point--spam's effectiveness--might be hard to swallow, but the rest goes without saying.
Not only is it quick and cheap, but the targeting of business Web sites for e-mail marketing campaigns is getting more sophisticated. And it's the employees who largely shoulder the burden of filtering spam, sapping company productivity.
A lot of e-mail marketers get their start with courses and software from the likes of the Internet Marketing Center. IMC encourages the people who take its courses to be responsible e-mail marketers and avoid practices such as renting sloppily gathered e-mail lists. But regardless of how well-targeted these e-mail campaigns get, it's still a given that most of these e-mails will end up in the trash along with the Viagra sales pitch--only your employees will have to read more than just the message headers to determine that they're cold calls.
Ed Brooks, for one, knows about cold calling. Before launching his Internet marketing firm, Beyond the Site Marketing, he did just that for telephone services. Now he applies that experience to marketing products on the Internet.
First, Brooks uses specialized software that costs less than $100 to gather e-mail addresses from Web sites. He types a search term into his application, which uses 36 search engines to gather URLs; then he determines how many levels he wants to go into the URLs. He can tell the software to exclude order pages, FAQ pages, etc., and to determine whether the search phrase is located in keywords or only in body text. Then he tells it what types of e-mail addresses he wants to gather: "You can filter out customer service addresses, support (staff) addresses, things like that."
With returns of up to 1,000 Web pages per search engine, Brooks can generate a list of 36,000 Web pages. Even though Brooks says he manually checks each site he finds to determine its relevancy, all that work doesn't mean his e-mail recipients don't label him a spammer. To Brooks, Web sites are open invitations. "I'm just responding to their request to have people contact them."
As a result of this open invitation, your employees could spend valuable work time sending requests to be removed from such lists. Brooks says he honors all removal requests, but acknowledges that many others don't, and that spammers of the worst ilk just consider such requests proof that there's someone at the other end.
After trolling Web sites and gathering e-mail addresses, it's time to send the message. E-mail automation programs, which cost anywhere from $100 to $400, can handle that task with ease. Typically, these programs do three things: process e-mail lists, send e-mail, and handle incoming responses, most often with an automated reply.
Some of these programs work better with databases than others. While some require the sender to manually import, export, and update the e-mail lists, more sophisticated programs can directly query SQL databases.
A feature that Brooks says is particularly important is sequential mailing. That is, you can program the software to send a different e-mail every few days to the same address list, like a series of follow-up sales calls.
But even if you enlist an anti-spam product or service, someone still has to sift through the mail that's been filtered to make sure nothing business-related has been snared in the spam net. "Some firms do that by establishing a spam folder for each user and then writing the filters," says Bob Johnston, CISSP, manager of credentialing services at the ISC2, the International Information Systems Security Certification Consortium. But other companies balk at the delays in delivery times that putting spam filtering software on a mail server can cause. "That's why many firms choose not to implement the spam filters--it takes too long."
Sweetening the pot
Spam-fighting methods have had to mature because spammers figured out how to bypass simple content filtering, which looks for words such as "free" and "credit card." These days, spam filtering providers collect spam in databases with the help of honeypots, a term also used to describe the luring of hackers into attacking a simulated network service.
To establish a honeypot network, spam filtering providers set up e-mail addresses on a variety of mail providers for the sole use of receiving spam so they can better understand it and create new filters for it. The profiles of the fictional people associated with these e-mail addresses are given a variety of interests, and posts are made to newsgroups in their name. What's key is that these e-mail addresses aren't subscribed to anything, so it's a virtual guarantee when a message is received that the address has been harvested without permission, and that what's received is spam.
While such analysis might seem more suited to a spam filtering service provider, CipherTrust thinks enterprises might want to use the tool themselves. You can manually set up a honeypot in the current version of the company's IronMail software, but Director of Research and Development Paul Judge says the next version will feature an automated process for setting up honeypot addresses.
But honeypots won't be enough. Nor will the fuzzy algorithms that can detect if a message is spam even when random data at the end of the message derail efforts to read its signature.
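The honeypot collection and fuzzy matching described above, as an added example that is not part of the original article or any vendor's product: mail is learned only when it arrives at a trap address, and a padded copy that defeats the exact signature is still caught by word-shingle overlap. The trap addresses, sample messages, 4-word shingle size and 0.8 threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed trap addresses: never subscribed anywhere, so any mail to them is spam.
HONEYPOTS = {"trap1@example.org", "trap2@example.net"}
# Constructed sample messages.
SPAM = "Lose weight fast with our miracle pills. Order today and save fifty percent."
PADDED = SPAM + " xq7zt kk29d pl0vm"   # same pitch with random data appended
HAM = "Hi Dana, the budget review moved to Thursday at ten. Please bring the invoices."

def signature(body):
    """Exact signature: any change to the body changes the hash."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def shingles(body, k=4):
    """Set of overlapping k-word sequences from the lowercased body."""
    words = re.findall(r"[a-z0-9]+", body.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}

class HoneypotCorpus:
    def __init__(self):
        self.exact, self.fuzzy = set(), []

    def ingest(self, recipient, body):
        """Learn from a message only if it arrived at a honeypot address."""
        if recipient.lower() not in HONEYPOTS:
            return False
        self.exact.add(signature(body))
        self.fuzzy.append(shingles(body))
        return True

    def fuzzy_score(self, body):
        """Largest fraction of any known spam's shingles found in this body."""
        cand = shingles(body)
        return max((len(k & cand) / len(k) for k in self.fuzzy if k), default=0.0)

    def is_spam(self, body, threshold=0.8):
        return signature(body) in self.exact or self.fuzzy_score(body) >= threshold

def build_corpus():
    corpus = HoneypotCorpus()
    corpus.ingest("trap1@example.org", SPAM)   # learned
    corpus.ingest("alice@example.com", HAM)    # ignored: not a honeypot
    return corpus

if __name__ == "__main__":
    c = build_corpus()
    for name, body in (("padded", PADDED), ("ham", HAM)):
        print(name, signature(body) in c.exact, round(c.fuzzy_score(body), 2), c.is_spam(body))
```

Anything the filter flags would still go to a per-user spam folder for review rather than being dropped, since overlap scoring can misfire on legitimate mail that quotes a spam message.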
A variety of clever spam-fighting techniques are out there, but for now, you still have to dedicate someone to sift through the filtered mail to make sure no legitimate correspondence is dropped. For now, the battle of wits between spam filter developers and savvy spammers is far from over.