Network Computingwww.networkcomputing.com

But don't cry uncle or turn to the lawmakers just yet. Spam can be managed without breaking the bank or creating yet another legal morass.

For starters, assume that the spammers won't be hemmed in by the myriad federal laws now being proposed (20 or so state laws haven't done much good). We can herd e-mailers into all kinds of "wash lists" and "black lists," and then try to figure out who really opted in and out. We can tell spammers to use only "accurate" or "honest" subject lines, and then debate the spirit of those words. We can force spammers to identify certain e-mails as ads or adult content, and then try to punish those who don't comply. But short of banning all commercial e-mail or charging for each message sent, a law will do little to stanch the volume. It will only force the spammers to adapt their tactics--something they're already adept at doing.

The first line of commercial defense must be technology-based. It's a lot easier to adjust software to keep up with the spammers than it is to pass, revise and enforce laws. Just as defending against computer viruses requires companies to deploy software tools, monitor threats aggressively and adjust defenses, so too must the spam battle be fought on different, moving technology fronts.

But that battle needn't be prohibitively expensive. Network Computing, which operates its own e-mail server for 24 editors, deploys a copy of Mailshell's SpamCatcher that scores every message's content from zero (not spam) to 100 (definitely spam) and writes the score into the message header. Most users have set up a rule that collects messages with scores greater than 80 (currently 43 percent of all incoming messages) into a Junk Mail folder, whose contents are perused and deleted at the user's discretion. Lab director Ron Anderson, who estimates that only a few spam messages a day make it into the average user's inbox, says he spends 10 minutes a day monitoring the system. SpamCatcher, for Stalker's CommuniGatePro mail server, is priced by the number of messages per hour that get scanned.

That's all fine for a workgroup, but what about blocking spam at the enterprise level? Network Computing parent CMP Media uses a two-step approach. About 70,000 of the 130,000 messages received daily on two Unix servers are eliminated by Sendmail's spam-filtering tool. The remaining 60,000 messages are sent to Clearswift's MIMEsweeper, which blocks another 25,000 to 30,000 per day through content and URL filtering. Sendmail is freeware. MIMEsweeper cost us $28,000 up front, plus $6,000 for annual maintenance and updates. The software, which took four people about a month to set up and customize, now demands half of an administrator's time. Plenty of spam still makes it through, but it's a nuisance rather than a productivity drain. (Read an overview of antispam technologies and techniques.)

None of this technology is bulletproof. Longer-term technology solutions may require the use of PKI certificates so that e-mail recipients can readily authenticate senders. But save the antispam laws for explicit illegal behavior, like falsifying header information. And try to put spam into perspective. Chitchat and endless CYA e-mail strings suck up far more productivity and IT resources. If your campaign against spam forces an evaluation of your company's e-mail policies and culture, this epidemic might just produce some good.