Spammers target small firms

28 Jan 2005

Smaller companies are more likely to receive high volumes of spam than larger organisations, a new report has suggested. Certain vertical markets are also more likely to be targeted than others, the report found.

Postini, a US-based email security provider, has released a report on the state of email over the past year. It found that smaller firms, typically those with 100 users or fewer, received up to 10 times more spam per user than large businesses with 10,000 employees or more. Small companies typically received more than 35 unsolicited emails per user per day, whereas in larger firms this figure dropped to fewer than 3 spam emails per user per day.

Moreover, the report found that large companies generally have more comprehensive, holistic information security programmes than smaller companies, which reduce the kind of employee behaviour that can lead to being targeted by spammers. In addition, Postini said that spammers target small companies, thinking they will have less sophisticated defences than larger organisations.

The Postini report identified several industry sectors, such as publishing, property, advertising and legal, as having received more than 10 times as much spam per user per day as organisations in banking, financial, manufacturing, electronics, food & beverage or pharmaceuticals.

In addition, the findings showed that even though there was more focus than ever on the cost and prevention of spam in 2004, threats to email systems actually worsened. According to Postini’s figures, spam accounted for between 75 and 80pc of email, and virus attacks increased threefold.

Directory harvest attacks (DHAs) were another continuing problem identified by Postini. Spammers use this method to add new valid email addresses to their databases by hitting large directories of addresses that are maintained by large organisations. The report found that the average attack consists of 250 invalid email delivery attempts, meaning that companies are typically subjected to almost 40,000 invalid delivery attempts per day. Postini called DHAs “the least visible and most underreported threat in 2004”. In addition, the problem can’t be controlled through conventional content filtering tools since these messages effectively have no content to screen.
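Because these delivery attempts carry no content to screen, detection has to rely on the pattern of rejected recipients instead. The following is an added example, not part of the Postini report or the original article: it flags sources whose recipient attempts within a short window are mostly unknown addresses. The log format, thresholds and sample addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample. Line format (an assumption, not a real server's):
    <ISO time> <client IP> <RCPT address> <reply code>; 550 = unknown user."""
    t0 = datetime(2005, 1, 28, 9, 0, 0)
    lines = []
    # One source tries a mailbox name per second; only "admin" exists.
    names = ["aaron", "abby", "adam", "admin", "al", "alan", "alex", "alice"]
    for i, name in enumerate(names):
        code = 250 if name == "admin" else 550
        stamp = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 203.0.113.7 {name}@example.com {code}")
    # An ordinary sender who mistypes one address.
    lines.append(f"{t0.isoformat()} 198.51.100.20 alice.smith@example.com 250")
    stamp = (t0 + timedelta(seconds=30)).isoformat()
    lines.append(f"{stamp} 198.51.100.20 alcie.smith@example.com 550")
    return lines

def detect_dha(lines, window=timedelta(seconds=60), min_invalid=5, min_ratio=0.8):
    """Flag client IPs whose RCPT attempts inside one sliding window are
    mostly distinct unknown recipients. Thresholds are illustrative."""
    recent = defaultdict(deque)          # ip -> (time, rcpt, code) in window
    flagged = {}
    for line in sorted(lines):           # same-format ISO stamps sort by time
        stamp, ip, rcpt, code = line.split()
        now = datetime.fromisoformat(stamp)
        q = recent[ip]
        q.append((now, rcpt.lower(), int(code)))
        while now - q[0][0] > window:    # drop attempts older than the window
            q.popleft()
        invalid = {r for _, r, c in q if c == 550}
        if len(invalid) < min_invalid or len(invalid) / len(q) < min_ratio:
            continue
        if len(invalid) > flagged.get(ip, {"invalid": 0})["invalid"]:
            flagged[ip] = {
                "invalid": len(invalid),
                "total": len(q),
                # Addresses the source confirmed as valid while probing.
                "confirmed": sorted({r for _, r, c in q if c == 250}),
            }
    return flagged

if __name__ == "__main__":
    print(detect_dha(build_sample_log()))
```

The `confirmed` list shows which real mailboxes a flagged source learned about. A source that spaces its attempts further apart than the window is not caught by this per-window count.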

A large proportion of unsolicited email is sent by compromised computers, Postini found. In the second half of last year, email viruses attacked computers belonging to individuals and small business users, creating so-called zombie machines that spammers can use to send email and DHAs. In most cases, the individual computer users are unaware their computers have become a conduit for perpetrating spam.

The report was less than complimentary about regulatory efforts to curb spam. The US CAN-SPAM Act came into effect on 1 January last year “and did not demonstrate any significant impact in decreasing spam during 2004,” Postini said. In more than 90pc of the lawsuits against spammers filed with the new legislation, the defendants were identified only by the name ‘John Doe’. The problem is not confined to the US; not one offender has been prosecuted under Britain’s Privacy and Electronic Communications regulations, which date from December 2003.

By Gordon Smith