It’s hard to find any e-mail user that isn’t tired of battling spam. The seemingly endless influx of junk e-mail has corporations and individuals alike looking for new and ever more-effective ways to block unwelcome spammers.
But while the war on spam moves along at a slow but steady pace, a potentially more disruptive form of direct marketing is gaining ground. That new threat is spam over instant messaging, or spim for short. So far the issue of spim has not been widely recognized as a problem, but as the recent outbreak of the ‘Osama Found’ AOL Instant Messenger worm revealed, spim is a threat that corporate IM users should be thinking about now, not in the future.
Who’s Canning the Spim?
Spim is not a new issue. It has been around in one form or another for years. But recently, with lawmakers and ISPs closing in on shady direct e-mail outfits, spammers are looking for new ways to get their unwanted messages across. New legislation like the U.S. anti-spam laws passed in December 2003 target spammers and allow for stiff penalties such as fines and even jail time. Why risk such consequences when the CAN-SPAM Act covers only e-mail? Instant messaging isn’t even mentioned in the legislation.
So if spim has been around for a while, why is it only now starting to get serious consideration? The main reason is that its growth is accelerating at an alarming rate, as Francis deSouza, CEO of IM management software vendor IMlogic explains. ”We started noticing spim a couple of years ago while reviewing compliance requirements for a customer. At that time the amount of spim was less than a couple of percent. Today it is still below 10 percent of all IM traffic, but even that represents a significant issue for companies with large numbers of IM users.”
DeSouza’s findings are borne out by recent research of the spim issue by The Radicati Group, which estimated that spim will account for around 5 percent of all public IM traffic by the end of 2004. In terms of the actual number of spim messages, that equates to more than 2 million messages this year alone.
As startling as these numbers seem, they still pale in comparison when set against the numbers associated with spam e-mail, yet many industry analysts are as concerned about spim as they are about spam. Spam, although very annoying and costly in terms of e-mail storage, bandwidth usage and potential threats, is a passive medium. Widely deployed spam filters prevent the majority of spam messages from getting through to the corporate network, and users are well-educated in identifying and subsequently deleting, without opening, the spam that does get through.
In contrast, the nature of IM is such that when an instant message is received, the recipient will invariably open it. In the case of indiscriminate spim — that in which the user does not recognize the sender the reader may not click on a link embedded in the message, but they will still have stopped what they are doing to read the IM message. The result is a loss in productivity, but spim can be more than of a threat than just a little disruption.
Everyone Trusts a Buddy
If the spim message is received from a recognized user who has been infected by a spim worm, such as ‘Osama found’, the click-through rate for links embedded in the message is very high, as the recipient invariably trusts any message that is received from a user in their buddy list. This high click-through rate is particularly attractive to those responsible for spim, which explains their growing interest in exploiting spim as a medium for their messages.
”Buddy lists imply a trust relationship between two users,” explains Rahul Abyankar, director of product management for IM management software provider FaceTime Communications. ”Users maintain their buddy list and are more selective about who is included on the list. E-mail address books tend to include many more contacts and are less well-maintained. The result is that a user is extremely likely to open an instant message from someone who is in his or her IM buddy list.”
With e-mail spam, click through rates are extremely low, being measured in factions of a single percent. Spim, however, offers much higher rates. To put this in perspective, a spam e-mail may need to be sent to 10,000 users in order to generate even five clickthroughs. Spim may be able to achieve the same clickthrough rate with only 10 or 15 messages. Given such efficient statistics, it’s no wonder that spammers are looking to become spimmers in short order.
Reining in the Spim
While the news about spim is not encouraging, there are things that can be done to ensure that it is kept in check.
For those organizations that allow the use of public IM systems like Yahoo! Messenger, AOL Instant Messenger and MSN Messenger, a number of companies such as Akonix, and the aforementioned FaceTime Communications and IMlogic, produce IM management systems that allow for the detection and prevention of spim. They achieve this protection through a variety of methods including signature detection, challenge response systems and rule based blocking capabilities.
One of the most interesting approaches to preventing spim is a challenge response system like that implemented in FaceTime Communications IM Auditor and IM Director products. When a user first receives an instant message from an unidentified source, the software responds with a challenge that requires the sender to retype a certain word issued by the software. As spim is most likely to be sent by automated ”bots”, the reply will not be forthcoming and the message will be blocked. If the sender is legitimate, and the challenge receives the correct response, the sender’s message is allowed through and that user is added to the list of approved senders.
This method of verification is considered effective as it still provides for the spontaneous communication made possible by IM systems, but prevents incoming IM from automated senders.