Carriers Thwart Attacks From Spammers

CNA Financial Corp. received about 4.5 million inbound e-mails in August. An estimated 1.5 million to 2 million of those were unsolicited commercial electronic messages, otherwise known as "spam." During any given 24-hour period, the insurance giant blocks more than 50% of the 150,000 inbound electronic messages. This might sound like a self-inflicted wound for a financial services firm that depends heavily on electronic commerce. Instead, it's survival of the fittest in a business world gone awry with spam.

"Spam-related costs are increasing rapidly for both corporations and ISPs, mainly as a result of lost productivity, consumption of IT resources and help-desk support," says David Ferris, president of Ferris Research, a market and technology consulting firm based in San Francisco. Ferris estimates the total cost of unsolicited commercial e-mail to corporate organizations will exceed $10 billion, or about $14 per user per month in 2003, up from $8.9 billion last year.

Like other insurers, CNA needs to eliminate spam for three main reasons: Spam e-mail containing offensive content can create a hostile work environment resulting in employee lawsuits, especially if a company hasn't implemented an anti-spam solution; spam consumes labor resources, slows IT network traffic and clogs gigabytes of storage space; and the process of managing e-mail has become more cumbersome and time-consuming due to spam, taking employees away from primary business activities.

Defining spam

To meet this formidable obstacle, CNA Financial, the nation's fourth-largest insurer, has taken off the gloves. It uses a combination of commercial spam-blocking software, homegrown scripts, and manual surveillance to thwart the efforts of e-mail spammers.

"Spam wouldn't present so much of a business challenge if it weren't so difficult to define spam," says Donald H. Larson, director, infrastructure engineering and operations of CNA's IT unit.

"It's pretty easy to understand that the thousands of messages that we get about how Viagra will improve our lives isn't key to our business," he explains. "At the same time, Viagra might be a key piece of information for a medical claim. So you can't just say if the message contains the word 'Viagra,' we don't want to look at it, because we might be blocking out information that is critical to our business."

CNA installed anti-spam software from ActiveState Corp., of Vancouver, British Columbia, in August 2002. Then in March 2003, CNA installed ActiveState's PureMessage product to block spam that now accounts for up to 45% of all inbound e-mail received at the Chicago-based firm.

PureMessage "is installed at the perimeter of the organization and sits in the 'DMZ' between the Internet and the intranet," explains Chris Kraft, director, product management for ActiveState. "We filter the messages going into and out of the DMZ and assign a probability to each message about whether it is or is not spam.

"We are also able from a heuristic (a branch of artificial intelligence) standpoint to identify what spammers are doing today, and what they will be doing in one month or two months or in six months," adds Kraft.

At CNA, the PureMessage implementation uses a set of about 1,000 rules to analyze each e-mail message and determine the probability that an individual message is spam.

Analyzing e-mail

Using positive and negative values, the software assigns one overarching value to each e-mail. Based on that score and the user's desires, messages are deleted, quarantined, marked as possible spam or sent through to the recipient.

"We need anti-spam products that are highly scalable and that require a minimal amount of hand-tuning or touch," says Larson. "Product flexibility and configuration are very important to us." In Larson's experience, software products that require the user to tightly define spam are too easily thwarted by spammers.

"The power of PureMessage lies in the fact that it is built upon Perl (Practical Extraction and Report Language)," observes Matthew W. Boex, system administrator/engineer, in CNA's IT unit. "It is the most powerful of any language, and you can build rules using Regular Expression (an algebraic way of describing information) in PureMessage," he adds.

The upshot is: The user can build one rule in PureMessage that might catch 85 variants of a particular message string, instead of building 85 different rules to handle the creativity of spammers, says Larson.

"The software can handle some of the noise that a more specific rule would choke on," he adds. Fewer message rules mean less time elapses before e-mail reaches the recipient.

Before the $12.2-billion insurer installed PureMessage, CNA captured only about half of the incoming spam. "Today we are blocking 95% to 98% of undesired content," Larson notes. Only about 2% or roughly 3,000 spam messages are getting through to CNA's 15,000 mailboxes daily.

If there is a 90% or more probability of a message being spam, it is turned back at the company's IT gateway. If the probability is 30% or less, the message is allowed through. The rest are either delivered to mailboxes with an additional header attached to mark the e-mail as potential spam or are quarantined for manual surveillance.
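The scoring and threshold scheme described above can be sketched in a few lines. This is an added illustration, not code from CNA or ActiveState: the rules, weights, bias and the logistic mapping from score to probability are assumptions, and only the 90% and 30% cut-offs come from the article.

```python
import math
import re

# Constructed rules as (pattern, weight). Positive weights push toward spam,
# negative weights toward legitimate mail. Not PureMessage's actual rule set.
RULES = [
    # One pattern covers many obfuscated spellings: V1AGRA, v.i.a.g.r.a, vi@gra
    (re.compile(r"v[\W_]*[i1!|][\W_]*[a@4][\W_]*g[\W_]*r[\W_]*[a@4]", re.I), 2.5),
    (re.compile(r"\b(?:buy|order)\s+now\b", re.I), 1.5),
    (re.compile(r"\bno\s+prescription\b", re.I), 2.0),
    (re.compile(r"\bclick\s+here\b", re.I), 1.0),
    # Business context outweighs the drug name when it appears in a claim.
    (re.compile(r"\bclaim\s*(?:no\.?|number|#)\s*\d+", re.I), -3.0),
    (re.compile(r"\bpolicy\s?holder\b", re.I), -1.5),
]
BIAS = -2.0        # assumed baseline: mail matching no rule is probably legitimate
REJECT_AT = 0.90   # article: 90% or more is turned back at the gateway
DELIVER_AT = 0.30  # article: 30% or less is allowed through


def spam_probability(text):
    """Sum the weights of all matching rules, then squash the score into 0..1."""
    score = BIAS + sum(weight for pattern, weight in RULES if pattern.search(text))
    return 1.0 / (1.0 + math.exp(-score))


def disposition(text):
    """Map the probability onto the three outcomes the article describes."""
    p = spam_probability(text)
    if p >= REJECT_AT:
        return "reject"
    if p <= DELIVER_AT:
        return "deliver"
    return "tag-or-quarantine"  # header added, or held for manual review


# Constructed sample messages, not taken from any real mail flow.
SAMPLES = {
    "bulk": "V.1.A.G.R.A, no prescription needed! Order now, click here",
    "claim": "Claim no. 48213: policyholder was prescribed Viagra after surgery.",
    "unclear": "Ask your doctor about vi@gra today",
    "plain": "Meeting moved to 3pm, agenda attached.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8} p={spam_probability(body):.3f} -> {disposition(body)}")
```

The claim message contains the drug name yet is delivered, because the negative-weight business rules offset the single positive match; the same word alone lands in the middle band for review.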

Because it is very expensive, the IT department tries to limit visual validation. "We only look at about 150 to 700 messages a day," says Boex. That represents a large reduction in time and expense from the past.

PureMessage benefits the insurer in multiple ways.

"We're not losing productivity to spam, we're not offending our employees and we don't waste time handling spam that doesn't add anything to our business," says Larson.

Without spam filtering, CNA would have to expand its IT processing power. By blocking 50% of all incoming e-mail, the company is saving the cost of processing that e-mail and the expense of buying the servers to handle it.

"At the end of the day," says Larson, "this anti-spam effort has everything to do with improving the employee work/life experience, reducing operational costs and insuring that we are really focused on the business, our agents and our business partners."

Other options

While ActiveState is primarily for larger organizations with 1,000 or more users, small- to medium-sized organizations can choose a spam filtering service such as Perimeter Manager from Postini Corp., Redwood City, Calif.

State Fund Mutual Cos. of Bloomington, Minn., began using Postini's spam filtering service in May 2003. The largest worker's compensation insurer in Minnesota was very concerned about pornography, dirty jokes, questionable material and viruses.

"We tried using block lists to thwart spammers, and that proved to be a shaky solution," recalls David D. Kaiser, vice president of information services at State Fund Mutual. The specialist insurer also tried some personal anti-spam products loaded onto a few corporate PCs for tests before the IT executive read about Postini.

"I was personally getting 80 to 90 spam messages a day and 100 or more on weekends before we started using Postini," says Kaiser.

The State Fund IT network was also flooded with e-mails for ex-employees by spammers using variations on their former e-mail addresses.

"While that spam wasn't being delivered, it was a load on our server because our server had to reply to those people and say the address was no longer valid," says Laura Bahr, support analyst in the information services department. "And because a lot of the addresses for spammers are incorrect, our server would try over and over again, bogging down the enterprise network," she adds.

Once State Fund implemented Postini's spam filtering service, there was an immediate 60% drop in the 1,800 messages received each day. This drop occurred after the IT network was purged of invalid employee addresses.

Of the remaining 800 in-bound messages, about 30%, or 240, a day were spam. "Postini pretty much zaps all of the spam," Kaiser says. "Even for heavy Internet users, such as myself, we've seen spam virtually disappear. These results are absolutely incredible compared with the other products that I have worked with.

"We're seeing maybe one or two spam e-mails a week (that get through the maze). Not only does the product work; we implemented it in one day and have had no problems," he adds.

The Postini e-mail and security service protects enterprises from malicious e-mail attacks including spam, viruses and directory harvest attacks.

"Perimeter Manager protects e-mail systems at the perimeter of the network, saving bandwidth, server and disk capacity, minimizing administrative requirements and keeping security threats away from the corporate network," explains Kristin Potts, director, corporate marketing, Postini Corp.

Postini's heuristic and ensemble scoring methods produce up to a 99% spam-capture rate, and false positive rates as low as 1 in 80,000 messages, the company purports.

Filtering service

The Postini e-mail filtering resources sit between the public Internet and the corporate intranet. E-mail packets directed to State Fund flow first to Postini servers, and messages are processed in real time based on the enforcement policies desired by State Fund's IT department. In no way does Postini change how State Fund's 185 users access their e-mail. Few fa

The false-positives are running about 0.5% or 10 messages a week. A few questionable messages are quarantined at Postini. Only Bahr is authorized to view them to see if they are spam. If the e-mail is legitimate, it is immediately forwarded to State Fund's e-mail server for delivery.

The spam filtering service model appeals to State Fund Mutual's Kaiser because "we don't have to install any software and we have nothing to maintain or upgrade. They do everything and it is absolutely silent to us." In addition, Kaiser thinks Postini's service is very adaptive and has the ability to change with the spam writers.

An added benefit

State Fund doesn't have to hire and train a systems administrator or worry about its anti-spam system breaking down or fine-tuning it. Postini adds features and upgrades as needed.

And there's an added benefit. "Postini pages or e-mails us at another location if our T-1 line goes down. They spool e-mail for us so we don't lose anything," says Kaiser.

When Kaiser looked at the return on investment (ROI), he felt the cost of performing all anti-spam functions in house was about equal to purchasing a service by the month.

"I think the ROI is a (wash) for a medium- to small-sized company. I don't know what would happen in a really large organization," he says.

Brian S. Moskal is a Chicago-based business and financial writer.
