Major Cause Of Spam: Your Employees

By Sharon Gaudin

A new study by a network security company shows that employees misusing their Internet connections on the job are forging a path for spam to flood into their companies’ inboxes.

“Employees are knowingly or unknowingly giving out their corporate email addresses to spammers,” says Rick Romkey, general manager of U.S. operations at Integralis, Inc., a network security firm with American headquarters in East Hartford, Conn. “They’re sitting at work registering for online services, signing up for mailing lists, trying to win a car off or subscribing to the joke of the week. Sometimes end users aren’t educated enough to stop giving their email out to everyone who asks…and sometimes it’s purposeful, but they’re inundating their network with noise.

“It hurts productivity in many ways,” adds Romkey.

Spam is an escalating problem that affects ISPs and consumers, filling mail servers and mailboxes with junk mail ranging from enticements for pornographic Web sites to burn-fat and grow-hair scams.

Industry analysts say spam accounts for as much as 50% of an ISP’s email traffic flow. And ISP executives are having to buy more servers to deal with the deluge, while dedicating IT workers to deal with the incoming spam and customer relations workers to deal with angry users. And part of the problem, according to some, is that employees are doing more than their work with their Internet connections.

Extracurricular Activities Leave Email Trail
Seventy-eight percent of companies polled in a recent Computer Security Institute/FBI survey reported that they detected employee abuse of their Internet access privileges.

The misuse ranged from playing games in the office to downloading bandwidth-sucking movies or porn, gambling, trading stock, emailing sexually explicit or racist jokes and even sending out critical corporate information.

And that misuse is littering employees’ email addresses all over the Internet, making them vulnerable to spammers who are always looking for fresh victims.

“With email and the Net, you can’t check your common sense at the door,” says Kelly Thompson, a privacy and responsible email activist and co-founder of Forum for Responsible and Ethical Email. “You have to think critically about the things you’re signing up for, the things you’re OKing when you’re on a Web site…You wouldn’t give your credit card number to anybody without at least knowing how it’s going to be used, so you should take at least that much care with your email address.”

But some anti-spam activists and industry analysts say pointing the finger at wayward employees is akin to blaming the victim.

“I’d advocate stronger Web filtering, but not blaming the user,” says Chris Christiansen, an analyst at Framingham, Mass.-based IDC. “Nobody I know ever signed up for some of the incredibly offensive email that I get. Even the subject lines are incredibly offensive.”

And Margie Arbon, manager of market and business development at Mail-Abuse Prevention Systems (MAPS), a spam-fighting organization, agrees that employees are not to blame for the heated spam problem.

“This is a really good case of shifting the blame for spam onto the end user,” says Arbon. “I sign up for work-related things with my work email address…but that doesn’t explain the quantity of stuff that we get here. That doesn’t explain how a person may sign up for a legitimate list and end up on 50,000 other lists.”

Arbon explains that a lot of spammers scrape Web sites, figure out how major companies set up their email addresses, and do dictionary runs against servers for user names. Most spammers, she says, aren’t getting the millions of email addresses by legitimate means.

But Integralis’ Romkey says that although employees can’t be blamed for causing spam, they can be – and often are – part of the problem.

“Certainly, [employees] are not helping the situation,” says Romkey. “We get the funny jokes and we look at them and we giggle. I’ll forward it around. The important thing is that companies know this is happening and most of them are just sitting there taking it.”

Steps To Limit Spam In Your Network
And all of the industry watchers say the last thing most companies should do is resign themselves to simply putting up with it. As Christiansen points out, these steps won’t stop spam but they can help limit it. Here’s what they generally agree can be done:

- Create a policy limiting what employees are allowed to do on their workplace Internet connections. Be aware that companies today are asking people to spend more time at work, so they may need to do personal business online or even take a break by browsing a news site. But set restrictions;

- Have a policy about employees using their corporate email accounts when signing up for anything online. Make sure they are using personal accounts, like Yahoo or Hotmail;

- Limit certain types of attachments, such as executables and movies, that are coming into the corporate network;

- Educate employees about how spam affects the company and what they can do to limit it;

- Set up a spam filtering system for company email;

- Educate employees about reading the fine print when they sign up for anything online. They need to make sure they’re not unwittingly agreeing to receive bulk email;

- People may want to set up a separate free email account so they can use that address when signing up for anything online; and

- Become familiar with services that will give people disposable email addresses to use.

“Will this stop it all? No. But will it help? Yes,” says Romkey. “You’ve got to be proactive about this and do as much as you can before it ever reaches the company. It’s within our control to limit the amount of noise that makes its way back in.”

Reprinted from

Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.
