County attacks spam on two fronts

Arlington County, Va.

To improve performance, reduce vulnerabilities and lessen aggravation, a Virginia county government is taking aggressive measures to detect and filter spam swamping the e-mail boxes of its workers.

But first it had to find out whether such junk e-mail was even an issue.

"We took a look at this problem not knowing whether we had a problem in the county or not," said David Jordan, information security and privacy officer of Arlington County, Va. Although about 3,000 of the county's 3,500 employees have active e-mail addresses, he said, "we weren't getting any complaints and that's what was odd about it."

Shortly after Thanksgiving in 2002, his team began a campaign to assess the spam problem. The team provided information about spam via the county's intranet and encouraged employees to forward what they thought might be unsolicited material.

"So we started getting hundreds of e-mail every day," he said. "It pointed out to us that maybe this was a sleeping problem we weren't aware of."

In fact the county estimated 20 to 25 percent of the incoming traffic was spam. In addition to being a nuisance to employees, Jordan said, such unwanted e-mail carries a great potential for delivering viruses.

Chris Miller, a product manager for Symantec Corp., a leader in Internet security technology, said statistics indicate that about 30 to 35 percent of received e-mail — whether in the public or private sector — is spam. He said spam has a huge impact on an organization's messaging-storage capabilities, making e-mail management and archiving difficult.

To address the problem in Arlington County, officials began using a subject line filtering mechanism. It tagged key words in spam messages, such as "hello," "hey," "hi," "what's up," "haven't heard from you," "free" and even "Viagra." The list quickly grew to 4,000 words, Jordan said. If a message uses one of those key words in the subject line, the sender would get a reply saying it's a content violation, he said. The sender could then notify the recipient regarding the blocked e-mail.

He said that also raised the issue of improving how people communicate by e-mail. "We're trying to bring our level of communication up from casual grubby to business casual," he said. "So we're respectively changing the culture here in the county in how we do business and how we're going to communicate in the subject line."

Such a mechanism only goes so far, so the county began using the Symantec AntiVirus for SMTP Gateways, an integrated, multilayered security technology that defends against spam and viruses. "We look at e-mail hygiene in a holistic way," said Miller. "We'll do a whole lot of processes to clean the mail, if you will."

He said company tests show the product is one of the fastest scanners on the market and has relatively little impact on network performance. But, in terms of effectiveness, he said the company does not make any claims because it's too difficult to rate how much true junk mail and legitimate mail is filtered. The judgment is best left to the product user.

Jordan said Symantec's product combined with the county's subject line anti-spam mechanism is filtering 5,000 to 6,000 messages a day. "The performance was surreal," he said, adding that few legitimate e-mails have been blocked.

Despite Arlington's aggressiveness, Jordan said he doesn't see many other local governments following suit because they're afraid of interrupting a legitimate e-mail that could affect a powerful agency head, who in turn could cause problems for IT departments or cybersecurity personnel.

"I think a lot are not doing a whole lot with the problem because they don't know quite how to introduce the technology," he said.