'Spim' threat hovers on horizon

Marguerite Reardon CNET News

Published: 02 Apr 2004 09:20 BST


Spam that targets instant-messaging users is on the rise, but analysts say the problem won't be as disruptive as unsolicited email.

As spammers face legal action from the Can-Spam Act, they are expected to turn their efforts to sending unwanted messages via instant messaging, a technology that allows users to send messages to each other over the Internet in real time.

"Spim," as experts have dubbed IM spam, affects only a small number of users today, but the problem is growing. However, exactly how much it's growing hasn't been clearly established. According to The Radicati Group, 400 million spim messages were sent in 2003. The firm projects that number to jump to 1.5 billion messages sent by the end of 2004, a growth rate triple that of traditional email spam.

While other experts agree that spim is on the rise, they believe that predictions of a spim explosion are overblown.

"I wouldn't characterise spim as a huge problem," said Paul Ritter, program manager at The Yankee Group. "It's definitely an issue that information technology managers need to be aware of and should take steps to address. But I am not a spim alarmist."

The Yankee Group estimates that 5 percent to 8 percent of all corporate IM today is spim, but the firm doesn't expect this percentage to increase over the next year, as millions of new users adopt instant messaging. Ritter said enhancements to IM services and new enterprise-class IM products will minimise the impact of spim.

Others agree. "Spim is not as horrible a problem as email spam," said John Levine, an expert on spam and the author of "Fighting Spam for Dummies."

Levine believes that spim is easier to control than email spam, because free IM services from America Online, Yahoo and Microsoft's MSN have closed off their buddy lists and databases to third-party consolidators such as Trillian. Since messages go through a centralised group of servers, it's much easier to track and control than email, which uses an interconnected network of servers.

"One of our concerns over interoperability between IM clients has to do with the security and privacy issues that arise," said Nicholas Graham, an AOL spokesman. "We can best protect our members when we can control the flow of traffic."

AOL, MSN and Yahoo have already taken measures to limit the amount of unwanted messages their users receive. In September, Yahoo updated its IM client to make it more difficult for hackers to access addresses. In June, AOL said it had added anti-spim capability to its latest version of code, AOL 9.0.

Still, the potential for abuse exists. Even a small amount of spim can be extremely annoying to users, because IM messages pop up on computer screens as soon as a message is sent.

"IM spam is much more of an interruption than regular email spam," Levine said. "Unlike email spam, the timing is controlled by the sender and not the recipient."

IM spam can also cause security breaches. Hyperlinks embedded in IMs can entice users with offers of free prizes, special discounts or content downloads. These links can provide a doorway for viruses to enter a corporate network. Severe spim could cause network congestion, hurting application performance.

Some traditional anti-spam technologies are also being used to fight spim. Content filtering from companies such as Akonix, IMlogic and SurfControl blocks messages with keywords or suspicious content. Rate limiting and traffic shaping could also help fight spim.

"No matter how fast you can type, it's unlikely that any human could send thousands of messages every 10 seconds," Levine said.

Companies are also developing solutions tailor-made for corporate IM, which should give IT managers more control of IM traffic. For example, enterprise-class IM products from FaceTime Communications and Merak Mail Server intercept instant messages coming from outside a company and send an automated message that challenges senders to respond. Senders who don't respond are assumed to be spimmers, and their connections are terminated. The drawback to these solutions is that they can slow communication.
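The three gateway controls described above (keyword filtering, rate limiting and challenge-response) combined in one filter, as an added example that is not code from the article or from any vendor it names. The class name, thresholds, keyword list and sender addresses are assumptions.

```python
from collections import defaultdict, deque


class SpimGate:
    """Hypothetical IM gateway filter: rate limit, keyword check, challenge."""

    def __init__(self, internal_domain, max_msgs=20, window=10.0,
                 keywords=("free prize", "special discount")):
        self.internal_domain = internal_domain
        self.max_msgs = max_msgs          # assumed ceiling for a human typist
        self.window = window              # seconds, echoing the 10-second quote
        self.keywords = keywords          # constructed sample keyword list
        self.recent = defaultdict(deque)  # sender -> timestamps inside window
        self.verified = set()             # external senders who answered
        self.pending = {}                 # sender -> messages held for challenge
        self.blocked = set()              # senders whose connection was cut

    def receive(self, sender, text, now):
        if sender in self.blocked:
            return "drop"
        # Sliding window: forget timestamps older than `window` seconds.
        stamps = self.recent[sender]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.max_msgs:
            # Faster than a person can type: block and discard held messages.
            self.blocked.add(sender)
            self.pending.pop(sender, None)
            return "drop"
        if any(k in text.lower() for k in self.keywords):
            return "quarantine"
        external = not sender.endswith("@" + self.internal_domain)
        if external and sender not in self.verified:
            # Hold the message until the sender answers the automated challenge.
            self.pending.setdefault(sender, []).append(text)
            return "challenge"
        return "deliver"

    def answer_challenge(self, sender):
        """Sender replied to the challenge: release the held messages."""
        self.verified.add(sender)
        return self.pending.pop(sender, [])

    def expire_challenge(self, sender):
        """No reply in time: treat as a spimmer and cut the connection."""
        self.blocked.add(sender)
        return len(self.pending.pop(sender, []))
```

Holding the first message until the challenge is answered is where the delay the article mentions comes from: a legitimate external contact waits one round trip before anything is delivered.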

Both Levine and Ritter caution that to beat spim, IM vendors will need to stay ahead of the spimmers, who will likely develop increasingly intelligent tools to fool anti-spim efforts.

"I fear the same sort of escalation between spamming tools and counter tools will play out in similar ways to what has happened in the anti-spam community," Levine said.
