COLUMBIA, S.C. – What's the big deal about spam? All you have to do is delete it. Of course, that can be a lot of clicking. "We've captured almost 70,000 spam-related messages since Oct. 1," Tom Phillips, exchange systems administrator at $4.5 billion Boeing Employees Credit Union in Seattle, said in mid-November. BECU is not alone. Credit Union Times spoke with about a dozen credit unions large and small around the country and found that all had invested significant time and resources to dealing with the problem of unsolicited commercial e-mail, or were planning to. BECU, for instance, has about $130,000 invested in a robust e-mail filtering system called PureMessage from Sophos. It uses a variety of checks and filters that includes DNS (domain name system) address lookups, keyword and other checks and real-time block lists. "No single check will cause an e-mail to be labeled as spam," said Phillips, whose staff serves 1,440 internal e-mail users, including shared mailboxes with publicly available e-mail addresses. "The server scans inbound messages and assigns percentage points to the message. Once the message hits a spam threshold, it is placed into quarantine," he said. "If the message doesn't reach a specified percentage, it is delivered. White-listing like this helps us get newsletters and business-to-business e-mail through that otherwise may have been caught as spam." Blocking or deleting the good stuff is a real problem for credit unions large and small. "One of the many problems related to spam is the fact that if a user is constantly flooded with spam, there's a good chance that in the midst of blocking or deleting it, important messages also may be accidentally blocked or deleted," said Brian Griffith, Information and Technology Manager at Pacific Community Credit Union in Fullerton, Calif. He said the volume of unwanted e-mail arriving in the mailboxes of the 45 to 50 users at his $150 million CU has doubled over the past year, and that the growing sophistication of spammers – for instance, using punctuation and spaces in subject lines to thwart basic filters – is thwarting the ability of the Symantec anti-spam software now deployed at Pacific Community. "Because of this, we are now looking into implementing a spam e-mail filtering server," Griffith said. "We expect to spend around $4,000 to $5,000 to implement it and another $1,000 per year for support services." Other credit unions, such as Campus Federal in Baton Rouge, La., are relying on the spam filters in the widely used Microsoft Exchange 2003 to keep unwanted e-mail at bay. The $275 million CU may upgrade that defense later in 2004 if more is needed to be done to keep up, said Duz Hamilton, the $275 million CU's Executive Vice President-operations. Keeping up can indeed be a problem as spam grows in both volume and sophistication. Navy Federal Credit Union, for instance, already is using the second generation of the anti-spam software deployed at the world's largest credit union. The $20 billion CU has been using the solution for more than a year and has not had problems with legitimate e-mails being blocked, said Ardin Goss, executive vice president of information services. Since the software is handled centrally, deployment at 4,000 or so employee PCs wasn't necessary, Goss said, adding, "Before we treated it, spam was a growing nuisance. "We've had some success in defeating the obvious spam and have been able to block the e-mails that would create threats such as denial of service. While we still receive unwanted e-mails, the amount that gets through has not continued to grow significantly." Fight Back With Time and Money Of course, significantly is a relative word, especially when the problem already is huge. And it takes time as well as money to combat. "Some of our e-mail users receive 300 or more a day. It's definitely a huge problem," said Joe Grech, senior vice president of Heritage Trust FCU in Summerville, S.C. "Unsolicited e-mail impacts employee productivity, and it is growing rapidly." Heritage Trust is in the process of spending about $10,000 in hardware and software to filter out spam for the 200 users at the $390 million, 68,000-member CU, with the bulk of the investment going forward devoted to staff time needed to monitor and update the system. "Our vendor told us someone would need to spend several hours a day making adjustments on this to keep spam out. It will definitely be an ongoing task as more spam comes in," Grech said. The CU already uses a solution called Guinevere to filter out attachments that can harbor computer viruses and worms, although it also has kept out legitimate e-mail. "Our users don't always like it but it has saved us so many problems with viruses coming into our environment," Grech said. Blocking desired e-mail has not been an issue at ESL Federal Credit Union in Rochester, N.Y., where the $2.6 billion CU is concentrating its efforts right now on anti-virus protection using Symantec solutions, said Mike Armbruster, senior vice president and chief information officer. He said ESL staffers spend about 30 minutes a week dealing with spam flowing into the PCs of its approximately 500 e-mail users, but added, "We do see spam volume on the rise. We are looking at additional spam control options for potential use in the future." Another big CU that recently had to find a new solution for spam control is $2.3 billion Pennsylvania State Employees CU in Harrisburg. "Over the last year, spam had been a problem increasing each month to where we were receiving approximately 4,000 spam e-mails per night. We were using a software solution, but it did not accurately assess which e-mails were spam and which weren't," said Pete Radell, PSECU network administrator. The CU then installed a $25,000 CipherTrust spam appliance from IronMail. "We used to have a problem with non-spam e-mails being filtered out. We no longer have the problem," Radell said. Another credit union deploying a sophisticated filter is $2.5 billion Wescom in Pasadena, Calif., which is currently upgrading its MimeSweeper for SMTP to the CS MAILSweeper for SMTP anti-spam filter. The investment? "The software license was $12,000, plus $6,000 for server hardware and $2,821 for the annual support contract," said Rob Guilford, Wescom's senior vice president for information technology. The CU also sent a network administrator for training, and three staffers maintain it for the 650 e-mail users at Wescom. "There is ongoing maintenance to fine-tune the sensitivity and block out new, `innovative' spam," Guilford said. "Ten levels of sensitivity are available, based on if a word or phrase appears once or twice or three times, and so on. We have had to fine-tune the sensitivity levels. For instance, we initially screened out e-mail with the word `free' and too many valid e-mails were screened out and required retrieval," Guilford said. "We are now pretty close to optimally screening out the spam," he said. Making a List, Checking it Thrice Another option in high-end spam screeners is the use of DNS block lists, which are independently maintained lists of known spammers. Mountain America Credit Union, for example, employs a Symantec anti-virus and spam filter system that automatically checks e-mail against three such lists, said Alex Barker, network services supervisor at the $1.3 billion CU in Salt Lake City, Utah. He said the system – which involved a $5,000 investment for hardware, Windows and Symantec licensing – now blocks 3,000 to 4,000 spam messages a day that otherwise would end up in the 172,000-member CU's 650 employee e-mail boxes. Barker said situations have occurred where a valid e-mailer has the same SMTP server as a known spammer and thus could not e-mail the CU. "It's easy to run reports that show what e-mail was destined for a certain recipient if you ever get calls saying that they were expecting an e-mail from someone and have not gotten it," Barker said. "You solve this painlessly by adding either the entire domain or just the e-mail address of the sender you never want blocked to a `white list,' which will allow that inbound e-mail," he said. Other tactics call for the system administrators to review the entire content of potential spam e-mails, which, if feasible, can relieve the problem of filtering out valid e-mails. That's what's done at $400 million AltaOne Federal Credit Union in Ridgecrest, Calif., which has 151 e-mail accounts. "At this point, we've had no issues with e-mails being filtered that should have been received," said Connie Miller, network supervisor at the 38,000-member CU. The CU recently installed a new e-mail server in place and is able to better monitor traffic, which Miller estimates is 3 percent to 5 percent spam. "Spam for the credit union is not significant considering the number of employees. AltaOne has always stressed that the e-mail account provided to an employee is a business tool and should be used for business purposes only," the network supervisor said. "The majority of the spam we receive tends to go to our younger employees." -

[email protected]