CyberSoft's Gary Blawat: Evolving AntiSpam Technologies

by Steve Baldwin

RAE Reporter: It seems evident that Americans are tired of receiving unsolicited messages. This past summer, the National "Do Not Call" registry list was a runaway success, and it appears that California is very close to outlawing the practice entirely. What impact will these policy initiatives have on the electronic spam landscape? Are we likely to see a new explosion if and when telephone-based direct marketing is outlawed or further restricted? Do we need a "Do Not Spam" list along with laws criminalizing spam, or would such approaches be counterproductive?
Gary Blawat: I think a lot of this is based more on economics and personal choice. I won't get into the political aspects of this, but only acknowledge the more people that voice personal choice the more it becomes the "Hot Issue" of the campaign.

So, then it really boils down to economics and costs versus gains in performing these activities. There is also a legal risk associated with it which needs to be considered. It is extremely cost-effective to send one message to 1 million people. If you get .5% of those to click through and 3% of those to buy, that is still 150 potential sales. Let's say the average item price is $29.95. Total sales for one mass mailing could be $4,492.50. Is that lucrative? More than likely.

The next issue is the legal risk. I believe only 36 states have spam laws. Most of the laws are pretty antiquated. Even Wisconsin's statute 944.25 is geared specifically towards "Sending obscene or sexually explicit electronic messages."

As far as federal laws, there have been laws against viruses and we still see outbreaks. The reason is simple: Detecting the point of origination and prosecuting to the full extent of the law is very difficult. These things can travel across international boundaries where we have no influence. Not to mention, the "definition" of spam is also elusive, which will always make it difficult to enforce. The bottom line is simple: as long as we humans have freedom of choice and mass e-mailing is profitable there will probably be spam. Although the smarter technologies will allow personal and/or organizational preferences.

RAE Reporter: It often seems that end-users are bearing an enormous burden in the battle against spam. While it's undoubtedly true that fighting Spam is an individual responsibility, how much of the cost of fighting spam should be borne by ISPs, operating system vendors, and other industry players? Are ISPs doing an effective job or are they dropping the ball?
Gary Blawat: I've been on all sides of this issue. This is my opinion, and it does not necessarily reflect that of CyberSoft Operating Corporation.

Operating systems vendors need to focus on strengthening the security and functionality of their products. Other industry players, such as CyberSoft, need to focus more on total e-mail security and not just spam. ISPs are in a no-win situation, because their business is hosting and bandwidth. The original business model was just supposed to be providing the service of connecting people to the internet and e-mail. Now they are in the pressure cooker from both customers and the media.

Their quandary is this: if they put things in place to block spam there will be user complaints and if they don't put things in place to block spam there will be user complaints. An ISP typically has too broad of a constituency to top-level manage spam to provide an effective compromise between the organizational and/or personal level. I know engineers that consider spam to be any message from any point they didn't request an e-mail from. In the sales world, you can't consider a lot of things spam because the affiliate newsletter you received all of a sudden may give you some information to start a conversation with a client. Or, it may be an odd request from a large potential client. There could probably be a book written on the differing opinion of the definition of spam.

The market is getting competitive; larger service providers are squeezing prices and offering more services. To remain in business you have to provide better value which will come down to personal choice offerings at a minimum with no upcharge to the end-user. Solutions that offer the user-level preferences such as SafeInternetEmail will be critical. Just think about the other implications if legislation requires ISPs to maintain copies of e-mail in the event it is necessary for evidence.

The last focus of this is organizations protecting their human and intellectual assets. An individual at a company that receives an e-mail that they feel is offending may turn into a harassment lawsuit, if an organization didn't take steps to prevent this. This is a headline from Forbes in their November 25, 2002 issue, "What is the relationship between e-mail and lawsuits?" "Incriminating E-mails have become a litigator's favorite tool."

Everything comes down to due diligence at each level: having a clear definition of what the issue is, why the issue is important to your business, and how you are going to solve what you defined at your level.

RAE Reporter: Eric Allman, the CTO of SendMail, describes the current Spam/antiSpam environment as an "arms race" where "in the long run everyone loses (except the arms dealers)." In your opinion, is this an accurate or a flawed characterization?
Gary Blawat: I would take his comment as representative of the spam environment. The more we battle it and the more we promote how we battle it and threaten the spammers, the more the techniques will evolve to go against detection. This means we will have to evolve detection to catch the new tactics which makes it a no-win situation. Part of this dilemma comes from the promotion of "How we defend against spam." In a utopian world a simple standard could be evolved that allows for personal choice and everybody that sent spam on a specific topic would need to follow that or get rejected.

Part of the reason why we evolved SIE with categories is because we were told by an organization that if we could not allow porn at an individual level they couldn't use our product. We discovered this helped evolve our solution closer to the personal choice level. However, based on the current arms race mentality it is still an ongoing management issue that requires constant blocking evolution.

RAE Reporter: A recent article in Wired News reports the somewhat depressing fact that more than 6,000 people evidently responded to virility pill-oriented Spam e-mails during a four-week period, representing about a half-million dollars in sales. Given that spam is so amazingly profitable, and many people are so obviously gullible, it seems that we're never going to see the end of unsolicited e-mail. Is it feasible to fight spam by "attempting to take the profit out of it"?
Gary Blawat: We live in a free enterprise-driven country. Where there is a market there will be business. There is a lot of taboo around these items, but there are still consumers to buy them and that is what makes a market. After all, a market is end-user demand. I think the real issue comes down to distinguishing between the unethical/scam spams and the legitimate mass marketers. If I am a legitimate startup business and I want to reach a large demographic of potential customers there is no better way to do it than in a mass e-mail. If you attempt to take the profit out of it, how do you still promote legitimate free enterprise?

I've started businesses and if it wasn't for cold-calling (telemarketing) or e-mail I would have very few cost-effective alternatives for promoting my products or services. So the key here is to stop the illegitimate spammers without penalizing the businesses that rely on e-mail or telemarketing to gain awareness. Even those setting and trying to enforce mass e-mail volume limits will find themselves abused by scam companies. I think the rule of thumb we all need to follow is common sense, "If it looks too good to be true, then it probably is."

Personal and organizational responsibility is the key because there is no magic wand for issues like these. We also have to remember that there is a cost associated with policing and enforcing this type of policy. It could be the end to our current e-mail freedom which has been discussed many times by industry publications. Just like it takes 37 cents to mail a letter which covers the infrastructure costs for our USPS, it could take 3, 5, or 10 cents per e-mail to cover the infrastructure costs to route and police what would be needed to support this. This would lead to free enterprises offering competing services to what is established and so on and so on.

RAE Reporter: It has been claimed that most of the millions, perhaps billions of spam messages circulating through the Net come from just 100 or 200 individuals. Why is it impossible to simply track these 100 or 200 people down?
Gary Blawat: It is almost impossible to track them down due to forged information, open relays, changing domain names, or internationally hosted web sites. Equate this to any criminal organization -- we all know they generally exist, (and) it is difficult to pinpoint a specific prosecutable target and then gather evidence to solidify your case. If records are vague and the identity is falsified it makes it difficult to find the lone individual. This is also influenced/complicated by "interpretation" and enforcement of the laws at state and federal levels.

RAE Reporter: Please explain how SafeInternetMail's spam-detection approach differs from other entries in the market. What exactly is a "Bayesian" filter and what special advantages does it provide in terms of identifying and blocking spam? How does it differ from SpamAssassin's? How difficult is it for the average user to train the filter?
Gary Blawat: SafeInternetEmail's approach differs due to several factors. The most important aspect of SIE is how we leverage our pattern detection engine that has been used in the defense sector for years. As a full pattern-recognition language we can create heuristic lexical patterns that cannot be done in other solutions. Since we can create heuristic patterns we can then break things down into categories which allows for user/organizational choice.

Next, we have decomposition tools that break e-mails into the lowest common state, which makes it easier for applying lexical patterns. This phase also takes a hash of each message and then places it in the spam or good databases depending on whether or not it is blocked. Lastly, we have a self-adjusting Bayes implementation that is self-adapting to the types of e-mails processed through the system. This means all user activity is considered to determine probability on tokens identified in spam.

A Bayesian filter is a method of classification. By assigning a probability score to a token, or for simplified purposes consider a token a word based on e-mail determined to be good versus e-mail determined to be spam, you can block messages without knowing the actual content. In our server solution the Bayes filter is trained by e-mails known to be spam and definitions created by the system to be spam. This way, bad e-mail is determined by definition blocked as spam while tokens are completely independent and compared against e-mail processed by the server as good (released) email.

Based on this method there is no need to adjust thresholds which is different than many other products. At a system admin level after two weeks of live e-mail you just need to enable the Bayes filter. At the user level, if allowed, users just need to manage their blocks by selecting their categories and releasing any messages that may have been blocked on system-specific settings.

The other aspect of SafeInternetEmail is that it is a complete managed solution. We have lexical analysts that are continually reviewing spam through our feeder accounts and making categorical definitions that are posted often.

RAE Reporter: Cybersoft recently reorganized into two divisions: one that continues to develop security software for business, academic, and government clients, and one that develops software such as MessageAuthority for the consumer market. What prompted this decision and what are the special challenges of this move? What have you learned in the last year vis a vis marketing to the small-office, home-office (SOHO) market?

Gary Blawat: The reorganization into two divisions was to target the commercial market and the defense industry. The defense industry has been CyberSoft Operating Corporation's core business. The bottom line for the decision is that we were a very defense industry-centric and highly engineer-geared organization. It was time to diversify our offering so we could grow the business.

The largest challenges really came in terms of reformulating the core technology and leveraging partnerships to meet the new market demand. A strict strategic focus was necessary so we didn't lose sight of the market needs as the product evolved. This led us to adhere to some common ideals that touch all the markets we are attacking. First, drill down to the end-user level and keep them in mind. A product that is too technical will not be used. Second, support responsiveness. Take responsibility for solving the problem even if it was an end-user mistake. Each support opportunity is potential product enhancement or a future product referral. Third, make pricing and product messaging real. Clear value combined with clear messaging allows the client to understand the product and make reasonable return on investment calculations for their organizations. This is critical in technically lean organizations.

RAE Reporter: What trends, challenges, and/or new problems are likely to emerge in the next year vis-a-vis the so-called "Spam Wars"? Will we ever reach a day when e-mail boxes are truly spam-free and if we do, is it likely that we'll live in a world where "the only e-mail you'll ever receive will be from somebody you already know?"
Gary Blawat: As far as patterns go, the prediction is already that spam messages will be reduced to simple messages which we have already seen. The other aspect of that is what will be the next "hot item." Will it be the new improved Pasta Pot or the miniature RC dogs?

The simple answer to your last question is no. Technology that allows e-mail from somebody you already know has been around for a long time. It is often referred to as a white-list. However, this doesn't solve the problem because spam is in the eye of the beholder. Some individuals do want to receive messages from somebody they do not know. In the future, the amount of spam you see will be dramatically reduced in volume due to technologies such as SIE, but it will be as common as Chevrolet and apple pie. The spam wars are actually a subset of electronic message security.

Our goal is to evolve the product to be effective in protecting an organization against e-mail viruses, harassment, spam, and loss of intellectual property.