By Steven Vaughan-Nichols

Back when I last wrote about instant messaging (IM) software and the enterprise, IDC was predicting that corporate IM use would grow from about 5.5 million in 2000 to over 181 million by 2004. Based on what business users are telling me, I think those numbers may be on the low side. But as more and more corporate users run IM programs, we can’t overlook the fact that IM is experiencing some growing pains of its own. Just as e-mail plays host to inordinate amounts of daily spam, IM spam is becoming an alarming problem.

Noted e-mail and IM analyst David Ferris, head of Ferris Research, says you can expect IM spamming to become widespread. Though current IM spam levels are not as high as what you’d usually see with e-mail, IM spam will get much worse; it’s becoming just as easy to do and it’s harder to block.

Though IM spam doesn’t eat up that much bandwidth or server performance, it can cause significant trouble on your clients’ desktops. In the same way an e-mail can bear a virus, IM spam also leaves your PCs open to viruses. Fortunately, however, there are a few things you can do to ward off IM spam: Control IM use, block IM spam addresses, restrict most users to buddy lists or company directory IM access, and use an in-house IM system.

Control IM use
The only way you can ever get a measure of control over IM spam is to control corporate IM use. At the very least, you should come up with a corporate policy for IMing. For starters, I’d go with four user level options:

  • No use: Don’t let employees have or use IM clients.
  • Corporate use: Employees can use a corporate IM client within the corporate firewall on an internal IM server.
  • Partner use: Users can access a client within the corporate intranet and extranet with your business partners, with the server hosted by either your company or a partner.
  • Unlimited use: Users may access a corporate IM client, and possibly other clients, to reach Internet IM users. At this level, you give up control, so only users with a need to communicate with anyone on the Internet—sales or technical support, for example—should be given this level.

As part of this, select a single company-hosted IM client for corporate use. Only people in the unlimited group should be allowed to use clients other than the official company client.

Many users won’t like this; but let’s face it, not everyone needs IM for their work. And for those who do, most only really need it to talk to people within the company. A much smaller number of people—for example, developers and managers—need to talk to partners. And then there are those few executives, salespeople, and technical support people who might need to talk to anyone at any time. The exact details will vary from network to network, but with the right combination of user groups, access control lists, and firewall settings, establishing IM policies shouldn’t be too difficult.

After you’ve set your policies, tell everyone to get rid of their unapproved IM clients, and then use software auditing to ensure that this happens. Don’t allow multiple clients for everyone on your network. Besides IM’s own special headaches, multiple software programs of any kind always lead to technology management trouble, because each additional program requires more technical support.
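The four user levels above, together with the client-auditing step, can be written down as an explicit policy that a proxy or firewall rule generator evaluates per connection attempt. The following is an added example, not code from the article or from any product it names; the tier names, host names, client names and inventory are constructed sample data, and the mapping of users to tiers stands in for what you would normally derive from directory group membership.

```python
"""Tiered IM egress policy evaluator (added example, constructed data).

Encodes the four user levels (no use, corporate use, partner use,
unlimited use) as a default-deny policy: a user may reach an IM server
only if their tier is at least the tier that destination class requires,
and only the unlimited tier may run a client other than the approved one.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Tier(IntEnum):
    NO_USE = 0      # no IM client at all
    CORPORATE = 1   # internal server only
    PARTNER = 2     # internal plus partner-hosted servers
    UNLIMITED = 3   # any Internet IM service, other clients allowed


# Minimum tier needed to reach each destination class.
REQUIRED_TIER = {
    "internal": Tier.CORPORATE,
    "partner": Tier.PARTNER,
    "external": Tier.UNLIMITED,
}


@dataclass
class ImPolicy:
    internal_servers: Set[str]
    partner_servers: Set[str]
    approved_clients: Set[str]
    tiers: Dict[str, Tier] = field(default_factory=dict)

    def tier_of(self, user: str) -> Tier:
        # Unknown users fall to the lowest tier (default deny).
        return self.tiers.get(user, Tier.NO_USE)

    def classify(self, host: str) -> str:
        if host in self.internal_servers:
            return "internal"
        if host in self.partner_servers:
            return "partner"
        return "external"

    def is_allowed(self, user: str, host: str, client: str) -> bool:
        """Decide whether a connection from `user` via `client` to `host` passes."""
        tier = self.tier_of(user)
        if client not in self.approved_clients and tier < Tier.UNLIMITED:
            return False
        return tier >= REQUIRED_TIER[self.classify(host)]

    def audit_clients(self, inventory: Dict[str, Tuple[str, List[str]]]) -> Dict[str, List[str]]:
        """Software-audit pass: per machine, list unapproved IM clients whose
        primary user is not in the unlimited tier. `inventory` maps a machine
        name to (primary user, installed IM clients)."""
        findings: Dict[str, List[str]] = {}
        for machine, (user, clients) in inventory.items():
            if self.tier_of(user) >= Tier.UNLIMITED:
                continue
            bad = sorted(c for c in clients if c not in self.approved_clients)
            if bad:
                findings[machine] = bad
        return findings


# Constructed sample policy and inventory (not real hosts or products).
SAMPLE_POLICY = ImPolicy(
    internal_servers={"im.corp.example"},
    partner_servers={"im.partner.example"},
    approved_clients={"corp-im-client"},
    tiers={"alice": Tier.CORPORATE, "bob": Tier.PARTNER, "carol": Tier.UNLIMITED},
)

SAMPLE_INVENTORY = {
    "pc1": ("alice", ["corp-im-client", "other-client"]),
    "pc2": ("carol", ["other-client"]),
    "pc3": ("bob", ["corp-im-client"]),
}


def demo() -> Dict[str, bool]:
    """Evaluate a handful of constructed connection attempts."""
    attempts = {
        "alice->internal": ("alice", "im.corp.example", "corp-im-client"),
        "alice->partner": ("alice", "im.partner.example", "corp-im-client"),
        "bob->partner": ("bob", "im.partner.example", "corp-im-client"),
        "bob->external": ("bob", "messenger.example.net", "corp-im-client"),
        "carol->external-otherclient": ("carol", "messenger.example.net", "other-client"),
        "unknown->internal": ("dave", "im.corp.example", "corp-im-client"),
    }
    return {name: SAMPLE_POLICY.is_allowed(*args) for name, args in attempts.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
    print("audit findings:", SAMPLE_POLICY.audit_clients(SAMPLE_INVENTORY))
```

Because the policy is default deny, a user missing from the directory mapping gets no IM access rather than falling through to the internal server, and the audit function only reports machines whose primary user is below the unlimited tier, which matches the rule that only that group may keep a second client.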

Block IM spam addresses
You can also try to block IM spam, but it’s much more difficult because you can’t “turn down the volume” by blocking addresses that are known for spamming. Even though AOL and Yahoo officials tell me—and I believe them—that they kill IM addresses used for spam as fast as they find them, scripts exist that allow IM spammers to launch new accounts and start spamming again almost as soon as their old accounts are killed.

Restrict users to buddy lists or company directory IM access
Of course, this capability depends on the client; almost all provide buddy lists, and the programs I recommend below can also be linked into a corporate directory. This will block spam at the desktop, but it won’t stop spammers from getting to the network. To try to do that while allowing IMing, have your people use business-only IM names at work.

For example, one way that spammers find addresses is through public chat groups. If a business IM name never shows up in a “Steelers Rule” or “Olympic Figure Skating” chat group, a spammer harvesting names there will never see it. If your users sign on with their business IM names only inside the business or with company partners, this will help stop IM spammers from getting their messages into your network.
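The buddy-list and directory restriction described above, and the "business-only IM name" rule, can be combined into a desktop-side inbound filter: deliver a message only when the sender is on the recipient's buddy list or in the corporate directory (unlimited-tier users are exempt), and report any internal-only business name that is nevertheless being reached from outside the corporate and partner domains, since that name has evidently become known to outsiders. This is an added example, not the article's or any product's code; the domains, addresses and messages are constructed sample data.

```python
"""Inbound IM sender filter with exposure reporting (added example).

All domains, addresses and messages below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

CORP_DOMAIN = "corp.example"            # constructed corporate IM domain
PARTNER_DOMAINS = {"partner.example"}   # constructed partner IM domains


def domain_of(address: str) -> str:
    """Return the domain part of a user@domain IM address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def is_trusted_domain(address: str) -> bool:
    """True if the address belongs to the company or a business partner."""
    d = domain_of(address)
    return d == CORP_DOMAIN or d in PARTNER_DOMAINS


def decide(sender: str, recipient: str,
           buddy_lists: Dict[str, Set[str]],
           directory: Set[str],
           unlimited: Set[str]) -> Tuple[str, str]:
    """Return ("deliver" | "drop", reason) for one inbound message."""
    if sender in buddy_lists.get(recipient, set()):
        return "deliver", "sender on buddy list"
    if sender in directory:
        return "deliver", "sender in corporate directory"
    if recipient in unlimited:
        return "deliver", "recipient is unlimited tier"
    return "drop", "sender unknown to recipient"


def filter_messages(messages: List[Dict[str, str]],
                    buddy_lists: Dict[str, Set[str]],
                    directory: Set[str],
                    unlimited: Set[str]) -> List[Tuple[str, str, str]]:
    """Apply `decide` to each message; returns (to, from, action) triples."""
    out = []
    for m in messages:
        action, _reason = decide(m["from"], m["to"], buddy_lists, directory, unlimited)
        out.append((m["to"], m["from"], action))
    return out


def exposed_names(messages: List[Dict[str, str]], unlimited: Set[str]) -> Set[str]:
    """Business IM names below the unlimited tier that received traffic from
    outside the corporate and partner domains. A name that should only be
    used internally but is being contacted from elsewhere has leaked and is
    a candidate for rotation."""
    return {m["to"] for m in messages
            if m["to"] not in unlimited and not is_trusted_domain(m["from"])}


# Constructed sample data.
SAMPLE_MESSAGES = [
    {"from": "bob@corp.example", "to": "alice@corp.example", "body": "lunch?"},
    {"from": "promo123@freeim.example.net", "to": "alice@corp.example", "body": "click here"},
    {"from": "eve@partner.example", "to": "bob@corp.example", "body": "contract draft"},
    {"from": "random@freeim.example.net", "to": "carol@corp.example", "body": "hi"},
]
BUDDY_LISTS = {"alice@corp.example": {"bob@corp.example"}}
DIRECTORY = {"alice@corp.example", "bob@corp.example", "carol@corp.example",
             "eve@partner.example"}
UNLIMITED = {"carol@corp.example"}   # e.g. a salesperson who may talk to anyone


if __name__ == "__main__":
    for to, frm, action in filter_messages(SAMPLE_MESSAGES, BUDDY_LISTS, DIRECTORY, UNLIMITED):
        print(f"{action:7} {frm} -> {to}")
    print("exposed business names:", exposed_names(SAMPLE_MESSAGES, UNLIMITED))
```

The directory check is what lets a partner contact reach a partner-tier user without every employee maintaining a buddy entry for them; the exposure report is the operational signal that a business name has shown up somewhere public and should be retired before it attracts more spam.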

Use an in-house IM system
Don’t stop at managing the IM clients; make sure you manage the IM servers too. As a result, you’ll have much more control over what’s becoming an increasingly important network service, and you’ll also be able to supervise quality of service. To do that, you need to run your own IM services.

For corporate use, I like Jabber, because it’s open source, its protocol is an open XML-based standard, it can use SSL, and your unlimited-tier users can use it to chat with MSN and Yahoo users. You can also install Jabber and then selectively let clients have outside access, but this is more difficult to implement.

I’m also becoming increasingly fond of Lotus Sametime and Novell DigitalMe. DigitalMe is a free service that you can sign up for on the Novell site. Both have top corporate support and come ready to work with directory services (Jabber requires an additional module), and your users can use them to talk to AIM users.

IM spam may not be an all-encompassing issue for you now. But it’s a sure bet that it will become a problem. Address it before your CEO tells you to fix it.

This article was published by ZDNet Tech Update on Jan. 30, 2002.
