As we discussed last week, spam has moved away from being

the irritating, but harmless unsolicited e-mail, towards a more sinister and

threatening problem. Spammers now use worms to infect both end user systems and

servers—which are then used to either act as a proxy for fraudulent activities

(fake websites, spam relays, etc.) or extract private data for organised

criminal activities, such as identity theft. This poses a threat for home

users, but a greater threat is posed to corporations as they have a duty to

protect the privacy of customers’ data.

The classic focus point, when discussing the cost of spam to

a business, is the lost productivity of staff—meaning the time them to identify

an e-mail as junk and then delete it. This doesn’t sound like it would really

have much of an impact, but research that I stumbled across from 2004 (nucleusresearch)

estimated that in one year the productivity cost per employee is about $1934! Updated

research carried out at the beginning of 2005 (InformationWeek)

estimated that the annual cost due to loss of productivity is about $21.58 billion!

Now that’s a lot of money. Even if your organisation filters spam somewhat

effectively, most employees will check their personal e-mail accounts a few

times per day, thus having to deal with spam on systems that are out of your

control. Interestingly, the associated costs of spam, and the number of spam e-mails

delivered varies largely depending on geographical location.

An article from the beginning of 2005—this time based on UK

statistics (Personneltoday)—suggested

the total cost to UK businesses was £1.3 billion, with a cost per user of £374

($598)—much lower than the previous estimate of $1934! This research also

suggested that the severity of spam varied by country, with the UK receiving

higher amounts than France, Germany, Italy and even China.

There are other business-related costs incurred because of

spam; some of these are actually caused by anti-spam systems that mistakenly

identify genuine e-mail as spam. Dana Blankenhorn discusses these here.

From the IT department’s point of view, there are different

costs associated with spam. First, consider the cost of anti-spam software or

solutions. While there are perfectly good open source implementations (in fact,

many commercial products are based on these with a little additional eye

candy), the majority of companies go for a commercial solution. I’ll look more

closely at various solutions and methods for fighting spam later on; but here

are a few quick costs for some commercial systems:

  • Barracuda
    400 + 3yr Updates                 =          $7292
  • Postini – 500 users                                                       =          $10000 / year
  • Proofpoint Protection
    Server 1.2.1                                =          $10000 / year

Not cheap, huh? Bandwidth costs

associated with spam can also be considerable; some companies estimate that as

much as 50% of their bandwidth usage can be attributed to spam (also take into

account bounces, file attachments attributed to Worm activity, etc). I wouldn’t

estimate that this proportion of our internet bandwidth is used by spam traffic;

however, we can notice when a large spam attack is in progress. Our internet connection

slows considerably. Additionally, even if anti-spam solutions are used to

reject junk mail before entering it into your delivery system—this has to be

processed, scanned (in the case of malicious junk mail or worms), and then

rejected. This all munches CPU power and generates high memory usage, meaning

more powerful (and therefore more expensive) hardware needs to be put in place.

Our company is currently in the process of replacing our SMTP gateway for just

this reason; it’s struggling to deal with the sporadic and often heavy spam

attacks where accounts are bombarded with junk. Traditional methods used to

block known spammers before they even start an SMTP session are now becoming

ineffective. This is due to the increasing use of botnets to relay the traffic.

Last, but not least, I thought I should mention another

potential cost associated with the more malicious form of spam (generally due

to worms). There have been several high-profile cases recently in which large

corporations were fined due to the leaking of customers’ private information,

leading to identity theft on a massive scale. With the growing presence of Trojan

and worm-based proxies, we need to be careful that the combination of an

unknown (as-yet undiscovered) malicious program, badly enforced desktop

security, and users’ stupidity don’t end up causing major information leaks. This

is especially important in the financial services industry as information held

is more sensitive and more useful to criminals (or rival enterprises) than in

other industries. Although we can never make sure everything is covered, we

need to make sure that firewalls and traffic filters are truly used to their

full ability. Being complacent about security could prove very costly!

Next week, we’ll take a look at some of the ways in which

spam is being fought against and how different methods can be used together to

form an overall anti-spam policy.