As we discussed last week, spam has moved away from being
the irritating, but harmless unsolicited e-mail, towards a more sinister and
threatening problem. Spammers now use worms to infect both end user systems and
serverswhich are then used to either act as a proxy for fraudulent activities
(fake websites, spam relays, etc.) or extract private data for organised
criminal activities, such as identity theft. This poses a threat for home
users, but a greater threat is posed to corporations as they have a duty to
protect the privacy of customers data.
The classic focus point, when discussing the cost of spam to
a business, is the lost productivity of staffmeaning the time them to identify
an e-mail as junk and then delete it. This doesnt sound like it would really
have much of an impact, but research that I stumbled across from 2004 (nucleusresearch)
estimated that in one year the productivity cost per employee is about $1934! Updated
research carried out at the beginning of 2005 (InformationWeek)
estimated that the annual cost due to loss of productivity is about $21.58 billion!
Now thats a lot of money. Even if your organisation filters spam somewhat
effectively, most employees will check their personal e-mail accounts a few
times per day, thus having to deal with spam on systems that are out of your
control. Interestingly, the associated costs of spam, and the number of spam e-mails
delivered varies largely depending on geographical location.
An article from the beginning of 2005this time based on UK
the total cost to UK businesses was £1.3 billion, with a cost per user of £374
($598)much lower than the previous estimate of $1934! This research also
suggested that the severity of spam varied by country, with the UK receiving
higher amounts than France, Germany, Italy and even China.
There are other business-related costs incurred because of
spam; some of these are actually caused by anti-spam systems that mistakenly
identify genuine e-mail as spam. Dana Blankenhorn discusses these here.
From the IT department's point of view, there are different
costs associated with spam. First, consider the cost of anti-spam software or
solutions. While there are perfectly good open source implementations (in fact,
many commercial products are based on these with a little additional eye
candy), the majority of companies go for a commercial solution. Ill look more
closely at various solutions and methods for fighting spam later on; but hereare a few quick costs for some commercial systems:
- Barracuda SpamFirewall 400 + 3yr Updates = $7292
- Postini 500 users = $10000 / year
- Proofpoint Protection Server 1.2.1 = $10000 / year
Not cheap, huh? Bandwidth costs
associated with spam can also be considerable; some companies estimate that as
much as 50% of their bandwidth usage can be attributed to spam (also take into
account bounces, file attachments attributed to Worm activity, etc). I wouldnt
estimate that this proportion of our internet bandwidth is used by spam traffic;
however, we can notice when a large spam attack is in progress. Our internet connection
slows considerably. Additionally, even if anti-spam solutions are used to
reject junk mail before entering it into your delivery systemthis has to be
processed, scanned (in the case of malicious junk mail or worms), and then
rejected. This all munches CPU power and generates high memory usage, meaning
more powerful (and therefore more expensive) hardware needs to be put in place.
Our company is currently in the process of replacing our SMTP gateway for just
this reason; its struggling to deal with the sporadic and often heavy spam
attacks where accounts are bombarded with junk. Traditional methods used to
block known spammers before they even start an SMTP session are now becomingineffective. This is due to the increasing use of botnets to relay the traffic.
Last, but not least, I thought I should mention another
potential cost associated with the more malicious form of spam (generally due
to worms). There have been several high-profile cases recently in which large
corporations were fined due to the leaking of customers private information,
leading to identity theft on a massive scale. With the growing presence of Trojan
and worm-based proxies, we need to be careful that the combination of an
unknown (as-yet undiscovered) malicious program, badly enforced desktop
security, and users' stupidity dont end up causing major information leaks. This
is especially important in the financial services industry as information held
is more sensitive and more useful to criminals (or rival enterprises) than in
other industries. Although we can never make sure everything is covered, we
need to make sure that firewalls and traffic filters are truly used to theirfull ability. Being complacent about security could prove very costly!
Next week, well take a look at some of the ways in which
spam is being fought against and how different methods can be used together toform an overall anti-spam policy.