Unsolicited commercial e-mail, or spam, is not just an annoying problem. It’s a costly one. The impact this unwanted traffic has on an individual organization’s bottom line can be significant. Estimates put spam costs at $198 billion by 2007 (Radicati, 2003, p. 2). Clearly, the consumption of resources and lost productivity that results from spam has grown to be a significant threat.
However, the risks posed by spam have become much more than just clogged in-boxes. Market research firm The Gartner Group characterizes spam as having evolved from a nuisance and storage cost drain to a major vector for malicious code and fraud (Gartner, 2004). Spam is being used in fraud schemes to trick users into providing personal information (phishing). Spam has also become a tool to help propagate viruses. In May 2005, a spam flood was used to help propagate the Sober.Q virus. Users received an e-mail linking them to a web page that installed Sober.Q. Evolving threats such as these are driving the requirement for proactive protection against spam.
This paper examines the different cost impacts, both direct and indirect, that spam has on an organization. In addition, the pros and cons of several different spam mitigation solutions are reviewed.
White PaperUnsolicited commercial e-mail, or spam, is not just an annoying problem. It s a costly one. The impact this unwanted traffic has on an individual organization s bottom line can be significant. Estimates put spam costs at 198 billion by 2007 (Radicati, 2003, p. 2). Clearly, the consumption of resources and lost productivity that results from spam has grown to be a significant threat.However, the risks posed by spam have become much more than just clogged in-boxes. Market research firm The Gartner Group characterizes spam as having evolved from a nuisance and storage cost drain to a major vector for malicious code and fraud (Gartner, 2004). Spam is being used in fraud schemes to trick users into providing personal information (phishing). Spam has also become a tool to help propagate viruses. In May 2005, a spam flood was used to help propagate the Sober.Q virus. Users received an e-mail linking them to a web page that installed Sober.Q. Evolving threats such as these are driving the requirement for proactive protection against spam. This paper examines the different cost impacts, both direct and indirect, that spam has on an organization. In addition, the pros and cons of several different spam mitigation solutions are reviewed.What Is Spam Costing You?Direct CostsFrom a technology perspective, spam eats up some very important resources. First, there s the bandwidth utilized to download the unwanted e-mail over the organization s Internet connection. If the billing plan for the organization s Internet access includes a usage component, then they may end up paying substantial fees for unwanted content. For Gartner customers, that unwanted e-mail has constituted 60 to 75 percent of their total incoming e-mail (Gartner, 2004). Once the e-mail reaches the organization s network, it must be processed and stored by the mail server. The processing cycles and storage resources consumed by the spam have a direct impact on the performance of the e-mail system. From a cost perspective, spam can consume enough resources to require the purchase of additional hardware to improve the performance and capacity of an overburdened system. Using the Gartner example, if 60 to 75 percent of an organization s e-mail is spam, and spam can be stopped before reaching e-mail storage and processing resources, then that organization could save some potentially significant hardware purchases.Indirect CostsWhile the direct technology costs are fairly easy to quantify, the indirect costs are often more substantial, but sometimes overlooked. The most significant indirect cost is lost productivity. IDC reported that end-users spend an average of 10 minutes each day managing spam (IDC, 2004). Based on the fully loaded cost for each employee, IDC projected that the cost to an average organization with 5,000 users would be almost 4.2 million annually. The impact on the general employee population isn t the only productivity loss. Spam has a much greater percentage impact on the time of the IT staff. Nucleus Research found that the average number of hours IT employees spent managing spam issues was 4.5 per week. They also calculated the average IT employee time on a per-mailbox basis. Their conclusion was that for every 690 employees, a full-time IT staff person would be needed just to manage spam (Nucleus Research, 2003, pp. 2-3).Another cost affecting the productivity of the general employee population and the IT staff is virus outbreaks. With spam now being used to spread malicious code, the lost productivity and recovery effort from a virus outbreak can also be attributed to spam. By Bob BlakleyThe Real Cost of SpamPage 1 of 4Untitled DocumentWhite PaperFinally, there are the legitimate e-mails that are accidentally lost or deleted amongst the volume of spam. When spam outnumbers legitimate e-mail, users become very quick with the delete key. Legitimate e-mail that s been lost can impact productivity, as well.Spam Identification TechnologySpam is a difficult issue to address, because it changes rapidly to avoid detection. Three basic types of technology are in use today to identify spam:" Public black lists" Signature-based identification" Heuristics-based identificationThe concept of public black lists is a very simple one. Create a network of thousands of e-mail users and have them identify the spam they receive. A repository is then created that lists the domains or mail servers from which the identified spam originated the public black list. E-mail from any of the names/IP addresses on that black list is automatically blocked by anyone using that list.In theory, this is a promising concept. In reality, it has many challenges. First, users do not always correctly identify spam. They sometimes forget when they ve opted into a mailing list, or they simply click too quickly when cleaning out their in-box. As a result, many organizations have been mistakenly put on black lists. This means higher false-positive rates for users of public blacklists and many hours of frustration for organizations that have been mistakenly identified as spammers.Secondly, most spammers do not send spam from their own servers. They have many ways to send e-mail using servers owned by others; they bounce e-mail off servers that have been compromised or mis-configured; they park in parking lots and access corporate e-mail servers through wireless LANs with open access; and they send mail using networks of zombie computers and individual computers on the Internet that have been compromised. This all means that blocking e-mail based on the originating address will have limited effectiveness.The second technology commonly used to identify spam is signature-based scanning. These solutions function very much like traditional anti-virus technology. When a new spam message is identified, the software developer creates a signature that uniquely identifies that e-mail. That signature is then used by the scanning software to identify future copies of the spam message.Signature-based scanning can be very effective at identifying known spam. This is obviously dependent on the signature definitions and how rapidly the technology provider can create the signatures as new spam emerges. Also, since spam is identified by matching the signatures of previous spam, virtually no e-mail is misidentified as spam.While the effectiveness against known spam and the low false-positive rate are two big pluses for signature-based scanning, new spam remains a challenge. Just as with traditional anti-virus solutions, signature-based scanners won t stop any new spam until a signature has been developed.The final technology used for identifying spam is heuristics scanning. These scanning engines analyze the characteristics of an e-mail to determine if it exhibits the traits of a spam message. Each trait has a score assigned to it. After an e-mail has been scanned, the scores for all identified traits are added up to get a total score that is used to decide if the e-mail is spam or not. The biggest advantage of this approach is that it identifies new spam there is no need to wait for a signature from a technology vendor. This is extremely important in an era where spam is being used to spread new viruses.Heuristics scanners use rules to analyze e-mail characteristics and identify spam traits. These rule bases grow over time as spam evolves. The most effective heuristics scanners on the market today are those that have been in this business for several years and have developed large and well-structured rule bases to enable more comprehensive but efficient analysis.Each of these technologies has strengths in different areas of spam protection. When considering an anti-spam strategy, strong weight should be given to solutions that can provide a combination of the three technologies, because utilizing the benefits of multiple technologies will provide more comprehensive protection.Page 2 of 4Untitled DocumentWhite PaperSpam Mitigation SolutionsThere are many different products available on the market today for combating spam. Each of these products can be categorized into one of three basic architectural models with their own pros and cons:" Desktop solutions" Server-level solutions" Internet-level solutions.Desktop SolutionsSimilar to desktop anti-virus products, desktop anti-spam solutions install a software client on the end-user s computer that will scan for spam as the user downloads mail from the server. Spam is identified usually using only one of the previously discussed technologies, and typically is moved to a folder dedicated to this unwanted e-mail.While desktop solutions may have the lowest initial entry cost (some freeware options are available), they can prove to be very costly to manage. Just as with any other desktop software, the application must be installed on every user s computer. The software then must be kept up-to-date through the distribution of patches and updates, such as signature updates. This maintenance can require a lot of time and resources. Therefore, while desktop solutions may improve individual employee productivity, they will not necessarily improve the productivity of the IT staff. In addition, since spam isn t stopped until it reaches the desktop, organizations still incur the costs for e-mail storage and processing along with the bandwidth utilization for their Internet connection.Another hurdle for desktop solutions is the limited storage available on the end-user s computer. Creators of these desktop applications must pay close attention to the size of the files they are creating. These applications often lack the robustness that server-level and Internet-level solutions have as a result of their greater resources.Server-Level SolutionsA common approach for managing spam is at the gateway or server level. This approach centralizes the spam management and eliminates the burden of maintaining clients on every desktop. These tools usually provide either signature-based scanning or heuristics-based scanning, and integrate with the organization s e-mail server.From a cost standpoint, server-level solutions can be expensive. They require a software license and usually require dedicated hardware. The maintenance requires fewer resources than desktop solutions, but time and effort is still required to keep the software and signatures current. Server-level solutions can help minimize e-mail storage costs if the spam is deleted immediately; however, many organizations simply move the spam to different folders. This contributes to high storage costs. Additionally, organizations still incur the bandwidth utilization cost for downloading unwanted e-mail.Internet-Level SolutionsInternet-level scanning is unique from the first two solutions in that it does not require an organization to deploy and manage technology within its network. Rather, it is a service that deals with spam at the Internet level before it reaches an organization s network. Because the spam is never downloaded to the organization s network, Internet-level scanning is the only solution that can reduce all of the previously outlined costs, including the reduction of bandwidth utilization. Furthermore, since Internet-level scanning is a service and not a technology, organizations do not need to invest any capital funds to purchase or maintain hardware or software. This also means less management burden for the IT staff.With Internet-level scanning solutions, e-mail is typically routed through the service provider s infrastructure by changing the Domain Name Service (DNS) mail record of the customer. The e-mail is then scanned and forwarded to the customer s e-mail servers. Changes to the end-user s e-mail client are not necessary.Most providers of Internet-level e-mail scanning solutions offer multiple options for handling e-mail that is identified as spam. The options usually include simply deleting the spam immediately or storing it in quarantine for a specified period. The quarantine option becomes important if the provider has a high, false-positive rate. This allows misidentified spam to be retrieved. An important note here is that the quarantine usually resides on the infrastructure rather than the organization s e-mail server. This eliminates the e-mail storage cost and provides an advantage over server-level scanning solutions.Page 3 of 4Untitled DocumentPage 4 of 4White Paper 2006 Verizon. All Rights Reserved. WP10638 01/06The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.We never stop working for you.Internet-level scanning is only as good as the technology being used by that provider. Organizations considering this type of solution should ensure the provider they are considering has had the effectiveness of their service independently tested. The results should be recent and should report on the effectiveness of the service at stopping spam, as well as the percentage of false positives identified.Verizon Managed Email Content ServiceVerizon Managed Email Content Service is an Internet-level scanning service that filters out spam, viruses, and inappropriate content. It uses a combination of signature-based scanning and heuristics technology to stop not only known spam but also new spam as well. Verizon has partnered with MessageLabs to use their patented technology to provide this service. In 2005, the MessageLabs technology was independently tested by VeriTest and shown to be 99.29 percent effective at stopping spam with a false-positive rate of 0.00 percent.In addition to blocking spam, the Verizon Managed Email Content Service stops e-mail-based viruses. In fact, Verizon provides a 100 percent Virus Detection Service Level Agreement (SLA) for both known and unknown viruses. Since more than 90 percent of today s viruses enter networks through e-mail, this removes a significant threat to our customers' information infrastructure.Administration is handled through an easy-to-use, web-based portal and provides a wealth of management information, configuration tools, service statistics, and reports in real-time, enabling you to see how the service is performing for your organization. All service updates and upgrades, as well as threat protection, are done in real-time by the Verizon Managed Email Content Service requiring no involvement or resources from the client. You simply configure the service to fit your organization s environment and leave the rest to us.The Verizon Managed Email Content Service also helps ensure e-mail continuity for your organization. Even if you lose your mail server, e-mail continuity is delivered through embedded protection and recovery, automatic e-mail spooling, and even distribution of e-mail traffic. If your mail server goes off-line for any reason or experiences a surge in e-mail volume, the Verizon Managed Email Content Service simply queues the incoming messages and then delivers them when your mail server returns.Verizon Managed Email Content Service acts as your first and strongest line of defense by scanning e-mail and eliminating threats such as viruses, spam, and unwanted content before they reach their intended destination.ReferencesGartner says by end of 2004 fewer than 10 enterprise spam-filtering vendors will remain. Retrieved March 2004 from http://www.gartner.com/press_releases/pr17mar2004.html Radicati, S., and Khmartseva, M. (2003). The Messaging Technology Report, 12(8). Retrieved from http://www.radicati.com/cgi-local/brochure.pl?pub_id=323&subscr=&back_link=/products/technology.shtmlSpam: The silent ROI killer. Retrieved 2003 from http://www.nucleusresearch.com/notes.html#Volume of SPAM doubled in past two years IDC expects it is only going to get worse. Retrieved April 2004 from http://www.idc.com/IDC