What Is The Real Cost of Spam?

securitas writes "The NY Times has a nice feature about the diverging estimates of the costs of spam (Google). The estimates vary widely from $10 billion to $87 billion per year for American workers, and even more for global costs. Critics say that research firms' estimates vastly overstate the actual cost of spam. Public institutions like Indiana University have to be sensitive to the First Amendment rights of the spammers. And at companies like Nortel Networks, security architect Chris Lewis says that the real economic burden is the 10 to 15 percent - 5,000 to 10,000 messages a day - of the spam that still gets through, which costs the company about $1 in lost productivity per message. The costs can be much higher if a top executive is upset or mad about spam. "If someone in senior management gets spammed," Mr. Lewis said, "it could take 20 or 30 hours of everyone's time, up and down the chain." A chart of the per user amount of spam and the time spent processing it, as well as the varying estimates of the per user cost of spam are included in the article."

Re:First Amendment rights my ass

[Arker]

Has nothing to do with whether it's commercial or not. The first amendment guarantees your right to speak - NOT your right to hijack servers and bandwidth all across the world in order to force people to listen to you.

Re:The real issue is not now, but tomorrow

[digital photo]

Normally, I'm disturbed by violence.

However, in the case of spammers, I really don't think there really is a limit to what is "just".

Some suggestions:

• Use tranquilizers. You don't want to damage any sensitive nerve bundles.
• I would recommend either bamboo slits or rusty nails underneath their finger and toe nails.
• Keep everything disinfected. Rotting flesh is dead, unfeeling, flesh.

I get, when I take into account the amount of email per box, something like 2000 emails a day after all is said and done. It doesn't come out to $1 per spam, but I find myself constantly having to deal with it throughout the day.

I'm reminded of this one tommy gun scene where the guy firing loads of lead comments: Keep the change, you dirty rat.

Re:84 seconds per spam?!

[IWannaBeAnAC]

Either I'm a spam processing machine, or some of these estimates are WAY overstated. After running through two filters, I end up only seeing 20 TO 40 spam's a day, and it takes me all of 20 or 30 seconds to deal with them - for the WHOLE DAY. Do these people keep their delete key in their drawer or what?

Fine, this is not much of a problem for someone who is at their computer a lot and can basically delete spam as they arrive. I get a similar amount of spam as you (maybe slightly less, but still at least 10 per day, consistently). But what happens if you go on holiday for a month? Suddenly that small handful of 'delete' presses becomes a huge mass of junk, from which it is really hard to find the important messages. And what if you were away for 6 months? The task of filtering out the junk would be practically impossible.

For someone who doesn't work with computers, who maybe checks their email once a week, spam becomes a major chore.

Compare with snail mail; I get practically no junk mail (I also have a 'no junk mail' sign on the letterbox, which I suspect is legally enforcable where I live). Sorting out the mail after a long holiday (yeah I wish!) is actually an interesting and not long task.

The way it is now, it is impossible to use email for important communication (think bills, court documents, things you really _need_ to receive), simply because of spam. Filtering isn't the answer. Email was intended to be robust; either the message would get through or it would bounce. Spam filters make this no longer true, not by a long shot.

Re:Is this real money?

[frostman]

Interesting question. I'd like to know too.

Back when I used to get spam, I got about 100-150 a day. It took me about 10 or 15 minutes of actually going through the mailbox checking and hitting DEL to clean it out.

The bummer was that if I got behind, it would seem like an enormous amount, and I'd put off going through my inbox at all. That, of course, was a bigger productivity loss.

If we say someone takes half an hour a day to both clean out the spam and grumble about it, we might guestimate the annual productivity loss something like:

$ 15 (Worker cost/ 1/2hr)
x 225 (Work days/year)
------
$ 3375 / year

...which sounds very high. On the other hand, my gut feeling is that the 1/2 hour isn't an overestimate for average workers (who only cost the company $30/hour total).

If you just ask people how much time they spend dealing with spam you'll get wildly unreliable answers, depending on how they think their answer will be interpreted.

In any case I'm convinced the productivity cost dwarfs the infrastructure cost. I just haven't (yet) seen any statistics I'd call definitive.

Re:Let's say it's $1B

[schon]

Well, if the spammers are costing more money than they are generating then they too are hurting the economy, and rules need to be made to regulate them.

The whole 'frea speach' issue is a red herring, used by spammers to make stupid people take pause before doing something.

The first amendment guarantees the right to say whatever you want, but it does not guarantee the right to use other people's resources to say it.

There is NO first amendment issue regarding spam.

Re:First Amendment rights my ass

[kaltkalt]

There are dozens of exceptions. I'll give you a few:
1. You are not allowed to advertise fraudulently.
2. You are not allowed to reveal national secrets.
3. You are not allowed to violate a gag order given by a court.
4. You are not allowed to perform someone's song publicly unless you pay a fee.
5. You are not allowed to yell "fire!" in a crowded theater. (sorry, couldn't resist)
6. You are not allowed to speak on my lawn. Ever.
7. You are not allowed to show obscene material in public. You are not even allowed to LOOK at kiddie porn.
8. You are not allowed to give away trade secrets of your employer.
9. You are not allowed to incite illegal activity.
10. Defamation is not protected speech. If you defame me, you cannot use the first amendment as a defense.

Oh, there are plenty of others, but those are 10 nice, good ones. BTW I've read the First Amendment, as well as thousands of supreme court cases interpreting it. Now, if you're one of those people who believe the Constitution is not meant to be applied to real-life facts, then what can I say. Sorry, but you live in the real world.

Stupid System Administrators

[sirket]

I have said this before, and I will say it again:

If people would set up their email servers correctly, I could eliminate 99% of the spam from my systems. Unfortunately, a bunch of administrators seem to feel that they do not actually have to configure their systems correctly. If I want to be able to receive mail from them, then I need to open my server up and allow misconfigured servers to talk to it. Guess who has the majority of (usually intentionally) misconfigured servers. You guessed it, spammers.

Getting rid of spam is simple. Stop bitching about it and fix your own damned mail server.

Do you:

1. Have a postmaster account?
   
2. Have an abuse account?
   
3. Have reverse DNS?
   
4. Have matching forward and reverse DNS?
   
5. HELO with your server's Fully Qualified Domain Name (FQDN)?
   
6. Use a FQDN at all points during the transaction?
   
7. Have an A Record in DNS for those FQDN's?
   
8. Have proper MX records?
   
9. Use strict RFC821 envelopes?
   
10. Reject unauthorized command pipelining?
    
11. Reject non-existent sender domains? (joe@doesnotexist.com)
    
12. Reject invalid HELO names (Either non-FQDN's, HELO names that do not resolve, HELO names that do not resolve to the IP address of the connection, or hosts that use a numeric HELO without brackets)
    
13. Accept email for postmaster@a.b.c.d (Where a.b.c.d is the external address of your email server and e.f.g.h is the internal, non-NAT'd address). Many hosts fail this test (Though this is not something that you, as the receiver, would be checking.)
    

Just my two cents.

-sirket

Re:A dollar a message

[dubl-u]

think of the _interruption_ time it involves.

According to an IBM study quoted in McConnell's Rapid Development, it takes the average programmer 15 minutes to recover fully from an interruption.

Re:A dollar a message

[laing]

Well, it's not an easy thing to set up. There are links from the spamassassin.org web page to the many different ways to use it. One of them points to the spamassassin milter page: http://savannah.nongnu.org/projects/spamass-milt/

Unfortunately there isn't much there in the way of installation instructions. I think the developers of SpamAssassin are planning to release a commercial version soon (which I would gladly buy to support them and their efforts.) Perhaps the commercial version will be easier to install.

A brief summary of what needs to be done:
Install SpamAssassin and (optionally) razor.
Install the perl module Sendmail::Milter
(You'll need a version of perl that supports threads like 5.6 or later. If you don't have one, install it first.)
Add a few lines to your sendmail .mc file:
INPUT_MAIL_FILTER(`myspamfilter', `S=local:/var/run/mperl.sock, F=T, T=S:1m;R:1m')dnl
Use m4 to make a new sendmail.cf file.
Create the proper configuration files for spamd and spamass-milter per the documentation.
Restart sendmail and start the daemonized version of SpamAssasin (spamd).
Start spamass-milter.

Sit back and watch the spam bounce off your server.

Some Actual Numbers

[ticklemeozmo]

In 45 days time, here are my company's official spam stats.

Total email processed: 271,217
Total junk email identified: 239,560

88.32779% of email sent to our company is identified as spam.
That's over 6000 a day.
That's over 67 per account per day.

Before we installed a spam filter (you may feel free to ask me which), each person had to sift through their hypothetical 10 emails and delete almost 9 spams.