Worcester Business Journal — Jan 13~23, 2003

Spam: cheaper by the  million for
e-mail senders, but it’s costing you

By Ed Hilow

If you find yourself spending more and more time deleting unwanted e-mail messages from your business computer, you’re not alone.

Imagine walking into your company’s office in the morning to find your employees at their desks opening piles of junk mail, and you’ve got the equivalent of what happens with commercial spam. All this junk results in costly person-hours of non-productive time. And it’s gotten worse over the last year, or so businesses say.

The low cost of sending spam - fractions of a penny per message - contributes to its explosive growth as a marketing medium. Spam is projected to grow by as much as 60 percent annually. In 2002 alone, it grew by 80 percent, according to household-name Internet service providers such as AOL and Hotmail.

Studies on the matter have different findings. A study by the Pew Internet & American Life Project estimates that little spam reaches the inboxes of workers, but another study done by New York City-based Gartner Group in a report E-Mail in 2003: The Risk Level Rises, estimates that by 2004 as much as 50 percent of all e-mail will be spam. Over the last year alone, spam e-mail has grown from 8 percent of all e-mail to 36 percent, according to San Francisco-based Brightmail Inc.

A recent study released by San Francisco-based research firm Ferris Research Inc. calculates the annual cost of spam at $8.9 billion to U.S. businesses and $2.5 billion for European businesses. Worldwide the cost could be as high as $100 billion. ISPs in both Europe and the United States bear costs as high as $500 million annually, according to the same report.

Now, there’s a push on to make spam illegal. But that’s easier said than done. Civil liberties advocates are concerned about abridgments of First Amendment rights (see "Can we can the spam?," page 13). And some internet service providers don’t want to take an active role as spam filterers because of the privacy issue.

In the meantime, businesses are either toughing it out, adopting spam filters, or something in between.

Helping the help desk

Chattanooga-based insurance benefits provider UnumProvident Corp., which has 900 employees in its Worcester office, has launched a pilot program to test new spam filtering using the same technology that provides URL filtering, which restricts employee access to certain Web sites based on content. Similarly, this would work to prevent certain types of e-mail from reaching employees’ inboxes. The decision to employ an e-mail filter was prompted by employee complaints, says Lynda Fleury, director of enterprise security architecture for UnumProvident, who works from company head-quarters. Following an assessment of the company’s computer systems, enhancements were made to security, she says. With regional offices in Chattanooga, New York City, Portland, ME and facilities in Worcester, UnumProvident employees have come to depend on e-mail as a standard of communications between the various UnumProvident locations. Over the course of a month between the company’s primary locations - Chattanooga and Portland - more than 2 million e-mails are sent back and forth each month. Fleury says that up to 95 percent is business-related, with the remaining 5 percent permitted for personal e-mail.

Since the beginning of 2001, the volume of spam has increased, says Fleury, without an apparent explanation as to why. Even if each UnumProvident employee spent only one minute a day culling out and deleting junk e-mail, over the course of a month with 13,000 employees worldwide, the staff would spend a total of 4,300 hours dealing with spam, she estimates.

With those kinds of numbers, Fleury notes that effective anti-spam software is a good investment. Looking into the various filtering products available, costs range from $150,000 to $200,000 for maintenance and support, not including the cost of hardware. Fortunately, with the suite of software products UnumProvident uses, filtering software is part of the package and is thus no additional cost for the company.

UnumProvident is currently evaluating an e-mail content filtering tool (see "The anti-spam: tricks and technology" page 15). "From a corporate perspective we really didn’t have an issue with spam until [last] spring," she says. The content filtering tool under consideration is similar to that used for Web URL blocking, which filters content by category. It notifies prospective recipients that it has blocked e-mail containing questionable content, and also notifies the sender that its e-mail contains contents that are possibly inappropriate or prohibited by UnumProvident. "We can let [senders] know if it is legitimate, they can make a phone call, and we can either adjust the filter or figure out a different way to deliver the contents," Fleury says. "The challenge that we have as an insurance company is being very, very careful on how we tune those devices so that we are allowing legitimate business communications."

The first phase of UnumProvident’s anti-spam protocol will scan all inbound e-mail and eventually outgoing e-mail as well. However, once the anti-spam protocol is in place, privacy rights become an issue in conjunction with the contents of those personal e-mails. But given that the e-mails are property of the company, they are subject to company protocols. This, agrees the ACLU’s former Executive Director John Roberts, (see "Can we can the spam?" page 13) is one side of the coin with the other being an employee’s rights to actually receive spam.

While unable to reveal the specifics of the filtering system for security reasons, Fleury says the system will work against a predefined list of keywords and combinations of keywords to scan every e-mail and attachment. With the ability to adjust the filter, the company will adjust the threshold over the course of the testing phase.

"It is currently being put in place in a pilot scenario," says Fleury. "In the first hour the tool was up, we managed to catch 150 in-bound communications. Unfortunately, not all of them were spam; so some tweaking is still in order. The issue is, then you go back and cull through the blocked e-mail to make sure they were legitimately blocked. It’s a challenging tool to deploy, because you want to make sure legitimate business e-mails do come through." Fleury says the challenge of letting legitimate mail go through while keeping the spam out will vary from business to business. "Depending on the line of business [a company is in], it’s going to present a challenge on how you set that threshold," she says. But, she adds, the software will help reduce the overall number of junk e-mails coming through and hopefully the number of employee complaints. "The help desk staff will love it," Fleury says.

Evolving a defense against spam

Natick-based Cognex Corp., which makes machine visions systems, started feeling the effects of spam nearly a year ago, says Harri Rosenberg, senior IT manager for the company, which employs 600 people worldwide. First came an increase in calls to the help desk, and then IT personnel themselves started getting "inundated" with spam, she says. So Rosenberg launched a project looking into spam and anti-spam products. "It kind of evolved over the last nine to twelve months," she adds.

Over the course of the last 6 months, Gary Lake, a Unix administrator at Cognex, has been reviewing spam-control products, and for the last two months, has been testing one product with a small group of employees with satisfactory results, Rosenberg says. Cognex declines to provide specifics on the product, but does say it prevents spam from entering employees’ mailboxes by putting questionable e-mail in a "holding area" until it can be reviewed. Lake says one good feature of the product is that it allows Cognex to implement a company-wide filter, while allowing individual employees to further customize it for their individual needs. The product will apply filters not only to keywords, but compare senders to a list of known spammers as well.

Cognex has put money into this year’s budget to buy and implement the product. At a cost of about $7 per user, it’s expected to cost Cognex less than $5,000 to put in place, she says.

Blaster of the universe

Up until the time he received a virus that trashed his computer earlier this year, David Kowal, president of Kowal Communications Inc. in Northboro, only found spam annoying. As a veteran advertising and communications specialist, he has up close and personal experience with spam. He says he constantly receives e-mail solicitations extolling the virtues of buying e-mail lists. So not only is he getting spammed, but he is being given the chance to buy a list of e-mail addresses from a spammer - a thought that doesn’t go over well with him. "It is pretty annoying when I get all these e-mails from people who want to sell me a list of a million names," says Kowal. "From a marketing perspective, if you’re blasting the universe, you’re playing the odds on figuring that if I get a few responses, that’s great. But obviously, it’s a major annoyance." Using a combination of packaged anti-virus and spam filters effectively reduced the amount of spam Kowal Communications was receiving, for a while. But then, the spam flow gradually started to build back up - a testament to the pervasiveness and persistence of the true spammer.

While filters and lists are efficient at reducing the amount of spam, over time spammers can tweak software coding and e-mail contents, says Jeff Kosiorek, manager for marketing and communications for Littleton-based Inforonics, to get past filters. He cites an example of Microsoft Outlook, where information on how the filter works is available at Microsoft’s web site. (www.microsoft.com). While the explanation is provided for users seeking additional information, it certainly provides a spammer with a rudimentary advantage.

Spam notwithstanding, Kowal considers e-mail an important marketing tool in his work. He thinks any attempts to legislate against spam will prove ineffective. "How are you going to enforce it?" he asks. "How do you define spam? Is the press release I sent going to be considered spam? Am I going to get fined for that?" Whoever sends out the regular junk mail must be at least discriminating to a degree and is going to try and focus on their target market, he notes. But with the ability to send out massive quantities of e-mail, which are received instantly, at a fraction of the cost, it’s easy to see the temptation in using it, he says.

While he uses e-mail to attract potential clients, Kowal uses a more targeted approach versus the shotgun scenario. He believes e-mail should be on an opt-in basis and from a marketing firm perspective; it should be "on a very selective basis" as well.

His own strategy is to check out a prospective client’s web site first. Only if he thinks it’s a good match will he send an e-mail, which he follows up with a phone call. If there’s no interest, he moves on.

Dissatisfaction guarantee

Marlboro-based Vanquish created software that uses digital-bonding technology to authenticate the sender of the e-mail. If the receiver recognizes or wants to open the e-mail, they can. But if the receiver does not recognize the sender or does not want to open it, they can penalize the sender, which means a small fee is charged to the sender. "It’s a dissatisfaction guarantee for the receiver," says Philip Raymond, CEO of Vanquish. It’s analogous to sending out certified mail, he says. As a sender, you are less likely to spend money sending certified mail, which has a cost, to recipients who may not want it. "You force the sender to assess whether he really understands his audience, or whether he’s ... buying a massive list of people he knows nothing about, and then trying to sell them [something]," Raymond says. "That’s our game." Inforonics does custom software development and applications. While the company itself doesn’t have a formal anti-spam protocol, it does have anti-spam software on a user level as part of its e-mail system, as well as enterprise-wide antivirus software. Inforonics is looking at products on enterprise-level anti-spam software. Kosiorek spends anywhere from 25 to 50 minutes a week dealing with spam in his own inbox. Over the last quarter, spam has increased, says Kosiorek. "There’s probably three spam e-mails for every one [legitimate] e-mail."

At least one of Inforonics’ own customers has been mistakenly identified as a spammer by its ISP and by several prominent search engines. While not wanting to specifically name the client, Kosiorek notes the customer does a large majority of customer relations management and communications through the internet and e-mail. During the course of an advertising campaign, it sent out thousands of e-mails targeted specifically to its customer base, but the ISP saw all these emails coming from a single source and raised a red flag, thinking it was a spammer. This is an example of a false positive in which a filter dumps legitimate messages.

Inforonics had to step in to act as a liaison between the client company and the company’s ISP to explain it was doing legitimate business. Kosiorek also raises the question of how one defines spam. While Inforonics does not offer anti-spam software as part of its services to clients, it is something the company may have to consider down the road, if the complaints continue, he says.

Cheaper than talk

The cost to send direct mail - even at bulk rates - is still thousands of times more expensive than e-mail. According to Vanquish’s Raymond, e-mail costs as little as 3/10,000 of a cent per e-mail.

"E-mail is expensive," adds Raymond, "but not to the sender. The cost is distributed to the infrastructure," he explains. "It means the average ISP [may] sell you an account for $15 [a month]. The average user sends about 20 or 30 [e-mails] a day, so the average user is sending well under 500 messages a month, while they [the ISP] can afford about 40,000 messages [per user a month]. But when someone goes ahead and attaches 200,000 headers to their message, you’re forcing your ISP to multiply that message and send it through his pipe and now he’s just spent $60 sending something that he’s charging you $15 a month for. And in most states the [sending ISP] can’t even suppress or filter it. They’re a common carrier, they must carry it."

Carry it they must, says Thomas Desilets, marketing manager of Shrewsbury Light and Cable, which serves as an Internet Service Provider for the Town of Shrewsbury and 4,000 cable subscribers in town who share among them 12,000 e-mail addresses. He says the company’s ISP system is robust enough to handle the increasing volume of e-mail customers get, and that he isn’t aware of costs going up as a likely result of more spam in the system. And while the overall volume of e-mail messages has definitely increased, he says, he can’t cite how much of it is spam, because of customer privacy issues.

"As an ISP, we have an obligation to give [customers] whatever e-mail is addressed to them," he says. As are UnumProvident and Cognex, Shrewsbury Light and Cable is currently testing some software, which it’s testing internally within the town’s ISP service before making the decision to release it to customers. The software reads the mail electronically, looking for telltale words, phrases and other criteria, and then flags or puts a tag in the e-mail’s header. It’s still up to the customer to decide what to do with the flagged e-mail, Desilets says. For the Town of Shrewsbury, the company has decided to add a spam filter, he says, but for the wider world, spam deterrents will likely remain at the customer level, he says.

Ed Hilow can be reached at editorial@wbjournal.com