Spam costs mount up

Staff photo by Jeff Pouland
enlarge

Jason Bullock is an information technology services intern at Thomas College in Waterville. Christopher Rhoda, vice president for information technology services at the college, said it costs between $3 and $10 to protect each student with anti-spam software every month.

Webster's Dictionary gives two definitions for the word spam.

"I feel as though spam is an intrusion on my privacy," said Lagasse, chief technology officer at Kennebec Savings Bank in Augusta.

No, he's not talking about canned meat here. He's talking about Webster's second definition, loads of unsolicited e-mail -- 30,000 pieces a day.

Those 30,000 unwanted e-mails represent 85 percent of all the messages transmitted on the bank's server.

Time and money spent on managing spam has become a real problem for many businesses.

For Kennebec Savings Bank, the cost is between $3,000 and $4,000 a year, plus $8,000 for the purchase cost of necessary security software. This can place the bank's total expense at $14,000 a year.

Banks aren't the only organizations in Maine fighting an avalanche of junk e-mail.

Dick Thompson, chief information officer for the state, said state government is inundated with 50,000 pieces of spam daily.

"It's a very big part of our job, it's something we work on every day," he said.

Thompson's office has even created a position called an "information technology security officer" to deal specifically with the issues related to spam.

In Waterville, Christopher Rhoda, vice president for information technology services at Thomas College, has stopped trying to estimate how many pieces of unwanted e-mail his school's server receives.

He said it costs between $3 and $10 to protect each student with anti-spam software every month.

Multiply that number by the 1,000 students enrolled at Thomas College, and the number spent on security software could be up to $80,000 over two semesters.

In a 2003 study, Ferris Research found spam costs U.S. corporations about $9 billion every year.

This year, the San Francisco-based firm raised that estimate to $19 billion -- a figure that includes staff time and expenditures on filters and other software products.

There are generally two types of spam that networks have to deal with. "One is annoying and the other is malicious," said Rhoda.

Businesses trying to sell products are the most common type. They're the Internet version of telemarketers. Robert Demyanovich of right2communicate.org said businesses have the right to contact individuals by e-mail if offering a legitimate product.

"What gives anyone the right to prohibit you from informing a company about your products or services?" he asks on the Web site. He says that this kind of mass e-mailing is within the context of free commerce.

But the other type of spam offers more danger. They're called "phishing scams," in which a spammer attempts to trick the e-mail's recipient into giving out personal information, sometimes credit card numbers.

Senders will often disguise themselves as a bank or other financial institution, telling the recipient that the person needs to update their information for their account.

Sari Greene, director of the Maine Anti-Phishing Coalition, said people should never respond to such a request, even if it's just to tell the sender to take their e-mail address off the list.

"Legitimate companies are not going to request personal information from you," she said. "If you get one, just delete it."

Greene's group is a coalition of 21 Maine banks that raises public awareness about identity theft and fraud, educating the public and banking employees against the dangers of such scams.

The first tier is a filter that stops questionable e-mails before they get to their destination. The other tier is a validation system in which unknown e-mail addresses are returned to the sender and asked to be confirmed. The system is called challenge response. "This basically tells us that there is a live person on the other end of the e-mail," said Lagasse.

But Richi Jennings, lead analyst for e-mail security practice at Ferris Research, said he thinks the challenge response system isn't all that great. While he agreed that it cuts down on spam, he said it makes the whole process longer for legitimate e-mails to get through, thus adding to the time and money spent on spam.

"It seems like a really good idea at first, but it's actually quite a bad idea," he said.

What is more efficient, in his opinion, is a system that looks at the content of an e-mail as well as the reputation of the sender, based on a large database of blacklisted addresses.

These systems are constantly being updated to include new addresses, and are therefore more accurate, said Jennings.

Because spammers can disguise their addresses, all recipients can do is learn how to best react to the e-mail they receive.

"The problem is that all of these efforts are reactive, not proactive," said Rhoda.

Lagasse and Rhoda agree that e-mail's domain name services protocol, or DNS protocol, needs to be rewritten.

"By doing this, (spammers) would have to become registered users," said Lagasse.

Currently, spammers are able to send e-mails and hide their addresses so that they can't be tracked. Changing the protocol would open the opportunity to put an end to one of spammers' favorite tricks.

Another critical component to solving the problem, said Lagasse, is a cooperative effort between countries, because many spam messages originate from Europe and Asia. "To effectively eliminate spam, there would have to be international cooperation in developing laws that will effectively deter spammers," he said. "Until then," he said, "I see us having to revisit this problem again."

Reader Comments
Share your thoughts about this story.