[unisog] The Impact of Spam on your Institution
wyang at gcfn.net
Tue Feb 10 20:44:57 GMT 2004
Back when I was still at a university, I did a study on this problem in
1997-8; the results are as relevant today as they were then.
My biggest problem was that the term "spam" was (and still seems to be)
poorly defined. Depending on whether spam is unsolicited bulk e-mail
(decent enough definition), unwanted e-mail (common user definition), or
unsolicited commercialk e-mail (a definition that raises legal questions
in public institutions in the U.S.), you'll probably find that the
impact varies significantly, today.
It seems to me that one needs to build metrics that are based on actual
cost, not on ratios of spam to non-spam. How expensive is it to hit the
delete key, really? If, as some analysts suggest, 50% of all e-mail on
the Internet is spam, then there may be a case to be made there... but
frankly, I've always thought that part of the cost of having e-mail
that makes it easy to communicate is that some social miscreants are
going to mis-use it to peddle anatomy enhancements, financial services,
and bulk mailing services. I find the 50% metric very hard to believe:
this e-mail account, which I've had for about a decade and has been
actively used in USENET, on the web, and on mailing lists over the
years, only gets about 15% spam by message counts. The marginal cost
for that 15%, however, is less than 1% of my operational cost. I can
cut that by orders of magnitude by using technical measures, and that
seems adequately effective to address the overarching policy problem.
I've found that user support drives most of the cost. When I measured
the problem of spam based on the amount of time my organization had to
divert to user support, I found that unwanted e-mail ended up becoming
10% to 30% of our monthly operating budget and that unsolicited bulk
e-mail made up closer to 5% and 10% of our monthly operating budget.
Implementing some technical controls (regardless of their efficacy)
reduced that cost significantly by giving users a feeling of control.
Technical controls: bayes filtering.
procmail filtering based on "spam fingerprint" recipes
current default sendmail anti-spam measures
Human controls: human review of bayes results
use of unique/disposable e-mail addresses whenever
an address is solicited by a vendor
Ultimately, I found the delete key was among the most cost effective
solutions, along with giving up my expectation that e-mail is going to
exist without a fairly high volume of junk mail. The problem appears to
be technically unbounded ("whack a mole"), and beyond the legal and
policy ability of any set of organizations without mandating a complete
re-write of the e-mail infrastructure of the Internet, with the
corresponding problems that would create.
wyang at gcfn.net
Tim Lane wrote:
> Hi All,
> I am interested in understanding the impact of SPAM on other
> institutions (ours is growing to be a major problem despite some
> technical controls in
> Specifically, if anyone was able to answer the following questions that
> would be very appreciated: (I will be sending a summary of responses
> from this and other forums later in the week):
> 1) Is SPAM a non problem, minor problem or major problem in your
> institution? (perhaps incidcate % of spam received of total email).
> 2) Is or has your institution actively addressing SPAM in a way that has
> or will substantialy reduce the impact of SPAM?
> 3) What type of controls (both technical and human) are being used?
> Thanks I would really appreciate any feedback on this.
> Tim Lane
> Tim Lane
> Information Security Program Manager
> Information Technology and Telecommunication Services
> Southern Cross University
> PO Box 157 Lismore NSW 2480
> Ph: 61 2 6620 3290
> Fax: 61 2 6620 3033
> Email: tlane at scu.edu.au
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20040210/40250511/smime-0003.bin
More information about the unisog