Bouncing Email A "$5 Billion Problem"
from the create-a-problem,-create-a-market dept
The fallout from bounced email generated by spam with forged sender addresses costs companies $5 billion a year, apparently — or so says a forthcoming study from IronPort, who as a seller of anti-spam systems, certainly has little motivation to exaggerate. They contend the costs come from employees freaking out when they get bounced spam messages they didn’t send, then call in their company’s IT support to check things out. Maybe it’s a nuisance, but to say it “costs” companies $5 billion per year is a little ridiculous — like when the BSA talks about how much piracy “costs” the software industry. Of course, if anybody knows the problems spam can cause, it’s likely to be IronPort, given its questionable history.
Comments on “Bouncing Email A "$5 Billion Problem"”
How can email advertising be so effective?
I am continuously amazed at the fact that email advertising is evenly remotely effective.
Spam would die if people would stop responding.
The fact that Spam is effective and that email delivered virii work at all is that people are stupid. It is so hard for me to understand and imagine that people continue to fall for these Spam/virus emails.
Spam will end when stupidity ends.
So Spam will continue forever.
You can only insulate/isolate yourself from the onslaught of advertising, lure to give away your money, Spam, Virii. There is no hope.
Spam is here to say like TV commercials, Highway billboards, Banner Ads and unreasonable Shipping&Handling cost.
bounced email
USPS did study years ago that showed USPS mail arrives 99.86%
email at that time was 96.44%. In the 1980’s USPS designed E-Comm. With that system you emailed your letter to your local P.O.
and it was transmitted to distant P.O. Thus saving time and postage.
However politics killed it .
As a support tech I’ve taken several of those very calls, usually from an exec high up enough that I must interrupt whatever it is I’m working on to answer him. So it’s 5 real minutes of my time that would be spend doing something else productive, and 5 minutes of his time (which is often much more expensive) explaining what’s going on. It usually goes something a little like this:
“No, you probably don’t have a virus; someone who has you in their address book has the virus and the virus picked your e-mail to spoof as the sender, but just to safe make sure your dat files are up to date and run a start up a virus scan before you go home tonight.”
Then I’ll also have to help set up the scan later and help check the results in the morning. The total time per incident can run as high as 20 minutes for each of us. So maybe not $5B worth, but I can imagine that it does add up to quite a bit.
Re: It does add up
Recovering the cost of your time, and the exec’s time, by eliminating spam assumes there would not be some other ‘noise’ that would then take up that time (like tweaking a spam filter to allow mail through that was blocked).
One issue is expecting 100% efficiency from any system. Email has expedited communications far more than snail-mail or other telecom forms ever have.
Implying there is a 5 billion dollar cost to be recovered ignores that fact to promote vendor/product hype.
Sophisitcated spam
Ajax 4Hire,
I agree to some extent that many are ignorant of the ways in which spam perpetuates itself and their important role in that. However, even seasoned Internet users have been duped into opening email attachments they think are being sent by one of their regular contacts. Trickier spammers are defeating filters by spoofing all of their headers. It would look legitimate to most people. Only automatic applications can detect the things we can’t without opening a message. Some deals are so carefully crafted that you don’t realize you’ve made a credit-card purchase from a non-existant company until you call the “customer service” number to complain that your product has not beed delivered.
Spam and virus control software constantly improves to protect users, while the perpetrators constantly improve their devious techniques to egt their messages into your inbox, where they further convince the user to click on something–thereby delivering a naughty payload or generating a “sale” or even just a hit on a webserver somewhere that will boost some rank that will get them more advertising dollars.
My mom isn’t stupid, but she’s not net savvy enough to know or see that the bankofanerica link she sees in a mail is not a legitimate bankofamerica link. So I have to educate her and place many protections on her PC to mitigate the possibility of exposure. If you know a lot of stupid internet users, why don’t you help to educate rather than just call names.
If a friend of yours, any random non-geek friend, suffered identity theft because of some cunning email spam scam that duped them into divulging sensitive info, would you call them up and say, “God, Carol, you’re so fucking stupid!! You realize, don’t you…? that YOU are part of the reason these scams continue to thrive?! You need to wise up! Moron!” ??
I’d hope not. But maybe you’re content to just watch the lemmings jump off the cliff, glad that they’re learning their lessons about internet security.
$10 Billion in time wasted on forums?
More like $5 Billion in wasted time fighting spam and another $10 Billion in time wasted on the clock by IT people on various forums complaining about it… think about it.
SPF is the key...
IF the big 6 (AOL, MSN/Hotmail, Yahoo, Earthlink, Netzero, google/gmail) all required a *strong* spf policy to send mail to them, the rest would fall in line, and spoofing would be *MUCH* less likely/effective… beyond this, if spoofing were less of an issue, good ol’ rbl lists would be *MUCH* more effective…
That's $5 billion to Symatec and programmers.
That's $5 billion to Symatec and programmers.
Irony meter pegged
Since Ironport’s own products do this. Pretty good scam: cause
a problem, then fabricate bogus study about how much the problem
costs, then fix well-known and long-standing issues with own
products and pronounce oneself a hero. Film at 11.
tu me manque
comme ca
If this is the case for email companies, they should probably be bankrupt today so might as well as close their business. Contrary to this prediction, more companies are reaping more money in this technologicaly-crazed world so I’m just wondering if such research reports are true. I guess a tangible effect should be more appreciated than this “vague” research report.
Who's to blame? I know who's to blame.
There are a couple of entities to blame for this situation.
1. Antivirus software manufacturers. Most antivirus software has a function to report the virus to the sender, and the software is installed post-delivery. Therefore the notification is delivered to a spoofed sender. I have yet to come across a virus which uses the mail address of the owner of the infected computer! Virus software manufacturers should completely abandon this feature, as it’s completely useless. Even if it’s not turned on by default, it should be removed.
2. Mail server manufacturers. Some mail servers still send bounces post-delivery, i.e. the bounce is sent to the purported mail from address. This is wrong. A bounce should be delivered before the message body is accepted, not as a separate e-mail but as a 550 command! This should also be mandatory, not optional. Mail servers should have their functionality to deliver bounces to purported senders removed.
3. Incompetent administrators. Many companies believe, that they can hire just anybody to manage their mailserver. They think, that buing software or using a free distribution is all that’s required of a mail server administrator. Wrong. The mail server administrator should know the issues well and know how to fix them. The administrator should know how to replace or fix faulty software that causes bounces. The administrator should also upgrade the software to the newest version. I’ve come across too many mail servers running on archaic Postfix or Exim versions!
4. Users themselves. If mail server administrators were informed of the problem, they’d at least have a chance to fix it. But they’re not informed, and often don’t realize this is a problem. If more users forwarded such messages to their local administrators, and more local administrators would send notifications of this misconfiguration to the faulty mail server owners, then the problem at least has a chance to be resolved (if the mail server administrator is competent, see item 3.).
And finally, SPF is NOT THE ANSWER! SPF is like cutting your leg off, because your toe itches. It breaks e-mail delivery, it makes the usage of such functionalities as pre-delivery forwarding impossible, making it impossible for example to use many forwarding services and antispam limited-usage addresses (single-usage or time-limited-usage). Many domains decide not to publish SPF records, because if they did, they’d screw their deliverability completely (such as mail forwarding providers). Therefore, spammers can easily abuse such domains (as mail.com for example), because SPF records cannot be published for such domains (if they did, the provider would go bankrupt). Therefore I advise you NOT to use SPF, if you want your mail to get delivered and if you want to receive legitimate mail. Too much legitimate mail is lost because of SPF.