Mitch Wagner asks in Internet Week, “What does it really cost to deal with spam?” Here’s my take.

I’m a freelance tech consultant here in New York City. I have about 25 clients, from 5 to 25 employees. All of my clients have a spam problem. Some of them have asked me to do something about it.

One client is a small advertising agency with 15 employees. If each of those employees takes 100 seconds a day to delete spam (entirely too small of a number, but one we can work with to make a point), that’s 1500 seconds a day. That’s 104 hours a year (given five work days a week, and 50 work weeks a year). The billable rate for some of the art directors at this ad agency is $250 an hour. So that lost income could be as high as $26,041 a year. It’s at least more than two weeks of lost man hours, the equivalent to an employee’s vacation time. And that’s a small company losing labor or paying opportunity costs they would not otherwise have had to pay.

Let’s look at it from another angle: technical assistance. Although I have been able to keep the software costs down by using Unix tools on OS X, installing Exim with SpamAssassin on a mail server, including converting the mail accounts over from the old system, tweaking, changing client settings, and modifying the DNS records and all that, still cost that company about $2400 in my billable time. For a small, struggling company with 15 employees that’s a lot of money, and a cost they would not otherwise have had. And it’s on top of the four other solutions I tried, and the hours I spent and billed for, in an attempt to reduce the load on the mail server. It’s a 350MHz iMac on a slowish ADSL line: it can’t handle a dictionary attack of thousands of messages a minute. And they can’t afford to upgrade just to handle spam.

I’ll have to do that installation repeatedly for various clients. Sure, the time it takes will improve as I repeat the installation, but there are still costs involved, costs they would not otherwise have had.

And another cost: one of my clients has a very Christian employee. Like everyone else in the office, she receives high volumes of unsolicited pornographic spam. The company has taken the precaution of consulting with and paying for legal counsel, to see what can be done to protect itself from possible lawsuits stemming from offended sensibilities. Whether or not there is a case there, or anything to worry about, that lawyer had to be paid. It’s a cost they would not otherwise have had.

I don’t think these costs are small. They are concrete, actual costs which can be expressed in the fiscal ledgers, in billable hours, in productivity. If there are any numbers that need to be examined for false claims, I would look at the spammers’:
— What is their actual response rate? What do they tell their clients it is?
— How much more money do they make from selling spamming software and email addresses than doing the actual spamming itself? What do they tell their clients about this?
— How many of the email addresses they sell are valid, verified, opt-in addresses? What number do they tell their clients?

See, from my perspective, the spamming scam is based upon a series of lies, many of them self-inflicted:
— Deniability. If someone somewhere along the chain says an address is verified, no due diligence is performed, and this claim is accepted as truth.
— Respectability. Spammers are unwilling to judge themselves by the company they are keeping, while everyone else does. Mortgage vendors side-by-side with teen sex pornographers next to toner refillers next to multi-level marketing scams. It’s a bad lot. No respectable person would be a part of it.
— Legitimacy. While no professional marketer uses the fake Reply-Tos, fake headers, fake From addresses, fake unsubscribe options, disguised URLs, misleading copy and false claims, spammers have no problem with such tactics because that is what they’re selling. It’s not the product being touted in the spam that makes any money, it’s the method for sending of the spam itself.
— Accountability. Spammers claim to respect bounces, but do not actually do so. Spammers claim to use legitimate mail services, but in truth use unwitting open relays. Spammers claim a high level of success, but in truth make more money selling the spamming tools than sending the spam itself.
— Equivalency. Spammers claim their product is the same as sending paper junk mail. Paper junk mail is paid for by the sender, spam is paid for by the recipient. Spammers claim their commercial messages are covered by the First Amendment. That remains to be seen.

In order to combat spam, I would encourage legislation with the following:
— That a recipient must specifically and knowingly agree to receive commercial emails.
— That any act of collecting email addresses for any reason must:
a. On a web site, always have the check box for “no” selected as the default next to any statement such as, “Do you want to receive marketing messages from us?”
b. Indicate exactly and truthfully what purpose that email address will be put to in non-legalese, large-type fashion, including the frequency and content of such future messages.
c. Include on the same page explicit and working instructions for unsubscribing.
d. Always include a follow-up message to the user to verify that they have indeed chosen to subscribe and have not been falsely subscribed by another user, and specific information on how to unsubscribe in the future.
— That marketers be prevented from inheriting permission to send commercial messages. That is, if an Internet user has signed up with one marketer, that marketer cannot resell that address and accompanying permission under the false rubric of “partners” without identifying those partners to the user in advance. Such permissions cannot be tied to the user receiving other, unrelated services. New permission to send commercial messages to the user must be obtained when new “partnerships” are formed, and such permission can only be granted when initiated by the consumer, not by the marketer. In other words, a marketer cannot keep barraging consumers with constant “Do you want to subscribe?” messages.
— That email addresses which are bought in bulk must be verified as belonging to valid recipients who have knowingly requested to receive marketing email. This must be the responsibility of both the seller and the buyer.
— That all email marketers provide an easy-to-find, non-onerous, working and online method for unsubscribing.
— That a small number of bounce messages be sufficient to be considered as the equivalent to an unsubscribe request.
— That no mail shall be relayed through a remote mail server without the specific permission of the administrator or owner of that mail server, whether that mail server be domestic or foreign, protected or unprotected. That it is possible to relay through a mail server shall not be accepted as implied permission to do so.
— That all commercial messages should be required to include full and valid contact information for the marketer and the company whose products are being marketed. These should include a valid email address, a valid phone number and a valid postal address.
— That all commercial email must include the abbreviation “ADV:” in the subject line of each message.
— That commercial email must include valid header information showing the true origin, route and destination of each message.

I would encourage that penalties for violation of the above criteria include per-incident fines, and that the above criteria apply to American citizens whether they are operating at home or abroad, or using Internet resources at home or abroad. The sooner the sending of unsolicited commercial email is regulated, the more pleasant (and cheaper) the workplace will be.

Posted April 26, 2003