Bouncing Email A "$5 Billion Problem"
from the create-a-problem,-create-a-market dept
The fallout from bounced email generated by spam with forged sender addresses costs companies $5 billion a year, apparently -- or so says a forthcoming study from IronPort, who as a seller of anti-spam systems, certainly has little motivation to exaggerate. They contend the costs come from employees freaking out when they get bounced spam messages they didn't send, then call in their company's IT support to check things out. Maybe it's a nuisance, but to say it "costs" companies $5 billion per year is a little ridiculous -- like when the BSA talks about how much piracy "costs" the software industry. Of course, if anybody knows the problems spam can cause, it's likely to be IronPort, given its questionable history.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
How can email advertising be so effective?
Spam would die if people would stop responding.
The fact that Spam is effective and that email delivered virii work at all is that people are stupid. It is so hard for me to understand and imagine that people continue to fall for these Spam/virus emails.
Spam will end when stupidity ends.
So Spam will continue forever.
You can only insulate/isolate yourself from the onslaught of advertising, lure to give away your money, Spam, Virii. There is no hope.
Spam is here to say like TV commercials, Highway billboards, Banner Ads and unreasonable Shipping&Handling cost.
[ link to this | view in chronology ]
bounced email
email at that time was 96.44%. In the 1980's USPS designed E-Comm. With that system you emailed your letter to your local P.O.
and it was transmitted to distant P.O. Thus saving time and postage.
However politics killed it .
[ link to this | view in chronology ]
"No, you probably don't have a virus; someone who has you in their address book has the virus and the virus picked your e-mail to spoof as the sender, but just to safe make sure your dat files are up to date and run a start up a virus scan before you go home tonight."
Then I'll also have to help set up the scan later and help check the results in the morning. The total time per incident can run as high as 20 minutes for each of us. So maybe not $5B worth, but I can imagine that it does add up to quite a bit.
[ link to this | view in chronology ]
Re: It does add up
One issue is expecting 100% efficiency from any system. Email has expedited communications far more than snail-mail or other telecom forms ever have.
Implying there is a 5 billion dollar cost to be recovered ignores that fact to promote vendor/product hype.
[ link to this | view in chronology ]
Sophisitcated spam
I agree to some extent that many are ignorant of the ways in which spam perpetuates itself and their important role in that. However, even seasoned Internet users have been duped into opening email attachments they think are being sent by one of their regular contacts. Trickier spammers are defeating filters by spoofing all of their headers. It would look legitimate to most people. Only automatic applications can detect the things we can't without opening a message. Some deals are so carefully crafted that you don't realize you've made a credit-card purchase from a non-existant company until you call the "customer service" number to complain that your product has not beed delivered.
Spam and virus control software constantly improves to protect users, while the perpetrators constantly improve their devious techniques to egt their messages into your inbox, where they further convince the user to click on something--thereby delivering a naughty payload or generating a "sale" or even just a hit on a webserver somewhere that will boost some rank that will get them more advertising dollars.
My mom isn't stupid, but she's not net savvy enough to know or see that the bankofanerica link she sees in a mail is not a legitimate bankofamerica link. So I have to educate her and place many protections on her PC to mitigate the possibility of exposure. If you know a lot of stupid internet users, why don't you help to educate rather than just call names.
If a friend of yours, any random non-geek friend, suffered identity theft because of some cunning email spam scam that duped them into divulging sensitive info, would you call them up and say, "God, Carol, you're so fucking stupid!! You realize, don't you...? that YOU are part of the reason these scams continue to thrive?! You need to wise up! Moron!" ??
I'd hope not. But maybe you're content to just watch the lemmings jump off the cliff, glad that they're learning their lessons about internet security.
[ link to this | view in chronology ]
$10 Billion in time wasted on forums?
[ link to this | view in chronology ]
SPF is the key...
[ link to this | view in chronology ]
That's $5 billion to Symatec and programmers.
[ link to this | view in chronology ]
That's $5 billion to Symatec and programmers.
[ link to this | view in chronology ]
Irony meter pegged
a problem, then fabricate bogus study about how much the problem
costs, then fix well-known and long-standing issues with own
products and pronounce oneself a hero. Film at 11.
[ link to this | view in chronology ]
tu me manque
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Who's to blame? I know who's to blame.
1. Antivirus software manufacturers. Most antivirus software has a function to report the virus to the sender, and the software is installed post-delivery. Therefore the notification is delivered to a spoofed sender. I have yet to come across a virus which uses the mail address of the owner of the infected computer! Virus software manufacturers should completely abandon this feature, as it's completely useless. Even if it's not turned on by default, it should be removed.
2. Mail server manufacturers. Some mail servers still send bounces post-delivery, i.e. the bounce is sent to the purported mail from address. This is wrong. A bounce should be delivered before the message body is accepted, not as a separate e-mail but as a 550 command! This should also be mandatory, not optional. Mail servers should have their functionality to deliver bounces to purported senders removed.
3. Incompetent administrators. Many companies believe, that they can hire just anybody to manage their mailserver. They think, that buing software or using a free distribution is all that's required of a mail server administrator. Wrong. The mail server administrator should know the issues well and know how to fix them. The administrator should know how to replace or fix faulty software that causes bounces. The administrator should also upgrade the software to the newest version. I've come across too many mail servers running on archaic Postfix or Exim versions!
4. Users themselves. If mail server administrators were informed of the problem, they'd at least have a chance to fix it. But they're not informed, and often don't realize this is a problem. If more users forwarded such messages to their local administrators, and more local administrators would send notifications of this misconfiguration to the faulty mail server owners, then the problem at least has a chance to be resolved (if the mail server administrator is competent, see item 3.).
And finally, SPF is NOT THE ANSWER! SPF is like cutting your leg off, because your toe itches. It breaks e-mail delivery, it makes the usage of such functionalities as pre-delivery forwarding impossible, making it impossible for example to use many forwarding services and antispam limited-usage addresses (single-usage or time-limited-usage). Many domains decide not to publish SPF records, because if they did, they'd screw their deliverability completely (such as mail forwarding providers). Therefore, spammers can easily abuse such domains (as mail.com for example), because SPF records cannot be published for such domains (if they did, the provider would go bankrupt). Therefore I advise you NOT to use SPF, if you want your mail to get delivered and if you want to receive legitimate mail. Too much legitimate mail is lost because of SPF.
[ link to this | view in chronology ]