May 2, 2002
Spam Costs Small Businesses
By STACY FORSTER
Some small business owners are finding spam isn't just an annoyance, it's a threat to their financial health.
While there are no hard numbers to quantify the cost of unsolicited commercial e-mail, popularly known as spam, on small businesses, the damage can be seen in lost customers, diminished productivity and, for people like Sam Juliano, more than a few sleepless nights.
Mr. Juliano operates GroundStrike Collections, a small business in Austin, Texas, that sells delicate Limoges porcelain boxes via the Internet. When he posted a new e-mail address on the company's Web site last summer, barely a week went by before receiving its first piece of spam. Now, Mr. Juliano's inbox account overflows with thousands of pieces of spam.
He's tried setting antispam filters -- both through the server that downloads his e-mail and Netscape Messenger -- to regulate mail going into his inbox. But to his dismay he found that legitimate orders were accidentally being deleted along with the unwanted spam. He later learned through feedback to the company's Web site that angry customers made purchases elsewhere.
Adding insult to injury, another spammer found a back door into Mr. Juliano's Internet site's feedback response system. Soon after, the spammer was using the Web site's feedback form to send thousands of pornographic advertisements that looked as if they originated at GroundStrike. He worked through the night to try to prevent further porno spams from being sent from his server but finally, in desperation, he pulled the plug on his server's Ethernet connection to put an end to it.
"For a little company like ours, if you lose a few customers like that, it's devastating," Mr. Juliano says.
While spam is annoying for most e-mail users, it goes far beyond mere inconvenience for business owners such as Mr. Juliano. Coping with spam sucks time and resources away from running a business. And many who once found success with direct e-mail marketing now find themselves lumped in -- and dumped out -- with spammers who hawk online pornography, illegal gambling schemes or shady investment deals. Others find their systems under constant attack from spammers who exploit loopholes in to their servers to use their resources and send offensive spam to customers.
The cost of lost productivity and depleted resources adds up. Ben Isaacson, executive director for the Association for Interactive Marketing, says e-mail users in the workplace can easily spend one full workday per employee each year deleting spam from their inboxes.
Mr. Juliano thinks that estimate is conservative. He spends at least an hour a day culling legitimate customer mail from spam. That eats away at productivity, especially for a small firm with few employees, says Jason Catlett, president of Junkbusters Corp., a privacy advocacy firm in Green Brook, N.J. "The filtering system for a small business is typically the CEO sitting at the screen cursing as he hits the 'delete' key," Mr. Catlett says. "That's a colossal waste of time."
Companies can reduce the amount of spam they receive if they're more careful about displaying e-mail addresses on their Web sites, Mr. Catlett says. Instead of posting separate e-mail addresses for each employee or department, a "Contact Us" page can describe how e-mail addresses are constructed at the company, he suggests, to make it easy for a human to figure out an address but impossible for a spammer's scavenger program to simply grab it.
Spam is an even bigger burden for information-systems managers at small businesses, who might dedicate about 10% of their time to e-mail management, Mr. Isaacson says. Moreover, the price of a software solution costs upwards of $5,000. "For larger companies, costs for managing spam can scale to more than $100,000 with a dedicated staff just for managing e-mail," he says.
Aaron Gee, chief technology officer for BestNet of Palm Coast, an Internet service provider in Palm Coast, Fla., that serves many small businesses, says he spends nearly a quarter of his time dealing with spam, and the company's servers reject upwards of 60% of incoming mail because it originates from spammers. When the GroundStrike Collections Web site was exploited by spammers, Mr. Juliano had to take it offline for a number of hours to remedy the situation, costing him hundreds of dollars in potentially lost sales.
Unsuspecting business owners often don't even know how easily e-mail can pass through their systems. Many spammers will troll the Internet looking for servers that have a back door for entry into their systems, and when they do, they take advantage of those servers to relay thousands of messages to e-mail users.
Keith Park, president of Prometheus International, a global cigar-accessories company based in Bell, Calif., found out his server had been hijacked purely by accident -- a client mentioned that he never received an e-mail Mr. Park said he had sent. Mr. Park quickly investigated, and after a considerable amount of digging learned that a diet-pill company in Texas was using his e-mail servers to send millions of spam messages.
"It was almost getting to a meltdown," Mr. Park says. After taking a week to clear out the servers, everything worked normally. Still, he says, "it was really frustrating."
When a company does come under attack, it's largely up to the ISP to keep tabs on activity coming through the servers, especially because many companies of all sizes don't know they're vulnerable, says Mr. Isaacson of the Association for Interactive Marketing.
Businesses can get a better handle on spam if they work with their ISPs to address the underlying problem, which is to block potential senders from ever reaching its servers. Often businesses will simply buy more servers to speed up their e-mail rather than try to stop unwanted messages from getting into the system, Mr. Gee says.
It's also easy to determine which domain names or ISP enable spammers, Mr. Gee says. By setting up traps to catch spammers -- creating dummy e-mail accounts that give the ISP a way to trace an e-mail's source --- a company can develop a list of offenders and block them. BestNet hosts the domain America.com, and with a couple hundred blocks in place, the ISP is able to bounce about 60% of unwanted messages.
Still, many businesses are surprised to realize how they can be unexpectedly attacked. At Prometheus, Mr. Park considers himself lucky because he was still able to conduct business and receive e-mail, he just couldn't send messages to customers. He improvised by using personal e-mail accounts to contact clients.
The company later spent about $5,000 to install more firewalls and reconfigure its e-mail server so that when messages are being relayed from another source -- such as the diet-pill company -- the server will stop sending them.
"It was scary that someone could just come in like that," and disrupt his company, Mr. Park says. "I can do business without the phone line, but I can't do business without e-mail."
Write to Stacy Forster at firstname.lastname@example.org
Updated May 2, 2002 4:11 p.m. EDT
<< Back To WebGuy.com