When the number of unwanted messages in Richard Brown's e-mail inbox that was touting things like prescription medication, mortgage loans, university diplomas and pornography outnumbered legitimate business correspondence by as much as five to one, he knew something had to be done about the spam flooding his company.
"We get spam probably more than one per minute," said Brown, president and sole IT administrator of Data West Corp., a Durango, Colo.-based utility billing software company. "If I want to see when something went wrong -- like a server crash -- the easiest thing to do is look at the spam list. There's so much spam coming in, it's literally all the time."
While spam has probably annoyed anyone with an e-mail address at some point, the annoyance can become a significant business problem for small and midsized businesses (SMBs). The desire to have open communication lines for new and existing clients through e-mail leaves SMBs -- which lack the IT staff and infrastructure dollars of larger companies -- especially vulnerable to spammers prowling the Internet for new addresses to target.
"It's one thing to be an expert in e-mail and run your own exchange server, but it's quite another thing to be an expert in spam, or malware in general," said Richi Jennings, lead analyst for spam services at San Francisco-based Ferris Research Inc. Spammers constantly change tactics, and there are "literally hundreds" of antispam products available to choose from, making it difficult for IT staffers to keep up, Jennings said. "It's really hard, if you're not a really large organization with dedicated IT people who know what they're doing," he said.
Ferris estimates that 80% to 90% of all e-mail messages sent over the Internet are spam, including some that are sent to nonexistent addresses or are blocked by filters. Ferris estimates spam will cost companies $50 billion worldwide in 2005, in terms of antispam protection spending, help desk requests, time lost to deleting unwanted messages and wasted bandwidth and electricity.
There are three basic antispam solutions for SMBs to consider, Jennings said: software add-ons for desktops or servers, hardware appliances and third-party hosting services.
Antispam software filters out spam and blocks it from ever reaching the e-mail server. Well-known antispam software companies include Trend Micro Inc., Symantec Corp., Sophos PLC and McAfee Inc.
Data West's Brown chose Trend Micro's Client/Server/Messaging software suite to filter the deluge of spam at Data West. This software suite is designed to meet the specific needs of SMBs by seeking to offer simple installation, configuration and support, as well as the ability to bundle several protection services in a single software suite. The software suite for SMBs starts at $230 for five-user licenses and goes up to $4,400 for 100-user licenses.
Brown spent less than $1,000 to purchase licenses for about a dozen desktop PCs and spends a few hundred dollars each year for updates and maintenance.
"We have one computer hooked up to the Internet," Brown said. "Everything goes through there. With the blocker hooked up, spam just gets filtered out so it doesn't clog up our mail server. This way we just block it at the source, and nobody is aware it's happening, other than me."
Spam is now only an occasional nuisance slipping into the inboxes of Data West employees, with the majority of unwanted messages filtered into a quarantine folder that Brown checks at his leisure every few weeks.
Appliances generally come with software bundled into a hardware device and are designed to fit into a company's server rack, often between the firewall and mail exchange server. Jennings said some antispam appliances include Tumbleweed Communications Corp.'s MailGate, McAfee's SpamKiller and Barracuda Networks Inc.'s spam firewall.
"Appliances are valuable because you don't have to deploy software on top of your server, which oftentimes doesn't mesh well," said Teney Takahashi, market analyst at Palo Alto, Calif.-based The Radicati Group Inc. "Appliances are designed from the ground up to handle e-mail."
Antispam appliances will generally cost around $2,000 to several hundred thousand dollars, plus support fees to pay for updates, Takahashi said.
Companies that have sufficient staff to keep track of periodic updates and can afford a one-time up-front payment may find appliances attractive choices. Many appliance companies, like Barracuda Networks, are starting to finance their products, Jennings said. However, they usually require management from IT staff and could leave companies without a redundant system vulnerable in case of a fire or butter-fingered IT staffers.
"If you're buying an appliance you have to think about availability," Jennings said. "If the box dies, if you drop it on the floor, how quickly can you get a replacement? It depends on how important quick mail delivery is to you."
Third-party hosted antispam solutions, sometimes called managed mail providers, are another possible choice requiring no on-site hardware or service. This option includes antispam outsourcers like IBM's SMB-dedicated Express Managed Security Services. Jennings said other managed mail providers include MessageLabs Group Ltd., Postini Inc., FrontBridge Technologies Inc. and MX Logic Inc., which filter and clean e-mail off site before passing it along to a company's e-mail server.
Another option is to rely on antispam services offered by Internet service providers, like Yahoo, or smaller regional ISPs. These ISPs will often charge an additional monthly support fee for extra antispam protection.
Jennings and Takahashi both recommend third-party hosted solutions for smaller companies, in order to receive reliable, specialized antispam services on a set-fee schedule.
"Hosting costs more in terms of license fees, though all hosting companies would argue that from a total cost of ownership perspective it probably costs the same or less than appliances because there's so much less skin, less effort from an IT perspective," Jennings said.
Managed antispam solutions can cost between $1 and $10 per user per month, Takahashi said. SMBs should make sure the updates, maintenance and other support services are spelled out in the service-level agreement.
The two criteria generally used to rate the effectiveness of antispam measures are the percentage of total spam messages that get blocked -- generally in the range of 90% or more -- and the rate of "false positives" or legitimate messages that get blocked, which is usually well under 1%.
Some companies will advertise false-positive rates that seem super effective on the surface, like .001%. However, Jennings noted, for an SMB user who receives 100 legitimate e-mail messages per week, that translates into one false positive every 10 weeks. For someone receiving 1,000 messages per week, that's one false positive per week. And that single false positive could impact business if it is an important sales lead or client question, Jennings said.
False positives have never been a problem for Brown. When he first installed the Trend Micro software, he checked the quarantine folder full of blocked messages every day to ensure no legitimate messages had been blocked. Now he checks it less than once per week.
"Usually if somebody sends you something and you don't get it, you hear about it," Brown said.