Are you SpamFree? You should be - and now it's free of charge!

Click here to download SpamFree.
Click here to download a PDF version of this page from the TUSC Client Chronicle. (1.32Mb).

Do you know "spam" costs you and your company time and money? By simply eliminating the unsolicited messages - spam - from one email account, you'll gain more than 100 hours this year, which is worth at least $10,000 annually per worker to most companies. For a corporation with 10,000 employees (and $1 billion in revenue), that results in an opportunity cost of nearly $100 million per year.[1]

According to Ferris Research, the average corporate email user will spend 53 minutes 20 seconds dealing with spam each year. IDC stated that dealing with spam results in more than 500 hours of lost productivity per day in a company of just 3,000 employees.

When was the last time you received an unsolicited message, or spam? Five minutes ago? Three seconds ago? Right now? "Professional" spam companies make their money by sending unsolicited emails to millions of addresses every day. In fact, 4.9 trillion spam messages were sent in 2003.[2]

Percent - Category: Description

22% - Products: Email attacks offering or advertising general goods and services.
Examples: devices, investigation services, clothing, makeup.

17% - Financial: Email attacks that contain references or offers related to money, the stock market or other financial "opportunities."
Examples: investments, credit reports, real estate, loans.

16% - Adult: Email attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate.
Examples: porn, personal ads, relationship advice.

10% - Health: Email attacks offering or advertising health-related products and services.
Examples: pharmaceuticals, medical treatments, herbal remedies.

9% - Scams: Email attacks recognized as fraudulent, intentionally misguiding or known to result in fraudulent activity on the part of the sender.
Examples: Nigerian investment, pyramid schemes, chain letters.

5% - Internet: Email attacks specifically offering or advertising Internet- or computer-related goods and services.
Examples: Web hosting, Web design, Spamware.

5% - Leisure: Email attacks offering or advertising prizes, awards or discounted leisure activities.
Examples: vacation offers, online casinos, games.

5% - Fraud: Email attacks that appear to be from a well-known company, but are not. Also known as "brand spoofing" or "phishing," these messages are often used to trick users into revealing personal information, such as email address, financial information and passwords.
Examples: account notification, credit card verification, billing updates.

3% - Political: Messages advertising a political candidate's campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc.
Examples: political party, elections, donations.

2% - Spiritual: Email attacks with information pertaining to religious or spiritual evangelization and/or services.
Examples: psychics, astrology, organized religion, outreach.

6% - Other: Email attacks not pertaining to any other category.

Figure 2

Spam companies get their mailing lists from a variety of sources, including, but not limited to, Web sites, online registrations and other companies. They hope to sell you something. Many of the claims are fraudulent. When you receive a spam message, you must read it to determine that it is spam. Then you delete it. This process, on average, takes about 10 seconds for every spam you receive.

Spam filtering software attempts to determine spam messages by the content. Sometimes they're right, other times they're wrong. Filtered messages are placed into a special folder, which you must read to look for false positives. You must also read your normal email and look for spam messages that the filter didn't catch. When using spam filters, each spam message still consumes about 3 seconds.

What are companies trying to sell you through spam? See figures 1 and 2. On average, employees will receive between 10 and 1,000 spam messages a day. That's a wide range, but one chairman from a major Oracle consulting firm reported he receives between 400 and 1,000 per day, which is quite reflective of others in his position. The point here is that the longer an employee has had his/her email address, the more spam messages can be expected, and the problem gets worse with time. The more Web sites the email address is published on, the more spam messages it will receive.

According to IDC, more than $120 million was spent on anti-spam products in 2003. The top vendors included Brightmail, Postini, CyberTrust, Clearswift and Tumbleweed.

Figure 3 shows the rise of spam from October 2002 to February 2004. The trend will likely continue to move up over time. It's estimated that if we don't do something to eliminate it, by 2007 70 percent of email received will be spam.

Today, it's estimated that more than 45 percent of all email is spam.[3] In Japan, NTT DoCoMo estimated that 80 percent of its wireless messages per day are spam.

If an employee receives 100 spams a day, that's four per hour (based on 24 hours) or 12 per hour (during the work day). One hundred email messages a day results in more than 37,000 per year. If you could read the message and press the delete key in 1 second, that still results in 10 hours a year. See figure 4.

Without spam filtering software in place, it's estimated that on average a person will spend about 10 seconds per unsolicited email. That's the time required to determine if a message is spam. Time (to download), bandwidth and disk space (to download and store the spam, which is typically 2K to 30K per message) are required for each message, and the bandwidth is consumed twice - once to the SMTP server and again for the email client software or browser. On April 30, 2003, AOL blocked 2.37 billion spam messages from its 26.2 million email users. That equates to 88 messages per AOL email user.[4]

These are usually considered hidden costs of spam. Bandwidth often isn't paid for by the byte, but unnecessary bandwidth does slow down your networks and the entire Internet. On the other hand, wireless devices that charge by the byte (i.e., RIM, mLife, etc.) will incur extra costs.

Another consideration is that spam could cost someone his/her job - if he/she views inappropriate material while at work. If the company doesn't eliminate spam, is it the employee's fault or the employer's liability? How long will it take before an employee files a wrongful termination lawsuit? Spam affects each person who has an email account within your organization all the way up to the chief executive officer.

When spam filtering software is used, it's estimated that an employee still spends about 3 seconds per message. This is due to false positives that occur.[5]

Additionally, about 5 percent to 10 percent of spam isn't caught by filtering software. These messages will require 10 seconds on average to determine if they are indeed unsolicited.

If an employee spends 10 seconds to clean up each spam message, the process takes 1,000 seconds - or about 16 minutes a day. Beyond viewing fraudulent claims, offensive material and get-rich-quick schemes, this is costly to the company.

Costs can be calculated in terms of net costs (i.e., payroll fees) as shown in figure 5.

However, it makes more sense to calculate real costs based on revenue per employee figures. This is a better indication of opportunity costs to your company. An average company generates between $100,000 and $300,000 per employee per year. This equates to $50 to $150 of revenue per hour per employee.

On a yearly basis, lost time is very expensive to your company. Based on a company with 100 employees that's generating $20,000,000 in revenue per year or $200,000 in revenue per employee per year, receiving just 100 spams per day on average, the opportunity cost to the company is nearly $1 million per year. See figure 6.

Revenue per year: $20,000,000
Opportunity cost per company hour: $10,000
Opportunity cost per company minute: $166.67
Opportunity cost per company second: $2.78
Employees: 100
Revenue per employee: $200,000
Revenue per hour per employee: $100
Spams per day: 100
Seconds per spam: 10
Seconds spent per day: 1,000
Minutes spent per day: 16.66666667
Hours spent per day: 0.277777778
Dollar cost per day: $27.78
Dollars per year per employee: $10,138.89
Hours saved per year per employee: 101.39
Total opportunity cost per year: $1,013,888.89
Savings per month: $84,490.74
Solution cost per employee: $240
Total solution cost per year: $24,000
Net savings per year: $989,888.89
Return on investment (in weeks): 1.14

Figure 7

To calculate the cost of spam to your company, simply enter the variable figures in figure 7. Because the cost of SpamFree is based on the number of employees in your company, the return on investment period using it is the same for all companies without spam filtering software that generated $200,000 in revenue per employee receiving on average 100 spams per day per employee - or 1.14 weeks!

How SpamFree works
SpamFree's technology is easy to describe. The industry term for the technology is "challenge-response." First and foremost, it's important to note that SpamFree is not a spam filter. SpamFree does not run in the email client, but rather on a server (before the email gets to the client).

SpamFree implements the "no solicitation" telephony feature via email. Only on the first time that you send me an email does my server ask you to verify that you're not a solicitor. Once verified, your emails come right through to me every time. With SpamFree, you will never see spam from anyone!

Another way to look at SpamFree is that senders must be on your "approved" list for you to receive their email. But rather than requiring you to provide a list of "approved" email addresses, people self-certify they are not solicitors.

"No solicitation" announcement
SpamFree takes the telephony world's "no solicitation" announcement to the email world. When an email is sent from me to you, the SpamFree server checks to see if this is the first time I've sent an email to you. If it's not (and I am a confirmed friend of yours), the email comes through (to your email client) as it normally would.

If this is the first time you've received an email from me, then I will receive a message (from the server) telling me that "I'm trying to eliminate spam, to confirm that you are not a spammer. Please click here this one time."

For more information regarding this message, see the details in appendix A. What it's saying is that I must verify I'm not a solicitor. Using SpamFree, you will never receive emails from people who don't verify they are not solicitors. Problem solved!

There are different levels of confirmation that you can use. The lowest confirmation level is mentioned above - simply clicking a link for confirmation. You can request that the user reply to your email specifying a specific word in the subject or body. You also can request that after the user clicks on the link, he/she must type a prompted word hidden in a graphic (that is not recognizable by OCR software).

In a future implementation of SpamFree, there are plans to allow users to download their current (partial/selective or complete) address book into SpamFree during the initial setup.

Figure 8 shows what happens when a new email is received using SpamFree. By default, email from addresses that have been identified as spammers is immediately deleted from the server, but actions taken can be defined by setting flags.

Messages from unidentified addresses are placed into a waiting status (unidentified/waiting messages can be viewed at any time) and a user-customizable message is sent to the sender. After a user-specified period of time, "waiting" messages are deleted.

Spammers and friends can be identified by a specific email address (spammer@spam.com is a spam email address), using a wild card email address (everyone at friends.com is a friend) or specifying a wild card subject line (any email containing TUSC in the subject is OK). Each time an email is received from a friend or spammer, the email is processed accordingly. Owners can establish an unlimited number of email accounts that SpamFree manages. SpamFree can handle POP3 and IMAP.

Note that the no solicitation confirmation messages come from the server (spamfree@tusc.com), not the origination email address (brown@tusc.com). This further protects your email address. In other words, your email address is never sent back to anyone (including spammers), which could verify that your email address is valid.

Also, before sending a no solicitation email, all email addresses (the complete address) are validated. The domain is pinged to verify that it is a good domain. If the domain or complete email address is invalid, SpamFree immediately marks the address as spammer and the email is deleted. Other parameters in the email also are verified to make sure the email has not been spoofed (a common technique used by spammers). All future emails from that same address are immediately deleted upon arrival. Since all user information is stored in Oracle tables, data can be mass-loaded.

If the message sent to the spammer is bounced (it's not a valid email address), the email address is marked as a spammer. On a daily basis, users receive an email message (figure 9) listing all of the email addresses by status type (new friends, new spammers, waiting message, etc.).

Each email address contains a link - by clicking on it, you can instantly confirm an email address is that of a friend, which also will move all prior email messages from a spam status to good emails.
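The decision flow described in this section, as an added Python example that is not SpamFree's own code (SpamFree itself runs on Java). The class and method names, the in-memory dictionaries standing in for the database tables, the `domain_ok` callback standing in for the domain check, and the seven-day hold default are all assumptions made for illustration.

```python
import fnmatch
import secrets

FRIEND, SPAMMER = "friend", "spammer"

class ChallengeResponseBox:
    def __init__(self, server_address, hold_seconds=7 * 24 * 3600):
        self.server_address = server_address  # challenges come from here, not the owner
        self.hold_seconds = hold_seconds      # assumed default for the user-set period
        self.known = {}          # exact sender -> FRIEND or SPAMMER
        self.address_globs = {}  # e.g. "*@friends.com" -> FRIEND
        self.subject_globs = {}  # e.g. "*TUSC*" -> FRIEND
        self.waiting, self.tokens = {}, {}  # sender -> held messages; token -> sender
        self.inbox, self.outbox = [], []

    def classify(self, sender, subject):
        if sender in self.known:
            return self.known[sender]
        for rules, value in ((self.address_globs, sender), (self.subject_globs, subject)):
            for pattern, status in rules.items():
                if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
                    return status
        return None

    def receive(self, sender, subject, body, now, domain_ok=lambda domain: True):
        sender = sender.strip().lower()
        status = self.classify(sender, subject)
        if status == FRIEND:
            self.inbox.append((sender, subject, body))
            return "delivered"
        local, _, domain = sender.rpartition("@")
        if status is None and not (local and domain and domain_ok(domain)):
            self.known[sender] = status = SPAMMER  # invalid address: block from now on
        if status == SPAMMER:
            return "deleted"
        if not self.waiting.get(sender):       # one challenge per held sender
            token = secrets.token_urlsafe(16)  # unguessable and single use
            self.tokens[token] = sender
            self.outbox.append((self.server_address, sender, token))
        self.waiting.setdefault(sender, []).append((now, subject, body))
        return "waiting"

    def confirm(self, token):
        sender = self.tokens.pop(token, None)
        if sender is None or self.known.get(sender) == SPAMMER:
            return False
        self.known[sender] = FRIEND
        for _, subject, body in self.waiting.pop(sender, []):
            self.inbox.append((sender, subject, body))  # release held mail
        return True

    def challenge_bounced(self, sender):
        self.known[sender] = SPAMMER  # undeliverable challenge: treat as spammer
        self.waiting.pop(sender, None)

    def expire(self, now):
        for sender, held in self.waiting.items():
            held[:] = [m for m in held if now - m[0] < self.hold_seconds]

def demo():
    box = ChallengeResponseBox("spamfree@tusc.com")  # constructed sample data below
    box.address_globs["*@friends.com"] = FRIEND
    box.known["spammer@spam.com"] = SPAMMER
    out = [box.receive("ann@friends.com", "lunch", "hi", 0),
           box.receive("spammer@spam.com", "offer", "buy", 0),
           box.receive("new@example.org", "hello", "first", 0),
           box.receive("x@bad.invalid", "deal", "buy", 0, domain_ok=lambda d: False)]
    out.append(box.confirm(box.outbox[0][2]))
    return out, box
```

A subject wildcard admits any sender who includes the keyword, so it bypasses the challenge entirely; exact-address and address-wildcard rules are checked first here for that reason.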

When you move your cursor over each message subject, the message content will pop up. If you move your cursor over the personal email address, the actual email address will pop up. The end of the message contains the help message for SpamFree, which indicates how to add new friends, domains, subjects, and more. See figure 10.

Government regulation?
Will the United States government regulate spam, in effect solving the problem any day now? House Bill 3113 passed in Congress on July 18, 2000. However, to date, the bill has not been passed by the Senate.

Government law states that a $500 fine ($150,000 maximum) will be issued to those companies that don't include a valid email address, falsify information on the email, don't provide the ability for people to be removed from lists or sell names to a third party. It's estimated more than 90 percent of the spam you receive falls into this category. Another component of the bill states that you will be issued a $10 fine if you don't include "ADV:" in the subject line. (Well, 99.9 percent of spam doesn't do it.)

One company noted that out of 200,000 mailboxes, 60 percent of email that people received was spam. Out of an average of 30 email messages per day per user, about 20 are spam. That's 8,000 spam messages per mailbox per year!

For some (like me), as many as 200 to 1,000 per day are spam - as of June 2003. This number was about 100 per day as of February 2003! Each spam consumes about 3,000 to 50,000 bytes of storage and bandwidth (twice - once to the server and again to the client). Multiply a modest average of just 20 spams per day or 8,000 per year and this takes up about 200MB of email storage and bandwidth consumed per mailbox!

Is the government regulation working? Obviously not! Why? Because spam is accomplishing its goal! People are reading it and making purchases. Keep in mind that this is not a law yet.

If you had a claim, how would you collect? Would you go to court? File a lawsuit? People simply have no effective way to stop it. After meeting with a number of congressional members on this issue, it's obvious to me that government cannot resolve the issue. Email isn't like a phone call, which has intelligence built into it. The phone number tells you where you're calling, which places jurisdiction rules around the call.

Individual states can mandate no solicitation rules around your phone, but they can't regulate the Internet. An email address doesn't have intelligence built into the address. There is no jurisdiction that can be wrapped around email.

Where does this leave you? You must solve the problem for your company. Will you do this with spam filtering software? Filters simply move spam to another mailbox. You still have to scan through the messages for false positives. The spam still takes up storage and bandwidth on the network. Most importantly, it takes up company time. Even if spam becomes illegal, other countries won't comply - remember Napster? Now we have Kazaa, an out-of-country "solution."

Future revenue opportunities
If the U.S. government does ever get serious about spam laws, SpamFree could help track down violations and help people win awards. That's because SpamFree captures the IP address of the email sender and IP address of all click-throughs (in the event solicitors violate, it could track down offenders for our customers). Note that the domain and IP address of spammers is usually an "open" (unprotected or unsecure) email server. This is called "relaying."

Legitimate businesses don't spam. It's unacceptable. Sometimes it does cost you real money - for example, when I read my email via cell phone, I pay by the byte. Verizon Wireless had difficulty getting a company to stop sending spam text messages to Verizon customers, costing them real money. Verizon, however, did win that ruling.

Also keep in mind that spammers can tell when you open an email (by an encoded URL on an image) and not just when you click through to their site. So, just receiving an email can confirm your email address to spammers. However, this could lead to revenue opportunities for those who use SpamFree. It adds up to $500 to $1,000 for each breach; $10 for non-"ADV:" subject lines and so much per email account violated.

Tariffs - another revenue opportunity
Yet another revenue opportunity with SpamFree is that you could allow people to sign up for solicitation in exchange for a fee (charge a tariff). The acceptance of spam could be by category (software, tennis, etc.) or it could be wide open (i.e., I'll accept spam from anyone willing to pay me a nickel). In this situation, vendors would prepay to send solicitations to willing email addresses. This would make vendors and email account owners happy - each would get what they want. It's a win-win.

Pilot and migration
Want to enjoy the benefits for yourself? Well, TUSC is making SpamFree available under the Apache open source license. Click here and you'll be taken to the Web page where the download is available. If you would like assistance configuring or installing SpamFree, or other help with it, TUSC is available on a consulting basis. Please call us at 800/755-8872.

Architecture - Oracle engine
SpamFree runs totally on Java and can be used with any email source. This includes, but is not limited to, POP3, IMAP, SMTP, Microsoft Exchange, America Online, Oracle Collaboration Suite, SendMail, Lotus Notes, Hotmail, Yahoo! and numerous other email servers. We've only tested SpamFree against an Oracle Database, but it uses JDBC to connect to it - therefore, you can use any database engine if you so choose. There is no PL/SQL or other proprietary code in this application. It's totally portable to any platform that Java runs on and any database that supports JDBC connections.

Performance, scalability, security
Keeping in mind that SpamFree's engine is based on Oracle, SpamFree is as secure, scalable and high-performance as the Oracle Database itself.

Conclusion
SpamFree provides a solution to the problem everyone with an email account has - spam! By using it, you'll no longer receive spam messages, which will free up time and save money and resources. Best of all, SpamFree will free up time that would otherwise be spent sorting through spam - allowing your employees to focus on generating additional revenue!

Appendix A
This appendix contains additional reference information about SpamFree.

"No solicitation" letter
The following letter is the default email that will be sent to all new email addresses. Any user may customize the message to their liking:

Dear <% from_personal_address %>,

<% to_personal_address %> here...sorry to bug you, but you recently sent me a message. I have eliminated SPAM from entering my mailbox with this challenge-response software. Your email doesn't exist in my "friends" list yet. To add yourself, <% reply_url %> or simply reply to this message and add the word FRIEND to the end of the subject. You can remove the body of the message if you wish. This is the only time that you will be asked to confirm you are not a solicitor. To refresh your memory, the subject of your message was "<% subject %>".

Thanks for your cooperation and support to abolish SPAM!

Sincerely,
<% to_personal_address %>

A number of substitution variables are available for inclusion in the custom email message:

  • <% from_personal_address %> - personal address of the person who sent you an email. This is typically the person's full name, such as "Bradley D. Brown."
  • <% from_raw_address %> - raw email address of the person who sent you an email. This is the Internet email address, such as "brown@tusc.com."
  • <% to_personal_address %> - your personal address, such as "Bob E. Socks."
  • <% owner_address %> - your raw email address, such as socksb@tusc.com.
  • <% subject %> - the subject of the email message that was sent to you.
  • <% click_here %> - the system-generated link that will confirm the user is not a solicitor.

Frequently asked questions
Question: Will SpamFree work with my existing email account?
Answer: SpamFree works with all email services!

Question: What's the best way to train end users on SpamFree?
Answer: SpamFree doesn't require any end-user training. Messages are automatically sent to people who send the user a spam message. End users instantly attain spam-free email.

Question: If I don't have Oracle, how much will it cost for me to purchase it?
Answer: You do not need to purchase Oracle to use SpamFree. Although it's based on Oracle technology, you can run SpamFree on an open source database (e.g., Postgres or MySQL) if you so choose.

Question: What skills are required to administer? Can I install it myself?
Answer: Administration can be performed by any trained administrative assistant. At the current time, we prefer that we do the installation.

Question: Does SpamFree provide reports (weekly or monthly, showing the number of spams received by the individual, department and company)?
Answer: At the current time, SpamFree provides reports to end users on the frequency of their choice. If additional reports are required, TUSC can develop any required reports.

Question: What is the price for SpamFree? Is there a maintenance fee? Is there technical support and, if so, what is the coverage?
Answer: SpamFree is FREE, FREE, FREE!
