DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY
COMMITTEE ON CONSUMER POLICY COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY
FOREWORD
The OECD Task force on Spam discussed this document during its meeting in March 2005, and recommended it for declassification to the CCP and ICCP Committees through a written procedure, which was completed on 6 May 2005.
The report was prepared by Mr. Suresh Ramasubramanian, Consultant to the OECD. It is published under the responsibility of the Secretary-General of the OECD.
TABLE OF CONTENTS
XXX
EXECUTIVE SUMMARY
Spam is a much more serious issue in developing countries than in OECD countries, as it is a heavy drain on resources that are scarcer and costlier in developing countries than elsewhere. In this paper, it will be seen that several issues faced by the victims of spam in developing countries are the very same ones that are faced by their counterparts in more developed countries. The only difference is that the effects of spam are magnified, and are felt much more strongly in developing countries than elsewhere. ISPs and network providers in developing countries lack the capacity and resources to deal with sudden surges in spam that occur from time to time, and this often causes their mail servers to break down or function at a sub-optimal level. Indeed, their capacity to cope with even normal (though fairly high) levels of spam is much weakened because resources such as hardware, bandwidth and software licenses tend to cost much more as a percentage of a developing country ISP’s budget. Similarly end users, both consumers and business, may lack knowledge of potential resources available to them to take effective action, and even those resources that they do have available cost relatively more.
The genesis of this paper was the emphasis given by the OECD Task Force on spam on ensuring that its work on spam also included an outreach element encompassing non-member countries. This also reflected the deep concern felt by representatives of developing economies, and strongly expressed at the ITU/WSIS Thematic Meeting on Spam held in Geneva in July 2004, about how spam and net abuse were bleeding the Internet economy in their countries of scarce and costly bandwidth, and that they were ill equipped to deal with these issues, both in terms of technical know-how, money and equipment for ISPs to deal with spam and net abuse.
Developing country representatives have often expressed the view that Internet users in their countries were suffering much more from the impact of spam and net abuse, and were becoming wary of even using the Internet. As a consequence of this widespread fear and distrust of the Internet, some people were not prepared to access even e-governance resources being made available to them by their governments.
OECD is studying the problems of spam specific to developing economies, its impact on these economies, and suggested means and measures that can be taken to mitigate the impact of spam on developing economies.
This paper will attempt to discuss the challenges faced by developing economies in fighting spam. Its main emphasis is on issues facing Internet Service Providers. Beginning with a review of the economic and technical issues of spam, it goes on to suggest several technical and legislative solutions, backed by the education and empowerment of users, giving them access to secure computing resources and making them more sensitized to net abuse issues. The paper goes on to examine what developing economies can do to combat spam on their own, and examines the various possible ways in which developed economies can contribute their expertise and resources to help developing economies fight spam.
The solutions proposed in the paper are carefully selected so as to be scalable, with the highest possible return on investment in money, and even more importantly, in human resources. The ubiquitous resource shortage and other conditions specific to developing economies (such as a current lack of regulation and enforcement) have also been kept in mind, as have the advantages available to developing economies – such as a large pool of competent human resources available at a comparatively low cost and will prove a valuable resource for developing economies that helps them increasingly mitigate spam locally, at the lowest possible cost, and with maximum knowledge of local conditions so that any antispam solution implemented – whether legislative, technical or user level – can be properly customised to reflect local conditions. Another important part of the solution – international co-operation at multiple levels (ISP to ISP, government to government, business to business) has also been discussed. Further, the paper also suggests several possible and currently operational venues and forums for such co-operation.
INTRODUCTION
Why spam is so popular – the “transfer of cost” syndrome
Unsolicited bulk email messaging, also known as spam, thrives for one major reason – the costs incurred by the spammer sending the spam are extremely low. In contrast the costs incurred by an ISP, a business or an individual to receive, store and download spam far outstrip the costs incurred by the spammer. In contrast, traditional off-line marketing methods, such as bulk postal mail and telemarketing, are based on a sender pays model, where the sender bears all the costs, and the cost to the recipient of this advertising is negligible.
The e-mail system, when formed, never envisaged the probability that it would be abused so there is a strong design legacy of operation on a trusted network, and a largely open access policy that allowed all participants on the network free access to computing resources, SMTP relay services etc., on each others’ machines, as a gesture of courtesy and goodwill. Another feature of the e-mail system when it was first developed, and which remains a legacy to this day, is the ability of users to remain anonymous. While anonymity is still an essential feature of today’s Internet, especially in the context of free speech or other legitimate reasons for anonymity, the possibilities of anonymous e-mail are increasingly being adopted by spammers.
Spammers and other Internet abusers adopt a wide variety of tactics in an effort to cover their tracks and avoid detection. These include techniques such as rapidly cycling through a huge list of anonymous proxy servers, or infecting thousands of PCs around the world with viruses in order to set up a “zombie army” of computers that can be remotely controlled to send out spam, perpetrate distributed denial of service (DDoS) attacks, compromise servers etc.
These techniques ensure that spammers can abuse the resources of others, namely the computing power and bandwidth of thousands of people around the world in order to send out their spam. This allows for very large amounts of spam to be injected into the global e-mail stream at negligible cost to the spammer. The spammer need not pay for anything except an Internet connection and the cost of bulk mailer software to distribute sales pitches.
SPAM ISSUES IN DEVELOPED AND DEVELOPING ECONOMIES
Impact on ISPs
Bandwidth
There is still limited availability of bandwidth in many developing countries, often associated with high costs. High volumes of incoming and outgoing spam are a severe drain on the meagre available bandwidth and therefore impact developing economies relatively more than would be the case for similar volumes of spam in developed economies.
Costs
The costs of handling, sorting and delivering this e-mail to users’ mailboxes are borne by the receiving ISP. Data provided below is the average estimate of the spam filtering costs incurred by Outblaze Limited, a large Webmail provider based in Hong Kong, China, that has over 40 million users around the world on domains such as lycos.com and operamail.com. The costs presented below are for filtering spam on just one of their mail server clusters – they have several such clusters around the world. Given that Outblaze hosts e-mail for over 40 million Webmail users, the problems created by, and costs of fighting spam are magnified, and become immediately more obvious.
The bandwidth cost that is presented below is an average estimate that has been prepared from the cost of hosting servers in a managed data-centre in various developed countries. These costs will be far higher in developing countries, especially in countries where the major form of international and even local connectivity is by satellite (for example, several countries in the interior of Africa and Asia, such as Nigeria and Nepal), rather than through surface laid / submarine copper and fibre optic cables.
It must be noted that salaries paid by ISPs to hire administrators and support staff for anti-spam and other operations will be lower in developing economies, but as a quick scan of these figures shows, that is not that much of a factor in the cost equation. It must be noted that all filtering technology used at Outblaze is based on and developed using freely available open source tools, so that the only cost is in hiring competent administrators and programmers to write and customise new filters. If licences for a proprietary spam filter had to be purchased, the costs would be correspondingly higher.
- Bandwidth costs = USD 600 / MB / month
- Bandwidth consumption for mail = 70 MB / day
- Incoming mail rejected as spam = 80%
- Percentage of accepted mail that is spam that gets past filters = 15%
- Monthly bandwidth cost of spam = USD 6 300
- Monthly storage cost of spam = USD 5 400
- Monthly salary expenses for mail / abuse administrators = USD 75 000
- Plus the costs of support for users upset at being spammed
That last item amounts to several hundred thousand dollars to a few million dollars a year at a large ISP in a developed economy, even with technical support outsourced to India or the Philippines. In fact, as the cost of spam handling finally gets passed on to the ISP’s users, up to 10% of a user’s ISP bills may go towards combating spam and providing technical support for spam-induced problems.
Thus ISPs are faced with a large cost centre, rather than a profit centre, as a result of spam. The costs of receiving, storing and downloading spam, the opportunity costs of hiring administrators solely to do spam filtering, when their talents could be devoted to other tasks within the company, are all high. However, it is a necessary cost, due to the associated savings in bandwidth, server infrastructure, and most of all, in retention of customers who would otherwise shift their services to another ISP just because it offered better filters.
In addition to costs faced by ISPs, businesses would also be faced with costs to filter spam, costs associated with hiring administrators to deal with spam, and productivity and other costs associated with spam reaching end user e-mail boxes. For developing economies these costs may be relatively the same for large businesses as in developed economies. However, factors such as the high cost of software licenses, combined with the scarce knowledge resources in some developing economies may often mean that it is difficult to locate and hire well-trained mail systems and anti-spam administrators.
These problems get exacerbated for smaller businesses that may not be able to afford either licensed software or systems administrators, trained or otherwise. A common situation noticed in developing economies is that a consultant is hired to perform initial installation and configuration of the mail server, and to set up mailboxes on it, but further maintenance of the server (such as application of security updates) does not take place at all. As a result of these resource and staffing constraints, several businesses in developing economies tend not to use e-mail very much, thus losing what can be a powerful tool to boost communications and productivity. Several businesses that are not heavy users of e-mail, tend to use e-mail addresses provided by a free Webmail site like Lycos or Hotmail, or have their ISP host their mail server for them rather than doing this in-house.
<–>
