I was having a discussion with some associates of mine this week that work in IT support for a medium sized business across town from my office.  Since we were talking about email servers the discussion inevitably came around to the topic of spam prevention.

Firstly I was pleased to hear that the business they work for has recognised that spam costs them money and that implementing spam protection is necessary for their organisation.  Unfortunately that had not extended to allocating much of a budget to the project.  I asked my associates whether the business would be willing to allocate some more funding towards a decent solution, and learned that the business owners wanted to try out some free solutions first instead.

Why pay for something that I can get for free?

You could secure your front door against intruders every night for free just by jamming a chair against it, or by sliding a heavy book case in front of it.  An intruder won’t be able to open it, which was your goal when you implemented the solution, but on the other hand it is very cumbersome to manage because you need to slide the book case aside to get out of the house, and you can’t lock it from the outside.There are solutions to both of those problems as well, but most people just buy a proper lock for their front door instead.  It does exactly what you want and saves you time and energy every day for a relatively minor upfront investment.

Is my time free too?

As we discussed their ideas for a free solution in more depth I learned that they planned to implement a series of preventative measures using a combination of:

• Manually configured block lists for certain IP addresses and domains
• Connection filtering using the RBL service from SpamHAUS
• A free and open source content filtering program
• A free anti-spam program that integrates with the email client on end user computers

My first thought was “How are you going to find the time to set all of that up, let alone manage it?“.  I asked them that very question and the answers were not very encouraging.  As we discussed it further I learned that the implementation of the system was going to span several servers as well as require a visit to each end user computer.  Once it was implemented each part of the solution had its own configuration and management interface (in some cases just editing text-based configuration files).  Furthermore each part had its own logging system, and none of the parts had any kind of reporting features.

It may be free, but its going to cost a lot

It quickly became clear that this solution was going to be very costly simply due to the amount of time it would take to implement and maintain it.  Any email issues such as false positives that need investigation by the IT department will mean checking at least four different systems and sets of log files to begin troubleshooting.  With no centralised configuration, logging, or reporting there would be no way to easily tune the system to reduce false positives, or to quickly locate a quarantined item.  Furthermore the first time the business owners ask how well the anti-spam system is performing the IT staff will either have to shrug and say they don’t know, or will have to cobble together a manual report using each component’s log files.

Small investment, big return

There is a reason we pay for locks to be installed on our front door instead of dragging furniture back and forth in front of it all the time.  For a small upfront investment we save time over the life of the solution, and in business time is money.  In the end the free solution simply costs more.