The second statistic is about the effectiveness of businesses in handling spam. Apparently employees at businesses with 24 users or fewer see nearly 600 spam messages a month. What’s surprising here is that this is more than five times the spam that’s seen, on average, by employees at companies with 10,000 users or more.

Both of these statistics come from MessageLabs, one of the two dominant players in the world of spam filtering today. Spammers aren’t targeting small businesses, MessageLabs wrote in the March issue of its Internet Threat Watch. Instead, employees at small companies are less likely to have effective spam filtering measures.

This might seem like a self-serving finding from MessageLabs, which markets its service primarily to large corporations. But the conclusion is more or less in line with my own experience. Spam filtering is not something that you can set up and forget: An antispam system that works well today will slowly lose its potency as the spammers learn how to evade the filtering techniques that you’ve implemented. Large organizations can dedicate the time and money to staying current with their antispam technology, but small companies generally can’t. As a result, the level of spam seen by employees at small organizations slowly creeps up after each new system is deployed until the amount of spam becomes unbearable, then the next system is rolled out.

Recently I had the chance to speak with antispam specialists at MessageLabs and Postini (the other dominant player in the world of antispam). I asked both companies what they thought would be the greatest problems facing spam-fighters in the coming year. To understand the answers, it’s important to understand that spam has a lifecycle, and this lifecycle highlights many of the world’s persistent computer security problems.

Bot Economics
Most of the spam that reaches your mailbox was sent from a bot—an ordinary home or office PC that wouldn’t be notable other than the fact that it has a high-speed Internet connection and that it’s under the control of a malicious third party. I’ve seen estimates that there are between 1 million and 100 million infected computers in the world today. I have no idea how these estimates are made, whether they are reliable, and what they actually mean. But it’s clear that there are a lot of machines infected with bots, and that the existence of these machines represents a failure of today’s antivirus and antispyware approaches.