Spam's Cost To Business Escalates
Jonathan Krim, Washington Post 2003-03-13

The flood of unsolicited messages sent over the Internet is growing so fast
that spam may soon account for half of all U.S. e-mail traffic, making it not
only a hair-pulling annoyance but also an increasing drain on corporate budgets
and possibly a threat to the continued usefulness of the most successful tool
of the computer age.

Spam continues to defy most legal and technical efforts to stamp it out. The
surge has spurred calls for national legislation, but deep divisions remain
regarding what constitutes spam and how best to regulate it. In the meantime,
spammers, Internet providers, company network administrators and anti-spam
vigilantes are locked in a ferocious electronic arms race.

Many spammers have become so adept at masking their tracks that they are rarely
found. They are so technologically sophisticated that they adjust their systems
on the fly to counter special filters and other barriers thrown up against
them. They can even electronically commandeer unprotected computers, turning
them into spam-launching weapons of mass production.

"The spammers are evil folks," said Matt Korn, America Online Inc.'s vice
president for network operations. "As hard as we're working, they are working
24 hours a day. That's the level to which this battle has escalated."

Roughly 40 percent of all e-mail traffic in the United States is spam, up from
8 percent in late 2001 and nearly doubling in the past six months, according to
Brightmail Inc., a major vendor of anti-spam software. By the end of this year,
industry experts predict, fully half of all e-mail will be unsolicited. (About
40 percent of U.S. Postal Service mail is business marketing.)

Many companies with legitimate products rely on the ability to reach millions
of existing and potential customers through e-mail, and they argue that their
solicitations are not spam. But of the total volume of unsolicited mail pouring
into e-mail boxes, much is pornographic, comes from scam artists or contains
viruses.

"We're seeing a slow degradation of the medium," said Jason Catlett, a computer
scientist and founder of Junkbusters Corp., an anti-spam and privacy advocacy
group. "Many people don't get on the Internet or abandon it because they don't
like the trash that they see."

According to Ferris Research Inc., a San Francisco consulting group, spam will
cost U.S. organizations more than $10 billion this year. The figure includes
lost productivity and the additional equipment, software and manpower needed to
combat the problem.

Robert Mahowald, research manager for IDC, said his firm estimates that for a
company with 14,000 employees, the annual cost to fight spam is $245,000. And,
he said, "there's no end in sight."

The front line in the war against spam is inside an unmarked building in
Northern Virginia, where a bank of computer screens tracks the volume of e-mail
pouring into the system used by America Online's 35 million subscribers.

On a recent afternoon, an unexpected spike suggested the work of spammers using
one of their favorite new weapons, the "dictionary" attack.

With special software, spammers can generate millions of e-mails using
combinations of letters and numbers, such as JaneH79, placed in front of the
@aol.com portion of the address. Enough are generated that many match real
e-mail accounts.

That's when Charles Stiles and an anti-spam team take over. They work in a
separate backroom because some of the Web sites they need to examine to track
down owners are so sexually explicit that colleagues might find the workplace
offensive.

The group first determines whether AOL's spam filters, which block 1 billion
messages a day, need to be adjusted. Meanwhile, a large monitor displays the
code for the network address of the computer that sent the suspected spam. The
address is automatically cross-checked against a list of registered owners.

But there is an immediate problem: Some of the addresses show up on the display
as "unknown." Many others are obvious fakes, making it difficult to track down
the senders to get them to stop, or to sue them if they don't.

Similar scenarios play out every day at every Internet provider, from giants
such as AOL, Microsoft Corp. and EarthLink Inc. to tiny firms that serve a few
thousand customers. And in general, the efforts are about as effective as
plugging a water-main break with chewing gum.

Although there are anti-spam laws in 26 states, including Virginia and
Maryland, the direct-marketing industry and some Internet retailers have
successfully lobbied Congress against a federal law.

That posture has softened as the volume of spam -- and complaints from irate
businesses and home-computer users -- has skyrocketed. Marketers now say that
while they prefer technological solutions, a national law would be helpful and
more effective than a patchwork of state regulations that vary in strength and
approach.

Microsoft, AOL, Verizon Communications Inc., EarthLink and other Internet
providers also are aggressively pushing for national legislation.

But prospects for getting a law passed are unclear. Industry and many
anti-spam activists are divided over how to combat the problem, and even on how
spam should be defined.

Marketers of legitimate products worry that their messages are getting lost in
the din, threatening what has become a thriving business. Although Web site
advertising fell victim to the dot-com implosion, marketing via e-mail has been
an Internet bright spot, growing to a $1.4 billion industry last year,
according to Jupiter Research.

These companies want any law to distinguish their ability to distribute such
e-mail from messages that have deceptive subject lines, commit fraud or are
designed to thwart detection of the sender so they cannot be stopped on demand.

"We want to make sure we can get to who the bad guys are," said Louis Mastria,
spokesman for the powerful Direct Marketing Association. "Accountability is
paramount."

But anti-spam activists argue that any piece of unsolicited commercial e-mail
sent in bulk is spam, even if it comes from "legitimate" businesses.

"Spam is postage-due marketing," Catlett said. "It's obvious to every Internet
user that if every company out there can send them junk whenever they feel like
it until they're told to stop, junk e-mail will overrun them."

What worries the anti-spam community most is what happens if legitimate
marketers step up their e-mailings to try to rise above the clutter.

"There are 24 million small businesses in the country. If just 1 percent of
those got hold of your e-mail address, and each of them sent you one e-mail a
year, that's 657 messages in your inbox every day. And that's just small
businesses," said John C. Mozena, a founder of the Coalition Against
Unsolicited Commercial Email.

Mozena, Catlett and others argue that only an outright ban on unsolicited
commercial e-mail will make a dent in the volume of spam, as happened when junk
faxes were banned in 1991.

"Almost none of them [state laws] do more than regulate the manner of
spamming," said David E. Sorkin, who teaches technology and privacy law at the
John Marshall Law School in Chicago. "I view them as counterproductive. . . .
You may ameliorate some of the symptoms, but you are not dealing with the
problem itself. Then legitimate marketers will start to think it's okay, so
volume goes way up."

The practical effect of such a ban would be an "opt-in" system, in which
companies would have to wait for consumers to request commercial e-mail before
it could be sent. This was the system adopted by the European Union last year.

Marketers and most Internet providers oppose requiring opt-in, preferring the
"opt-out" system that most firms use. In opt-out, a consumer's approval to
receive solicitations via e-mail is assumed unless he or she requests
otherwise.

Amazon.com Inc., the largest Internet retailer and an active lobbyist on the
issue, also does not support an outright spam ban.

"We don't do unsolicited commercial e-mail," said Paul Misener, the firm's vice
president for global public policy. "But we get really concerned when there are
hard-line rules aimed at one medium. We send out thousands of e-mails every
day. What if we make a mistake? Accidents happen, and the real harm is
minuscule."

Only one state, Delaware, bans unsolicited commercial bulk e-mail. But Steven
Wood, a lawyer with the state attorney general's office, said the state has yet
to have a successful prosecution because it is so difficult to track spammers
down. Most states do little enforcement on their own. Instead, their laws are
used by companies as grounds to sue spammers.

Some in the industry also worry that an outright ban on spam would violate
free-speech provisions of the Constitution. But many legal experts argue that a
properly written ban would stand a good chance of passing constitutional
muster, as the junk-fax law did.

Like junk faxes, spam imposes a cost on users, occupying space in e-mail boxes
and on networks and the computer servers that power them. That cost can
outweigh protections on commercial speech, as long as restrictions are not
based on the content of the e-mail, lawyers said.

Analysts say the best chance for legislative action is the return of a bill
sponsored in the last session of Congress by Sens. Conrad Burns (R-Mont.) and
Ron Wyden (D-Ore.), which would outlaw e-mail with deceptive subject lines and
forged code that masks a sender's identity.

Burns said he hopes to join forces with House members, such as Rep. Heather A.
Wilson (D-N.M.), who also have proposed spam legislation. Burns said he is
optimistic his bill will pass this year and that President Bush will sign it.

So far, the White House has been silent on legislation, although the Federal
Trade Commission plans a three-day symposium on the problem late next month.

Bruce P. Mehlman, assistant secretary for technology policy at the Commerce
Department, said the administration would wait to see what is proposed.

"Consumers are choking on spam, and it is clogging the arteries of the
Internet," he said. "Personally, I believe we need to find ways to help
consumers protect themselves . . . provided they would be effective, have
minimal impact on innovation and preserve consumer choice. The best anti-spam
solutions may well be technologically based and market-driven."

Even on their best days, Charles Stiles and the AOL anti-spam team are reduced
to playing defense.

They filter out as much as they can, act on customer complaints and try to
contact as many spam originators as possible. AOL, like all major Internet
providers, also offers users additional spam-fighting tools.

But some in the anti-spam community are more aggressive, waging a daily
electronic war that is largely invisible to the average computer user.

At the quieter end of the battlefield, activists such as Chip Rosenthal, a
computer consultant in Texas, create e-mail accounts for the express purpose of
attracting spam.

"If they hit one of my spam traps, I launch probes" to figure out the location
of the senders' computers, Rosenthal said.

Sometimes, Rosenthal identifies unprotected computers that were unwittingly
taken over by a spammer, launching spam without the owners' knowledge.

But Rosenthal is part of a loose network of anti-spam advocates whose primary
goal is to collect and publicize "blacklists" of spammers' Internet addresses.
These are then incorporated into spam filters used by small Internet service
providers, company system administrators and individual users, blocking any
e-mail that comes from those addresses.

The most complete of these blacklists is kept by the Spamhaus Project, a
British-based organization that serves as a clearinghouse for not only
spammers' addresses and contact information but also biographical sketches of
what is known about the most notorious, who have nicknames such as Dr. Fatburn,
the Ballman and CPUguys.

Spammers sometimes attack the blacklist builders, such as Julian Haight, who
runs SpamCop.net.

Haight said an unknown spammer recently sent thousands of e-mails, disguised to
look as if they came from SpamCop, to network owners, claiming they were
originating spam, were about to be blacklisted and should call Haight's
telephone number if they had questions. Haight said his inundated phone was
nearly rendered useless by the ruse.

But the anti-spam community has its own rogue elements who use the detailed
blacklist information to launch attacks against spammers by flooding their
computers with . . . spam.

In a celebrated incident last year, one of the country's largest bulk
e-mailers, Alan Ralsky of Michigan, found his home address, telephone number
and pictures of his house posted online in a coordinated effort to make his
life miserable after the Detroit Free Press wrote a story about his business.

The anti-spammers also signed him up for hundreds of catalogues, advertising
fliers and contest mailing lists that jammed his mailbox.

Ralsky could not be reached for comment. His attorney, Robert Harrison, said he
doubted Ralsky would talk to the media again.

"They hit me with spam, too," Harrison said.

On top of everything else, the anti-spam team at AOL has to keep an eye on its
own members.

Although spammers disguise their movements by ricocheting e-mail blasts off of
several computers, or use networks based overseas, the originators could be AOL
account holders.

Like all Internet providers, AOL monitors its networks for unusually high
volumes of outgoing mail and will shut down those with abnormally high numbers.

In the past, spammers could automate the process of creating new accounts,
which is especially attractive with free, Web-based e-mail systems such as
those run by Yahoo Inc. and Microsoft. Both companies recently changed their
registration steps to make that more difficult.

But the reality is that mass e-mailing is too lucrative for spammers to be
discouraged by most obstacles thrown in front of them.

Each e-mail sent costs a fraction of a cent. A gray market for spamming
products, including software that disguises the sender's address, or "scrapes"
Internet sites for e-mail addresses that are then sold as lists, is
flourishing.

Random dictionary attacks are especially effective because they enable the
spammers to confirm which addresses are legitimate by monitoring which ones
don't bounce back. The working addresses are then added to lists that are sold
and resold within the spammer community.

Internet providers, as well as third-party software companies, also are giving
their customers ever-improving software to help filter spam from their
individual e-mail boxes. But many users still encounter annoying "false
positives," in which important e-mail, or e-mail with seemingly innocuous
keywords, gets blocked.

And even for legitimate network owners, the allure of having thousands of
e-mail addresses at their fingertips is difficult to resist.

AOL has, on rare occasion, entered into marketing deals in which retailers have
paid the company to distribute solicitations to members.

"Like other companies, AOL has reserved the right to occasionally present
e-mail offers on behalf of trusted partners," said spokesman Nicholas J.
Graham. "This has taken place, however, only a handful of times in the past
several years. Additionally, AOL has also always allowed members to completely
opt out from any such mailings at any time."

Recently, a vendor of an anti-spam product was accused of spamming.

Seattle-based Spam Arrest LLC is one of a handful of firms offering what some
see as a promising new technology. When someone sends an e-mail to a user of
Spam Arrest, he or she gets an automatically generated e-mail back asking to
verify that the sender is a live person.

After the sender confirms by identifying a word or picture on the screen, the
original e-mail is allowed to get to its destination. This thwarts
auto-generated e-mail.

But the software also allows Spam Arrest to capture senders' e-mail addresses,
and it recently sent them a solicitation for the Spam Arrest software.

"It was a one-time mailing," said Spam Arrest chief executive Cameron Elliott.
"We'll probably choose not to do this again."

Copyright 2006, SecurityFocus