Although Richter practices a highly reviled occupation on the Net, he says he never makes false claims in his ads and argues that there’s nothing wrong with unsolicited bulk commercial e-mail messages, or spam. He also confidently says that bulk e-mailers are relatively immune from new laws and lawsuits. “We can set up in another country within an hour,” he says. “There are people in other countries who would love to sell us bandwidth.”
Richter’s insouciance and general visibility–his phone number is posted on his Web site–suggests an unpleasant fact about the eternal cat-and-mouse game that the Internet’s spam war has become: the nefarious mouse is winning, and it’s not even a close race. In the past two years spam has congested the Internet, threatened to overwhelm Internet service providers and sent Web surfers of sensitive disposition scampering away from their computers in embarrassment. Spam is now approaching 60 percent of all e-mail, according to the research firm Gartner Group. Ferris Research says spam puts a $9 billion annual drag on productivity, as workers peck away at the delete button every time another Nigerian dictator with a sob story crashes their in box.
The forces who say they hate spam–politicians, tech companies, beleaguered e-mail users and anti-spam vigilantes who spend their own time and money trying to clean up the Net–haven’t managed to make a dent in the problem. Current approaches aren’t working; even though home users and many companies started filtering their e-mail two years ago, the overall amount of junk mail has ballooned exponentially. Filtering and antivirus companies always seem one step behind the rapidly evolving methods of clever spammers. And most individual lawsuits against spammers have been defeated, settled or concluded with the penalties levied against spammers unpaid, and their e-mailing operations still open for business. Meanwhile, efforts in Congress to stop unwanted e-mail have been neutered, ironically, by mainstream companies who claim to fight unsolicited e-mail but want to preserve the Net for advertising.
Can anything be done? Reports from the front lines of the spam war show how traditional anti-spam tools are outmatched and suggest some promising solutions.
Filtering: Even when spam never finds its way to individual e-mail accounts, it creates havoc for Internet companies. Servers at AOL and Microsoft sag under the weight of a billion blocked spam messages each day; smaller ISPs that get fewer messages suffer even more. Barry Shein is the founder of The World, a small Internet service in New England. One day last week Shein arrived early at work to spend three hours personally sifting through his jammed e-mail servers and deleting thousands of messages his filters caught. With so many flagrantly illegal spam techniques, Shein wonders why no one is slapping handcuffs on spammers. “Imagine being dragged out in front of your house and beaten every day in front of your neighbors, and the police won’t respond to it,” he says. “That’s what this feels like.”
Using e-mail filtering tools helps companies and individual users block spam, but it’s not perfect. CipherTrust, an Atlanta-based anti-spam firm, uses a combination of technologies in its products: it hunts for specific words, blocks the addresses of repeat offenders and analyzes info at the top of a message to look for telltale spam signs. On his laptop, CipherTrust engineer Steve Davis reviews the dozens of unwanted messages sent to his own protected e-mail account that morning. Messages promoting work-from-home schemes (“Attention Moms!”) and junior-college programs (“Degree Programs That Fit Your Life!”) get successfully blocked.
But another message, masquerading as an important upgrade from Microsoft and carrying a virus, gets through the CipherTrust filter. The message is similar to a legitimate customer-service message, and thus impossible to detect by software that looks for betraying words or phrases. It was not sent by any known spammer, and CipherTrust hasn’t seen any other messages exactly like it, so software designed to find patterns doesn’t catch it either. In other words, an ingenious spammer somewhere in the world knows exactly what filters look for and has found a new way to evade them. “We are trying to hit a target that is coming at us from all directions and moving at the speed of the Internet,” Davis says.
The virus that made it through, incidentally, represents a new and deleterious kind of spam: it seeks to turn a PC into an unwitting bulk e-mail generator that remotely does the spammer’s bidding. In the past few weeks more and more of these so-called spam zombies have been turning up on college campuses. After a recent football game at Texas Christian University, network administrator Bryan Lucas returned to his office to find campus servers pumping out a hundred thousand e-mails for prescription drugs. He tracked the problem back to the laptop of the football team’s bewildered punter, who unknowingly downloaded the spam software. Lucas says this is the fourth such incident this semester, and that colleges are fat targets for amoral spammers. “We’re perfect victims. The students have good computers hooked up to high-speed networks. Most other universities wouldn’t even catch it.”
Prosecution and litigation: Sending out bulk e-mail is legal and protected by the First Amendment. But such zombie attacks are clearly illegal, so why aren’t spammers who indulge in these and other fraudulent methods going to jail? Network admins like Lucas say it’s impossible to trace the original spammer back through hijacked computers to other Internet locations that have probably long been abandoned. And at overworked law-enforcement computer-crime divisions, e-mail fraud takes a back seat to kiddie porn and identity-theft cases. New York Attorney General Eliot Spitzer arrested Buffalo-based spammer Howard Carmack earlier this year on charges of opening EarthLink accounts with stolen credit cards (the case is pending). But that’s the only well-known example of an e-mail fraudster taking a perp walk.
Private action against spammers, both in and out of the courtroom, has not been effective either. For the past five years Detroit-based Alan Ralsky, 58, has used e-mail to pitch diet pills, hair tonic and other sundries, working mostly off networks based in China. Anti-spam vigilante groups constantly try to persuade those networks to kick him off, but when they do, he simply transfers operations to another Chinese company. Last week an exhausted Ralsky spent 70 hours over four days doing just that. “The chess game is on,” he says, nursing a bad cold.
Verizon tried to stop Ralsky for good in 2001, suing him in Virginia for $37 million for twice paralyzing its network with junk e-mail. Last year, after mounting legal bills on both sides, the parties agreed to settle the case; Ralsky paid an undisclosed sum and agreed only to stop spamming Verizon customers–leaving him free to resume what he calls “the best business in the world.” Other civil suits have led to large fines, but spammers often don’t pay the penalties and survive with operations intact. ISPs are still committed to the courtroom, though, and continue to file suits in pursuit of big judgments that will scare bulk e-mailers out of the business.
Legislation: Another possible solution is a new federal get-tough-on-spam law. The problem here is that not everyone buzzing around Capitol Hill agrees on what spam is. Companies like Microsoft think honest firms should be able to openly advertise to anyone who has used their products in the past. “I don’t think you can put that in the same bucket with outright fraudulent, criminal behavior perpetrated through spam,” says Microsoft attorney Tim Cranton. Through organizations like the Direct Marketing Association, Microsoft and other businesses have lobbied against more stringent measures that would allow individual PC owners to sue bulk e-mailers, and would limit spammers from sending messages to anyone who did not deliberately sign on to receive them.
The result of those lobbying efforts is a bill called the CAN-Spam Act, which recently passed the Senate 97-0, and is awaiting a vote in the House. It would enforce certain etiquette (e-mailers must be truthful in subject lines and honor remove requests) and lay the groundwork for the creation of a Do Not Spam list similar to the Do Not Call list. It would also allow ISPs, states and the Federal Trade Commission (but not individuals) to sue spammers.
Almost everyone involved with the spam debate admits CAN-Spam will do little. After voting for the bill, Sen. John McCain said “the odds of defeating spam by legislation are extremely low, but that doesn’t mean we should stand idly by.” Anti-spam activist Steve Linford of Spamhaus.org worries that the law lays too much responsibility on the doorstep of the strained FTC and that the volume of commercial e-mail will actually increase when big companies boot up their own ad messages after the government blesses commercial e-mail. “CAN-Spam basically says ‘You can spam’,” Linford says.
New approaches: The best way to solve the intractable problem may be changing the very architecture of e-mail itself. Internet-standard-setting bodies are looking at ways of revising the code for delivering mail so ISPs can check whether incoming e-mail is faking its origin. But those changes would take years to trickle down into every network around the world. In the shorter term, “challenge/response” systems offer some relief; they let users send direct messages only to people who have the sender in their address books. When you e-mail a stranger, the system sends back a puzzle that only a human, not an automated spam program, can solve; give the correct response, and the e-mail goes through. Another system, dubbed micropayments, would charge a tiny amount for each e-mail sent and would add up to large sums only for bulk e-mailers. These solutions conflict with the original open and free-of-charge spirit of the Internet, but ultimately they’re among the few reliable ways to foil out-of-control spammers and fraudsters. The bathwater might be gone, but in an age of ever-increasing junk-mail volumes, the greater challenge is to save the baby.
title: “Soaking In Spam” ShowToc: true date: “2022-12-15” author: “Marie Roberts”
Although Richter practices a reviled occupation on the Net, he says he never makes false claims in his ads and that there’s nothing wrong with unsolicited bulk commercial e-mail messages, or spam. He’s also confident that bulk e-mailers are immune from new laws and lawsuits. “We can set up in another country within an hour,” he says. “There are people in other countries who would love to sell us bandwidth.”
Richter’s insouciance and general visibility–his phone number is posted on his Web site–suggests an unpleasant fact about the eternal cat-and-mouse game that the Internet’s spam war has become: the nefarious mouse is winning, and it’s not even a close race. In the past two years spam has congested the Internet, threatened to overwhelm Internet service providers and sent Web surfers of sensitive disposition scampering away from their computers in embarrassment. Spam is now approaching 60 percent of all e-mail, according to the research firm Gartner Group. Ferris Research says spam puts a $9 billion annual drag on productivity.
The forces who say they hate spam–politicians, tech companies, beleaguered e-mail users and anti-spam vigilantes who spend their own time and money trying to clean up the Net–haven’t managed to make a dent in the problem. Current approaches aren’t working; even though home users and many companies started filtering their e-mail two years ago, the overall amount of junk mail has ballooned exponentially. Filtering and antivirus companies always seem one step behind the rapidly evolving methods of clever spammers. And most individual lawsuits against spammers have been defeated, settled or concluded with penalties unpaid and bulk e-mailing operations open for business.
Can anything be done? Reports from the front lines of the spam war show how traditional anti-spam tools are outmatched and suggest some promising solutions.
Filtering: Even when spam never finds its way to individual e-mail accounts, it creates havoc for Internet companies. Servers at AOL and Microsoft sag under the weight of a billion blocked spam messages each day; smaller ISPs that get fewer messages suffer even more. Barry Shein is the founder of The World, a small Internet service in New England. One day last week Shein arrived early at work to spend three hours personally sifting through his jammed e-mail servers and deleting thousands of messages his filters caught. With so many flagrantly illegal spam techniques, Shein wonders why no one is slapping handcuffs on spammers. “Imagine being dragged out in front of your house and beaten every day in front of your neighbors, and the police won’t respond to it,” he says. “That’s what this feels like.”
Using e-mail filtering tools helps companies and individual users block spam, but it’s not perfect. CipherTrust, an Atlanta, Georgia-based anti-spam firm, makes software that hunts for specific words, blocks the addresses of repeat offenders and analyzes message headers for telltale spam signs. CipherTrust engineer Steve Davis reviews the dozens of unwanted messages sent to his own protected e-mail account that morning. Messages promoting work-from-home schemes (“Attention Moms!”) and junior-college programs (“Degree Programs That Fit Your Life!”) get successfully blocked.
But another message, masquerading as an important upgrade from Microsoft and carrying a virus, gets through the CipherTrust filter. The message is similar to a legitimate customer-service message, was not sent by any known spammer and doesn’t fit any known pattern. In other words, an ingenious spammer somewhere in the world knows exactly what filters look for and has found a new way to evade them. “We are trying to hit a target that is coming at us from all directions and moving at the speed of the Internet,” Davis says.
The virus that made it through represents a new and deleterious kind of spam: it seeks to turn a PC into an unwitting bulk e-mail generator that remotely does the spammer’s bidding. In the past few weeks more and more of these so-called spam zombies have been turning up.
Prosecution and legislation: The European Union has banned e-mail marketing without prior consent, and an anti-spam bill is making its way through the U.S. Congress. But many experts doubt these measures will have much of an impact. Even zombie attackers are avoiding capture because it’s so difficult to trace the origin of spam back through hijacked computers and abandoned Internet locations. And at overworked law-enforcement computer-crime divisions, e-mail fraud takes a back seat to kiddie porn and identity-theft cases.
New approaches: The best way to solve the problem may be changing the very architecture of e-mail itself. Internet-standard-setting bodies are looking at ways of revising the code for delivering mail so ISPs can check whether incoming e-mail is faking its origin. But those changes would take years to trickle down into every network around the world. In the shorter term, “challenge/response” systems let users send direct messages only to people who have the sender in their address books. When you e-mail a stranger, the system sends back a puzzle that only a human, not an automated spam program, can solve; give the correct response, and the e-mail goes through. Another system, dubbed micropayments, would charge a tiny amount for each e-mail sent, and would add up to large sums only for bulk e-mailers. These solutions may conflict with the original spirit of the Internet, but they’re among the few reliable ways to foil spammers and fraudsters. The bathwater might be gone, but in an age of ever increasing junk-mail volumes, the greater challenge is to save the baby.