The Honolulu Advertiser
Posted on: Sunday, March 16, 2003

Spam keeps on proliferating — and getting more costly

By Jonathan Krim
Washington Post

WASHINGTON — The flood of unsolicited messages sent over the Internet is growing so fast that spam may soon account for half of all U.S. e-mail traffic, making it not only a hair-pulling annoyance but also an increasing drain on corporate budgets and possibly a threat to the continued usefulness of the most successful tool of the computer age.

Photo caption: Paul Judge leads the Anti-Spam Research Group, which seeks to curb the unsolicited-e-mail epidemic. (Associated Press)

Spam continues to defy most legal and technical efforts to stamp it out. The surge has spurred calls for national legislation, but deep divisions remain regarding what constitutes spam and how best to regulate it. In the meantime, spammers, Internet providers, company network administrators and anti-spam vigilantes are locked in a ferocious electronic arms race.

Many spammers have become so adept at masking their tracks that they are rarely found. They are so technologically sophisticated that they adjust their systems on the fly to counter special filters and other barriers thrown up against them. They can even electronically commandeer unprotected computers, turning them into spam-launching weapons of mass production.

"The spammers are evil folks," said Matt Korn, America Online Inc.'s vice president for network operations. "As hard as we're working, they are working 24 hours a day. That's the level to which this battle has escalated."

Roughly 40 percent of all e-mail traffic in the United States is spam, up from 8 percent in late 2001 and nearly doubling in the past six months, according to Brightmail Inc., a major vendor of anti-spam software. By the end of this year, industry experts predict, fully half of all e-mail will be unsolicited. (About 40 percent of U.S. Postal Service mail is business marketing.)

Many companies with legitimate products rely on the ability to reach millions of existing and potential customers through e-mail, and they argue that their solicitations are not spam. But of the total volume of unsolicited mail pouring into e-mail boxes, much is pornographic, comes from scam artists or contains viruses.

"We're seeing a slow degradation of the medium," said Jason Catlett, a computer scientist and founder of Junkbusters Corp., an anti-spam and privacy advocacy group. "Many people don't get on the Internet or abandon it because they don't like the trash that they see."

Get a grip on it

Experts say that despite the rise in the volume of unsolicited e-mail, there are things you can do to keep it under control.

• Don't click the "unsubscribe" link. In a perfect world, you should be able to automatically get taken off an e-mail list by unsubscribing in this way. But spammers have co-opted the system and use the unsubscribe link to confirm you have an active e-mail account. They then sell your name to other spammers. Better to just delete the e-mail.

• Use a long e-mail name. The longer your e-mail handle, with letters and numbers included, the lower the chance that a computer-generated e-mail name will match yours. Spammers use software to generate thousands of e-mail names in the hopes that they will match existing accounts.

• Have multiple accounts. By using separate accounts for e-commerce and personal use, you decrease the chances that your personal address will get spammed.

• Avoid chat rooms and Web-based discussion groups. Spammers are constantly harvesting the Internet for new addresses. They do so by using software to search Web pages for names. Online chat rooms and news groups are easy targets.

• Limit how often your e-mail address appears on any Web page. This may be difficult, or undesirable, for many business people.

• Avoid online contests and surveys. These are another prime vehicle for spammers to gather e-mail names.

• Check out new filtering software. Technology is evolving, and many creative solutions are being introduced by Internet providers and other firms.

— Washington Post

According to Ferris Research Inc., a San Francisco consulting group, spam will cost U.S. organizations more than $10 billion this year. The figure includes lost productivity and the additional equipment, software and manpower needed to combat the problem.

Robert Mahowald, research manager for IDC, said his firm estimates that for a company with 14,000 employees, the annual cost to fight spam is $245,000. And, he said, "there's no end in sight."

One of the battle lines in the war against spam is inside an unmarked building in northern Virginia, where a bank of computer screens tracks the volume of e-mail pouring into the system used by America Online's 35 million subscribers.

On a recent afternoon, an unexpected spike suggested the work of spammers using one of their favorite new weapons, the "dictionary" attack.

With special software, spammers can generate millions of e-mails using combinations of letters and numbers, such as JaneH79, placed in front of the @aol.com portion of the address. Enough are generated that many match real e-mail accounts.

That's when Charles Stiles and an anti-spam team take over. They work in a separate backroom because some of the Web sites they need to examine to track down owners are so sexually explicit that colleagues might find the workplace offensive.

The group first determines whether AOL's spam filters, which block 1 billion messages a day, need to be adjusted. Meanwhile, a large monitor displays the code for the network address of the computer that sent the suspected spam. The address is automatically cross-checked against a list of registered owners.

But there is an immediate problem: Some of the addresses show up on the display as "unknown." Many others are obvious fakes, making it difficult to track down the senders to get them to stop, or to sue them if they don't.

Similar scenarios play out every day at every Internet provider, from giants such as AOL, Microsoft Corp. and EarthLink Inc. to tiny firms that serve a few thousand customers. And in general, the efforts are about as effective as plugging a water-main break with chewing gum.

Although there are anti-spam laws in 26 states, the direct-marketing industry and some Internet retailers have successfully lobbied Congress against a federal law.

That posture has softened as the volume of spam — and complaints from irate businesses and home-computer users — has skyrocketed. Marketers now say that while they prefer technological solutions, a national law would be helpful and more effective than a patchwork of state regulations that vary in strength and approach.

Microsoft, AOL, Verizon Communications Inc., EarthLink and other Internet providers also are aggressively pushing for national legislation.

But prospects for getting a law passed are unclear. Industry and many anti-spam activists are divided over how to combat the problem, and even on how spam should be defined.

Marketers of legitimate products worry that their messages are getting lost in the din, threatening a thriving business.

These companies want any law to distinguish their ability to distribute such e-mail from messages that have deceptive subject lines, commit fraud or are designed to thwart detection of the sender so they cannot be stopped on demand.

"We want to make sure we can get to who the bad guys are," said Louis Mastria, spokesman for the powerful Direct Marketing Association. "Accountability is paramount."

But anti-spam activists argue that any piece of unsolicited commercial e-mail sent in bulk is spam, even if it comes from "legitimate" businesses.

"Spam is postage-due marketing," Catlett said. "It's obvious to every Internet user that if every company out there can send them junk whenever they feel like it until they're told to stop, junk e-mail will overrun them."

What worries spam opponents most is what happens if legitimate marketers step up their e-mailings to try to rise above the clutter.

"There are 24 million small businesses in the country. If just 1 percent of those got hold of your e-mail address, and each of them sent you one e-mail a year, that's 657 messages in your inbox every day. And that's just small businesses," said John Mozena, a founder of the Coalition Against Unsolicited Commercial Email.

Mozena, Catlett and others argue that only an outright ban on unsolicited commercial e-mail will make a dent in the volume of spam, as happened when junk faxes were banned in 1991.

The practical effect of such a ban would be an "opt-in" system, in which companies would have to wait for consumers to request commercial e-mail before it could be sent. This was the system adopted by the European Union last year.

Marketers and most Internet providers oppose requiring opt-in, preferring the "opt-out" system that most firms use. In opt-out, a consumer's approval to receive solicitations via e-mail is assumed unless he or she requests otherwise.