Spam attack

• Can the spam

By David Streitfeld
Los Angeles Times

Suspect spam fraud? In some cases, spam is a scam. If you suspect a message is an attempt to defraud, forward a copy, including the message header, to the FBI's Internet Fraud Complaint Center: www.ifccfbi.gov.

"I was the pioneer," Thuerk says with quiet pride. "I saw a new way of doing things."

Billions of messages a day touting cheap mortgages, sexual enhancement pills, quasi-fraudulent business opportunities and pornography of a startling rawness are sad proof that he was on to something.

On May 3, 1978, Thuerk sent out the first spam over the network of government and university computers known as the ARPAnet. A marketing manager for Digital Equipment Corp., he wanted to publicize open houses in Los Angeles and San Mateo, Calif., where the company's latest computers would be unveiled.

Several thousand people were on the ARPAnet then, most of them computer scientists. Thuerk wanted to send all 600 ARPAnet members on the West Coast an e-mail invitation.

That's when he had his illumination. "It's too much work to send everyone an e-mail," he decided. "So we'll send one e-mail to everyone."

A quarter-century later, the ARPAnet has become the Internet, and e-mail in-boxes are being choked by Thuerk's spiritual descendants.

In January, more than half of the e-mail arriving at the world's biggest Internet provider, America Online, was spam. By March it was more than 70 percent. Now it's well above 80 percent, or more than 2.5 billion pieces of spam a day. Other e-mail services cite similar statistics. Yahoo says it is handling five times more spam than a year ago.

The companies trap much of this spam in filters before it ever gets to members. But more than enough gets through to annoy, distress and outrage.

Between the beleaguered public and swamped Internet companies, a crisis has been declared. Politicians are readying spam bills at the state and national levels. Microsoft, AOL and Yahoo, usually fierce competitors, are banding together to explore remedies. Meanwhile, technologists are exploring structural changes to e-mail that will stop spam without destroying the integrity of the Net.

All of these entities came together at the beginning of this month for a three-day workshop at the Federal Trade Commission in Washington. No consensus was reached on anything except the fact that the problem was getting worse minute by minute.

"Finding a solution here is like putting socks on an octopus," FTC Commissioner Mozelle Thompson said during a break in the proceedings. "There are too many moving parts. But the clear message is that doing nothing is not acceptable. We're approaching a tipping point where consumer confidence is beginning to erode."

Any solution, Thompson and others said, must be not only effective but easy to implement. If the average person confronts too many hurdles, he or she will abandon e-mail and perhaps draw back from the Net itself.

"If we can't solve this problem for Middle America, then the Internet will be a place only for the technologically sophisticated or those most accepting of risk," Thompson warned.

E-mail inventor not immune

Even the guy who invented e-mail is oppressed by spam.

"I get about 20 to 30, probably as many as 50, pieces a day," says Ray Tomlinson, who sent a message from one computer to another in 1971.

That first e-mail was such a low-key moment that Tomlinson remembers neither the exact date nor the content of the message, which he sent to himself. But his invention was soon taken up by the computer scientists who developed the ARPAnet network, started in 1969 by the Advanced Research Projects Agency of the Department of Defense.

Tomlinson never anticipated spam. "This was a system for communication among colleagues, and your colleagues weren't about to bother you with stuff like spam," he says.

Not until Thuerk came along, at least.

'A clear and flagrant abuse'

The first spam was brief and straightforward. To emphasize the urgency of the matter, Thuerk (pronounced "Turk") wrote in all-capital letters — a flourish adopted by many later spammers.

Since the ARPAnet was built and maintained by the government, it wasn't supposed to be used for personal messages or advertisements. Still, Thuerk figured it was worth the risk.

He was right. He got some angry mail ("This was a clear and flagrant abuse," ran one typical response). He was reprimanded by the ARPAnet administrators and told not to do it again. But as advertising, it worked.

During the next three years, Digital Equipment sold more than 20 of the new systems, at about $1 million each. Thuerk gives a lot of credit to the open houses, which were the only ones the company held.

Thuerk's e-mail was a key moment in the history of the Internet, although that didn't become clear until much later.

"Unlike Pandora, Thuerk hadn't been warned about how much ill was contained in the box he opened," says Internet entrepreneur Brad Templeton, who was the first to track Thuerk down and interview him for an online history of spam. "Indeed, the discipline he got probably stopped spam from blooming for some years to come. But the online community made the mistake of feeling that a temporarily effective punishment was enough."

Just as the Internet was becoming popular with the masses, that error would come home to roost.

Spammers keep low profile

It's an article of faith in the spam-fighting world that the most spam and the worst spam is being sent by a limited number of people — maybe as few as 150.

"To paraphrase Churchill, never have so few done so much to annoy so many," says Jon Praed, a lawyer who is suing several spammers on behalf of AOL. "People view spam as infinite. That's part of what is so frustrating. But spammers are like Revolutionary War soldiers, making the British think they're fighting an army of 5,000 when it's really only five guys."

No one ever admits to being a spammer, partly because it would open them up to prosecution, but also because such a public admission might get them punched, or worse.

"Every day of the week, everywhere I go, I get called a spammer," says Scott Richter, the president of OptInRealBig.com. According to its Web site, the Westminster, Colo., company sends out 100 million e-mails a day.

Richter is on the Register of Known Spam Operations run by the anti-spam group Spamhaus. To qualify for the directory, a company has to have been banned by Internet service providers for spamming at least three times.

Keep addresses private

Just as people learned not to publish their phone numbers for fear of telemarketers, they're realizing they will be spammed if they post their e-mail addresses on Internet discussion groups and bulletin boards.

The FTC recently established that spammers' ability to harvest e-mail addresses on the Web were even more effective than they realized. In one experiment, a newly created AOL account was used to post a message in a religious chat room. Twenty-one minutes later, the address received its first spam — a graphic advertisement for a porn site.

In another test, an e-mail address was never posted anywhere, but hidden on the agency's home page. In seven months, the address received 5,150 spam messages.

The obvious moral: To avoid spam, keep your address as private as possible. The result is that an open system, where just about anyone in the world connected to a computer could communicate with anyone else, is suddenly becoming much more guarded.

"The walls have been raised," said Daryl Pitts, a Santa Monica, Calif., video-game developer who uses a new e-mail address every time he subscribes to something on the Web. Once the spam starts coming in, he shuts the address off. He has done it dozens of times in the past year.

The downside is it's much harder for people to reach him.

"People can't just walk into my life like in the good old days," Pitts said. "I have to invite them in. Our easygoing utopia, where there were no borders and no police, is gone."

Pioneer has no regrets

For all those plagued by spam, it might be comforting to think that the guy who started it has apologized, or maybe just that he feels guilty. Pandora unleashed a world of trouble, but at least she said she was sorry.

Not Gary Thuerk. Digital Equipment was bought by Compaq, which was in turn bought by Hewlett-Packard. He still works there. His office mates have all sorts of nicknames for him — the Spam Man, Father of Spam. They joke that he should enter the witness protection program. They joke that he has given jobs to hundreds or thousands of people.

"It's a very lighthearted thing," Thuerk says in his amiable way. "We're having a lot of fun with it." He has some Spam recipes tacked up to his wall, a can of the stuff on the desk.

Thuerk doesn't cruise the Net. He doesn't buy online. He doesn't visit chat rooms. He's not worried about long-lost friends not being able to find his e-mail address.

He doesn't, in other words, use the Net the way millions of others do. As a result, his in-box remains pure. "I don't get much spam," Thuerk says. "Maybe one or two a day. It's not a big nuisance."

Can the spam

Some unsolicited commercial e-mail probably is unavoidable, but it's possible to keep volume at a manageable level. Among the recommendations by the Federal Trade Commission, consumer groups and Internet service providers:

• Limit your primary e-mail address to friends and family. Use a second address when visiting chat rooms or message groups. This address will unavoidably collect a lot of spam. When it becomes too much, dispose of the address and start again.
• An alternative approach is to leave your real address on message groups but disguise it in a way that will fool spammers' address-collecting programs but not people who might want to contact you. The most frequent disguise is the addition of the words "no spam," so your address would read "janedoe@nospam.isp.com." Experts are now suggesting something a little more creative would be even better.
• Keep your address off any public Internet directory, including your service provider's. Directories are a favorite address source for spammers.
• Most ISPs let you restrict accounts so they receive only from screened "safe" addresses. This is particularly useful for children's accounts.
• Spammers often send their mail through "dictionary attacks," where they first try "doe@isp.com," then "jdoe@isp.com," then "johndoe@isp.com" and so on, through hundreds of thousands of possible permutations. When choosing a new e-mail address, resist the urge to make it as simple as possible and instead mix numbers into the letters, like 7jdo1e@isp.com. While this admittedly will be harder to remember, it is less likely to attract spam.
• Whenever you're asked to surrender an e-mail address at a Web site, uncheck any box that gives the site permission to sell your name.
• Many spam messages have links that you can click on to remove yourself from the mailing list. Some argue that clicking on these links will indeed reduce spam, while others say it will only prove to the scammers you have a working e-mail address that they can then sell to other spammers. Until there's a definite answer to this question, it's best to proceed cautiously.
• With many e-mail programs, it's possible to disable the function that allows e-mail to come through with images. This greatly reduces the offensiveness of porn spam.
• For the more technically sophisticated, it is possible to buy many types of anti-spam programs that can be installed on your home computer. Reviews of these filters are mixed; none has won universal raves.
• Don't respond to spam, no matter how enticing it seems. Spammers have one goal: to get money from you. Anything that sounds too good to be true probably is. In a recent FTC investigation, 90 percent of business opportunity and investment spam contained likely false claims.
• Let your Internet provider or, at work, your information technology department, know that you're plagued by spam. While they're all too aware of what's going on, additional feedback can only help.