From outside the e-mail inbox, it might appear that the war against spam has reached a stalemate. Sure, the average computer user still gets a dozen or more unsolicited messages a day. But increasingly vigilant spam filters are sending a sizeable portion of that junk mail straight into "bulk" e-mail folders, if not the garbage. For many, spam has become an unavoidable, yet acceptable, nuisance. It's delivered, it's deleted, and digital life goes on.
Behind the scenes, though, the fight to keep e-mail clear of clutter is escalating. And the spam-fighting forces aren't always winning. Just ask Spamhaus, the anti-spam firm that maintains a blacklist of companies it considers spammers. The Britain-based company on Sept. 14 was ordered by an Illinois court to pay $11.7 million to U.S.-based e360insight, which said it suffered damages as a result of being included on the Spamhaus list. Spamhaus refuses to pay the penalty, insisting the court has no jurisdiction over it.
The ruling came close on the heels of a report by Panda Software saying 21% of all e-mail received by companies is spam. And the senders are getting more sophisticated and menacing in how they package mail, joining up with criminal organizations to defraud computer users of passwords and financial information, and even arguing for the right to send mass mailings in court.
PLAYING FOR KEEPS. Israeli anti-spam service Blue Security in May closed its doors after a Russian spammer nicknamed "Pharmamaster" used an army of virus-infected zombie computers to send enough spam to shut down the company's site. In the process, Pharmamaster overloaded the server hosting Blue Security, knocking out millions of blogs on LiveJournal and TypePad in the process.
Tactics like that are taking hold. Roughly 183 billion spam messages were sent each day in 2006, according to The Radicati Group, a technology and market research firm. Of those, 59% successfully landed in inboxes. If current trends continue, 465 billion unsolicited mass e-mails will be sent in 2010. Of those, 55% will make it into inboxes, the group says.
Those e-mails take a big financial toll, says Sara Radicati, the group's president and CEO. Radicati estimates that, worldwide, $198 billion will be spent in 2007 to keep inboxes from becoming overloaded with unsolicited messages. That's nearly 10 times the $20.5 billion spent combating spam in 2003, when the company first released its estimates. Much of the total will go to anti-spam filters, extra server space and network infrastructure, and IT customer-service hours.
RESOURCES DIVERTED. In 2007, an average company will spend $257 per e-mail account on combating spam, says Radicati. That's up from $49 in 2003. "We are seriously spending money and effort to keep spam in check," she says. "There's no solution to stop it. It's very, very difficult."
Time Warner's (TWX) AOL concurs. The Internet company doesn't keep exact figures on its spam costs, but Charles Stiles, AOL's postmaster, acknowledges "a lot of resources" are going into filtering spam from members' accounts. Of the 4.5 billion messages AOL processes per day, between 75% and 80% are blocked as spam. In 2005, the company blocked 556 billion e-mails as spam—up from 500 billion in 2003.
What's more, users are spending larger amounts of time and money to keep unsolicited e-mail in check. The network strains can affect the overall price of Internet connections, because ISPs must deal with the added network traffic. Spam filters or security systems that come with spam blockers typically cost between $20 and $40 a year. The filters help, sometimes blocking as much as 80% of spam, but they don't nix it all.
WORST OF THE WORST. That's unfortunate, since the spam that makes it past defenses has become increasingly virulent. Stiles says he's seeing more blatant fraud attempts in unsolicited messages. "I think what we see now are people that are really very criminal in their activities," says Stiles. "What they're sending isn't advertisements for inexpensive goods. They're trying to steal people's information, they're trying to get into their bank accounts and do a lot of damage" (see BusinessWeek.com, 4/03/06, "Phisher Kings Court Your Trust").
Mass mailers are continually upping the ante to fool filters into delivering their messages. They have begun delivering spam to the comment sections of blogs, obscuring advertising messages with "chaff text" from novels and other sources to trick both filters and computer users into opening messages, and putting text into picture format to pass by filters without Optical Character Recognition Technology.
Phishing sites don't even need to fool computer users into giving out their passwords to compromise their security, says Stiles. Sometimes, just responding to the spam is enough to trigger downloads of key logging programs that can record and forward bank passwords and other information to the spammer.
PHISHING PHRENZY. Roughly 8% of unsolicited e-mails are phishing scams, 4% are fraudulent, and 27% are illicit advertising, according to Radicati. The ad number echoes results by the National Cyber Security Alliance Online Safety Study that found one in four computer users is hit by a phishing attempt each month.
Michael Denning, a vice-president at VeriSign (VRSN), says his company has seen an increasing amount of such phishing e-mails over the past six years. As the general manager of VeriSign's Digital Brand Management Services, he now educates companies about the kind of damage such spam can have for their brands, and what they can do to stop it. "I really see [phishing spam] as a growing problem," Denning says. "I think it has paralleled the growth of the Internet. As a higher-value commerce comes online, you are going to see more fraud. I don't see the trend decreasing."
And it won't, as long as consumers turn a blind eye to spam, says John Mozena, co-founder of the Coalition Against Unsolicited Commercial E-mail. The general apathetic attitude toward spam may encourage spammers, he says. "From the overall point of view, the spammers are winning because people more and more seem to have accepted spam as a fact of life," he says. "There was a time when people were pretty angry about spam. Now, a lot of people seem to have given up the fight."
DOES REGULATION HELP? Indeed, anti-spamming legislation has made its way onto the books and is having some impact. On Sept. 14, the Federal Trade Commission announced it had shut down four spamming operations for violating provisions of the 2004 federal CAN-SPAM Act, which requires bulk e-mails to be marked as advertising and to have an opt-out method, among other things. As part of the settlement, spammer Cleverlink Trading and its partners will surrender $400,000 to the FTC.
Radicati's Sara Radicati is unconvinced that tighter legislation is the answer. "The legislation hasn't worked," she says. "Only the companies that make money from the spam filters are the winners."
Mozena disagrees. He believes a public outcry to outlaw spam on a federal level and allowing spam victims to seek large damages in court could sufficiently deter U.S. spammers (see BusinessWeek.com, 4/20/06, "Europe Catching Up to U.S. in Spam"). Given that the U.S. is responsible for the biggest chunk of spam worldwide, that would be a pretty good start.