Paul Prentice was under siege. All through last winter and spring, the manager of security and directory services at Steelcase Inc. was frantically fighting the rising tide of spam pouring into the Grand Rapids (Mich.) office-furniture company. At the same time, he was fielding a flood of angry e-mail from executives and workers. They all begged him to get spam under control. Like many of his colleagues throughout the corporate world, Prentice hired a spam-filtering company, in his case, Postini Inc., to stem the flow.
Spam is down to a trickle in Grand Rapids these days. But what began as a campaign against junk mail has evolved into a company-wide revamp of Internet communications. The filtering system that scrutinizes each piece of mail, Prentice quickly saw, can handle lots of other jobs. Now he's broadening its mandate. The system is searching mail for competitive leaks, ferreting out inappropriate attachments such as MP3 files or porn, and even keeping an eye on personal correspondence. In short, the company is asserting much more control over employees' use of the Net. "People have already been notified that our e-mail is monitored," Prentice says.
The scourge of spam, which clogs the Internet with some 15 billion e-mail messages a day, is provoking powerful responses. It's pushing companies and individuals alike to install new tools and adopt norms for online behavior. These responses are turning cyberspace into a place with tougher rules, thicker walls, and new laws. On Nov. 25, Congress leaped into action as the Senate passed sweeping anti-spam legislation that awaits President George W. Bush's signature. While many predict that the law will leave most spammers unscathed, it marks a large and ambitious step to regulate the Internet and e-commerce.
These new laws and barricades are shaping a new stage in the short history of the Net. While in its infancy, the Internet was marked by its soaring potential, this new era is defined by limits and defenses. The last year alone has provided a sobering wake-up call. Not only has spam quadrupled but the spammers' technology and methods also have been adopted by virus writers, grifters, and thieves. Now they can deliver their poison to hundreds of millions of inboxes. Brightmail, a leading spam-blocking company, estimates that fully 13% of the spams circulating are not just advertisements, but scams. Web giants from Amazon.com to eBay Inc. are seeing spammers swipe their identities, sowing distrust among shoppers in the $3.9 trillion global e-commerce market. The result, says Aviel Rubin, director of Information Security Institute at Johns Hopkins University: "We're going to change the way we use the Internet."
Say good-bye to the unruly Internet of old. It's heading straight to obedience school, safety classes -- you name it. This is the taming of the Net. Where traditional Internet communications are unfettered, open, and chaotic, look for the next generation to be far more regulated, orderly, and closed. Mailings from work, friends, and e-tailers will plop down into separate mailboxes, and many of these addresses will be closely held secrets. Already, 70% of people online avoid giving out their e-mail addresses, according to a recent survey by the Pew Research Center.
END OF LETHARGY
For this next stage of the Net, security is quickly becoming the new growth industry. Companies that can offer safe and foolproof connections stand to rise to the top. "It's the key differentiator," says Ted Leonsis, vice-chairman of America Online. AOL and Microsoft Corp. are pouring research into state-of-the-art spam filters and child-protection guards. And financiers in Silicon Valley are stirring from their post-crash lethargy to bankroll a veritable rush of startups, each of them intent on developing the perfect fortress for customers. Sales of anti-spam software alone are expected to reach $653 million in 2003 and to double in two years, according to Radicati Group Inc., a researcher in Palo Alto, Calif. "I'd estimate that there are 1,000 businesses selling anti-spam software," says Felix Lin, CEO of Qurb Inc., a spam-fighting startup in San Mateo, Calif. About a dozen, say venture capitalists, have lined up venture funding.
Only a few of those companies are likely to land with a splash. But those that do will be contributing to a cyberworld bristling with class and privilege -- a place where insiders trade information in trusted circles while outsiders must fill in passwords and submit to iris scans. "It's a bifurcation between who you know and who you don't know," says Kevin Doerr, who heads Microsoft's 20-person spam-fighting team. The changes are akin to defenses in the physical world. With each e-mail address that's hidden, each filter installed to block intruders, the Internet's homesteader heritage fades. It's fast becoming a place with doors that lock, ringing alarms, and thousands of neighborhood-watch programs.
In fact, the whole bedrock of the cyber-terrain is shifting. It no longer matters if an online offering is cool, fun, useful, and easy-to-use if it's not secure. This has grave implications for the Internet. Think of the crucial technologies just taking shape, the powerful peer-to-peer networks linking researchers and music fans, the new wireless links circling the globe, and the massive grids hitching together the computer systems of hundreds of companies. Each of these visions is built upon unhindered communication coursing between hundreds or millions of users -- each one of them a security risk. Experts say that new systems must now be engineered with the assumption that everyone is a possible hacker or thief. "If you can't trust your neighbor, a lot of the Internet's promise goes up in smoke," says Neil Iscoe, former manager of advanced technology at tech-services giant Electronic Data Systems Inc. and now director of technology commercialization at the University of Texas.
Growing distrust also spells trouble for startups. In a world teeming with spam and viruses, such companies' outgoing e-mail is likely to be filtered, zapped, or ignored. And while a handful of companies will succeed in building trusted brands, unknowns face suspicion. Consider the case of Compu-Net Enterprises, an Internet service provider (ISP) in Paris, Tenn. When spammers appropriated, or "spoofed," the company's address earlier this year and started firing off millions of e-mails under its domain name, the big Internet companies blocked mail coming from Compu-Net. Innocent customers briefly saw their communications paralyzed. No one dares block all the mail from giant rivals such as AOL or EarthLink. "The mom-and-pop businesses get ignored," says Bill Larson, Compu-Net's network administrator.
Businesses, large and small, are rethinking how they market on the Net to cope with the gathering storm of spam. Most have given up on mass e-mailings after getting lumped in with gambling solicitations and Viagra offers. Instead, look for them to gain entry to e-mailboxes by lavishing the public with coupons and freebies. US Airways Group Inc. (UAIR ), for example, gives 1,000 frequent-flier miles to passengers who sign up for the company's promotional e-mail messages. "Our big retail clients are planning sweepstakes and promotions to build their [e-mail] lists," says Chris Henger, senior vice-president for sales and marketing at Performics, a Web consulting company in Chicago. "It separates them from the spam."
In the new, tamer Net, defense is the rallying call. And it can turn traditional Net communication on its head. Consider one of the most popular anti-spam techniques. The so-called white list accepts e-mail only from a list of approved contacts. The downside? An effective white list shuts the doors on the vast population online -- a big part of the Internet's magic -- and limits contact to a cloistered group. Pavni Diwanji, CEO of MailFrontier, a Palo Alto spam-blocking software company, predicts that the Internet population will congregate into zillions of small, gated communities. Trusted members, she says, "will be able to walk in without even ringing the door." Others will line up outside while a digital guard sifts through their documents.
EarthLink Inc., (ELNK ) the No. 3 Internet service provider in the U.S., is already building this future. Its "challenge-response" system blocks every mailing that comes from outside the user's white list. It sends a form back to the sender with a simple question to answer, or even a word to type. Human senders can handle this -- the spammers' automated computers cannot. Once the Earthlink system receives a satisfactory response, it lets the mail through. This method effectively blocks most of the spam. But like all other defenses, it comes at a cost. If the sender steps away from the computer, the message is delayed. Important automatic mailings from eBay or Expedia Inc. (IACI ) can hang in limbo. The possibility of such glitches saps confidence in e-mail. Indeed, 30% of e-mailers fret that spam filters block key messages, according to the Pew survey.
How else to sidestep the deluge? By creating alternate identities. Some 12% of AOL subscribers, according to a company survey, have established a separate e-mail account for e-commerce. The idea? Web surfers' interactions in the hurly-burly online marketplace generate a lot of spam. A second, dedicated e-address leaves the personal inbox cleaner -- but makes it harder for legitimate e-businesses to connect with customers.
In time, say analysts, many Web surfers will run a full stable of identities -- some cosseted, others fast and loose. This means one address for work, another for friends, one for e-commerce, and perhaps a hidden box for porn or gambling. Many of these accounts will be throwaways: When they draw too much spam, they're discarded.
THE NEW MATH
The focus on defense, though, spells the demise of e-mail as a tool for stirring up new business. In the early years of e-mail, unsolicited mails yielded responses topping 10%, say consultants. It was a crucial tool for startups.
Now it's hell. Last summer, Elizabeth McCarthy, vice-president for marketing at Brava LLC in Coconut Grove, Fla., planned to send out e-mail pitching the company's enhancement bras. She was confident she could set Brava apart from the countless miracle pills and sexual come-ons. She spent June designing a serious, informative online brochure. And in July, she launched a trial campaign of 20,000 mailings. The response: one solitary e-mail. A frustrated McCarthy concluded that her mailing got lost, zapped, or filtered. She pulled the plug on the campaign. "Spam killed our test," she says.
In truth, McCarthy hadn't adjusted to the new math that spammers have brought to e-mail. Sending out 20,000 ads was the cyber equivalent of knocking on two or three doors. For spammers, one in 20,000 is cause for rip-roaring celebration. That comes to 5 per 100,000, 50 per million. A spammer working that ratio could send out 10 million e-mails in a few hours and, theoretically, harvest 500 responses within days -- a veritable gold mine. Alan Ralsky, a spammer in the Detroit suburb of West Bloomfield, Mich. -- and one of the rare ones to speak publicly -- says that sheer volume of messages pays off. "Even a blind squirrel," he says, "can find a nut."
Spammers looking for a quicker payoff are retooling their spam-spewing machinery for theft. With each month, the spoofs appearing to come from eBay, Citibank, and others are becoming slicker -- and endangering confidence in e-commerce. Last spring, the early spoofs encouraged customers to enter their bank data on crude copies of company sites. They were full of misspellings and bad grammar and were topped by Web addresses unrelated to the company. These days, the fake sites are nearly perfect. They come complete with privacy logos established by the industry -- supposedly to ensure security. Worse, the spam thieves are using authentic company Web sites. They simply gather data by serving up their own forms, which appear to pop up from the company site.
These spamming thieves hop over borders with a click of the mouse. Secure Science Corp., a security startup in Los Angeles, has tracked a recent flurry of scams targeting eBay and Citibank customers. They involve computers in Delaware and Russia that stay up only for a couple of hours so that authorities don't have time to track them down. But they gather plenty of bank data. And, according to the FBI, they sell the credit-card numbers at clandestine Web sites for $1 apiece. "These sites move constantly," says Bill Murray, spokesman for the FBI's cybercrime division. "They're up for a day, and they move."
Even if they're not pushing scams, many spammers are busily adapting to all the filters and obstacles that corporations and consumers put in their path. Ralsky says he has three Lithuanian computer whizzes who devise ways to break through filters. And with the spam revenue pouring in, many of the biggest operations are beefing up their computer assets and using them to bombard the defenses. Ralsky, for one, says business is booming.
High-powered spammer programs, say experts, sidestep filters by customizing each of the tens of millions of messages they send. This can confuse filters, which are often programmed to look for certain word combinations. Spammers also unleash torrents of e-mails at anti-spam companies and consumer groups, hoping to cripple their servers with so-called denial-of-service attacks. Two groups that organized "block lists" to sideline spam, Compu-Net and Infinite Monkeys & Co., both withdrew from the battle last summer after suffering withering spam attacks. "The spammers are winning the war to control the inboxes," says Compu-Net's Larson.
Equally menacing, spammers have extended the battlefield to the entire Internet. As recently as two years ago, ISPs could block most spam by targeting the domains that were generating it. But in the past year, spammers have released viruses which turn computers around the world into mail-serving zombies. Instead of a handful of domains, the spam can come from just about anywhere. The SoBig worm launched in August, say industry experts, represented an escalation of the battle. It harnessed the contact lists of its victims and sent millions of spams to all their friends and families. "They're dismantling the defenses," says Karl Jacob, CEO of Cloudmark, a San Francisco spam-blocking company.
This is leading companies such as AT&T (T ) to create premium services. The idea? To encrypt mail and provide companies with guaranteed delivery -- a cyber answer to FedEx Corp. (FDX ) "Today's Internet is coach class," says Hossein Eslambolchi, chief technology officer at AT&T. "What we're building is first class and business class." AT&T expects to start selling a service next year that will let corporations pay a subscription fee to make sure their e-mail winds its way past security and gets safely to the intended recipients.
Betrayal. That's what pioneering computer scientists feel when they see what has happened to the Internet. They built a miraculous system with a foundation of trust, and it's being overrun by scoundrels. "It's a downgrading of the Net and its culture," says David Farber, professor of computer science at Carnegie Mellon University. "And I don't see any gangbuster alternative. That's what bothers me."
Already, scientists are working on new, improved Internet standards to make communications on the network more secure. But by the time they settle on new protocols -- late this decade at the earliest -- the rest of the world probably will already have improvised a secure Internet for these troubled times.
It sounds like grim work, focusing on fences and digital locks instead of fun and games. But if tech companies develop a host of safe and secure spam-free systems, they will bolster the Internet's position as a pillar of the global economy. Security is the missing link. If it takes the spammers and virus-pushers to ignite an effective response -- who would have guessed it? -- that clutter of obscene ads may yet prove to be good for something.
By Stephen Baker in New York