Anti-Spammers Get Serious

AOL's latest lawsuits join new efforts in Washington and technological attempts to stop the scourge, which is growing costlier every month

By Alex Salkever

America Online is mad as hell and isn't going to take it anymore. On Apr. 15, the country's biggest Internet service provider (ISP) announced a round of five lawsuits against notorious spammers. The suits seek at least $10 million in civil damages and court orders to halt the junk-mail barrage. AOL (AOL) has also sent out over 100 cease-and-desist letters to alleged spammers. On the technology side, it has upgraded its spam-blocking systems to try to prevent much of the unwanted e-mail from hitting customer inboxes and gumming up AOL's servers. "Spammers take note: You can run, but you can't hide," says Randall Boe, AOL's general counsel.

This is the second round of lawsuits that AOL has filed against spammers in the past two years. And it's just one of a handful of anti-spam efforts coalescing this spring. On Apr. 11, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.) reintroduced the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography & Marketing) Act. The bill mandates stiff financial penalties and heavy jail time for anyone who spams using invalid or fake e-mail addresses.

Even the staid professional body that sets technology standards for the Internet is getting involved. In March, the Internet Engineering Task Force (IETF) started an anti-spam working group. This brain trust of spam-fighting notables will recommend ways that ISPs and other operators of key Internet infrastructure can reduce junk traffic. At the same time an increasing number of ISPs and big companies are adopting anti-spam technologies to help their employees evade the never-ending barrage.


Behind the multipronged attack is the growing realization that spam is now not just a nuisance but also a major unwanted cost. What's more, spam may well be on the brink of making e-mail nearly unusable.

According to CEO Enrique Salem of BrightMail, one of the largest anti-spam service providers, his company processed 55 billion messages in March, 2003. Salem says that in 2001, when BrightMail launched, about 8% of the messages it processed were spam. In January, 2001, that tally hit 41%, meaning 4 out of every 10 messages traveling over the Internet early this year were probably spam.

But wait. Salem says by March, the percentage had hit 45%. Using that math, with spam increasing at 2% per month, by yearend 63% of all messages on the Net will be spam.


That's probably a very low estimate, as Salem and others attest that spam growth is accelerating noticeably each month. For the most popular targets -- big ISPs such as AOL, Yahoo! (YHOO) and Hotmail -- well over half of all the messages they process are already spam.

Add this up, and it's clear that soon spam will represent more than 90% of all traffic on the Net. Plus, the mere cost of processing it will dwarf the cost of moving valid e-mail. These costs will come in extra equipment required to handle the onslaught, extra employee hours to manage it, and extra efforts by lawyers to sue known spammers. According to messaging consultancy Ferris Research, spam will cost U.S. corporations $10 billion in 2003.

Witness the situation at Broadway Net, a small Manhattan ISP with 3,000 customers. It spent $3,000 last month to purchase a new mail server largely due to traffic increases fueled by spam overload. Mail administrators at Broadway Net estimate that they spend two hours per week dealing with spam on average and far more when bad things happen, such as the weekend a spam outfit hosed Broadway's servers with 77 megabytes of traffic (the usual level over a weekend is 4 megabytes). Most of the mail had a bogus address in front of the valid Broadway Net suffix. Mail addressed to nonexistent e-mail accounts within the Broadway Net domain winds up in the postmaster's inbox. As a result, the mail administrator spent many hours sifting through reams of unwanted spam and pulling out valid e-mails.


Broadway Net also swallows indirect costs resulting from the spam epidemic. On occasion, valid direct-marketing e-mail from real commercial customers at Broadway Net gets rated as spam. In these instances, the domain can be placed on spam blacklists. Those lists provide domains commonly used to send spam, and mail administrators who subscribe to the blacklists may choose to screen out all mail from that domain. So Broadway Net's postmaster has to contact the blacklists and get the domain removed. "I spend a lot of time dealing with this, more than I should really," says the ISP's postmaster, who chose to remain unidentified.

The proposed CAN-SPAM law should provide some limited help. It aims to levy stiff penalties against spammers operating inside the U.S. who send marketing e-mail with fake or invalid return addresses. That could help against the 50% of the major spammers who still operate within the country. Wyden spokesperson Carol Guthrie is optimistic that the bill will pass this year.

Unfortunately, spammers will likely adapt by moving their operations offshore, a trend already under way in large part due to the types of lawsuits AOL, Microsoft (MSFT), and other big ISPs have pursued. Only a few years ago, 90% of the big-time spammers operated inside the U.S.


Where laws fail, technology could to a certain degree slow the spam flow. A handful of anti-spam systems are available today. Blacklists are the crudest but are widely used by aggressive postmasters. "Whitelists" are becoming more common. That means each individual user has a list of people from whom they will accept e-mail (see BW Online, 3/13/03, "Marketers vs. Spam? Hey, It's a Start").

Whitelists work hand-in-hand with mandatory-response systems that request a second e-mail from a sender to verify they're a live person and not a bogus address concocted by spam software. Some of these systems include recognition requests that humans can easily answer but machines cannot, such as simple math equations or even sequences of rhyming words.

More advanced still are sophisticated content filters that judge whether a message is spam by looking for clear signs, such as a plethora of exclamation marks and pornographic words. But these systems struggle with simple deceptions such as inserting a period between each letter of the word sex to create something humans easily understand but content filters won't know is junk mail.
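The filter weakness described above, and one way a filter can close it, as an added example that is not part of the original article. The flagged-word list, the exclamation-mark threshold and the sample messages in the test are constructed for illustration.

```python
import re

FLAGGED_WORDS = {"sex"}   # constructed list; production filters use far larger ones
MAX_EXCLAMATIONS = 3      # assumed cut-off for "a plethora" of exclamation marks

# Three or more single letters joined by one separator each:
# "s.e.x", "s-e-x", "s e x", "s_e*x". Abbreviations such as "p.m." or
# "U.S." do not match because they end in a separator, not a letter.
SPACED_OUT = re.compile(r"\b(?:[A-Za-z][.\-_*\s]){2,}[A-Za-z]\b")


def tokens(text):
    """Lower-cased alphabetic words, the unit a keyword filter compares."""
    return re.findall(r"[a-z]+", text.lower())


def collapse_spaced_letters(text):
    """Rejoin letters split by punctuation or spaces: 's.e.x' -> 'sex'."""
    return SPACED_OUT.sub(lambda m: re.sub(r"[^A-Za-z]", "", m.group()), text)


def naive_is_spam(text):
    """Keyword and punctuation check applied to the raw message text."""
    has_flagged_word = bool(FLAGGED_WORDS.intersection(tokens(text)))
    return has_flagged_word or text.count("!") > MAX_EXCLAMATIONS


def hardened_is_spam(text):
    """Same checks, run after undoing the letter-splitting trick."""
    return naive_is_spam(collapse_spaced_letters(text))
```

The normalization step will also join a legitimate run of three or more single letters (for example "plan A B C"), so a real filter would treat a match as one scoring signal rather than a verdict.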

On the bleeding edge now is software that records a specific signature for the content of each e-mail. ISPs using the software can share the signatures over the Net, providing each other with early warning and a means of defending against mass spam mailings.


Even further out are ways to put a difficult-to-forge digital postmark on each message, allowing mail administrators to track the origins and trajectory of the message. Today this is impossible as the existing e-mail system makes it very easy to falsify a sender's identity or to take advantage of vulnerable mail servers to send millions of messages from a valid domain without notifying the owner. And while most current e-mail clients can handle digital signatures that would make forged e-mails easy to spot and eliminate, few have adopted their use.

That could change in the near future if spam gets much worse. "The missing link for spam deterrence is our inability to be able to track and locate the senders of the message," explains Paul Judge, the CTO of secure e-mail provider CipherTrust and chairman of the IETF anti-spam taskforce.

Forging that missing link should be a key priority not only for e-mail providers but for every big company that suffers increasing productivity losses due to the flood of spam. With some luck, the confluence of congressional action, serious litigation, and technological advances will provide a better means to can spam. Even better, maybe it'll serve as a wake-up call to the companies and ISPs that still think the best way to deal with this scourge is to hit the delete key hundreds of times a day.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
