Out, Out, Damned Spam

Junk e-mail accounts for roughly half of all network traffic. Here are five ways to beat it back

It was May, 1978. Lauren Weinstein was among those developing an early version of the Internet when an e-mail popped into his box. It was the first spam ever -- a pitch from Digital Equipment Corp. sent, literally, to everyone on the fledgling Net. "People thought it was a little bit annoying but sort of amusing," Weinstein says.

It's not amusing anymore. Junk e-mail accounted for an estimated 49% of network traffic in June, according to Brightmail Inc., a San Francisco manufacturer of anti-spam software. These days, spam attacks Weinstein's computer every two seconds. And the Internet pioneer, founder of the Privacy Forum in Woodland Hills, Calif., is trying to save the revolutionary communications medium he had a hand in creating 25 years ago. The open architecture that made the Internet a transformative technology also has spawned the rapidly growing junk e-mail menace. "It never occurred to us that the tools we were developing for ourselves in this highly trusted environment would ever end up in the hands of the world's population," he says.

As anger at spam has increased, so have efforts to stop it. A confusing thicket of lawsuits, state and federal legislation, industry initiatives, filtering software tools, and spam-blocking companies has emerged to deal with the threat. While Congress weighs nine anti-spam bills, 34 states have enacted junk e-mail laws. Frustrated companies such as America Online, UPS, and Microsoft are hauling spammers to court.

Some of these moves are good ideas; some are bad. None of them, on their own, can eliminate spam. But a combined legal and technological attack could go a long way toward turning the scourge of spam into an occasional nuisance. Here's how to do it:


The first step is beefing up laws against spam. Rules against snake-oil sales pitches, get-rich schemes, and other types of fraudulent come-ons already are on the books. Federal legislation sponsored by Senators Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.) would go further and raise the standards for spammers by requiring them to describe their messages accurately in their subject headers, use real return addresses, and include working opt-out links.

That's a good idea, but it does little to slow spam. A more effective way to do that would be to let people choose whether they want to receive it. Both Japan and the European Union have passed tough "opt-in" laws that require commercial bulk e-mailers to receive permission from consumers before sending them unsolicited messages. Because of the power of the direct-marketing lobby, as well as constitutional free speech concerns, this approach is a nonstarter in the United States. But a Do-Not-Spam registry, modeled after the one that was recently created to block telemarketers, would run into fewer such problems. It would enable consumers to opt out of receiving unsolicited e-mail simply by logging on to a centralized Web site.

Nobody expects a Do-Not-Spam registry to be a panacea. Dishonest businesspeople would continue to hide their identities and flout the law. Only responsible bulk e-mailers -- bona fide, law-abiding companies -- would follow the rules. How big is this group? Little hard data exist, but an April study by Australia's National Office for the Information Economy found that 18% of spam comes from blue-chip corporations.


Once new laws are on the books, they must be enforced. Internet service providers and the Federal Trade Commission have hauled dozens of spammers into court since the late '90s. Every big case so far has brought a penalty. On July 21, the FTC settled with a California teen who faked return addresses on e-mails that he dangled as bait to lure consumers to legitimate-looking business Web sites. There, they were duped into giving up credit-card numbers.

Such policing is important and will have to be stepped up. But it is inherently limited. Prosecuting the small-time operators in the U.S. isn't likely to rise to the top of the docket for state and federal law enforcers with limited budgets. And using courts to crack down on bulk e-mailers is like playing whack-a-mole: knock one down and another pops up.

One solution: Give users the right to sue spammers directly and set minimum statutory damages of, say, $100 per offending message -- just as was successfully done in the 1991 law against junk faxers. This "right of private action," proposed by Senator Charles E. Schumer (D-N.Y.) and others, would torment spammers with a hailstorm of private claims. Of course, Third World violators would be tough to reach. But litigators say many bulk e-mailers are domestically based, and advocacy groups such as the Spamhaus Project already do a good job of tracking down the biggest offenders. "Only when you distribute the enforcement broadly enough will it put enough fear into spammers' hearts to make them stop," says John Mozena, vice-president of the Coalition Against Unsolicited Commercial Email, a consumer-advocacy group.


To discourage spammers from moving offshore, the White House needs to take the lead in harmonizing international law and beefing up global enforcement. The 30-nation Organization for Economic Cooperation & Development is working on the problem, but the Asia-Pacific Economic Cooperation forum is a vital player and needs to be at the table. The good news is that other countries are also working on this issue. EU commissioners will visit Washington in August to lobby Congress to strengthen our laws. State regulation, on the other hand, isn't working. While well-intentioned, these measures create a patchwork legal regime that increases corporate compliance costs.


In the Net's infancy, peer pressure deterred spam, with improprieties drawing immediate social rebuke. But the online population boom upended that cozy virtual village. "Like in any large city, some people are going to engage in unlawful behavior," says Charles D. Curran, AOL's assistant general counsel.

Cyberspace needs a new code of conduct, and it's up to industry to help write it. Internet mail protocols -- the technical rules that govern how messages are transmitted -- need revamping. Designed when the Net was small, they allow spammers to cover their tracks by forging headers, faking domain names, and bouncing e-mails off servers across the globe. New norms can be imposed by grafting changes onto Net protocols. Microsoft, Yahoo! (YHOO ) AOL, and others are studying ways to build a so-called trusted-sender system that would give priority to known or identified e-mailers. Think of it as an exclusive gated community that would be almost spam-free.

Here's how it would work: Spammers make their mail look legitimate by faking domain names. But it's much harder to forge a domain's IP address -- the individual computer identifier that tells where an e-mail originated. Under trusted-sender rules, recipients' servers wouldn't accept mail unless they verified that the message originated from a valid domain, and the sender's IP address matched the number associated with the domain. If they want to be trusted senders, large e-mailers such as ISPs, corporations, and institutions would provide their IP addresses to a central registry. Fraudulent spammers would be zapped by the receiving server.


Even with more cops and more spam-free zones, some bulk e-mailers will find ways to sneak their pitches into in-boxes. So consumers and companies will have to take the offensive.

The best professional filters, such as Brightmail, can block 95% of spam. At FrontBridge Technologies Inc., a San Francisco-area Internet-security company, computers check incoming e-mail against 10,000 criteria used to define spam; 500 of those rules are rejiggered every day, depending on what spammers are up to at the moment. Because teams of human "spam analysts" keep tabs on the trash bin, big filtering systems rarely lose a real message amid the junk. When the San Diego law firm of Gray Cary Ware & Freidenrich installed a FrontBridge filter in December, "My greatest fear was that some critical client would get their e-mail rejected," says Chief Technology Officer Don P. Jaycox. But after six months, "The false-positive rate is almost immeasurable."

Good filtering is expensive. But assuming that Gray Cary's 420 lawyers each spent 15 minutes a day deleting spam, Jaycox figures the firm was losing $186,000 in billable hours every month. In that light, the $100,000 a year the firm spends to stop spam seems reasonable.

Effective filtering for the masses is a bigger challenge. A community of spam vigilantes constantly is improving free programs such as SpamAssassin. And AOL and Microsoft are rolling out adaptable programs that "learn" how to define spam based on what people delete. The newest filters also protect against beacons -- signals that let spammers know when a spam has been opened by a live user. And some computer users are compiling "white lists," which allow e-mail from known senders to go into a premium in-box. But these consumer-level filters depend on technology alone. Without a living, breathing safeguard, chances are good that a filter will occasionally zap the wrong e-mail.

That's why many people will have to surf smart. By now, most computer users know that replying to most spam only generates more spam. Such smarts can go a long way toward eliminating junk e-mail. People who don't take action will suffer. Indeed, the recent flooding of many in-boxes is a sign that spammers are having to work harder. As e-mail filters get smarter, and as laws and lawsuits multiply, junk mail is harder to deliver. To maintain their already thin margins, spammers are upping their output, jamming more junk mail into the fewer in-boxes that remain vulnerable. "It increases the pain for the rest of us," Mozena says.

In the end, spam's greatest vulnerability is its economics: It costs very little to send out millions of e-mails, and nothing to send out a million more. Making junk e-mail even marginally more expensive for senders -- by suing spammers, levying fines, or making it harder for it to find an audience -- can be enough to tip the scales. Such efforts won't make spam extinct. But they can kill the majority of it -- and hopefully turn spam back into a tolerable, perhaps even amusing, annoyance.

By Lorraine Woellert, with Stephen H. Wildstrom, in Washington

— With assistance by Stephen H Wildstrom

    Before it's here, it's on the Bloomberg Terminal.