1. Archive

Stemming the spam flood

At 2 a.m., the red squiggle begins to rise. Sharply.

The workers sitting in the dimly lighted room barely look up at the white screen on the wall that tracks the deluge of unwanted e-mail to millions of In boxes. They already know it's happening.

Their computer monitors are filled with e-mail meant to appeal to the lonely and insecure: Free XXX video. Debt consolidation. Breast enhancement. Viagra. Work from home. Beat cellulite.

It is the middle of the night on the West Coast, but spam attacks _ e-mail messages sent to multiple addresses often lumped together as "undisclosed recipients" _ are bubbling up from all corners of the Internet. Spam doesn't sleep.

Click and type. Cut and paste. Save. Export. That is how spam filters are created in the round-the-clock war room run by Brightmail, a company that performs filtering for Internet service providers such as Earthlink, MSN and AT&T Worldnet as well as companies trying to keep their e-mail systems unclogged.

In the war room, the steady pulse of keyboard and mouse clicks is punctuated by brief declarations.

"I got the Viagra," calls out one 20-something employee as he clicks to create a simple filter.

"I need help on the breast enhancement," announces another.

Spammers are like fruit flies. They multiply. They are elusive. Worst of all, they evolve quickly. The most aggressive spammers have become very sophisticated, constantly varying subject lines, "from" addresses and body text.

Joe Long, a war room employee, remembers when times _ and spam _ were simpler. Two years ago, he and his colleagues would sometimes be able to parry all the attacks and clear their to-do list. "That never happens now," Long said.

For in addition to becoming more sophisticated, spammers have become more prolific. These days, more and more junk e-mail is finding its way into In boxes.

Brightmail says that the volume of spam it encounters has almost tripled in the past nine months. The company adds that 12 to 15 percent of e-mail traffic is spam; a year ago, that figure was closer to 7 percent. Brightmail, which maintains a network of In boxes to attract spam, records 140,000 spam attacks a day, each potentially involving thousands, if not millions, of messages.

Statistics like these are supported by anecdotal evidence from computer users, who report that they are seeing more and more unwanted e-mail every time they log on. Hounded by spam, some computer users have simply abandoned e-mail addresses.

No one knows precisely why spamming has increased so much. One reason may be that it is an inexpensive form of marketing favored in a slumping economy. Another may be that it is relatively simple to do _ it is not much harder to send 1-million e-mail messages than it is to send one.

But some analysts say that the increase may also result, paradoxically, from the efforts to curb spam. A kind of arms race may have developed, those analysts say: The more efforts are made to block unwanted e-mail, the more messages spammers send to be sure that some will get through.

Whatever the reasons, individual complaints about e-mail are echoed by Internet service providers, some of which say that 50 percent of incoming e-mail traffic is spam.

Consumer advocates and politicians are complaining too, and they are proposing new laws to fight spam. Governmental agencies are also announcing new initiatives in the battle.

Clearly, spam is a part of electronic communications that everyone loves to hate. But it is also something that no one, it seems, can do much about.

Here are the reasons:


The Federal Trade Commission currently receives 40,000 spam complaints a day at its Web site, It has an e-mail address, ("uce" stands for "unsolicited commercial e-mail"), to which people can forward spam e-mail that they receive. To date, the FTC has collected more than 12-million such messages, which are kept in what is affectionately known as the refrigerator, a computer database in the FTC's Internet lab.

But the FTC cannot and does not regulate unsolicited commercial e-mail. There are no federal laws against spam.

Spam is a form of commercial speech. While commercial speech enjoys some protection under the First Amendment, it is also subject to regulation, but such regulation needs to be established by legislation.

So in a majority of spam cases, the FTC's hands are tied. Even pornographic spam (including that sent to children) falls outside its mandate.

"We can only do what our statute allows us to do," said Brian Huseman, who coordinates spam issues for the FTC. And that statute empowers the commission to fight fraudulent and deceptive marketing practices.

So the FTC is focusing on the spammers that fall under its jurisdiction. To date it has filed 32 spam-related fraud cases, including one against a company that sells nonexistent ".usa" domain names and another against a company that distributed programs that forced computer modems to dial international calls.

Only a fraction of spam is outright fraud; most spam e-mail is aimed at selling legitimate products. Brightmail categorizes only 4 percent of spam attacks as intentionally fraudulent.

The FTC has tried to extend its definition of "fraudulent" to encompass more than the most blatant fraud. The commission is investigating whether businesses that sell bulk e-mailing tools and lists have deceptive marketing practices. The goal is to cut off spammers' resources.

The commission also recently sent warning letters to companies that have nonworking "remove me" options at the bottom of their e-mail messages. (An FTC survey showed that 63 percent of "remove me" options either did not work or resulted in more e-mail.)

However, the FTC's definition of what constitutes fraud is very specific. For example, a false subject line ("As you requested" or "Human Resource Policy changes") or a false return address does not legally constitute fraud. The e-mail's content must be misleading in a way that affects consumers.

"Just because it's false doesn't mean it's deceptive under our statute," Huseman said.

Federal legislation

Ideally, consumer advocates want the spam equivalent of the 1991 federal Telephone Consumer Protection Act, which prohibited prerecorded telemarketing calls and junk faxes. The trade commission was also given power to enforce the legislation.

A broad antispam law has been approved in Europe. On May 30, the European Parliament passed a ban on unsolicited commercial messaging. Electronic marketing can be aimed only at consumers who have given prior consent.

In contrast, more than a dozen spam-related bills have been introduced in Congress over the past two years, and most of them have languished. Of the handful that have made progress, the most recent is the Controlling the Assault of Nonsolicited Pornography and Marketing act (a contorted title that yields the acronym Can Spam), which was unanimously approved by the Senate Commerce Committee in May. The Can Spam bill would, among other things, let the FTC impose civil fines up to $10 per unlawful message, require valid "remove me" options on commercial e-mail and authorize state attorneys general to bring lawsuits.

Now it must be voted on by the full Senate, and two other independent spam bills are moving slowly through the House of Representatives. But interest groups are lobbying to tone down the strongest aspects of spam legislation.

Those lobbyists are not spammers. They are some of the country's largest corporations and commercial associations: Citicorp, Charles Schwab, Procter & Gamble, the National Retail Federation, the Securities Industry Association and the American Insurance Association. The groups argue that many of the bills would unfairly restrict e-mail marketing and put electronic commerce at a disadvantage.

"We would like the bill narrowed so only pornographic, fraudulent and deceptive spam are targeted," said John Savercool, the vice president of federal affairs for the American Insurance Association. "We think that is where the consumer angst is."

But Sen. Conrad Burns, R-Mont., a sponsor of the Can Spam bill, says that consumer frustration goes beyond pornography and fraud. "I get enough applications for credit cards, offers to consolidate my debt and advertising for Viagra in my mailbox," he said. "I don't need it on my computer, too."


With little happening in Congress on antispam legislation, 25 state governments have taken the lead and passed a variety of spam-related laws. They range from Delaware's 1999 outright ban on unsolicited commercial e-mail to more indirect limitations. Most states ban false return e-mail addresses, require "remove me" provisions or demand labels on sex-related messages.

But laws, whether federal or state, may serve as a deterrent only when they are enforced. And enforcement of these state antispam laws is more the exception than the rule.

Despite hundreds of thousands of consumer complaints to state agencies, only Washington state has filed a lawsuit based on antispam legislation. Other states that do not have antispam laws, like New York, have sued or charged spammers by using laws on deceptive marketing and computer hacking. The cases are still pending.

Legal experts say the problems with local spam laws are manifold. First of all, most do not prohibit spam. "Even if the laws were enforced effectively, they wouldn't address most of the spam problem," said David Sorkin, a professor at the John Marshall Law School in Chicago who runs a site called "The implied message is that if you weren't lying about it, it would be okay to spam people."

Second, spam transcends state (and national) boundaries, and many of the state laws stipulate that they take effect only if a spammer can "reasonably know" that the recipient is a resident of a particular state.

Third, spammers are elusive. Lawsuits generally need to nail down a physical presence to proceed. When the FTC sent warning letters to spammers with false "remove me" options, more than 20 percent of the letters came back because the addresses registered with the domain names were false. Telemarketers are easier to identify because telemarketing is expensive, and, as a result, such companies need assets. All a spammer needs for business is a computer, an Internet connection and an inexpensive CD containing spamming software and tens of millions of e-mail addresses.

"Most of the spammers are not wealthy people," said Stephen Kline, a lawyer for the New York state attorney general's office. "It's tough if you are going after someone with very few assets to get restitution for consumers or justify the costs."

So most spam-related lawsuits have been brought by companies and individuals who are motivated more by a sense of a crusade than by the prospect of a financial reward. In March, Morrison & Foerster, a California law firm, filed a lawsuit against Etracks, an e-mail marketer, for sending e-mail to its servers. Etracks says that it works with permission-based marketing, a contention that Morrison & Foerster disputes.

Some ISPs, including CompuServe and AOL, have filed suit against spammers to prevent them from sending unsolicited e-mail to users of those services. But using lawsuits to combat spammers is like trying to catch swarming fruit flies by hand. For every one you manage to catch, there are 10 more undeterred ones pestering you.


To date, the most effective weapon against spam is technology. "Spam requires a technology solution because it is a technology problem," said Ken Schneider, chief technology officer at Brightmail.

But even technology is limited, since spam is e-mail and e-mail is designed to flow easily. Only 5 percent of businesses will be able to filter 90 percent of spam in 2002, said Joyce Graff, research director at Gartner Research.

Businesses have tried to throw up all types of defenses. Many reject mail coming from computers that are known to have been hijacked for spam. Some ISPs reject e-mail sent in bulk. That often results in the rejection of legitimate noncommercial messages sent to addresses on mailing lists.

Other technological approaches limit e-mail to preapproved senders or senders who respond with a password _ approaches that slow down the transmission of e-mail. Users can also buy personal In box protectors.

Brightmail, which has one of the most sophisticated services, says the best spammers are always a step ahead of its defense mechanism. They evade Brightmail filters by randomizing the characteristics that filters look for.

"It's very difficult to fight," said Long, the war-room worker. "You get entrenched fighting it one way, and they go put a new tool against you."

Spam may be an inescapable element of online existence.

"Is spam going to be something we will all learn to live with, like increased airline security?" asked Enrique Salem, the chief executive of Brightmail. "Or will it disappear?"

For spam to disappear, a combination of coordinated international regulatory action, aggressive enforcement, software and human oversight is needed, Salem said.

The bad news is that until that magic combination comes about, spam will continue to clog In boxes.