
Spammers target IM accounts

As new applications take up instant messaging to deliver junk messages, some people worry that chat services will see the deluge that has long flooded e-mail in-boxes.

Paul Festa Staff Writer, CNET News.com
Growing incidents of spam attacks on some instant messaging networks are raising vexing questions about the future of one of the fastest-growing applications on the Internet.

Unsolicited commercial appeals on instant messenger are still uncommon, but they are becoming prevalent enough that some IM fans worry their networks are vulnerable to the seemingly unstoppable marketing deluge that has long flooded e-mail in-boxes.

None of the major IM providers interviewed for this story would talk about their spam problems in detail. But consumers and spam experts said the phenomenon is growing, with no silver bullet in sight.

"The spam problem is horrible," said Donna Hartfiel, a three-year user of AOL Time Warner's ICQ instant messenger and a self-described homemaker and PC geek. She said numerous complaints and countermeasures have so far failed to damper the flow.

"I get between 10 and 30 spams each day, mostly to porn sites," Hartfiel said. "Some are very graphic (sexually explicit) messages."

Spam schemes are not new to instant chat. Visitors to AOL Time Warner's proprietary chat rooms can expect their e-mail in-box and computer screen to quickly crowd with unsolicited messages. Last year, peer-to-peer networks were scrutinized as potential vehicles for unsolicited commercial pitches via instant messenger.

But at least two new applications illustrate a surge in the trend toward technologically sophisticated junk IM that could touch off the same sort of escalating arms race that's been under way for years in the realm of e-mail.

MassMess, launched two months ago by a 22-year-old St. Petersburg State University graduate and two friends, claims to have unleashed more than 10 million unsolicited commercial messages on Yahoo Messenger users.

Meanwhile, a steady barrage of spam on ICQ is popularly credited to a $99 shareware application, called ICQ Interest Search (ICQIS), sold on several different Web sites.

"IM spam seems to be in its beginnings," said Jason Catlett, president of Junkbusters, an anti-spam organization, and a visiting fellow at the Kennedy School of Government at Harvard University. "I've got a bad feeling about it because it looks a lot like junk e-mail did in '95."

Other spam-watchers concurred that junk IM is a nascent but growing menace.

"I think it's very early days for IM spam," said David Ferris, an analyst with Ferris Research in San Francisco. "It will get much worse."

IM vulnerable
Spammers have long considered e-mail their preferred medium for a variety of reasons. It costs little or nothing to produce. Its processes are easily automated, and despite a growing array of defenses aimed at shutting it out, delivery is all but guaranteed.

Instant messenger may be just as susceptible to marketing come-ons, according to spam watchers. They say it offers sufficient convenience and vulnerability to raise the specter of a major new front in the spam war.

In addition, the popularity of instant chat has made IM services and their millions of users prime targets. According to research firm Jupiter Media Metrix, Yahoo Messenger had 17.8 million unique U.S. users in January 2002, up 57 percent from the previous year. Other services including MSN Messenger and AOL Instant Messenger also have been growing. ICQ Messenger was the only major service to register a decrease in users, according to Jupiter, falling to 8.4 million users last January from 9 million users in January 2001.

Instant messaging and e-mail are distinguished primarily by IM's ability to detect whether someone else is online, a quality known as "presence."

When people log onto an IM service, their user ID and IP (Internet Protocol) addresses--a unique string of numbers that identifies someone's computer on the Internet--are captured by a central server. This server essentially shares the information with everyone, allowing people to know who is online and to trade messages in real time. Messages are generally passed between IM users through a direct, client-to-client connection.

E-mail messages, by contrast, are generally passed from a client to a server and subsequently downloaded to another client at the other end of the line. Along the way, e-mail may pass through any number of servers.

In theory, instant messaging offers the potential for stricter monitoring of abuse, since spammers currently must subscribe to the same service as their victims. IM services also typically offer a host of filtering options that can restrict messages to lists of pre-approved members, making it harder to pass through unsolicited messages.

But IM spammers have found workarounds for at least some of these countermeasures, essentially mimicking widely used e-mail spam techniques such as address "spoofing." Messages from MassMess, for example, appear to originate from the recipients themselves, making it harder to find and shut down the sender. ICQIS, meanwhile, uses anonymous servers to conceal the real source of its messages.

In another trend that may provide new opportunities for IM spammers, the back-end differences that have so far served to distinguish e-mail and instant messaging are steadily falling away.

IM services such as Yahoo and ICQ now allow people to send messages to recipients even when they are offline, much like e-mail. The promise of interoperability between competing IM services could level the differences even further, introducing more server-to-server communication alongside the primary client-to-client connections.

"It shouldn't be harder in theory to spam over IM than e-mail," said Alex Diamandis, vice president of marketing for wireless IM start-up Odigo.

From Russia, with spam
Several programmers are putting that thesis to the test, with mixed results so far.

MassMess, a tiny mass-messaging firm based in Kupchino, Russia, has successfully targeted ICQ and Yahoo Messenger users with an onslaught of commercial pitches.

Advertising products and services ranging from pornography to casinos to financial schemes, MassMess charges $100 for a 300,000-message campaign (its most popular seller), and $300 for 1 million messages.

For $650, customers can buy their own messaging utility, complete with a million-strong database of active users, and for $300 the company sells contact names that customers can use to create their own databases. The company culls its Yahoo IDs from chat rooms and Yahoo directories, among other sources.

In an IM discussion, conducted under the pseudonym Elton Goston, an individual claiming credit as a MassMess founder said the company has pulled in several dozen paying customers so far.

But Goston said the company has faced setbacks as well, having switched its primary target to Yahoo after ICQ engineers figured out how to shut down MassMess's access. AOL Time Warner acknowledged that it had disabled MassMess from connecting to ICQ users, but the company declined to say how.

Goston--whose primary Yahoo Messenger account was disabled after CNET News.com queried the company about MassMess--said his experiences so far have led him to the conclusion that instant messaging may have inherent advantages at blocking the efforts of mass marketers over the long haul.

"Some day it will be very hard to send messages in bulk," Goston wrote, adding that Yahoo will act "not too fast, but someday it will definitely. Then we'll switch to e-mailing or whatever, maybe opt-in mailings. We've got some ideas."

Yahoo would not comment directly on MassMess except to say that the service was apparently in violation of Yahoo's terms of service. The portal added that it could take action against individual spammers by shutting down their accounts.

ICQ spam war
Although ICQ may have succeeded in deterring MassMess, spammers are lining up to zing the service with messages via ICQIS.

ICQIS.com, registered to Ibragimov Ruslan in an undisclosed Russian location, has been unplugged. Ruslan did not respond to e-mailed queries.

But existing copies of the site describe the tool in terms that make its purpose clear.

"This tool allows you to send messages to thousands of online ICQ users," reads one copy. "Target audience may be filtered by their interest, country, city, occupation, age, gender, language. The best application for instant business--site--promotion. Messages are sending absolutely anonymously, hiding your real IP address."

The tool has won raves from some of its corporate users.

"I like the program so much, I am going to recommend it to all my friends seeking the same results I have gotten in the last 24 hours," according to one testimonial posted on the ICQIS Web site. "Your program has delivered as promised. It's simple and straight forward...From my point of view, this program is the best thing that ever happened to a new designer of Internet pages."

Longtime ICQ users are less enthusiastic about ICQIS and have taken to the service's message boards to complain about the spam onslaught.

AOL Time Warner said it has taken steps to counter IM spam, pointing to its ICQ anti-spam guidelines.

Hartfiel, part of a group organizing to stem ICQ's spam glut, said the service had been responsive to tips she's sent in reporting the availability of ICQIS software; those pages have been pulled offline.

But she said that ICQ's anti-spam tips have not proven practical. The most effective solution--to disallow people not on the ICQ user's buddy list to contact him or her--cuts out too much of the service's functionality, she complained.

Part of the problem may be that AOL Time Warner publishes the service's application programming interfaces in an attempt to encourage developers to build programs that interact with ICQ. While that may help software developers create applications that increase the service's popularity, it may also have the opposite effect by lending that same helping hand to spam toolmakers.

Analysts said IM spam likely will be difficult to stamp out, especially as it takes root among overseas operators.

MassMess "reminds me of (Sanford Wallace firm) Cyber Promotions establishing itself as a spam factory, which took about two years of litigation to shut down," said Junkbusters' Catlett. "And that was in Pennsylvania. This thing may be a difficult junk factory to stop."