Want CNET to notify you of price drops and the latest stories?

Companies taking desperate steps against spam

Spam isn't new to the Net, but its alarming rise is challenging companies more than ever. And in some cases, the measures companies are taking are creating international controversy.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Stefanie Olsen
9 min read
Up to their necks
Spam flood forces companies to take desperate measures

By Stefanie Olsen
Staff Writer, CNET News.com
March 21, 2002, 4:00 a.m. PT

Chris Lewis walks a tightrope every day as leader of a spam-eradication team at a major telecommunications company.

He is the guardian of roughly 45,000 employees' e-mail in-boxes, protecting against unsolicited commercial messages that are nearly doubling in number every five months--and costing an estimated $1 per piece in lost productivity. But perhaps just as important is Lewis' ability to field the bad mail without discarding the good, such as potential business leads.

Spam plumps up "Everyone in a large company is afraid to lose business, and e-mail is sacrosanct," said Lewis, whose unofficial title is "spam issues architect." "If you implement (a spam filter) that drops one piece of e-mail, it is a huge mistake. At this time, in our economy, we have to be as anal retentive as possible."

Spam is as old as the mainstream Internet itself, but its alarming rise is challenging companies more than ever. In the past six months, the volume of junk mail sent online more than doubled, according to spam filter company Brightmail. Internet researcher Jupiter Media Metrix estimates that consumers will receive about 206 billion junk e-mailings in 2006--an average of 1,400 per person, compared with about 700 per person this year.

The pace is driving companies to take desperate measures that in some cases are creating international controversy. Some American business owners, systems administrators and Internet service providers are banning all unknown e-mail from entire regions of Asia, where they believe unregulated servers are being used to relay much of the spam traffic that both originates and ends up in the United States.

The size of the Web-borne epidemic was cast in sharp relief last month when e-mail systems were paralyzed at AT&T WorldNet for more than a day, one of the first known instances of junk mail shutting down a major ISP. That deluge was believed to have been part of a denial-of-service attack. But the ballooning rate of everyday spam is making it all the more difficult to fend off sporadic assaults. This is guerrilla warfare...There's just more spam, and spammers are getting smarter.

About 20 percent of incoming messages to AT&T WorldNet are junk e-mail, nearly double the number from the previous year, spokeswoman Janet Wyles said. The spam count reaches 50 percent at some ISPs.

"This is guerrilla warfare...There's just more spam, and spammers are getting smarter," Wyles said.

Cheap and easy
The amount of junk is increasing partly because e-mail marketing is seen as the cheapest and easiest way to reach potential customers. For about $150, anyone can buy a CD-ROM on the Net with instructions on how to use spam as a path to potential riches that costs next to nothing compared with the printing and postage expenses of paper mail.

To make it even more economical, many spammers siphon bandwidth and resources from insecure mail servers, or open relays, set up overseas.

Most U.S. and European mail servers are configured to route only those messages addressed specifically to customers, as ISPs fear that security risks and other problems could result from relaying messages for any third A view from the Bloc, Brightmail's spam fighters party. So spammers have taken to using insecure servers in other parts of the world--particularly in Asia--to relay, by some estimates, as much as 70 percent of junk e-mail in the United States.

"That's a real boon for spammers, because they need someone to get the mail out," said Steve Linford, who maintains a London-based blacklist of mass e-mailers called the Spamhaus Block List. "Literally hundreds of thousands of these servers are around China, configured on a wing and a prayer."

As a result, many ISPs are blocking the entire Internet address ranges designated for China and other Asian countries. The practice recently became a diplomatic issue, leading the Chinese parliament to issue a statement rebuking such wholesale blockades based on geographic boundaries.

Nevertheless, junk mailers are crafting new ways around such blocking methods. According to Brightmail, more spammers are masking their origins by hacking into high-speed Internet cable lines to send mail through customers' dynamic IP (Internet Protocol) addresses. These temporary addresses are assigned to computers only for a specified amount of time. ISPs are often unable to trace the sender because it requires enormous resources to investigate vaporous connections throughout the network.

Spammers are also increasingly forging mail headers, a tactic known as spoofing, to make e-mail appear to come from legitimate sources. U.S. corporations including Bank of America, eBay and Wells Fargo have fallen victim to junk mailers taking free rides on their names.

Corporate headaches getting worse
Brightmail, which provides filters to several major ISPs including AT&T WorldNet, has doubled its number of enterprise customers in the past six

Gartner analyst Joyce Graff says the answer to the spam problem transcends international borders and will take action by government, businesses and Internet service providers.

see commentary

months because of corporate headaches with spam. The San Francisco-based company plans to expand its all-hours spam-fighting crew of five, known as the Bloc. The team studies sources of commercial bulk mail by seeding the Internet with decoy addresses. It then creates new rules for filters based on content and headers contained within spam.

Spamhaus, the Mail Abuse Prevention System (MAPS) and about 30 other blacklists ban IP addresses or whole ISPs that are used to shepherd spam. Any company or individual can subscribe to such lists for recipes to block known spammers.

In the past, signing on with such blocking lists was thought too risky for many corporations because banned marketers or hosts could include major ISPs such as Sprint, which are used to send legitimate e-mail that could be valuable to business. But against today's growing levels of spam, companies are finding they have little choice.

Jill Vanhove, director of enterprise network services at Silicon Graphics, said she subscribed to MAPS's Realtime Blackhole List and began other filtering tactics in the past year. The adoption of blocking lists and filters is really a reaction to an increase of volume of spam and complaints we're seeing.

"It's really a reaction to an increase of volume of spam and complaints we're seeing," she said. "We're also looking at tools to combat spam from our sponsored newsgroups."

Still, these grassroots efforts are only of limited help when fighting an exponential rise in junk traffic. Even after taking the anti-spam measures at SGI, Vanhove said she has seen the amount of incoming junk mail nearly triple in the last four months.

Many companies and anti-spam groups have appealed for help from government agencies such as the U.S. Federal Trade Commission, which recently opened a full-scale assault on deceptive marketers. In the last month, the FTC said it settled six cases against alleged con artists using e-mail to disseminate scams.

"The federal government (isn't) in a position to cure the problem, but I do think that law enforcement actions will help deter people from spamming once they realize what they're getting into," said Jennifer Mandigo, a staff attorney at the FTC who is in charge of spam issues.

The call for regulation
For now, regulators are hampered by the absence of federal legislation and a hodgepodge of nearly two-dozen state laws that critics say allow too many loopholes. For example, California law requires marketers to place the letters "ADV" in the subject line, signifying an advertisement, but some include a variation such as "A.D.V." or "a d v" to circumvent filters.

Spamhaus' Linford advocates federal legislation requiring industry standards such as a banner on every mail server that warns against sending unsolicited commercial material. The law would make it illegal for a marketer to trespass beyond the sign.

Others are turning to self-regulation among companies, pinning hopes on such organizations as Truste and ePrivacy Group, which launched a Trusted Sender program last month. Using encryption, Truste plans to provide approval seals to companies that meet certain standards, such as an existing customer relationship, before they send commercial e-mail.

"This is a really big first step," said Fran Maier, executive director at Truste, which will release a test version of the tool next month. "With time, we hope that your e-mail client will help filter by the Trusted Sender seal." The federal government (isn't) in a position to cure the problem, but I do think that law enforcement actions will help deter people from spamming once they realize what they're getting into.

Civil libertarian Sonia Arrison, of the Pacific Research Institute, advocates a system in which people wishing to send a message to someone they don't know must pay to have it delivered.

It would be "kind of like with paper mail; we still get a lot of junk, but not nearly the same if it were free," she said.

All of these solutions, real or proposed, carry inherent drawbacks. Many of those based on technology, such as Arrison's idea, would depend on redesigning the Internet's global e-mail architecture. Other measures are either unrealistically laborious or simply bad for business.

Spam fighters such as Lewis and his five-man team employ a wide range of tactics to fend off junk, including homemade blacklists, pattern matching, and software to ban certain content, addresses and headers. Lewis said he's been able to cut down on a large amount of spam in the past year by removing numerous e-mail aliases for employees.

But it's slow going. For every piece of mail that takes seconds to delete, there are always those that require hours in security investigations--which is how Lewis arrived at his estimate that each piece of junk mail costs his company $1.

And even as he hunts down countless offending missives, Lewis remains under equally intense pressure to keep his systems open to communication from potential partners and customers. His company refused to install spam filters until the Melissa virus forced it to take such precautionary measures, and Lewis still will not block all e-mail from China, because of business relations.

"I'd love to turn off China. But unlike some of the other people in the anti-spam community, I have to be very conservative," Lewis said. "It's a delicate balancing act for our filters because if I make a mistake, it could cost business." 

Early spam capades

Next month will be the eighth anniversary of the notorious spam attack on Usenet by Laurence Canter and Martha Siegel, immigration lawyers who were among the first spammers on the Internet--and arguably the most reviled. The duo blanketed thousands of the Net's oldest discussion groups, known as newsgroups, with messages touting a "Green Card Lottery."

The postings incited outrage in the newsgroup community, at the time comprising more than 6,500 groups on topics ranging from C+ programming to medieval English literature. Distaste for the relatively new practice prompted tens of thousands of people globally to clog the in-box of Canter and Siegel's company with hate mail. The crush of e-mail caused the company's Internet service provider to buckle, and Canter and Siegel were forced to sign on with another ISP. Despite the backlash, they claimed no remorse and sought to advertise their services again.

"Some people believed that spamming was acceptable, a way of making money by stealing resources from others," said longtime spam fighter Chris Lewis, reflecting on the incident. "What it did in Usenet is it galvanized the opposition."

Though the pair were wading into unregulated waters, the Web community viewed their actions as a huge breach of good taste. More broadly, the incident brought on a sense of queasiness among the grassroots Web community that the Net was morphing into a commercial engine. People started to question how long they could maintain newsgroups as "pure" forums for discussion, and marketers called on free-speech laws to support such practices.

But the newsgroup community eventually prevailed, stopping further spamming by the pair--a feat that e-mail providers find impossible on today's Internet byways.

In 1997, Canter, who co-wrote a book called "How to Make a Fortune on the Information Highway," was disbarred from practicing law by a court in Tennessee, where he stood charged with breaching consumers' privacy for posting unsolicited ads to newsgroups and mailing lists.

Usenet took the opportunity to build a wall around its community. Newsgroup administrators and others developed anti-junk tactics to rid the network of commercial messages. In a practice known as de-spamming, administrators used software to remove Canter and Siegel's postings from all machines on the network. People in Usenet came up with an objective system to determine whether a party crossed the line to abuse newsgroups for their own gain. An item was labeled spam, and removed, if more than 20 articles of the same content were posted in a 40-day period. The tactics are still in effect today.

Still, newsgroups contain spam. Although much of the "Big 8" newsgroup hierarchy--.rec or .comp--is filled with valuable material, purists believe groups such as .alt are spam cesspools.

"Looking back, I'm quite pleased with the outcome," Lewis said. "Usenet spammers don't have much success now. But unfortunately this doesn't work for e-mail."

Related news

Spammers target IM accounts

Savoring spam: A true story

Free speech or campaign spam?

FTC prepares to bust spammers

Net surfers set out to squelch spam

Anti-spam fight falls to the states

More news from around the Web

The Nigerian e-mail hoax
SF Gate 
Utah's biggest hurdle in restricting spam may be enforcing laws
The Salt Lake Tribune 
China sweet, sour on spam
Wired News 
Defunct Industry Standard magazine lives on in spam
'Spammed' resumes now online nuisance
The Washington Post

Editors: Mike Yamamoto, Evan Hansen, Julie Laing, Jennifer Balderama
Design: Ellen Ng
Production: Mike Markovich