U.S. NEWS, Apr. 28, 2003

Money & Business 4/28/03
That damn spam
Unsolicited E-mail has become the bane of many corporations

By David Lagesse

Carl Shivers pulled a late-nighter last week. Not to finish up a report or polish a next-day presentation, but to baby-sit a new $40,000 computer system. It was designed to weed out spam, the commercial trash of the Internet, which threatens to overwhelm his Arkansas employer, Aristotle Inc., a small Internet service provider. Shivers watched nervously into the night as the system was buffeted with thousands of unsolicited E-mails, many of them from the usual suspects: unseemly pornographers, purveyors of the secrets to enlarging body parts, and the supposed relatives of various dead Nigerian dictators, promising a windfall.

By the next day, Shivers was breathing a little easier as the new system appeared stable while automatically detecting and blocking spam. "I feel like I've got my head barely above water again," he says.

It's a widespread anxiety. A minor nuisance just a few years ago, spam has mushroomed into a menace that some say could cripple the Internet. Reliable numbers are hard to get. Spam now accounts for anywhere from 20 percent to 70 percent of all E-mail. Whatever the percentage, anyone with an E-mail address knows spam is increasing--and increasingly annoying. Add in the time workers waste repeatedly hitting the delete key--most spend at least 10 minutes a day doing so--and the nation's annual cost is about $10 billion, according to one oft-quoted estimate. Spam is a postage-due form of marketing, with the tab falling on the recipient. It costs little to the sender, who can buy 150 million E-mail addresses for perhaps $100, and it costs only a few dollars more to blast a message to all of them.

Take that. "Spam is a scourge that benefits almost no one," says David Baker, vice president for legal and public policy for EarthLink, the nation's third-largest Internet service provider. Overwhelmed with spam, ISPs are lashing out. EarthLink has more than 100 lawsuits pending against spammers; America Online sued more than a dozen in the past week alone. Antispam activists are also lobbying Congress to ban unsolicited E-mail, much as it did with unwanted faxes in the early 1990s. The Federal Trade Commission, meanwhile, is convening a forum next week, the first gathering under a federal umbrella of all sides in the spam debate.

It's a debate because, unlike Internet viruses, spam is not so black and white. Civil libertarians worry that throttling spam will choke free speech, while filters and "blacklists," usually the Internet addresses of spammers that corporations and ISPs refer to and then cue software to obstruct, already make it more difficult for legitimate marketers to reach customers. "ISPs are overreacting," says William Park, chairman of Digital Impact, an E-mail marketing company whose clients include Hewlett-Packard and the Gap.

Online marketers say up to 15 percent of legitimate solicitations, such as those to customers or others who welcome sales pitches, get ditched. Blacklists come under particular criticism because their lists sometimes also tarnish nonspammers. The blacklist operators don't like to say which words in an E-mail trigger ire (they don't want to tip off spammers), and it can take days for a legitimate company to get off such a list.

The issue's complexity is clear in the torment of another Internet provider, Alexis Rosen, CEO of New York City's Panix.com. He rails against spam, which eats up 12 percent to 15 percent of his gross revenues to pay for antispam systems, people to run them, and customer service reps to handle spam-related complaints. At the same time, he opposes potential remedies like forcing E-mail senders to identify themselves, which antispam activists say is crucial to stemming the tide. "Anonymous speech is an essential part of democracy," Rosen says.

It's easy to disguise the origins of a message. Anyone can change the "From" field of an E-mail to mask an identity; sophisticated spammers further cover their tracks by bouncing messages through the servers of companies that are good citizens, if sloppy about computer security. Engineers are looking at reworking the Internet's plumbing to counter spam, but those changes could take years to implement, even if they get past free-speech concerns. Likewise for any legislative remedy.

So the burden falls on Internet providers, whether ISPs for consumers or corporations for employees. Surprisingly, most company networks don't have antispam software yet, as the problem at the workplace escalated dramatically only in the past year. In their search for valid E-mail addresses, spammers began "harvesting" company directories by sending E-mails to randomly generated letters in front of domains (such as jsmith @xyzcompany.com). Messages that don't bounce back indicate valid names, which are sold to other spammers.

Tricky. Meantime, the spammers constantly change their wording to fool early, text-based filters. The FTC sued last week to shut down a Web site it said was using deceptive subject lines such as "wanna hear a joke" when messages actually contained embedded images of nude women. Adult-oriented messages have increased dramatically in the past year, making ordinary citizens uncomfortable, parents enraged, and companies open to charges of hostile work environments. Attorneys now warn companies they may need to prove they've tried to block porn if a disgusted employee decides to sue.

One result of the spam onslaught is a rush to create software to combat it, much as network administrators raced to protect themselves against viruses several years ago. More than 40 companies, mostly small, now sell antispam tools, which range from simple text filters to multilayered packages that calculate the probability a message is unwanted and check blacklists and even white lists, through which a company would accept all E-mail from certain domains. Big security vendors also are releasing their first significant fixes. Symantec, for example, last month introduced a suite of antispam software for network administrators. "Everybody wants to get into the game," says Maurene Caplan Grey of market researcher Gartner.

Like viruses, which remain a danger but whose ravages have receded dramatically from the days of "Melissa" and "ILOVEYOU," spam will be solved, analysts say. Grey says corporate networks could get over the hump by the middle of next year. Others say it will take somewhat longer, particularly for ISPs, which will require a combination of technology and legislation to finesse issues of access and free speech. For example, ISPs might need sophisticated software that gives users more control over which E-mails are barred. "Users at least need to know what's been filtered and why," says Cindy Cohn of the Electronic Frontier Foundation, an Internet civil liberties group. EarthLink agrees and is readying a tool that puts a message on hold until the sender proves he or she is not a spammer's software robot by replying to an EarthLink-generated query. Or recipients can see which missives are quarantined, freeing the ones they choose.

So figure three years, maybe five, for controlling spam as a whole, says Marten Nelson of Ferris Research. Eventually, so much will get blocked that Nelson predicts spammers won't get a return on even their small investments: "Antispam vendors will win the arms race."