MIT Technology Review



Crippling the Attackers

That’s why anti-spam researchers are cooking up more-systematic treatments. Referring to spam as a “plague,” Mark Petrovic, vice president of R&D at Internet service provider EarthLink, notes that today’s e-mail system was designed 20 years ago for small numbers of people who already knew one another. “The possibility of sending body part enlargement ads was unheard of,” he says. Stemming the tide of spam, he says, will “require a cooperative solution to augment the basic way e-mail works.”

The most widespread of these measures is a blacklist of the sort used by Shein and other Internet service providers. Also maintained by startups such as SpamCop and NetBlocks, and by nonprofits such as CAUCE and Spamhaus, blacklists are collections of Internet Protocol addresses, domain names, and server farms that have been implicated in spewing spam; any mail originating from these tainted places will be blocked. But blacklists are imprecise: they often fail to keep pace with spammers, who constantly falsify their network locations, while sometimes blocking legitimate users. Indeed, blacklists sometimes halt e-mail from entire countries with high spam rates. E-mail originating in China and South Korea, in particular, has periodically been blocked from much of the Internet.

The inverse of the blacklist is the white list, a preauthorized address book maintained by users. An option in AOL 8.0, for instance, causes any message from senders not on the high-priority list to be discarded. This method also tends to trash e-mail you might want, though, and requires a high degree of maintenance; every time you make a new contact, you have to add a name to the white list. Aside from these drawbacks for their users, blacklists and white lists also are “wreaking havoc” on legitimate mass e-mailers, says Paul Soltoff, CEO of SendTec, a direct-marketing firm. After all, many companies (Technology Review among them) send out electronic newsletters and other promotional materials. These aren’t as obnoxious as the come-ons that most of us consider spam, and yet they are just as vulnerable to being blocked through the widespread use of blacklists and white lists.

Another drastic anti-spam measure strikes at the heart of the Internet’s culture: imposing new costs on sending e-mail. “Paying to send e-mail may be anathema to almost everybody,” says Robert Hettinga of Internet Bearer Underwriting, a startup in Boston. “But eventually, bits of money will be attached to e-mail messages.” Just as paper mail requires postage, e-mail would require e-stamps. A charge of one-tenth of a cent per e-mail, for instance, would hardly be noticeable to ordinary users but would levy a $1,000 tax on someone sending a million messages at once. Any piece of e-mail sent without an e-stamp would be automatically blocked. Others favor imposing a cost not in dollars but in the sender’s computer time. Your PC would have to solve a quick mathematical problem for each message it transmits, barely affecting senders of normal quantities of e-mail but crippling a spammer’s microprocessor. Such a “computational cost” approach is being developed at Microsoft Research and in an open-source effort called Camram (see “Making Spam Expensive,” TR April 2003).
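An added example, not taken from the article or from the Microsoft Research or Camram work it mentions: a hashcash-style stamp in Python that shows the asymmetry the "computational cost" approach relies on, where the sender searches through many hashes and the receiver checks one. The puzzle (SHA-256 with a required number of leading zero bits), the stamp layout, and the names `mint_stamp`, `verify_stamp` and `sender_cost` are assumptions, since the article does not specify the puzzle.

```python
import hashlib
import itertools

def _zero_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-256(stamp)."""
    digest = hashlib.sha256(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint_stamp(recipient: str, date: str, bits: int) -> str:
    """Sender side: brute-force a counter until the hash has `bits` leading zeros.
    Expected work is about 2**bits hashes per recipient per message."""
    for counter in itertools.count():
        stamp = f"{date}:{recipient}:{counter}"
        if _zero_bits(stamp) >= bits:
            return stamp

def verify_stamp(stamp: str, recipient: str, date: str,
                 min_bits: int, seen: set) -> bool:
    """Receiver side: a single hash plus the checks that stop stamp reuse."""
    try:
        head, _counter = stamp.rsplit(":", 1)
        s_date, s_rcpt = head.split(":", 1)
    except ValueError:
        return False                      # malformed stamp
    if s_date != date or s_rcpt != recipient:
        return False                      # minted for another day or mailbox
    if stamp in seen:
        return False                      # replay of an already-spent stamp
    if _zero_bits(stamp) < min_bits:
        return False                      # not enough work was done
    seen.add(stamp)                       # spend the stamp
    return True

def sender_cost(messages: int, bits: int) -> int:
    """Expected number of hashes a sender must compute for `messages` stamps."""
    return messages * 2 ** bits

if __name__ == "__main__":
    spent = set()
    # Constructed sample values; 16 bits keeps the demo fast.
    s = mint_stamp("alice@example.com", "2003-07-01", 16)
    print(s, verify_stamp(s, "alice@example.com", "2003-07-01", 16, spent))
    print("hashes for 1 message at 20 bits:", sender_cost(1, 20))
    print("hashes for 1,000,000 messages:  ", sender_cost(1_000_000, 20))
```

Binding the stamp to the recipient and date is what prevents one solved puzzle from being attached to a million messages; the receiver only has to remember spent stamps for the dates it still accepts.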

The World’s Shein proposes an Internet market trade association, which would be an “e-mail clearinghouse,” run by a group of e-mail providers. Such an organization would sell legitimate bulk mailers special license codes in return for royalties based on the size of the mailings they are sending. Spammers who buck the system would be tracked down and sued by clearinghouse lawyers using funds set aside from the royalty pool. “The goal is to monetize the processing of bulk e-mail,” Shein says. He derives the idea from the long-established model by which radio stations and performers pay royalties to songwriters based on the formulas of another clearinghouse: the American Society of Composers, Authors, and Publishers. Elements of such a plan are already being adopted by the big three of e-mail providers (Microsoft, Yahoo!, and AOL), who announced in April that they are banding together to develop a way of creating a white list for legitimate marketers. The group has yet to announce whether participating marketers will pay to maintain a new infrastructure, but Shein guesses that things are heading that way.

For such a plan to work, future e-mail will have to be traceable. The telephone system has survived, in part, because there have always been ways to track phone calls back to their sources and find those who abuse the network. “Filtering e-mail without being able to establish identity is essentially futile,” says EarthLink’s Petrovic. He cites the problem of spam masquerading as real e-mail. “If my wife says, ‘I’d like to spend some time with you this evening,’ I will react differently than if a stranger says the same thing. I need to know who is talking to me before I can evaluate the meaning of the message.” Indeed, Petrovic adds, the anonymity of e-mail is central to the spam phenomenon. If we cannot determine who is sending messages, all other spam-blocking measures will ultimately fail.

Establishing such traceability would require fundamental changes to the basic protocol that governs all e-mail transmission. Called the Simple Mail Transport Protocol, or SMTP, it is the 20-year-old language that virtually all e-mail software speaks in order to move messages around the Internet. If all network providers switch to an “authenticated SMTP,” as EarthLink’s Petrovic calls it, only an e-mail with a verified return address and from a valid domain name would be able to get to its desired recipient.

The Legal Front

Technology alone will never win the war. Ninety percent of spam is sent by fewer than 200 people, according to Mozena of CAUCE, the anti-spam coalition. That represents an astounding degree of concentration, but virtually everyone who fights spam for a living agrees it is roughly correct. The implication is clear: spam is a crime-fighting problem akin to the prosecution of the small number of malicious hackers who crack into networks. “These are human beings generating these messages,” Mozena says. “It’s not as if the Internet is broken. You can’t address social problems solely with technical means.” He believes that the spam plague is a criminal-justice dilemma that can be eradicated only with the active participation of legislatures and courts.

New laws, though, have yet to make much of a dent. Last year, the European Parliament passed a directive suggesting that member countries require marketers to ask permission from users before sending pitches through e-mail. So far, Austria, Denmark, Finland, Germany, Greece, Italy, and Norway have enacted such “opt-in” anti-spam legislation. But since so much spam is sent from the United States through Asia-based servers, these laws have had little effect. In 2000, the U.S. House of Representatives voted 427 to 1 to pass an anti-spam bill. But instead of including a strict opt-in provision, the bill required consumers to request the removal of their addresses from each marketer’s e-mail list. After privacy advocates denounced this “opt-out” bill as useless, it died without reaching the Senate. At least two spam bills are now alive in Congress, but there is still no consensus among lawmakers on whether the government can effectively outlaw spam, or even that it should.

In April, the Federal Trade Commission held a conference to help decide how best to approach this crisis. Brian Huseman, an FTC staff attorney, says the commission has prosecuted spammers who have sold bogus wares, failed to live up to their claims, impersonated legitimate organizations, or engaged in other deceptive practices. But since the agency is mainly charged with prosecuting fraud cases, it is powerless against spam that sells legitimate products. “There is no federal law that prohibits unsolicited commercial e-mail,” Huseman says.

Until such a law is passed, lawyers will continue to rely on precedents from similar cases, says Jon Praed of the Internet Law Group. He believes that indiscriminate mass e-mailing is “already illegal in all 50 states” based on centuries-old Common Law that prohibits unauthorized use of someone else’s property (in this case, computer networks).

Armed with this argument, AOL pursued porn spammer Jay Nelson, both before and after he and his cohorts violated the 1999 court order. Since spam cases can be prosecuted anywhere damage occurs, AOL chose its hometown district court in Alexandria, VA. In October 2002, the judge held the coconspirators in contempt and awarded AOL $6.9 million in damages and fees on top of the original $1.9 million finding, according to court documents. That figure was topped in May when EarthLink won a $16.4 million judgment against Howard Carmack, a Buffalo, NY, spammer; a week later, he was arrested on charges of identity theft. Praed says spammers cannot skirt the payments by filing bankruptcy, and that the plaintiff can “hound” the guilty parties until the money is collected, preventing them from buying houses and cars. “We need to make the spammers realize they made a mistake and to discourage others from doing it,” he says.

Detroit-based spammer Alan Ralsky, however, remains active. Instead of spending more time and money bringing Ralsky to court, Verizon last October decided to settle its case against the man that some call “the spam king.” In return for Ralsky’s paying an undisclosed sum and promising to avoid Verizon’s network, the lawsuit was dropped, leaving Ralsky firmly in business.

Furious anti-spam activists posted Ralsky’s home and e-mail addresses online, and soon he was deluged with piles of printed catalogues and junk mail. Yet he appears undeterred and continues to add to his list of 250 million e-mail addresses. According to his own statements, he is finding new ways to obscure his identity, laundering his Internet location data through servers in Romania and obscure parts of China. Spamhaus and CAUCE consider the 57-year-old Ralsky one of the top five spammers worldwide. “I’ll never quit,” he told the Detroit Free Press. “I like what I do. This is the greatest business in the world.”

The war on spam won’t be won until guys like him are somehow forced to change their minds.


Tagged: Communications
