The Fight Against Unsolicited E-mail
For Tracy LaQuey Parker, April Fool's Day 1997 was like any other day; first task after waking and joining the world was to check e-mail, to see if any new messages had dropped into her mailbox since she last checked the night before. As she checked her mailbox, though, something weird was happening. There had been 50 or so messages last night, but now there were dozens no, hundreds... thousands of messages! 5,500 messages, to be exact, and more coming every minute! What th' -- what were these?
Major shock: it took Tracy 15 minutes to think to take a close look at the mail and figure out what was going down. Examining the content of the mail and the headers, she could see that she was somehow the victim of a spam attack not directed specifically at her, but at a domain that she owns, called flowers.com. Someone had "spoofed" the return address on a piece of "spam." Translation: spam is junk e-mail (these days called "unsolicited commercial e-mail" in deference to Hormel, which hardly considers its piglet-pink potted meat product to be "junk") sent over the Internet, usually to mailing lists of thousands, sometimes over a million, recipients. "Spoofing" the return address means changing the return e-mail address in the of the message to be something other than the address where it actually originated.
Tracy LaQuey Parker
Second, the e-mail lists used by spammers are gleaned from months or years of e-mail extraction from e-mail lists and posts to Usenet discussion groups, and naturally many of the e-mail accounts no longer exist. If you send e-mail to a bogus address you get an automatic "bounce" message that tells you the account no longer exists. If a spammer sends a message to a million addresses and 1 percent of those are no longer valid, that's 10,000 bounces.
Even a first-time spammer will realize that he's going to get some hate mail, but an experience spammer knows that he (or his service provider) will have a major problem following the bounce-ing ball, ergo the spoofed return address.
Why not just use a nonexistent address, so that nobody will have to deal with the bounces and flames? Forgetting for a moment that none of this stuff simply goes away, that somebody's having to deal with it one way or another, a really really smart spammer won't spoof the return address because the administrators of Internet systems wised up and added software to check the validity of return addresses on incoming e-mail messages. If the return address is bogus, the message is also assumed to be bogus, so it's trashed. So if El Spammo uses a nonexistent return address, his messages reach nobody.
Craig Nowak, a college student trying to make some quick money, created a message for his "C.N. Enterprises" business based in San Diego, a long way from Austin. Nowak told Wired News that "The software program we used said you could just use any random name" when entering a return address. He picked flowers.com out of the air, not knowing that he'd selected an address associated with Parker, a prominent net advocate whose book, The Internet Companion, was the first drop before the deluge of user-friendly net guides. She lives in Austin, a seething hotbed of net activity, and serves on the advisory board of EFF-Austin.
And Parker was ticked off. The spam attack encroached not only on he@ nd resources, but on the time and resources of her Internet service provider, Zilker Internet Park. Zilker, operated by the Internet consulting team of John Quarterman and Smoot Carl-Mitchell, had to bring its mail system down for a half day while Carl-Mitchell cleaned up the mess resulting from the spam attack.
It seemed to Parker that this was more than a breach of netiquette -- that there must be laws covering this sort of thing -- so she posted a message to EFF-Austin's directors and advisors wondering what recourse she might have. Austin Attorney Pete Kennedy, one of the few specialists in Internet law, also a member of EFF-Austin's advisory board, agreed to talk. The result: Parker, her husband Patrick, Zilker Internet Park, the Texas Internet Providers' Association and EFF-Austin jointly filed a civil suit against C.N. Enterprises and owner Nowak for unspecified damages resulting from the incident. The suite characterizes the spam as a public and private nuisance and a fraud, referring to Texas statutes on breach of computer security and "harmful access by a computer." By using an allegedly fraudulent return address, the suit contends that the spammer accessed and used computer system resources without the owner's consent. An important point regardless of the legal issues involved: the Internet evolved as a huge cooperative of systems and users, and in this cooperative environment respect and consent are rule of law. Spammers have trashed the balance that characterized the early Internet, before the money hit the fan.
With the NSF no longer responsible for the Internet backbone, the acceptable use policy was no longer an issue. Since 1995 commercial interests have become a significant part of the Internet, where beyond advertising on the World Wide Web, commercial interests are evolving strategies for online transactions. The market is increasingly dominant in cyberspace. Markets have high ends and low ends and spammers are considered by many to be somewhere below the low end of the market -- the term "scum-sucking bottom-dweller" comes readily to mind. Over the last six months spam has become a significant issue in cyberspace as the frequency and volume of unsolicited commercials has increased exponentially. Why the increase? A couple of reasons:
- Increasing encouragement for "get rich on the Internet" schemes, which almost always involve sending tons of unsolicited e-mail messages describing your product or service, usually either porn, ponzi schemes, or (surprise!) how-to-get-rich-online-just-send-me-a-dollar messages. The C.N. Enterprises message offered information for $19.95 about private foundations offering cash grants.
- Proliferation of cheap bulk e-mail software products. These products typically allow their users to send mail to packaged lists containing thousands of addresses. Some target America Online customers. There are various strategies for acquiring e-mail lists and combining those lists into megalists, but note that these strategies don't include validation of the accuracy of the addresses. (A favorite strategy for blocking spam is to modify your e-mail address as it appears in message headers by adding a word like "no-spam," so that, if your address is stripped from message headers and added to one of the growing number of spam e-mail lists, it will be invalid. Addresses like this may have accounted for many of the bounce messages that Parker received.)
The Parker case doesn't address the issue of the existence of spam, only the irresponsible rerouting of returns. Smoot Carl-Mitchell says "I would personally have less problem with spam if they would send the mail from their own system and use legitimate return addresses, use their own computer resources and not steal resources on computers they do not own to send out their massive mailings."
Smoot notes that spammers distribute their mailings over several systems, and that "most of the massive spams would not be feasible without the use of a lot of stolen resources from many ISP mail servers. It would simply take too long to mail to that many addresses."
However, for many Internet users the problem is a daily deluge of unwanted e-mail. These folks are downright hostile to spam and open to legislation that would put a stop to it. Some of these users have formed CAUCE (the Coalition Against Unsolicited Commercial E-mail) which supports an amendment to the "junk fax" legislation in Title 47, Section 227 of the U.S. Code, which says it's unlawful to "use any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine." CAUCE supports an amendment to that legislation so that it applies to electronic mail.
The CAUCE position has occasioned a spam war: On June 1 someone sent a spam that appeared to originate with CAUCE, though CAUCE says the spam was sent "by the same person(s) who run a pro-spammer web site called the BlueList." (I couldn't find the active web site, http://www.bluelist.com, but I found it described at a site called "A Business Compass" as an "Online version of Standard & Poor's listing of more than 8,000 municipal and corporate bond offerings.")
The Federal Trade Commission is investigating spam, and for that investigation Voters' Telecommunication Watch, EFF-Austin, and EFF-Florida conducted and compiled a spam survey presented at an FTC workshop on June 12. Sanford Wallace, president of Cyberpromotions, Inc. and the self-proclaimed "King of Spam" also presented his case.
In a comment to the FTC, Jerry Berman of the Center for Democracy and Technology notes that restriction or labeling of junk e-mail involves First Amendment Issues that should be considered carefully before any legislation is passed. However, the Electronic Privacy Information Center notes that "the risks and burden are borne by the consumer. The benefit is to the business. Consumers are beginning to learn by experience that requesting subscriptions, downloads, viewing of ads, or answering questionnaires will lead to unexpected, unsolicited e-mail." This suggests that many consumers will simply restrict their online experience to avoid being added to e-mail lists, or have other private information gathered for marketing purposes (that's a whole 'nother discussion we can have another day.)
Some of the direct marketing folks argue that the solution is to allow you to opt out of a marketing e-mail list, which usually means that you get the spam, and then you get a chance to say, "Please, no more." It can also mean that you submit your name to a master list and pray for exclusion, but your prayers will only reach the spamzoids who honor that master list, and there may be multiple lists to deal with -- a needless hassle. "Opting in" is a better solution, i.e. the spammer can't send you mail without your consent in advance. But is this enforceable? And how does it work? Does the spammer send e-mail asking whether you want to receive marketing communications, or does the consumer proactively add his name to a list by, say, subscribing through a web-based form?
As Gene Crick of the Texas Internet Service Providers' Association says, " Our challenge controlling spam is that you can't legislate good manners. And the government shouldn't dictate what we can say -- even on the Internet." Crick and other civil liberties activists are concerned that government legislation against spam could amount to censorship; the real way to get at spam is to take the fight into the online trenches and make it clear to anyone expecting to make a buck using unsolicited commercial e-mail that nobody's buying. "Yes, we need tools to fight spam," says Crick, "but we don't need hasty legislation restricting a free Internet. The solutions we need are those we develop ourselves." There are a number of ways to do this, for instance, while researching this article I found instructions for an e-mail filter that will automatically reply to spammers with the following message:
Please remove me from your mailing list immediately. I do not accept unsolicited e-mail advertisements, and if this is repeated, I will send a complaint to the sysadmin where the e-mail is originating.
In a recent discussion about all this Smoot Carl-Mitchell recalled wistfully that "the Internet used to be the big happy academic research facility where we all worked together and we had this idealized world of cooperation. Look what it's become!" And to this, Tracy LaQuey Parker replied, "Utopia doesn't scale!"
Spam on the Side
The Internet will do the journalist's work for him if he hangs around on enough SEARCH ENGINES! I was gonna compile a whole list of junk e-mail resources but, mirabile dictu!, the first site I hit had links to damn near every resource you could want. Just point your browser at PC Magazine Online's "Internet Toolkit for Fighting Junk E-Mail" at http://www8.zdnet.com/pcmag/iu/toolkit/nospam.htm. And there's also a web site for the lawsuit mentioned in the article: http://www.zilker.net/nospam/, which contains a link to John Quarterman's excellent overview "Spam Considered Harmful" (http://www3.mids.org/mn/704/spam.html). -J.L.