Computer Crime Research Center

Soaking in Spam

Date: May 19, 2004
Source: Newsweek
By: Brad Stone

The Net is buckling under the weight of billions of unsolicited bulk e-mail ads. Current weapons aren't working, but there's hope. A report from the front lines.

Nov. 24 issue - Scott Richter doesn't mind telling you how successful he is. His 28-employee company, OptInRealBig, clears $2 million in sales each month. He drives a Lexus convertible and a Lexus SUV, owns a half-million-dollar home outside Denver and just returned from vacation on the Caribbean island of Anguilla.

But the 32-year-old former restaurateur has made his small fortune in an unpopular way: sending out 80 million e-mail advertisements a day. He hawks diet pills, porn sites, sexual aids and miracle "As Seen on Oprah!" products. He's also impulsive and resourceful. After September 11 he sent out e-mails offering American flags for sale; during the Iraq war he churned out ads for copies of the Pentagon's Most Wanted playing cards.

Although Richter practices a highly reviled occupation on the Net, he says he never makes false claims in his ads and argues that there's nothing wrong with unsolicited bulk commercial e-mail messages, or spam. He also confidently says that bulk e-mailers are relatively immune from new laws and lawsuits. "We can set up in another country within an hour," he says. "There are people in other countries who would love to sell us bandwidth."

Richter's insouciance and general visibility (his phone number is posted on his Web site) suggests an unpleasant fact about the eternal cat-and-mouse game that the Internet's spam war has become: the nefarious mouse is winning, and it's not even a close race. In the past two years spam has congested the Internet, threatened to overwhelm Internet service providers and sent Web surfers of sensitive disposition scampering away from their computers in embarrassment. Spam is now approaching 60 percent of all e-mail, according to the research firm Gartner Group. Ferris Research says spam puts a $9 billion annual drag on productivity, as workers peck away at the delete button every time another Nigerian dictator with a sob story crashes their in box.

The forces who say they hate spam (politicians, tech companies, beleaguered e-mail users and anti-spam vigilantes who spend their own time and money trying to clean up the Net) haven't managed to make a dent in the problem. Current approaches aren't working; even though home users and many companies started filtering their e-mail two years ago, the overall amount of junk mail has ballooned exponentially. Filtering and antivirus companies always seem one step behind the rapidly evolving methods of clever spammers. And most individual lawsuits against spammers have been defeated, settled or concluded with the penalties levied against spammers unpaid, and their e-mailing operations still open for business. Meanwhile, efforts in Congress to stop unwanted e-mail have been neutered, ironically, by mainstream companies who claim to fight unsolicited e-mail but want to preserve the Net for advertising.

Can anything be done? Reports from the front lines of the spam war show how traditional anti-spam tools are outmatched and suggest some promising solutions.

Filtering: Even when spam never finds its way to individual e-mail accounts, it creates havoc for Internet companies. Servers at AOL and Microsoft sag under the weight of a billion blocked spam messages each day; smaller ISPs that get fewer messages suffer even more. Barry Shein is the founder of The World, a small Internet service in New England. One day last week Shein arrived early at work to spend three hours personally sifting through his jammed e-mail servers and deleting thousands of messages his filters caught. With so many flagrantly illegal spam techniques, Shein wonders why no one is slapping handcuffs on spammers. "Imagine being dragged out in front of your house and beaten every day in front of your neighbors, and the police won't respond to it," he says. "That's what this feels like."

Using e-mail filtering tools helps companies and individual users block spam, but it's not perfect. CipherTrust, an Atlanta-based anti-spam firm, uses a combination of technologies in its products: it hunts for specific words, blocks the addresses of repeat offenders and analyzes info at the top of a message to look for telltale spam signs. On his laptop, CipherTrust engineer Steve Davis reviews the dozens of unwanted messages sent to his own protected e-mail account that morning. Messages promoting work-from-home schemes ("Attention Moms!") and junior-college programs ("Degree Programs That Fit Your Life!") get successfully blocked.

But another message, masquerading as an important upgrade from Microsoft and carrying a virus, gets through the CipherTrust filter. The message is similar to a legitimate customer-service message, and thus impossible to detect by software that looks for betraying words or phrases. It was not sent by any known spammer, and CipherTrust hasn't seen any other messages exactly like it, so software designed to find patterns doesn't catch it either. In other words, an ingenious spammer somewhere in the world knows exactly what filters look for and has found a new way to evade them. "We are trying to hit a target that is coming at us from all directions and moving at the speed of the Internet," Davis says.

The virus that made it through, incidentally, represents a new and deleterious kind of spam: it seeks to turn a PC into an unwitting bulk e-mail generator that remotely does the spammer's bidding. In the past few weeks more and more of these so-called spam zombies have been turning up on college campuses. After a recent football game at Texas Christian University, network administrator Bryan Lucas returned to his office to find campus servers pumping out a hundred thousand e-mails for prescription drugs. He tracked the problem back to the laptop of the football team's bewildered punter, who unknowingly downloaded the spam software. Lucas says this is the fourth such incident this semester, and that colleges are fat targets for amoral spammers. "We're perfect victims. The students have good computers hooked up to high-speed networks. Most other universities wouldn't even catch it."

Prosecution and litigation: Sending out bulk e-mail is legal and protected by the First Amendment. But such zombie attacks are clearly illegal, so why aren't spammers who indulge in these and other fraudulent methods going to jail? Network admins like Lucas say it's impossible to trace the original spammer back through hijacked computers to other Internet locations that have probably long been abandoned. And at overworked law-enforcement computer-crime divisions, e-mail fraud takes a back seat to kiddie porn and identity-theft cases. New York Attorney General Eliot Spitzer arrested Buffalo-based spammer Howard Carmack earlier this year on charges of opening EarthLink accounts with stolen credit cards (the case is pending). But that's the only well-known example of an e-mail fraudster taking a perp walk.

Private action against spammers, both in and out of the courtroom, has not been effective either. For the past five years Detroit-based Alan Ralsky, 58, has used e-mail to pitch diet pills, hair tonic and other sundries, working mostly off networks based in China. Anti-spam vigilante groups constantly try to persuade those networks to kick him off, but when they do, he simply transfers operations to another Chinese company. Last week an exhausted Ralsky spent 70 hours over four days doing just that. "The chess game is on," he says, nursing a bad cold.

Verizon tried to stop Ralsky for good in 2001, suing him in Virginia for $37 million for twice paralyzing its network with junk e-mail. Last year, after mounting legal bills on both sides, the parties agreed to settle the case; Ralsky paid an undisclosed sum and agreed only to stop spamming Verizon customers, leaving him free to resume what he calls "the best business in the world." Other civil suits have led to large fines, but spammers often don't pay the penalties and survive with operations intact. ISPs are still committed to the courtroom, though, and continue to file suits in pursuit of big judgments that will scare bulk e-mailers out of the business.

Legislation: Another possible solution is a new federal get-tough-on-spam law. The problem here is that not everyone buzzing around Capitol Hill agrees on what spam is. Companies like Microsoft think honest firms should be able to openly advertise to anyone who has used their products in the past. "I don't think you can put that in the same bucket with outright fraudulent, criminal behavior perpetrated through spam," says Microsoft attorney Tim Cranton. Through organizations like the Direct Marketing Association, Microsoft and other businesses have lobbied against more stringent measures that would allow individual PC owners to sue bulk e-mailers, and would limit spammers from sending messages to anyone who did not deliberately sign on to receive them.

The result of those lobbying efforts is a bill called the CAN-Spam Act, which recently passed the Senate 97-0, and is awaiting a vote in the House. It would enforce certain etiquette (e-mailers must be truthful in subject lines and honor remove requests) and lay the groundwork for the creation of a Do Not Spam list similar to the Do Not Call list. It would also allow ISPs, states and the Federal Trade Commission (but not individuals) to sue spammers.

Almost everyone involved with the spam debate admits CAN-Spam will do little. After voting for the bill, Sen. John McCain said "the odds of defeating spam by legislation are extremely low, but that doesn't mean we should stand idly by." Anti-spam activist Steve Linford...

Copyright © 2001-2024 Computer Crime Research Center