Can Spam Be Stopped?

By Zachary Rodgers

(Back to article)

It's been nearly a decade since spammers and their enemies began evolving competitively. As with the classic cheetah/gazelle model originally formulated by Darwin, each time one group becomes a little faster or more agile, its adversaries develop traits for outwitting and outrunning it.

Only, in the spam wars, the anti-spam gazelles have a little problem: the cheetahs seem to be winning.

The number of unsolicted commercial electronic messages received by the average American in 2001 was 571, according to Jupiter Media Metrix. By 2006, Jupiter says, that number will increase to 1,400, with more than 206 billion spam messages going out over the course of the year. While these numbers are notoriously difficult to calculate, every survey and ISP record points to dramatic increases in spam, sometimes as much as 300 percent year over year.

The issue of of great interest and frustration to enterprise IT execs, who are finding that the need to solve the spam problem has never been more critical - and it promises to become more of a problem. Spam leads to multiple costs for the enterprise, using up valuable bandwidth resources, jamming e-mail servers, and lowering employee productivity. There is good news: There are many efforts underway to eradicate spam.

The Spam Resistance

One reliable indicator of the problem's magnitude is the size of the anti-spam effort. The range of tools available to ISPs, enterprises and consumers in the fight against spam grew considerably during the Web bubble.

"There are a huge number of individual projects," according to Tom Geller, executive director of advocacy group SpamCon Foundation. "Some of them are technical, some are complaint focused, some are running statistics."

The list includes reporting tools; complaint generators; block-lists like SpamBag.org, Spam Prevention Early Warning System (SPEWS) and Mail Abuse Prevention System (MAPS); advocacy and legal support groups; information services like the Register of Known Spam Operators (ROKSO); and filters of all kinds. If you want to get a sense of the scale of the anti-spam community, just spend a few minutes browsing the posts on news.admin.net-abuse.email. It's truly staggering.

A Play for Self-Regulation

Simultaneously, heavyweight Web marketers and interactive ad players have been scrambling to distinguish their services from the bad guys, as well as to counteract growing calls for government controls on digital marketing.

In one of the biggest such moves, the Direct Marketing Association (DMA), through its subsidiary, the Association of Interactive Marketing (AIM), has released online commercial solicitation guidelines in an effort "to promote high ethical standards among marketers." The rules require that members let e-mail recipients know how they can refuse future mailings and allow consumers to prevent the sale or rental of their addresses.

"The guidelines demonstrate that industry self-regulation is working," said DMA president and chief executive H. Robert Wientzen. "The guidelines are fair to consumers and marketers alike." (Contrary to Wientzen's remark, it's not clear that self regulation is what all members of the DMA want, a point we'll examine later.)

The DMA rules require that members give opt-out information for sold, rented or exchanged consumer information. Additionally, every e-mail must reveal the marketer's identity, and the subject line must be "clear, honest, and not misleading." Marketers must also offer a detailed disclosure of each sender's use of customer info, offline contact information, and a statement of adherence to the standards.

ISPs, for their part, are feeling real pressure from network administrators and their customers to block spammers from their e-mail servers -- pressure that goes beyond the typical complaint and reporting methods. Many spam-supporting ISPs are even finding themselves on the receiving end of denial-of-service attacks.

Still Not Enough

All of this is insufficient for the gazelle to protect itself, however.

"Technical approaches are unlikely ever to eradicate spam," according to David Sorkin, associate professor of law at the the John Marshall Law School. "(This is) partly because of the time and resources that spammers devote to their activities and partly because of the inherent openness of the Internet and e-mail protocols. "

As Sorkin points out, the costs of implementing technical solutions can only increase with time, given the lack of deterrent these efforts pose to spammers and the continuous increase in unsolicted e-mail traffic.

There are also drawbacks to many technical solutions. Spam filters tend to block some legitimate e-mail along with the intruders, an uncomfortable compromise for anyone who relies on e-mail for personal or business reasons. This is also harmful to marketers, who may be blocked either because of a filter error or because their company's SMTP server has been hijacked by spammers for mail relay purposes.

Additionally, it's important to note that block-list services are held to no standard of accountability. This can only be bad for legitimate e-mail marketers, who may be block-listed due to an innocent sending error or a policy change on the part of the block-list service.

This happened recently when MAPS, known for its Black Hole list of documented spammers, created a new list to keep track of marketers that don't verify a user's addition to its database with a separate e-mail. Suddenly and without warning, numerous formerly legit e-mail marketers found themselves ranked alongside unscrupulous spammers on a list trusted by ISPs and online consumers. Not surprisingly, many were outraged.

"Our lists are nothing more than our opinion about their email practices, each fully backed up by documented fact," says Anne Mitchell, director of legal and public affairs for MAPS. "We simply publish that information, much like Consumer Reports or a restaurant reviewer."

None of this is good news for online marketers, all of whom are dependent, to some extent, on the accuracy of spam filters and the definitions chosen by services like MAPS to get their messages out.

An unannounced policy change on the part of a block-list or a filter error can be disastrous, in terms of both sales and PR. When that happens, it doesn't matter whether a marketer's permission policy is opt-out, opt-in, or the so-called "double opt-in" (a.k.a. "opt-in with verification"). It's a situation many find intolerable.

For these reasons and others, consumer groups and e-mail marketing interests alike are hopeful that the worst perpetrators of spam can be sued out of business. It's a daunting proposition, given the huge number of spammers and the difficulty in tracing them, but a number of precedents have already been established which may point to a future victory over spam.

"Go Ahead, Sue Me,"

As the rising tide of spam threatens to swamp e-mail recipients and drown out the messages of legitimate marketers, some are hoping that the government -- in the form of Congress and the Federal Trade Commission -- will take meaningful action.

So far, existing laws have proven to be helpful in some cases. As most marketers are by now aware, a number of spammers have been successfully defeated in court by ISPs and even by solo recipients of unsolicited e-mail.

A number of early examples involved Cyber Promotions, a major bulk e-mailer of the mid-'90s. Cyber Promotions sued AOL in 1996, after AOL received complaints of spam and blocked its messages. The spammer sued the ISP, arguing that it had a first amendment right to send junk e-mail and that AOL was in violation of the constitution. The court ruled in AOL's favor in two separate decisions. Shortly thereafter, CompuServe filed an injunction against Cyber Promotions and won.

"In 1996 and 1997, the most important were the suits by AOL and CompuServe against Cyber Promotions," said Junkbusters executive director Jason Catlett. "They established that there's no first amendment right to spam and that ISPs could take actions on behalf of their customers' privacy."

Since then, AOL has filed a huge number of injunctions against spammers, and other ISPs have followed its lead. It's hard to know how many, because ISPs rarely publicize the information and because many complaints are now settled out of court. However, these lawsuits and settlements have done little to curb the flow of spam, mainly because it's so easy for a chastised spammer to turn around and spam again.

"The real problem is that it's trivially easy to create a new identity, send millions of spams, then disappear," according to professor David Sorkin of the John Marshall Law School. Sorkin believes that a simply worded federal law making it illegal to send unsolicted bulk e-mail would help. Problem is, no such law exists.

State Laws: 19; Federal Laws: Zero

Laws with implications for spam have been passed in almost half of the United States, and have accounted for the most dramatic court actions taken against spammers so far in the U.S.

In Washington state, Bennett Haselton was handed four well-publicized victories in small claims court last December.

Haselton, who heads Web advocacy nonprofit Peacefire.org, is in the process of assembling a guide to suing spammers under Washington law.

"I'm hoping that if enough Washingtonians file lawsuits against spammers, it will become too risky and expensive for people to spam," Hasselton said. "And the amount of spam received by everybody will go down."

Haselton is now organizing a class action suit, naming one defendant and 50 plaintiffs. The strategy, if it works, is to seek higher damages for a larger base of spam recipients and thereby increase the deterrent for would-be bulk e-mailers.


While there are no national laws in the U.S. regulating unsolicited e-mail, several bills are pending before the House. H.R.718, identical to two previous bills, would require unsolicited commercial e-mail to be labelled, to include opt-out instructions, and to use accurate header information.

But many Web activists say the laws so far under consideration are too weak. Anne Mitchell, director of legal and public affairs for Mail Abuse Prevention System (MAPS), would rather see an absolute legal standard -- specifically, universal opt-in with verification, which she refers to as "confirmed opt-in." The FTC has so far implicitly supported the "opt-out" standard, a premise she rejects.

"Any scheme which gives an air of legitimacy to opt-out simply exacerbates the problem," she says, pointing out the difficulty in proving which recipients have signed up and which have simply been crawled. "And that is assuming that the lists actually honor the unsubscribe requests, which many... do not."

Standard or no standard, the issue is clearly becoming a priority to Congress, if the number of bills being introduced is any indication. But even more important than getting a federal bill passed is the issue of enforcement. How well equipped is the FTC to follow up on the thousands of reports of illegal marketing activity that would follow passage of an anti-spam bill?

Regulatory Wrangling

The Federal Trade Commission, which has historically kept out of the spam battle, underwent a shuffle in its leadership in 2001. Timothy Muris was sworn in as chairman in June -- replacing Robert Pitofsky, a chairman who had promised much and delivered little in the privacy wars. Additionally, December saw the appointment of commissioner Orson Swindle to a key security and privacy review post. Jointly, the two have announced a plan to crack down on those using fraudulent headers.

"I'm actually very impressed with what Muris and Swindle have been doing in the first months of their tenure," said Junkbusters' Catlett. "The FTC has been mumbling aloud since 1997 about their authority to prosecute spammers for fraudulent headers and data. Under Pitofsky, nothing was done, so it's very welcome to see some action even five years later."

But others lack Catlett's faith in the FTC's power to crack down on bulk e-mailers. According to MAPS' Mitchell, the FTC lacks the resources to prosecute even a fraction of those who use fraudulent headers.

"The problem... is obvious," according to Mitchell. "There is so much [spam with bogus header information], and while the FTC can expend resources tracking down and prosecuting a few mailers, it will do little-to-nothing to stem the flow."

Professor Sorkin sees the FTC as completely irrelevant to the spam debate. "The FTC is concerned with misrepresentation and deceptive practices," he said. "That's their mandate, but it's not the spam problem. They just happen to come into contact with spam as they're investigating fraud."

But Catlett is not so quick to write off the commission's role, which he admits to seeing as a primarily symbolic one. He imagines the agency prosecuting a limited number of high profile cases. The bulk of the problem, he says, could be solved with very specific laws about accurate header information and return addresses, combined with a private right of action for consumers and ISPs.

Catlett says, "I have said for years that a law giving individuals who are spammed the right to sue spammers is essential to keeping spam down to a tolerable level."

Industry Stands Quietly By?

The nation's top digital marketers, meanwhile, have already entered the complex legal debate surrounding spam. Many, such as the leadership of the Direct Marketing Association (DMA), are eagerly trying to save the reputation of ethical marketing online and if possible, to preempt the need for government regulation of the process.

As we have seen, however, efforts at self-regulation have thus far been fruitless. The bad actors, after all, aren't members of organizations like the DMA. And while the DMA's president and chief executive H. Robert Wientzen has come out strongly against legislation, there are indications that he may be at odds with his constituency.

"Hopefully there's going to end up being some real federal legislation," says Rodney Joffe, founder of Web hosting firm Genuity, president of CenterGate Research and a DMA member.

Joffe is angry that Weintzen has consistently defended the right of marketers to send unsolicited e-mail to Web users. He believes that the credibility of legitimate marketers has been seriously harmed by the lack of a federal spam law. And he believes that a large number of DMA members feel the same way.

"Basically, he's tried to hold back the tide and protect that field for marketers," Joffe said. "The problem is that he ends up representing the attitude of the little spammers all over America."

"My membership fees, a good portion of them, go toward lobbying against legislation that I support," he continued. "It's an old boys network."

So what kind of law does Joffe want? "Some kind of opt-in," he said. "There has to be a process that lets a Web user say, 'Hey, I want your information.' It can't be done by sending an e-mail that says, 'Hey, do you want my email?' In 1994, when the first spam occurred, we never even thought about issues of scale. Now we have to."

It wasn't possible to determine whether a majority of the DMA's 5,000-plus members disagree with the organization's public stance, but if Joffe's claim turns out to be even partly correct -- and the DMA's lobbying efforts change as a result -- then the chance that a federal law will pass in 2002 is that much greater.

Global Jurisdiction

If and when the U.S. passes laws aimed at stemming the flow of unsolicited e-mail, there will remain the formidable challenge of blocking spam that originates beyond international borders. Unfortunately, this is probably an issue for the more distant future.

"What has to happen in the long term is for all countries to ban spam," says Junkbusters' Jason Catlett. "This will happen in the same way that international copyright treaties ban counterfeiting and copyright infringement."

Until then, spam fighters will focus on trying to control the domestic situation. Catlett insists that the largest part of the problem can be tackled in that manner. "The vast majority of spam," he said, "is still sent from the U.S. to the U.S."

Editor's note: Zachary Rodgers is associate editor of ChannelSeven.com, an internet.com site, where this report first appeared.