Spammed If You Do, Spammed If You Don’t

Chicken-boners, mainsleazers and spiders are out to get you. Is there any way to cram this stuff back in the can?

During the research and writing of this piece I received an average of 69 spam e-mails per day.

Did you know just how low an interest rate you can get? Care to help the Nigerian Empress Ndugndugndug smuggle $500 million out of Africa? Are you in dire need of a truly unstoppable penis?

If you’re like most of us, you probably recognize these familiar queries as spam, or unsolicited bulk e-mail.

“I don’t really see spam increasing much more, because it has reached such a huge saturation point,” says Ron Krueger, support manager for www.Pyramid.net, an Internet service provider based in Carson City.

Sheer numbers aside, it’s difficult to imagine how “TEEN BARNYARD SEX” can get any worse. The magnitude of the issue has most everyone concerned. What’s happening with the spam problem? What can you do to make your inbox friendlier? What’ll happen if my wife takes Viagra? Read on for answers to not all of these questions.

Spammers vs. anti-spammers
You’re not the only one who wishes a violent end to e-mails featuring subject headings such as “MAKE MONEY FAST” or “GET BACK TO ME SOON.” You’ll be glad to know there are others, with more techie knowledge than you can possibly imagine, who fight the good fight against the terror of unsolicited e-mail.

Spamhaus (www.spamhaus.org) may be one of the world’s leading anti-spam warriors. An organization dedicated to tracking and cataloging Internet addresses of career spammers, Spamhaus notes on its site, “90 percent of spam received by Internet users in North America and Europe is sent by a group of under 200 hard-core spam outfits.” Almost all of them, claims Spamhaus, are “blacklisted” on their site, allowing Internet providers to freely access the Spamhaus list. Then providers can filter out messages originating from the worst spam-associated locations.

But career spammers are continually finding new ways to exploit the Internet. “It’s not a technical problem,” says EFN System Administrator Patrick Wade. EFN is a non-profit Internet service provider based in Oregon. “It’s a social problem. We can get technical and try to find out where spams are coming from, but then spammers work hard to get around what we come up with. It’s a cycle. For example, proxies used to not be a problem.”

Proxies are programs used by spammers to hide their tracks. Valuable to companies that use more than one computer on a network, proxies, if set up improperly, can become hidden treasure to the ever web-scouring tech-savvy spammer. Spammers use web-crawling programs, sometimes called spiders, to search the net for proxies. When a spider program tells a spammer it has found an unguarded proxy, off go millions of e-mails, and the spammer’s identity is concealed.

When anti-spam organizations fight back by publishing known spam origins, spammers return the blows, legal style. Take for example the April 2003 lawsuit (http://www.spamhaus.org/legal/answer-03-80295.html) filed against Spamhaus by Mark Felstein of EmarketersAmerica in Boca Raton, Fla. (Florida is one of the 24 remaining states where spam is still legal. Incidentally, Nevada was one of the first states to draft anti-spam legislation in 1997.)

Felstein claims that Spamhaus’ activity threatens EmarketersAmerica’s existence through the posting and trade of libelous information (their black list), sale of products which block Emarketers transmissions, “interrupting the flow of interstate commerce and international commerce” and a direct attack upon EmarketersAmerica. However, Spamhaus asserts that not only had it never heard of EmarketersAmerica before the suit, but that that corporation was formed only four weeks prior to the suit for the express purpose of filing it. Spamhaus adds that it sells no product or information whatsoever, that users may freely access Spamhaus’s list of servers in order to block entry of spam transmissions onto their own private computers and that Felstein also happens to be the sole proprietor of EmarketersAmerica as well as the personal lawyer of Eddy Marin, “America’s top spammer.”

The cast and characters are serious, and it seems they’re dedicated to battling it out. In a previous e-mail response to Felstein’s impending lawsuit, Spamhaus wrote “[l]et me know when you’ll be coming over to London to file a real lawsuit under UK law, until then you spammers simply spin on my forefinger.”

At this time, a temporary restraining order request by EmarketersAmerica to prohibit Spamhaus from continuing its activities has been denied.

Legislative action
Pressure is building in Congress and the Federal Trade Commission from both vehement anti-spam groups and fervent marketing, retailing and Internet provider industries. (California-based Ferris Research says that in 2002 spam cost U.S. corporations $8.9 billion and U.S. Internet Service Providers $500 million in lost time and productivity.) It won’t be long before spam will crawl back in the can or flip its lid wide open. There are several ways it could fall, and opinions vary widely.

Opt-In or Opt-Out?

One version of legislation pushed by marketing, retailing and Internet provider industries protects the rights of “legitimate” marketers to advertise by e-mail unless consumers specifically “opt-out.”

New federal bills, pushed by Republican Reps. Richard Burr (The Reduction in Distribution of Spam Act of 2003) and Heather Wilson (The Anti-Spam Act of 2003) contain provisions requiring advertisers to honor consumers’ requests to be removed from specific e-mail lists. Can you imagine responding to all the spam you receive, asking to be taken off each list?

“Unsubscribing is almost always useless,” said EFN’s Wade, “because that tells the spammers it’s a real address. Even if they do take you off, which isn’t always the case, they can sell your ‘live’ address to someone else.” The concept of “opt-out” makes anti-spam groups want to gag.

Ray Everett-Church, counsel for Coalition Against Unsolicited Commercial E-mail, expressing the sentiment that any legitimization of unsolicited bulk e-mail is a step in the wrong direction, said of the two bills, “They’re both equally ineffectual. It’s like two flavors of Swiss cheese.”


For those who like cheddar, the flip-side is the “opt-in” approach, favored by anti-spam organizations such as Spamhaus and CAUCE. So far there’s nothing to represent “opt-in” in federal or state legislative processes. It’s the idea that everyone has the undeniable right to receive only that which they wish to receive. The “opt-in” concept sets a precedent that spam will not be allowed unless someone goes through the trouble of signing up for it.

E-marketing businesses would remain, but in order to receive a marketing e-mail, an individual would have to sign up their Internet address with a particular group or company, be sent a reply e-mail asking if their sign-up was intentional, and send a confirmation to that reply. Then and only then would the previous “spammers” find themselves in the realm of “legitimate Internet marketing.”
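The confirmed sign-up sequence described above, sketched as an added example (not code from the article or from any group it names). The secret, the three-day expiry and the `OptInList` name are assumptions; the token is what the "was this intentional?" reply e-mail would carry.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-list secret kept on the server
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmation expires after 3 days


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def make_token(address: str, now: float) -> str:
    """Token mailed to the signed-up address; binds the address to an expiry."""
    payload = f"{address.lower()}|{int(now) + TOKEN_TTL}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def check_token(token: str, now: float):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
        address, expiry = payload.decode().rsplit("|", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    return address if now <= expiry else None


class OptInList:
    def __init__(self):
        self.confirmed = set()

    def sign_up(self, address: str, now: float) -> str:
        # Nothing is stored yet: anyone could have typed this address into a form.
        return make_token(address, now)

    def confirm(self, token: str, now: float) -> bool:
        address = check_token(token, now)
        if address is None:
            return False
        self.confirmed.add(address)   # only the mailbox owner could return the token
        return True

    def may_send(self, address: str) -> bool:
        return address.lower() in self.confirmed
```

The list never contains an address whose owner did not answer the confirmation, so a third party typing someone else's address into a form adds nothing to it.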

Of course to the e-marketers who currently send out 100 million e-mails a day, who use the argument that some individuals do reply to their electronic deluge, that solution smells like limburger.

Do-not-e-mail registries

Borrowing steam from the recent enactment of a federal Do-Not-Call List (10 million sign-ups in the first four days), state and federal legislation has popped up in a similar effort to taper unsolicited e-mail.

The idea is that individuals would pay to be on a do-not-e-mail list and all e-marketers would be required to check the list, being prohibited by fines of up to $25,000 from e-mailing people on it.

U.S. Senator Charles Schumer’s bill SB 1231 to initiate a national No-Spam Registry has been read twice and referred to the Committee on Commerce, Science and Transportation, but appears to have only one co-sponsor and has seen little action since June 6, according to the U.S. Senate Web site, as compared to federal “opt-out” resolutions such as Rep. Richard Burr’s bill HR 2214 with 33 co-sponsors and activity in the House as recent as July 8.

While a do-not-e-mail registry sounds attractive, anti-spam experts fear it could be a disaster. First, one reason that do-not-call registries seem to work is that most solicitation calls are made from inside the country. Abusers are and will be easy to track and prosecute. Some say that the great majority of spam is already shuttled off-shore before it comes back in, through unsecured, trail-obscuring proxies. Secondly, a do-not-e-mail registry would consist of a list of e-mails. A big, fat, juicy, long list.

As to whether a spammer would use the list, well, the answer is yes, but perhaps not for the reason you think.

“They’re never going to follow the rules,” says Steve VanDevender, a university systems administrator in Oregon. “There are spammers out there who have several millions of dollars worth of legal judgments against them, which they’ll probably never pay, and they’re still blasting away millions of spams a day. For some of them spamming is almost a sociopathic outlet. It’s very hard to prove where a spam came from, and they’ll get e-mail addresses any way they can. The list,” he said ironically, “would be a prize.”

Under Nevada law, it’s illegal to send unsolicited commercial e-mail unless it is labeled or readily identifiable as an advertisement. It must include the sender’s name, street address, e-mail address and opt-out instructions. That’ll give you a clue about how much spammers care about the law.

The local fight
Pyramid.net support manager Krueger says little spam originates from northern Nevada, but he’s certainly seen the strain junk e-mail coming from other locales can put on a local system.

“I’ve never seen any major spam coming from northern Nevada,” he says. “I’ve seen a couple small-timers here and there. By that I mean, their spam would go out to maybe 100,000 addresses, instead of millions. I haven’t really seen much of that.”

Pyramid.net uses a variety of methods to attack spam. He says the company that makes their mail-server software, iMail, recently added a cadre of improved filters to the program.

“It’s really nice, they built it from the ground up,” Krueger says. “It has a whole lot of different options as to how tight we want to make it, things we want to do. It uses keywords and blacklists. Before that, we had some custom filters that we had written and blacklists, and those two were working pretty well on their own. On a normal day, we’d probably filter out about 30,000 e-mails. Now I think it’s like twice that much, and we’re still not getting it all.”

Before the spam-filter upgrade, Pyramid.net also recommends an application called ChoiceMail One, which allows individual users to filter out the vast majority of spam messages on their own. ChoiceMail is essentially a filtering program. When an e-mail is received, ChoiceMail replies with an email inviting the sender to register on the owner’s list. Since most spam is automated, there’s no one to register, and the e-mail never reaches the user’s inbox.

ChoiceMail, though, does require that the user check his or her blocked-messages folder periodically—especially if the user gets frequent time-sensitive e-mails. Many people—most, in fact—don’t like or feel comfortable maintaining their filters. They want the spam to stop, but they also want somebody else to deal with it.

Another spam-blocking program that Krueger says shows promise is iHateSpam from Sunbelt Software. With this program, users help create the blacklists that decide which mail gets punted.

Krueger says spam’s been a problem for almost half the 10 years he’s been working in the technology industry. But it’s really exploded in the last year, he says, due to the bursting of the Internet bubble.

“Spam is not expensive anymore,” he says. “Back when the Internet was really starting to boom, advertising rates were crazy. You could spend serious amounts on advertising, and it was the same with spam. If you wanted to pay a company to send out a bunch of spam for you, it cost you quite a bit of money. After the whole crash of advertising on the Internet, spam became a cheap form of advertising. You could spend $200 and advertise to millions of addresses. That’s why we’ve seen such an explosion. They turned to volume to make money.”

Ron Krueger, support manager at Pyramid.net, says he’s not seen any major spam coming from northern Nevada.

Photo by David Robert

The technician says the light at the end of the tunnel is oncoming spam. He doesn’t believe the spam issue will be solved anytime soon. He expects that one day the problem will be fixed by making the form of advertising useless. People will become complacent, paying as little attention to the electronic junk mail as they do to the paper junk mail that comes in their real world mailboxes.

“There’s only one way to end a form of advertising, like spam,” he says. “That’s to make it ineffective. Someone is buying the products they sell with spam. Advertisers can track that. They know if you bought the product because you just went to the Web site or because of the mail you got.

“If you just click on the ad, they know that, they’re tracking that. They got the ad in their e-mail, they’re clicking on it through their e-mail. The only way that spam will ever go away is not to buy the product.”

D. Brian Burghart contributed to this article.

Do’s and don’ts
DO: Use “plus addressing” if you care about who’s giving out your e-mail address. Here’s how it works: Get an account, with an e-mail of, for example, nospam@efn.org. What’s different with plus addressing is that nospam1, nospam2, nospam3 and so on will also be sent to you, only they’ll each come into individually labeled folders. Next, when you sign up for a Victoria’s Secret card and they ask for your e-mail, you give them one of those plus addresses, such as nospam14. If you ever get a spam e-mail sent to the nospam14 folder, you know which organization sold or shared your e-mail, and therefore where not to buy your panties.

DOn’t: Register software or other products, or buy products that require you to enter your e-mail, without reading the fine print. Many of these companies put you on mailing lists, which theoretically could circulate forever. Send your e-mail address into the world at your own spam peril.

DO: Check the address of incoming e-mail. Some e-mail from sites that look just like eBay or PayPal may ask you to re-enter your account or credit card information because they misplaced it. You might notice that the return address isn’t www.paypal.com, but instead it’s something nearly identical, like www.penpaI.com. A general ground-rule is that once you’ve entered personal information, a company is never supposed to ask you for it again.

DOn’t: Reply to spam e-mails. If you do, some spammers will know they have a “live” one, and keep spamming, sell or share your e-mail address.

DO: Use spam filters built into your mail program. Outlook Express, for example, has filters to keep out all e-mails containing certain words. If you get a lot of spam, go to the “Tools” menu, pull down to “Junk Mail Filter” and raise the “sensitivity” of your filter. If you’re afraid certain messages won’t get through, add desired incoming addresses to your address book, and they’ll make it to your inbox. Outlook Express also provides you with a box to enter domain names, such as “Excite,” or “Hotmail,” so that all e-mails originating from those domains are allowed passage. (Pull down the “Tools” menu and select “Rules.”)

DOn’t: Publish your e-mail on the web as a hot link. Each time you do, you give web-crawling programs that much more of a chance to find your address.

DO: Use this great timesaver: When you come to work in the morning, or whenever you’ve got a loaded inbox, select or highlight ALL the e-mails in your inbox. Then, instead of going through and eliminating spam one at a time, use the “Apple” key (on PCs it’s the “control” key) and the mouse to de-select just the legitimate e-mails. When you’ve de-selected all the good e-mails, hit “delete” and the spam will disappear all at once. At work this cut my daily spam time down from a half-hour to about five minutes.

DO: Read our bizarre spam terminology below.
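The “check the address of incoming e-mail” tip above, automated as an added example (not from the article or any product it mentions). The trusted list, the small look-alike character table and the distance threshold are assumptions, and the sample headers are constructed from the article’s own paypal/penpaI pair.

```python
from email.utils import parseaddr

TRUSTED = {"paypal.com", "ebay.com"}   # assumption: senders this mailbox really deals with
# Characters that many fonts draw alike (a small constructed table, not exhaustive).
CONFUSABLE = {"I": "l", "1": "l", "0": "o", "5": "s"}


def skeleton(domain: str) -> str:
    """Fold look-alike characters BEFORE lowercasing, so capital 'I' becomes 'l'."""
    folded = "".join(CONFUSABLE.get(ch, ch) for ch in domain)
    return folded.lower().replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Last two labels of the address in a From: header (naive registrable domain)."""
    _, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify(from_header: str, max_distance: int = 2) -> str:
    domain = sender_domain(from_header)
    if domain.lower() in TRUSTED:
        return "trusted"
    skel = skeleton(domain)
    for good in TRUSTED:
        # Identical after folding, or only a couple of letters away: treat as imitation.
        if skel == good or edit_distance(skel, good) <= max_distance:
            return f"lookalike of {good}"
    return "unrelated"
```

The display name is ignored on purpose, since the sender chooses it freely. A distance of 2 is generous for short names, so tune it per brand to avoid flagging unrelated domains.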

Spam terminology

MAINSLEAZERS: For money, they’ll do an e-mail marketing campaign for your company. They’ll send spam out for you, your company gets a black eye and the mainsleazer moves on to another unsuspecting client. Bad mojo.

E-MAIL WORMS: Spammer viruses that can install unauthorized proxy software onto a host system. Then millions of e-mails can be sent through the system. Your system.

SPIDERS: Web crawling programs that search the net for unguarded proxies. Wasn’t there one of these in The Matrix?

DICTIONARY ATTACKS: Spammers use software opening a connection to a victim’s mail server. They automatically submit millions of random addresses and record which addresses succeed. These are then added automatically to the spammer’s list, and can be resold to spammers worldwide.

CHICKEN-BONERS: People spamming from some inexpensive location, such as a trailer park.

SPOOFING: Showing a fake route or return address in order to conceal where an e-mail originated.

PHISHING: Spamming and scamming to get account and credit card numbers. Don’t give ‘em out!

419 SCAMS: Spam e-mails named for the Nigerian legal code supposedly making them illegal (even though the government is suspected to be involved) “introducing” you to a wealthy foreigner who’s having trouble getting money out of his or her country. The individual needs your account information and promises a huge cut if they can smuggle money into your account. Give ‘em your data and it’s your money that gets the chop.

RATWARE: Software designed to exploit open proxies.
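How a mail administrator might spot the DICTIONARY ATTACKS entry above in server logs, as an added example (not from the article). The log format, field names and thresholds are made up for illustration and the log lines are constructed; a real mail server’s log would need its own pattern.

```python
import re
from collections import defaultdict

# Constructed log lines in a hypothetical format: time, client IP, recipient, SMTP reply.
SAMPLE_LOG = """\
2003-07-10T03:14:01 client=192.0.2.44 rcpt=<aaron@example.org> reply=550
2003-07-10T03:14:01 client=192.0.2.44 rcpt=<abby@example.org> reply=550
2003-07-10T03:14:02 client=192.0.2.44 rcpt=<adam@example.org> reply=250
2003-07-10T03:14:02 client=192.0.2.44 rcpt=<adrian@example.org> reply=550
2003-07-10T03:14:03 client=192.0.2.44 rcpt=<al@example.org> reply=550
2003-07-10T03:14:03 client=192.0.2.44 rcpt=<alan@example.org> reply=550
2003-07-10T08:30:12 client=198.51.100.7 rcpt=<adam@example.org> reply=250
2003-07-10T08:31:40 client=198.51.100.7 rcpt=<adem@example.org> reply=550
2003-07-10T09:02:55 client=203.0.113.9 rcpt=<sales@example.org> reply=250
"""

LINE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> reply=(?P<code>\d{3})")


def find_harvesters(log_text, min_unknown=5, min_ratio=0.8):
    """Return {client_ip: report} for clients that mostly guess at recipients."""
    stats = defaultdict(lambda: {"unknown": 0, "accepted": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                       # ignore lines in other formats
        entry = stats[m["ip"]]
        if m["code"] == "550":             # 550: mailbox unavailable (no such user)
            entry["unknown"] += 1
        elif m["code"] == "250":           # 250: recipient accepted
            entry["accepted"].append(m["rcpt"])
    flagged = {}
    for ip, e in stats.items():
        total = e["unknown"] + len(e["accepted"])
        # A single typo also earns a 550, so require both volume and a high miss ratio.
        if e["unknown"] >= min_unknown and e["unknown"] / total >= min_ratio:
            # Accepted addresses are the ones the sender now knows are live.
            flagged[ip] = {"unknown": e["unknown"], "exposed": e["accepted"]}
    return flagged
```

The `exposed` list is the useful output for a defender: those mailboxes were confirmed to the guessing client and can expect more spam.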