This document is a work in progress. It is an outline and rough draft of what I feel is the key information for understanding spam today. I started working on it in January, 2004, and as you can see, most of the news articles quoted and cited were published in December, 2003. I decided to publish it here now because, before working on it more, I want to make it open to criticism and suggestions. Please let me know what you think should be added, deleted, or changed in any way. If someone wants to re-write or edit a section, let me know. Click here for contact info.
What is spam?
What is the problem?
Who are these spammers?
What is the solution?
Conclusions
A description:
According to Alan Schwartz & Simson Garfinkel, in their classic book "Stopping Spam", "Spam is the Internet's version of junk mail, telemarketing calls during dinner, crank calls, and leaflets pasted around town, all rolled up into a single annoying electronic bundle." I might add: collect calls from strangers and junk faxes.
UCE, UBE:
There are different types of spam, or junk e-mail. Unsolicited Commercial E-mail (UCE) is commercial in intent, i.e. it is trying to get you to buy a product or service. Unsolicited Bulk E-mail (UBE) is not necessarily commercial, but may be political, religious, or just intentional harassment.
The purpose of spam:
The purpose of spam is to get you to do something, usually to spend money. Spam is sent in bulk because it is cheap to send. You can hire someone to send out 1 million e-mails for maybe $500, and you can do it yourself even cheaper once set up. To reach the same number of people via US Mail would cost around $600,000. To send out a million catalogs might cost $1,000,000.
So they are not even in the same ballpark. The super low cost means that a spammer's best return is to send out as many e-mails as possible, regardless of whether the receiver might be interested, because it takes such a low response rate to pay the cost.
What is not spam:
Spam is always unsolicited. If you signed up for a mailing list, or had a previous
commercial relationship with a company in which you gave them your e-mail address,
then it is not spam, even though it is commercial, or was sent out in bulk.
But, it should have a very easy way to unsubscribe, if you decide you aren’t
interested anymore.
Have you ever come back from a vacation, logged onto your computer, downloaded your e-mail, then spent an hour sorting through it to delete the junk? If so, then you have been a victim of spam. In order to keep using your e-mail account you have no choice but to do this work. If you had been inundated with ads on the radio, you could switch it off and come back later, or switch to a different channel. But spam invades your personal space, and you are responsible for the housekeeping.
Seven billion commercial e-mail messages crossed the Internet daily in 2003, easily breaking all previous spam records. And despite new laws, and ISP suits against spammers, the amount of junk e-mail transmitted daily is forecast to hit 9 billion in 2004, according to antispam software maker Brightmail.
Bother:
Quantity
A few years ago, when the volumes of spam were smaller, deleting one or two was not seen as a huge problem. But the amounts are now such that it is not only a huge bother and chore for people, but has come to the point of having a significant economic impact on businesses. Many businesses report employees spending 1 hour per day, or 12% of their time, sorting through e-mail.
Spam accounts for almost 50% of all Internet traffic today, and is far from a victimless crime. Basex estimates the cost of spam to companies worldwide is approximately $20 billion, including lost productivity, anti-spam software, and user support issues.
"Consumers don't see a fraction of the spam that's sent out. The Pew Internet and American Life Project, a national research report released in October, said that the two major Internet Service Providers, America Online and MSN, both block more than 2.7 billion spam messages a day from reaching their subscribers. That's 67 spam e-mails per mailbox per day, or about 80 percent of the incoming messages. With that kind of volume, it's no wonder the Pew project declared that ‘spam is beginning to undermine the integrity of e-mail and to degrade the online experience.’" - 6 WAYS TO FIGHT SPAM - Bankrate 12/22/2003 by Pat Curry
This is in addition to undeliverable e-mail, sent out to bad addresses, which contributes to the overall resource use of the Internet as a whole.
Offensive materials…
Resources:
Quantity of spam
Spam is now somewhere between 50-70% of all e-mails sent, which means over half of the infrastructure and manpower used to run the e-mail component of the Internet is devoted to the transmission of spam, probably 99.9% of which is unwanted, or at least unresponded to. This is one of the most inefficient uses of resources ever…
Who pays for it, and what is the true cost?
A very small percentage of the true cost of spam is paid by the sender. The bulk of the cost of e-mail is paid by the receiver. There is the cost of the entire Internet: mail servers, connections, storage space. All these costs are eventually passed on to the end users, either directly through hardware costs and user fees, or, where governments bear the cost, through taxes.
And even the costs of blocking, filtering, and fighting the sending of spam are mostly paid for by recipients:
FIGHTING SPAM PAYS BETTER THAN SENDING IT - TechWeb News 12/1/2003 by Gregg Keizer
Ferris Research says revenue from sales of anti-spam products will soar past what spammers take in.
http://www.informationweek.com/story/showArticle.jhtml?articleID=16401194
"There's money to be made fighting spam--more money than even spammers see on their bottom lines, a research firm said Monday.
According to estimates by Ferris Research, which tracks the messaging market, revenue for vendors selling anti-spam products will be approximately $130 million in 2003 and soar 200% in 2004 to a whopping $360 million.
That's substantially more than the senders of spam see in revenue, much less profit. Revenue generated by spammers in 2003 will be roughly $130 million, said David Ferris, head of Ferris Research, while their profit during the year will range from $20 million to $30 million.
The biggest opportunity for anti-spam vendors will be in the short run, Ferris and other analysts said, because so few businesses currently have top-to-bottom spam protection in place and because spam leads the way in hot-button topics in IT."
"There's a tremendous amount of money to be made by anti-spam vendors," says Maurene Caplan Grey, a research director with Gartner, pointing out that anti-spam products are a relatively easy sell. But that opportunity won't last forever. By the end of next year, Grey expects to see a vast majority--80%--of organizations with enterprise-quality spam filtering tools in place at the perimeter of the network. "The anti-spam market is changing, the technology is changing," she said. "It's hardly penetrated today, but it's soon to be saturated."
Who is spamming now?
2003 SPAM AWARDS - PC World 12/15/2003 by Tom Spring
Top spam trends, tricks, and tips that have surfaced in the past year.
http://www.pcworld.com/news/article/0,aid,113871,tk,wb121503x,00.asp
"Seven billion commercial e-mail messages crossed the Internet daily in
2003, easily breaking all previous spam records. And despite new laws, and ISP
suits against spammers, the amount of junk e-mail transmitted daily is forecast
to hit 9 billion in 2004, according to antispam software maker Brightmail. Today
about half of all e-mail is spam, the firm reports."
According to Roger Matus, Chief Executive for Audiotrieve, the makers of the
InBoxer anti-spam filter:
"Don't throw away your anti-spam filter. Since 83.5% of spam comes from disreputable
sources that may skirt or ignore CAN-SPAM, you can expect to keep seeing most
of the spam you see today."
(An FTC study reported that only 16.5% of spam comes from sources that are legitimate
advertisers offering legal products.) This makes legislative methods of spam
prevention look like they might not be totally effective, since there are already
laws in place which most spammers are breaking.
COULD THE BAD GUYS WIN ON SPAM? - eWEEK 12/5/2003 by Larry Seltzer
http://www.eweek.com/article2/0,4149,1403354,00.asp
"Spam and mail-based attacks are coming to dominate Internet e-mail. Nothing seems able to stop them, and some days it's rare to find real mail among the spam. Could it come to the point that it's not worth dealing with e-mail's problems?
On some days, life in the security business is more depressing than on others. My recent reading about Mimail.L, the latest in a long line of sociopathic worms, tipped me into the blues.
Mimail.L is particularly vile. Here are some of the actions it takes:
* It arrives as a pornographic e-mail with an attached ZIP file purporting to contain dirty pictures. That file contains a file with a .jpg.exe extension, so if someone runs it to see the picture they actually infect themselves. As always, this subterfuge works far more often than I'd like to think, but so far it's just a run of the mill worm.
* It scours the hard disk for e-mail addresses and stores them in a file named xu298da.tmp in the Windows folder. It then mails itself out with the same porno message to these addresses.
* If there's a problem sending that mail, it instead tries to send a different message without the attachment. This fallback message says that the recipient's credit card has been charged for a purchase of child pornography. It directs the reader, if they want to cancel, to contact security@europe.spamhaus.org.
* The message also lists more than half a dozen sites as places you can get more kiddy porn, including Disney.go.com, Spamcop.net and Spews.org, and attempts to perform a denial of service attack on these sites.
So, not only is this a particularly offensive worm, but it specifically attacks anti-spam sites! Do the authors of the worm have a particular problem with these groups? Perhaps, or maybe it's just more anti-social behavior. They also attack Register.com, but I doubt they're opposed to domain name registration on principle.
As I've said before, I don't think such solutions are practical without the kind of massive technical changes to the Internet that could end spam without such fees. What it really comes down to is enforcing authentication on all e-mail users. There are systems for bolting authentication onto SMTP, but if it can't be made mandatory, then it doesn't matter."
What are the predictions for the future?
INCIDENCE OF SPAM, VIRUSES, AND FRAUDULENT EMAIL ATTACKS TO INCREASE DRAMATICALLY IN 2004 - Press Release 12/17/2003
Postini, Inc. Announces Top Spam Predictions and Trends for the New Year
http://www.postini.com/press/pr/pr121703.html
Spam will increase as a total percentage of email from more than 50 to more
than 75 percent. Directory harvest attacks will be on the rise while most victims
won't realize they've been attacked. And anti-spam legislation alone will not
be effective in stopping spammers. These are just a few of the insights and
predictions gleaned from an independent analysis of the over 30 billion emails
processed this year by Postini, Inc., the leading provider of email security
and management services for the enterprise.
Currently, the company processes over 1 billion email messages per week, and
quarantines 80 percent of the messages as spam or viruses for leading corporations
and enterprises, making Postini the fourth largest processor of email after
AOL, MSN and Yahoo!
Based on a comprehensive set of processing technologies and advanced heuristics
and analysis capabilities, Postini has developed a full set of spam and email
security predictions for 2004:
Postini's Top Ten 2004 Spam and Email Security Predictions
1. Spam will increase as a total percentage of email from more than 50 to more
than 75 percent.
2. Directory harvest attacks will continue to increase dramatically while most
victims won't realize they've been attacked.
3. "Phishing" fraudulent email used to steal the recipient's identity information
will rise significantly as well, recasting spam as a damaging activity rather
than a nuisance.
4. Legislation alone will not be effective in stopping spammers.
5. Technology will play the key role in protecting email users from spam.
6. Internet users and IT managers will face the much-anticipated "Sobig.G" variant
of one of the highest volume viruses of all time.
7. Corporations will begin to adopt managed perimeter defense services to protect
employees from offensive spam attacks.
8. Spam and virus protection will continue to be critical email management issues.
9. IT Managers will implement much more restrictive use policies for how employees
use email in an effort to reduce the burden of spam.
10. Regulatory compliance will continue to drive the need for outbound email
filtering by enterprises.
Another Prediction:
SPAM, VIRUS WRITING MAY COME UNDER MAFIA CONTROL - Security Wire
12/17/2003 by Sandra Kay Miller
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci941744,00.html
"Will the recent introduction of antispam legislation result in the creation of a "spam underworld"? Eugene Kaspersky, cofounder of Kaspersky Lab and head of its antivirus research thinks so. While people in the United States generally associate the word "mafia" with Godfather and Soprano style gangsters, Kaspersky used the words "organized crime" with no reference to any specific gangs, but as a general term. However, the Russian researcher fears that modern Internet criminals may fall under control of traditional organized crime or worse yet, become organized into a new style of mafia -- virus writers and hackers who work for spammers to provide illegal proxy-servers."
MAFIA RECRUITING SPAMMERS, CRACKERS, AV CHIEF WARNS - Register
12/9/2003 by John Leyden
http://www.theregister.co.uk/content/55/34420.html
"Spammers, beware - organized criminals are positioning themselves to take a slice of your business. Virus writing - once the sole province of hooligans - has edged itself into the arena of organized crime with viruses like Sobig-F that are capable of setting up a spam-sending proxy network.
According to Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, criminal interest in spamming is growing with the advent of forthcoming laws that make spamming illegal."
Another Prediction:
ONLINE FINANCIAL CRIME HEADED FROM BAD TO WORSE - Washington Post
12/17/2003 by Brian Krebs
Tech Policy Year in Review
"In the annals of cybersecurity, 2003 should go down as one of the worst years ever, as hackers and spammers repeatedly demonstrated just how easy it is to use the latest software security holes, worms and viruses to attack businesses and trick unwitting Internet users into divulging their personal and financial information.
And 2004 could be worse. A hint of just how bad came this week when yet another flaw in Microsoft's ubiquitous Internet Explorer surfaced. The flaw gives criminals the ability to control what is displayed in the address bar in a victim's browser window."
IE BUG LETS FAKE SITES LOOK REAL - CNET News.com 12/10/2003
by Paul Festa
http://zdnet.com.com/2100-1105_2-5119440.html
"Microsoft on Tuesday said it was looking into reports of a potential bug
in its Web browser that could help malicious hackers design convincing Web site
spoofs.
The bug, according to security alerts by a bug hunter and a Danish security
company, Secunia, could let hackers use a technique to display a false Web address
on a fake site.
Secunia credited the bug to "Zap the Dingbat," who posted an alert to the Bugtraq
security mailing list. That alert links to a demonstration of the exploit, and
says Microsoft was informed of the bug Tuesday."
The flaw, first aired by "Zap the Dingbat" on the Bugtraq mailing list, allows scamsters to hide the true Internet address of a Web page on IE's address bar.
http://www.ecommercetimes.com/perl/story/32405.html
"Indeed, if marketers in cooperation with law enforcement officials, policymakers, and the service providers that comprise the backbone of e-commerce fail to enforce the spam law we fought so hard to pass, we could see the creation in 2004 of a government-run national do-not-e-mail registry similar to that now in place at the FTC for unwanted telephone solicitations. That would be a spike in the heart of 'good' e-mail marketing while doing virtually nothing to stop the 'bad' stuff. In short, 2004 is going to be another challenging year for marketers who employ e-mail."
- H. Robert Wientzen,
President & CEO,
Direct Marketing Association
"We will probably also see a fair amount of confusion as to the applicability of foreign spam laws on US companies. Many countries, including members of the European Union, and (more recently) Australia, have spam laws on the books that differ from CAN SPAM. In a borderless medium (the internet), we may find international standards to be a growing concern for email marketers."
- J. Trevor Hughes
Executive Director
Email Service Provider Coalition
Legislature/legal
Lawsuits:
Need info on some of the state lawsuits.
Legislation & Government Agencies
Federal:
CAN-SPAM Act of 2003
THE FEDS TRY TO TAKE A KNIFE TO SPAM - USA TODAY 12/26/2003
by Eric Sinrod
http://www.usatoday.com/tech/columnist/ericjsinrod/2003-12-26-sinrod.htm
"The Feds try to take a knife to spam.
Finally, after years of consternation and debate, we finally have a federal law on the books that will attempt to grapple with the growing problem of unsolicited commercial email, not so affectionately known as "spam." President Bush has just signed into law the CAN-SPAM Act of 2003 (the Act). The Act likely will go into effect on January 1, 2004, will preempt all existing state statutes on the regulation of spam, and will authorize the Federal Trade Commission (FTC) and the states' attorneys general to enforce its provisions.
Problem solved?
Not so fast.
New standards for spam
The Act will not ban spam outright, but rather will create a set of standards that must be followed. For unsolicited commercial e-mail, the new regulations would:
Potentially liable parties
Potential liability under the Act is quite broad, as the Act implicates not only the individuals actually distributing the spam e-mails, but also extends to companies who procure their services. In fact, if a company knowingly permits a third-party spammer to act on its behalf, it is subject to prosecution under the Act. Thus, companies or individuals enlisting the services of e-mail distributors had better take care to ensure that e-mails being sent on their behalf by distributors are in compliance with the law.
Criminal and civil penalties
Violators of the Act can be subject to stiff criminal penalties, which include fines and up to five years in prison. Civil damages can amount to as much as $250 per spam e-mail, which can add up fast, as spam e-mails frequently are distributed to many thousands of people at a time. Moreover, aggravated violations can cause civil damages to be tripled. The Act empowers federal and state authorities, as well as Internet access providers, to institute civil actions against offenders.
"Do-Not-Spam" Registry
The Act further calls upon the FTC to develop a national "do not spam" registry comparable to the FTC's well-known "do not call" registry for telemarketers. The FTC has been given six months to submit a comprehensive plan to Congress for implementing the do not spam list, but the FTC has not been provided any real guidance as to how this registry is to be structured. The FTC is to implement the plan three months after review by several congressional delegates. The FTC is further charged with developing rules within 270 days to govern the transmission of unwanted mobile service commercial messages.
Home free?
At least we now will have one nationwide law governing spam, instead of the patchwork of varying anti-spam laws that have been adopted by more than half of the states. Furthermore, the new federal law clearly has teeth in terms of its criminal and civil penalties.
So, are our spam worries over? Of course not. Having a law on the books is one thing; effective enforcement of that law is another matter. Spammers frequently are offshore, making legal action and prosecution difficult. Even worse, spammers are very crafty in terms of how they send e-mail and how they move around on the Internet, thus making it very difficult to ascertain who actually is the true sender of particular spam. Accordingly, while having the new federal law on the books certainly is a step in the right direction, technological methods of blocking spam, like anti-spam filters, still need to be employed.
This article first appeared on Law.com."
Damages for falsifying the "from" line or other routing information would be unlimited. The legislation authorizes the creation of a national "do not e-mail" registry. For more information, go to thomas.loc.gov.
The new Federal CAN-SPAM law passed overwhelmingly in December, and went into effect on Jan. 1st, 2004. It supersedes, and in some instances weakens, state laws which had been enacted in 36 states, some of which were stricter. For instance, the California & Delaware laws that prohibit sending any unsolicited commercial e-mails are considered the stiffest. For more information on state laws, go to www.spamlaws.com.
"No legislation alone will solve the spam problem," said Brian Huseman, a staff attorney for the U.S. Federal Trade Commission (FTC), the federal agency charged with enforcing the antispam regulations. "One of the reasons is because it's very difficult to apprehend spammers and it's very resource-intensive for law enforcement officials to not only pinpoint spammers but to also build the case needed for punishing them."
Along with the systemic difficulties in apprehending and punishing those who send spam, the differing approaches that the laws in the U.S. and Europe take to combat spam also make fashioning an international approach to the borderless nature of spam problematic.
The bill, which is to become law on Jan. 1, caps a four-year effort by Congress to set a policy for Internet-related commerce - an area in which Washington policy makers have been hesitant to interfere.
Antispam laws made little legislative progress until this year, when pressure from companies like Time Warner and Microsoft and an emerging body of state laws prompted marketing groups to drop their opposition to any regulation of e-mail and join negotiations for a national law. Spam, once a minor nuisance, has grown exponentially to more than half of all e-mail traffic, driving up the technology-related costs of dealing with it.
WASHINGTON -- The U.S. House of Representatives on Monday gave its final approval to the Can Spam Act of 2003, sending the bill to the White House for President Bush's promised signature. Passage of the bill is likely to benefit American Express Company, among several other private and public companies, according to a recent Opt-In News report by analyst Kathy Elek. To view the article, go to http://www.optinnews.com/read-article.php?id=2028
US FEDERAL E-MAIL LAWS ALLOW LEGITIMATE CRM - Wise Marketer
12/9/2003 by Robin Clark
In the US, new Federal legislation designed to help stop the continuing onslaught of unsolicited commercial e-mail is threatening to change the working practices of many businesses that conduct e-mail marketing campaigns, or use e-mail to keep in touch with their customers and sales prospects. But legitimate customer relationship management (CRM) seems to be exempt...
The US House of Representatives has passed the Senate Bill S877, with amendments (entitled 'Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003'). Congressional findings pointed to the fact that e-mail is relied upon by millions of Americans, and that e-mail abuse has grown to account for more than 50% of all messages (up from only 7% in 2001).
The official findings also make mention of the fact that there are costs associated with the problem, and that deleting it sometimes causes normal (wanted) e-mail to be discarded as well. As a result, "there is now a substantial government interest in regulating commercial electronic mail on a nationwide basis" (Section 2(b)(1), Senate Bill 877).
Exclusions
The bill makes much of 'affirmative confirmation' (the new official name for 'opt in'), putting the often-used technique of 'negative opt-in' (where users have to take some specific action to be opted out) in the line of fire.
___________________________________
REPUBLICAN CONGRESS LEGALIZES SPAM - A Clue 12/5/2003
by Dana Blankenhorn
http://www.a-clue.com/archive/03/cl031208.htm#story5
"It's called an act "against spam," <http://www.nytimes.com/2003/11/26/technology/26spam.html>, but the new U.S. anti-spam bill actually legalizes spam.
The bill, as passed, puts some minor roadblocks in front of "e-mail marketers," but if they "promise" to respect unsubscribes, if the offer is legal, and if they capture names through a "legitimate" transaction (which could be with a third party "list broker") they're free to spam all they want.
We're already seeing major companies become much more aggressive about "harvesting" your e-mail address. Kinko's sent me a spam recently, offering a discount if I gave them the e-mail address they already had. My credit card company (which prides itself on being ethical) just sent me a spam allowing me to "view my statement" and even pay online. (No, they didn't ask for prior permission.) Companies are asking for (and will soon demand) your e-mail address whenever you do business with them.
Consumers can fight this abuse easily with cheap software like Mailwasher <http://www.mailwasher.net>. Just add the corporate spammers to your personal blacklist, and make sure you wash all your mail before allowing it into your inbox.
The bigger problem is faced by the Internet infrastructure. While "normal" hoser spam (fake addresses, fake offers) was made illegal (guaranteeing it will simply move beyond the reach of U.S. law) there are hundreds of big companies, sending spam without permission, who will be able to take spam blocklists to court for stopping their "legal" e-mail. The flood of "marketing" to be unleashed will also further delay the delivery of regular (one-on-one) mail. It will dramatically raise the bandwidth costs of every ISP and their customers, meaning higher prices for basic Internet service and web hosting (even if you never use e-mail marketing). One result may be that you will be charged an extra fee (call it the Bush Tax) for having an e-mail address, as opposed to mere HTTP access."
State:
California:
YOU MAY ALREADY BE A LOSER - Reason 12/8/2003
by Walter Olson
Correcting California's antispam mistake
http://www.reason.com/hod/wo120803.shtml
see notes for more
The "CAN-SPAM" Act, which recently sailed through both houses of Congress and is expected to land soon on President Bush's desk, has drawn bitter criticism from many antispam activists because it 1) doesn't ban unsolicited commercial email as such; 2) reserves enforcement for public agencies and internet service providers rather than giving individual email users a right to sue; and above all, 3) would replace and override antispam laws now in effect in 37 states, most notably a new California law which would let individual email users sue for $1,000 over each unsolicited email. One activist group has dubbed the federal bill "the 'YOU-CAN-SPAM' Act because it legalizes spamming instead of banning it."
But whatever CAN-SPAM's other merits, its override of the new California law is well justified. That measure signed into law two months ago by then-Gov. Gray Davis and set to take effect Jan. 1 unless Congress overrides it would load punitive burdens on businesses not just in the Golden State but across the country, while shutting down uses of email that are in fact welcome to most recipients. If experience with similar laws is any indication, it would also unleash bounty-hunting lawyers who'd concentrate their efforts not on the fly-by-night spam operations that clog most users' inboxes, but on extracting money from legitimate concerns that weren't intending to break any law.
The trouble with the new California law starts with its broad definition of spam. Most unwanted bulk email is sent blindly to thousands, even millions of recipients. Under the Senate version of CAN-SPAM, as few as 100 emails sent within 24 hours can constitute bulk mailing. Amazingly, California lawmakers set no threshold at all: they explicitly contemplate liability for "a single [uninvited] transmission or delivery to a single recipient". (Think twice before sending an email to someone whose business card you picked up at a convention.) Again unlike the federal version, the California law specifies that its ban on "commercial" solicitations applies to emails from nonprofit entities and to those seeking the uncompensated "gift offer" of goods or services. Implication? It could break the law to send a single uninvited email urging a Fresno or Fontana neighbor to volunteer time or pretzels for a community association's block party.
I DON'T SEE ANYONE DANCING - DM News 12/1/2003 by Tad Clarke
The California law, which would have gone into effect Jan. 1, made it necessary for Congress to step in. It would have created a multitude of problems, including banning ad-supported e-mail newsletters -- something unintended, but uncorrected, by the bill's author. A national anti-spam law will overrule three dozen state laws and create one unified code for everyone to follow. Anti-spam activists contend that the new law will do more damage than if Congress had done nothing at all because it will encourage companies to send more e-mail. This will be hard to prove, but since spam is increasing every day I'm sure we'll be hearing them say, "I told you so," very soon.
Still, something needed to be done, especially with studies saying spam makes up 50 percent of all e-mail and costs businesses $10 billion a year in lost productivity, server space and software to filter out. On top of that, 15 percent of "good" e-mail is being silently sidelined as ISPs and companies tighten the noose on their spam filters. That's not good for anyone if we're to get beyond this mess of porn, cheap mortgage rates and sexual aid crud filling our in-boxes. The law also will include a provision requiring the Federal Trade Commission to recommend how to set up a national do-not-spam list even though the FTC has said such a list won't work because rogue spammers will simply ignore it. Just watch the fireworks fly if a spammer ever hacks into that list.
Technical
Stopping incoming spam
6 WAYS TO FIGHT SPAM - Bankrate 12/22/2003 by Pat Curry
http://www.bankrate.com/brm/news/advice/20031222a1.asp
There are some tactics that e-mail users can use, and that the Pew Project says many people are already putting into place. Here are six you can try:
Protect your address
Be choosy about handing out your e-mail address. A $50 e-mail harvesting program is one of the primary tools in a spammer's business. Designed to crawl through chat rooms, Usenet groups and Web sites, including company directories, it looks for the ubiquitous @ symbol that denotes an e-mail address. Almost 70 percent of the e-mail users surveyed by the Pew Project say they avoid putting their addresses on the Internet for just that reason. If your ISP has a member directory, opt out of it.
One alternative is to spell out your address without using the @ symbol to keep it from being harvested.
"The trick is to make it readable by a human but make a squeegee look at it and say, 'I don't know what that is,'" Strickler says. "It's not a perfect system, but the harder you make it, the less likely you'll be a victim."
Be creative in your e-mail address
Among the latest tools used by spammers are dictionary attacks. These are the electronic version of a telemarketer's auto-dialer, which puts together every possible combination of numbers and keeps dialing until someone picks up the phone. A dictionary attack puts together logical combinations of letters and numbers and blasts out millions of e-mail messages with the hope that a fraction of them will actually find their way to mailboxes.
Never, ever respond to spam
They've all got "opt-out" messages with instructions on how to be deleted from the subscription list. By responding to those messages, you've only confirmed that you have a valid e-mail address, Strickler says. That information is regularly sold between spammers, and will increase the flood exponentially.
Don't open spam messages
A special tag in the file lets the spammers know if it's been opened. "That's like a giant Nielsen rating," Strickler says. "They want you to open it because it flags you as a real, live person."
Use disposable e-mail addresses
Many people set up free accounts with services such as Juno and Hotmail to enter sweepstakes, fill out surveys, or order products online. Once that junk e-mail address gets too full, they can just shut it down. Williams compared these accounts to having a public versus an unlisted phone number, with the unlisted number only being given to the people you really want to talk to.
Use an anti-spam filter
Most major ISPs provide their customers with this service. If yours doesn't, you can purchase your own from such providers as McAfee or Symantec (the makers of Norton Anti-Virus).
A combination of these strategies should help you reduce the deluge to a more manageable trickle. Strickler compares it to catching a cold -- you can't avoid them completely, but you can do a lot to reduce the risks.
"Getting off e-mail lists is functionally impossible," Strickler says. "But there are things you can do to ward it off."
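The "special tag" in "Don't open spam messages" above is a remote image (a web bug) whose URL carries a per-recipient token; the same token usually sits in the "opt-out" link, which is why clicking it confirms the address. The following is an added example, not code from the Bankrate article or from this page, that scans a constructed HTML message body and reports both kinds of beacon. The tracking host, the token and the message text are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed body of a hypothetical HTML spam message. The tracking host
# track.example.net and the token a1b2c3d4 are made up for the example.
SAMPLE_MAIL = """
<html><body>
<p>Refinance today at the lowest rates!</p>
<img src="http://track.example.net/open.gif?r=a1b2c3d4" width="1" height="1">
<img src="cid:logo123" alt="company logo">
<p><a href="http://track.example.net/remove?r=a1b2c3d4">Click here to be removed</a></p>
<p><a href="http://www.example.org/">Our site</a></p>
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Collects elements that report back to the sender when the message
    is rendered (remote images) or clicked (links carrying a token)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if not src.startswith(("http://", "https://")):
                return  # inline (cid:) or data: images do not phone home
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            tokened = bool(parse_qs(urlparse(src).query))
            if tiny or tokened:
                self.findings.append(("web-bug", src))
        elif tag == "a":
            href = a.get("href") or ""
            if href.startswith(("http://", "https://")) and parse_qs(urlparse(href).query):
                # A per-recipient token in the URL means the click itself,
                # including an "unsubscribe" click, confirms the address.
                self.findings.append(("tracked-link", href))


def find_beacons(html):
    """Return (kind, url) pairs for every beacon found in the HTML body."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, url in find_beacons(SAMPLE_MAIL):
        print(kind, url)
```

On the sample the inline `cid:` logo and the plain site link are ignored; the 1x1 remote image and the tokened "remove" link are reported. This is the check a mail client performs when it offers "don't load remote images": the open is only counted if the image is fetched.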
Main Methods to remember
Safeguarding your e-mail address
The best way to ensure you get little or no spam is to stay off spammers' e-mail lists. The best way to do this is to know the ways in which they obtain addresses, and to share your e-mail address only with those with whom you want to correspond.
As a standard practice, don't post your personal e-mail address on the web, or let anyone else post it. Instead, use a contact form for the initial contact if you want new people to be able to reach you. Your business card can carry the web page address. If you want to take it one step further, reply to these people from a return address that is an autoresponder, which replies instantly with a link to the contact form.
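To make the harvesting described in "Protect your address" above and in this section concrete, here is an added example (not code from the Bankrate article or from this page) of the two sides of it: a harvester that keys on the @ sign, and the same harvester after it learns the "name at example dot com" spellings. The sample page and every address on it are constructed for the example.

```python
import re

# Constructed sample page for the example; none of these addresses or
# hosts are real.
SAMPLE_PAGE = """
<html><body>
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: support at example dot com</p>
<p>Press: press [at] example [dot] org</p>
<p>Webmaster: <a href="/contact">use the contact form</a></p>
</body></html>
"""

# What a harvester keys on: something that looks like a local part, the
# @ sign, and a dotted domain.
PLAIN_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The common "spelled out" forms: "at"/"dot" as whole words, optionally in
# brackets, squeezed between two word characters. Requiring whole words
# keeps ordinary prose such as "that" intact.
SPELLED_AT = re.compile(r"(?<=\w)\s*[\[({]?\s*\bat\b\s*[\])}]?\s*(?=\w)", re.I)
SPELLED_DOT = re.compile(r"(?<=\w)\s*[\[({]?\s*\bdot\b\s*[\])}]?\s*(?=\w)", re.I)


def harvest_naive(text):
    """Addresses a harvester finds by looking for a literal @ sign."""
    return sorted(set(PLAIN_ADDR.findall(text)))


def harvest_aware(text):
    """The same harvester after decoding the 'at'/'dot' spellings first."""
    decoded = SPELLED_DOT.sub(".", SPELLED_AT.sub("@", text))
    return sorted(set(PLAIN_ADDR.findall(decoded)))


if __name__ == "__main__":
    print("naive:", harvest_naive(SAMPLE_PAGE))
    print("aware:", harvest_aware(SAMPLE_PAGE))
```

The naive pass finds only the mailto: address; the aware pass also recovers both spelled-out ones. The one contact on the page that neither pass can take is the webmaster's, because there is no address on the page at all, only the contact form, which is the point of the practice recommended above.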
Filtering and Blocking
Anyone can easily block a sender in most e-mail programs. There are two problems with this:
1.- Most spammers send each new mailing from a different sending address, so blocking that address is like locking the barn door after the horse has gotten out. You were never going to get another e-mail from that address anyway.
2.- It does nothing to solve the waste of Internet resources. The e-mail still goes out and is still received by your server; you just don't see it.
There is a seemingly endless supply of filtering software available today, as supply meets the almost limitless demand…. (add more here)
One method is whitelisting, or only accepting e-mails from known sources. This can really stifle open communication, and lead to many missed opportunities.
AOL has recently incorporated much stricter filtering and blocking in their e-mail delivery. They depend heavily on a whitelisting technique of requiring the sender's address to be in your address book to ensure delivery. One downside of this is that it plays right into the hands of the virus writers, who love to have big address books to play with: a worm that mails itself from an address already in the book passes this check.
Need a good section on blacklisting.
Opt-out
You actually can opt out of the lists of reputable companies and e-mail newsletters. But these are probably lists that you opted into, and want to stay on. It is usually a bad idea to try to opt out of a list that seems to come from an illegitimate source. First, it will just confirm that yours is a deliverable address, and second, if in fact they do take you off their list, your name will be passed on to the next one. Once on one of these lists, unless you have a really good filter, you might as well just get a new e-mail address and start over.
Identifying the spammer
More info on reading Headers, etc., see www.spam.org
This identification will allow you to better report the spam to authorities if that becomes necessary. Spam can always be easily reported straight to the FTC by simply forwarding the spam to UCE@FTC.GOV
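Reading the headers is also where filtering and blocking (above) has to start, because the From: line is whatever the spammer typed. The following is an added example, not code from this page or from www.spam.org, that walks the Received: chain of a constructed message, takes the connecting IP from the one hop our own server wrote, turns it into a DNS blacklist query name, and applies a whitelist and the blacklist result in turn. Every host, address and the "listed" set are made up; the DNSBL zone name zen.spamhaus.org is a real Spamhaus zone used here only to show the query form, and the lookup itself is replaced by an injected function so the example runs offline.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message. The top Received: line is the one our own MX
# (mx.example.com, assumed) wrote; the second was supplied by the sending
# host and could say anything. All hosts and addresses are made up.
RAW_SPAM = """\
Received: from mail.bigisp.example (dsl-203-0-113-45.bigisp.example [203.0.113.45])
\tby mx.example.com (Postfix) with SMTP id 7F2A1; Mon, 8 Dec 2003 10:01:02 -0500
Received: from trusted.bank.example (trusted.bank.example [198.51.100.7])
\tby mail.bigisp.example with ESMTP; Mon, 8 Dec 2003 09:59:00 -0500
From: "Friendly Lender" <offers@bank.example>
To: victim@example.com
Subject: Lowest mortgage rates

Rates have never been lower. Reply "remove" to be deleted from our list.
"""

# Constructed stand-in for a DNSBL zone: the names it "lists". A real
# lookup would be socket.gethostbyname(name); an answer means listed and
# socket.gaierror means not listed.
FAKE_DNSBL = {"45.113.0.203.zen.spamhaus.org"}

# Whitelisting on From: alone is only as strong as From: is hard to forge,
# which is not at all; treat it as a convenience, not a gate.
WHITELIST = {"alice@partner.example"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw, our_host):
    """IP of the host that handed the message to our_host.

    Each hop prepends its own Received: line, so the first line whose
    'by' clause names our own server is the only hop we can trust; the
    lines below it were written by the sender's side and may be forged."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold continuation lines
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", line, re.I):
            m = IP_IN_BRACKETS.search(line)
            return m.group(1) if m else None
    return None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL convention: the octets reversed, under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(raw, our_host, listed):
    """Decide on a message. listed(name) -> bool stands in for the DNS
    lookup so the example runs offline."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST:
        return "accept:whitelist"
    ip = connecting_ip(raw, our_host)
    if ip is None:
        return "tempfail:no-trusted-received"
    if listed(dnsbl_query_name(ip)):
        return "reject:dnsbl"
    return "accept"


if __name__ == "__main__":
    print(connecting_ip(RAW_SPAM, "mx.example.com"))
    print(classify(RAW_SPAM, "mx.example.com", FAKE_DNSBL.__contains__))
```

Two things the sample shows: the second Received: line names a respectable-looking bank host, and nothing about it can be checked, so it is ignored; and the address that ends up on the blacklist query is the broadband client that actually connected, which is the one thing in the message the spammer could not choose. Blocking offers@bank.example would have been the "locking the barn door" case from the filtering section.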
Read more about this to see if it might be effective:
AVECHO: CALLER ID FOR THE INTERNET TO STAMP OUT SPAM
- PR Newswire 12/10/2003
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK2.story&STORY=/www/story/12-10-2003/0002073087&EDATE=WED+Dec+10+2003,+10:25+AM
"COLCHESTER, England -- A UK firm today is calling for the creation of caller ID for the internet to curb spamming and other illegal activities online. This caller ID methodology is known as truePIN and supports new US and European regulations to combat spam. It is widely recognized that these new regulations alone are not an effective way to stop spam."
Without doubt, a good technical solution to the anonymity that is possible today when sending e-mail will be a key component of the long-term solution to the spam problem.
Stopping Outgoing spam:
Open Relays
Need more info on open relays
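An open relay is a mail server that accepts a message from any client for delivery to any domain, which is what lets a spammer hide behind it. The following added example (not code from this page) is a miniature SMTP responder showing the decision a server must make at RCPT TO and the classic three-command probe used to test for it. The local domain, the office network and the client addresses are assumptions made for the example.

```python
import ipaddress

# Assumed deployment: the server is the MX for example.com and sits in
# front of the 192.0.2.0/24 office network. Both values are made up.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def relay_allowed(client_ip, authenticated, rcpt):
    """The decision taken at RCPT TO. A server is an open relay when it
    returns True for a foreign domain to a client that is neither local
    nor authenticated."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True  # inbound mail for our own users: always accepted
    if authenticated:
        return True  # SMTP AUTH succeeded: a known user may send anywhere
    return any(ipaddress.ip_address(client_ip) in net for net in LOCAL_NETS)


def smtp_session(client_ip, authenticated, commands):
    """Tiny SMTP responder covering just enough of the dialogue to show
    the relay probe. Returns one reply line per command."""
    replies = []
    for cmd in commands:
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.com")
        elif verb == "MAIL":
            replies.append("250 2.1.0 Ok")  # the envelope sender is not checked here
        elif verb == "RCPT":
            rcpt = cmd.split(":", 1)[1].strip().strip("<>")
            if relay_allowed(client_ip, authenticated, rcpt):
                replies.append("250 2.1.5 Ok")
            else:
                replies.append("554 5.7.1 Relay access denied")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("502 5.5.2 Command not implemented")
    return replies


# The relay probe: an outside client asks us to deliver to an outside domain.
PROBE = [
    "HELO probe.outside.example",
    "MAIL FROM:<probe@outside.example>",
    "RCPT TO:<victim@elsewhere.example>",
    "QUIT",
]


if __name__ == "__main__":
    for cmd, reply in zip(PROBE, smtp_session("203.0.113.9", False, PROBE)):
        print("C:", cmd)
        print("S:", reply)
```

A server that answers 250 to the third command of the probe from an arbitrary Internet address is an open relay; the correct answer is the 554 shown, while the same probe from the office network or over an authenticated session is accepted because those clients are the server's own users.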
HACKERS STEAL FROM PIRATES, TO NO GOOD END - New York Times
12/8/2003 by John Schwartz
The people who design rogue programs that take over computers from afar are now applying the tactic that made music pirating programs so effective -- and the Internet may never be the same.
http://news.com.com/2100-12_3-5116130.html
"The rogue programs, known generically as "Trojan horses," have enabled pornographers and others to mask their identities by using unwitting people's computers as relay stations. It had been assumed that diligent investigators could ultimately shut down a system by identifying the server computer used as the initial launching pad. But now a researcher has determined that a new kind of Trojan horse could make the systems virtually unstoppable.
Joe Stewart, a computer expert at Lurhq, a security company based in Chicago, said that he discovered this new phase in the evolution of Trojan horse programs while taking apart a program called Backdoor.Sinit, which has been circulating on the Internet since late September. Sinit, Stewart said, does something unexpected: It uses the commandeered machines to form a peer-to-peer network like the popular Kazaa program used to trade music files. Each machine on the network can share resources and provide information to the others without being controlled by a central server machine."
A THIRD OF SPAM SPREAD BY RAT-INFESTED PCS - CNET News.com
12/3/2003 by Munir Kotadia
http://zdnet.com.com/2100-1105_2-5113080.html
"Nearly one-third of all spam circulating the Web is relayed through PCs that have been compromised by malicious programs known as Remote Access Trojans, according to Sophos, an antispam and antivirus company.
Graham Cluley, a senior technology consultant for Sophos, said Wednesday that the increasing use of broadband Internet connections and a general lack of security awareness have resulted in about one in three spam e-mails being redirected through the computers of unsuspecting users. 'There are lots of people on cable modems and broadband connections that haven't properly secured their computer,' he said. 'They don't know it, but their PC is being used as a relay for sending spam to thousands and thousands of other people. We believe that 30 percent of all spam' -- or unsolicited commercial e-mail messages -- 'is being sent from compromised computers.'"
Policy
Reporting to ISP
Internet Service Providers can make up their own rules and regulations. A responsible ISP will have developed an acceptable use policy and will hold its users to it; its requirements can be equal to or stronger than the legal ones. Reporting to the ISP first requires identifying where the spam came from, which means reading the headers, not the From: line. (See "Identifying the spammer" above.)
Economic
As stated above, the cost of sending e-mail compared with other advertising is so low that it is extremely tempting to get involved in it. Unscrupulous advertisers won't be switching to mailing out pamphlets anytime soon. One way to cut off the unwanted flow is to increase the cost of it to the sender.
What is the best plan for the future, and who will see that it happens?
One Opinion:
BILL TO STOP E-MAIL SPAM WILL DO JUST THE OPPOSITE
- Detroit Free Press 12/10/2003 by Mike Wendland
http://www.freep.com/money/tech/mwend10_20031210.htm
"The anti-spam bill passed by Congress on Monday is destined to be about as effective as those sexual enhancement products touted in the junk e-mail that clogs the world's in-box.
In fact, what it most likely means is you'll get even more spam come next year -- from more people and on more devices, like cell phones, pagers, and those ubiquitous personal digital assistants that people carry around for mobile communications.
Congress calls it the CAN-SPAM Act; that's shorthand for Controlling the Assault of Non-Solicited Pornography and Marketing. But the anti-spam movement, which pleaded in vain with the politicians to put some real teeth in the legislation, calls it the Yes, You Can Spam Act."
SPAM PROBLEM WILL BE SOLVED SOON BY THE NETWORKING INDUSTRY, NOT BY NEW LAWS, SAYS NETSEDGE RESEARCH GROUP - Business Wire
12/10/2003
"LOS ALTOS, Calif. -- The federal government cares a lot about spam but can do little to solve the problem. This week's efforts by Congress to push its Internet spam bill through will have insignificant results on e-mail spam. "New laws haven't been the key to any Internet breakthrough to date," said Peter Christy, principal at NetsEdge Research Group, "and it won't for Spam either. Spam can and will be solved by the actions of the Internet community."
A new NetsEdge Research report -- "2004 -- The Year That Spam Gets Solved" -- discusses and analyzes the disruptive changes in the spam control market that will turn the tide against the spammers. This report analyzes the considerable technical and business developments that have occurred in the last 6-12 months and the catalyst events that are expected to take place which will change the network of spam blocking from filter based systems to a network-centric approach. The analysis shows how new network-oriented spam control subsystems will soon be available and dramatically turn the tides in the spam war, providing much greater effectiveness and efficiency than the existing content filtering solutions.
'If Spam filtering was really working, you would expect to see Spam volume diminishing because Spamming was less productive, rather than continuing to grow,' said Christy. 'Effective Spam solutions will change the economics of being a Spammer and drive a lot of them out of the business. That will clearly be the outcome of network-centric solutions.'"
CAN SPAM ACT LIKELY TO INCREASE RECORD LEVELS OF SPAM
- Messagelabs Press Release 11/30/2003
http://www.messagelabs.com/news/pressreleases/detail/default.asp?contentItemId=614&region=
"As a global company that scans 30 million emails a day for 7,500 companies worldwide, we believe this legislation is another tool in the arms race against spam. Yet, if signed into law as is, it could increase already growing volumes of spam and adversely affect consumers and businesses in a number of ways:
1. The legitimate marketers, who helped craft the legislation, and known spammers have publicly voiced excitement about this legislation and cited an increase in orders for online marketing campaigns that use spam.
2. For years, computer users have been advised against opening or replying to unsolicited emails. By opening emails and their various attachments, users run the risk of infecting their computers with mass mailing viruses such as Sobig.F that have been responsible for the doubling of spam over the last six months. By replying to mails sent by malicious spammers, users are validating their email addresses, thereby setting themselves up as a live target to receive additional illegal or legal spam.
3. A do-not-spam registry, if it were to be created, poses significant privacy and security challenges and risks. We have every reason to believe that a national database with multiple layers of security protecting millions of email addresses could be compromised at some point in the future.
"Unfortunately, considering that two thirds of all spam is now being sent illegally through open proxies created in part by viruses specifically designed to establish networks of spam-relay machines and that increasing amounts of spam and online scams are being sent from cyber cafes in Russia, China and elsewhere where criminals are immune to U.S. laws--we don't believe this legislation will prove effective at protecting consumers or businesses from the growing problem of spam."
MICROSOFT PLOTS AGAINST SPAM - Technewsworld 12/1/2003
by Mark Street & David Neal
"Microsoft is promoting the use of whitelists -- lists of trusted addresses -- as a credible way of identifying users. However, spammers are becoming increasingly adept at spoofing identities. Microsoft (Nasdaq: MSFT) hopes to take the lead against spam by instigating a network of authentication authorities to identify the authors of e-mails. The software giant said better user identification is essential and it would like to see the emergence of numerous certification authorities to deal with the issue."
"Have you ever noticed that you don't get any junk mail through FedEx? Security Center Editor Larry Seltzer suggests that while making senders pay for messages would likely solve the spam problem, we just can't figure out the right way to do it." -- from "Should Senders Pay for the Mess We Call E-Mail?", by Larry Seltzer, September 18, 2003.
I think that what has become clear is that there are two key points now keeping spammers in business:
1. The low cost of sending bulk e-mail, and
2. The possibility of senders remaining anonymous.
Eliminating one or both of these would most likely solve or greatly relieve the spam problem. How to do it is still up for discussion. Increasing the cost may be done in one of two ways:
1. Increase the cost of sending e-mail for everyone, or
2. Increase the cost of non-compliance with rules and regulations through fines, etc.
The anonymity issue may be the key in the long run. It is fairly obvious which e-mails are causing the problems, and existing regulations and policies would deal with most of the problem if the actual senders could be held personally accountable. This is mainly a technical solution, followed by enforcement.
Taking the long term view
What government can and can’t do:
Don't depend on users to solve the problem; all they want to do is use e-mail to communicate with people. Most people have no interest or inclination to understand all the technical details.
Don't depend on band-aid methods such as filters. Though necessary to maintain functionality today in many cases, filters in the long run seem to be doing more harm than good. Spammers work in more and more complicated ways to get around filters, and send even more e-mail, because they know that a smaller percentage is getting through to the end user. This puts more and more strain on the Internet's resources and wastes more bandwidth.
Consider it a worldwide problem, and develop rules and regulations that will work internationally.
What Internet and computer companies can do:
Work on security issues which allow spammers to hide and remain anonymous.
What the rest of us can do:
Best Practice
Protect yourself by keeping off the illegitimate lists.
If you send bulk e-mail, …keep informed of legislation, regulations, acceptable use policies, and accepted "good practices".
Complying with regulations and accepted practices
Complying with the new CAN-SPAM legislation
Complying with accepted "good practices"