Can Spam Be Canned?
Spam is the bane of Carmela Anderson's existence. Every week she must study the contents of hundreds of spams, looking for clues that might lead her to the senders. Every day the systems administrator of the Internet service provider she works for permanently blocks 15 to 20 addresses from sending more e-mail to its clients.A 1999 California law designed to squelch spam encourages ISPs to sue every time spammers route e-mail through their networks, clogging servers and harassing ISP customers who rarely want "The Internet Spy Guide" and other unsolicited offerings. The law also offers rewards: $50 per message, up to $25,000 per day from each spammer. That kind of money could help reimburse ISPs, which spend about $1 of every user's monthly fee to fight spam, according to a 1999 Gartner Group study.But Anderson and the owners of Redshift, the small Monterey, Calif., ISP where she works, have never taken spammers to court and have never seen much use for the state laws designed to protect them. "For us, the laws haven't really helped at all," Anderson says. "There's just too much spam, and it would cost too much to track spammers down and sue them. It's not worth the effort."Apparently that message hasn't trickled up to Congress, which is trying to enact a similar law on a federal level. After months of haggling, the sponsors of three anti-spam bills -- Heather Wilson, R-N.M., Gary Miller, R-Calif., and Gene Green, D-Texas -- have fused their ideas into House Bill 3113, which aims to eradicate spam by encouraging litigation. Called "Unsolicited Commercial Electronic Mail Act of 2000," the bill has picked up a total of 42 cosponsors and is expected to reach the House floor for a vote in early May, soon after the two-week Easter break.In its present form, 3113 closely resembles the California law, which is made up of three separate pieces of legislation that collectively give ISPs the right to sue spammers who use their networks in violation of posted anti-spam policies or who fail to announce their purpose with "ADV:" in the subject line.By offering a sweeter payoff, the federal law creates a greater incentive to sue. It carries penalties of $500 per message up to $50,000 per day per spammer found guilty. And it offers this financial carrot not just to the ISPs but to you, me and anyone else who receives spam. It also promises to eliminate a common defense spammers invoke against state laws: Spammers who live outside the state that they're being sued in often argue that the state spam laws limit interstate commerce in violation of the Constitution's commerce clause that gives only Congress that power.Ultimately, the bill "creates a large disincentive for spammers" -- one that could severely diminish the amount of spam in people's in boxes, says John Mozena, co-founder of CAUCE, the all-volunteer Coalition Against Unsolicited Commercial E-mail, and other proponents of the bill."It's going to curtail spam from a broad base of opposition," says Miller, who as a state legislator sponsored California's law that lets ISPs sue.But the people at Redshift and other ISPs say that a federal law can remove some hurdles to litigation, but not all. Spam will not disappear, they insist. A law "won't make a whole lot of difference," says David Sorkin, a spam expert and professor of law at John Marshall University in Chicago. Simply put, spam is too easy to make, say ISPs, and its creators are too hard to find and collect from. No matter the benefits, the cost of litigation remains too high."It's still easier to ban these spammers than to sue them," says Dennis Dayman, director of policy and legal and external affairs for SBC Communications, the parent company of Ameritech, Southwestern Bell, Cellular One and other regional telcos. It operates Pacific Bell in California, where Dayman says the company is looking into a handful of spam suits, but has not filed a single complaint. "These cases are very hard to prosecute," he says."As a practical matter, I'm not so sure a federal law would do us any good," says Kris Rallapalli, owner of Kepnet, a small ISP in San Jose. "Litigation would drag on for years and it would be too expensive."Of course, when anti-spam laws were proposed back in the mid-1990s, and as 15 states succeeded in passing them, few proponents of legislation imagined that the laws wouldn't be used. Indeed, an article in the San Jose Mercury News on Dec. 31, 1998, the day before the law took effect, reported that ISPs welcomed the measure, "and the opportunity to finally rid their systems of a costly problem." It went on to predict "swift enforcement" on the part of ISPs.At the time, few disagreed. "I was really psyched when the law first came out," says Nick Nicholas, former head of the e-mail abuse department of Pacific Bell Internet and the present director of policy and communications for Mail Abuse Prevention Systems LLC, a provider of spam-filtering technologies. "I thought, here's the legal tool that gives ISPs what they need to deal with the abuse of their property."But having a tool is one thing; finding an efficient way to use it is another. So far, few have bothered wielding California's legal weapons. More than a year has passed since the laws took effect and lawyers say only about seven spam-related suits have been brought: One was settled in small-claims court; two others were brought and settled by Yahoo, whose "Yahoo Mail" network was used by spammers; and four are pending.EarthLink and Pacific Bell, two of the largest ISPs in California, say they are looking into a handful of cases each, but neither has filed a complaint nor named the violators."We've been working on it, but we aren't sure what the burden of proof will be," says Dayman of SBC, explaining why the Pacific Bell division hasn't sued. "We don't know if it will be enough to show that the spam always came from the same home phone and that there were several credit cards and e-mails registered to that address."In other words, Dayman isn't sure if he can tie the spam to the spammer.This cat-and-mouse game of identification remains the largest hurdle to litigation. And ironically, despite his doubts, Dayman is closer to winning that game than he realizes. At least he's caught some personal information. Most serious spammers manage to completely avoid giving up such data, say systems administrators. On the Net, "It's just not that hard to hide," says Anderson at Redshift.Indeed, several options are available. Speed is one. Many spammers send thousands, even millions of e-mails from one address, then shut down quickly before someone like Anderson at Redshift blocks them, or before they're added to MAPS Realtime Blackhole List, which blocks all mail coming from ISPs that have allowed spammers to use their networks and going to networks run by RBL members.Others fake their identities. ISPs "in places like Finland and Hong Kong" let users sign up from anywhere, often with no personal, traceable information, says Steve Dougherty, EarthLink's director of technology acquisition and a manager of its e-mail abuse department.And if it's not an international address they're sending from, it's often a stolen one. Sometimes, spammers grab these addresses by hacking into people's accounts; in other cases, they impersonate staffers from an ISP, sending users an e-mail that asks for their password "to fix their account," says Timothy Walton, a Mountain View, Calif., attorney who has filed four lawsuits that attempt to broaden California's laws by allowing consumers to sue. With these addresses in hand, they can route mail through several of them -- a process known as "spoofing" -- and obscure the original IP address."Fewer than one in 1,000 spams offer a real reply address," Walton says. Dougherty doubts that spammers are that hard to find, if only because spam comes not just from professionals, but also "a rotating crop of amateurs" who naively believe that spam will make them rich beyond their wildest dreams.These amateurs can often be traced, but is it worth taking them to court? If someone's been scammed -- forking over $39.95 to some pro spammer for 50,000 e-mail addresses -- should ISPs bother trying to convince a judge that they're criminals, not victims? Dougherty doesn't think so. "Most of them don't even know what they're doing is wrong, and once we tell them, they rarely come back," he says. "That's the problem with the law -- unless it's narrowly defined, it tends to paint with a broad brush."On the other hand, Dougherty would be happy to put the professionals out of business. He estimates that there are a few thousand full-timers, but that this "10 percent of the total [does] 80 percent of the damage." And these repeat offenders know the game. They're not easy to find. "They live in the shadows," Dougherty says. "They'll move and always be there."There are, of course, exceptions. High-profile suits such as those against Sanford Wallace, the self-declared "Spam King," proved that some spammers can be found -- and sued. Together, EarthLink, Concentric, CompuServe and other ISPs won judgments in 1997 for over $2 million from Wallace and his company CyberPromo, which sold bulk e-mail software.And several sites offer tools to help. SamSpade.org will search the Whois database for domain name registrars, and Whew.com will help you find the physical address of a spammer, as will other resources found on sites like Suespammers.org. Attorney Walton says he used several of these search tools to find three of the four spammers that he's suing and none of the searches took more than 30 hours.Still, folks like Wallace and the spammers Walton is suing represent rare cases: spammers who didn't try very hard to hide. Wallace publicly defended his actions, and all but one of Walton's defendants were easily unmasked: One sent marketing-related faxes and e-mails to 4,000 people who attended a marketing conference; another, Friend Finder Inc., is an established online dating service that allegedly sent an unknown number of e-mails to persons it deemed interested. Both spammers identified themselves in the e-mails. A third, Newport Internet Marketing, apparently tried to hide by simply misspelling its own name: "It sends spam under the name 'Neuport,' but was listed at Dogpile.com [a meta-search engine] as 'Newport,'" Walton says.Only one case, relating to pornographic spam sent from an America Online account, required serious digging. And in that case, Walton still hasn't found the defendant. He's charging "John Does 1 through 200" in the meantime.In comparison, the majority of the 3,000 to 4,000 e-mail addresses sitting in Redshift's spam database "are anonymous," Anderson says. "We don't know where we can find the senders."What's more, there is little reason to believe that locating spammers leads to a recouping of the money ISPs spend on processing their mail. EarthLink spends over $1 million a year fighting spam; the median amount spent annually by Internet service providers to filter spam is $387,000, according to a 1999 Gartner Group study.California law and House Bill 3113 are based on the argument that these costs should be paid by spammers. Otherwise, by transferring costs from sender to receiver, spam acts like a collect call ISP clients have no choice but to accept; it "trespasses on one's chattel or property," says David Kramer, an attorney with Palo Alto's Wilson, Sonsini, Goodrich & Rosati who drafted the California law that lets ISPs sue.But California's spam cases so far haven't done much to shift those costs. Rallapalli won $600 from a spammer in small-claims court. Yahoo earned an injunction for $44,000 from Information Technologies Corp. and settled with Worldwide Network Marketing on confidential terms that did not disclose whether or not monetary damages were awarded. Walton's four cases are far from judgment. Even Kramer, who worked on the California law, admits that it has afforded "only a marginal improvement."Kramer insists, however, that a federal version would plug some of the loopholes that spammers have squirmed through. For example, under present California law, it's not enough for an ISP to simply put its spam policy on its homepage. An ISP must send a warning e-mail and receive a second offensive message from the same source in order to show that spammers know their messages are going to an ISP in a state that outlaws them.According to Kramer, 3113 would eliminate that defense, "letting ISPs sue any spammer without demonstrating that they were served with notice of the ISP's policy," he says. "It shifts the burden." It also defeats the "commerce clause" defense that was used last month to strike down Washington state's first judgment against a spammer. And it prevents spammers from gaining the advantage of an early warning. "They won't have time to hide," says Nicholas at MAPS.Plus, the federal law could turn up the scrutiny on spammers. By mirroring a Washington state law, 3113 lets all receivers of spam sue, and gain $500 per message, up to a maximum of $50,000 per day. Anecdotally, this has benefited proactive anti-spammers like Bruce Miller, a Washington state resident who says he "collected $3,900 from four spammers." Proponents of the federal bill expect thousands more to do the same."I think we will see quite a number of cases brought against spammers," says Ray Everett-Church, a co-founder of CAUCE, who helped draft 3113. "When you've got a law that says, 'If you do X, damages are presumed to be Y and action can be granted in terms of Z,' then it's much easier to process."Still, ISPs and users have heard all this before. Even if the law passes, which is not a given -- influential lobbyists such as the Direct Marketing Association and Harvard law professor Lawrence Lessig are among the opponents -- and even if spammers are sued in droves and pay in kind, the law may not empty our in boxes of spam. In fact, more may be on the way.As the number of Net users grows worldwide, an ever-expanding pool of spammers comes online. Most will be "dumb amateurs," says Dougherty at EarthLink, people who say they believe that "people actually want their product." Others will become professionals, sending out millions of messages, then ducking for cover like new-economy con artists -- or like "u6," a savvy porn spammer who recently found my in box, and promises to remove me if I send mail to email@example.com."There's always going to be bulk e-mail because it's easy to do," Dougherty says. "Million dollar fines might put a little bit of a chill on it, but not much." Back at Redshift, Anderson has to agree. "Hopefully the law will scare people," she says. "That would be nice. But that's the only way it would affect us."