
net.wars: A hundred lawyers at the bottom of a can of spam: a darn good start!

by Wendy M Grossman | posted on 12 March 2004


I don't know about the rest of you, but I'm rather encouraged that AOL, Yahoo!, Earthlink, and Microsoft have joined together to file six lawsuits against hundreds of defendants under the new CAN-SPAM Act. It's about time - both for someone to come up with a way of justifying the anti-spam laws' existence and for major ISPs to take action.


If you can remember back as far as eight years, the Net's one-time Spam King, Sanford Wallace, got a lot quieter after he was sued by CompuServe for spoofing return addresses to appear to come from the service.

Among the hundreds of defendants, most are "John Does" - people yet to be identified. However, those who are identified include a group from Ontario, Canada, who are accused of running Goldisk.net and at least four other companies, a couple of New Englanders and their alleged company, Amazing Internet Products, and Florida-based JDO Media.

What's staggering are the numbers. Yahoo! claims that Goldisk.net et al have sent its subscribers 94 million messages since January 1. AOL alleges that Amazing Internet Products is the source of mass email offering to enlarge and shrink various portions of the human anatomy, and that its messages have provoked more than 100,000 complaints already in 2004. AOL also accused the group of selling millions of AOL members' addresses.

What's really staggering about these numbers is that they are utterly believable. The latest statistics from Brightmail, a leading anti-spam vendor, say that spam is now 62 percent of all email, and that in February alone it filtered 91 billion messages overall and 2.4 billion fraudulent messages. But they're a vendor, you might say; it's just good marketing to make themselves look necessary.

Danny O'Brien, however, has no such Cthulhu to grind; his stats say he's received 24,596 spams since February 26. Multiply that by 580 million Internet users, and ...

(Yes, we know. Danny gets more because his email addresses are posted everywhere. Somewhere in the middle of Chicago, surrounded by the teeming millions, someone gets no spam because he hasn't figured out how to turn his computer on yet. The average is much less. I'm exaggerating. Like no one else ever did that.)

Naturally, laws or lawsuits are not enough by themselves to conquer spam; but they are one important component of a multi-pronged strategy. As a method of deterring people from sending spam, the laws were doomed to failure. We all knew that. No one gets less spam because of the laws. No Master Spammer sends out memos saying, "We gotta make sure we don't do nuthin' illegal."

But the one thing laws are good for is standing up prosecutions. I'm not much impressed by the argument I've seen that if these lawsuits chop off the heads of a few Big Spammers thousands of little ones who are harder to trap will spring up to take their place. The Spamhaus Project estimates that 90 percent of spam is sent by 200 known spam operations. And - contrary to many people's expectations - more than 90 percent of those on Spamhaus's list are based in the US. Experts at the anti-spam conference Openwave sponsored last September generally agreed with this. It will be interesting to see how much overlap there is between the defendants the suits eventually identify and Spamhaus's list.

If the prosecutions are successful and knock these guys out of business, naturally the game won't be over: the jobs will move overseas. But in the meantime, what's needed is to put in place the other necessary elements of a global anti-spam strategy. First, technology companies are working on better spam filtering using natural language processing (which will have many other uses as well, so it's not wasted effort). Every geek on the planet is exercised about spam, and there are lots of proposed strategies. Unfortunately, most of them are impossible to deliver, because they require things like re-engineering SMTP so that all of today's email clients will become obsolete at a stroke. Others are undesirable to deliver, because the social costs are too great. But there are a number of promising approaches, too.

Second, ISPs could be doing a lot more, especially now that broadband is rolling out to make it possible for any home PC to be a spam factory. It surely should not be that difficult to set an automatic level of x messages allowed within y period of time from the same customer's PC. When that level is exceeded, the ISP could notify the customer, and ask for human confirmation that the email volume is intentional. Under such a scheme, you'd have to inform your ISP if you were managing a mailing list, but that doesn't seem overly onerous.
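The threshold-and-confirm scheme proposed above, sketched as an added example that is not part of the original column. The class and method names, the limit of 3 messages per 60 seconds and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class OutboundLimiter:
    """Per-customer sliding window: at most `limit` messages per `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit                 # the column's "x messages"
        self.window = window               # the column's "y period of time", in seconds
        self.sent = defaultdict(deque)     # customer -> timestamps of delivered mail
        self.held = {}                     # customer -> message ids awaiting confirmation
        self.overrides = {}                # customer -> higher limit (declared list managers)

    def register_list_operator(self, customer, limit):
        """Customer has told the ISP in advance that they run a mailing list."""
        self.overrides[customer] = limit

    def submit(self, customer, ts, msg_id):
        """Decide 'deliver' or 'hold' for one outbound message sent at time ts."""
        if customer in self.held:          # already waiting for a human answer
            self.held[customer].append(msg_id)
            return "hold"
        q = self.sent[customer]
        while q and q[0] <= ts - self.window:
            q.popleft()                    # forget sends that fell out of the window
        if len(q) >= self.overrides.get(customer, self.limit):
            self.held[customer] = [msg_id] # first excess message: notify the customer here
            return "hold"
        q.append(ts)
        return "deliver"

    def confirm(self, customer, intentional):
        """Apply the customer's answer: release the queue, or discard it."""
        queued = self.held.pop(customer, [])
        if intentional:
            self.sent[customer].clear()    # confirmed volume: restart the count
            return queued
        return []                          # not intentional: queued mail is dropped

def demo():
    lim = OutboundLimiter(limit=3, window=60)
    lim.register_list_operator("list-op", 100)
    # Constructed traffic: five messages in five seconds from each customer.
    traffic = [("home-pc", t, f"m{t}") for t in range(5)]
    traffic += [("list-op", t, f"l{t}") for t in range(5)]
    return [lim.submit(c, t, m) for c, t, m in traffic], lim
```

Holding the excess mail rather than bouncing it means a legitimate sender loses nothing once they confirm, while a PC sending without its owner's knowledge stops at the threshold.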

The big strategy I'd like to see pursued, though - and at the Openwave conference the FBI representative said it was something they were working on and finding difficult but promising - is to follow the money via the credit card authorisations. Spammers by and large don't do it for fun. Eventually, somewhere in the background, some company is accepting payments for whatever service or product is being offered via spam, and almost all of those payments are by credit card. The FBI says the difficulty is that one person may set up hundreds of shell companies which are activated or shut down at will - but even so, credit card authorisations aren't generally that easy to get, and if the same person's name keeps popping up connected to companies who use spam for promotion, that should be a pretty clear indicator.



Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).