Spam Inc.
In 2002, spam is not just a scourge, it's big business. Our investigator reveals who's behind the assault on your in-box and why stemming the tide won't be easy.
Daniel Tynan
Ryan Dong didn't set out to become a spammer. The 23-year-old college student from Pontiac, Michigan, started his professional life working for a dot com. When the Web bubble burst, he found himself out of work and out of prospects. The computer science undergrad decided to start his own business, a recruiting site called Havoc Jobs. He began to promote the site using e-mail. And then he had an inspiration--why not make e-mail the business instead?
So in May 2001, he and a partner set up a bulk e-mail service called Havoc Systems, offering server space and bandwidth to mass e-mailers. He posted an ad on a bulk mailer's forum; within days he had more business than he could handle.
In December, he started sending e-mail himself, charging $300 to $400 per million messages. Soon, he says, Havoc was sending 50 million pieces of spam a week. To buy time before Havoc's ISP shut him down, Dong split the mailings between his personal ISP accounts. When they got shuttered, he just signed up for new ones.
Dong began selling e-mail addresses (15 million names for $129) and set up a site where other spammers could swap targeted address lists. Now Havoc sells its own spamware, software tools that harvest addresses and manage lists.
In good times, Dong says, "I can pull in $100K a year or more." But he adds, "when the ISP pulls my connections, I make nothing." On the phone, he sounds tired of switching ISPs and trying to stay one step ahead of the antispammers; he insists, "We're not there to bother [spam recipients]. All they have to do is hit delete."
Dong's story illustrates how virtually anyone can get started in the spam trade. And that's why, though spam costs us billions of dollars each year, we can do little to cut off e-mail spam at its source.
Bulkers Banquet
We are in the midst of a spam epidemic. Depending on which survey you read, anywhere from 15 to 50 percent of e-mail messages consist of advertisements for miracle cures, financial scams, porn site come-ons, and other unsolicited commercial messages. According to e-mail filter vendor Brightmail, the number of spam attacks has risen by more than 500 percent since March 2001.
And in the next few years, the situation is going to get much, much worse. A study released last fall by Jupiter Media Metrix predicts that by 2006 a typical consumer can expect to receive nearly 1500 servings of spam annually--double the number that the average user gets today.
The time and data involved take an economic toll. Spam costs businesses worldwide some $8 billion to $10 billion per year in bandwidth charges alone, according to estimates by the European Union.
So why does spam remain a thriving business? I decided to find out--and I discovered that the only things you need to get started are a credit card, a computer, and an Internet connection.
My experience as a spammer started on the Web, searching for spamware--the software that spammers use to ply their trade. For about $50 a month, I joined two private online clubs for bulk e-mailers: Bulk Barn and Bulkers Club. Though neither site officially condones spam, both traffic in the tools that make it possible.
Once I was a member, I could buy all the tools I needed. First on my list was a bulk mailer, which sends a single e-mail message to thousands of people each minute. Etoyi Technology's Email Sender Express ($40) let me send a simple text message to a list of addresses--and falsify the return address. I also wanted a tool that stores any e-mail address it finds on the Web in a database. Beijing Express E-mail Address Extractor ($98) produced 1000 e-mail addresses in just 5 minutes. To get a list of open relay servers--insecurely configured machines that anyone can use to send e-mail messages anonymously--I subscribed to InfinityMailer ($75) and found free lists of open relays, most of them located in Asia, propagating terabytes of spam to the rest of the world.
Of course, spamware doesn't come with any guarantees. The software I used often crashed or failed to perform as advertised. And open relays and bulk hosts (servers that send massive amounts of e-mail) can vanish overnight. Sending mail in larger volumes than the few dozen I sent to willing colleagues requires a bigger investment and more technical know-how.
Think Pink
While Bulk Barn claims to have more than a thousand active members, significantly fewer spammers are probably responsible for clogging your in-box.
Antispam activist Steve Linford oversees the Register of Known Spam Operations (ROKSO) on his Web site, Spamhaus.org. ROKSO offers visitors a detailed database that covers the biggest bulk mailers; the information was culled from such public sources as domain name registrations and court records. Linford estimates that 90 percent of all spam comes from about a hundred big-time operations. "The typical operation has five to ten stealth servers pumping spam all day long through Chinese and Korean relays," says Linford. "There's almost no way to stop them."
Sometimes ISPs turn a blind eye to spammers, according to both Linford and the spammers we spoke with. In the past, AT&T and PSInet have signed what antispammers call pink contracts (named for the canned meat) that permit particular individuals to spam, despite policies prohibiting most other users from doing the same. Both companies blamed rogue employees, and canceled the agreements.
Ronnie Scelson, a self-described spammer who signed such a contract with PSInet, tells me that backbone providers are more than happy to do business with bulk e-mailers. "I've signed up with the biggest 50 carriers two or three times," says Scelson in a thick Bayou accent. The Louisiana-based spammer claims to send 84 million commercial e-mail messages a day over his three 45-megabit-per-second DS3 circuits. "If you were getting $40,000 a month for each circuit," Scelson asks, "would you want to shut me down?"
One of Linford's tactics is to put pressure on ISPs to shut down spamware sites. "If you eliminate spamware, a lot of the problem goes away," he says.
Of the major backbone vendors, WorldCom is the lone holdout in refusing to prohibit spamware operations--even though selling spamware is illegal in WorldCom's home state of Virginia. Linford says the reason is simple: For backbone ISPs, data traffic equals revenue, and nothing produces traffic like spam.
"We don't tolerate transmission of spam on our network," says WorldCom spokesperson Peter Lucht. "But spamware is content, and we're not in the business of policing Internet content. If something illegal on our network is brought to our attention, we'll contact legal authorities and deal with it appropriately."
Who's Spamming Whom?
Defining what e-mail is spam isn't as easy as you might think (see our sidebar, "The Seven Signs of Spam," for more details). And as larger, better-established businesses turn to e-mail as a sales tool, distinctions between legitimate marketing and "pure" spam get fuzzy.
Take, for example, the case of MonsterHut, an e-mail marketing firm based in Niagara Falls, New York.
MonsterHut, which sent 440 million e-mail messages last year, "is not a spam house," asserts CEO Todd Pelow. "We are a 100 percent permission-based e-mailing organization." But when it comes to commercial e-mail, precisely what constitutes permission is not entirely clear.
Pelow admits that MonsterHut provided hosting services to a spammer last fall, but he says it quickly terminated the account once the spammer's intentions became known. When MonsterHut's ISP, PaeTec Communications, received more than 40,000 complaints, it tried to cut off MonsterHut's service. However, MonsterHut then sued, convinced the court that it didn't violate a send-no-spam clause of its contract with PaeTec, and won an injunction preventing a shutdown. Finally, in May, PaeTec won its appeal and immediately took down the site.
"Despite the court's decision and PaeTec's utter disregard for a legal contract, MonsterHut maintains that we never spammed anyone," Pelow said in a statement following the ruling.
Pelow claims that the PaeTec lawsuit effectively shut down MonsterHut's operations, but New York's Attorney General Eliot Spitzer isn't taking his word for it. In late May, the state sued to "prevent MonsterHut from continuing its fraudulent, deceptive, and illegal practices...over any ISP in New York," Spitzer said.
In court filings, the state said it considers the term "permission based" synonymous with "opt-in," where consumers have to ask for it before they get spam. The lawsuit states, in part, that "MonsterHut's promises that its lists are 100 percent permission based...are plainly false."
Yet according to the Direct Marketing Association, a trade group representing marketers, simply sending unsolicited commercial e-mail is not spamming. Pat Faley, the DMA's vice president of ethics and consumer affairs, says marketers may rely on assurances from list vendors that you've consented to receive mail.
If a marketer sends you mail and you don't unsubscribe, the DMA's guidelines consider you to have opted in. That's not a problem if you're dealing with a well-known business, since legitimate companies unsubscribe anyone who asks. But spammers aren't sending ads for well-known companies, and the DMA's position places users in a nasty catch-22 that goes against the usual advice not to respond to spam messages for fear of confirming your e-mail address to the spammer. For consumers, such rules could herald a tsunami of "legitimate" spam, as companies flood in-boxes with ads.
Organizations that follow such guidelines are heading down a dangerous path, however, warns senior analyst Dan O'Brien of Forrester Research, an Internet research firm. "Almost every company we've talked to is incorporating e-mail in its marketing plans," he says. "But we're in an age of overflowing in-boxes. If you're a corporation sending out unwanted messages, you're a spammer, too."
It's Raining Spam
Major Internet service providers feel the cost of spam most keenly. All have suffered spam floods that overloaded their servers and shut down subscribers' e-mail service. ISPs, in turn, pass the cost of fighting spam to consumers in the form of higher access fees.
EarthLink's Steve Dougherty works with a team of techs blocking around-the-clock "spam storms" before they hit customer in-boxes. Dougherty says that EarthLink spends at least "seven figures" per year fighting spam, and even then manages to filter out just 60 to 90 percent of it.
Other ISPs subscribe to "blackhole lists" of the IP addresses of known spammers, such as the lists maintained by the Mail Abuse Prevention System (MAPS). When MAPS receives a complaint about mail abuse, it adds the spammer's IP address to its list after an investigation; ISPs can set their mail servers to reject messages coming from these addresses.
Yet these efforts resemble a huge game of whack-a-mole: Knock the spammers down in one place, and they pop up elsewhere. Smart spammers mask their real addresses by routing mail through open relays and won't use the same IP twice.
Even when one ISP shuts them down, spammers can usually find another that's friendlier to bulk mail services. Sometimes, says Linford, the larger spam cartels act as each other's ISPs, ignoring any complaints that might come in.
Brightmail's Francois Lavaste suggests that antispam efforts may worsen the problem. As ISPs block spam and response rates go down, he says, spammers simply send out more messages to make up the difference. "The only way for spammers to maintain revenue is to increase the volume of spam," he says. When one of his high-speed connections gets shut down, Scelson says, he sends five times the spam through his backups.
Here's the ugly truth: Spam may be annoying, offensive, expensive, and a waste of resources, but it's generally not illegal. There's no federal statute regulating bulk e-mail, and while 24 states have some form of antispam legislation, only Delaware bans spam outright.
If we had federal laws to stop inexperienced but legitimate marketers from spamming, claims Linford, antispam organizations would be able to drive the hard core underground and filter them.
Meanwhile, the Federal Trade Commission has prosecuted approximately 30 cases involving spam, says staff attorney Jennifer Brannan, but only where the spam involved deceptive marketing practices, which falls under the commission's purview.
In the absence of aggressive government action, angry Netizens on antispamming crusades hunt down those responsible and try to get ISPs to cut them off. ISPs themselves have been suing spammers for clogging servers with mail or violating antispam contract provisions.
Others believe that the best hope for eradicating spam is to educate the public to ignore it. "No one will admit to ordering Viagra or getting a diploma via spam," notes Jupiter Media Metrix analyst Jared Blank. "But spam wouldn't exist if it weren't so successful."
With the barrier to entry for new spammers so low, and with the potential profits sky-high, the spam problem is likely to get worse before it improves. After all, as Jason Catlett, president of the antispam organization Junkbusters, explains, "it only takes one sucker in 10,000 to make a spam operation economical."
PC World Contributing Editor Daniel Tynan eats spam for breakfast, lunch, and dinner.
Spam Tips: The Seven Signs Of Spam
It's easy to spot spam, but hard to automate a system to deal with it. Our suggestions may help you deal with some of the more common tricks spammers use--but for other tricks, there is no good solution.
Phony subject line: Random characters can fool filtering software. Other spam just tries to fool you--"re: your order" is especially modish. Partial solution: Don't filter on exact subject line text; pick a few keywords instead.
Dictionary spam: If a message's "To:" field is crowded with e-mail addresses containing names similar to yours, you've got dictionary spam, where spammers send messages to every address that looks like yours at several different e-mail domains. Solution: Add a couple of extraneous alphanumeric characters, hyphens, or underscores (like dant_47@hotmail.com instead of just dant@hotmail.com) to the normal e-mail address you use. For more details, see "Spam Begone."
Spurious content: If an e-mail says you can get rich working from home while enlarging your breasts, it's spam. Solution: You could create new filters for spam topics as they emerge, or just use spam filtering tools.
Bogus unsubscribe links: Legitimate marketers honor unsubscribe requests. Spammers (at worst) use them to verify your address and send more spam. Partial solution: Only unsubscribe from sales mail that comes from companies you know and trust, and forward the rest to the FTC at uce@ftc.gov.
Secret scripts: Some HTML spam contains JavaScript that launches your browser and loads a page, often with ads from porn sites. Partial solution: If you use Eudora or Pegasus Mail, you can disable your e-mail reader's ability to view HTML e-mail messages. Outlook and Outlook Express users, however, can't disable that feature.
Fake return address: Most bulk e-mailers can generate random false return addresses--sometimes even using your own e-mail address. Solution: Filter e-mail that appears to have been sent from your address into a "from myself" folder, and then manually delete all the ones that you didn't actually send.
Forged headers: Spammers falsify routing headers--the breadcrumb trail left by mail servers as e-mail passes through--to hide their location. Solution: Sorry, there isn't one.
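Three of the signs above (phony subject line, dictionary spam, fake return address) can be written as mail-filter rules. The sketch below is an added example, not part of the original article; the keyword list, the look-alike heuristic and its thresholds, and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_ADDRESS = "dant@hotmail.com"  # the sidebar's own example address
SUBJECT_KEYWORDS = {"order", "viagra", "diploma", "rich"}  # assumed keyword list

def local_stem(addr):
    """Letters of the local part only, lowercased: dant_47@... -> 'dant'."""
    return re.sub(r"[^a-z]", "", addr.split("@")[0].lower())

def signs_of_spam(raw, my_address=MY_ADDRESS):
    """Return which of three sidebar signs a raw message triggers."""
    msg = message_from_string(raw)
    signs = []
    # Phony subject line: match a few keywords, not the exact subject text,
    # so random padding characters do not defeat the rule.
    words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    if words & SUBJECT_KEYWORDS:
        signs.append("subject-keyword")
    # Dictionary spam: To: crowded with look-alike names at several domains.
    # Assumed heuristic: 3+ recipients whose stem starts with mine, 2+ domains.
    mine = local_stem(my_address)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if "@" in a]
    alike = [a for a in rcpts if mine and local_stem(a).startswith(mine)]
    if len(alike) >= 3 and len({a.rsplit("@", 1)[1] for a in alike}) >= 2:
        signs.append("dictionary-spam")
    # Fake return address: the message claims to come from my own address.
    if parseaddr(msg.get("From", ""))[1].lower() == my_address.lower():
        signs.append("from-myself")
    return signs

# Constructed sample messages (not real mail).
SPAM = (
    "From: dant@hotmail.com\n"
    "To: dant@hotmail.com, dante@example.net, dant1@example.org, dantes@example.com\n"
    "Subject: re: your order xq7zk\n\n"
    "Get rich working from home.\n"
)
HAM = (
    "From: editor@example.com\n"
    "To: dant@hotmail.com\n"
    "Subject: Draft for Tuesday\n\n"
    "Comments attached.\n"
)

if __name__ == "__main__":
    print(signs_of_spam(SPAM))
    print(signs_of_spam(HAM))
```

As the sidebar advises for the "from myself" rule, a hit is a reason to set the message aside for manual review, not to delete it automatically.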
Want More Spam? All The Spam You Can Eat
You say you love spam and can't get enough? Want a full plate of it every day? If you do, don't use spam-filtering software or set up mail filters. Follow these instructions instead.
Be generous with your address: Always post your primary e-mail address to newsgroups, online forums, and every page of your Web site. That makes it much easier for e-mail extractors to harvest your address. It's like picking low-hanging fruit.
Don't read the fine print when you sign up: So they say they'll give you a free Web hosting account and spam you? It doesn't get any better than this.
Make it obvious: Use a simple name combo for your e-mail handle (like Bob123@yourisp.com). Dictionary spammers will fill your in-box in no time.
Support your local spammer: Send that check or money order for herbal Viagra or the home wealth-building kit today. You may never see any products, but you'll keep the spam industry strong and vibrant.
Go ahead, open it: HTML mail can run JavaScript, launch your browser (especially handy for porn spam), or send a "Found a live one" message back to the spammer.
Use a domain registrar that has poor privacy policies: Spammers love guaranteed-to-work e-mail addresses, and some registrars would love to sell you out.
Share your friends' addresses: When a site asks for names or e-mail addresses of your friends and family, do them a favor and sign all of them up. They'll be glad you did.


