Fighting The Flood

Although many spammers and the companies they represent view bulk unsolicited e-mail as an acceptable, low-cost means of doing business, those on the receiving end view it as an invasion of privacy and an insidious drain on resources.

Take Interwrx, a regional ISP in Mesa, Ariz. The company spent more than $1 million last year fighting spam and says a quarter of the 250,000 e-mails it processes every day are spam. Another regional ISP, Parsippany, N.J.-based Net Access, says 65 percent to 75 percent of its daily 600,000 to 800,000 e-mails are spam.

Spam costs these ISPs in many forms: the need for an antispam staff; additional storage, bandwidth and software requirements; the need for resources to develop homegrown solutions and additional man-hours to handle reconfigurations; and lawsuits brought both against spammers and against the ISPs.

[Photo: The deluge of spam overflowing today's inboxes is placing a particularly weighty burden on ISP executives like Interwrx's Scott Sampson (l.) and Andy Wylde.]

On top of this, ISPs walk a fine line when trying to institute antispam policies. Not all users have the same definition of spam, so ISPs can lose customers if they mistakenly block e-mails that are legitimate or are perceived to be legitimate.

"Spammers don't realize and probably don't care about the cost burden this puts on us," said Scott Sampson, COO of Interwrx. "We have to spend several-thousand [dollars] on equipment and then add in the man-hours we spend fighting this, and it only costs [spammers] pennies to send out thousands of e-mails."

As of last month, 45 percent of all e-mails were identified as spam, according to antispam software vendor Brightmail, San Francisco. What's more, research firm Gartner estimates that, on average, an ISP with 1 million users spends $7 million a year fighting spam.

And it's getting worse. In the past 18 months alone, ISP EarthLink said it has seen a 500 percent increase in spam e-mails. Yahoo, meanwhile, said it receives about five times more spam than it did a year ago.

So why are spam figures reaching an all-time high, and how can ISPs, which many consider to be the front line of defense in this battle, fight these increasingly tricky hawkers?

The economy is playing a major role in the increase in spam, ISPs say. Spamming is cheap, fast and profitable. A spammer that sends out millions of e-mails may only need to receive responses from less than 1 percent to make a profit.

Developing solutions to fight spam is an ongoing process for ISPs, with spammers seeming to find a way around an ISP's blocking and tackling measures almost as soon as they're deployed. What it will take is a combination of technology, legislation and litigation to confront the problem, ISPs say.

On the technology front, about two new antispam solutions are introduced a month, but many of them are half-baked, said Martin Nelson, an analyst at Ferris Research. This forces many ISPs to either develop their own solutions or employ the services of an antispam vendor. Yahoo, for example, has a homegrown solution called SpamGuard. Out of the 10 largest ISPs, six, including EarthLink and BellSouth, use antispam vendor Brightmail, according to Brightmail President and CEO Enrique Salem.

While generally found to be effective, Brightmail is also considered to be an expensive solution to the problem of spam, ISPs say. However, this month Brightmail introduced a version of its software priced for the small- and midsize-business markets, Salem said. The vendor is also developing a program to recruit solution providers to sell its offerings, he said.

Some of the new tactics used by spammers include hiding text in graphics so it can't be identified as spam, or sending URLs as the body of a message, Salem said.

"The tricks spammers use change every day, and with the URL problem, for example, ISPs can't spend, say, eight to 10 seconds per e-mail to figure out what's on the other end of that URL," Salem said.

Another trick of the spamming trade is to hijack other companies' servers.

"There are always open mail servers not protected by any security that spammers can find," said Blake Elman, president and CEO of Net Access. "It's essentially a theft of service, but the problem is that someone didn't tighten security, so any third party can identify [a server] as an open server and [use it to] send out 100,000 e-mails from their PC to another company's e-mail server."

The problem is, independent organizations such as SPEWS (Spam Prevention Early Warning System) that track spam activity don't differentiate between a spammer's server and one it may have hijacked, ISPs say. This puts the ISPs in a guilt-by-association situation in which not only the spammer, but all associated routes that the spammer takes, are labeled as spam-friendly. Many ISPs land on such blacklists and find it difficult to remove themselves.

And some ISPs, those that are only interested in making a buck, are indeed spam-friendly, ISP executives admit. Still, the majority of ISPs view spam as a drain on business and say they are becoming involved in a number of projects aimed at putting an end to it.

Legislation that allows ISPs to identify and prosecute spammers is critical, ISP executives say. ISPs are often shackled when spammers hide behind privacy and freedom-of-speech laws, and they are hoping that legislation will correct the problem.

Interwrx, for example, is fighting one spammer in court, not to shut the spammer down, but because the spammer claims that the ISP unjustly shut it off. And earlier this month, America Online filed a suit in Virginia against five spammers and is seeking more than $10 million in damages.

On the legislative front, California Senator Debra Bowen is attempting to pass a state bill that would charge spammers $500 per unsolicited e-mail. Not only is Bowen hoping to pass her spam penalty bill, but she thinks major credit card companies are prime targets to go after to prevent spam as well.

"Very rarely do you see spammers asking for a check," said Bowen. "The majority of the transactions are done through credit card companies like MasterCard or Visa, so I think we need to put pressure on these companies to not give merchant accounts to known spammers."

ISPs, however, argue that state bills won't be effective. What is needed is a national standard for prosecuting spammers. Even better, they say, would be international standards, since a significant amount of spam originates outside of the United States.

At the federal level, the Federal Trade Commission (FTC) is developing a project to involve several countries in the antispam effort. This month, the FTC is holding a spam forum to discuss the international perception of spam and how to address it, said Brian Huseman, staff attorney for the FTC. Those invited come from Korea, Australia, Japan, Canada and other nations. The FTC is hoping the end result of the project will be an international standard for dealing with and prosecuting spammers.

"Some of the major issues we are going to deal with are blacklists, which are pretty controversial because the groups that blacklist, such as SPEWS, [don't have a] way of contacting them and getting removed from the list, and many of these organizations take aggressive tactics that result in false [spam] positives," said Huseman.

Believe it or not, direct marketers are also joining the fight against spam, since such organizations fear being categorized as spammers. Companies often turn to advertising agencies and order packages that combine magazine, radio, phone and e-mail advertising. These agencies in turn often contract out work such as telemarketing and e-mail to third parties. The problem with this is that these third parties may use aggressive spamming tactics that are traced back to the original company selling the product.

Many ISPs propose to address this problem by putting pressure on the companies that buy e-mail advertising to keep their advertising agencies and resellers in line with penalties for spamming.

"We approached a large credit card company because it appeared that spam was coming from them," said Brightmail's Salem. "They said the problem was they bought a package from an ad agency. This is a reputable company, but they are dealing with spammers three times removed from their campaign."