Spam: It's completely out of control

He is the guardian of roughly 45,000 employees' e-mail in-boxes, protecting against unsolicited commercial messages that are nearly doubling in number every five months--and costing an estimated $1 per piece in lost productivity. But perhaps just as important is Lewis' ability to field the bad mail without discarding the good, such as potential business leads.

"Everyone in a large company is afraid to lose business, and e-mail is sacrosanct," said Lewis, whose unofficial title is "spam issues architect." "If you implement (a spam filter) that drops one piece of e-mail, it is a huge mistake. At this time, in our economy, we have to be as anal retentive as possible."

Spam is as old as the mainstream Internet itself, but its alarming rise is challenging companies more than ever. In the past six months, the volume of junk mail sent online more than doubled, according to spam filter company Brightmail. Internet researcher Jupiter Media Metrix estimates that consumers will receive about 206 billion junk e-mailings in 2006--an average of 1,400 per person, compared with about 700 per person this year.

The pace is driving companies to take desperate measures that in some cases are creating international controversy. Some American business owners, systems administrators and Internet service providers are banning all unknown e-mail from entire regions of Asia, where they believe unregulated servers are being used to relay much of the spam traffic that both originates and ends up in the United States.

The size of the Web-borne epidemic was cast in sharp relief last month when e-mail systems were paralyzed at AT&T WorldNet for more than a day, one of the first known instances of junk mail shutting down a major ISP. That deluge was believed to have been part of a denial-of-service attack. But the ballooning rate of everyday spam is making it all the more difficult to fend off sporadic assaults.

About 20 percent of incoming messages to AT&T WorldNet are junk e-mail, nearly double the number from the previous year, spokeswoman Janet Wyles said. The spam count reaches 50 percent at some ISPs.

"This is guerrilla warfare...There's just more spam, and spammers are getting smarter," Wyles said.

It's cheap and easy
The amount of junk is increasing partly because e-mail marketing is seen as the cheapest and easiest way to reach potential customers. For about $150, anyone can buy a CD-ROM on the Net with instructions on how to use spam as a path to potential riches that costs next to nothing compared with the printing and postage expenses of paper mail.

To make it even more economical, many spammers siphon bandwidth and resources from insecure mail servers, or open relays, set up overseas.

Most U.S. and European mail servers are configured to route only those messages addressed specifically to customers, as ISPs fear that security risks and other problems could result from relaying messages for any third party. So spammers have taken to using insecure servers in other parts of the world--particularly in Asia--to relay, by some estimates, as much as 70 percent of junk e-mail in the United States.

"That's a real boon for spammers, because they need someone to get the mail out," said Steve Linford, who maintains a London-based blacklist of mass e-mailers called the Spamhaus Block List. "Literally hundreds of thousands of these servers are around China, configured on a wing and a prayer."

As a result, many ISPs are blocking the entire Internet address ranges designated for China and other Asian countries. The practice recently became a diplomatic issue, leading the Chinese parliament to issue a statement rebuking such wholesale blockades based on geographic boundaries.

Nevertheless, junk mailers are crafting new ways around such blocking methods. According to Brightmail, more spammers are masking their origins by hacking into high-speed Internet cable lines to send mail through customers' dynamic IP (Internet Protocol) addresses. These temporary addresses are assigned to computers only for a specified amount of time. ISPs are often unable to trace the sender because it requires enormous resources to investigate vaporous connections throughout the network.

Spammers are also increasingly forging mail headers, a tactic known as spoofing, to make e-mail appear to come from legitimate sources. U.S. corporations including Bank of America, eBay and Wells Fargo have fallen victim to junk mailers taking free rides on their names.

Corporate headaches getting worse
Brightmail, which provides filters to several major ISPs including AT&T WorldNet, has doubled its number of enterprise customers in the past six months because of corporate headaches with spam. The San Francisco-based company plans to expand its all-hours spam-fighting crew of five, known as the Bloc. The team studies sources of commercial bulk mail by seeding the Internet with decoy addresses. It then creates new rules for filters based on content and headers contained within spam.

Spamhaus, the Mail Abuse Prevention System (MAPS) and about 30 other blacklists ban IP addresses or whole ISPs that are used to shepherd spam. Any company or individual can subscribe to such lists for recipes to block known spammers.

In the past, signing on with such blocking lists was thought too risky for many corporations because banned marketers or hosts could include major ISPs such as Sprint, which are used to send legitimate e-mail that could be valuable to business. But against today's growing levels of spam, companies are finding they have little choice.

Jill Vanhove, director of enterprise network services at Silicon Graphics, said she subscribed to MAPS's Realtime Blackhole List and began other filtering tactics in the past year.

"It's really a reaction to an increase of volume of spam and complaints we're seeing," she said. "We're also looking at tools to combat spam from our sponsored newsgroups."

Still, these grassroots efforts are only of limited help when fighting an exponential rise in junk traffic. Even after taking the anti-spam measures at SGI, Vanhove said she has seen the amount of incoming junk mail nearly triple in the last four months.

Many companies and anti-spam groups have appealed for help from government agencies such as the U.S. Federal Trade Commission, which recently opened a full-scale assault on deceptive marketers. In the last month, the FTC said it settled six cases against alleged con artists using e-mail to disseminate scams.

"The federal government (isn't) in a position to cure the problem, but I do think that law enforcement actions will help deter people from spamming once they realize what they're getting into," said Jennifer Mandigo, a staff attorney at the FTC who is in charge of spam issues.

Legislation wanted
For now, regulators are hampered by the absence of federal legislation and a hodgepodge of nearly two-dozen state laws that critics say allow too many loopholes. For example, California law requires marketers to place the letters "ADV" in the subject line, signifying an advertisement, but some include a variation such as "A.D.V." or "a d v" to circumvent filters.

Spamhaus' Linford advocates federal legislation requiring industry standards such as a banner on every mail server that warns against sending unsolicited commercial material. The law would make it illegal for a marketer to trespass beyond the sign.

Others are turning to self-regulation among companies, pinning hopes on such organizations as Truste and ePrivacy Group, which launched a Trusted Sender program last month. Using encryption, Truste plans to provide approval seals to companies that meet certain standards, such as an existing customer relationship, before they send commercial e-mail.

"This is a really big first step," said Fran Maier, executive director at Truste, which will release a test version of the tool next month. "With time, we hope that your e-mail client will help filter by the Trusted Sender seal."

Civil libertarian Sonia Arrison, of the Pacific Research Institute, advocates a system in which people wishing to send a message to someone they don't know must pay to have it delivered.

It would be "kind of like with paper mail; we still get a lot of junk, but not nearly the same if it were free," she said.

All of these solutions, real or proposed, carry inherent drawbacks. Many of those based on technology, such as Arrison's idea, would depend on redesigning the Internet's global e-mail architecture. Other measures are either unrealistically laborious or simply bad for business.

Spam fighters such as Lewis and his five-man team employ a wide range of tactics to fend off junk, including homemade blacklists, pattern matching, and software to ban certain content, addresses and headers. Lewis said he's been able to cut down on a large amount of spam in the past year by removing numerous e-mail aliases for employees.

But it's slow going. For every piece of mail that takes seconds to delete, there are always those that require hours in security investigations--which is how Lewis arrived at his estimate that each piece of junk mail costs his company $1.

And even as he hunts down countless offending missives, Lewis remains under equally intense pressure to keep his systems open to communication from potential partners and customers. His company refused to install spam filters until the Melissa virus forced it to take such precautionary measures, and Lewis still will not block all e-mail from China, because of business relations.

"I'd love to turn off China. But unlike some of the other people in the anti-spam community, I have to be very conservative," Lewis said. "It's a delicate balancing act for our filters because if I make a mistake, it could cost business."