Slamming Spam - Dec/Jan '04

Slamming Spam
Unclogging law firm e-mail Inboxes.
By Brett Burney

How much do you hate spam? Spam haters have become the world’s largest club. People talk more about the bane of spam than the latest absurdly unreal reality TV shows. Where we all once had a trickle of unsolicited e-mail that turned into a river, most lawyers now see spam in terms of a tsunami growing in height on a daily basis and threatening to crush legitimate e-mail correspondence. As a practical matter, can we slam spam?

The Grim Facts
First, the unnerving statistics, as reported by Consumer Reports and Massachusetts Institute of Technology’s Technology Review, might seem startling. It will not surprise anyone that spam now comprises more than 50 percent of the average Inbox, up from 8 percent in 2000. More than 13 billion unsolicited e-mail messages swamp Inboxes worldwide every day. America Online reports it routinely blocks more than 1.5 million spam messages per day and yet, it also averages 7 million complaints daily about the spam that gets through. According to Radicati Group Inc., a market research firm specializing in e-mail, the number of spam messages is doubling every 18 months. Ferris Research, a San Francisco-based marketing and technology research firm, estimates spam causes a $10 billion a year drag on the economy.

How the Spammers Find You
How do spammers get your address in the first place? There is the classic “dictionary attack” in which spammers target guessed names such as johndoe, johndoe1, johndoe2, etc. Spammers all have software to facilitate these attacks — and if they don’t receive a “bounceback” message indicating the address is invalid, then they add it to their “confirmed valid” database.

If you shop or register for something online, be wary. L.L. Bean will not sell your e-mail address, but “Joe Chen’s Bargain Computers” might. Make sure you look at privacy policies and be skeptical about companies you don’t know to be reputable. If a lawyer places an e-mail address on his or her law firm site at 8 a.m., he or she is likely to receive the first spam message by 8:10 a.m. Ditto for talking in chat rooms. Spammers use special harvesting software to scan the Internet for visible e-mail addresses. As an experiment, the Center for Democracy & Technology, a Washington, D.C., advocacy group, posted 250 new e-mail addresses on its Web site. Within six months, the addresses received more than 10,000 unsolicited e-mails.

Spammers also harvest e-mail addresses from free chat services. That was at least part of the reason Microsoft closed its chat rooms in 28 countries on Oct. 14, 2003, although it allowed them to remain open on a subscription basis in the United States, Canada and Japan, where visitors are more accountable because their billing details are on record with Microsoft.

How do the rest of the spammers find your address? Often through reselling. Sometimes lawyers are their own worst enemy as they reply angrily “Remove” or “Unsubscribe,” only to have their address added to spammers’ “confirmed valid” lists, which they will of course then sell to other spammers. Not surprisingly, “confirmed valid” lists generally are resold many times over.

The statistic that takes most people aback is the experts’ consensus that roughly 90 percent of all spam is sent by less than 200 people, a view affirmed by the Coalition Against Unsolicited Commercial E-mail, an anti-spam coalition. Jon Praed, an attorney with the Internet Law Group in Arlington, Va., told Technology Review these major-league spammers are “hackers gone bad or they are crooks gone geek.” Whoever they are, they are making law firms miserable. Managing e-mail is a daily task and as we all hit the “Delete” key scores of times, it’s easy to accidentally delete a legitimate e-mail from a client without noticing, not to mention the frustration of having to wade through the mess we find in our Inbox every morning. Spam has become a daily chore and e-mail management a daunting task.

Legislative Solutions: Spammers in the Slammer?
Many Virginians celebrated when Gov. Mark Warner, amid great hoopla, signed a tough anti-spam bill at AOL’s headquarters in northern Virginia. The law was signed in April 2003, and took effect in July 2003. Under its provisions, if a commercial bulk e-mailer sends e-mail to or from Virginia with a bogus return address, or if a spammer transmits 10,000 or more e-mail messages in a day, he or she could end up facing felony penalties, massive fines, having their assets seized and spending up to five years in jail. According to Warner, the penalties might apply even if the sender and recipient live elsewhere because so much Internet traffic passes through northern Virginia. The Virginia law also prohibits tools that automate spam transmissions and the forging of e-mail headers.

Spammers in the slammer sound great to many of us, but numerous commentators have expressed concern prosecutors will not enforce the law aggressively because they lack funding and don’t perceive spam as a serious crime. Typically, one would think murder, arson, rape, armed robbery and other significant charges would receive attention far ahead of unsolicited bulk e-mail. Another factor is it’s extremely difficult to trace the source of spam in most cases. Spammers are wily creatures who change their network addresses regularly and relay their e-mail off unsecured servers, primarily in Asia, to hide the true source of the e-mail. Even with the clout of a corporate resident such as AOL, is Virginia willing to commit the time and resources necessary to flush out the spammers and prosecute them?

As of October 2003, 35 states have approved anti-spam laws and most commentators believe they are, collectively, almost entirely worthless. Two of the most recent anti-spam laws were adopted by Texas and California.

The new Texas law makes it illegal to send unsolicited e-mail that uses misleading subject lines or transmits unlabeled obscene material. The law also requires mass e-mailers to remove names from their lists within three days of being notified. Unsolicited advertising must carry the annotation “ADV:” in the subject line, and messages with sexual material must say “ADV: Adult Advertisement.” Violators can be fined $10 for each mislabeled, unsolicited e-mail message, up to $25,000 per day. Critics call the law weak and point out that senders of junk faxes can be fined up to $500 per fax in small claims court, 50 times the penalty for a spam violation.

California’s new anti-spam law, signed in September 2003, is scheduled to take effect Jan. 1, 2004, but already has been called vulnerable to legal challenges, including on First Amendment grounds or arguments based on the law’s interference with interstate commerce. Also, many of the anti-spam bills now pending in Congress would preempt more stringent state laws. The new law outlaws sending most commercial e-mail messages to anyone in the state who has not explicitly requested them. That makes it the most wide-reaching law of any of the 35 other state laws meant to regulate spam or any of the proposed bills in Congress. The law, which also prohibits companies inside the state from sending unsolicited e-mail to anyone outside the state, imposes fines of $1,000 for each message, up to $1 million for each campaign. Proponents of the law say it will be more effective than many anti-spam laws because it gives people the right to file private lawsuits rather than depending on state prosecutors. Skeptics believe only a federal law, backed by well-funded federal resources, is likely to have a true impact on spam.

Congress, alas, is still a lumbering ineffectual giant that has, in the past, tended to listen to the lobbyists for marketing groups. While they have not gotten as far as the United Kingdom and Italy, both of which recently passed regulations to criminalize spam, there is certainly movement afoot, as voters have made it clear they are outraged by the torrent of spam and want government intervention. A number of spam bills died in Congress last year, but approximately seven are under consideration this year and the public outcry might increase the chance one of them will succeed in becoming law. The residual worry is opponents will succeed in watering down any anti-spam legislation to the point it can’t be a truly effective weapon.

Suing Spammers
Lawsuits against spammers continue to proliferate. In August 2003, Amazon.com announced it filed 11 “John Doe” lawsuits against marketers who allegedly used its name when transmitting spam. Federal suits were filed in the United States and Canada seeking injunctions against the use of Amazon.com’s name in e-mail forgeries — the suits also seek millions of dollars in punitive damages. In addition, the company announced it’s working with the New York Attorney General’s office to identify the spammers.

Also in August, EarthLink filed a suit that targets two separate operations — one based in Vancouver, British Columbia, and the second in Birmingham, Ala. — against the so-called Alabama Spammers, an unidentified group it alleges uses EarthLink to transmit massive quantities of spam. Earthlink is asking the court for an injunction and $15 million in damages against the defendants, who are accused of engaging “in a massive scheme of theft, spamming and spoofing,” with the use of stolen credit cards and unauthorized use of Internet access accounts. The suit was filed in the Northern District of Georgia, Atlanta Division, and claims the Alabama Spammers used stolen or bogus credit card information to buy hundreds of dial-up Internet accounts and then used those memberships to send spam. EarthLink said the name “Alabama Spammers” refers to the group’s frequent use of phone lines in Birmingham, Ala., to illegally connect to EarthLink Post Office Protocol accounts in that area. EarthLink said as many as 100 individuals could be involved in the spamming ring in Alabama and British Columbia, and they have sent as many as 250 million e-mail messages on its network. The suit gives EarthLink the ability to issue subpoenas to domain name registrars, mailbox companies and other third parties to help identify the spammers.

In the end, finding spammers is an expensive, time-consuming process that often leads to a dead end. Even when they are found, few spammers have significant assets. EarthLink, Microsoft Network and AOL all have filed numerous suits against spammers, but for the most part, in spite of 35 state laws on the books and the barrage of suits, spam continues to grow as a percentage of the mail in everyone’s Inbox. How can this scourge be halted effectively? There are some methods today, and there is the promise of better methods in the future, especially if Congress finds the courage to employ them nationally and to back them with stiff penalties.

Today’s Best Hope: Filters
In an astonishingly short period of time, most of corporate America has adopted some sort of filter to screen unwanted e-mail. Though wildly imperfect, filters have become the nation’s No. 1 weapon in the fight against spam. One way to measure the effectiveness of a spam filter is to weigh the percentage of junk e-mail blocked versus the false positive rate (the percentage of legitimate mail inadvertently blocked). A 95 percent filtration rate is considered excellent, and some companies claim a higher rate. But be wary of such claims since corporate users generally report something more like a 70 percent filtration rate. Unfortunately, the higher the filtration rate, the higher the false positives. It’s generally considered unacceptable to have a rate of 0.1 percent or higher, which translates into losing one of 1,000 legitimate e-mails.

One filter used by some of America’s corporate giants comes from San Francisco-based Brightmail Inc., which says its filter processes about 10 percent of the world’s e-mail. Brightmail has an extremely low false positive rate, about one out of every 1 million spam messages. Although Brightmail claims a filtration rate of more than 90 percent, once again, consumers report the rate is actually significantly less. It’s a great help, certainly, but not a complete solution. Brightmail is a server-based solution, and it isn’t available for a small or solo office that doesn’t have its own e-mail server.

Although there are many kinds of filtering software, law firms with Microsoft Exchange servers rely more and more on Symantec’s filtering product. The old version was called Symantec AntiVirus/Filtering for Microsoft Exchange and provided very basic methods for identifying spam addresses and unwanted content. The software was time-consuming to manage and had a long list of flaws. The new version is called Symantec Mail Security for Microsoft Exchange and promises to do a better job of managing unsolicited e-mail.

Some of the new features include separate scanning of inbound and outbound mail, comparison of attachment type to the file extension, support for external “blacklist” databases (known spammers) and support for “whitelists” to allow all e-mail from a known good address regardless of content. Unlike the old version, it also can be configured to give or prohibit user notification of blocked e-mail. As many lawyers have complained, having the long list of notifications in their Inbox is almost as irritating as the spam itself, especially if they are retrieving their e-mail via a Personal Digital Assistant. It’s akin to spam about spam.

Consumer Reports picks for the best spam filters are:

1. Stata Labs SAProxy: According to Consumer Reports, this free program outperformed all other spam filters, but be forewarned, it requires some degree of computer skill and comes with complicated installation instructions.
2. Mailshell SpamCatcher
Universal: $20.
3. Blue Squirrel Spam Sleuth: $30.
4. Symantec Norton Internet Security 2003 (Spam Alert): $70.

Our own experience is greatest with Symantec’s products, which we have no problem recommending, especially with all the enhancements of the current version. At an enterprise level, this is an excellent approach to reduce spam. Anecdotally, some of our solo- and small-law firm clients speak well of Sunbelt Software Inc.’s iHateSpam, which costs $19.95 (see “Shootout” on Page 36 of this issue).

An ongoing problem for law firms has been legal newsletters, which often are blocked as spam (because of length or content) even though lawyers have subscribed to them. As whitelists become more prevalent in filters, this problem might erode, although lawyers will have to take the additional step of placing the sender on the whitelist.

Although woefully inadequate, filters are seen by many technologists as a formidable weapon made more potent with modifications. Have you ever heard of Bayesian filters? Named after the 18th century English mathematician Thomas Bayes, his theories of probability have been successfully incorporated in filters that learn from the users themselves. If you typically open penile enlargement e-mails (to pick a common subject), it will regard those as normal e-mails. If you routinely delete them, it will learn to block them. Because individuals train Bayesian filters, they increase their effectiveness over time and foil spammers because the probability of messages getting through is skewered and uncertain.

Microsoft research has taken this concept one step further by creating a “naïve Bayesian filter,” which learns probabilities for words, phrases and other characteristics that distinguish spam. For example, many filters have no trouble blocking “Viagra” but can’t block “V*I*A*G*R*A.” Undoubtedly, you have seen many variations on this theme, and the more modern filters are learning to recognize this trick.

Unfortunately, spammers are able to get around each new defense. More and more, they are getting all of us to open their e-mail because it says something innocuous, such as “Confirming your order,” “Requesting Information” or the like. Lawyers are finding it’s dangerous to delete too quickly, lest they delete a client or potential client’s e-mail message.

Battlefields of the Future
Can we change the economics of spam as a countermeasure? Right now, experts estimate it costs spammers between $200 to $500 to send a million e-mails, with roughly 100 “paying” responses expected from each transmission. One suggestion from technologists is to create an “e-stamp,” perhaps that costs a nominal amount such as one-tenth of a cent per e-mail. The amount would be negligible for most users, but would impose a $1,000 tax on anyone sending a million e-mails. E-mail without the stamps automatically would be blocked.

Another technical suggestion is to impose a time cost by forcing a transmitting computer to perform a quick mathematical problem before the transmission goes through — not enough to disturb a normal user, but enough to confound the computers of spammers. Microsoft research is currently working on this approach.

Microsoft now blocks more than 2.4 billion spam messages daily and has assembled a crack team of experts to come up with innovative and more effective ways to fight spam. Bill Gates himself has lamented the number of “Get Rich Quick” e-mails he receives every day. The sad truth is no one is immune to spam and half of us will continue to receive messages promising to add three inches in length to a body part we don’t possess. In the meantime, hang on to that trusty old “Delete” key, and press, press, press so you, too, can be a part of the annual $10 billion loss of productivity caused by spam.

ABOUT THE AUTHOR

Sharon D. Nelson and John W. Simek are the president and vice president of Sensei Enterprises Inc., a legal technology and computer forensics firm based in Fairfax, Va. They can be reached at (703) 359-0700, sensei@senseient.com or www.senseient.com.