Internet providers constantly trying to find ways to limit unwanted e-mail
December 26, 2000
In the bloodied trenches of the Internet, the 5-year-old e-mail spam war rages with increasing sophistication. As one side develops new shields and weapons, the other counters, as they pass the advantage back and forth.
"It is a war," said Steve Weaver, information services director of Internet Nebraska. "So many people are doing it. Half of my mail is spam. I get 150 pieces of spam a day."
In this instance, spam refers to unsolicited commercial e-mail, not spiced pork and ham. The e-mail term comes from a Monty Python skit in which a group of Vikings sang "Spam, spam, spam" in an increasing crescendo, drowning out others' conversation, much as uncontrolled spam would swamp the Internet.
For local Internet and e-mail provider Internet Nebraska, the daily dose of spam requires double the server capacity. But daily minor skirmishes pale compared with the full-scale spam battles.
"We had a significant incident last week," Weaver said recently. "In one day we got 2.1 million pieces of spam from one guy." The e-mail message encouraged people to earn their university diploma in three days.
"I spent two full days last week getting our mail server back and running," he said. "Our mail server was completely destroyed by that. It can't take that kind of load."
Much of the spam loosed today offers insidious get-rich-quick schemes, herbal cures and Viagra. More malignant messages entice children with pornographic views or illegal schemes.
After years of discarding it, Weaver has become desensitized to the offerings. "When I get spam, I just delete it," he said. "It's like getting a letter from Ed McMahon."
Other people, however, are militant in their efforts to stop the nuisance. They can't beat it completely, but they can limit it. For businesses, the stakes are more than inconvenience, and the costs are rising.
Ferris Research of San Francisco estimates the average corporate e-mail user will receive 40 spam messages daily within three years, up from three messages daily today. Employees in 2003 will spend 15 hours deleting spam at an estimated cost of $400 apiece. Currently, it takes 2.2 hours at a cost of $55 apiece.
Much e-mail is time-sensitive, regarding legal notices and the purchase of stock, said state Sen. Pam Redfield of Omaha, who last year introduced a bill in the legislature to regulate spam inside Nebraska. When spam delays urgent e-mail, it can affect finances and safety, she said. In Ralston, law enforcers use e-mail to get information about automobile registration.
Severe spam attacks are not uncommon. Verizon Communications got its system back in full operation Wednesday after being slowed by a wave of tens of millions of junk messages. Attacks on Nov. 19, Nov. 20 and Dec. 5 delayed e-mail for as many as 200,000 Verizon Internet customers on the East Coast.
In Lincoln, Alltel went through a series of attacks from one particular spammer earlier this year. Several times over a period of months, a man flooded its servers with advertisements about printer supplies. He switched to a new Internet provider each time they shut down his connection.
"He flooded us so many times we issued a restraining order," said Brent Guess, Alltel Internet security manager. "When we're getting flooded, we start looking at where all this spam is coming from and we block the connection." The first priority is saving the servers.
Like most e-mail providers, Internet giant America Online, with 26 million customers worldwide, takes several approaches to limiting spam. Protection starts with giving individual members the tools they need to customize their e-mail control settings, said Nicholas Graham, spokesperson for the company in northern Virginia.
Mail controls can be set to block e-mail addresses of known spammers. Controls also can be set to accept e-mail only from specific sources, blocking all others, he said.
But even before e-mail gets to individuals, it passes through sophisticated bulk mail filters. "We filter out millions and millions every week," Graham said.
Many Internet providers subscribe to services that compile lists of known spammers. Most also allow customers to filter their e-mail by subject, limiting, for example, anything that says: "Make money fast" for the subject.
But spammers have their own tricks, disguising their e-mail so it appears to come from legitimate subscribers. Or they can send bulk e-mail to automated relay hosts at universities overseas.
Newer software, however, can identify forged domains and trace rerouted messages. All the information needed to trace an e-mail is contained within the e-mail header, although sometimes it can be difficult to see.
AOL urges subscribers to forward internal spam to TOSEmail@aol.com and external spam to TOSSpam@aol.com. Alltel customers who receive spam should submit it to firstname.lastname@example.org. Alltel, like most legitimate Internet providers, terminates the services of customers caught spamming.
"We don't have a major problem in our own customer base with individuals sending spam," Guess said. The individuals that do send spam from Alltel are those who jump from Internet provider to Internet provider, opening an account for five days before moving on, he said.
Sending spam has become fairly easy. There are so many tools on the Internet that amateurs can download.
"Before," said Weaver, "somebody trying to send a mass e-mail had to know what they were doing." Now, for the price of a $2,000 list they can send a message to 2 million people.
Amateurs often use software that generates random e-mail. Somebody with the e-mail address of John@alltel.net is an easy target.
Alltel recently installed a new e-mail tool to block that spam. After the system receives so many invalid e-mail addresses, it classifies the sender a spammer and blocks reception.
Professionals, however, supplement random e-mails with actual and suspected addresses harvested off the Internet. Many spam e-mails offer to remove people from a list if they respond. Often, the return mail only confirms the address is valid; spammers can then sell that address for more money.
The best protection is to never get on a list. Be savvy when supplying personal information to Web sites, the companies advise. Only submit information to Web sites with a privacy clause listing what the information is used for and whether it will be sold or traded.
AOL's Graham strongly suggests that members who chat should create a screen name different from other e-mail addresses that they use. Spammers use software to harvest names from chat rooms. On AOL 6.0, customers can have as many as 7 screen names per account.
Efforts to stop spam in the Nebraska Legislature last year ended unsuccessfully on questions of free speech and free commerce. Redfield expects better success this year.
The issue of free speech does not apply when the speech of one person adds to the costs of another, she said. With e-mail, the customer pays for the download times and the inconvenience. The provider passes these costs on to the customer. Conversely, when companies send advertisements through the post, the advertiser pays all the costs.
"Free speech isn't free when a recipient has to pay the cost," Redfield said. "In all other commercial speech issues the commercial entity pays the freight." But with spam the burden rests on the recipient, who pays extra for server access.
She didn't need to look far to prove her point.
"We actually had an ISP (Internet service provider) in Ralston who has been shut down both times while down at our hearings."
© 2000, Lincoln Journal Star