Spam wars are being fought across the world
By Kara van de Pol
There is a town in the American state of Florida that's home to the Boca Raton Spam Gang, a notorious group of Internet rogues who churn out 250 million emails every day.
If you've been online for a few years, chances are that a fair bit of their spam has landed up in your inbox.
In the time it's taken to write this paragraph, four unsolicited emails have landed: one entreating me to invest in some female Viagra; one suggesting, in virtually the same breath, that I can also have a larger member; one offering spam-blocking software and one flogging lists of millions of opt-in' email addresses for my website marketing campaign.
Even Bill Gates has confessed that his mailbox gets clogged with offers to help him get rich quick.
The moniker spam - otherwise dignified by the description unsolicited commercial email - is widely believed to come from the Monty Python's Flying Circus spam spam spam skit.
But - as local and foreign Internet users are increasingly learning - spam is anything but funny. In July, MessageLabs, a leading provider of email security services, said spam now accounted for up to 55 percent of the world's email. Some put the number of spam mails at 10 billion a day. And the flood is growing exponentially.
In South Africa, Tiscali (formerly World Online), has seen spam increase from about 5 000 a day to more than 200 000 a day in a few years. The Internet service provider says unsolicited e-mail puts a strain on servers and bandwidth, and necessitates expensive filters and extra manpower.
M-Web, which boasts about 250 000 dial-up subscribers, says between 12 000 and 15 000 complaints are sent to the firstname.lastname@example.org address every month. Mervyn Goliath, M-Web's general Manager for technology operations, says the ISP blocks 50 to 65 million messages over the same period.
How do so many messages slip through? It's hard to say, says Goliath.
This is because spam only really exists in the eye of the beholder. A message that slips through a server-side filter may be spam to one person but an absorbing newsletter to another.
Heather Stuart, Tiscali's group marketing manager, says the ISP - which has about 150 000 dial-up subscribers - blocks spam that comes from well-known spam sources or from sources that have been specifically reported.
So there's no doubt that South Africa claims its fair share of spam. But M-Web's Marguerite Joubert says only about five per cent of it originates locally. Stuart says Tiscali boots off about five spammers a month.
Most of the stuff, as is clear from the contents, is from the US. However, such is the volume of spam piped from America to South Africa that the local Internet industry even felt compelled to hold a spam summit.
Terry Murphy - MD of Systems Publishers, the company that put it all together - said it was aimed at high-level businesses people, government, Internet solution providers, major corporates and the big users of email marketing, as well as the media.
It also aimed to explain the legal rights of individuals and entities, and the recourse and remedies available under South African law.
South African law does indeed have something to say about unsolicited email.
Unfortunately, though, the country missed its chance to criminalise the practice: the Electronic Communications and Transactions Act of 2002 does not expressly outlaw spam in Section 45. Spammers face the wrath of the law only if they do not provide a valid and functioning opt-out mechanism - a remove me from your list link - or if they refuse to tell the recipient where his address was obtained.
ISPs and some legal commentators have pointed out flaws in the legislation. And the law's demand that spammers supply unsubscribe links creates a tricky paradox for the victims of spam because using remove me links goes against the advice that one should never engage with a spammer.
Even if you want to draw yourself up to your full height and angrily denounce the spammer in return, any response from you means the sender - and whoever else to whom he now decides to sell your tested and validated address - will hit you with increasing confidence and frequency.
There may be a distinction to be drawn here. If the spammer appears to be South African - that is, if he is using the .za domain - he is bound by South African law and has to supply a functioning link. Otherwise, it's best to ignore remove links.
Lance Michalson, head of Michalsons IT Attorneys and a speaker at the recent spam summit, says there are a good few problems with section 45, all of which relate to the paucity of definitions of unsolicited commercial communication and its related concepts.
Given the high cost of litigation, coupled with the fact that no organisation ordinarily wants to be the subject of a test case - and given the enormity of the spam problem - it might be necessary for the legislature to either revisit Section 45 of the ECT Act or enact a stand-alone anti-spam law.
People complain that Section 45 is toothless and won't stop spam, but isn't the real problem that we can't expect South African legislation to stem the tide? Even if the spammer's country of origin does outlaw the practice, aren't there massive practical barriers to action against unknown parties overseas? Yes, says Michalson, adding: Jurisdiction issues are very thorny and complicated.
Many other countries are working on special anti-spam laws. Britain has just passed its version of the EU's Privacy and Electronics Communication Directive, which comes into force on 11 December, and the Australian government has just tabled the Spam Bill 2003. But in the US, the position varies from state to state. There is no national law to regulate spam, although a few proposals are before Congress.
In practice, say the cynics, anti-spam legislation represents nothing more than a symbolic gesture. While it may be
reassuring to some, it falls far short of a practical solution. Bulk mailers are simply too slippery and ingenious. This leaves spammers and ISPs locked in an arms race.
Spamming techniques, assisted by automated intelligent software agents, are constantly changing, says Goliath.
Spammers are also masters of disguise (they have to be, or they wouldn't survive), which makes things even harder for ISPs. They know few ISPs will tolerate a user account being used to generate spam, so they obscure their true identity as far as possible, faking sender addresses, flitting from host to host and moving around the websites they use to advertise their products.
Another common trick is to relay messages from the mail server of an innocent third party, which means both the receiving system and relay system are flooded. And any complaints are directed to the innocent site.
A related trick is IP (Internet Protocol) spoofing. Hackers find an IP address (the unique identifying number) of a trusted host computer and then modify the packet headers so that it appears the message is coming from a host that has, say, not been blacklisted.
Then there are tricks to get past filters. Spammers constantly change subject lines: they drop in strings of random text or invent new spellings of common wares. One email doing the rounds advertises Valiumm Xanaxxx Prozaccc.
So what can ISPs do about the scourge?
Tiscali says it has three lines of defence. First barrier is Trend InterScan Emanager, which supplies a filter list that's updated daily. Second, it uses Netscape Mail server filters to block mails from certain addresses, or spam that eManager does not catch. And third, as a back-up to server-side protection, Tiscali offers a customisable online spam filter as part of its My.Tiscali self-administration tool.
M-Web's Goliath says spam still gets through because of the rapid rate at which it mutates to defeat automated processes.
In M-Web's case we are especially cautious about simply blocking mail with a wildcard filter method as this carries the risk of introducing false positives - for example, blocking legitimate email.
We are, however, in the process of putting the finishing touches to a brand new spam architecture that has a much higher filter success rate than presently deployed systems. The implementation of this system is planned for early November 2003.
But the best advice, everyone agrees, is to stay off spammers' lists in the first place. Spammers are not especially sensitive to social opprobrium; even if one spammer strikes you off his list, he is likely to have shared your address with others.
ISPs agree that people on these lists are snared in a few ways.
First, if you add your name to a long list of addresses and forward chain mails - the kind that promise Microsoft will give you $1 million/beseech you to help pay for a baby's heart surgery/assure you they want to deposit their lottery winnings in your bank account - then you are not only amazingly gullible, but probably get more than your fair share of spam.
Second, if you have ever - even for a few weeks - had your address posted anywhere on the Web, you'll almost certainly be on the lists.
This goes for personal home pages, your company's website, chat rooms, newsgroup postings, forums and online directories.
It's maddeningly easy for spammers to collect all these addresses: they simply use programs called bots to trawl the Web and look for text strings in the format email@example.com. Once the harvesting is done, mass-mailing software fires off messages.
Third, you may be on the lists even if your email account is new and you have never exposed your address. How so?
Because if so much as one other subscriber at your ISP is on the lists, a spammer can use a dictionary attack to have a
stab at possible name combinations.
If mike@ISP.co.za is on a list, then it won't be long before peter@ISP.co.za - whether that address actually exists or not - will be receiving spam.
One deliciously cunning weapon in the war on spam is offered by programs such as Mail Washer (www.mailwasher.net). Not only does it check mail, filter spam and delete viruses before they're downloaded, but it offers a means to exact a modicum of revenge against spammers - by spamming them in turn with message failed bouncebacks.
The aim of this is to get your dead address removed from their lists.
Alan Ralsky, who runs what many believe to be the largest single bulk emailing operation in the world, reportedly has about 250 million addresses at his fingertips. The response rate, Ralsky says, is about 0,25 per cent. But, he adds, when you're sending out 250
million emails, even a blind squirrel will find a nut.
Three months ago, Wired, a leading technology site, reported that a security flaw at the Amazing Internet Products website had revealed an alarming 6 000 responses to an email with the subject Make your penis HUGE.
Among those who placed orders for the company's Pinacle herbal supplement (at $50 a bottle) were a top fund manager, a company president, a school coach, a veterinarian, and a number of women.
Shame on them all.