Law Barring Junk E-Mail Allows a Flood Instead By TOM ZELLER Jr.
Q year after a sweeping federal antispam law went into effect, there is more junk e-mail on the Internet than ever, and Levon Gillespie, according to Microsoft, is one reason. Lawyers for the company seemed well on the way to shutting down Mr. Gillespie last September after he agreed to meet them at a Starbucks in Los Angeles near the University of Southern California. There they served him a court summons and a lawsuit accusing him, his Web site and 50 unnamed customers of violating state and federal law - including the year-old federal Can Spam Act - by flooding Microsoft's internal and customer e-mail networks with illegal spam, among other charges. But that was the last the company saw of the young entrepreneur. Mr. Gillespie, who operated a service that gives bulk advertisers off-shore shelter from the antispam crusade, did not show up last month for a court hearing in King County, Wash. The judge issued a default judgment against him in the amount of $1.4 million. In a telephone interview yesterday from his home in Los Angeles, Mr. Gillespie, 21, said he was unaware of the judgment and that no one from Microsoft or the court had yet followed up. But he insisted that he had done nothing wrong and vowed that lawsuits would not stop him - nor any of the other players in the lucrative spam chain. "There's way too much money involved," Mr. Gillespie said, noting that his service, which is currently down, provided him with a six-figure income at its peak. "And if there's money to be made, people are going to go out and get it." Since the Can Spam Act went into effect in January 2004, unsolicited junk e-mail on the Internet has come to total perhaps 80 percent or more of all e-mail sent, according to most measures. That is up from 50 percent to 60 percent of all e-mail before the law went into effect. To some antispam crusaders, the surge comes as no surprise. They had long argued that the law would make the spam problem worse by effectively giving bulk advertisers permission to send junk e-mail as long as they followed certain rules. "Can Spam legalized spamming itself," said Steve Linford, the founder of the Spamhaus Project, a London organization that is one of the leading groups intent on eliminating junk e-mail. And in making spam legal, he said, the new rules also invited flouting by those intent on being outlaws. Not everyone agrees that the Can Spam law is to blame, and lawsuits invoking the new legislation - along with other suits using state laws - have been mounted in the name of combating the problem. Besides Microsoft, other large Internet companies like AOL and have used the federal law as the basis for suits. Two prolific spam distributors, Jeremy D. Jaynes and Jessica DeGroot, were convicted under a Virginia antispam law in November, and a $1 billion judgment was issued in an Iowa federal court against three spam marketers in December. The law's chief sponsor, Senator Conrad Burns, Republican of Montana, said that it was too soon to judge the law's effectiveness, although he indicated in an e-mail message that the Federal Trade Commission, which oversees its enforcement, might simply need some nudging. "As we progress into the next legislative session," Mr. Burns said, "I'll be working to make sure the F.T.C. utilizes the tools now in place to enforce the act and effectively stem the tide of this burden." The F.T.C. has made some recent moves that include winning a court order in January to shut down illegal advertising from six companies accused of profiting from thousands of X-rated spam e-mail messages. But so far, the spam trade has foiled most efforts to bring it under control. A growing number of so-called bulletproof Web host services like Mr. Gillespie's offer spam-friendly merchants access to stable offshore computer servers - most of them in China - where they can park their Web sites, with the promise that they will not be shut down because of spam complaints. Some bulk e-mailers have also teamed with writers of viruses to steal lists of working e-mail addresses and quietly hijack the personal computers of millions of unwitting Internet users, creating the "zombie networks" that now serve, according to some specialists, as the de facto circulatory system for spam. "We've thrown everything but the kitchen sink at this problem," said Chris Smith, the senior director of product marketing for Postini, a company that filters e-mail for corporations. "And yet, all of these efforts have yet to make a significant dent." Mr. Smith was speaking in a conference call with reporters last week to discuss Postini's 2005 e-mail security report, which echoed the bleak findings of recent academic surveys and statistics from other vendors that filter and monitor e-mail traffic. A survey from Stanford University in December showed that a typical Internet user now spends about 10 working days a year dealing with incoming spam. Industry analysts estimate that the global cost of spam to businesses in 2005, in terms of lost productivity and network maintenance, will be about $50 billion ($17 billion in the United States alone). And the Postini report concluded that most legislative measures - in the United States, Europe and Australia - have had little impact on the problem. The American law requires solicitations to be identified as such in the subject line and prohibits the use of fake return addresses, among other restrictions. But the real soft spot in the American law, critics have argued, is that it puts a burden on recipients to choose to be removed from an e-mailers list - an "opt out" feature that bulk mailers are obligated by the law to provide. (The European and Australian systems requires bulk mailers, in most cases, to receive "opt in" authorization from recipients.) While a law-abiding bulk mailer under the American law might remove a person from its list, critics say, the scofflaw spammer simply takes an opt-out message as verification that the e-mail address is current and has a live person behind it. "Any spammer worth his salt is not going to follow Can Spam," said Scott Petry, Postini's founder and senior vice president for products and engineering, "because it would be filtered out immediately." Defenders of the Can Spam Act say blaming any one law is far too simple. "Most people say it's a miserable failure," said Anne Mitchell, who helped draft the legislation and is the chief executive of the Institute for Spam and Internet Public Policy, a research group in California. "But I see it as a lawyer would see it. To think that law enforcement agencies can make spam stop right away is silly. There's no such thing as an instant fix in the law." She and others note that filtering software has become particularly adept at catching the vast majority of spam before it ever gets to a user's in-box. Legitimate e-mail messages do sometimes get caught in such nets - a drawback that generates its own chorus of complaints. But some specialists have also suggested that the overall success of identifying and weeding out junk e-mail from in-boxes may actually help explain the current surge in spam. "The more effective the filtering technology," Ms. Mitchell said, "the more spam they have to send to get the same dollar rate of return." Those rates of return can be staggeringly high (and the costs of entry into the market relatively low). A spammer can often expect to receive anywhere from a 25 percent to a 50 percent commission on any sales of a product that result from a spam campaign, according to a calculus developed by Richi Jennings, an Internet security analyst with Ferris Research, a technology industry consulting firm. Even if only 2,000 of 200 million recipients of a spam campaign - a single day's response rate for some spammers - actually go to a merchant's Web site to purchase a $50 bottle of an herbal supplement, a spammer working at a 25 percent commission will take in $25,000. If a spammer makes use of anonymous virus-enslaved computers to spread the campaign, expenses like bandwidth payments to Internet service providers are low - as is the likelihood of anyone's tracking down who pushed the "send" button. The overlapping and truly global networks of spam-friendly merchants, e-mail list resellers, virus-writers and bulk e-mailing services have made identifying targets for prosecution a daunting process. Merchants whose links actually appear in junk e-mail are often dozens of steps and numerous deals removed from the spammers, Mr. Jennings said, and proving culpability "is just insanely difficult." The new federal law does give prosecutors some leverage to go after the merchants - but it must be proved that they knew, or should have known, that their wares were being fed into the illegal spam chain. "We wait to see a real test case of that," Mr. Jennings said. In the meantime, analysts predict, more viruses will commandeer more personal computers as zombie spam transmitters - which besides free relays give spammers a thicker cloak of anonymity. Mr. Jennings estimates that hijacked machines handle 50 percent of the spam stream, and other analysts have put the percentage higher. Analysts also expect more use of virus bombs - called directory harvest attacks - to wrest working e-mail addresses from Internet service providers. "It's the silent killer of e-mail servers," Mr. Smith of Postini said. And bulletproof services like Mr. Gillespie's and another, <http://Buprhost.com>Buprhost.com, are intent on continuing to offer spam-friendly merchants a haven from antispam complaints, starting at $89 a month. "If your Web site host receives complaints or discovers that your Web site has been advertised in e-mail broadcasts, they may disconnect your account and shut down your Web site," explains Buprhost.com, which promises no such disruptions. "The reason we can do this is that we put your Web site in our overseas server where the local law will protect your Web sites." "It's very simple," Mr. Petry of Postini said of the junk e-mail scourge. "Spam is technically very easy to send." Which is why, according to Aaron Kornblum, Microsoft's Internet safety enforcement lawyer, suits against spam enablers like Mr. Gillespie are an important, if incremental, new front to pursue. "Microsoft's efforts in filing these lawsuits is to stop spammers - and in this case hosting services that cater to spammers - from plying their trade," said Mr. Kornblum, who noted that Microsoft was working to enforce the $1.4 million judgment against Mr. Gillespie. "Our objective with sustained enforcement activity is to change the economics of spamming, making it a cost-prohibitive business model rather than a profitable one."
