I was a Netcom shell customer in 1994 when immigration lawyers Martha Siegal and Laurence Canter committed the original Usenet spam by cross-posting to every public newsgroup an advertisement for their services in the then-upcoming U.S. Government Green Card "lottery." Unfortunately for me and for 48,000-some-odd other customers, Netcom was Canter and Siegal's ISP at the time.
In "How to Make a Fortune on the Information Superhighway," (Canter and Siegal's mishmash of braggadocio, disinformation and badly-tuned advice about Internet commerce) these scoundrels claim that they received an equal number of positive and negative reactions to their escapade. I'm here to tell you they lie through their teeth.
Netcom canceled their shell account within 24 hours of that spam, but the repercussions from Canter and Siegal's misconduct-including unbearable latencies caused by endless mail bombs from outraged Usenetters-prevented me and all of Netcom's other shell subscribers from making practical use of our accounts for nearly six weeks after the miscreants were banished. They claim they made $100,000 from their villainy-and that that profit justifies their actions. What they persist to this day in refusing to acknowledge is the cost their ill-gotten revenue imposed on 48,000 other Netcom customers.
If we flash forward just over three years to the present day, we find Canter and Siegal have bequeathed us a sad heritage, indeed. Their spiritual successors have turned much of Usenet into a veritable swamp of Excessively Cross-Posted (ECP) and Excessively Multi-Posted (EMP) ads for products, services and (usually pornographic) web sites, as well as for various Ponzi schemes, chain mail trolls and other imbecile-bait.
Meanwhile, Sanford Wallace, (President of Cyber Promotions, Inc. of Philadelphia, Pennsylvania, USA, and Administrative Contact, Technical Contact, Zone Contact and Billing Contact for its online avatar, the notorious cyberpromo.com) and his equally unscrupulous fellows have taken to flooding the Internet with e-mail spams. Wallace has gone so far as to set up his own domains, with his own nameservers and high- speed Internet links, to continue spewing out the approximately 17 million pieces of spam his operation generates each day.
Adding insult to injury
Usenet spams aren't merely annoying. Beyond the simple clutter and distraction they inflict on users, they eat up large amounts of bandwidth and storage for both ISPs and their customers.
In April, 1994, when Canter and Siegal started the sorry trend, the entire Usenet hierarchy consisted of less than 6,000 newsgroups. At this writing, in mid-May, 1997, there are 21,295 newsgroups visible on Netcom's shell machines. If as little as 10 percent of Usenet traffic is spam, (and that's probably a low estimate,) that's 100 megabytes or so of junk being propagated to every news server on the Net (or, at least, to every news server that doesn't filter Usenet) every day. And, likewise, 100 megabytes of storage on those newservers that's taken up with junk and can't be used to store posts of interest to anyone but the author.
For peer-connected users, spam eats up time spent downloading headers, and much of the news client software in current use has no killfile capability. This wastes both bandwidth and connection time.
Worse still, there are many spammers who employ UNIX shell, Perl or other scripts to harvest e-mail addresses from posts to any newsgroup. Those addresses, in turn, are employed for bulk, Unsolicited Commercial E-mail (UCE), . l. Cyber Promotions. These same spammers have also taken to using web spiders to comb pages for MailTo: addresses to add to their UCE lists. This is particularly annoying because the proliferation of spiders, in general, has contributed to the considerable latency the Internet as a whole has experienced in recent months. Since the spammers consider themselves above the constraints of netiquette, their rogue spiders tend to ignore the strictures of ROBOTS.TXT files. Many of the lists compiled in these ways are in turn offered for sale via UCE-a form of meta-spam where the product being hawked is designed to enable recipients to spam others.
One of the most infuriating aspects of both UCE and Usenet spams is that the perpetrators routinely forge the mail and news headers that would otherwise permit the author to be traced. In effect, they lie about who they are and from whence their spam originates. Once upon a time, this "spamoflage" would simply point to non-existent domains and usernames. More recently, however, some UCE spammers have taken to forging return addresses of recipients or ISP postmasters who complain to the spammers' upstream providers. This results in the inevitable flood of angry e-mail from recipients of bulk UCE being directed to users and/or ISPs who are, themselves, innocent victims of the spammers' deception. Even more damaging is the trend among spammers to hijack the mail servers of hapless ISPs who fail to run their mail from inetd and to take other precautions to avoid the black hole of security which is SMTP. In these cases, the legitimate Received: path leads back to an unwitting host ISP. This makes it extremely hard to convince angry recipients that the offending message didn't "really" originate from the hijacked site.
The ever-egregious "Spamford" Wallace has struck a Mephistophelian deal with Apex Global Information Systems (AGIS), a very large backbone services provider, which has taken the position that spam is a form of online commerce and thus is a permissible use of its network. Complaints to AGIS's postmaster account are answered with a form letter advising the writer to take up the issue with Cyber Promotions or one of the other offenders to whom AGIS has chosen to provide access without responsibility.
"Smithers, release the lawyers!"
Naturally, all of the ill-will generated by spam has resulted in lawsuits, all of them, at this writing, apparently in the United States. Cyber Promotions has been the favorite target of these suits and, luckily, it has been losing them.
On December 13, 1996, Prodigy announced that it had reached a "resolution" of its trademark infringement suit against Wallace's company. Along with undisclosed financial damages, Cyber Promotions was permanently enjoined from using existing Prodigy accounts or from opening new ones for the purpose of sending UCE, sending any e-mail from a Prodigy account, using a Prodigy return address for any e-mail, causing e-mail to appear to originate from Prodigy or failing to honor any Prodigy member's request to be removed from a Cyber Promotions UCE distribution list.
In a complex ruling in Pennsylvania's Eastern District Federal Court, on February 4, 1997, Judge Charles Weiner handed down a decision in a case that consolidated suits Cyber Promotions and America Online cross-filed against each other. Judge Weiner held that Cyber Promotions, which he had earlier found had no First Amendment right to send UCE to America Online members, was required to send UCE to AOL only via AOL's "preferred mail" option, giving AOLers the power to block spam from Wallace's domains. AOL, in turn, agreed to notify its members from time to time that they had the option to receive UCE, should they so chose, and to give them instructions on how to unblock mail from Cyber Promotions.
Wallace had sued AOL for what he claimed was mail-bombing. (AOL redirected all bounced e-mail from its members who requested that their names be removed from Cyber Promotions' mailings to Wallace's service providers. Since there were literally millions of such otherwise-undeliverable messages, the effect of AOL's strategy was, indeed, akin to mail-bombing Cyber Promotions' service providers.) AOL had countersued, claiming, among other things, that Wallace was guilty of "unjust enrichment," because his business depended on forcing AOL to use its extensive infrastructure investment to deliver UCE on his behalf. Both Wallace and AOL claimed Weiner's ruling as a victory.
On May 7, 1997, Los Angeles Superior Court Judge Diane Wayne granted EarthLink Networks' motion for a preliminary injunction against Cyber Promotions. Judge Wayne found that EarthLink's lawyers had "made a sufficient showing of a reasonable likelihood of success on the merits" of its suit against Wallace's firm. EarthLink had sued Cyber Promotions for misappropriation of computer resources, conversion, trespass, unjust enrichment, violation of the U.S. Code Title 18 sections 2701 (the Electronic Communications Privacy Act) and 1030, (the Computer Fraud and Abuse Act,) infringement and dilution of EarthLink's service mark under both U.S. and California law, false designation of origin and unfair trade practice and competition.
Judge Wayne enjoined Cyber Promotions from sending unsolicited e-mail ads to EarthLink subscribers, using EarthLink's "computer network, systems, and equipment, e-mail system, and servers without prior express authorization," preventing EarthLink from blocking Cyber Promotions' UCE, "inserting false reference to plaintiff's accounts, equipment or domain address" in any Cyber Promotions UCE and, specifically, from "falsely representing, permitting, or causing" Cyber Promotions' UCE as being "sent by or originated from" EarthLink or an EarthLink account. She went on to note that there is "sufficient evidence" of Cyber Promotions' "past and current" UCE and its "deleterious effect" on EarthLink's systems and operations. She called Cyber Promotions' actions "trespass" and cited the case of CompuServe Inc. v. Cyber Promotions, Inc. in Ohio's Southern District Court as precedent for granting EarthLink the right to block Cyber Promotions' UCE. Wallace claimed that Zeran v. America Online, Inc., a case brought under the Communications Decency Act, applied in his firm's defense. Judge Wayne noted that Zeran wasn't citable, (the CDA had been declared unconstitutional by a Federal appeals court) but held that it addressed content, rather than use, and thus was inapplicable with regard to EarthLink's complaints against Cyber Promotions for trespass and related charges.
After further arguments, Judge Wayne also levied a $25,000 bond against Cyber Promotions to ensure its compliance with the terms of her grant of preliminary injunctive relief to EarthLink. As of this writing, no date has been set for the actual trial itself.
On May 9, 1997, in Pennsylvania's Eastern District Federal Court, CompuServe Information Services won a Final Consent Order by Stipulation against Cyber Promotions permanently enjoining Cyber Promotions from "causing, authorizing, participating in, or assisting others" to send UCE to CompuServe e-mail addresses, or to employ any "false or misleading reference" to CompuServe "in the header of or in connection with any electronic message." Cyber Promotions also agreed to pay some $65,000 in CompuServe legal fees in exchange for ad "runs" on CIS, and to a number of other tradeoffs that, on balance, are unlikely to do much good for Wallace's bottom line.
Title 47, Chapter 5, Subchapter II, Section 227 of the U. S. Code makes it illegal to transmit unsolicited commercial faxes. Some Net lawyers (none of whom, to my knowledge, are actual lawyers, mind you) contend that Section 227's definition of a fax machine as "equipment which has the capacity (A) to transcribe text or images, or both, from paper into an electronic signal and to transmit that signal over a regular telephone line, or (B) to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper" can be stretched to include e-mail-capable (particularly MIME- compliant e-mail) computers.
I'm not a lawyer and am not able or willing to give legal advice, but it's pretty clear to me that the definition of a fax machine doesn't stretch that far. However the Coalition Against Unsolicited Commercial E-mail (CAUCE) is promoting an amendment to Title 47 which would add language specifically extending Section 227's prohibitions on junk faxes to UCE. Republican Congressman Chris Smith of New Jersey has announced he will introduce the CAUCE amendment in the near future. Meanwhile, on May 21, 1997, Republican Senator Frank Murkowski of Alaska, a member of the Congressional Internet Caucus, introduced the "Unsolicited Commercial Electronic Mail Choice Act of 1997." Murkowski's bill would require the Subject: header of all UCE to begin with the word "Advertisement," permitting both ISPs and end-users easily to filter out UCE. Murkowski's bill would also require that all UCE contain a valid street address, telephone number and return e-mail address.
One problem both bills share is that the U.S. government can't compel non-U.S.-based spammers to comply with such legislation. Additionally, the Smith amendment to Title 47 worries many civil libertarians (including yours truly) because it amounts to a U.S. government-mandated limitation on free speech. And the Murkowski bill suffers from problems of definition. As a member of the computer trade press, I'm constantly receiving press releases via e-mail. I welcome many of them, since they alert me to announcements about new products or policies that interest me. On the other hand, invitations to "invest in the opportunity of a lifetime" and the like don't interest me at all. The Murkowski bill may require both types of e-mail to adopt the "Advertisement" flag, meaning that I get to choose to continue being spammed or give up receiving press releases. Both bills also represent attempts to exert U.S. government authority over the trans-national Internet.
At least eight U.S. states are also considering legislation to regulate spam. In many cases, these same states are attempting to regulate Internet content in other contexts, such as bans on pornography, bomb-making instructions, hacking tutorials and other adult, unsavory or subversive data.
That's a bad thing.
The Net escaped from U.S. government control back in the eighties. Every government attempt to regulate it has been to restrict its content to subjects and language appropriate for grade-school children. That is only in part because so few legislators are themselves Internet-literate. Unfortunately, it's mainly because it's the nature of politicians to meddle with things they don't understand, to insert themselves into other people's business and to grandstand at every available opportunity.
We should not be encouraging them. Remember the Communications Decency Act? That was ruled unconstitutional last year, but the Supreme Court has agreed to hear the Justice Department's appeal of that decision later this summer. I think the Justices will be smart enough to uphold the original decision.
But, they might not be.
Spammer, regulate thyself?
One of the most widespread complaints about spammers is that they ignore "remove" requests. Many of them don't bother supplying a remove mechanism. Those that do frequently ignore helpless users' requests to be deleted from their lists. Worse, many Internauts suspect that their entreaties to be removed are treated, instead, as confirmation that their address is a valid one, making it a valuable entry for lists to be brokered to other spammers.
On April 23, AGIS proudly announced a solution to the UCE problem. AGIS' "solution" was to initiate the formation of what it calls "an industry wide trade association for the purpose of promoting ethical bulk mail practices." It promises to require bulk e-mailers to join this association to purchase Internet connections from AGIS, and to set up a web-based global "remove list," supposedly permitting users who don't wish to receive UCE to register once to be removed from all the major spammers' distribution lists.
As that great philosopher of Western civilization, Rocket J. Squirrel, put it, "That trick never works!"
First, according to many ISPs, the bulk of spam originates from small-time operators who purchase individual Net accounts, spew their UCE, get kicked off by their provider and move on to their next account with another ISP. Second, many of these same idiots actually offer giant lists of e-mail addresses to other idiots, making the small-time operator problem self-perpetuating. Third, by attempting to legitimize spammers, AGIS is merely encouraging them to continue abusing the Net. Finally, there's the entire non-AGIS professional spam community, which may well decide to move its collective operations offshore in any event, especially if the Smith amendment to Title 47 or the Murkowski bill go through.
Besides, the concept of "ethical bulk mail practices" is uncomfortably close to the idea of "ethical rape." In both cases, the essence of the act is its non-consensual nature. Remove the "unsolicited" part from UCE and you have, in effect, traditional Internet announcement lists.
What's a mother to do?
There are things you can do to protect yourself and your users from being victimized by UCE. In general, they fall into one of two categories: address filtration and enhanced mail daemon security.
In the category of address filtration, you'll find good information and tools at the Scott Hazen Mueller- maintained Internet spam boycott site at http://spam.abuse.net/spam. Although the tone of the site is a tad intemperate for me and much of the legal opinion in the FAQ is suspect, Scott maintains a pretty useful group of links to tools and tutorials on filtering, such as Nathan Waddoups' Spamhandler Pro package (a Perl script, a set of recommended changes to .procmailrc and a text list of UCE promulgators' addresses) and advice on how to apply the Usenet Death Penalty to sites that harbor Usenet spammers.
Like AGIS, for instance.
The spam boycott site also provides directions on filtering IP addresses (such as those of AGIS) to block all traffic to and from particularly offensive sites. This is a weapon of pretty awesome dimensions-a kind of Internet Doomsday Device-and it ought to be employed only with the greatest fear and trembling, because, if applied too easily, too often and by too many providers, it could potentially invite the breakdown of the Internet into an incommunicado group of island networks.
That would be a bad thing.
As for enhanced security, the spam boycott site includes directions on how to protect your SMTP mailer by running it out of inetd and using smap (from the Trusted Information Systems Firewall Kit, available from www.tis.com/docs/products/fwtk) to deny spammers access to port 25. Regardless of anything else you do, you really should implement this patch to prevent unauthorized users from hijacking your SMTP mailer via Telnet.
Finally, you should already have promulgated a user policy on spam and you should make sure that every one of your users gets a copy of it when he/she first signs on and every six months or so afterward. Your policy ought to forbid your users from sending UCE and from Excessive Multiple- and Cross-postings to Usenet, and it ought to detail the penalty for violating that ban. It ought to include clear directions on how to complain to you about any UCE they receive (such as making sure that they know to include the full headers of the spammail about which they're griping) and tell them what you'll do about it (such as investigating and, if warranted, officially complaining to the spammer's provider). And it ought to include directions on how your users can set up their own filtering mechanisms in Netscape Communicator, Eudora Pro and other MTAs and/or point to URLs where your users can find those directions.
Full disclosure and final caveats
I cannot tell a lie: I, too, have committed spam.
When I put "Perls of Wisdom" on this web site last January, I gathered up all the e-mail addresses of all the folks who had ever written to me and put them on a notification list. That was legitimate and fair...after all, they wrote to me, first. What was illegitimate and unfair was that I also added the addresses of industry press people, without first asking them if they objected. (This poses a conundrum-is it okay to send unsolicited e-mail to people asking if they'd like to receive unsolicited e-mail?) Worse, still, I also added the addresses of people who subscribe to some of the same lists as me and, worst of all, I filtered the addresses out of several Usenet groups that have to do with HTML authoring and added them to the list, too.
Now, mind you, I wasn't selling anything. My site is ad-free and doesn't even include a guest book. And the people whose names I added without permission were clearly people I could reasonably assume would be interested in an article about the Perl language. I also made it a point to include my real return address, and I promptly honored all requests to be removed and apologized to anyone who objected to my mailing. Nonetheless, it was a bad thing that I did, and I suffered considerable criticism for it.
Here's the interesting part: I have since sent out two other mailings to the survivors of that list. Each time I did, some subset of the remaining recipients has sent me a blustering "How dare you?" letter-if I recall right, there were four of them, last time. I can only conclude, since they didn't object to my earlier mailings, that they forgot that they were on my list.
My own list, originally 2,500 addresses, is now down to about 2,000 (most of the reduction is from bounced mail, rather than unsubscribe requests, by the way). I have a friend who also maintains a notification list for his family's firm. They're in the distance-learning business and they have a list of some 25,000 people who have, at one time or another, expressed interest in being kept up to date on their course offerings. Every time my friend sends out a notification of a new course offering, he gets back a considerable number of "How dare you?" letters, himself, and all of them are from people who originally asked to be on his notification list!
Take this as a cautionary tale. This kind of mistake is not uncommon, especially when the list manager sends out infrequent mailings. So, make sure that your user is really being spammed before reacting - and especially before overreacting.
In the post-Canter-and-Siegal Internet, spam has become an inescapable fact of life. I wish I had a panacea to offer, but I don't. You should beware of those who think that they do, because, as Grossman's misquote reminds us: "Complex problems have simple, easy-to-understand wrong answers."
(Copyright© 1997 by Thom Stark--all rights reserved)