The site looks excellent and is a grand improvement. Sincere thanks to you and your colleagues for a job well done. Thanks also for your perseverance. – Tim Hess, VP of Research and Development, TogetherSoft

Email du jour: It's Spam!
To recipients, it goes best with 'delete' button

May 2, 2000

The News & Observer
By Carlene Hempel; Staff Writer

Anyone can be a spammer. All it takes is a downloaded program and a list of e-mail addresses.

But being a spam buster takes special dedication. Even the most computer savvy can feel the futility of fighting that endless stream of unsolicited e-mail that promises everything from cheap electronic equipment to a peek at Uma Thurman nude.

John Mozena compares his battle to the carnival game Whack a Mole in which the object is to hammer away at moles springing unpredictably from a handful of holes. To the spammer, the "hole" is the next server to exploit with thousands, even millions, of e-mail messages.

"Spammers know they're going to burn through e-mail accounts," says Mozena, co-founder of the Michigan-based Coalition Against Unsolicited Commercial E-Mail (CAUCE). "So when you shut down a spammer's account on one Internet service provider, he just pops up on another."

The latest weapon in the battle against spam has come from the government. A federal bill now being considered would require accurate return addresses on messages sent and would make it illegal to continue spamming recipients after they have asked to be removed from a list.

North Carolina, one of 15 states to enact anti-spam laws, allows recipients of unsolicited electronic bulk commercial mail to collect $10 per message from a spammer, up to $25,000 a day, for damages that are the result of that mail being sent. But collecting can be tricky. So far, the state Attorney General's Office doesn't know of anyone who has tried to retrieve damages.

An individual flooded with spam could probably not sue and collect, said state Sen. Eric Reeves, the bill's author, because it is not against the law to be annoying. On the other hand, a Web company that could prove damages - lost business or productivity as a result of spam crashing a server - might be able to collect the losses.

Under North Carolina's law, a spammer who uses a company's server without permission to send unsolicited bulk e-mail can be charged with computer trespass. How aggressively the law is enforced depends on the damage done, says Phil Telfer, a special deputy attorney general in the consumer protection division.

"The law was put on the books so that if someone does something that really causes some damage, there would be a remedy for it," he says.

Some anti-spam laws, like one enacted in Washington, face challenges on grounds that they try to thwart free speech and disrupt interstate commerce. Because there apparently has not been a suit in North Carolina citing the law, which took effect Dec. 1, it's unclear whether it passes constitutional muster. Reeves is confident it would.

"I think our law is constitutional because you have to be able to prove you were damaged," he says, "so this isn't going to solve the flood of unwanted e-mail. But it will solve the types of e-mail that cause you problems."

Mozena's group, CAUCE, estimates that 10 percent of all e-mail sent today is spam.

"It annoys the hell out of me," says Martin Smith, Web master and vice president of marketing for Foundobjects.com, a Carrboro-based e-commerce company. "BellSouth is my ISP for one of my e-mail accounts. I've tried every recourse possible. They have this supposed hotline that you can go to and complain about spam. Ha ha ha. It's ridiculous. They haven't done anything," he says.

BellSouth says it monitors its networks for high volumes of e-mail but can't shield individual users from receiving spam.

Internet service providers (ISPs) have it even worse. In fact, Internet site systems administrators are so aggravated by spammers that they call them "chicken-boners," conjuring an image of a guy in a trailer park with fried chicken buckets strewn all around.

Kendall Lloyd, director of networks and facilities at Total Sports, certainly has a chicken bone to pick with spammers. The Raleigh-based Web company, which provides real-time, text-and-graphic coverage of more than 4,000 sporting events at 250 Web sites, has had more than its share of troubles, Lloyd says.

"Two days ago, someone sent out a lot of spam that was golf-related, and on the 'To' line, they put '4_golf_lovers at golf.com,' and we do the mail for golf.com," Lloyd says. "So the person who receives that e-mail, they see that the 'To' was to someone at golf.com, and they immediately think someone at golf.com sent that."

It's unlikely Lloyd will find that spammer. He'll almost surely hear from the spammed, though, because people are growing bitter. "I've gotten e-mails that were mostly four-letter words for stuff that we had no relation to," he says.

Total Sports also powers beer.com, an online community for brew lovers. The site offers free e-mail accounts.

"They'll go into beer.com, set up an e-mail box, and then they'll go out and spam through some other mail server," he says. Then they put a beer.com address at the bottom of the message for recipients who want to send something back.

"I get 20 complaints a day about people doing things like that," Lloyd says. He thinks the site has been a target for computer vandals who try to break in and shut it down as punishment for the spam they think they're getting from beer.com. "They're annoyed. They say, 'I'm tired of getting mail from this server, and I'm going to blow it off the network.'"

It's a dilemma that plays out every day for any business that functions as an Internet service provider.

Like Lloyd and most Web masters, Hesketh.com Chief Technical Officer Steve Champeon is on the receiving end of the site's abuse@hesketh.com address, which is where users are told to lodge complaints.

In one week alone, Champeon manually entered 70 different spammer addresses to a filter that blocks those messages from being sent again through his servers. In the last three years, he's added 3,800 addresses to the list of sites to block.

He also has to take time to block all incoming mail from sites that have "open relay" vulnerabilities - technical loopholes that allow spammers to hijack a server and send bulk messages through it. (Ever send an e-mail, and it comes back with an error message, even though you know the address is correct? That probably means the server you're using has been deemed vulnerable, and your intended destination will not let your messages through. A list of universally blocked servers can be found at www.orbs.org — NOTE 3/11/04: This project is no longer active or available.)

It takes Champeon a couple of minutes to add each address to the filter - that's hours of work time lost to spammers. And that's not counting the countless hours and sometimes days he has spent fixing major problems caused by bulk mail.

"We pay Steve well," says Michael Tucker, chief of business development at Hesketh.com. "I would say 20 percent of his time is dealing with e-mail and spam, and we have to pay for that. If there were a way to get that money back or at least threaten someone, you bet we would."

In theory, that's just what the new anti-spam law enables him to do. But Tucker and Champeon aren't expecting much. It's hard enough trying to track down a spammer; they don't think it would be any easier to make him pay up.

"So many [spammers] are just these hideously poor stupid freaks anyway, you're not going to get the $5,000 or the $10,000 worth of damages it took," Champeon says. Then again, "you may just get enough out of him to hurt him, to keep him from doing it again."

####

This article first appeared in the News & Observer on May 2, 2000. Reprinted with permission. Reproduction does not imply endorsement.
Copyright © 2000, News & Observer Publishing Co.