Can Spam Be Canned?

Michael Herrick thought he had hit on an ingenious way to fight spam.

The president of Matterform Media, in the Santa Fe, N.M., suburb of Espanola, had devised a software program to disable the so-called Web beacons that spammers insert into their messages to alert them when one of their e-mails is actually opened. Giving junk e-mailers a taste of their own medicine, the program dispatched streams of data back to the senders, inscribed with personal messages.

“It can be a little satisfying saying, ‘Thanks for the spam, you dirtball,’ especially if you can say that a couple hundred times a day,” Herrick recently recalled.

The spammers weren’t amused. They responded one morning last year by sending mass e-mails containing graphic sexual photographs and a link to Matterform’s website. Herrick said recipients turned the messages over to SpamCop, a Seattle anti-spam company that then added Matterform to its blacklist, which identified Internet addresses from which spam originated. Matterform’s website and e-mail system were crippled for 12 hours. And when Herrick finally got the situation straightened out, in came hundreds of furious e-mails accusing him of peddling porn.

“It was a pretty effective bit of revenge on us,” he said.

That was one skirmish in the spam war. For anti-spam forces, it’s always been like the whack-a-mole arcade game, in which beating down a plastic rodent just means another pops up. But these days, the moles are whacking back. And anti-spam entrepreneurs who a few years ago predicted they would eradicate what they view as an Internet affliction have had to acknowledge that they underestimated the tenacity of their opponents.

“We expected the battle to be over very quickly,” said Dave Rand, co-founder of Mail Abuse Prevention System in San Jose, which began distributing free spam-blocking services in 1996, then selling them in 2001. “We were just wrong in so many different ways. The reality is it has been a continual escalation.”

A federal law that took effect Jan. 1 outlaws many of the tricks that spammers use to deliver their pitches, and authorities last month made their first arrests under the Can Spam Act. But hunting down spammers is expensive and time-consuming. In any event, many marketers have moved their operations outside the United States to escape prosecution.

On the corporate front, Microsoft Corp., Yahoo Inc. and Time Warner Inc.’s America Online are considering radical changes to the e-mail delivery system that might stop spammers; one idea is to charge a small Internet postage fee that would add up to such big bucks for bulk mailers that they would be driven out of business.

Meanwhile, techies like Herrick and Rand keep whacking away. They conduct opposition research to learn how mass e-mail marketers operate, buying spamming software and taking it apart. They set up spam traps -- known as honey pots -- to collect e-mail they can analyze for insight into the spammer mind.

Spammers conduct opposition research too. Ron Scelson, the man known as the Cajun Spammer, who boasts of shipping 30 million e-mail pitches a day for clients from his base in Louisiana, buys all the anti-spam software he can find and uses it to fine-tune his messages until they sneak by.

“I reword it to where it still accomplishes the same task without actually using the words and particular things that are picked up on,” he said last year during a conference on e-mail security. He testified before the U.S. Senate Commerce Committee last week that he had stopped using spamming tricks to comply with the Can Spam Act but would again resort to such tactics if Internet service providers continued to block his messages.

Some spammers open private e-mail accounts so they can target them with spam, tweaking their messages until they get through consistently. Others play with words in subject lines.

“It’s a continual cat-and-mouse game,” said Hans Peter Brondmo, a senior vice president for Digital Impact Inc., a San Mateo, Calif., company that sends marketing e-mails for clients such as MasterCard International Inc. and Gap Inc.

Consider the case of the Alabama Spammers, a ring that earned the nickname by using telephone lines around Birmingham to dial up to the Inter- net. The Spammers used high-powered servers and fast Internet connections to make their messages originate simultaneously from 24 accounts maintained by EarthLink Inc., the big Internet service provider based in Atlanta.

Members of EarthLink’s spam abuse team could spot an attack by the Alabama Spammers within minutes, said Mary Youngblood, who heads the team. But it would take an hour to identify and manually terminate each of the 24 connections -- long enough for the spammers to send thousands of messages selling spamming software, herbal versions of Viagra and dating services. In the meantime, she said, the spammers would have moved on to another group of EarthLink accounts.

“I would literally spend all day hunting them down,” Youngblood said.

EarthLink filed a civil lawsuit in federal court in Atlanta in February against 100 companies and individuals, who were accused of hijacking EarthLink customers’ accounts to send junk e-mail. The lawsuit accuses the defendants of computer fraud, trespassing on EarthLink’s networks and violating the Racketeer Influenced and Corrupt Organizations Act, a law intended for use against the Mafia. The case is pending.

The defendants include Herbal Groups Inc. of Chatsworth, affiliate Pathing Networks and director Pat Galvin. They deny the allegations and have filed a motion to dismiss.

“We are not spammers,” said their attorney, Gary Jay Kaufman of Century City. “My clients own and operate a legitimate herbal supplement business.”

Kaufman said unprincipled spammers sometimes improperly hawk Herbal Groups’ products, which are mostly sold via TV, radio, print and direct mail ads. Other times, he said, an Herbal Groups affiliate will use an e-mail list that includes people who don’t want to receive commercial e-mail; when that happens, the company stops dealing with the affiliate.

The Spammer Toolbox

For all the complaints about spam, the marketing method has flourished because it delivers: More than 6 million people -- or 5% of e-mail users -- have bought products or services pitched in unsolicited messages, according to a recent survey by the Pew Internet & American Life Project.

But 77% of respondents in the Pew survey said spam had made their online experience unpleasant and annoying, and 29% said spam had caused them to use e-mail less.

So the spam war rages. Anti-spam software is big business: The Radicati Group, a consulting and research firm in Palo Alto, estimates that companies globally will spend $979 million on anti-spam software and services this year, up 50% from 2003. The software filters are trained to look for suspect words -- “Viagra” or “sex,” for example -- and can hunt for technical characteristics, such as forged return addresses, that are common in spam. Then the filters divert those messages into junk mail folders.

Fighting back, spammers try to fool the filters by misspelling trigger words or replacing letters with characters; for instance, “VIAGRA FOR SALE” might become “V!AGRA FOR $ALE.” They also insert improper computer code so that a filter sees “Viagra” but an e-mail recipient sees “Viagra.”

Sometimes spammers bury suspect words among hundreds or thousands of others in the hope that the filters will be duped. That’s why junk e-mail may include such nonsensical phrases as “bridegroom stipulate earthquake twit Brendan togs,” which was hidden in a pitch for a virility patch in font so small that it looked like a gray line.

Spam fighters have reported seeing marketing messages laden with news stories on Iraq bombings, Shakespearean sonnets and excerpts from “The Hitchhiker’s Guide to the Galaxy” -- efforts to make the e-mail seem legitimate.

Spammers also camouflage words by making the text the same color as the background.

Those tactics prompted software engineers at Yahoo to call one group of junk e-mailers from Ontario, Canada, the Color Spammers. After foiling their attempts to conceal white text in a white background, the engineers realized that the spammers had switched to hiding gray text in a gray background. So the Yahoo team updated the company’s SpamGuard filter program and blocked gray-on-gray -- along with red-on-red, blue-on-blue and other color combinations.

That worked for a while. Then the spammers caught on and entered what Yahoo lawyer Matt Robinson calls their “shades of gray period,” using only a subtle difference between the text and background colors that was too small for recipients to detect. Yahoo next trained SpamGuard to recognize all similar color combinations.

The Color Spammers were beat back once again, Robinson said, until they figured out how to route their messages through unsecured Internet connections, to hide their identities by registering Internet domains in China and to fake their e-mail addresses.

“They’re using every trick in the book,” Robinson said.

The tricks allowed them to flood Yahoo’s network with 94 million messages from January to early March. The distinctive style -- the same number of sentences and paragraphs, for instance, and the same “earthy-tone” backgrounds -- told Yahoo that the messages were from the Color Spammers.

The company sued in San Jose in March, accusing several individuals of violating the Can Spam Act and state and federal computer fraud laws. The individuals could not be reached for comment.

Blocking the Blockers

On occasion, hard-core spammers go directly after their adversaries, hoping to make life so miserable that they give up the chase.

Ron Guilmette did. For a year and a half he published blacklists on his Monkeys.com website. Working from his home in Roseville, Calif., he offered the lists for free to Internet service providers that wanted to shut accounts reported to be sending junk mail.

Then, last summer, Guilmette became a victim of a coordinated assault on blacklist operators. A computer virus instructed infected computers to bombard his website with requests for data, overwhelming it with queries and forcing it to shut down.

Guilmette’s site weathered a 10-day attack in August. Then, in September, his site was hit with a mass e-mail assault like the one that hit Matterform Media. (This is called a Joe Job because its first widely publicized use came against the operator of Joe’s CyberPost in 1996.) He finally thought he was in the clear, but when another siege commenced later that month, Guilmette succumbed after three days.

“I can’t fight the kinds of attacks that have been directed at me recently any more than I can fight against the sun coming up tomorrow,” Guilmette wrote on an Internet message board when he shut down his anti-spam service in September. “I underestimated both the enemy’s level of sophistication, and also the enemy’s level of brute malevolence. I always knew that spammers had no principals [sic] and no ethics, but up until recently, I had no idea that they could or would stoop this low.”

In New Mexico, Matterform Media is still at it. The company recently rolled out a $39.95 service called SpamCrime that automatically sends unsubscribe requests to spammers intercepted by its filter. If they continue to send junk e-mail, SpamCrime reports violators to law enforcement officials for prosecution under the Can Spam Act, which requires marketers to honor requests to remove names from e-mail lists.

“It’s very gratifying to know we’re creating tools that help folks,” Herrick said. He added: “In an arms race, it’s nice to be a weapons supplier.”