Opening Pandora’s In-Box
What Samuel Morse was to the telegraph, what Thomas Edison was to the light bulb, Gary Thuerk is to the unsolicited e-mail advertisements popularly reviled as spam.
“I was the pioneer,” Thuerk says with quiet pride. “I saw a new way of doing things.”
Billions of messages a day touting cheap mortgages, sexual enhancement pills, quasi-fraudulent business opportunities and pornography of a startling rawness are sad proof that he was on to something.
On May 3, 1978, Thuerk sent out the first spam over the network of government and university computers known as the ARPAnet. A marketing manager for Digital Equipment Corp., he wanted to publicize open houses in Los Angeles and San Mateo where the company’s latest computers would be unveiled.
Several thousand people were on the ARPAnet then, most of them computer scientists. Thuerk wanted to send all 600 ARPAnet members on the West Coast an e-mail invitation.
That’s when he had his illumination. “It’s too much work to send everyone an e-mail,” he decided. “So we’ll send one e-mail to everyone.”
A quarter-century later, the ARPAnet has become the Internet, and e-mail in-boxes are being choked by Thuerk’s spiritual descendants.
In January, more than half of the e-mail arriving at the world’s biggest Internet provider, America Online, was spam. By March it was more than 70%. Now it’s well above 80%, or more than 2.5 billion pieces of spam a day. Other e-mail services cite similar statistics. Yahoo says it is handling five times more spam than a year ago.
The companies trap much of this spam in filters before it ever gets to members. But more than enough gets through to annoy, distress and outrage.
Some people are overwhelmed. “I have quit checking my e-mail because of all the spam,” Jennifer Rainwaiter told her e-mail company, Aristotle Inc. of Little Rock, Ark. Rainwaiter said that the last time she signed on, she found 247 marketing messages waiting for her.
Aristotle estimates that spam will cost it about 5% of its 26,000 subscribers this year. “They’re just flat quitting because they can’t take it anymore,” said systems administrator Carl Shivers.
Internet providers as small as Aristotle and as big as AOL are groaning under the weight of spam. They’re adding new computers to carry the doubled and tripled loads and constantly upgrading and redesigning their filters.
Between the beleaguered public and the swamped Internet companies, a crisis has been declared. Politicians are readying spam bills at the state and national levels. Microsoft, AOL and Yahoo, usually fierce competitors, are banding together to explore remedies. Meanwhile, technologists are exploring structural changes to e-mail that will stop spam without destroying the integrity of the Net.
All of these entities came together at the beginning of this month for a three-day workshop at the Federal Trade Commission in Washington. No consensus was reached on anything except the fact that the problem was getting worse minute by minute.
“Finding a solution here is like putting socks on an octopus,” FTC Commissioner Mozelle Thompson said during a break in the proceedings. “There are too many moving parts. But the clear message is that doing nothing is not acceptable. We’re approaching a tipping point where consumer confidence is beginning to erode.”
Any solution, Thompson and others said, must be not only effective but easy to implement. If the average person confronts too many hurdles, he or she will abandon e-mail and perhaps draw back from the Net itself.
“If we can’t solve this problem for Middle America, then the Internet will be a place only for the technologically sophisticated or those most accepting of risk,” Thompson warned.
Among the many losers in that scenario would be all those trying so hard to sell things via e-mail, including the marketers who play by the rules and the spammers who obey no laws.
Bill Waggoner says he’s in the first category, although he’s often accused of being in the second. His company, AAW Marketing in Las Vegas, sends out 16 million pieces of e-mail a day, pushing products from life insurance to vacation packages to a sexual enhancement cream.
Waggoner says he’s just a businessman fulfilling a need. “E-mail marketing is what people want,” he says. “This is America. Capitalism reigns.”
How It Began
Even the guy who invented e-mail is oppressed by spam.
“I get about 20 to 30, probably as many as 50, pieces a day,” says Ray Tomlinson, who sent a message from one computer to another in 1971.
That first e-mail was such a low-key moment that Tomlinson remembers neither the exact date nor the content of the message, which he sent to himself. But his invention was soon taken up by the computer scientists who developed the ARPAnet network, started in 1969 by the Advanced Research Projects Agency of the Department of Defense.
Tomlinson never anticipated spam. “This was a system for communication among colleagues, and your colleagues weren’t about to bother you with stuff like spam,” he says.
Not until Thuerk (pronounced “Turk”) came along, at least.
The first spam was brief and straightforward. To emphasize the urgency of the matter, Thuerk wrote in all capital letters -- a flourish adopted by many later spammers.
Since the ARPAnet was built and maintained by the government, it wasn’t supposed to be used for personal messages or advertisements. Still, Thuerk figured it was worth the risk.
He was right. He got some angry mail (“This was a clear and flagrant abuse,” ran one typical response). He was reprimanded by the ARPAnet administrators and told not to do it again. But as advertising, it worked.
“The whole idea was tell as many people as possible,” he says, perfectly summing up the spammer’s credo. “Any other method -- making phone calls, writing real letters -- would have been much more expensive and taken much more time.”
Over the next three years, Digital Equipment sold more than 20 of the new systems, at about $1 million each. Thuerk gives a lot of credit to the open houses, which were the only ones the company did.
Thuerk’s e-mail was a key moment in the history of the Internet, although this didn’t become clear until much later.
“Unlike Pandora, Thuerk hadn’t been warned about how much ill was contained in the box he opened,” says Net entrepreneur Brad Templeton, who was the first to track Thuerk down and interview him for an online history of spam. “Indeed, the discipline he got probably stopped spam from blooming for some years to come. But the online community made the mistake of feeling that a temporarily effective punishment was enough.”
Just as the Internet was becoming popular with the masses, that error would come home to roost.
The second major event in the history of spam occurred in April 1994, when two immigration lawyers sent a message touting their services to 6,000 Internet bulletin boards.
It took Laurence Canter and Martha Siegel about 90 minutes to spam millions of people. The uproar lasted for months. The Internet was a commercial-free zone, many argued; Canter and Siegel were cut off from their Internet provider and widely chastised.
The couple’s response: Get used to it, because we’re going to do it again.
Since cyberspace was no longer controlled by the government, there was no one with the power to stop them or those who immediately followed them. Like looters in a city without police, the spammers went forth without fear.
As electronic advertisements quickly lost their novelty, they gained a name. The term “spam” comes from Hormel’s canned meat by way of a popular Monty Python skit. The setting is a cafe that insists every order come with a helping of the pink delicacy.
“Have you got anything without spam?” asks a despairing customer.
“Well, there’s spam, egg, sausage and spam,” the waitress says. “That’s not got much spam in it.”
In the background, a group of Vikings keeps breaking into song, repeating the word “spam” over and over and over.
According to Templeton’s research, the word was first used by programmers to mean flooding a chat room or computer with so much data as to cause it to crash. Spontaneously and almost immediately, it was applied to the new mass advertisements that were sent over and over and over.
Canter and Siegel claimed they got a thousand clients from their spam and made an easy $100,000, with essentially no expenses. Even if that’s true -- they were widely accused of exaggerating their profits -- they didn’t reap many long-term benefits from what one contemporary commentator described as “global hatred.” A company they formed called Cybersell and a book titled “How to Make a Fortune on the Information Superhighway” failed.
Siegel died in 2000; Canter is now a software programmer in Northern California. He didn’t answer phone calls and e-mail queries, but in general he seems pretty proud of his spam. His Web site trumpets him as an “early world figure in bringing e-commerce to the masses.”
It’s an article of faith in the spam-fighting world that the most spam and the worst spam is being sent by a limited number of people -- maybe as few as 150.
“To paraphrase Churchill, never have so few done so much to annoy so many,” says Jon Praed, a lawyer who is suing several spammers on behalf of AOL. “People view spam as infinite. That’s part of what is so frustrating. But spammers are like Revolutionary War soldiers making the British think they’re fighting an army of 5,000, when it’s really only five guys.”
No one ever admits to being a spammer, partly because it would open them up to prosecution but also because such a public admission might get them punched, or worse.
It’s dangerous enough to admit to being an online direct marketer. Direct marketers say they’re hired to do mailings by legitimate companies. They say their material isn’t obscene or fraudulent. They say they’re sending only to people who have requested material or sometimes to people they’re sure would like to hear about their offers. They say they honor requests to take names off their lists. They say they’re against spamming.
The distinction between the marketers and the spammers is elusive to some people. Laura Betterly, president of Data Resource Consulting in Dunedin, Fla., says she has received death threats at 3 a.m., been signed up for dozens of newspaper and magazine subscriptions she didn’t want and gotten a call from a “bed-wetting prevention group” that said they had heard her plea and could help.
“That was funny, at least,” says Betterly. She says she’s not trying to portray herself as a victim. Nor is she trying to hide. For one thing, the attention helps. After the Wall Street Journal wrote a feature about her last fall, her business soared. A lot of people hate marketers’ pitches, but a lot of people want to find someone to make them.
A divorced mother of two in her early 40s, Betterly started Data Resource in August with two friends and $15,000. Such low costs are part of the appeal of becoming an e-mail marketer. The biggest expense is getting lists of e-mail addresses. As early as 1995, it was possible to buy a disk with 2 million names on it. Six years later, a disk was offered for sale that had 209 million addresses.
By October, Betterly and her colleagues were drawing salaries, by the beginning of November breaking even. Now the company has nine people and is moving from Betterly’s home into an office.
She sends 750,000 e-mails a day, on average -- all, she says, to people who have surrendered their address to a Web site and given it permission, knowingly or unknowingly, to sell it.
Data Resource says it has 85 million e-mail addresses, which can be broken down by age, interests, location and other variables. So a promotion for a new music club, for instance, can go to young people living in a certain area. This is information that people want, Betterly says. “We pass on very good values to the consumer,” she told the audience at the FTC.
So where is all the nasty spam coming from?
“I’d love to know,” Betterly says. “I’d like to see it stopped.”
Waggoner says the same thing. “It’s 14-year-old kids who are doing all the spamming,” he says. When he’s called a spammer, “it makes me very angry.”
Waggoner says that 15 million of the e-mails his seven employees send out each day are confirmed “double opt-in” -- messages that the recipients have affirmed they want. He also says he sends an additional 1 million unsolicited messages a day, but he denies these are spam.
“I’m not going to sell a product that’s a scam of any type,” Waggoner says. So what about his penis-enlargement pills? “I haven’t used them, but I haven’t heard any complaints.”
Scott Richter is yet another direct marketer who says people are very confused. “Every day of the week, everywhere I go, I get called a spammer,” says Richter, the president of OptInRealBig.com. According to its Web site, the Westminster, Colo., company sends out 100 million e-mails a day.
Richter, Waggoner and Betterly are all on the Register of Known Spam Operations run by the anti-spam group Spamhaus. To qualify for the directory, a company has to have been thrown off Internet service providers for spamming at least three times. Richter, Waggoner and Betterly all say they’re on the list by mistake.
The Damage It Is Doing
The vast increase in spam in recent months is attributed to the fact that so much is being successfully blocked by Internet providers.
A spammer used to send 100,000 e-mails touting, say, generic Viagra in the hopes of getting one reply. If 90,000 of those e-mails are now being blocked, he needs to send out a million e-mails just to find that one customer and keep his response rate the same.
“We’re all collateral damage,” said Paul Graham, a software programmer and anti-spam activist. Since it’s as easy and as cheap to send a million e-mails as to send one, “spammers don’t and can’t bother to target advertising. They send 12 million spams about bestiality to find the one person who wants to see it.”
Pornography is the deepest pit of spam. Aristotle, the Arkansas e-mail company, surveyed its customers about spam in March. More than 700 wrote in to complain. Many mentioned porn.
“No other method of communication is able to throw things like that in your face, entirely unsolicited and unwanted,” wrote Cheryl Nichols. Said Debbie Strobel: “I can’t even have my children around when I am checking my e-mail now.”
Even when they’re not quitting outright, many Internet users are shifting their habits because of spam.
Just as people learned not to publish their phone numbers for fear of telemarketers, they’re realizing they will be spammed if they post their e-mail addresses on Internet discussion groups and bulletin boards.
The FTC recently established that spammers’ ability to harvest e-mail addresses on the Web were even more effective than realized. In one experiment, a newly created AOL account was used to post a message in a religious chat room. Twenty-one minutes later, the address received its first spam -- a graphic advertisement for a porn site.
In another test, an e-mail address was never posted anywhere, but hidden on the agency’s home page. In seven months, the address received 5,150 spam messages.
The obvious moral: To avoid spam, keep your address as private as possible. The result is that an open system, where just about anyone in the world connected to a computer could communicate with anyone else, is becoming much more guarded.
“The walls have been raised,” said Daryl Pitts, a Santa Monica video game developer who uses a new e-mail address every time he subscribes to something on the Web. Once the spam starts coming in, he shuts the address off. He’s done it dozens of times in the last year.
The downside is it’s much harder for people to reach him.
“People can’t just walk into my life like in the good old days,” Pitts said. “I have to invite them in. Our easygoing utopia, where there were no borders and no police, is gone.”
What Is Being Done
In 1998, California took an early lead in anti-spam legislation. One law required all unsolicited messages to be identified by an “ADV” in the subject line; another said Internet providers could ban spam from their networks.
Hopes were high. “These bills will protect Californians from the spam that clogs the arteries of the information superhighway,” said Pete Wilson, who was then governor. “This is excellent,” said spam fighter Paul Vixie.
If any spammer changed his ways as a result of the laws, there’s no evidence of it. You could live in California a long time and never see a message with an “ADV.”
“Some spammers don’t realize what they’re doing is illegal,” said Deputy Atty. Gen. Ian Sweedler. “Some don’t want to accept it’s illegal. And an awful lot believe they’re not going to get caught or prosecuted.”
More than half the states have their own spam laws. The most recent and the toughest measure was enacted by Virginia, which two weeks ago said that it would seize spammers’ ill-gotten assets and impose prison terms of up to five years.
But only three states -- California, New York and Washington -- have filed lawsuits. Spam may be affecting many, but it touches few deeply. It’s not the highest-priority crime out there, especially in a time of budgetary distress.
“I don’t think any of the state laws have had significant effect,” said David Sorkin, an associate professor of law at John Marshall Law School in Chicago. A national law, which seems likely this year, might help a little more, he said.
More state laws are nevertheless likely. State Sen. Debra Bowen (D-Marina del Rey) has introduced a bill to make it illegal to send unsolicited mail either from California or to a California e-mail address. Recipients of spam could sue for $500 per e-mail.
For all those plagued by spam, it might be comforting to think that the guy who started it has apologized, or maybe just that he feels guilty. Pandora unleashed a world of trouble, but at least she said she was sorry.
Not Gary Thuerk. Digital Equipment was bought by Compaq, which was in turn bought by Hewlett-Packard. He still works there. His office mates have all sorts of nicknames for him -- the Spam Man, Father of Spam. They joke that he should enter the witness protection program. They joke that he has given jobs to hundreds or thousands of people.
“It’s a very lighthearted thing,” Thuerk says in his amiable way. “We’re having a lot of fun with it.” He has some Spam recipes tacked up to his wall, a can of the stuff on the desk.
Thuerk doesn’t cruise the Net. He doesn’t buy online. He doesn’t visit chat rooms. He’s not worried about long-lost friends not being able to find his e-mail address.
He doesn’t, in other words, use the Net the way millions of others do. As a result, his in-box remains pure. “I don’t get much spam,” Thuerk says. “Maybe one or two a day. It’s not a big nuisance.”
(BEGIN TEXT OF INFOBOX)
Closing the in-box
Some unsolicited and unwanted commercial e-mail is probably unavoidable, but it’s possible to keep volume at a manageable level. Among the recommendations by the Federal Trade Commission, consumer groups and Internet service providers:
* Limit your primary e-mail address to friends and family. Use a second address when visiting chat rooms or message groups. This address will unavoidably collect a lot of spam. When it becomes too much, dispose of the address and start again.
* An alternative approach is to leave your real address on message groups but disguise it in a way that will fool spammers’ address-collecting programs but not people who might want to contact you. The most frequent disguise is the addition of the words “no spam,” so your address would read
“email@example.com.” Experts are now suggesting something a little more creative would be even better.
* Keep your address off any public Internet directory, including your service provider’s. Directories are a favorite source for spammers.
* Most ISPs let you restrict accounts so they receive only from screened “safe” addresses. This is particularly useful for children’s accounts.
* Spammers often send their mail through “dictionary attacks,” where they first try “firstname.lastname@example.org,” then “email@example.com,” then “firstname.lastname@example.org” and so on, through hundreds of thousands of permutations. When choosing a new e-mail address, resist the urge to make it as simple as possible and instead mix numbers into the letters, like email@example.com. While this will be harder to remember, it is less likely to attract spam.
* Whenever you’re asked to surrender an e-mail address at a Web site, uncheck any box that gives the site permission to sell your name.
* Many spam messages have links that you can click on to remove yourself from the mailing list. Some argue that clicking on these links will reduce spam, while others say it will only prove to the scammers you have a working e-mail address that they can then sell to other spammers. Until there’s an answer to this question, it’s best to proceed cautiously.
* With many e-mail programs, it’s possible to disable the function that allows e-mail to come through with images. This greatly reduces the offensiveness of porn spam.
* For the more technically sophisticated, it is possible to buy many types of anti-spam programs that can be installed on your home computer. Reviews of these filters are mixed; none has won universal raves.
* Don’t respond to spam, no matter how enticing it seems. Spammers have one goal: to get money from you. Anything that sounds too good to be true probably is. In a recent FTC investigation, 90% of business opportunity and investment spam contained likely false claims.
* Let your Internet provider or, at work, your information technology department know that you’re plagued by spam. While they’re all too aware of what’s going on, additional feedback can only help.