January 23, 2004 -- (WEB HOST INDUSTRY
REVIEW) -- Is spam on the lam in the US, or are unsolicited bulk
emailers simply smirking at what is being called "groundbreaking"
federal legislation?
According to the industry, the answer is
yes - on both counts. The recently-passed legislation will force
spammers to find new ways to remain in deep cover and to keep doing
business. But these alternative game plans are readily available and
are already being deployed, experts say.
The bottom line for hosts? Be prepared for anything - and don't look to the legislation as a cure-all.
Citing industry estimates placing the
cost of spam at $10 billion a year for US companies, Congress passed
the law late in 2003, with President Bush signing it in December. Among
other provisions, the "CAN-SPAM Act of 2003" requires unsolicited
commercial email messages to include the sender's address and opt-out
instructions. It will also allow the Federal Trade Commission to create
a "do not spam" resource for spam victims. Proponents praise the law
for creating an enforceable standard of acceptable e-marketing
practices on a nationwide scale. Previously, anti-spam legislation was
enacted by the states in patchwork fashion.
But hosting industry players remain, at
best, only mildly optimistic about the effectiveness of the
legislation. To begin with, Spam is ubiquitous these days. Emeryville,
California-based email message management company Sendmail Inc. (sendmail.com)
estimates that 40 percent of enterprise information technology
professionals are spending two hours or more a day dealing with spam.
And most spammers operate jurisdictionally outside of the US anyway, so
the law is irrelevant to them. Besides, if a spam victim opts out, what
is to stop criminal spammers from taking advantage of the knowledge
that they now have "real" addressees to use as targets for more spam?
At least, that's the case being made by
those in the forefront of anti-spam technologies, such as Marina del
Rey, California-based FrontBridge (frontbridge.com) and UK-based SurfControl (surfcontrol.com).
Susan Larson, vice president of global product content for SurfControl,
predicts that this legislation will benefit spam-friendly hosting
operations in foreign countries at the expense of their US-based
spam-monitoring hosting counterparts. "The push towards overseas spam
operations will have interesting economic ramifications for spammers,"
Larson says. "Just as with other industries, the ability to have
operations hosted in other countries - especially countries with
struggling economies - will significantly lower the costs for doing
business."
In the meantime, industry watchers should
expect spammers to continue tinkering with their methods for
circumventing anti-spam technologies, says Dan Nadir, vice president of
product management for FrontBridge. "One particularly insidious
approach happens when a spammer will use a generic subject line, such
as 'follow up,' in order to get the user to open the email," he says.
"Once opened, the user recognizes the spam and then deletes it.
However, embedded within the email itself is a pixel-sized tag that
notifies the spammer that the email has been opened and that the
address is, in fact, legitimate." Another common approach, Nadir says,
is to disguise the "From:" address as a local user or domain, which
both confuses the user and bypasses anti-spam systems that rely on
"trusted" senders.
And if all of that sounds like the
cyber-equivalent of Mad magazine's Spy-versus-Spy cartoon, well, that's
because it is. Often, spammers thwart their antagonists using non-tech
or low-tech means that rely on old-fashioned human craftiness.
"Unsophisticated keyword filters are
easily fooled by spammers with a technique known as content
manipulation," says Scott Chasin, chief technology officer for
Denver-based MX Logic Inc. (mxlogic.com),
an email security company. "By inserting legitimate business
communication or terms into messages, spammers have a better chance of
fooling filters. Spammers also bypass signature-based filters using a
technique called 'uniqueness generation' whereby they insert a string
of meaningless characters and numbers or random, non-spam words in a
message. Additionally, spammers often manipulate the color of a
message, hiding the illegitimate content that can fool spam filters by
making it the same color as the background of the message." For every
solution, spammers appear to be coming up with three or four solutions
to the solution.
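
Three of the tricks Nadir and Chasin describe (the pixel-sized open tracker, a "From:" address posing as a local domain, and text colored to match the background) can be flagged at a mail gateway. The following is an added example, not code from the article or from any vendor it names. It assumes the message arrived from outside, that `example.com` is the receiving organization's own domain, and that colors are set with `bgcolor` and `<font color>` attributes rather than CSS.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed inbound message for illustration, not real traffic.
SAMPLE = '''From: "Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: follow up
Content-Type: text/html

<html><body bgcolor="#ffffff"><p>Limited offer.</p>
<font color="#FFFFFF">quarterly budget meeting xk29qz7</font>
<img src="http://tracker.invalid/o.gif?id=alice" width="1" height="1">
</body></html>
'''

class HtmlChecks(HTMLParser):
    """Collects tiny remote images and text coloured like the background."""
    def __init__(self):
        super().__init__()
        self.bg, self.colors, self.pixels, self.hidden = None, [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "body":
            self.bg = a.get("bgcolor", "").lower() or None
        elif tag == "font":
            self.colors.append(a.get("color", "").lower())
        elif tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            # A remote image declared 0 or 1 pixel wide and high is a likely open tracker.
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.pixels.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "font" and self.colors:
            self.colors.pop()

    def handle_data(self, data):
        # Text whose font colour equals the body background is invisible to the reader.
        if data.strip() and self.bg and self.colors and self.colors[-1] == self.bg:
            self.hidden.append(data.strip())

def inspect_inbound(raw, local_domain="example.com"):  # local_domain: assumed own domain
    msg = message_from_string(raw)
    checks = HtmlChecks()
    checks.feed(msg.get_payload())
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {"tracking_pixels": checks.pixels, "hidden_text": checks.hidden,
            "from_claims_local": from_domain == local_domain}
```

The color comparison is an exact string match after lowercasing, so equivalent notations such as `white` versus `#ffffff` are not treated as equal here.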
The legislation has brought up concerns
over not only its potential lack of effectiveness, but its chilling
effect on perfectly respectable Web-based marketers who use email
marketing in an above-board way. For example, the law was never
designed to hurt marketers who mail customers using opt-in promotional
features on their Web sites. But that may be the end result, some say.
"There may be disputes arising from
unhappy email recipients who may have forgotten that they opted in to
an email list," says Jonathan Wilson, vice president and assistant
general counsel for Web host Interland, and chair of the American Bar
Association's Internet Industry Committee. "The act will not have much
impact, however, on the truly 'bad actors' in the spam world. The bad
actors are those who know that they are peddling a worthless or illegal
product with illegitimate methods and who simply don't care. Those bad
actors already spoof their originating domains and use dummy email
accounts or hacked servers to send their spam. The legislation does not
give law enforcement or private litigants any practical tools to track
down the bad actors and bring them to justice."
Not all forecasts for the future of
anti-spam measures are so pessimistic, with some industry experts at
least acknowledging that the new law is a start. "Will this law stop
all spammers?" asks Matt Blumberg, CEO of New York-based Return Path
Inc. (returnpath.com), an email performance-management company for corporations such as IBM, Gateway, Sprint and Dell.
"Unfortunately, no. Will it have a
positive impact in the war on spam? Absolutely. The most egregious
spammers will find a way to continue flooding us all with unwanted
email - most likely by moving more operations overseas. But this
legislation should help lessen spam by giving the federal government
the authority it needs to hand out fines and jail time to offenders; by
setting clear minimum standards for legitimate mailers to follow; and,
perhaps most useful of all, by providing a way for the average consumer
to identify and report spam."