The Spam police
Tactics used by self-appointed spam fighters come under fire.
One Friday afternoon in January, Internet Billing Company - one of the five most visited business-to-business sites on the Web - suddenly found online transaction requests from its customers were being blocked.
The reason was that iBill's name popped up on an antispam group's blacklist that as many as half of the ISPs in the U.S. use to block e-mail and IP traffic from alleged spammers.
Amazingly, no one had ever accused iBill of sending spam. However, someone complained to the antispam group Mail Abuse Prevention System (MAPS) that one of iBill's thousands of customers had spammed them. MAPS not only placed the accused spammer on its Realtime Blackhole List (RBL), it listed iBill's entire block of 254 IP addresses as well.
ISPs and spam police
The spam police force
How the blacklist system works
Q & A with David Rand
Network World's e-mail policy
"We didn't know what was going on," says Marty Essenburg, iBill's CIO at the time, who estimates that the four-day blacklisting cost iBill $400,000 in lost revenue. "There was no warning. It was automatic, and we had to sit back and play catch-up. They hurt our revenue stream, and they tell us how to do business."
IBill, a $500 million company, is just one of the legitimate businesses caught in the crossfire between antispam activists who create the blacklists and the bulk e-mailers who see the Internet as an inexpensive alternative to mass marketing via snail mail. Most everyone agrees that spam or unsolicited e-mail, such as online pornography, weight-loss programs and get-rich schemes, is a serious problem. Spam accounts for as much as 50% of an ISP's e-mail traffic flow and forces ISPs to add hardware, technicians and customer representatives to handle the deluge and its fallout of consumer complaints.
AOL Time Warner says it spends up to 15% of its users' monthly fees fighting spam. AT&T spends $35,000 per month, and WorldCom has 30 people dedicated to spam. The large ISPs can afford internal spam fighters to investigate complaints and enforce acceptable use policies; midsize to smaller ISPs tend to use blacklists.
But critics charge that MAPS and other self-appointed sheriffs of the Internet have overstepped their bounds, wielding great power without any authority. "MAPS is a nuisance. They're like vigilantes,'' Essenburg says.
"They are private sheriffs," says Jonathan Zittrain, co-director of the Berkman Center for Internet and Society at Harvard University. "They don't have any duties of due process. They can just list anybody."
Kelly Thompson, until recently a senior manager with MAPS, and currently vice president of the Forum for Responsible and Ethical Email (FREE), rejects that charge. "Vigilantes usurp the authority of the police. When there are no police, we are our own cops," she says.
With no government agency in charge of policing the Internet, a community developed to tackle the problem, each with a different function (see chart). "People see a niche to be filled and say, 'I have an interest and I can do that.' There might be somebody more qualified to do it, but if they're not doing it, it still needs to be done," Thompson says.
The antispammers see themselves as crusaders in the battle to eradicate spam.
MAPS founders Paul Vixie and Dave Rand (see the question and answer with Rand) are Internet veterans; others are ISP operators or people who have been personally affected by spam.
As much effort and ammunition as the antispammers throw at the problem, the spammers answer with new tactics and renewed vigor. Observers say the volume of spam is increasing, the blacklists are getting longer and more mail is getting blocked.
"I wouldn't say it's getting any better right now. It's an incremental arms race now with spammers finding more and varied ways of getting their mail through," says Julian Haight, owner and administrator of SpamCop.
Guilty until proven innocent
Antispammers say tough times call for tough measures.
"My goal is not to do no harm first," says Haight, who for two years has blacklisted companies for a week after a single complaint.
"We list you immediately, and then we can talk about it . . . I look at it as what we need to do to effectively filter out the spam. If you're innocent until proven guilty it's not an effective [way] to filter out the spam," he adds.
Today, Haight says he's changing his policy. Instead of blacklisting companies or huge ISPs such as AOL or WorldCom for a single complaint, users can decide how strict or lenient they want the blacklist to be, based on the ratio of good e-mails to bad.
Critics say antispammers practice guilt by association, blacklisting not just the spammer, but legitimate businesses - such as iBill - that are associated with an accused spammer.
"There's a lot of times when 'legitimate' is a difficult word in this business," Thompson says. "We perceive that spam-friendly behavior as a direct threat to our network, and it's our responsibility to protect our network. If you happen to be on the same Web server [as a spammer], that's unfortunate and that's not what we are intending to do."
Essenburg says when he asked why iBill was blacklisted instead of the one accused customer, "MAPS says they listed iBill because they could . . . to stop the customer and get them where it hurt by going through iBill."
MAPS' Web site says it will blacklist an ISP that sells connectivity to a spammer; sells software or services to a spammer; hosts a spammer; or handles online transactions for a spammer.
"Collateral damage" or "casualties of war" are what antispammers call cases such as iBill's.
The face of collateral damage
Ron May, MIS manager for SearsCarpet.com, a franchise carpet and upholstery cleaning service in Columbus, Ohio, knows all about collateral damage. May says SearsCarpet.com's e-mail server was blacklisted by MAPS without warning, stranding 25 telecommuters who couldn't send mail for two-and-a-half weeks and bouncing back 40% of outgoing e-mail messages.
During a seven-week period, May's small IT department spent $25,000 in staff time trying to get off MAPS' blacklist and reconfigure 150 user workstations. All because a hacker used an open relay on May's network to send out millions of spam messages.
MAPS spokeswoman Margie Arbon says MAPS' policy is to notify businesses before putting them on the RBL, but in the case of an open relay, the company's name immediately goes on a separate list.
"I've been in IS for 20 years and never had a problem so hard to fix," May says. "There's no appeals process once you're blacklisted. The MAPS folks were arrogant and pompous to deal with. They're out of control."
Arbon says workers at MAPS help people as much as they can, but there are limits as to what they can do. She says MAPS receives 100 complaints a day, 50 of which are deemed legitimate.
The person who filed the complaint is asked to contact the originator of the spam and explain the problem to him first.
If that doesn't work, MAPS, with three full-time investigators, steps in to look into the complaint and contact the alleged spammer.
But the accuracy of the MAPS' blacklist has been called into question.
David Nelson, a senior industry analyst at Giga Information Group, says a recent study found that Brightmail, a for-profit blacklisting and filtering service, blocks 94% of spam with 1% false positives. However, MAPS was found to block 24% of spam with 34% false positives.
Thompson refutes those numbers. "I'm not aware of anybody who shouldn't have been listed and has been listed," says Thompson, who was drawn into the spam wars after a small network she ran in 1996 was shut down for several days because of a spam onslaught.
Double secret probation
But Black Ice Software, a small fax, voice and imaging software developer in Amherst, N.H., would dispute that statement.
CEO Jozsef Nemeth says MAPS contacted him in March 2000 requesting Black Ice change the way it conducts business with its customers. When someone downloads Black Ice software, the company sends an e-mail thanking the person and listing technical support information.
Black Ice later sends periodic e-mail marketing materials to those customers, which includes a provision that lets recipients unsubscribe.
MAPS told Black Ice it had to switch to an "opt-in" system or its e-mail would be considered spam and it would be listed on the RBL. Opt-in means Black Ice would have to e-mail the customer to confirm that the customer wanted to receive the marketing material.
"A customer provides you an e-mail address, and then you e-mail them and ask, 'Are you sure you want to give me your e-mail address?' And you need to wait to get e-mail back saying yes. That's ridiculous," Nemeth says.
When Nemeth refused to go along with MAPS, his company was slapped on the RBL, even though Black Ice could hardly be classified as a major bulk e-mailer. "We found our e-mail bouncing back and had customers calling to complain they couldn't reach our FTP server to download the software they had purchased," Nemeth says.
After lawyers for both sides failed to reach agreement on the opt-in policy, MAPS sued Black Ice for allegedly violating California antispam statutes.
Black Ice is now suing MAPS on the grounds of interference with business relationship, unfair business practice and unlawful restraint of trade. Black Ice hopes to recoup its $400,000 legal fees and collect $500,000 for damages.
Since the initial listing, Nemeth says Black Ice has lost $15,000 per month in banner advertising and sales revenue, and has had to lay off four employees.
"[MAPS] came to my store and mugged me. They wanted to set a legal precedent, and wanted a small company with limited money to fight them," Nemeth says.
"He could have easily avoided that by simply changing his policy," Thompson says. "Just go ahead and confirm subscriptions."
Thompson also says, "I'm not telling you how to run your business. I'm telling you what you need to do to stay off the RBL. You're free to adopt any policies you want. And I'm free to make decisions about whether I'm going to accept or reject your traffic," Thompson says.
Black Ice isn't alone in standing up to MAPS. Harris Interactive, which conducts the Harris Poll, bulk e-mailers YesMail and Exactis, and Web hoster Media3 Technologies have taken on MAPS in court. YesMail and Exactis won temporary restraining orders that kept them off the blacklist.
Even the most ardent antispammers concede that the problem isn't going away anytime soon.
Haight points out that as open relays are being closed, spammers are turning to new methods. Those include exploiting Web sites' Common Gateway Interface (CGI) scripts meant to help users send e-mail to the site's own Webmaster and exploiting a hole in the Wingate Proxy, a home networking feature in Microsoft Windows software, to send out millions of e-mails.
"Spam is like crime. You can hire more cops, but you'll still have robbers and more desperate people doing desperate things," says Bill Hoffman, an AT&T spokesman.
Steve Linford of Spamhaus is pinning his hopes on Congress passing a tough antispam law, because more than 90% of spam originates in the U.S.
Several states have passed spam legislation, but none have withstood legal scrutiny, running up against constitutional issues such as free speech. No federal bills have been passed, and those on the table lack support from key Internet players because they are considered too weak.
"In the political process, laws get watered down and compromises are made," says David Sorkin, Internet law professor at John Marshall Law School in Chicago. "Sometimes compromise legislation is worse than no legislation at all. It legitimizes it . . . I don't think any approach on its own is likely to work."
And that's one thing that most agree on. Eradicating spam will only happen if it's attacked from all sides. "You have to approach it on all fronts at the same time,'' Haight says.
Here's a list of steps, culled from those in the battle against spam, that need to be taken:
- Consumers must stop making spam profitable by refusing to buy anything from spammers or respond favorably to their e-mails.
- E-mail users need to learn how to figure out the spam's point of origination and then send complaints to the ISP hosting the spammer.
- Network administrators need to use filters to block spam.
- Congress needs to pass strong legislation.
- Network administrators also need to close open relays and other exploitable holes in programs such as Wingate proxy and CGI scripts.
Reaction: Here's what some Fusion users are saying about this article: What do you think? Add your comments to the thread
ISPs and spam police
Both fight spam, but they don't go about it the same way.
The spam police force
Organizations to help you fight spam.
How the blacklist system works
File an e-mail complaint with the Mail Abuse Prevention System hotline if you think you have received spam.
Q & A with David Rand
David Rand is a founding member of Mail Abuse Prevention System (MAPS). He sat down with Network World feature writer Sharon Gaudin to talk about battling spam.
Click on these to help you prevent spam.
Spam rebel with a cause
Kearns: Find out if your mail provider is using the RBL services of the cyber-goons at MAPS, and if so - protest loudly. Network World, 7/2/01.
Forum on the Kearns column
Users bash, praise Kearns.
ISPs fight spam from the front line
There is little doubt that you have a grueling job when your business card reads 'senior abuse administrator.'
Network World, 05/24/01.
The spam-tastic year 2000
Unwanted spam gave one e-mail user plenty to complain about in 2000.
PC World, 01/03/01.