On Feb. 18 and 19, e-mail delivery to thousands of AT&T WorldNet customers slowed to a trickle. Some messages took as many as 24 hours to arrive -- an eternity in Internet time. The reason? Spam -- those irritating, unwanted e-mail messages that clog your in-box hawking everything from hot sex and Viagra to interest-free loans. WorldNet, which processes 15 million to 20 million messages each day, was suddenly besieged by millions of junk e-mail pitches -- just as one of its sophisticated anti-spam filters went on the blink. It was the first time that spam brought a large Internet service provider (ISP) to a virtual standstill.
Many people think of spam simply as an annoyance. But over the past few months, it has emerged as one of the biggest headaches for Netizens, ISPs, and corporations alike. While the volume of e-mail sent increased 14% from November, 2001, to January, 2002, the volume of spam increased 46%, according to a survey by anti-spam technology company Brightmail, whose clients include 8 of the 11 largest U.S. ISPs. In January, Brightmail says, spam accounted for 11% to 26% of all e-mail traffic on the Internet. For some ISPs and corporations, spam makes up more than 50% of total e-mail.
It's only going to get worse. Jupiter Media Metrix estimates that each Internet user received 571 spam messages in 2001. By 2006, it expects that number to rise to 1,500. Others are even more pessimistic. David Ferris, a principal at market researcher Ferris Research, estimates that spam will double or triple this year alone. He also warns that the size of spam messages, which averages about 8 kilobytes today, is bound to increase, requiring more servers and storage space.
WASTED TIME AND MONEY. For corporations and ISPs, all of this will be costly. Ferris says most businesses are woefully unprepared for the onslaught: "Right now, it's still only an irritant," he says. "A year from now, it will materially interfere with business."
Already, the costs are burdensome. Computer Mail Services, a Southfield (Mich.) technology company, has created a calculator that projects the cost of spam. It shows that a company with 500 employees, each of whom receives five junk e-mails per day and spends about 10 seconds deleting each one, can expect to lose close to $40,000 per year in wasted salaries and 105 days in lost productivity.
For ISPs, who are on the front line in the battle against spam, the costs are even higher. An ISP with 1 million customers will lose more than $6 million annually in revenues due to higher churn and increased customer acquisition costs to replace those it loses, according to a 1999 report from market researcher Gartner. Add to that $500,000 for new hardware, software, and personnel dedicated to the war against spam. According to a 2001 European Union study, spam's costs now total about $8.6 billion a year worldwide.
MISSED MESSAGES. That figure will only grow as spam levels rise. Here's why: Most corporations use Microsoft Exchange servers or Lotus Notes to help route and deliver e-mail. These systems usually limit the amount of space each user is allocated on the network. As the volume and the size of spam messages increases, users will have to be vigilant about deleting them from their in-boxes -- and the server. That's because once individual users reach their space limits, these mail systems refuse to accept new messages. Corporate users might also begin to miss messages, mistakenly deleted in a routine clean-out of a crowded in-box or swallowed up by a crude filter.
Most corporations' filters are primitive indeed. One international company, which requests anonymity, has simply decided to block all messages from the popular free Web e-mail service Hotmail in an attempt to choke the flood of spam. Other swamped administrators are banning any e-mail that comes from Asia, the source of millions of spams. Still others "black hole" e-mail that comes from unregistered Internet domains, which spammers frequently use to make messages difficult to trace.
These strategies can have unintended consequences. When the National Basketball Assn. (NBA) started filtering e-mails from unregistered domains, messages from many legitimate companies couldn't get through, according to Steve Hellman, senior vice-president for technology at the NBA. Some companies simply hadn't updated their domain registrations. Others were screened out accidentally. At The McGraw-Hill Companies, corporate parent of BusinessWeek Online, not-so-perfect filters occasionally block legitimate mail but still let invitations to look at pornography slip through.
"GUERRILLA WARFARE." In fact, hardly any protection is entirely effective against wily spammers, who are becoming increasingly clever -- and malicious. As ISPs and corporations close one loophole, spammers discover another. Even AOL, the largest U.S. ISP, with 33 million members, relies by and large on its members to alert it to spam messages so that it can improve its filters. "The battle against spam is more like guerrilla warfare then a head-to-head battle," says Edward Plaskon, product director at AT&T WorldNet.
That's where solutions like Brightmail's come in. The San Francisco company, which numbers AT&T WorldNet and Earthlink among its clients, has designed a system that combines technology with a large dose of human intervention. First, Brightmail lures spammers into a trap using an extensive array of dedicated e-mail accounts with a statistical reach of 100 million Internet addresses. It then seeds these addresses on Web sites and in chat rooms where spammers scan for victims.
When a possible piece of spam is deposited into any of the fake accounts, it's automatically forwarded to the Brightmail Logistics & Operations Center, where spam experts verify that the e-mail is indeed junk and write rules to block it. Using the updated rules, Brightmail servers then identify and filter similar spam from incoming e-mail. It's then diverted into a special folder where users can check the spam at their convenience. At Earthlink, spam is kept for 14 days. AT&T WorldNet keeps it for just seven. AT&T's Plaskon says 18% to 20% of users choose to have spam automatically deleted.
REASON FOR OPTIMISM. Smaller companies with few resources are taking a more grassroots approach. At CollabNet, a Brisbane (Calif.) software company, the technology department writes its own filters based on information that CollabNet's 85 staff members enter into the company's intranet. Each week, the department sends out an e-mail with tips and tricks to educate staffers on what to look for, such as odd headers and key words that pop up repetitively in messages.
"That's the only way it's going to work," says Charles Bouchier, the company's information-technology director. "There are only so many things the IT department can put in place, only so much money we can spend on it. Our life doesn't revolve around stopping spam, whereas the spammers' lives revolve around sending it to us."
There's some reason for optimism over the long run. Ferris of Ferris Research says five years down the road, a key weapon in the war on spam could be digital signatures. These electronic passports verify that the message you're receiving is actually from the person the message says it's from. Sooner rather than later, Ferris predicts, corporations and savvy users won't accept mail from senders without a digital signature: "People with a good reason to contact me should be able to identify themselves," he says. "If someone won't tell me who he is, he's probably a dishonorable person."
Such tactics won't eliminate spam, of course. Just as spammers have found ways around current technology, they'll inevitably find ways to forge digital signatures, too. Vinton Cerf, the "father of the Internet," once said "spamming is the scourge of electronic mail and newsgroups." That doesn't seem likely to change for the foreseeable future. By Jane Black