This is an article I wrote for the Web Techniques Nov. 1997 issue.
    --Bill

The Trouble With Spam

--by Bill Weinman

In my inbox today, there's a note from "Jim" who wants to tell me about "weight loss & skin care", another from "Lee" about the "Last chance to save big on Photoshop, Pagemaker, and Illustrator!", and another from "Darcelle" who wants to know if I'm looking for a real 6-figure income. In total, I have 20 messages, totaling 250 kilobytes from people whom I don't know, yet who feel compelled to write urgently in hopes that I will send them money.

Besides the absurdity of it all, this is becoming more than a mere annoyance. If I were dialing up at 14.4k (fortunately, I'm not), it would take an average of 3 hours of online time just to download this unsolicited mail every month. And it's getting worse. In fact, at the current rate of growth, my incoming Spam (which already outweighs my personal mail by 2:1) will be over 1 megabyte per day by the end of 1997.

What Is Spam?

Email is by far the most used--and the most useful--of the basic services on the Internet. Most of us--more and more every day--use email daily to keep in touch with our colleagues, business associates, friends, family, and peer groups. For the purposes of this article, Spam is the abuse of the email network for the purpose of distributing mass advertisements at the expense of the recipient.

With apologies to Hormel <http://www.spam.com>, who clearly state on their web site, "Hormel Foods would not knowingly sponsor anyone who sends unsolicited e-mail," I use the term Spam to refer generally to commercially motivated unsolicited bulk messaging, in all its common forms on the Internet. Whatever you may feel about Spam-the-lunchmeat, the folks at Hormel are clearly good sports.

The term Spam was originally applied to mass postings on the Usenet (aka Internet News, the Internet's global bulletin board). Those lucky, misguided, or greedy enough to be the sole possessor of the world's fastest way to "EARN BIG MONEY FAST!!!!!" would post their urgent message to thousands of newsgroups in a mass effort to annoy as many people as possible (and, in the process, collect a few $5 bills). Unfortunately, the problem has grown way past its Usenet roots.

Nowadays there are companies that specialize in sending Spam. For a fee, they will flood the newsgroups with a message, or, using gargantuan lists of addresses automatically culled from all over the net, they will send a message to tens of millions of personal mailboxes. In fact, many of the messages are solicitations offering to sell these mammoth lists of email addresses to the recipient!

How Big Is the Problem?

If you listen to the mass-mailing companies, there is no problem. After all, most of us don't pay per minute for our Internet access and all you really have to do is delete the message if you don't want it. This self-serving minimization of the problem is myopic at best; more accurately, it's an outright deception.

According to the latest GVU survey (Georgia Tech's semi-annual Internet usage survey), 20% of the Internet's users are outside of the U.S. Few, if any, of those users pay a flat fee, and many U.S. users pay some time-based charges for Internet access, especially those of us who use the Internet for a legitimate business and require more than dialup bandwidth. But there is a much larger problem:

If we assume conservatively that only 50 messages per day, averaging 5K in size are being sent to an average of 20 million addresses, that is over 5 billion (5,120,000,000) bytes of extraneous traffic, not counting the associated DNS traffic, bounce messages, and other overhead involved in running a mail server. This number is extremely conservative, and represents a huge expense to the backbone providers, which cost is passed on to the rest of us in increased rates and tariffs.

The problem is compounded again by the fact that most Spams are sent from throw-away accounts: free accounts given away by national providers like Netcom, CompuServe, Earthlink, and PSI Net, which the Spammer never pays for. So ultimately, the entire cost of sending, transporting, and delivering the mail is borne by you and me.

SMTP Piracy

I run a small mail server on an ISDN line, which I use for discussion-type mailing lists (a popular low-noise alternative to the Usenet). About a year ago my mail server went down unexpectedly. When I finally got logged in (it was so bogged down that it took several hours to get in), I found over 800,000 messages queued from a forged address at AOL (the message was definitely not sent from AOL). Since I run my mailing lists as a sideline, it took me several days to get around to cleaning it up and I ended up losing quite a bit of real mail in the process.

When I started looking at the mail headers of the growing amount of Spam I got, I realized that most Spam is sent using someone else's SMTP server. This practice is clearly a theft of service, and in many cases constitutes a denial-of-service attack (a class of computer crime which denies the use of a system to those who own it or pay for it).

The SMTP protocol allows any mail server to relay a message for any other mail server. This feature was intended to facilitate the delivery of mail around problem areas in the Internet, much like TCP/IP's routing capabilities. In order to send a message to millions of users, the Spammer need not send all those copies himself--a feat which would be impossible from a dialup line. In fact, using the SMTP protocol, he can send the message once to a server, along with the list of email addresses, and the SMTP server will distribute the message for him. It is considered bad form (and may be illegal) to use someone else's server for a mass mailing without their permission, but there are more and more people doing this every day.

Most Internet SMTP servers imprint each message with enough information to see where it came from and where it's going to. This information is normally recorded in the Received: header line.

Here are some Received: lines from today's crop of Spam. Each of these (and most of the Spam I get every day) is abusing someone else's SMTP relay to send their bulk email:

Received: from Bad.HELO.Input ([38.28.33.31]) by planet.eon.net 
	with SMTP id <425012-18576> Sun, 29 Jun 1997 17:45:27 -0600

This one came from 38.28.33.31, which is a dialup line for PSI Net in Portland, Oregon. It was sent to a mail server in Alberta, Canada (eon.net). The message itself was from someone at spica.net, part of a get-rich-quick group in Miami, Florida.

Received: from alterdial.uu.net by alterdial.UU.NET with SMTP 
	(peer crosschecked as: ascend1-74.theone.net [207.215.171.74])
	id QQcvxx26845; Sat, 28 Jun 1997 16:25:28 -0400 (EDT)

This one claims to be from alterdial.uu.net (which is the same machine that is receiving it!), but is actually a dialup connection from a nationwide ISP that specializes in get-rich-quick schemes (theone.net). The victim here was a UU.NET mail server which normally serves ALTERNET's dialup customers.

Received: from George.compuserve.com (hd8-093.hil.compuserve.com 
	[206.175.199.93]) by arl-img-9.compuserve.com (8.6.10/5.950515)
	id UAA13630; Thu, 26 Jun 1997 20:24:21 -0400

The major national providers are common victims of this sort of attack. This header is from a CompuServe dialup line (there is no George.compuserve.com--that's a forgery), and CompuServe was an unwilling relay for this Spam.

Received: from mail.centralnet.ch (1Cust125.Max9.Phoenix.AZ.MS.UU.NET 
	[153.35.229.253]) by centralnet.ch (8.8.5/8.8.5) with SMTP id UAA07289; 
	Fri, 27 Jun 1997 20:37:18 GMT

This type is becoming more common. This one came from a Microsoft Networks dialup in Phoenix, Arizona, and was sent via a server in Switzerland for distribution. Many of the major providers are implementing newer SMTP servers (like qmail, <www.qmail.org>) that disallow relays to arbitrary addresses. In response, the Spammers are using more and smaller servers, oftentimes outside of the U.S. This will likely cause outages for these small ISPs, which are using lower-bandwidth, more expensive connections than we are used to in the U.S.
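
An added example (not part of the original article): a small Python parser run over the four Received: lines quoted above. It separates the name the sending client claimed from the hostname and IP address the receiving server recorded, and flags the mismatches the commentary points out. The flag names and the two-label domain comparison are assumptions made for this sketch.

```python
import re

# The four Received: lines quoted in the article, unfolded onto one line each.
SAMPLES = [
    "Received: from Bad.HELO.Input ([38.28.33.31]) by planet.eon.net "
    "with SMTP id <425012-18576> Sun, 29 Jun 1997 17:45:27 -0600",
    "Received: from alterdial.uu.net by alterdial.UU.NET with SMTP "
    "(peer crosschecked as: ascend1-74.theone.net [207.215.171.74]) "
    "id QQcvxx26845; Sat, 28 Jun 1997 16:25:28 -0400 (EDT)",
    "Received: from George.compuserve.com (hd8-093.hil.compuserve.com "
    "[206.175.199.93]) by arl-img-9.compuserve.com (8.6.10/5.950515) "
    "id UAA13630; Thu, 26 Jun 1997 20:24:21 -0400",
    "Received: from mail.centralnet.ch (1Cust125.Max9.Phoenix.AZ.MS.UU.NET "
    "[153.35.229.253]) by centralnet.ch (8.8.5/8.8.5) with SMTP id UAA07289; "
    "Fri, 27 Jun 1997 20:37:18 GMT",
]

HELO_RE = re.compile(r"^\s*(?:Received:\s*)?from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
# Optional hostname directly before the bracketed IP the receiver recorded.
PEER_RE = re.compile(r"(?:([A-Za-z0-9][A-Za-z0-9.-]*)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def org(host):
    # Assumption: last two labels stand in for the organisation's domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else None

def analyze(header):
    """Split one Received: line into what the client claimed (HELO name) and
    what the receiving server observed (peer hostname, IP), then flag gaps."""
    line = " ".join(header.split())            # unfold continuation lines
    helo, by, peer = HELO_RE.search(line), BY_RE.search(line), PEER_RE.search(line)
    if not (helo and by and peer):
        return None                            # not a layout this sketch handles
    claimed, receiver = helo.group(1), by.group(1)
    rdns, ip = peer.group(1), peer.group(2)
    flags = set()
    if rdns is None:
        flags.add("no-peer-hostname")
    elif rdns.lower() != claimed.lower():
        flags.add("helo-mismatch")             # claimed name is not the peer's name
    if org(rdns) != org(receiver):
        flags.add("peer-not-local")            # peer absent from or outside receiver's domain
        if org(claimed) == org(receiver):
            flags.add("helo-impersonates-receiver")
    return {"claimed": claimed, "peer": rdns, "ip": ip, "by": receiver, "flags": flags}
```

Only the Received: line written by a server you trust is reliable; any lines below it were supplied by the sender and can be fabricated.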

The Issues

The Spammers are fond of arguing that they have a right to send their commercial messages. They cite the first amendment, and the ease with which a user can remove themselves from the list.

The first amendment of the U.S. Constitution reads (in part), "Congress shall make no law . . . abridging the freedom of speech . . . " Assuming it applies to the Internet (a debatable presumption that may well have an impact on the net in the future), privately owned networks, even those which reside in the U.S., are not under the jurisdiction of the U.S. Congress, a fact which should be evident by the way the NSF prohibited all commercial traffic on the Internet up to the day they divested their interest. In other words, you have no right to use my server to send your message, any more than I have a right to go into your bar and impugn your mother's chastity.

What about all the messages which tell you that you can remove yourself from the Spammer's list just by replying with the word "remove" in the subject?

Each time a Spammer sends a mailing, they use a "fresh" mailing list. If your name was in the last list, it will be in the next one too. In fact, there are some unscrupulous Spammers who use their "remove" responses as confirmation that the email address is valid. They then sell that address to other Spammers at a premium.

Recently, the Spam community has established a trade organization called the Internet Electronic Mail Marketing Council (IEMMC <http://www.iemmc.org>). The IEMMC maintains an "opt-out" list, which lists users who prefer to not receive unsolicited commercial email. In theory, this should cure the problem by allowing those of us who don't like to receive Spam to sign up for this list, but it has a number of drawbacks:

In experimenting with the IEMMC opt-out list, I have learned two things: 1) By putting a new address on this list, I do not receive Spam at that address. 2) By putting an existing address on this list, I do not receive any less Spam at that address. In fact, I still receive Spam from users claiming that they have filtered their list using the IEMMC opt-out list. In short, the list doesn't work for its intended purpose.

The other major drawback with the opt-out concept is that it requires the recipient to go to their web site and fill out a form. On the surface, this may not sound like a problem to many of us, but there are still a huge number of people who use the Internet for email and news, but don't have a web browser. In fact, the design of the IEMMC web site requires a graphical browser and does not work with character-based browsers like Lynx.

How To Avoid Getting On Spam Lists

In short, the only way to stay off the Spam lists is to never use your email address in public. Don't sign up for any mailing lists, don't post your email address on your web site, and especially don't send any messages to a Usenet newsgroup or a public discussion list. Does that sound extreme? Yes, it is. The only alternative is to accept the Spam or try to stop it in other ways.

How To Stop Spam

We've seen that the "remove" messages don't work, opt-out lists don't work, and even filters don't work (because so much Spam uses forged headers). So how do we stop it?

Normally, I am dead-set against legislative solutions to Internet problems. In the past, all the legislative solutions to problems have been more about the Government trying to restrict our use of the net than about solving any real problems. In this case, however, we've tried everything else and the problem continues to grow.

I remember back when I got my first fax machine and it immediately started spewing reams and reams of ads. I remember one day when I was expecting a contract from a major client, and instead having my fax machine run out of paper printing a huge ad for office supplies! In that case, as in this, the only solution was a federal law prohibiting the sending of unsolicited commercial messages by fax.

Summary

Unsolicited commercial email costs all of us, not only in terms of time and money, but in the usefulness of our email. To allow this to continue unabated is to allow a few small commercial interests to steal the bandwidth, resources, and in some instances the very computers that make the Internet possible.

There is an organization called the Coalition Against Unsolicited Commercial Email (CAUCE <http://www.cauce.org>), which has been working in Washington to introduce legislation that would amend the fax law to include electronic mail. I urge you to take a look at what they are doing, and support them if you can.


© 1997 Bill Weinman

Bill Weinman is the author of The CGI Book (New Riders, 1996, ISBN 1-56205-571-2), and co-author with his sister, Lynda Weinman, of Creative HTML Design (New Riders, 1997, ISBN 1-56205-704-9). Bill has been using and writing software for Internet email for 20 years. You can reach him via email at <wew@bearnet.com>, or visit his web site <http://www.weinman.com/wew/>.