February 1, 2005
Law Barring Junk E-Mail Allows a Flood Instead
By TOM ZELLER Jr.
A year after a sweeping federal antispam law went into effect, there is more
junk e-mail on the Internet than ever, and Levon Gillespie, according to
Microsoft, is one reason.
Lawyers for the company seemed well on the way to shutting down Mr. Gillespie
last September after he agreed to meet them at a Starbucks in Los Angeles near
the University of Southern California. There they served him a court summons and
a lawsuit accusing him, his Web site and 50 unnamed customers of violating state
and federal law - including the year-old federal Can Spam Act - by flooding
Microsoft's internal and customer e-mail networks with illegal spam, among other
But that was the last the company saw of the young entrepreneur.
Mr. Gillespie, who operated a service that gives bulk advertisers off-shore
shelter from the antispam crusade, did not show up last month for a court
hearing in King County, Wash. The judge issued a default judgment against him in
the amount of $1.4 million.
In a telephone interview yesterday from his home in Los Angeles, Mr. Gillespie,
21, said he was unaware of the judgment and that no one from Microsoft or the
court had yet followed up. But he insisted that he had done nothing wrong and
vowed that lawsuits would not stop him - nor any of the other players in the
lucrative spam chain.
"There's way too much money involved," Mr. Gillespie said, noting that his
service, which is currently down, provided him with a six-figure income at its
peak. "And if there's money to be made, people are going to go out and get it."
Since the Can Spam Act went into effect in January 2004, unsolicited junk e-mail
on the Internet has come to total perhaps 80 percent or more of all e-mail sent,
according to most measures. That is up from 50 percent to 60 percent of all
e-mail before the law went into effect.
To some antispam crusaders, the surge comes as no surprise. They had long argued
that the law would make the spam problem worse by effectively giving bulk
advertisers permission to send junk e-mail as long as they followed certain rules.
"Can Spam legalized spamming itself," said Steve Linford, the founder of the
Spamhaus Project, a London organization that is one of the leading groups intent
on eliminating junk e-mail. And in making spam legal, he said, the new rules
also invited flouting by those intent on being outlaws.
Not everyone agrees that the Can Spam law is to blame, and lawsuits invoking the
new legislation - along with other suits using state laws - have been mounted in
the name of combating the problem. Besides Microsoft, other large Internet
companies like AOL and Yahoo have used the federal law as the basis for suits.
Two prolific spam distributors, Jeremy D. Jaynes and Jessica DeGroot, were
convicted under a Virginia antispam law in November, and a $1 billion judgment
was issued in an Iowa federal court against three spam marketers in December.
The law's chief sponsor, Senator Conrad Burns, Republican of Montana, said that
it was too soon to judge the law's effectiveness, although he indicated in an
e-mail message that the Federal Trade Commission, which oversees its
enforcement, might simply need some nudging.
"As we progress into the next legislative session," Mr. Burns said, "I'll be
working to make sure the F.T.C. utilizes the tools now in place to enforce the
act and effectively stem the tide of this burden."
The F.T.C. has made some recent moves that include winning a court order in
January to shut down illegal advertising from six companies accused of profiting
from thousands of X-rated spam e-mail messages. But so far, the spam trade has
foiled most efforts to bring it under control.
A growing number of so-called bulletproof Web host services like Mr. Gillespie's
offer spam-friendly merchants access to stable offshore computer servers - most
of them in China - where they can park their Web sites, with the promise that
they will not be shut down because of spam complaints.
Some bulk e-mailers have also teamed with writers of viruses to steal lists of
working e-mail addresses and quietly hijack the personal computers of millions
of unwitting Internet users, creating the "zombie networks" that now serve,
according to some specialists, as the de facto circulatory system for spam.
"We've thrown everything but the kitchen sink at this problem," said Chris
Smith, the senior director of product marketing for Postini, a company that
filters e-mail for corporations. "And yet, all of these efforts have yet to make
a significant dent."
Mr. Smith was speaking in a conference call with reporters last week to discuss
Postini's 2005 e-mail security report, which echoed the bleak findings of recent
academic surveys and statistics from other vendors that filter and monitor
A survey from Stanford University in December showed that a typical Internet
user now spends about 10 working days a year dealing with incoming spam.
Industry analysts estimate that the global cost of spam to businesses in 2005,
in terms of lost productivity and network maintenance, will be about $50 billion
($17 billion in the United States alone). And the Postini report concluded that
most legislative measures - in the United States, Europe and Australia - have
had little impact on the problem.
The American law requires solicitations to be identified as such in the subject
line and prohibits the use of fake return addresses, among other restrictions.
But the real soft spot in the American law, critics have argued, is that it puts
a burden on recipients to choose to be removed from an e-mailers list - an "opt
out" feature that bulk mailers are obligated by the law to provide. (The
European and Australian systems requires bulk mailers, in most cases, to receive
"opt in" authorization from recipients.)
While a law-abiding bulk mailer under the American law might remove a person
from its list, critics say, the scofflaw spammer simply takes an opt-out message
as verification that the e-mail address is current and has a live person behind it.
"Any spammer worth his salt is not going to follow Can Spam," said Scott Petry,
Postini's founder and senior vice president for products and engineering,
"because it would be filtered out immediately."
Defenders of the Can Spam Act say blaming any one law is far too simple.
"Most people say it's a miserable failure," said Anne Mitchell, who helped draft
the legislation and is the chief executive of the Institute for Spam and
Internet Public Policy, a research group in California. "But I see it as a
lawyer would see it. To think that law enforcement agencies can make spam stop
right away is silly. There's no such thing as an instant fix in the law."
She and others note that filtering software has become particularly adept at
catching the vast majority of spam before it ever gets to a user's in-box.
Legitimate e-mail messages do sometimes get caught in such nets - a drawback
that generates its own chorus of complaints. But some specialists have also
suggested that the overall success of identifying and weeding out junk e-mail
from in-boxes may actually help explain the current surge in spam.
"The more effective the filtering technology," Ms. Mitchell said, "the more spam
they have to send to get the same dollar rate of return."
Those rates of return can be staggeringly high (and the costs of entry into the
market relatively low).
A spammer can often expect to receive anywhere from a 25 percent to a 50 percent
commission on any sales of a product that result from a spam campaign, according
to a calculus developed by Richi Jennings, an Internet security analyst with
Ferris Research, a technology industry consulting firm.
Even if only 2,000 of 200 million recipients of a spam campaign - a single day's
response rate for some spammers - actually go to a merchant's Web site to
purchase a $50 bottle of an herbal supplement, a spammer working at a 25 percent
commission will take in $25,000. If a spammer makes use of anonymous
virus-enslaved computers to spread the campaign, expenses like bandwidth
payments to Internet service providers are low - as is the likelihood of
anyone's tracking down who pushed the "send" button.
The overlapping and truly global networks of spam-friendly merchants, e-mail
list resellers, virus-writers and bulk e-mailing services have made identifying
targets for prosecution a daunting process. Merchants whose links actually
appear in junk e-mail are often dozens of steps and numerous deals removed from
the spammers, Mr. Jennings said, and proving culpability "is just insanely
The new federal law does give prosecutors some leverage to go after the
merchants - but it must be proved that they knew, or should have known, that
their wares were being fed into the illegal spam chain.
"We wait to see a real test case of that," Mr. Jennings said.
In the meantime, analysts predict, more viruses will commandeer more personal
computers as zombie spam transmitters - which besides free relays give spammers
a thicker cloak of anonymity. Mr. Jennings estimates that hijacked machines
handle 50 percent of the spam stream, and other analysts have put the percentage
Analysts also expect more use of virus bombs - called directory harvest attacks
- to wrest working e-mail addresses from Internet service providers. "It's the
silent killer of e-mail servers," Mr. Smith of Postini said.
And bulletproof services like Mr. Gillespie's and another, Buprhost.com, are
intent on continuing to offer spam-friendly merchants a haven from antispam
complaints, starting at $89 a month.
"If your Web site host receives complaints or discovers that your Web site has
been advertised in e-mail broadcasts, they may disconnect your account and shut
down your Web site," explains Buprhost.com, which promises no such disruptions.
"The reason we can do this is that we put your Web site in our overseas server
where the local law will protect your Web sites."
"It's very simple," Mr. Petry of Postini said of the junk e-mail scourge. "Spam
is technically very easy to send."
Which is why, according to Aaron Kornblum, Microsoft's Internet safety
enforcement lawyer, suits against spam enablers like Mr. Gillespie are an
important, if incremental, new front to pursue.
"Microsoft's efforts in filing these lawsuits is to stop spammers - and in this
case hosting services that cater to spammers - from plying their trade," said
Mr. Kornblum, who noted that Microsoft was working to enforce the $1.4 million
judgment against Mr. Gillespie.
"Our objective with sustained enforcement activity is to change the economics of
spamming, making it a cost-prohibitive business model rather than a profitable one."