News

Unless you're one of a select breed who has managed to live a life of technological celibacy, odds are you've been offered a miracle drug, been approved for a loan or been chosen to share the wealth of a foreign military general. Depending on who you talk to, spam currently accounts for anywhere from 75% to 90% of all global e-mail traffic, so odds are pretty good that you've received one or more of those offers today—and probably just in the time it took to read this paragraph.

Like insects at a picnic, spam is a nuisance that's tolerated by end users for the greater good—the daily flow of legitimate e-mail that flows into their inboxes along with the junk. But on a global level, the statistics are astonishing and suggest that close to 100 billion spam messages are transmitted worldwide daily.

The growing incidence of spam is forcing businesses to invest more and more money each year into combating the problem—which is costing millions of dollars in network downtime, additional bandwidth costs, productivity losses and overloaded IT resources. "Two years ago, before things got way out of hand, AOL claimed that they had turned away half a trillion e-mails at the heart of their network," says Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email North American (CAUCE), an organization founded in the late 1990s to provide an end-user voice to anti-spam forums. "The scary part is that things have gotten significantly worse since then."

What end-users see in their inboxes is usually less than 10% of what is actually sent their way; the remaining 90% is filtered out through a growing myriad of technologies implemented by Internet service providers. Increases in ISP spam defence spending are ultimately passed down the line, which means those costs are subsidized by consumers. According to the 2007 version of an annual PricewaterhouseCoopers survey entitled "Global State of Information Security," 15 cents out of every IT dollar spent is directed toward security. Gartner Inc. forecasts that worldwide revenue for security software will top $10 billion in 2008. "As spammers get more sophisticated, so do the solutions used to fight spam," says Sara Radicati, CEO of the Radicati Group Inc., a California-based firm that provides research on messaging and collaboration, security, e-mail archiving, identity management, instant messaging and more. "I think the one difference we've seen in the past year is that the anti-spam solutions are beginning to have
a slightly bigger impact."

From a technology perspective, the spam war is being fought in the R&D facilities of companies like Vancouver-based MailChannels, whose founders include former engineers from Symantec (maker of the popular Norton suite of tools). Frustrated by the limitations of earlier generations of security products, they saw the potential to develop more innovative anti-spam techniques. In May, MailChannels released its Traffic Control software as a free online download, allowing anyone to benefit from the huge reduction in spam achieved by the program's e-mail traffic shaping technology. Also known as "traffic throttling," the technology slows down unusually high volumes of traffic being sent from an IP address, which the company has proven will cause most spammer programs to disconnect. "Despite all the money invested in anti-spam systems, Nucleus Research found last year that spam is still costing enterprises an average of $712 per year, per employee," says Ken Simpson, CEO of MailChannels, whose clientele includes Fortune 500 companies like Wyeth Pharmaceutical and Pacific Gas & Electric. "That adds up to $71 billion per year in lost productivity in the United States alone."

Another company using traffic throttling to combat spam is MessageLabs, a global security provider for managed services, including e-mail. MessageLabs uses URL blocking techniques, block lists, signaturing and SMTP heuristics to identify and eliminate hidden spam (see "Anti-spam jargon," page 25). "There's no single technique that prevents all spam, so we take a much more pragmatic approach, using multiple systems to clean out everything in the spam stream," says Matt Sergeant, senior anti-spam technologist with MessageLabs. "We guarantee our customers that 99% of all spam will be blocked, but we have been able to block between 99.5% and 99.7%, on average."

But while technology providers are winning their battles by protecting clients from the evils of spam, the world continues to lose the war. Throttled spammers simply reconnect to a system where the latest technologies aren't in use, resuming their assaults with little more than a few minutes of inconvenience. Technology is also a somewhat impotent tool in the dark underbelly of the spam world, where tightly knit "spam gangs" lurk. Spam is like the new cocaine for some highly organized criminal organizations, which are raking in millions of dollars with legal impunity. Their crimes are often overlooked in the flushed spam of end-users, but beneath the surface they are profiting from lax laws in order to build empires founded on deception, intimidation and even murder.

"These mobsters love it when you just hit delete, but treating the problem as a nuisance is doing those who are fighting the anti-spam battle a disservice," says Schwartzman. "People making serious inroads have received death threats in the past, and the day it happens to me is the day I quit."

The first incidence of widespread commercial spam can be traced to two American lawyers. Their "Green Card spam" in 1994 marketed immigration law services to more than 6,000 Usenet discussion groups. They later argued that their actions were an expression of free speech. That laid the foundation for a wave of notorious spammers like Sanford Wallace, who emerged shortly afterward and took e-mail spam to global heights. But in the words of the late Jim Nitchals, a respected hero of the anti-spam movement, "speech isn't free when it comes postage due." Spam went from being a fairly innocuous problem to being a new method of transmission for spyware, viruses and phishing, all launched, in one way or another, with criminal intent.

Most spamming campaigns deceive their targets by coercing up-front fees for non-existent rewards, or by selling bogus merchandise. Legislators around the world have started to stand up and take notice, but even legislation that can bring the world's top spammers to justice may not be enough to scratch the surface. Approximately 80% of spam in North America and Europe can be traced to fewer than 200 spammers, but they are often merely the IT-for-hire that helps implement the elaborate schemes of much more sophisticated criminals. In a sense, many spammers are the technology equivalent of street-corner crack dealers, feeding the real profits along to a cocaine drug lord operating under layers and layers of deniability. The spammers themselves are intelligent and extremely technologically savvy, but they are still the low men on the totem pole of spam profiteering.

The scariest part for Canadians is that there is currently no criminal law in this country that allows for the prosecution of even the lowest levels of the spam chain. Under the Competition Act, it's prohibited to make representations to the public that are false and misleading. Yet the Competition Bureau's Project FairWeb, an Internet surveillance and enforcement program, is powerless to do anything more than levy fines, mandate refunds, and order offenders to cease and desist—all of which amount to nothing more than the cost of doing business for a lucrative criminal enterprise.

Industry Canada assembled a National Task Force on Spam in 2004 made up of representatives from government, the technology community and consumer organizations like CAUCE. A year later, the Task Force issued a 60-page report to then Industry Minister David Emerson. In 2006, a new Conservative government was sworn in, and the Industry portfolio passed to Maxime Bernier. Just 18 months later, a cabinet shuffle brought in Jim Prentice, who has now served as Industry Minister for less than a year. Not surprisingly, no new anti-spam legislation has emerged during that time, although some of the recommendations made by the Task Force on Spam have led to the implementation of best practices for ISPs and legitimate e-mail marketing businesses, the creation of consumer awareness programs like Stop Spam Here (stopspamhere.ca) and the development of memoranda of understanding with foreign countries that share the spam burden. "Many of the recommendations have been adopted by business, government and Internet users," says Courtney Battistone, a communications officer at Industry Canada. "Industry Canada continues to work closely with the private sector in developing and implementing effective, non-legislative solutions to network threats."

Battistone adds that co-operation with international organizations and governments is key to Canada's efforts to combat spam and related threats, noting that Canada is an active participant in multilateral organizations including the Organisation for Economic Co-operation and Development and its Task Force on Spam. She also notes that Canada participates in various international forums addressing online threats, including the London Action Plan, Asia Pacific Economic Cooperation, the Internet Governance Forum and the International Telecommunication Union.

Nevertheless, the bark of the Task Force on Spam has remained without a legislative bite since 2005, as branches of government and various law enforcement agencies have failed to produce a legal blueprint that will deliver a knockout punch to spammers. In the interim, results of a recent nationwide Deloitte survey commissioned by the Canadian Association of Police Boards suggest that cybercrime is surpassing drug trafficking and is very close to becoming the No. 1 crime in the country.

A ray of hope is on the horizon, however: Senate Bill S-235, a private member's bill better known as the Anti-Spam Act (ASA), introduced by Senator Yoine Goldstein this past May. Currently in its second reading, the ASA is the most encouraging proposal put forward so far, and clearly defines a set of rules and regulations that unsolicited e-mail must adhere to. The ASA also calls for fines ranging from $500,000 to $1.5 million, as well as possible jail terms for spammers of up to two years.

Private members' bills rarely become law, but spam is an issue that the government is being increasingly pressured to deal with—which means Senator Goldstein's proposal may well defy the odds. "What we are looking at is a bill that a few of us from the task force have reviewed and are very impressed with," says Schwartzman. "In other words, we still don't have a law, but we do have one proposal that is extremely good."
While Canadian legislators are finally headed in the right direction, don't expect your daily spam-flushing routine to come to an end any time soon. Prosecuting spammers will certainly send a message—and perhaps even put a dent in the volume of spam traffic from time to time. But with the big guns of organized crime still at large, it will only be a matter of time before they recruit new spammers and develop more sophisticated techniques. "Laws won't make spam disappear, much like laws against murder have not prevented the incidence of that crime," admits Schwartzman. "But we've got proxies for American spammers in this country operating with impunity, and providing law enforcement with the tools they need will, at the very least, start to scare these people away."