Is it time for a law against spam?

Up to a third of all e-mails are 'spam' - junk fliers that are sent out in their millions and clog up in-boxes everywhere. Charles Arthur seeks refuge from rubbish
Click to follow
The Independent Online

"Send Over 90 Million Spam Free E-mails per Month!!!!!!!" "Buy Manufacture Direct Inkjets & Laser Cartridges." "Income Beyond Your Wildest Dreams!!" That's a tiny selection of the junk mail that awaited me this morning – 23 out of 100 or so messages. Do I want to send 90 million e-mails per month, learn more about middle age or buy inkjets? No, I don't, but that doesn't matter to the people who send those messages. They hope that if they send millions of "spam" e-mails out, a few people will buy what they're offering. And since it costs them pennies, if that, to send out their messages, they effectively have a free ride to try to push their rubbish on the world.

The problem is that, if everyone starts sending 90 million e-mails a month to people who don't want to receive them, then e-mail is rapidly going to become useless. And for some people, it's already heading that way.

Spam has been around for years. Some date its origins to 1994, others put it earlier. The name derives from the Monty Python sketch set in a café where the menu offers "Sausage, beans, spam, spam, spam, spam..." On the net, it's become synonymous with endless rubbish (despite the efforts of the Hormel corporation, which owns the trademark to the canned meat product). But it's also become endemic, to the point where it induces apoplexy in quite net-savvy people: Dave Farber, chief technologist of the US Federal Communications Commission, grumbled on his private mailing list, "I hate to say it, but [it's] near time for a law that requires a legal address and a way of removing from all future mailings from a source."

Could laws work? Legislation looks like a weak option. The European Commission is considering laws that would block companies in the EU from sending e-mails without having specific permission from the potential recipients. (They'll also be allowed to e-mail people who have bought things from them.) The state of Washington on the west coast of the US (as it happens, Microsoft's home state) has had laws against unwanted junk e-mails for some years.

But a few successful lawsuits (such as those by Bennett Haselton – see www. haven't stemmed the flow. If anything, it has got worse: the best estimates suggest that the volume has increased between five- and 10-fold over the past year.

Laws won't work, as respondents to Dr Farber pointed out, because spammers ignore laws. They often send their mail via servers located in the Far East, which can be hijacked – because they are wrongly set up to allow anyone to send mail through them – and so remain outside the ambit of their home countries' legislation.

It is a huge problem. The latest analysis, published on Friday by Brightmail, a company that specialises in blocking spam, says that between 15 and 30 per cent of e-mail handled by all ISPs is spam. America Online, the world's biggest ISP, says that unwanted e-mail is the biggest cause of complaint from its subscribers. It handles – and bins – millions of spams every day before they even reach its customers; but more slips through.

Embarrassingly, AOL recently blocked a number of e-mails from Harvard University, which was sending them to would-be undergraduates rather than letters because of the disruption caused by the post-September anthrax attack. Neither AOL nor Harvard knows what it was about the messages that got them blocked. "This wasn't exactly the instant response we intended,'' William Fitzsimmons, Harvard's dean of admissions and financial aid, told The Boston Globe.

Some people are working on systems that would require the sender of an e-mail to confirm their existence before it would be allowed in. One such idea, called TMDA – for Tagged Message Delivery Agent – would require "unknown" senders to confirm that they exist before the mail will be let through. That will solve the problem of people using faked "From" addresses. However, it isn't for the average user; it runs in Unix and sits on the mail server itself, rather than on your PC.

The estimated cost of spam to British business is in the billions. In November, MessageLabs suggested that it cost £470 per employee per year, based on a survey of 200 companies which found that 28 per cent of e-mail was junk – either pornographic, spam or a virus. MessageLabs suggested it would take the average person 10 minutes to deal with this, and for someone on £25,000, voila, £470 per year.

The maths may be right, but the numbers are clearly wrong. Anyone who takes 10 minutes sorting their mailbox needs help, such as training in how to set up filters to remove unwanted e-mail.

For there is one rule that automatically bins 95 per cent of spam: delete anything that comes from someone you do not know and does not have your name in the "To:" or "Cc:" part of the message. The vast majority of spam is sent by "blind carbon copy", or "Bcc" – meaning that you won't actually see your address in the message. (Thankfully, this also means you don't see the other five million addresses that the spam was sent to, and the header of the e-mail is about 5,000 lines shorter.)

Make sure that messages such as mailing lists, which are always sent by Bcc, are allowed. After that, bin everything. It works – although some spammers do use programs that send out e-mails individually. You have to weed those out by hand.

But the problem is that if you're receiving spam, you're going to continue receiving it at that address. Spammers are not rich. Most are eking out what could barely be called a living by trying to hawk useless products. Or they're trying to obtain your credit card number, or get you to call a phone number that will turn out to charge you £1 per minute or more. About the only valuable thing that they have is their mailing list of millions of addresses, and even that is filled with hundreds of thousands of non-existent or faked ones that people have created specifically so that spammers can't send e-mail to them.

But they can always sell their mailing list, which is why you see so many spam e-mails offering mailing lists for "cut-down prices" of $25 (it's always dollars; the vast majority of people doing this are in the US). It only takes a few dozen people to buy the mailing list for the spammer to make a profit. After all, they probably bought it for $25 themselves. What can you do? Only one thing – change your e-mail address.

And spam is now crossing the Atlantic. In mid-December, Virgin Wines and the supermarket chain Sainsbury's sent out a spam to hundreds, perhaps thousands of people, touting mobile phones and wine respectively. However, the e-mail addresses they were sent to belonged to people who were old hands on the internet – and had been using those addresses solely on Usenet and its newsgroups. They knew that there was no way they could have signed up for anything using those addresses with either Virgin or Sainsbury's.

Virgin admitted the mistake, though Sainsbury's did for a while insist that it had been a careful "permission-based marketing" exercise. Not that careful, clearly, and it annoyed many people. The problem is that, with many companies seeking any sort of marketing edge, there are plenty who will be taken in by smooth talk insisting that a collection of e-mails is of people who have signed up to receive them. That's rather than what they are more likely to be, which is a random set of addresses grabbed from the net, because doing that is a lot faster and cheaper than actually finding people who want to sign up.

The Data Protection Act might apply in such cases, but pressing home your case would be hard. So far, nobody has brought any sort of lawsuit in a UK court for spamming. But with e-mails and, most recently, SMS becoming a major target for spam, there isn't much reason to be optimistic.