Paul Prentice was under siege. All through last winter and spring, the
manager of security and directory services at Steelcase Inc. was frantically
fighting the rising tide of spam pouring into the Grand Rapids (Mich.)
office-furniture company. At the same time, he was fielding a flood of angry
e-mail from executives and workers. They all begged him to get spam under
control. Like many of his colleagues throughout the corporate world, Prentice
hired a spam-filtering company, in his case, Postini Inc., to stem the flow.
Spam is down to a trickle in Grand Rapids these days. But what began as a
campaign against junk mail has evolved into a company-wide revamp of Internet
communications. The filtering system that scrutinizes each piece of mail,
Prentice quickly saw, can handle lots of other jobs. Now he’s broadening its
mandate. The system is searching mail for competitive leaks, ferreting out
inappropriate attachments such as MP3 files or porn, and even keeping an eye on
personal correspondence. In short, the company is asserting much more control
over employees’ use of the Net. "People have already been notified that
our e-mail is monitored," Prentice says.
The scourge of spam, which clogs the Internet with some 15 billion e-mail
messages a day, is provoking powerful responses. It’s pushing companies and
individuals alike to install new tools and adopt norms for online behavior.
These responses are turning cyberspace into a place with tougher rules, thicker
walls, and new laws. On Nov. 25, Congress leaped into action as the Senate
passed sweeping anti-spam legislation that awaits President George W. Bush’s
signature. While many predict that the law will leave most spammers unscathed,
it marks a large and ambitious step to regulate the Internet and e-commerce.
Wake-Up Call
These new laws and barricades are shaping a new stage in the short history
of the Net. While in its infancy, the Internet was marked by its soaring
potential, this new era is defined by limits and defenses. The last year alone
has provided a sobering wake-up call. Not only has spam quadrupled but the
spammers’ technology and methods also have been adopted by virus writers,
grifters, and thieves. Now they can deliver their poison to hundreds of millions
of inboxes. Brightmail, a leading spam-blocking company, estimates that fully
13% of the spams circulating are not just advertisements, but scams. Web giants from Amazon.com to eBay Inc. are seeing spammers swipe their identities,
sowing distrust among shoppers in the $3.9 trillion global e-commerce market.
The result, says Aviel Rubin, director of Information Security Institute at
Johns Hopkins University: "We’re going to change the way we use the
Internet."
Say good-bye to the unruly Internet of old. It’s heading straight to
obedience school, safety classes – you name it. This is the taming of the Net.
Where traditional Internet communications are unfettered, open, and chaotic,
look for the next generation to be far more regulated, orderly, and closed.
Mailings from work, friends, and e-tailers will plop down into separate
mailboxes, and many of these addresses will be closely held secrets. Already,
70% of people online avoid giving out their e-mail addresses, according to a
recent survey by the Pew Research Center.
End of Lethargy
For this next stage of the Net, security is quickly becoming the new growth
industry. Companies that can offer safe and foolproof connections stand to rise
to the top. "It’s the key differentiator," says Ted Leonsis,
vice-chairman of America Online. AOL and Microsoft Corp. are pouring research
into state-of-the-art spam filters and child-protection guards. And financiers
in Silicon Valley are stirring from their post-crash lethargy to bankroll a
veritable rush of startups, each of them intent on developing the perfect
fortress for customers. Sales of anti-spam software alone are expected to reach
$653 million in 2003 and to double in two years, according to Radicati Group
Inc., a researcher in Palo Alto, Calif. "I’d estimate that there are
1,000 businesses selling anti-spam software," says Felix Lin, CEO of Qurb
Inc., a spam-fighting startup in San Mateo, Calif. About a dozen, say venture
capitalists, have lined up venture funding.
How Spam Is Changing the Picture
CLOSED COMMUNITIES: E-mailers are starting to withdraw into small, trusted enclaves. Only certified friends make it past the guard. This is safer but risks balkanizing the Web and slowing the growth of promising new technologies, such as peer-to-peer file sharing.
MULTIPLE IDENTITIES: Netizens are creating separate e-mailboxes for friends, work, spam-ridden e-commerce sites, and even porn. Some 12% of AOL users have alternate accounts. What to do with spammy accounts? Replace them, just like dirty oil filters.
DESPERATE E-MERCHANTS: E-merchants are paying for spots in mailboxes, so the flow of coupons and sweepstakes could grow. US Airways now grants 1,000 bonus miles just for signing up for e-mail bulletins.
MIGRATING SPAMMERS: Spam will become more common in instant messaging and in text messages on cell phones. Cell spam is already on the rise in Europe. And now such messages come with pictures.
COMPANIES CRACK DOWN: While putting in new spam and virus filters, employers will expand surveillance of workers’ e-mail. Already, companies screen e-mail for sexual content, competitive leaks, and MP3 files. They’ll probably keep an eye on instant chat.
FIRST-CLASS MAIL: Premium services will encrypt mail and escort it past spam filters. AT&T, for one, plans blue-ribbon offerings. That will help corporations communicate safely with suppliers, workers, and customers.
Only a few of those companies are likely to land with a splash. But those
that do will be contributing to a cyberworld bristling with class and privilege
– a place where insiders trade information in trusted circles while outsiders
must fill in passwords and submit to iris scans. "It’s a bifurcation
between who you know and who you don’t know," says Kevin Doerr, who heads
Microsoft’s 20-person spam-fighting team. The changes are akin to defenses in
the physical world. With each e-mail address that’s hidden, each filter
installed to block intruders, the Internet’s homesteader heritage fades. It’s
fast becoming a place with doors that lock, ringing alarms, and thousands of
neighborhood-watch programs.
In fact, the whole bedrock of the cyber-terrain is shifting. It no longer
matters if an online offering is cool, fun, useful, and easy-to-use if it’s
not secure. This has grave implications for the Internet. Think of the crucial
technologies just taking shape, the powerful peer-to-peer networks linking
researchers and music fans, the new wireless links circling the globe, and the
massive grids hitching together the computer systems of hundreds of companies.
Each of these visions is built upon unhindered communication coursing between
hundreds or millions of users – each one of them a security risk. Experts say
that new systems must now be engineered with the assumption that everyone is a
possible hacker or thief. "If you can’t trust your neighbor, a lot of the
Internet’s promise goes up in smoke," says Neil Iscoe, former manager of
advanced technology at tech-services giant Electronic Data Systems Inc. and now
director of technology commercialization at the University of Texas.
Growing distrust also spells trouble for startups. In a world teeming with
spam and viruses, such companies’ outgoing e-mail is likely to be filtered,
zapped, or ignored. And while a handful of companies will succeed in building
trusted brands, unknowns face suspicion. Consider the case of Compu-Net
Enterprises, an Internet service provider (ISP) in Paris, Tenn. When spammers
appropriated, or "spoofed," the company’s address earlier this year
and started firing off millions of e-mails under its domain name, the big
Internet companies blocked mail coming from Compu-Net. Innocent customers
briefly saw their communications paralyzed. No one dares block all the mail from
giant rivals such as AOL or EarthLink. "The mom-and-pop businesses get
ignored," says Bill Larson, Compu-Net’s network administrator.
Businesses, large and small, are rethinking how they market on the Net to
cope with the gathering storm of spam. Most have given up on mass e-mailings
after getting lumped in with gambling solicitations and Viagra offers. Instead,
look for them to gain entry to e-mailboxes by lavishing the public with coupons
and freebies. US Airways Group Inc., for example, gives 1,000 frequent-flier
miles to passengers who sign up for the company’s promotional e-mail messages.
"Our big retail clients are planning sweepstakes and promotions to build
their
and marketing at Performics, a Web consulting company in Chicago. "It
separates them from the spam."
In the new, tamer Net, defense is the rallying call. And it can turn
traditional Net communication on its head. Consider one of the most popular
anti-spam techniques. The so-called white list accepts e-mail only from a list
of approved contacts. The downside? An effective white list shuts the doors on
the vast population online – a big part of the Internet’s magic – and
limits contact to a cloistered group. Pavni Diwanji, CEO of MailFrontier, a Palo
Alto spam-blocking software company, predicts that the Internet population will
congregate into zillions of small, gated communities. Trusted members, she says,
"will be able to walk in without even ringing the door." Others will
line up outside while a digital guard sifts through their documents.
EarthLink Inc., the No. 3 Internet service provider in the US, is already
building this future. Its "challenge-response" system blocks every
mailing that comes from outside the user’s white list. It sends a form back to
the sender with a simple question to answer, or even a word to type. Human
senders can handle this – the spammers’ automated computers cannot. Once the
EarthLink system receives a satisfactory response, it lets the mail through.
This method effectively blocks most of the spam. But like all other defenses, it
comes at a cost. If the sender steps away from the computer, the message is
delayed. Important automatic mailings from eBay or Expedia Inc. can hang in
limbo. The possibility of such glitches saps confidence in e-mail. Indeed, 30%
of e-mailers fret that spam filters block key messages, according to the Pew
survey.
How else to sidestep the deluge? By creating alternate identities. Some 12%
of AOL subscribers, according to a company survey, have established a separate
e-mail account for e-commerce. The idea? Web surfers’ interactions in the
hurly-burly online marketplace generate a lot of spam. A second, dedicated
e-address leaves the personal inbox cleaner – but makes it harder for legitimate
e-businesses to connect with customers.
In time, say analysts, many Web surfers will run a full stable of identities – some
cosseted, others fast and loose. This means one address for work, another for
friends, one for e-commerce, and perhaps a hidden box for porn or gambling. Many
of these accounts will be throwaways: When they draw too much spam, they’re
discarded.
The New Math
The focus on defense, though, spells the demise of e-mail as a tool for
stirring up new business. In the early years of e-mail, unsolicited mails
yielded responses topping 10%, say consultants. It was a crucial tool for
startups.
Now it’s hell. Last summer, Elizabeth McCarthy, vice-president for
marketing at Brava LLC in Coconut Grove, Fla., planned to send out e-mail
pitching the company’s enhancement bras. She was confident she could set Brava
apart from the countless miracle pills and sexual come-ons. She spent June
designing a serious, informative online brochure. And in July, she launched a
trial campaign of 20,000 mailings. The response: one solitary e-mail. A
frustrated McCarthy concluded that her mailing got lost, zapped, or filtered.
She pulled the plug on the campaign. "Spam killed our test," she says.
In truth, McCarthy hadn’t adjusted to the new math that spammers have
brought to e-mail. Sending out 20,000 ads was the cyber equivalent of knocking
on two or three doors. For spammers, one in 20,000 is cause for rip-roaring
celebration. That comes to 5 per 100,000, 50 per million. A spammer working that
ratio could send out 10 million e-mails in a few hours and, theoretically,
harvest 500 responses within days – a veritable gold mine. Alan Ralsky, a
spammer in the Detroit suburb of West Bloomfield, Mich. – and one of the rare
ones to speak publicly – says that sheer volume of messages pays off. "Even
a blind squirrel," he says, "can find a nut."
Spammers looking for a quicker payoff are retooling their spam-spewing
machinery for theft. With each month, the spoofs appearing to come from eBay,
Citibank, and others are becoming slicker – and endangering confidence in
e-commerce. Last spring, the early spoofs encouraged customers to enter their
bank data on crude copies of company sites. They were full of misspellings and
bad grammar and were topped by Web addresses unrelated to the company. Worse,
the spam thieves are using authentic company Web sites. They simply gather data
by serving up their own forms, which appear to pop up from the company site.
Clandestine
These spamming thieves hop over borders with a click of the mouse. Secure
Science Corp., a security startup in Los Angeles, has tracked a recent flurry of
scams targeting eBay and Citibank customers. They involve computers in Delaware
and Russia that stay up only for a couple of hours so that authorities don’t
have time to track them down. But they gather plenty of bank data. And,
according to the FBI, they sell the credit-card numbers at clandestine Web sites
for $1 apiece. "These sites move constantly," says Bill Murray,
spokesman for the FBI’s cybercrime division. "They’re up for a day, and
they move."
Even if they’re not pushing scams, many spammers are busily adapting to all
the filters and obstacles that corporations and consumers put in their path.
Ralsky says he has three Lithuanian computer whizzes who devise ways to break
through filters. And with the spam revenue pouring in, many of the biggest
operations are beefing up their computer assets and using them to bombard the
defenses. Ralsky, for one, says business is booming.
High-powered spammer programs, say experts, sidestep filters by customizing
each of the tens of millions of messages they send. This can confuse filters,
which are often programmed to look for certain word combinations. Spammers also
unleash torrents of e-mails at anti-spam companies and consumer groups, hoping
to cripple their servers with so-called denial-of-service attacks. Two groups
that organized "block lists" to sideline spam, Compu-Net and Infinite
Monkeys & Co., both withdrew from the battle last summer after suffering
withering spam attacks. "The spammers are winning the war to control the
inboxes," says Compu-Net’s Larson.
Equally menacing, spammers have extended the battlefield to the entire
Internet. As recently as two years ago, ISPs could block most spam by targeting
the domains that were generating it. But in the past year, spammers have
released viruses which turn computers around the world into mail-serving
zombies. Instead of a handful of domains, the spam can come from just about
anywhere. The SoBig worm launched in August, say industry experts, represented
an escalation of the battle. It harnessed the contact lists of its victims and
sent millions of spams to all their friends and families. "They’re
dismantling the defenses," says Karl Jacob, CEO of Cloudmark, a San
Francisco spam-blocking company.
This is leading companies such as AT&T to create premium services. The
idea? To encrypt mail and provide companies with guaranteed delivery – a cyber
answer to FedEx Corp. "Today’s Internet is coach class," says
Hossein Eslambolchi, chief technology officer at AT&T. "What we’re
building is first class and business class." AT&T expects to start
selling a service next year that will let corporations pay a subscription fee to
make sure their e-mail winds its way past security and gets safely to the
intended recipients.
Betrayal. That’s what pioneering computer scientists feel when they see
what has happened to the Internet. They built a miraculous system with a
foundation of trust, and it’s being overrun by scoundrels. "It’s a
downgrading of the Net and its culture," says David Farber, professor of
computer science at Carnegie Mellon University. "And I don’t see any
gangbuster alternative. That’s what bothers me."
Already, scientists are working on new, improved Internet standards to make
communications on the network more secure. But by the time they settle on new
protocols – late this decade at the earliest – the rest of the world probably
will already have improvised a secure Internet for these troubled times.
It sounds like grim work, focusing on fences and digital locks instead of fun
and games. But if tech companies develop a host of safe and secure spam-free
systems, they will bolster the Internet’s position as a pillar of the global
economy. Security is the missing link. If it takes the spammers and
virus-pushers to ignite an effective response – who would have guessed it? – that
clutter of obscene ads may yet prove to be good for something.
By Stephen Baker in New York in BusinessWeek. Copyright 2004 by The McGraw-Hill Companies, Inc.