21st: Spam bombers

Tired of receiving dozens of get-rich-quick offers and promos for "bulk mailers" in your e-mail? Meet the software designers who have made it all possible.

Published October 4, 1997 7:00PM (EDT)

I figured Neil Albala as a hard man to get a hold of. I knew he was the author of Floodgate and Goldrush, two of the Internet's first commercially available "bulk e-mail" software programs. But I also knew that the very words "bulk e-mail" are an invitation to a flame war.

Bulk e-mail is a euphemism for "spam" -- that all-too-familiar influx of junk e-mail that clogs electronic mailboxes the way kudzu strangles a forest. On the Net, anti-spam vigilantes tend not to look kindly upon programmers who write software that facilitates the transport of "unsolicited commercial e-mail." Incidents of harassment -- phone calls, lawsuit threats -- are common. Albala, I had been told, practically "invented the bulk e-mail business"; my guess was that he would be lying low.

I guessed wrong. To my surprise, Albala answered my first e-mail query promptly -- and then proceeded to upset my expectations once again. I had assumed that he would be gratified at how healthy the bulk e-mail business seems right now, if my own stuffed e-mail box is any evidence. But when I asked Albala how he saw the future, he sounded downright glum.

Bulk e-mail, says Albala, is under siege. A flurry of spam regulation bills looms on both federal and state legislative levels. A string of recent court decisions is steadily eroding spammer freedom. Blocking software installed at large Internet service providers like America Online and CompuServe is "making it almost impossible for people to get the mail out." And worst of all, this spring, sales of Floodgate, which retails for about $400, suddenly plummeted.

"It's the end of an era," says Albala.

Most spam-ridden users today might snort at that idea. Spam stats are hard to come by, but a wealth of anecdotal evidence suggests that bulk e-mail is booming. A steady stream of complaints dot Usenet newsgroups, mailing lists and online conferencing systems. A systems administrator at one Internet service provider reports that 25 percent of his own mail is spam -- and the numbers keep rising. Indeed, over the course of reporting this story, my daily spam count nearly doubled, as if just the act of thinking about spam exerted a magnetic attraction on "Lotto Buck$ 4 U!!!" e-mail messages.

Albala's troubled bottom line has another, more likely explanation: competition. Floodgate may have been the first spam software product, but over the last year, a slew of increasingly powerful "address extractor" and "bulk mailer" programs have joined it in the market, flaunting gaudy, inflammatory names like Extractor Pro, Stealth Mass Mailer, CyberBomber, E-Mail Blaster and Web Weasel.

And those are just the most public weapons in the spam arsenal. A thriving not-so-underground spam economy flourishes in the interstices of the Net. There is a steady demand for "cloaking software" -- programs that disguise, or hide, spammer identity -- as well as for arcane little programs like "mailing list cleaners" that cull "bad" addresses from mailing lists. And finally, of course, there are the address lists themselves -- for prices ranging from $19.95 to several hundred dollars, you too can purchase 25 million e-mail addresses.

Indeed, as I looked more closely at my daily dose of spam, I noticed that a significant portion, if not the majority, of my junk e-mail advertised tools designed to create more junk e-mail. Welcome to the ultimate post-industrial "service economy"! On the Net, everyone is in business selling business supplies. And the trickle-down effect of a vigorous spam software marketplace is, inevitably, more spam.

One can hope that before we're completely overwhelmed, we'll see the development of equally powerful anti-spam tools. But right now, spamming technology has the upper hand, and it is feeding on itself in a mad, spiraling frenzy.

And the spammers rejoice. Contrary to my initial assumption, I found that as a class, the authors of spamming tools and marketers of spamming services are a brash and highly visible crew. They stand united by a firm belief that any publicity is good publicity, by an absolute refusal to acknowledge that the tools that they are creating are being used irresponsibly, and by a strong wish that the government keep its hands off their business. As one reseller of the address extractor program NetContact told me, "Everything we've come to enjoy and take for granted in the Western world is at risk if we restrict the honest expression of salespeople."

Neil Albala's competitors airily dismiss his fears. Adverse legislation? No problem, we'll just move our servers to another country. As Forrest Dayton, author of the Stealth Mass Mailer program observes, "They couldn't ban porno on the Net. How are they going to ban bulk e-mail?"

Blocking software? So what -- it's just another market opportunity. Floodgate's woes, say competitors, are due to its own deficiencies. Newer, smarter programs have become the spammer's first choice. "My mail gets through," asserts Dayton.

Depressed sales? Business has never been better, claims self-proclaimed "spam king" CyberPromo's Sanford Wallace.

"Since the day we started this business we haven't shown a loss," says Wallace, who enjoys referring to himself by the nickname "Spamford." Claiming revenues this year exceeding $2 million, he scoffed at assertions that the bulk e-mail biz is little more than a pyramid scheme in which the irresponsible rip off the clueless. "You'd have to make a mistake not to make money in this business."

CyberPromo, boasts Wallace, is responsible for "80 percent of the bulk e-mail currently delivered across the Internet." Wallace is eager to claim that CyberPromo moves 25 million e-mail messages a day for 11,000 clients. But CyberPromo markets no actual products itself -- just the tools of the spamming trade. The company is a one-stop-buys-all spam clearinghouse, addressing, says Wallace, the biggest problem that would-be spammers face -- the likelihood that they will lose their account at their local Internet service provider if they abuse spam policies.

That's not a problem at CyberPromo, which -- in addition to its flagship product, the bulk e-mailer Cyber-Bomber -- also has its own network of mail server computers, and purchases connectivity to the Internet through a service provider, Agis, that remains deaf to anti-spammer outrage.

Wallace's competitors aren't crazy about his devil-may-care stance. To them, he is undermining the "respectability" of the bulk e-mail business.

"His 'how are you going to stop me' attitude is great for his publicity and great for his marketing, but as far as legitimizing this business and this industry, it's not helping a whole lot," says Todd Farmer, marketing director at Extractor Marketing, which sells the address extractor programs Extractor Pro and Web Weasel.

But is the business really legitimate in the first place? To most systems administrators and anti-spammers, the bulk e-mailers are taking advantage of technical loopholes in the Internet infrastructure to get a free marketing ride on an already overburdened system. And the fact that they seem mostly to be selling their own tools exposes their hollowness, argues Scott Mueller, a systems administrator at WENET, a mid-sized Internet service provider in San Francisco.

"If you think about it, if there were money to be made spamming ads, then wouldn't you want to keep other people from competing with you?" asks Mueller.

Mueller is a leading force in the Coalition Against Unsolicited Commercial e-mail (CAUCE), a group that is backing federal legislation that seeks to financially penalize advertisers for unsolicited e-mail, rather than go after vendors of spamming services. He's given up on techno-fixes to the spam problem, convinced that there is no way, "unless we have true artificial intelligence," that spam blocking software can ever keep up.

First, there is the endless creativity of the spammers. Spammers change their return addresses constantly, and are always coming up with new formulations of the basic pitch. And software like the Stealth Mass Mailer makes it possible to use any mail server computer on the Net as a bulk e-mail relay station, even if the bulk e-mailer doesn't have an account on the service provider that owns the mailer. Such a practice, referred to as "hijacking," is considered one of the more egregious spamming sins. Even Dayton, the author of the program, says he frowns upon such "unethical" activity.

"I don't police what my people use it for," says Dayton. "I tell them up front you shouldn't mail through a server you don't have an account from. You can open up an account with a bulk e-mail Internet service provider and you're doing it totally legit. All the program was designed for was speed."

To anti-spammers, such assertions reek of disingenuousness. But questions of morality aside, the truth is that the open architecture of the Internet permits all kinds of abuses. Decentralized anarchy is one of the Net's greatest strengths; but it doesn't come for free. If you want the power of e-mail -- cheap, fast and universal -- you must pay the price of spam.

Or at least that's how it seems right now, with the prospect of any significant legislation taking effect still at least a year away, according to Mueller. But the obvious health of the market for spam tools begs an obvious question -- where is the market for spam blockers?

In its infancy, argues software engineer Ron Guilmette.

Guilmette is a leading anti-spam radical -- a longtime spam hater who finally decided to bet his talent on an emerging market for anti-spam technology. Guilmette notes that new versions of popular e-mail programs such as Pegasus and Eudora come equipped with powerful and increasingly easy-to-use filter systems that allow users to configure their applications to reject unwanted mail. The problem, he concedes, is that spammers move too fast for users to keep up with -- you'd have to spend more time updating your filters than it would take just to delete the messages by hand.

Guilmette believes he has an answer to the problem -- a spam blocking program that is configurable by users, but constantly updates its own internal list of spam offenders by connecting to a central database. Guilmette says his program, Deadbolt, available for purchase in September, would be installed at the mail server level -- thus catching, and blocking, spam before it ever is downloaded into a home computer.

And just as the spammers are constantly harvesting the Net for new e-mail addresses, Guilmette has spies lurking everywhere, watching for new spammers.

"We have a global network of listening posts," says Guilmette. "E-mail addresses that we put on different Web pages, that we have posting to newsgroups and mailing lists. They are carefully disguised to look like normal e-mail addresses, but they actually forward every message that they receive back to our central database. The spammers will never find them all."

Like most software engineers, Guilmette is confident that an acceptable solution is only a few lines of code away. Spam technology, he says, is kid's stuff.

"As far as the arms race is considered -- their tricks vs. our tricks -- I think their tricks have been extremely trivial," says Guilmette. "It doesn't take a rocket scientist to figure out how to write a spam program. But our defenses, or our tools or weapons, have, to date, been very primitive in response. What I'm trying to do with Deadbolt is raise the bar to a much higher level. I agree with the people who assert that spammers may invent new tricks. But right now they are only using a small handful of tricks, and they have no others. Once we raise the bar on our side, the odds of them being able to jump over a higher bar is actually quite low."

Would that it were so. Because without either the development of powerful defenses or punitive legislation, the spam onslaught is unlikely to slow. The bulk e-mailers like to talk about responsibility -- some have even gathered together in consortiums aimed at coating their business with a respectable veneer. But when pressed, most authors of bulk e-mail software disclaim any real responsibility for what is done with their programs. In fact, Neil Albala, Forrest Dayton and Todd Farmer all immediately retreated to the identical clichis drawn from the libertarian arsenal of the National Rifle Association.

"A person selling a gun is not responsible if someone goes out and shoots someone," says Albala. "Almost any tool can be used irresponsibly. Implying that I should be responsible is a bit of a stretch."

"A gun can kill a person," says Dayton. "It is very simple to go and kill someone. But that's not what it was designed for."

Right. And bulk e-mail software wasn't designed to bombard your mailbox with crap, either.


By Andrew Leonard

Andrew Leonard is a staff writer at Salon. On Twitter, @koxinga21.

MORE FROM Andrew Leonard


Related Topics ------------------------------------------