Oregon State Bar Bulletin — APRIL 2004

Canning the Spam
Unclogging law firm mailboxes
By Sharon D. Nelson & John W. Simek

So how much do you hate spam? Spam-haters have become the world’s largest club. People talk more about the bane of spam than the latest absurdly unreal 'reality' shows. Where we all once had a trickle of unsolicited e-mail that turned into a river, most lawyers now see spam in terms of a tsunami that grows in height on a daily basis and threatens to crush legitimate e-mail correspondence. Only the larger firms have tended to filter spam well. And now we have a new federal anti-spam law, whose effectiveness remains a matter of great speculation.

As a practical matter, can we 'can the spam?'

The Grim Facts
First, let’s examine the unnerving statistics, as reported by Massachusetts Institute of Technology’s Technology Review and Consumer Reports, some of which may seem startling. It will not surprise anyone that spam now comprises more than 50 percent of the average inbox, up from 8 percent in 2000. More than 13 billion unsolicited e-mail messages swamp inboxes worldwide every day. America Online reports it routinely blocks more than 1.5 million spam messages per day and yet it also averages 7 million complaints daily about the spam that gets through. According to the Radicati Group Inc., a market research firm specializing in e-mail, the number of spam messages is doubling every 18 months. Ferris Research now estimates spam causes a $10 billion a year drag on the economy.

How the Spammers Find You
How do spammers get your address in the first place? There is the classic 'dictionary attack' in which spammers target guessed names such as johndoe, johndoe1, johndoe2, etc. Spammers all have software to facilitate these attacks — if they don’t receive a 'bounceback' indicating that the address is invalid, they add it to their 'confirmed valid' database.

If you shop or register for something online, be wary. L.L. Bean will not sell your e-mail address, but 'Joe Chen’s Bargain Computers' might do just that. Make sure you look at privacy policies and be skeptical about companies you don’t know to be reputable.

If a lawyer places an e-mail address on his or her law firm site at 8 a.m., he or she is likely to receive the first spam message by 8:10 a.m. Ditto for talking in chat rooms. Spammers use special harvesting software to scan the Net for visible e-mail addresses. As an experiment, The Center for Democracy & Technology, a Washington, D.C., advocacy group, posted 250 new e-mail addresses on its website. Within six months, the addresses received more than 10,000 unsolicited e-mails.

Spammers also harvest e-mail addresses from free chat services. That was at least part of the reason that Microsoft closed its chat rooms in 28 countries on October 14, although it allowed them to remain open on a subscription basis in the U.S., Canada and Japan, where visitors are more accountable because their billing details are on record with Microsoft.

How do the rest of them find your address? Often through reselling. Sometimes lawyers are their own worst enemy as they reply angrily 'Remove' or 'Unsubscribe,' only to have their address added to spammers’ 'confirmed valid' lists, which they will of course then sell to other spammers. Unsurprisingly, 'confirmed valid' lists are generally resold many times over.

The statistic that takes most people aback is the experts’ consensus that roughly 90 percent of all spam is sent by fewer than 200 people, a view affirmed by the Coalition Against Unsolicited Commercial E-mail, an anti-spam coalition. Jon Praed, an attorney with the Internet Law Group in Arlington, Virginia, told Technology Review these major league spammers are 'hackers gone bad or they are crooks gone geek.'

Whoever they are, they are making law firms miserable. Managing e-mail is a daily task, and as we all hit the delete key scores of times, it’s easy to accidentally delete a legitimate e-mail from a client without noticing. Not to mention the frustration of having to wade through the mess we find in our inbox every morning. The authors of this article currently receive several hundred spam messages each day. Spam has become a daily chore and e-mail management a daunting task.

State Legislative Solutions: Spammers in the Slammer?
As the federal government struggled with competing lobbies and got nowhere quickly, 35 states managed to pass anti-spam laws, none of which seemed to accomplish a great deal.

Spammers in the slammer, a common state penalty, sounds great to many of us, but many commentators have expressed the concern that prosecutors would not enforce such laws aggressively, both because they lack funding and because they don’t perceive spam as a serious crime. Typically, one would think murder, arson, rape, armed robbery and other significant charges would receive attention far ahead of unsolicited bulk e-mail. Another factor is it’s extremely difficult to trace the source of spam in most cases. Spammers are wily creatures who change their network addresses regularly and relay their e-mail off unsecured servers, primarily in Asia, to hide the true source of the e-mail.

The most stringent of the state spam laws was California’s, signed on Sept. 23, 2003, and scheduled to take effect on Jan. 1, 2004. It was called vulnerable to legal challenges, including First Amendment grounds or arguments based on the law’s interference with interstate commerce. The new federal CAN-SPAM Act preempts California’s 'opt in' requirement. The California law outlawed sending most commercial e-mail messages to anyone in the state who has not explicitly requested them. That made it the most wide-reaching law of any of the 35 other state laws meant to regulate spam or any of the anti-spam bills that Congress considered. The law, which also prohibited companies inside the state from sending unsolicited e-mail to anyone outside the state, imposed fines of $1,000 for each message, up to $1 million for each campaign. Proponents of the law said it would be more effective than many anti-spam laws because it gave people the right to file private lawsuits rather than depending on state prosecutors. Unfortunately, the California law never got a fair shot, as the federal law largely preempted it.

Can the Federal CAN-SPAM Act Can Spam?
Congress remained, for a shamefully long time, a lumbering ineffectual giant that listened to the lobbyists for marketing groups, particularly the powerful Direct Marketing Association. Competing anti-spam bills vied against one another, as did their passionate proponents and opponents. Finally, prodded by their constituents, every member of Congress got one clear message: the voters wanted them to do something about spam and were going to be distinctly fed up with a Congress that didn’t produce a law quickly. Hence, the CAN-SPAM Act of 2003. The lobbyists did not lose entirely — the Act that emerged from Congress has been greeted with a great deal of skepticism.

The Act has an unwieldy name: Controlling The Assault Of Non-Solicited Pornography And Marketing Act of 2003. Even the Act itself contains the subtitle 'CAN-SPAM Act of 2003.' It was signed by President Bush on Dec. 16, 2003 and went into effect Jan. 1, 2004. It pre-empts state anti-spam laws except to the extent that they prohibit falsity or deception in any portion of a commercial electronic mail message or information attached to it. Unlike the California Act, which required that users 'opt-in,' the federal law is an 'opt-out' law. It does not ban spam outright, and it is questionable whether 'opting-out' is ever a methodology that will truly work. The Act does not apply to political or charitable spam. For other unsolicited bulk e-mail, the Act:

Prohibits senders from falsifying or disguising their true identity.

Prohibits the use of misleading subject lines.

Prohibits the harvesting of e-mail addresses by either: 1) automatic means from an Internet website or proprietary online service maintained by a third party; or 2) an automated system that generates possible electronic addresses by combining names, letters and numbers in numerous permutations.

Prohibits businesses from knowingly promoting themselves through false or misleading e-mails.

Requires the inclusion of a legitimate return e-mail and physical postal address for the sender.

Requires the inclusion of a functioning opt-out mechanism and clear and conspicuous notice of the opportunity to opt out, and requires senders to honor any such opt-out request.

Requires clear and conspicuous notice that the message is an advertisement or solicitation; and

Requires messages with sexually oriented material to be clearly identified.

Liability under the act is broad, including not only the spammers themselves, but those who hire them. If a company knowingly hires a spammer who does not comply with the Act, the company may be prosecuted in the same manner as the spammer. Criminal penalties for violation of the Act include stiff fines and up to five years in prison. Civil penalties can be as much as $250 per e-mail. Repeated misconduct or aggravated violations can result in treble damages.

In a move that has generated a lot of contemptuous criticism, the Act charges the Federal Trade Commission with administering a 'Do Not Spam' registry, presumably much like the 'Do Not Call' registry. The FTC has six months in which to submit a comprehensive plan for the 'Do Not Spam' list to Congress, but critics scoff that there is no way to enforce the list against all of the foreign generated spam. In any event, after Congressional review, the FTC will have three months to implement the plan. The FTC is also charged under the act with developing rules within 270 days to curtail spam messages on cell phones.

The FTC and state attorneys general are charged with the enforcement of the law. Most commentators are relieved that there is any federal law at all, but it remains to be seen how well it will be enforced. Even with the law’s considerable teeth, will states and the FTC commit real resources to anti-spam enforcement?

In the end, finding spammers is an expensive, time-consuming process that often leads to a dead end. Even when they are found, few spammers have significant assets. Earthlink, MSN and AOL have all filed numerous suits against spammers, but for the most part, in spite of 35 state laws on the books and a barrage of suits, spam continues to grow as a percentage of the mail in everyone’s inbox. How can this scourge be stifled effectively? There are some methods today, and the promise of much better methods in the future, especially if Congress finds the courage to employ them nationally and to back them with stiff penalties.

Today’s Best Hope: Filters
In an astonishingly short period of time, most of corporate America has adopted some sort of filter system to screen unwanted e-mail. Though wildly imperfect, filters have become the nation’s No. 1 weapon in the fight against spam. One way to measure the effectiveness of a spam filter is to weigh the percentage of junk e-mail blocked against the false positive rate (the percentage of legitimate mail inadvertently blocked). A 95 percent filtration rate is considered excellent, and some companies claim a higher rate. But be wary of claims, since corporate users generally report something more like a 70 percent filtration rate. Unfortunately, the higher the filtration rate, the higher the false positive rate. It’s generally considered unacceptable to have a false positive rate of 0.1 percent or higher, which translates into losing 1 of every 1,000 legitimate e-mails.

One filter used by some of America’s corporate giants comes from San Francisco-based Brightmail Inc., which says its filter processes about 10 percent of the world’s e-mail. Brightmail has an extremely low false positive rate, about one out of every 1 million spam messages. Though Brightmail claims a filtration rate of more than 90 percent, once again, consumers report the rate is significantly less. A great help, certainly, but not a complete solution. Brightmail is a server-based solution and not available for a small or solo office that doesn’t have its own e-mail server.

Though there are many kinds of filtering software, law firms with Exchange servers rely more and more on Symantec’s filtering product. The old version was called Symantec AntiVirus/Filtering for Microsoft Exchange and provided very basic methods for identifying spam addresses and unwanted content. The software was time-consuming to manage and had a long list of flaws. The new version is called Symantec Mail Security for Microsoft Exchange and promises to do a much better job of managing unsolicited e-mail. Some of the new features include separate scanning of inbound and outbound mail, comparison of attachment type to the file extension, support for external 'black list' databases (known spammers) and support for 'white lists' to allow all e-mail from a known good address regardless of content. Unlike the old version, it also can be configured to give or not to give users notification of blocked e-mail, though only if the action selected is to delete the message. If the messages are to be quarantined, it will still give the users notification. As many lawyers have complained, having the long list of notifications in their inbox is almost as irritating as the spam itself, especially if they are retrieving their e-mail via a PDA. It’s akin to spam about spam.

Consumer Reports Picks the Best Spam Filters:

1. Stata Labs SAProxy: According to Consumer Reports, this free program outperformed all other spam filters, but be forewarned that it requires some degree of computer skill and comes with complicated installation instructions.

2. Mailshell SpamCatcher Universal: $20

3. Blue Squirrel Spam Sleuth: $30

4. Symantec Norton Internet Security 2003 (Spam Alert): $70

Our own experience is greatest with Symantec’s products, which we have no problem recommending, especially with all the enhancements of the current version. At an enterprise level, this is an excellent approach to reducing spam. Not that it works all alone. We combine the Symantec product (Symantec Mail Filter, which comes bundled with Symantec Antivirus, Enterprise Edition) with the application of certain blacklists. For a list of all currently known blacklists, see http://www.declude.com/junkmail/support/ip4r.htm.

Although experts disagree on which blacklists are best, the Super Computer Center at the University of California uses these, which seems a pretty decent recommendation:





Anecdotally, some of our solo and small-law firm clients speak well of Sunbelt’s iHateSpam ($19.95).

Don’t expect the problem to go away. Our combination of Symantec, blacklists and our own fine-tuning of the filters has resulted in 92 percent of incoming mail being blocked as spam. Two percent is spam that gets through (more fine-tuning always in progress), and the remainder is our legitimate e-mail. We have created a daily spam folder for each individual — the only spam that goes there is the spam we catch with our own fine-tuning. We review it once in a while and find that we have to whitelist someone (perhaps our realty or financial counselor, whose words may trip our content filters). In terms of the spam we never see because it is caught by the blacklists, only once have we had legitimate mail blocked by a blacklist and that was because a client had their server configured as an open relay and was therefore blacklisted. Clients who are blacklisted have a much bigger problem, since they need to get off the blacklist to conduct business with anyone who uses blacklists — and that’s a steadily growing number! By the way, figure at least 72 hours of business impact to get yourself totally removed from the blacklists if you somehow find yourself on them, even if you jump on the problem assiduously from the beginning.
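The blacklists referred to above are, in the common form, DNS-based lists: the receiving server reverses the octets of the sending server’s IP address, appends the list’s zone name, and looks that name up; an answer in the 127.0.0.0/8 range means the address is listed. The following Python is an added example written for this article, not the authors’ configuration and not code from Symantec or any blacklist operator. The zone names, IP addresses and listings are constructed stand-ins served from an in-memory table so the example runs offline; the `dns_resolve` function shows where a real lookup through the system resolver would go.

```python
import ipaddress
import socket

# Constructed zone names and answers standing in for real DNS data; the zones,
# hosts and listings below are invented for this example.
ZONES = ["bl-one.example.test", "bl-two.example.test"]
FAKE_ZONE = {
    "2.0.0.10.bl-one.example.test": ["127.0.0.2"],     # 10.0.0.2: constructed open-relay listing
    "2.0.0.10.bl-two.example.test": ["127.0.0.2"],
    "9.1.168.192.bl-one.example.test": ["127.0.0.3"],  # 192.168.1.9: listed on one zone only
}


def fake_resolve(name):
    """Offline stand-in for a DNS A-record lookup (constructed data)."""
    return FAKE_ZONE.get(name, [])


def dns_resolve(name):
    """Real lookup via the system resolver; a non-existent name (not listed) yields []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def dnsbl_name(ip, zone):
    """Build the query name: the IP's octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone, resolve=fake_resolve):
    """A list answers with an address in 127.0.0.0/8 when the IP is listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolve(dnsbl_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def check_sender(ip, zones, resolve=fake_resolve):
    """Return the zones on which the sending server's IP appears."""
    return [zone for zone in zones if is_listed(ip, zone, resolve)]


def should_reject(ip, zones, resolve=fake_resolve, min_hits=1):
    """Policy knob: requiring hits on more than one list trades catch rate
    for fewer false positives, the balance the article describes."""
    return len(check_sender(ip, zones, resolve)) >= min_hits


if __name__ == "__main__":
    for sender in ("10.0.0.2", "192.168.1.9", "192.0.2.1"):
        print(sender, check_sender(sender, ZONES), "reject:", should_reject(sender, ZONES))
```

The `min_hits` setting is the lever behind the article’s warning about legitimate mail caught by a blacklist: a server that lands on a single list (the open-relay case above) is rejected outright at `min_hits=1` but would still be accepted if two independent listings were required.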

An ongoing problem for law firms has been legal newsletters, which are often blocked as spam (because of length or content) even though lawyers have subscribed to them. As whitelists become more prevalent in filters, this problem may erode, though it will require the lawyer to take the additional step of placing the sender on the whitelist. The new Symantec product allows for this. Additionally, publishers of electronic newsletters (we publish 'Bytes in Brief,' a free law and technology newsletter available at www.senseient.com) have learned to let opt-in subscribers receive 'notification only' of each issue’s publication so the content won’t trip filters, as ours often would because of cases involving sexual terms, Internet pornography laws, etc.

Though woefully inadequate, filters are seen by many technologists as a formidable weapon that can be made more potent with modifications. Have you ever heard of Bayesian filters? They are named after the 18th century English mathematician Thomas Bayes, whose theories of probability have been successfully incorporated in filters that learn from the users themselves. If you typically open penile enlargement e-mails (to pick a common subject), the filter will regard those as normal e-mails. If you routinely delete them, it will learn to block them. Because individuals train Bayesian filters, they increase their effectiveness over time and foil spammers because the probability of messages getting through is skewed and uncertain.

Microsoft Research has taken this concept one step further, by creating a 'naïve Bayesian filter,' which learns probabilities for words, phrases and other characteristics that distinguish spam. For example, many filters have no trouble blocking 'Viagra' but cannot block V*I*A*G*R*A. Undoubtedly, you have seen many variations on this theme, and the more modern filters are learning to recognize this trick.
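To make the preceding two paragraphs concrete, here is a small naïve Bayesian filter in Python. It is an added example written for this article; it is not code from Microsoft Research, Stata Labs or any product named here, and the ten training messages are constructed, not real mail. The filter learns per-word probabilities from messages the user has marked as spam or legitimate, collapses letter-by-letter obfuscation such as 'V*I*A*G*R*A' before scoring, and reports the two numbers the article says a filter should be judged by: filtration rate and false positive rate. The regular expression, the threshold of 0.9 and the Laplace smoothing constant are choices made for the example.

```python
import math
import re
from collections import Counter

# Constructed training messages, not real mail: (text, is_spam)
TRAINING = [
    ("Buy cheap viagra now, limited offer", True),
    ("V*I*A*G*R*A at discount prices, order today", True),
    ("Get rich quick with this amazing offer", True),
    ("Cheap pills, no prescription, order now", True),
    ("Confirming your order of discount pills", True),
    ("Draft of the settlement agreement attached for review", False),
    ("Meeting with the client tomorrow at 10 am", False),
    ("Please review the brief before the filing deadline", False),
    ("Confirming our deposition schedule for next week", False),
    ("Invoice for last month's legal services attached", False),
]

# Runs of single characters split by *, ., - or _ (e.g. "V*I*A*G*R*A")
SEPARATED = re.compile(r"\b(?:[a-z0-9][*.\-_]){2,}[a-z0-9]\b", re.IGNORECASE)


def normalize(text):
    """Collapse letter-by-letter obfuscation so 'V*I*A*G*R*A' becomes 'viagra'."""
    text = SEPARATED.sub(lambda m: re.sub(r"[*.\-_]", "", m.group(0)), text)
    return text.lower()


def tokenize(text):
    return re.findall(r"[a-z0-9]+", normalize(text))


class NaiveBayesFilter:
    """Naive Bayes over the set of distinct tokens present in a message."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha          # Laplace smoothing so unseen-in-class words are not fatal
        self.spam_docs = Counter()  # token -> number of spam messages containing it
        self.ham_docs = Counter()   # token -> number of legitimate messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        """One user decision ("this is spam" / "this is not") updates the counts."""
        tokens = set(tokenize(text))
        if is_spam:
            self.spam_docs.update(tokens)
            self.n_spam += 1
        else:
            self.ham_docs.update(tokens)
            self.n_ham += 1

    def spam_probability(self, text):
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for tok in set(tokenize(text)):
            if tok not in self.spam_docs and tok not in self.ham_docs:
                continue  # never-seen token: no evidence either way
            log_spam += math.log((self.spam_docs[tok] + self.alpha) / (self.n_spam + 2 * self.alpha))
            log_ham += math.log((self.ham_docs[tok] + self.alpha) / (self.n_ham + 2 * self.alpha))
        # Normalise in log space to avoid underflow on long messages
        m = max(log_spam, log_ham)
        p_spam = math.exp(log_spam - m)
        p_ham = math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


def evaluate(filt, messages):
    """Return (filtration rate, false positive rate) as fractions of spam
    caught and of legitimate mail wrongly blocked."""
    spam_total = spam_caught = ham_total = ham_blocked = 0
    for text, is_spam in messages:
        verdict = filt.is_spam(text)
        if is_spam:
            spam_total += 1
            spam_caught += int(verdict)
        else:
            ham_total += 1
            ham_blocked += int(verdict)
    return spam_caught / spam_total, ham_blocked / ham_total


def train_filter(messages=TRAINING):
    filt = NaiveBayesFilter()
    for text, is_spam in messages:
        filt.train(text, is_spam)
    return filt


if __name__ == "__main__":
    filt = train_filter()
    for subject in ("Cheap V.I.A.G.R.A offer", "Please review the attached brief"):
        print(f"{filt.spam_probability(subject):.3f}  {subject}")
    print("filtration rate, false positive rate:", evaluate(filt, TRAINING))
```

Scoring the training set itself gives a perfect result, which is the usual trap with a tiny corpus; a real deployment measures the two rates on mail the filter has not seen, and raising `threshold` lowers the false positive rate at the cost of filtration rate, the trade-off the article describes.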

Unfortunately, spammers are wily creatures and their seeming ability to get around each new defense is maddening. More and more, they are getting all of us to open their e-mail because it says something innocuous, such as 'Confirming your order,' 'Requesting Information' or the like. Lawyers are finding it’s dangerous to delete too quickly, lest they delete a client or potential client’s e-mail.

Battlefields of the Future
Can we change the economics of spam as a countermeasure? Right now, experts estimate it costs spammers between $200 and $500 to send a million e-mails, with roughly 100 'paying' responses expected from each transmission. One suggestion from technologists is to create an 'e-stamp,' perhaps in a nominal amount such as one-tenth of a cent per e-mail. The amount would be negligible for most users, but would impose a $1,000 tax on anyone sending a million e-mails. Mail without the stamps would be blocked automatically.

Another technical suggestion is to impose a time cost, by forcing a transmitting computer to perform a quick mathematical problem before the transmission goes through — not enough to disturb a normal user, but enough to confound the computers of spammers. Microsoft Research is currently working on this approach.
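The 'time cost' idea can be shown in a few lines. The Python below is an added example in the style of the published hashcash scheme; it is not code from Microsoft Research and does not claim to be their approach. The sender must find a counter that makes a SHA-256 hash of recipient, date and counter begin with a chosen number of zero bits, which takes about 2 to the power of that number of attempts; the receiver checks the result with a single hash. The field layout, the difficulty values and the replay set are choices made for the example.

```python
import hashlib
import itertools


def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(recipient, date, difficulty):
    """Sender's side: try counters until the hash has `difficulty` leading zero bits.
    Expected cost is about 2**difficulty hash evaluations; one message is cheap,
    a million are not."""
    for counter in itertools.count():
        stamp = f"{recipient}:{date}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp, counter


def verify_stamp(stamp, recipient, date, difficulty, seen):
    """Receiver's side: one hash plus field checks. Binding the stamp to the
    recipient and date stops reuse against other mailboxes, and `seen` (the set of
    stamps already accepted) stops the same stamp being replayed on many messages."""
    try:
        stamp_recipient, stamp_date, _counter = stamp.rsplit(":", 2)
    except ValueError:
        return False
    if stamp_recipient != recipient or stamp_date != date or stamp in seen:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < difficulty:
        return False
    seen.add(stamp)
    return True


def bulk_cost_seconds(difficulty, messages, hashes_per_second):
    """Rough time to stamp `messages` e-mails at the given hash rate."""
    return messages * (2 ** difficulty) / hashes_per_second


if __name__ == "__main__":
    recipient, date = "lawyer@example.com", "20040401"  # constructed values
    stamp, counter = mint_stamp(recipient, date, 16)
    print("minted after", counter, "attempts:", stamp)
    print("accepted:", verify_stamp(stamp, recipient, date, 16, set()))
    print("a million messages at 20 bits and 1M hashes/s take about",
          bulk_cost_seconds(20, 1_000_000, 1_000_000) / 86400, "days")
```

The asymmetry is the whole point: verification is one hash regardless of difficulty, while minting cost grows exponentially with the bit count, so the parameter can be set where a normal correspondent never notices it and a million-message run becomes impractical.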

Microsoft now blocks more than 2.4 billion spam messages daily and has assembled a crack team of experts to come up with innovative and more effective ways to fight spam. Bill Gates himself has lamented the number of 'Get Rich Quick' e-mails he receives every day, though such messages certainly seem to exemplify 'carrying coals to Newcastle.' The sad truth is no one is immune and half of us will continue to receive messages promising to add three inches in length to a body part we don’t possess. Perhaps the ladies among us should buy the product and seek to exercise the warranty? In the meantime, hang on to that trusty old delete key, and press, press, press so you too can be a part of the annual $10 billion loss of productivity caused by spam.

The authors are the president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Va. They are widely published authors and lecturers on legal technology subjects. They can be reached by e-mail at sensei@senseient.com. © 2004 Sensei Enterprises, Inc.

© 2004 Sharon D. Nelson & John W. Simek
