The Tyranny of E-mail (15 page)

Spam is such a universal problem today that its dimensions are hard to properly comprehend. By some estimates, 85 to 95 percent of all e-mail sent is spam, and dealing with it cost $140 billion in 2008. It has been with us since the beginning of the Internet, too. Gary Thuerk sent the first piece of it in May 1978 over the ARPANET to 400 of the 2,600 people who had e-mail addresses at that time to invite them to an open
house for new models of Digital Equipment Systems computers in Los Angeles. Like G. S. Smith’s band of circular mailers, Thuerk had to type every e-mail address in by hand. Many of the people who heard from him weren’t happy about being pitched. Someone from the RAND Corporation wrote to him to say he had broken an unwritten rule of the ARPANET that it wasn’t to be used for selling things. A major phoned Thuerk’s boss and asked that he never send such an e-mail again. Even so, it was a cost saver and a success. It also led to an estimated $12 million in sales.

The origin of the word “spam,” as identifying unwanted mass messaging, is in dispute. One of them links back to the Monty Python skit from the 1970s in which a man and a woman (played by Eric Idle and Terry Jones, in drag) are trying to order from a breakfast menu at a cafeteria in which every item has Spam in it. Spam—the canned pink pork product— was one of the only meats not subject to rationing in post–World War II Britain, so it was ubiquitous, some would say unfortunately so. Whenever the word “Spam” is uttered in the skit—and it is said 132 times in three minutes—a chorus of Vikings chimes in.

As in postwar Britain, people didn’t want any spam, but they would get it nonetheless. Aside from Gary Thuerk’s message, other examples of early mass messaging included one sent on an early time-sharing network mail program at MIT to the more than one thousand users linked to it protesting the Vietnam War. The message began: THERE IS NO WAY TO PEACE. PEACE IS THE WAY. In the early days of the Internet, “spamming” referred to the habit of flooding chat rooms and bulletin boards with unwanted text. Around this time the immigration lawyers Laurence A. Canter and Martha S. Siegel paid a Phoenix programmer to flood Usenet’s various message
boards with an advertisement for their service of enrolling people in the green card lottery. As with Thuerk’s e-mail, the outcry was immediate. But it didn’t matter; the scheme worked. In just two months the ad brought the couple $100,000 of new business.

As more and more people began using e-mail, spammers gravitated to it as the best way to target potential customers. By 2005, there were 30 billion spam messages
per day
; in 2007 that number had jumped to 100 billion. The number of these e-mails that are trying to sell products has also led to spam being called junk mail, a phrase that refers to the load of “junk” advertising circulars marketed to people through the post. One of the most common ways of sending messages— and eluding authorities—is for spammers to take over a series of computers, which are turned into “zombies” that work together in networks known as “botnets,” and use them to send spam.

A botnet turns a series of hijacked computers, most of which are in homes, into a spam factory. Most computers become part of a botnet because they have inadequate firewall protection. A Trojan horse, or piece of malicious code, can be sent down an open line and activated later, causing the botnet to transmit messages either to a single site, shutting it down as a form of attack, or to many addresses, in the form of spam. Eighty percent of the spam sent in 2006 was sent from zombie PCs. In 2008, there were more than 10 million zombie PCs in use at any one time. In many cases, the owners of the PC never know that they have been taken over. It happens in seconds. In 2005, as a test, the BBC set up an unprotected PC, and within eight seconds it was infected by a spammer’s worm.

Staying ahead of these armies requires a lot of work and
money. In November 2008, a San Jose, California, Web-hosting company called McColo was pulled offline when security experts approached the companies that managed McColo’s connection to the larger Internet, showing that McColo’s Web sites were being used for spamming and other online schemes. Indeed, it was estimated that 75 percent of spam shot out into the world had come from machines hosted by McColo. But the fix was short-lived. The machines, which had been infected by a Trojan horse virus called Srizbi, formed what may have been the largest botnet in the world. At some 450,000 machines, it was capable of sending 60 billion e-mails a day hawking everything from watches to penile enhancement pills. Deprived of the McColo-hosted Web sites, however, these machines lacked a connection to centralized instructions. Once the sites went down, they simply started looking for new domain names where they could find new instructions.

One security firm, FireEye, found that if it registered domain names that the Srizbi-infected computers would look for, it could actually stay ahead of the spam problem. Each week, it registered 450 new domain names at a total cost of $4,000, the idea being that it could possibly send instructions so complicated that they would halt the compromised computers in their tracks as they tried to work them out or actually send instructions to the computer to uninstall the virus program. The latter idea, however, could have been illegal or actually harmful to the infected computers. So eventually, after unsuccessful attempts to enlist other corporations, such as Microsoft, or the U.S. government to enlist the remaining domain names sought by the Srizbi-infected computers, FireEye stopped the practice. A few days later the massive botnet was resurrected and the spam volume shot up again.

Not all scams and spam problems have passive victims. In other cases, “phishing” schemes encourage people to hand over passwords or private information by posing as e-mail from a legitimate, trustworthy source, such as a bank, a health care organization, or even the IRS. Some of the earliest cases of phishing occurred over America Online, the world’s largest ISP network in the 1990s. Hackers would break into the AOL staff area and send instant messages to users currently online, posing as staff members needing to confirm password information. Even though AOL had a message on its screen—“AOL will never ask you for your password”—the scheme worked, allowing phishers to then use those accounts for spam or other malicious purposes. Breaking into an AOL internal account gave a phisher access to AOL’s membership search engine, which gave access to credit cards. We’ve come a long way from the British-American Claim Agency’s twelve typists sending out phony pitches for inheritance claims.

Since then phishing schemes have become incredibly more sophisticated and hard to stop. In recent years they have become clever enough that criminals can figure out which bank a victim might use, which is called “spear phishing.” A message will be sent with a phrase such as, “We are changing systems and we need you to confirm your password data.” If you click on a hyperlink in the e-mail, it takes you to a site that is bogus but cosmetically similar to that of the institution, which collects your data. We care about our money and our health, and we care about love—and just one curious click can be lethal to your computer.

Even worse, spammers have become very skilled at targeting people where they’re most vulnerable. People love and need to be loved. Not surprisingly, the most successful phishing schemes mimic social networking sites, logging, in some cases, a 70 percent effectiveness rate. In May 2008, many of the most common malware spam e-mails—messages that provide a link to a Web site that triggers the download of software that will compromise a PC—came with the following headers: “Love You”; “With You By My Side”; “A Kiss So Gentle”; “Me & You.” And then there’s the bizarre: according to AOL, which blocked 1.5 billion spam messages a day in 2006, the most common junk e-mail subject line was “Donald Trump wants you, please respond.”

Let’s stop for a moment to ponder this curious condition.
A mechanized network of zombie PCs gangs up to flood communication channels with messages appealing to people’s need for the most human of all emotions, love, in order to turn their workstations, the extensions of their minds, into factories for pumping out unwanted advertising messages. This sounds like science fiction, but it’s far too real, and it’s a battle between machines and people that we are losing. Like a virus, botnets use up a host and move on. The costs to the system are astronomical—and never ending.

Tougher laws do not seem to affect the volume of spam which is sent. In 2003, the United States passed the CAN-SPAM Act, which made it illegal to send commercial e-mail with a misleading subject line. The law also requires that the e-mail include an opt-out method, that it be identified as a commercial e-mail, and that it can be returned to an actual address. The first trial centered around charges based on the CAN-SPAM Act of 2003 didn’t occur until 2007, when two men who had run a $2 million pornographic spam service were brought to trial for charges ranging from wire fraud to interstate traffic of hard-core pornographic images. The men used a server in Amsterdam to make it appear that the messages were coming from outside the country and registered their domain under the name of a fictitious employee at a shell corporation they had set up in the Republic of Mauritius. Each time someone clicked through a link in their e-mail spam to a pornographic Web site, the men received a commission. They also received a lot of complaints—over 650,000 were logged with AOL alone. In October 2007 they both received five-year prison sentences.

Their fine was a pittance compared to the $873 million judgment a New York District Court judge handed down against Adam Guerbuez, a Canadian man who used a phishing scheme to steal Facebook members’ passwords. He then sent 4 million
spam messages to Facebook members in the form of e-mails and postings on their walls, signed with the names of their friends, so they appeared to be legitimate. Among the products friends appeared to be endorsing were marijuana and the ubiquitous penile enhancement pills.

Solutions to the spam problem tend to have a short-lived life cycle, since spamming remains incredibly lucrative. A UC San Diego survey discovered that, with large enough networks of botnets behind them, spammers can become millionaires on a response rate of just 1 in 12.5 million e-mails. That hasn’t stopped people from trying to prevent them from cashing in. In 2004, Bill Gates announced to the World Economic Forum, “Two years from now, spam will be solved.” Gates turned out to be wrong, but you can hardly blame him for trying. In late 2004, it was reported that the most spammed person in the world was… Bill Gates, who received more than 4 million messages per year, most of them spam. “Literally, there’s a whole department almost that takes care of it,” said Microsoft CEO Steve Ballmer. They’ll continue to be busy. Despite dips in spam, it’s only going to increase. Studies have shown that online marketing is going to double from its current state by 2012. And the number of viruses in e-mail has been growing faster than the volume of e-mail itself.

With all these threats to privacy, the message is clear: “You have zero privacy,” Scott McNealy, the CEO of Sun Microsystems, once said about life on the Internet. “Get over it.” Web sites you visit send tracking “cookies” to your browser, tiny parcels of text that go back and forth between a server and a client like your
browser, allowing the Web site to store information about your preferences and the Web sites you have visited. Retailers mine your computer any time you purchase something online—and then turn around and sell it to the highest bidder. And it doesn’t stop there. E-mail, which, it’s important to remember, is stored on servers most of us don’t own, is constantly monitored. Especially at work.

In 2001, 14 million U.S. workers—35 percent of the online workforce—had their Internet or e-mail under constant surveillance. Worldwide, 27 million workers were in the same boat. Employers spend $140 million a year on employee-monitoring software. Thanks to the Sarbanes-Oxley Act of 2002 and other regulations, publicly traded companies are required to archive their e-mail. Europe still has strong privacy protections for its employees, but many U.S. employers in the private sector, as long as they have an established policy and have put it into writing, can keep a close eye on what their employees send and receive, and where they point their browsers. “Some companies say they do it to control the information that employees send through the corporate network,” wrote Matt Villano in
The New York Times
. “Other companies do it to make sure employees stay on task, or as a measure of network security. Other companies monitor e-mail to see how employees are communicating with customers.” Mary Crane, the president of a consulting firm in Denver, gave this advice: “The last thing you want to do is make your employer think you’re slacking off…. Nothing you’re doing on e-mail is worth jeopardizing your career.” The names of the companies that specialize in employee monitoring will make you never want to goof at work again: ICaughtYou.com, eSniff, Cyclope Series.

It’s not just your employer peeping in, however. Lovers and spouses do it, too. A survey done in Oxford revealed that one in
five people had spied on their partner’s e-mails or texts. Cheaters are constantly caught. “Spurned lovers steal each other’s BlackBerrys,” wrote Brad Stone. “Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.” In one case, Stone described a woman who was convinced her husband was straying—he was far too obsessed with his BlackBerry. On his birthday she drew him a bubble bath and rifled through his handheld while he was soaking, discovering that he did have a bit on the side and planned to meet her
that night
. All this evidence gleaned from glowing devices winds up in divorce proceedings, where the electronic paper trail becomes the knife you stick in your former partner’s back. “I do not like to put things on e-mail,” said one divorce lawyer. “There’s no way it’s private. Nothing is fully protected once you hit the send button.”