Spam's Big Bang!

By Chris Taylor

Cable-TV descramblers! FDA-approved diet pills! Viagra without a prescription! Instant access to XXX movies! Dramatically enhanced orgasms! If you have ever received e-mails advertising products and services like these--some quite within the law, some clearly outside it--chances are they came from a guy like Howard Carmack, professional spammer.

Using three computers and working out of his mother's home in Buffalo, N.Y., Carmack sent an impressive 857,500,000 unsolicited e-mails in one year, something that is perfectly legal in New York State. But Carmack crossed the line, according to EarthLink, his Internet service provider, when he set up 343 accounts using stolen credit-card numbers to send these e-mails.

EarthLink took notice and began a year-long cat-and-mouse game to discover Carmack's true identity. "My name's not on anything," he boasted at one point, according to investigators, when they reached him on his uncle's cell phone. "You'll never catch me." Fingered by his upstairs neighbor and a former employer, Carmack went to ground. A private detective was hired to stake out his mother's house. Carmack was finally caught running from his car to the front door and was served with a complaint. Now out on bail, he has been found liable in a $16.4 million civil lawsuit by EarthLink. Charges of criminal fraud filed by state attorney general Eliot Spitzer are still pending. "There are many more like Carmack," Spitzer warns. "This sends a message that we are pursuing them." Spitzer, a man who knows how to put himself in the spotlight, was the avenging angel of Wall Street last year. Now he is on a cybercrusade against spam.

And no wonder. In the space of a year, according to research firm IDC, the number of uninvited entries into U.S. In boxes has shot up 85%, to a total of 4.9 trillion. Driven by cheap technology and the promise of easy profit, spammers have gone from pests to an invasive species of parasite that threatens to clog the inner workings of the Internet. For the first time last month, according to MessageLabs, more than half the emails received by U.S. businesses were unsolicited. The time we spend deleting or defeating spam costs an estimated $8.9 billion a year in lost productivity. Sensing an enemy as unpopular as al-Qaeda, lawmakers are pondering a plethora of solutions--some of which, spam watchers say, could end up doing more harm than good.

Why do spammers flood the Internet with ads nobody wants to read? Because some people do read them, and a tiny fraction actually respond--which in the world of direct marketing is like money in the e-bank. Take former spammer Scott Hirsch of Boca Raton, Fla., who sold his e-mail marketing business last year for $135 million and retired at the age of 37. Florida is home to more spammers than any other state, and Hirsch--who started his first bulk e-mail list way back in 1996--likes to take credit for helping make Boca Raton "the spam capital of the world." Hirsch filled his mailing lists with the e-mail addresses of people who had "opted in" by checking (or forgetting to deselect) one of those ubiquitous boxes on website order forms. "When people want to receive [e-mail]," he explains, "you get a much higher return."

But for an increasing number of Hirsch's imitators, spamming is a numbers game that rewards excess. "The more times they deliver the message, the more money they make," says Charles Curran, general counsel for America Online, which last week filed lawsuits against more than 100 spammers. "They all want to get as close to infinity as possible." This is getting easier all the time, as high-speed Internet access gets cheaper and computer processor power continues to double every 16 months. Meanwhile, the software tools for spamming continue to improve. Web crawlers harvest e-mail addresses en masse from chat rooms and newsgroups. Dictionary-attack programs string together words or names in multiple languages, random numbers, an "@" and the names of common mail servers. Presto: millions of likely e-mail addresses.

Spoofing--the practice of faking the return address of a spam, so you won't be able to trace who sent it, or the subject line, so you will open it--just complicates things further. Today, according to the Federal Trade Commission (FTC), 66% of spam are spoofs of one sort or another. Brian Westby, a porn-website owner based in St. Louis, Mo., was a classic spoofer: the subjects for his Xrated spam included "Good evening," "What's going on?" and "Please resend the email." Westby's spam deluged a bank in Santa Barbara, Calif., and an Internet service provider in Coatesville, Pa., some of whose clients angrily canceled their service. The FTC finally got a federal judge in Chicago to shut down Westby's operation. A trial is pending.

Spoofed or otherwise, the spam that makes it to your In box is just the tip of the iceberg. At the four major e-mail providers--MSN (including Hotmail), Yahoo, EarthLink and AOL (which, like this magazine, is owned by AOL Time Warner)--between 40% and 70% of all incoming mail is killed upon arrival at their mail servers. But this has spawned a kind of spam arms race: the more mail is blocked, the more spammers send, in hopes that some will get through. As a result, the performance of the mail servers is starting to suffer. Two months ago, 8% of MSN mail was spam. Today it's 50%. "The rate of spam," warns MSN business manager Kevin Doerr, "is threatening the viability of e-mail as a communications medium."

Automated antispam software can only do so much, so the four e-mail giants have started to employ a new weapon: humans. People, it seems, learn the rules of this new battlefield faster than machines do. At AOL's new control facility in Gainesville, Va., home to its antispam special-forces unit, workers like Anna Ford scan screens that show blocks of mail entering the system. She's looking, Matrix-like, for suspicious patterns. "Here's someone sending 50 e-mails to 3,000 recipients," says Ford. "That stinks." With one click, the sender is identified as a China-based spammer; with another, he is banished from the system. Is there room for human error? Possibly--but letting such high-volume users through, says AOL antispam manager Charles Stiles, "would be like a bank welcoming customers in ski masks."

Meanwhile, in Washington another group of humans is dealing with the spam threat at a rather more sedentary pace. Congress has debated e-mail-protection bills for five years without enacting anything. Antispam measures before it this session have a better chance of passing, but none is generating much enthusiasm among either consumer groups or e-mail providers. This is what Senator John McCain told TIME about the legislation expected to pass his Commerce Committee: "I'll support it, report it, vote for it, take credit for it, but will it make much difference? I don't think so."

That bill, called Can-Spam, is sponsored by Senators Conrad Burns and Ron Wyden, and more notably, it is endorsed by the Direct Marketing Association. Can-Spam would make spamming a federal offense punishable by jail time and fines of up to $1.5 million. But it would also require that complainants have actively attempted to avoid spam by placing themselves on an opt-out list. Critics say opting out could become as disruptive as deleting spam is now. If all 23 million businesses in America decided to send you just one message a year, that would give you 600 emails a day to opt out from. Worse still, unsolicited email would effectively be protected by law, provided it had the fig leaf of an opt-out clause. "This is a federal license to spam," complains Andrew Barrett, director of the consumer group SpamCon.

Like many other antispam advocates, Barrett prefers the model of the Telephone Consumer Protection Act of 1991, which effectively put an end to junk faxes by allowing consumers to sue senders at a rate of up to $500 for every unsolicited fax. California is expected to pass a bill that would do the same thing for unwanted e-mails sent to or from any computer in the state. It would also require spammers to use only opt-in lists for their targets. The problem? It's just one state, and 28 other states have entirely different antispam laws on the books. (The toughest belong to Virginia, which requires criminal penalties for major-league spammers.)

Some spam victims aren't waiting for the state laws to kick in. They have become spam vigilantes. Marketer Dan Balsam in Santa Monica, Calif., has waged a one-man legal campaign against spammers who refuse to remove him from their mailing lists. No judgment has netted him more than $1,000, but Balsam isn't in it for the money. "I'm trying to raise the cost of spammers doing business," he says. Los Angeles software engineer Bill Silverstein has taken an even more creative approach. When he wanted to sue a company that refused to stop sending him spam for a penis-enlargement kit but couldn't pin down its real-world address, he simply ordered the $90 kit. The address showed up on his next credit-card statement. "You can hide on the Internet," he says, "but you can't hide from American Express." The offending company eventually settled for $7,500.

Those who send spam for a living contend that some vigilantes, in their antispam fervor, take it too far. "I have had death threats against my family," complains Robert (Bubba) Catts, a former used-car salesman and professional bull rider from Shreveport, La. Catts, who runs a 10 million--message-a-day direct-marketing business and clears up to $700,000 a year, was exposed when his address and phone number were listed, along with those of 179 other "top spammers," on the British-based website Spamhaus.org

The big e-mail providers are trying to tap into a little of that anger by enlisting the help of aggrieved users. REPORT SPAM buttons now adorn all e-mails in AOL, EarthLink and MSN software, and AOL alone receives 9 million reports a day. That may not be enough to stop the Carmacks of the world, but anything that saves us from a few more cable-descrambler ads can't be all bad. --With reporting by Kathie Klarreich/Miami, Sean Scully/Los Angeles, Eric Roston/Washington, Simon Crittle/New York and Noah Isackson/Chicago

With reporting by Kathie Klarreich/Miami, Sean Scully/Los Angeles, Eric Roston/Washington, Simon Crittle/New York and Noah Isackson/Chicago