Research Brief
Regulators Combat E-Mail Spam
Abstract: The U.S. government is trying to regulate unsolicited commercial e-mail. Spammers
are more likely to be caught and prosecuted under an anticipated new federal law.
By Lydia Leong and Ron Cowles
Recommendations
■ Internet service providers (ISPs) and other service providers that provide e-mail must
continue to participate in shaping spam regulation at the federal and state levels.
■ Service providers must establish cooperative relationships around the globe that
enable spam to be effectively fought.
■ Service providers must continue to pursue technical solutions to the problem of
spam, as regulation alone will not solve the problem.
Publication Date: 1 August 2003
What Is Spam?
A consumer's e-mail inbox is increasingly cluttered each day, and the
deluge of unwanted and irrelevant messages, colloquially known as
"spam," makes it increasingly difficult for users to utilize e-mail effectively.
Gartner Dataquest has defined four types of spam (see "Keeping Spam Out
of Your E-Mail," TU-15-0487). They are as follows:
■ "Pure trash" spam (fraudulent schemes, pornography advertisements and so on)
■ Honest folks trying to make a living ("junk mail")
■ Chain letters, urban legends and hoaxes
■ Personal spam (occupational spam from colleagues, jokes forwarded by friends and so on)
The first two types of spam are known as unsolicited commercial e-mail
(UCE) and are the subject of significant technical, industry and legal
efforts aimed at limiting or controlling its distribution.
Democratic Sen. Charles Schumer of New York has introduced a bill that
would create a national "opt out" e-mail registry and ban the "harvesting"
of e-mail addresses. It also would require senders of UCE to mark the
message as an advertisement by putting the keyword "ADV" in the subject
line of the message, give their full identity and provide an "unsubscribe"
mechanism. His proposal is similar to those that have previously been
debated in Congress, as well as laws in 27 states.
Gartner Dataquest believes that federal legislation is likely to only have a
limited effect on spam; it is not likely to be much more effective than the
legislation that states have already passed. Though the legislation
increases the recourse that ISPs have against spammers, it also increases
the burden on legitimate businesses engaged in direct marketing. To
understand why legislation, industry self-regulation and technical
solutions have not been entirely effective to date, we must examine the
way spammers operate and how spam is being fought.
Direct Marketers vs. Spammers
Consumer irritation with UCE has been increasing over the past 10 years,
commensurate with the increase in the volume of spam. Nonetheless, it's
important to distinguish between the two types of UCE. We will refer to
the legitimate businesses sending commercial solicitations as "direct
marketers" and the senders of pure-trash solicitations as "spammers."
Direct Marketers
Most legitimate businesses doing direct marketing have adopted the
following practices:
■ Do not send e-mail to consumers with whom they do not already have a relationship
■ When obtaining a customer's information, obtain explicit permission to market to him via e-mail (see "Five 'Privacy Protecting' Ways to Encourage Opt-In," TG-16-6693, for some recommendations on how to accomplish this)
■ Explicitly state, in a privacy policy, what can be done with a consumer's personal information, including under what circumstances a consumer's e-mail address can be shared or sold
■ Clearly identify who is sending the e-mail and what it is about
■ Provide, in the e-mail message, a way to unsubscribe from future commercial announcements
■ Provide value to the customer (see "Gartner's E-Mail Marketing Best Practices," DF-16-8433, for recommendations on how to accomplish this)
■ Send e-mail through the enterprise's own Internet connection or via a reputable direct marketer providing this service on an outsourcing basis
In general, legitimate businesses are trying to forge long-term positive
relationships with their customers. It is not to their advantage to generate
consumer antipathy, either among prospects or their customers. They are
trying to find a reasonable balance between their commercial interest in
low-cost electronic marketing and the goodwill of consumers. They are
selling real goods and services, and they have a brand at stake; they do not
wish to appear fraudulent or otherwise mislead consumers.
However, such legitimate businesses have also been reluctant to close off
the possibility of e-mail solicitation of customers with whom they have
had no prior contact. The present consumer climate, which is intensely
anti-spam, means that legitimate businesses must be cautious when
initiating such contacts, and indeed, consumers still consider these
solicitations to be spam, just as unwelcome as true trash e-mail.
Nonetheless, these marketers do not want to see legislation that forbids all
UCE.
Spammers
Spammers, on the other hand, usually have nothing to lose by annoying
thousands of consumers. They have no relationship with these consumers,
and they expect a low rate of response. They have no brand that
consumers are likely to recognize. The benefits of the nearly-free mass
marketing outweigh any negatives to the business. Thus, they usually
adopt the following practices:
■ Mass e-mail to an untargeted list of e-mail addresses
■ Deliberately obscure the identity of the person who is sending the e-mail. A Federal Trade Commission (FTC) study found that this occurred in 46 percent of the spam surveyed.
■ "Fake out" scheme designed to entice the user to read the message, initially obscuring the message's commercial intent. For example, the
message might appear as a misaddressed e-mail — one friend telling another friend about a great deal he got on something. Or, the message might have a subject line that might worry the consumer and thus get him to open the message, such as, "Your credit card was rejected."
■ Give a fake unsubscribe mechanism — Either the method for unsubscribing is nonexistent, or the spammer simply uses the attempt to verify that the user indeed reads his spam, thus ensuring that his address will be kept on the spammer's list.
■ Advertise pornography or a fraudulent offer — The FTC found that between 42 percent and 96 percent of spam contained likely false claims, depending on what was being advertised.
Because spammers often use deceptive subject lines to disguise
advertisements for hard-core pornography — advertisements that
frequently include highly explicit photographs — adults inadvertently end
up seeing things they did not wish to see; also, it is difficult to protect
children from such content.
While some spammers utilize high-speed Internet connections purchased
through ISPs, many spammers also send out e-mail through a variety of
dubious means, which include the following:
■ Abuse of improperly configured Simple Mail Transfer Protocol (SMTP) servers, known as "open mail relays" — Such servers do not require any authentication, accept e-mail from any origin IP address and will deliver it to any e-mail address, regardless of whether either the origin or the destination is within the enterprise's or service provider's network. This problem is common to many consumers running mail servers at home, off a cable modem or DSL connection. ISPs estimate that approximately 400 new open relays are discovered every day.
■ Abuse of improperly configured proxy servers — These "open proxies" typically sit behind a residential broadband connection, where a user has installed them to enable computers on his home network to communicate with the Internet. Spammers can often use open proxies to browse the Internet (and harvest addresses) as well as to actually send e-mail via a mail server owned by the user's ISP. ISPs estimate that approximately 2,000 new open proxies are discovered each day.
■ Abuse of free e-mail accounts through services such as Yahoo and Microsoft's Hotmail — These free e-mail accounts have terms of service that specifically forbid using them to send out UCE. Consequently, as soon as the e-mail provider discovers that the account is being used for spamming, the account will be deleted immediately.
■ Abuse of an ISP subscription — The spammer will sign up for a dial-up connection online, using a credit card; in some cases, this is a stolen credit card. The spammer might also take advantage of a free trial offer. Because ISPs have terms of service forbidding users from sending UCE, the account will be terminated as soon as the ISP receives a report that it has been used for spamming. The spammer may never be charged for
service. Note that some technologies allow spammers to send at the speed of a high-speed connection despite being on dial-up.
■ Hijacking of an individual's PC — Spammers are increasingly investigating the use of "Trojan horse" programs that install mail servers on the computers of victims. These computers are usually compromised through a mechanism such as a worm, or through ordinary hacking. Whenever the computer is connected to the Internet, the spammer can send e-mail from it, without any need for a relay server.
■ Hijacking a block of IP addresses — Spammers sometimes convince the American Registry for Internet Numbers (ARIN), the Internet address allocation authority, that they have control over a particular block of IP addresses, usually one that was assigned to a company that has gone out of business. They then persuade backbone providers to announce that block in their Border Gateway Protocol (BGP) routing. Note that this involves active deception of both ARIN and the service providers, as it usually requires forging the letterhead of the company that the block originally belonged to.
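The open-relay item above comes down to one decision an SMTP server makes at RCPT TO time: whether to accept a recipient given who the client is and where the mail is going. The following Python model is an added illustration, not code from the brief; it puts the open-relay rule beside the corrected rule, and the local domains, trusted networks and client addresses are constructed for the example.

```python
# Added example (not from the Gartner brief): a minimal model of the relay
# decision an SMTP server makes when a client issues RCPT TO.
# open_relay_policy mirrors the misconfiguration the text describes (any
# origin, any destination); closed_relay_policy is the corrected rule.
# All domains, networks and addresses below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed site parameters: domains this server delivers locally, and the
# client networks it trusts to submit outbound mail without authenticating.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("127.0.0.0/8")]


def _domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    if "@" not in addr:
        raise ValueError(f"malformed address: {addr!r}")
    return addr.rsplit("@", 1)[1].lower()


def open_relay_policy(client_ip: str, rcpt_to: str, authenticated: bool) -> tuple:
    """The misconfiguration: no authentication, any origin IP, any recipient."""
    return (250, "2.1.5 Ok")


def closed_relay_policy(client_ip: str, rcpt_to: str, authenticated: bool) -> tuple:
    """Accept a recipient only if delivery is local, or the client may relay."""
    ip = ip_address(client_ip)
    if _domain_of(rcpt_to) in LOCAL_DOMAINS:
        return (250, "2.1.5 Ok")               # inbound mail for our own users
    if authenticated or any(ip in net for net in TRUSTED_NETWORKS):
        return (250, "2.1.5 Ok")               # outbound mail from our own users
    return (554, "5.7.1 Relay access denied")  # third party to third party: refuse


def relay_test(policy) -> dict:
    """Probe a policy with the four cases a relay audit checks; True = accepted."""
    cases = {
        "inbound_to_local":       ("203.0.113.9", "alice@example.com", False),
        "outbound_from_lan":      ("192.0.2.77",  "bob@example.net",   False),
        "outbound_authenticated": ("203.0.113.9", "bob@example.net",   True),
        "third_party_relay":      ("203.0.113.9", "bob@example.net",   False),
    }
    return {name: policy(*args)[0] == 250 for name, args in cases.items()}
```

Only the last case should differ between the two policies: a closed relay still takes inbound mail for its own domains and outbound mail from its own users.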
Spammers also have increasingly looked for offshore mail relays. ISPs in
the United States generally adhere to a policy of not selling connectivity to
spammers. "Upstream providers" — the large backbone providers that
provide connectivity to smaller ISPs and Web hosters — typically require
their customers to police themselves. But outside of the United States,
where the spam problem has not grown to such severe levels, ISPs often
have more lax policies, and some ISPs simply don't care what their
customers use the ISPs for. Postini, which provides anti-spam services to a
variety of ISPs and large enterprises, has stated that more than 50 percent
of the spam volume it processes comes from mail relays outside the United
States, especially the Asia/Pacific region.
Fundamentally, spammers actively seek to circumvent anti-spam
measures, as well as the measures that service providers take to prevent
abuse of their networks. The technology war is escalating on both sides.
Furthermore, the technology war is increasingly resulting in "easy to use"
spamming tools — tools that automate the harvesting and verification of
e-mail addresses, as well as the actual sending of spam. The spammer does
not need to be sophisticated; he merely needs to run the tools. The cost of
entry into the spamming business is extremely low, and easy money can
be made by sending spam on behalf of the so-called "businesses."
What Is the Cost of Spam?
Spam causes service providers, enterprises and consumers to incur cost in
a variety of ways:
■ When spammers build lists of e-mail addresses, they frequently harvest them from Web pages. Google and other search engines incur costs from spammers utilizing them to find Web pages with e-mail addresses. Web site owners and Web hosters incur costs for the computational power and network bandwidth needed for serving these pages to the
spammers. Because many Web site owners, particularly small
businesses, pay by the megabyte of traffic served, the cost is passed
along directly to them.
■ Spammers must verify that a harvested e-mail address will actually reach a user. Similarly, spammers who use "brute force" to generate e-mail addresses — combining a database of usernames (some of which may be randomly generated, such as "aba," "abb," "abc" and so forth) with a database of domains ("aol.com," "earthlink.net" and so on) — must determine which of those addresses are valid. This is done by software that connects to the mail servers for the domain in question and behaves as if it were going to send e-mail to that particular user. If the mail server says that no such user exists, then the address can be tossed out. However, these verifications place an enormous computational burden on the mail servers, and they also consume network bandwidth. Both of these mean a direct cost to whoever owns and operates that mail server.
■ When spammers actually send e-mails, a cost exists in network bandwidth, computational processing power and storage space for the message. Even if the spammer legitimately pays for his own bandwidth, the recipient mail server also incurs a bandwidth cost. If a spammer sends 1 megabit (Mb) of traffic a second, then the recipient also needs to devote a 1Mb pipe to receive that traffic.
■ Spammers that utilize open mail relays and open proxies push the costs of network bandwidth and computational power onto the owners of the relays, and the ISPs of the proxy owners. ISPs estimate that 40 percent to 50 percent of all spam comes from open relays or open proxies.
■ Spammers that utilize hijacked PCs — thus engaging in clear computer trespass — directly steal user bandwidth and compute cycles.
■ For spammers that roam from ISP to ISP, obtaining high-speed business connections that are terminated as soon as the ISP discovers the circuit is used for spamming, these contract terminations can cost the ISP significant fees as a result of canceling the local loop contract with the local exchange carrier (LEC). ISPs often terminate services to spammers before they receive their first bill, which means the ISP also absorbs the installation charge and never receives any revenue from the sale.
■ Spammers that use dial-up ISP accounts for spamming often do not incur any charge, because their accounts are canceled before they are billed.
■ Spammers that use free e-mail services for spamming never pay anything; the e-mail provider bears all the costs for processing power and bandwidth needed to send the spam.
■ ISPs need a staff to handle complaints about UCE. They incur costs to discover which of their customers are spamming and to disconnect those spammers.
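The address-verification probing described in the list above leaves a recognizable trail on the receiving mail server: one client asks for a run of nonexistent users and is refused each time. As an added example (not part of the brief), the Python script below reads a constructed Postfix-style log excerpt and flags clients whose recipient attempts are almost all rejected as unknown users; the log lines, addresses and thresholds are assumptions made for the example.

```python
# Added example (not from the Gartner brief): spot address-verification
# ("directory harvest") probing in a mail server log. Sample log lines are
# constructed in Postfix's smtpd format; hosts and addresses are placeholders.
import re
from collections import defaultdict

# Constructed excerpt: 203.0.113.9 walks a dictionary of usernames ("aba", "abb",
# ...) and is told each does not exist; 198.51.100.4 sends one real message and
# mistypes one address, which is what ordinary traffic looks like.
SAMPLE_LOG = """\
May 12 10:01:01 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <aba@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@mailer.invalid> to=<aba@example.com> proto=ESMTP helo=<mailer.invalid>
May 12 10:01:01 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abb@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@mailer.invalid> to=<abb@example.com> proto=ESMTP helo=<mailer.invalid>
May 12 10:01:02 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abc@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@mailer.invalid> to=<abc@example.com> proto=ESMTP helo=<mailer.invalid>
May 12 10:01:02 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abd@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@mailer.invalid> to=<abd@example.com> proto=ESMTP helo=<mailer.invalid>
May 12 10:01:03 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@mailer.invalid> to=<abe@example.com> proto=ESMTP helo=<mailer.invalid>
May 12 10:01:03 mx1 postfix/smtpd[2211]: 4F2C8A1: client=unknown[203.0.113.9]
May 12 10:02:10 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.4]: 550 5.1.1 <jon.smyth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<jane@partner.example> to=<jon.smyth@example.com> proto=ESMTP helo=<mail.partner.example>
May 12 10:02:11 mx1 postfix/smtpd[2214]: 7A11B22: client=mail.partner.example[198.51.100.4]
"""

# A recipient refused because the local user does not exist.
UNKNOWN_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
# A message that passed the envelope checks and was given a queue ID.
ACCEPT_RE = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[^\]]+)\]")


def client_stats(log_text: str) -> dict:
    """Per client IP: number of distinct unknown recipients probed, messages accepted."""
    stats = defaultdict(lambda: {"unknown": set(), "accepted": 0})
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            stats[m["ip"]]["unknown"].add(m["rcpt"].lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"] += 1
    return {ip: {"unknown": len(s["unknown"]), "accepted": s["accepted"]}
            for ip, s in stats.items()}


def harvest_suspects(log_text: str, min_unknown: int = 4, min_ratio: float = 0.8) -> list:
    """Clients that probed many nonexistent users and almost never delivered mail.

    A typo from a legitimate sender is one unknown recipient among real deliveries;
    a harvester produces a long run of unknowns with little or nothing accepted.
    """
    suspects = []
    for ip, s in client_stats(log_text).items():
        total = s["unknown"] + s["accepted"]
        if s["unknown"] >= min_unknown and s["unknown"] / total >= min_ratio:
            suspects.append(ip)
    return sorted(suspects)
```

Postfix itself bounds this behaviour per session with smtpd_hard_error_limit; the script is for after-the-fact review of the log, where the same pattern shows which clients to rate-limit or block.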
In addition to these "hard costs," users waste untold hours in deleting
spam from their e-mail, and enterprises spend money trying to stop this
productivity drain. At the FTC forum on spam, held 30 April through 2
May, Nortel Networks stated that 75 percent to 80 percent of its inbound
e-mail is spam — more than a million spam messages a day. Nortel's filters
catch all but 5,000 to 10,000 spam messages per day, but Nortel estimates
that each of those messages cost $1 in lost productivity.
At the FTC forum, Postini stated that it believes that 75 percent of all
e-mail messages it processes are spam. Brightmail's on-line statistics
reported 46 percent of the e-mail messages it processed in May 2003 were
spam, while MessageLabs reported more than 50 percent of the e-mail
messages it processed were spam. Many service providers indicated that
spam was on the rise. It was estimated that the amount of spam has risen
from 40 messages per user per year in 1999 to likely more than 2,500
messages per user per year in 2003. Gartner Dataquest clients who have
tools in place to measure spam have indicated that spam constitutes 30
percent to 50 percent of enterprise e-mail (see "Why Am I Getting All This
Spam?," SPA-17-7036, for more on enterprise spam).
America Online (AOL) claimed to have rejected 3.27 billion spam attempts
during a single week and to have received as many as 9 million spam
complaints from users in a single day. Clearly, even if each spam attempt
costs only a fraction of a cent, the sheer volume means that costs become
significant. AOL, for instance, believes that it incurs an operational cost of
$2 per month per user because of spam.
The bottom line is that e-mail isn't actually free — it's subsidized by
Internet subscriptions. Spammers are getting a free ride at the expense of
everyone else.
U.S. Government on the Offensive
Interestingly, at a time when lawmakers are divided on every subject from
tax reform to drug benefits, spam has emerged as a powerful bipartisan
issue. The first bill introduced this year that promised to control spam flew
through a Senate committee by a unanimous vote. Consumers are fed up,
and lawmakers are reacting. Spam frustrates everyone — Republicans and
Democrats alike — and the only controversy appears to be in adding
tougher provisions and how to close any legislative loopholes. Here's
what's happening within the 108th Congress:
Senate
In the Senate, the Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003, or the CAN-SPAM Act of 2003 (S 877), seems
to have momentum. This bill, sponsored by Sens. Ron Wyden, D-Ore., and
Conrad Burns, R-Mont., flew through the influential Senate Commerce,
Science and Transportation Committee by a unanimous vote.
This bill is a significantly toughened version of anti-slamming legislation
that cleared the committee in the 107th Congress. The provisions include
the following:
■ A requirement that all commercial e-mail, solicited or unsolicited, be labeled as advertising
■ Language that could lead to a "do not e-mail" list comparable to the "do-not-call" list being established by the FTC (see "Court Lets U.S. Do-Not-Call List Go Into Effect," FT-19-7052, for details)
■ A clarification that a mere visit to a Web site does not constitute a prior business relationship
■ Some concessions to marketers
■ The threat of prison time for spammers
House of Representatives
Two bills have emerged in the House. Both bills create prison terms for
spammers, forbid harvesting of random e-mail addresses from the
Internet, and demand opt-outs and street addresses in marketing e-mail.
The differences in the bills lie in definitions and enforcement provisions.
One bill, sponsored by Billy Tauzin, R-La., F. James Sensenbrenner Jr., R-Wis., and Richard M. Burr, R-N.C., has faced a number of lawmaker
defectors because of the active role that the financial services and other
industries had in shaping the legislation. As a result, the other bill,
sponsored by Heather A. Wilson, R-N.M., and Gene Green, D-Texas, has
gained considerable momentum. Expect the House Energy and Commerce
Committee to move on anti-spamming legislation soon, as this is a top
priority issue for lawmakers. In fact, two House Energy and Commerce
Committee subcommittees (Commerce, Trade and Consumer Protection;
and Telecommunications and the Internet) held a hearing on 9 July 2003 to
hear testimony on spam.
Gartner Dataquest Perspective
The three major ways to fight spam are with technology solutions, with
legal solutions and with direct marketing "best practices" solutions.
Gartner Dataquest recommends the implementation of a mixture of all
three methods to achieve reasonable success. The reasons are as follows:
■ It's clear that spammers have no interest in following the best practices that the direct marketers adhere to.
■ Empirical evidence indicates that fewer than 200 spammers account for 90 percent of spam sent in the United States. Consequently, legislation that would enable those spammers to be shut down and prosecuted would have a significant impact on the reduction of the volume of spam. ISPs have already successfully sued spammers in private court, but these lawsuits have not translated into a significant reduction in spam volume.
■ Many existing anti-spam laws, as well as proposed laws, require senders of UCE to clearly identify who they are and mark the message as an advertisement (usually by putting "ADV" in the subject line). Expect spammers to not comply; indeed, they will strive to deceive consumers, and their success actually depends on that deception.
■ Accordingly, Gartner Dataquest believes that industry efforts to determine best practices and to enact laws that are consistent with those best practices will only impact those who are already trying to be consumer-friendly.
Will There Be New Anti-Spam Laws?
Gartner Dataquest predicts a new federal anti-spam law will be passed in
the United States in 2003. The Senate bill has passed through the most
important committee and will likely be expanded to include wireless text
messaging, and penalties will be stiffened. Gartner Dataquest predicts the
latter, even though the Senate commerce committee voted down an
attempt to make spammers subject to the Racketeer Influenced and
Corrupt Organizations (RICO) Act. Proponents of this measure said
extending RICO would give prosecutors "real teeth" in clamping down on
spam. The Senate bill is expected to reach the full Senate before the August
adjournment and will influence the House bill that will be shaped. Expect
the measure to be signed into law in an expedited manner, so lawmakers
can take full advantage of the action during the campaigns leading up to
the November elections. The public is fed up, the Congress is aware of the
frustration, and this is an important election year.
Multiple laws have been, and will be, passed at the state level. Gartner
Dataquest believes, however, that the federal legislation will be the most
important, as it will provide a consistent minimum baseline.
Gartner Dataquest believes that good anti-spam legislation will meet the
following criteria:
■ It will require senders to clearly identify who they are.
■ It will require senders to mark the message as UCE.
■ It will require senders to provide a working method of opt-out.
■ It will be written sufficiently strictly that it will protect legitimate direct marketers. Furthermore, while it may be desirable for legislation to enable service providers and senders in private court to recover the cost of violations, previous state-level legislation of this type has resulted in numerous frivolous lawsuits.
■ It will focus on the unsolicited aspect of the e-mail, not on its content.
Gartner Dataquest also believes that it may be reasonable to extend
computer trespass laws so that it is a violation to use a third party as a
mail relay (including as a proxy) without its knowledge and consent.
Will New Laws Help?
Any new laws will have a number of provisions that will be difficult to
enforce. Fraud laws, the FTC's Mail Order Rule and similar government
constructs already provide a basis for prosecution of those who make
deceptive offers on the Internet. The Child Online Protection Act (COPA)
already forbids the presentation of pornography to minors, but it presently
cannot be enforced.
Despite the best intentions of the lawmakers, we cannot expect all the
provisions of any new laws to be feasibly enforceable, through either
technological or nontechnological means. For example, Gartner Dataquest
maintains that when legislation is passed in the United States, an even
greater number of spammers will operate from outside the United States.
Effective international cooperation will be required to combat the problem.
Europe has already enacted its own anti-spam law, in the form of the European
Directive on Privacy and Electronic Communications, which will be
written into the laws of European Union member states. Asia/Pacific is
the most problematic point of origin; not all countries take effective
technical or legislative anti-spam steps. Australia's ISPs are effective at
enforcement, and Japan has passed an anti-spam law, so they are less
problematic than other countries. China, Taiwan and South Korea,
however, are particularly popular spam origination points; lack of
legislation, coupled with a competitive environment that makes ISPs
reluctant to turn off customers who are spamming, has created a major
global issue. Gartner Dataquest will address these issues more specifically
in future research after final anti-spam legislation is passed.
The major benefit of the expected new federal law would be that, if and
when a spamming perpetrator is apprehended, the case can be prosecuted
under a significant statute.
Key Issue
What will be the impact of regulation, government policy and operator privatization on
public network services?
This document has been published to the following Marketplace codes:
TELC-WW-DP-0577
For More Information...
In North America and Latin America: +1-203-316-1111
In Europe, the Middle East and Africa: +44-1784-268819
In Asia/Pacific: +61-7-3405-2582
In Japan: +81-3-3481-3670
Worldwide via gartner.com: www.gartner.com
Entire contents © 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed
to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner
shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations
thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The
opinions expressed herein are subject to change without notice.