Junk e-mail is like seasickness: If you don't get it, you don't really understand how bad it is. In 1997, when I proposed my first article on spam, the English editor I approached insisted it was an "American problem." One of his colleagues and I convinced him to take it seriously by ganging up on him: For a week we both sent him a copy of every piece of junk we received.
We couldn't do that now. Heavy Internet users can get hundreds of these messages every day. America Online reported in March that the company filters an average of 22 junk e-mail messages a day per account -- up to 780 million per day. Brightmail, which supplies spam-blocking services and products to Internet service providers (ISPs) and enterprises, counted 1.9 million spam campaigns in November 2001, 7 million in April 2003. By June 2003, the company says, spam was 48 percent of Internet e-mail traffic, up from 8 percent in January 2001. Spam volume is likely to grow further: The longer people are on the Net, the more spam they tend to receive. Aggregating all of my addresses, some of which get no junk and some of which get nothing else, 56 percent of my incoming e-mail is already spam.
Originally, the rage against spammers had more to do with the sense that a private space previously open only to friends and relatives had been invaded. Now the issue is that e-mail is becoming unusable. Even with postal mail, volume matters. If you get 10 pieces of junk postal mail a day, you put a wastebasket next to the front door and trash the unwanted mail on arrival. If you get 200 pieces, finding your bills and personal letters becomes a time-consuming chore. Your postal address has become virtually unusable.
This is the situation many e-mail users are now in. With dozens, if not hundreds, of messages a day, "just press the delete key" is too time-consuming. Spam now has far more in common with viruses and other malicious attacks than it does with any other Net phenomenon. As Brad Templeton, director of the Electronic Frontier Foundation, has said, "It sits at the intersection of three important rights -- free speech, private property, and privacy." One of the most astonishing phenomena he says, is the rage spam provokes, turning libertarians into regulators, advocates of distributed networking into supporters of centralized control, and ardent defenders of the right to free, open e-mail systems and anonymity into people who demand that every e-mail sender be forced to identify himself and pay for the privilege.
The term spam did not originate with junk e-mail. Hormel's ham-based meat product (and a memorable Monty Python skit) aside, Templeton's and others' research suggests its use originated in the game-playing sites known as MUDs (for "multi-user dungeons"), where it applied to several different types of abusive behavior. One of these was floods of repetitive messages, so the term moved on to cover mass posting to the worldwide collection of electronic bulletin boards known as Usenet. Junk e-mail, when it first surfaced, was technically known as unsolicited bulk e-mail, or UBE. Now everyone calls that spam, too, and Hormel is unhappy but resigned.
It makes more sense to define spam in terms of behavior than in terms of content. Bulk-sending millions of identical, unwanted messages can feel just as antisocial if the purpose is to promote a charity (say, the Royal Society for the Prevention of Cruelty to Animals) as it is if the aim is to promote a seedy financial scam (Nigeria must secretly be a very rich country). So the key defining characteristics are "bulk" and "unsolicited." Some spam relates to activities that are already illegal -- bilking people out of their money, selling Viagra without a prescription -- but the problem of spam is distinct from the question of prosecuting people for those activities.
The chief reason people send spam is that it's incredibly cheap to do so. The response rates are tiny compared to those seen in other types of direct marketing, but there are no printing costs, minimal telecommunications costs, almost no labor costs, and no publisher reviewing the content of your ad. It is, to be sure, socially unacceptable behavior. ISPs that let people send spam through their servers may find themselves blacklisted and their customers' e-mail blocked by other ISPs, and companies who send it themselves or who hire third parties to do it for them may find themselves boycotted.
One of the key objections to banning spam is that it amounts to censorship: No one, the argument goes, should have the right to interfere with a person's private e-mail or decide who can or cannot send e-mail or what it may contain. What is often forgotten is that spam itself can be a form of censorship. Many e-mail services have limits on the amount of e-mail that can be stored in a user's inbox at one time. Fill up that space with an unexpected load of junk, and wanted e-mail gets bounced.
Similarly, consider the advice that's often given to people to help avoid getting on the spammers' lists: Hide your e-mail address. The advice makes some sense. In March the Center for Democracy and Technology released the results of a six-month study on how spammers get people's addresses; the most popular method was to harvest them from Usenet or the Web. But hiding addresses has many undesirable social consequences. If there's no visible e-mail address, you can't tell someone there's an error on his Web site or ask for more information. Businesses have to choose between making staff less accessible and making e-mail less productive.
On the brighter side, the study also found that replacing part of your e-mail address with human-readable or HTML equivalents -- typing out the word "at" in the place of the @ sign, for example -- could keep it out of spammers' hands. (The automated programs, called bots, that they use to harvest addresses don't recognize such substitutions.) But spammers are beginning to adopt much more invasive techniques to get their messages through. So-called dictionary attacks send identical messages to endless combinations of letters at a single domain, hoping some will get through to valid users. My skeptic.demon.co.uk domain, which I've had since 1993, gets a lot of these -- hundreds of identical messages over a single weekend. In April the British ISP Blueyonder, which supplies broadband cable access to tens of thousands of subscribers, suffered a dictionary attack of such ferocity that it was unable to deliver e-mail to its paying customers for two days. That's not free speech -- it's a denial-of-service attack.
The next trend is for spammers to use a type of virus called a Trojan to get ordinary people's computers to send their mail for them. In the past, this approach has been used to mount distributed denial-of-service attacks on everything from commercial Web sites to hobbyist Internet Relay Chat networks. The computer's actual owner may not even know it's infected; some Web pages are designed to infect unwary visitors.
A couple of these e-mail Trojans already exist; they're known as Jeem and Proxy-Guzu. Both open up the infected computer for use as a "spambot," that is, a machine churning out spam like a robot. That leaves the innocent owner to face the consequences, which may include being blacklisted so that ISPs block that person's legitimate outbound correspondence. To combat this type of attack, users need not only to protect their machines with anti-virus software but to install firewalls to protect their Internet connections. Learning to configure a firewall isn't easy if you are not technically literate, but these devices will become increasingly necessary. Indeed, one downside to the rollout of broadband is that the computers with fast connections that are always online can be used to mount far more destructive attacks than their dial-up forebears.
What Is to Be Done?
Most solutions to spam fall into three classes: technical, economic, and legal. All three have major drawbacks, and even without those none would provide a total solution.