War Against Spam Rages OnWar Against Spam Rages On

Publisher Houghton Mifflin Co.'s CEO and CIO decided spam was a potential legal liability because of the offensive and pornographic content, says Eric vanBok, senior manager of messaging technologies. His company bought CipherTrust Inc.'s IronMail gateway appliance and, 64 days later, the system paid for itself, delivering a savings projected to be about $2 million over one year, he says. Pricing for the appliance starts at $9,500.

Though the Can-Spam Act of 2003 didn't outlaw bulk E-mail, it certainly raised the cost of peddling bogus pills. Maintaining a server to handle opt-out requests isn't cheap. Nor are legal bills. Faced with such expenses, the casual spammer who comes home from work and sends out a few million messages from a PC is vanishing. "You're seeing a shakeout in the industry," says Andrew Jaffe, an attorney who represents bulk E-mailers.

Spammers who remain are doing their best to infiltrate in-boxes. They use Web forums to discuss the best ways to defeat filters. The forums have areas for different needs, such as distribution, site hosting, and name lists, says Susan Larson, VP of global content operations for content-security provider SurfControl plc, which is among those that monitor spam chatter.

Spammers' ability to adapt frustrates IT managers such as VanderKaay at Hines Interests. He's seeing a movement away from text to images of text, which tends to stymie keyword filters. "Spammers are getting smarter and smarter, so, at an absolute level, we're getting more and more E-mails each month that are slipping through the spam filter," VanderKaay says.

One company, Sendmails Corp. (unrelated to E-mail vendor Sendmail Inc.) offers $1 per CPU hour if Internet users will send mail on its behalf, thus avoiding the difficulty of having all mail from them blocked. While hijacking a computer to send spam is illegal, this approach isn't, as long as messages comply with the law, and VP Brian Haberstroh says they do.

Many people still believe spam is destroying the Internet's killer app. An October report by the nonprofit Pew Internet & American Life Project says spam has made people less trusting of E-mail and less inclined to use it. The prescription--a combination of law, technology, and education--is at best a long-term cure. Optimists such as Proofpoint's Hahn suggest spam, like viruses, can be made manageable.

But others see a need to revise Internet mail protocols to address the ease with which E-mail addresses can be forged. "For better or worse," says Greg Olson, chairman and co-founder for corporate E-mail vendor Sendmail, "the E-mail protocols were designed for a kinder, gentler Internet." There are more than a dozen authentication proposals under consideration for the Simple Mail Transfer Protocol, Olson says. The leading contenders are Microsoft's Caller ID for E-mail, the open-source Sender Policy Framework (which AOL is testing), and Yahoo's DomainKeys.

If the large E-mail service providers--AOL, Earthlink, MSN, and Yahoo--decide not to accept unauthenticated mail, Olson predicts, spam will become unprofitable.

Microsoft's recent embrace of Bonded Sender, a sender-authentication service for E-mail marketers run by anti-spam vendor IronPort Systems Inc., suggests that day may be coming. Senders not participating in the Bonded Sender service face closer filtering, making it harder to spam millions of MSN and Hotmail addresses. If other E-mail providers follow, unsolicited messages with forged addresses will be stopped more often at E-mail gateways.

It may not add up to a clear victory over spam. But at least business and consumer E-mail users are putting up an increasingly fair fight.