ATLANTA — You know things are bad when the big Internet service providers are working together and federal lawmakers from both sides of the aisle are in agreement.
But all this togetherness likely won't stop the con artists, hackers and run-of-the-mill spammers who swamp the Internet daily with billions of unwanted e-mails.
Until now, the war on spam has been fought primarily by Internet providers with faulty filtering systems and federal regulators scratching for ammunition to stop spammers. In recent weeks, the anti-spam forces at least look more aggressive.
President Bush signed a national anti-spam bill into law on Tuesday. It authorizes creation of a popular anti-spam registry and provides criminal penalties for faking parts of e-mail, such as sender IDs.
But many consumer advocates don't think much of the legislation, effective Jan. 1. The registry may not be technologically feasible, and the legislation, heavily influenced by mainstream businesses that market products through e-mail, pre-empts some stronger state measures.
"Congress should be ashamed of itself," said Pete Wellborn, an Atlanta attorney who has sued hundreds of spammers.
A coalition of a half-dozen major Internet providers, fierce competitors who aligned last spring to combat spam, is expected to announce its proposals soon. Those likely will include a system to identify bulk e-mailers and certify legitimate ones. That won't cut the volume of spam flooding user inboxes, consumer groups say.
These are catch-up efforts, frenetic reactions to a problem no one foresaw, including Internet companies that were too busy buildIng their networks and gaining market share to recognize the warning signs, industry experts say. No one else saw the signs, either.
"I don't think anybody, even those of us who are professionally paranoid about spam, thought it was going to get this bad this quickly," said John Mozena, co-founder of the Coalition Against Unsolicited Commercial Email, an advocacy group. "AOL is now blocking more spam than they are delivering legitimate messages. That is a galactic technical and social problem to deal with."
Controlling spam, industry experts and consumer groups say, will take aggressive action and marked improvement on many fronts, including legislation, law enforcement and technology.
Consumers must step up, too, and get comfortable with anti-spam technology. Only about one-third of e-mail users with personal accounts have their own filters, according to the Pew Internet & American Life Project study.
"They've got to be looking left and right on the superhighway, doing the things they can do to protect themselves," said Orson Swindle, a member of the Federal Trade Commission, the federal agancy leading the war on spam.
Even with the toughest laws and smartest consumers, "that doesn't mean spam will go away — it will be manageable," said Paul Judge, founder of the Anti-Spam Research Group, an international consortium of technologists, Internet providers and software makers.
"I am optimistic because there are so many smart, talented people working on the problem," said Judge, who also is chief technology officer for CipherTrust, an Alpharetta, Ga.-based company that filters spam for major corporations. "Spammers now are having to respond in desperate ways. We definitely have got them out of their comfort zone."
There is still room for pessimism in his world view. Spammers who survive will be the most technologically savvy and criminally bent — in Judge's words, the "smart scum."
Consumer groups miffed
Consumer groups have been lobbying for a national anti-spam law for six years. Now that they have one, they aren't happy.
"As it stands, it fails the most basic test for any anti-spam law, which is telling people not to spam," Mozena said. "It doesn't say don't spam. It just regulates how to spam."
The legislation, backed by phe Direct Marketing Association and Internet providers, offers some added protections for consumers, especially those in the minority of states without anti-spam laws.
"We are not going to support any legislation that makes it easy on spammers or doesn't have any guts to it," said Dave Baker, EarthLink's vice president of law and public policy.
But the federal legislation weakens tougher measures in other states.
California's "opt-in" law, scheduled to take effect Jan. 1, would have required that companies get consumers' permission before sending any e-mail. By contrast, the federal legislation requires senders of unsolicited e-mail to include their return addresses, giving recipients a mechanism for "opting out" of subsequent e-mails.
It has created a paradox of sorts. The law requires junk e-mailers to honor requests to be removed from a mailing list. But the time-honored wisdom of the Web has been to avoid the "opt-out" link since any answer — in the hands of an unethical marketer — validates the address and makes it more likely to receive spam.- Business interests say opting in slows the growth of e-commerce, while consumer advocates say opting out sanctions spamming.
The advocates dub the "Can-Spam Act" — Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 — the "I Can Spam Act."
Swindle acknowledged consumer interests were not the sole consideration in the legislation. "In reality, in Washington, D.C., more often than not those with the big bucks get heard."
swindle and other FTC officials have questioned another key provision — the "do-not-spam" registry. Congress wants the FTC to oversee the creation of one if the agency can ensure that hackers won't be able to mine it for e-mail addresses to spam.
But the idea is riddled with problems, FTC officials say. Spammers can mask their identities, making enforcement next to impossible. Since e-mail users change addresses and Internet providers often, they say, the registry can't be kept current.
"Very likely, we can design some kind of a do-not-spam registry, but whether it will be effective is highly questionable," Swindle said. "Sometimes no legislation is better than bad legislation. This is a piece of bad legislation."
Promising big returns on bogus investments, Tennessee spammer K.C. Smith used hijacked computers, disposable cellphones and dozens of aliases to defraud Internet users out of more than $100,000.
In May, the Securities and Exchange Commission sued Smith. The Department of Justice then prosecuted Smith, 21, who was sentenced to 14 months in prison.
"K.C. Smith is the best example of someone who really took steps to conceal himself but we tracked him down," said John Reed Stark, head of the SEC's Office of Internet Enforcement.
But Smith is the exception, not the rule, federal authorities acknowledge.
Whether spam itself is illegal — and some think it already is under trespass laws — myriad other crimes are committed on the Internet, including theft, fraud and stock manipulation. Law enforcement agencies have stepped up their efforts against spammers who commit such crimes.
Last month the U.S. Department of Justice, working with federal, state and international agencies, touted the arrests or convictions of 125 people, including Smith, in a nationwide crackdown on online crime.
But law enforcement authorities say these successes represent only a small fraction of the crime being committed with spam. Their biggest obstacle is identifying the spammers.
In February 2002, the Federal Trade Commission declared the investigation of fraudulent and deceptive spam a priority and has since filed 57 law enforcement actions — "a trickle" compared with the number of spammers breaking the law, said FTC attorney Brian Huseman.
By contrast, the SEC claims "there hasn't been anyone, when we've wanted to, that we haven't been able to track down," Stark said. "The reality is, in the securities fraud context, spam helps you to get caught. In addition to the online footprints spammers leave, we can trace money. We can trace trading."
Until recently, no one has coordinated the efforts of tHe many federal agencies investigating spam abuse. That's changing, said Dan Larkin, unit chief at the FBI's Internet Fraud COmplaint Center, which will serve as virtual quarterback for law enforcement in cyberspace.
Even more dramatic changes are in the wings. In a break with tradition, the FBI is enlisting experts from Internet providers and other private businesses skilled at tracking online offenders. The first trial using one of these teams is under way.
"We definitely need more manpower ... but not just people with badges," Larkin said.
As more countries develop their pipelines to the Internet, U.S. law enforcement is being presented with a whole new set of challenges. Spam is not confined to the United States.
"One thing about e-mail is that it can be sent for a very low cost from anywhere in the world, to anyone in the world," Huseman said.The best hope for combatting spam, industry experts say, is whiz-bang technology. None is on the horizon.
Internet experts say there must be technical changes to the e-mail architecture to fix the flaw that makes spammers so hard to catch: Anyone who sends a message can do so anonymously.
There's some talk of rebuilding the Inteznet from scratch to plug security holes. But most experts think progress can come from less-radical changes.
The alliance of Internet providers wants to institute something called a trusted sender program — a kind of electronic passport for businesses or groups that send out mass mailings. E-mails from "trusted" bulk mailers will be coded to zip through the network. The rest, presumably from spammers, will be waylaid.
"The general idea is to identify legitimate e-mail so it can get through," said Stephanie Fossan, a senior product manager for EarthLink and part of the alliance. "You can (then) tighten down on some of the mail that is left over."
Some consumer advocates say the system won't do enough, in part because Internet providers are cautious when they filter or block e-mail, fearful they will snag e-mail that subscribers want.
For now, Internet companies are giving subscribers new tools to block spam while the best technological minds in the world wrangle over how to fix the Internet.
"No new law is going to take care of that," Swindle said.
"We are going to have to solve ht with technology. That is going to take awhile."