Canning spam: Unclogging law firm mailboxes

Issue: March 2004. By Sharon D. Nelson, Esq. and John W. Simek. © 2004 Sensei Enterprises

So how much do you hate spam? Spam-haters have become the world's largest club. People talk more about the bane of spam than about the latest absurdly unreal "reality" shows. Where we all once had a trickle of unsolicited e-mail that turned into a river, most lawyers now see spam in terms of a tsunami that grows in height daily and threatens to crush legitimate e-mail correspondence. Only the larger firms have tended to filter spam well. And now we have a new federal anti-spam law, whose effectiveness remains a matter of great speculation.

As a practical matter, can we "can the spam"?

The grim facts

First, let's examine the unnerving statistics, as reported by Massachusetts Institute of Technology's Technology Review and Consumer Reports, some of which may seem startling. It will not surprise anyone that spam now comprises more than 50 percent of the average inbox, up from 8 percent in 2000. More than 13 billion unsolicited e-mail messages swamp inboxes worldwide every day. America Online reports it routinely blocks more than 1.5 million spam messages per day and yet it also averages 7 million complaints daily about the spam that gets through. According to the Radicati Group Inc., a market research firm specializing in e-mail, the number of spam messages is doubling every 18 months. Ferris Research now estimates spam causes a $10 billion a year drag on the economy.

How the spammers find you

How do spammers get your address in the first place? There is the classic "dictionary attack" in which spammers target guessed names such as johndoe, johndoe1, johndoe2, etc. Spammers all have software to facilitate these attacks - if they don't receive a "bounceback" indicating that the address is invalid, they add it to their "confirmed valid" database.

If you shop or register for something online, be wary. L.L. Bean will not sell your e-mail address, but "Joe Chen's Bargain Computers" might do just that. Make sure you look at privacy policies and be skeptical about companies you don't know to be reputable.

If a lawyer places an e-mail address on his or her law firm site at 8 a.m., he or she is likely to receive the first spam message by 8:10 a.m. Ditto for talking in chat rooms. Spammers use special harvesting software to scan the Net for visible e-mail addresses. As an experiment, The Center for Democracy & Technology, a Washington, D.C., advocacy group, posted 250 new e-mail addresses on its Web site. Within six months, the addresses received more than 10,000 unsolicited e-mails.

Spammers also harvest e-mail addresses from free chat services. That was at least part of the reason that Microsoft closed its chat rooms in 28 countries on Oct. 14, although it allowed them to remain open on a subscription basis in the U.S., Canada and Japan, where visitors are more accountable because their billing details are on record with Microsoft.

How do the rest of them find your address? Often through reselling. Sometimes lawyers are their own worst enemy: they reply angrily "Remove" or "Unsubscribe," only to have their address added to spammers' "confirmed valid" lists, which the spammers then sell to other spammers. Unsurprisingly, "confirmed valid" lists are generally resold many times over.

State legislative solutions: Spammers in the slammer?

As the federal government struggled with competing lobbies and got nowhere quickly, 35 states managed to pass anti-spam laws, none of which seemed to accomplish a great deal.

Spammers in the slammer, a common state penalty, sounds great to many of us, but many commentators have expressed the concern that prosecutors would not enforce such laws aggressively, both because they lack funding and because they don't perceive spam as a serious crime. Typically, one would think murder, arson, rape, armed robbery and other significant charges would receive attention far ahead of unsolicited bulk e-mail. Another factor is it's extremely difficult to trace the source of spam in most cases. Spammers are wily creatures who change their network addresses regularly and relay their e-mail off unsecured servers, primarily in Asia, to hide the true source of the e-mail.

The most stringent of the state spam laws was California's, signed on Sept. 23, 2003, and scheduled to take effect on Jan. 1, 2004. It was called vulnerable to legal challenges, including on First Amendment grounds or on arguments based on the law's interference with interstate commerce. The new federal CAN-SPAM Act preempts California's "opt-in" requirement. The California law outlawed sending most commercial e-mail messages to anyone in the state who had not explicitly requested them. That made it the most wide-reaching of any of the 35 other state laws meant to regulate spam or of any of the anti-spam bills that Congress considered. The law, which also prohibited companies inside the state from sending unsolicited e-mail to anyone outside the state, imposed fines of $1,000 for each message, up to $1 million for each campaign. Proponents of the law said it would be more effective than many anti-spam laws because it gave people the right to file private lawsuits rather than depending on state prosecutors. Unfortunately, the California law never got a fair shot, as the federal law largely preempted it.

Can the federal CAN-SPAM Act can spam?

Congress remained, for a shamefully long time, a lumbering ineffectual giant that listened to the lobbyists for marketing groups, particularly the powerful Direct Marketing Association. Competing anti-spam bills vied against one another, as did their passionate proponents and opponents. Finally, prodded by their constituents, every member of Congress got one clear message: the voters wanted them to do something about spam and were going to be distinctly fed up with a Congress that didn't produce a law quickly. Hence, the CAN-SPAM Act of 2003. The lobbyists did not lose entirely - the act that emerged from Congress has been greeted with a great deal of skepticism.

The act has an unwieldy name, CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT OF 2003. Even the act itself contains the subtitle "CAN-SPAM Act of 2003." It was signed by President Bush on Dec. 16, 2003, and went into effect Jan. 1, 2004. It pre-empts state anti-spam laws except to the extent that they prohibit falsity or deception in any portion of a commercial electronic mail message or information attached to it. Unlike the California act, which required that users "opt-in," the federal law is an "opt-out" law. It does not ban spam outright, and it is questionable whether "opting-out" is ever a methodology that will truly work. The act does not apply to political or charitable spam. For other unsolicited bulk e-mail, the act:

•  Prohibits senders from falsifying or disguising their true identity;

•  Prohibits the use of misleading subject lines;

•  Prohibits the harvesting of e-mail addresses by either (1) automatic means from an Internet Web site or proprietary online service maintained by a third party; or (2) an automated system that generates possible electronic addresses by combining names, letters and numbers in numerous permutations;

•  Prohibits businesses from knowingly promoting themselves through false or misleading e-mails;

•  Requires the inclusion of a legitimate return e-mail and physical postal address for the sender;

•  Requires the inclusion of a functioning opt-out mechanism and clear and conspicuous notice of the opportunity to opt out, and requires senders to honor any such opt-out request;

•  Requires clear and conspicuous notice that the message is an advertisement or solicitation; and

•  Requires messages with sexually oriented material to be clearly identified.

Liability under the act is broad, including not only the spammers themselves, but those who hire them. If a company knowingly hires a spammer who does not comply with the act, the company may be prosecuted in the same manner as the spammer. Criminal penalties for violation of the act include stiff fines and up to five years in prison. Civil penalties can be as much as $250 per e-mail. Repeated misconduct or aggravated violations can result in treble damages.

In a move that has generated a lot of contemptuous criticism, the act charges the Federal Trade Commission with administering a "Do Not Spam" registry, presumably much like the "Do Not Call" registry. The FTC has six months in which to submit a comprehensive plan for the "Do Not Spam" list to Congress, but critics scoff that there is no way to enforce the list against all of the foreign generated spam. In any event, after Congressional review, the FTC will have three months to implement the plan. The FTC is also charged under the act with developing rules within 270 days to curtail spam messages on cell phones.

Today's best hope: Filters

In an astonishingly short period of time, most of corporate America has adopted some sort of filter system to screen unwanted e-mail. Though wildly imperfect, filters have become the nation's No. 1 weapon in the fight against spam. One way to measure the effectiveness of a spam filter is to weigh the percentage of junk e-mail blocked against the false positive rate (the percentage of legitimate mail inadvertently blocked). A 95 percent filtration rate is considered excellent, and some companies claim a higher rate. But be wary of claims, since corporate users generally report something more like a 70 percent filtration rate. Unfortunately, the higher the filtration rate, the higher the false positive rate. A false positive rate of 0.1 percent or higher, which translates into losing 1 of every 1,000 legitimate e-mails, is generally considered unacceptable.

One filter used by some of America's corporate giants comes from San Francisco-based Brightmail Inc., which says its filter processes about 10 percent of the world's e-mail. Brightmail has an extremely low false positive rate, about one out of every 1 million spam messages. Though Brightmail claims a filtration rate of more than 90 percent, once again, consumers report the rate is significantly less. A great help, certainly, but not a complete solution. Brightmail is a server-based solution and not available for a small or solo office that doesn't have its own e-mail server.

Though there are many kinds of filtering software, law firms with Exchange servers rely more and more on Symantec's filtering product. The old version was called Symantec AntiVirus/Filtering for Microsoft Exchange and provided very basic methods for identifying spam addresses and unwanted content. The software was time-consuming to manage and had a long list of flaws. The new version is called Symantec Mail Security for Microsoft Exchange and promises to do a much better job of managing unsolicited e-mail. Some of the new features include separate scanning of inbound and outbound mail, comparison of attachment type to the file extension, support for external "black list" databases (known spammers) and support for "white lists" to allow all e-mail from a known good address regardless of content. Unlike the old version, it also can be configured to give or not to give users notification of blocked e-mail, though only if the action selected is to delete the message. If the messages are to be quarantined, it will still give the users notification. As many lawyers have complained, having the long list of notifications in their inbox is almost as irritating as the spam itself, especially if they are retrieving their e-mail via a PDA. It's akin to spam about spam.

Consumer Reports Picks the Best Spam Filters:

1. Stata Labs SAProxy: According to Consumer Reports, this free program outperformed all other spam filters, but be forewarned that it requires some degree of computer skill and comes with complicated installation instructions.

2. Mailshell SpamCatcher Universal: $20

3. Blue Squirrel Spam Sleuth: $30

4. Symantec Norton Internet Security 2003 (Spam Alert): $70

Our own experience is greatest with Symantec's products, which we have no problem recommending, especially with all the enhancements of the current version. At an enterprise level, this is an excellent approach to reducing spam. Not that it works all alone. We combine the Symantec product (Symantec Mail Filter, which comes bundled with Symantec Antivirus, Enterprise Edition) with the application of certain blacklists. For a list of all currently known blacklists, see

Although experts disagree on which blacklists are best, the Super Computer Center at the University of California uses these, which seems a pretty decent recommendation:





Anecdotally, some of our solo and small law firm clients speak well of Sunbelt's iHateSpam ($19.95).

Don't expect the problem to go away. Our combination of Symantec, blacklists and our own fine-tuning of the filters has resulted in 92 percent of incoming mail being blocked as spam. Two percent is spam that gets through (more fine-tuning always in progress) and the remainder is our legitimate e-mail. We have created a daily spam folder for each individual - the only spam that goes there is the spam we catch with our own fine-tuning. We review it once in a while and find that we have to whitelist someone (perhaps our realty or financial counselor, whose words may trip our content filters). In terms of the spam we never see because it is caught by the blacklists, only once have we had legitimate mail blocked by a blacklist and that was because a client had their server configured as an open relay and was therefore blacklisted. Clients who are blacklisted have a much bigger problem, since they need to get off the blacklist to conduct business with anyone who uses blacklists - and that's a steadily growing number! By the way, figure at least 72 hours of business impact to get yourself totally removed from the blacklists if you somehow find yourself on them, even if you jump on the problem assiduously from the beginning.
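As an added example (not the authors' configuration and not Symantec's code), the Python sketch below models the layering described above and in the filter discussion earlier: a blacklist that rejects mail before users ever see it, a whitelist that overrides the content rules for a known good sender, a content filter feeding a daily spam folder, and a scoring step that reports filtration and false positive rates against the 0.1 percent threshold. Every host, address, rule and message in it is constructed for illustration.

```python
# Constructed toy model of a layered mail filter: blacklist, whitelist override,
# content rules, spam folder, then scoring. All names and mail below are made up.
from dataclasses import dataclass

BLACKLIST = {"relay.example.net"}           # constructed: host listed as an open relay
WHITELIST = {"advisor@realty.example.com"}  # constructed: known good sender
CONTENT_RULES = ("mortgage rate", "refinance now", "adult")  # constructed triggers

@dataclass
class Message:
    sender: str       # envelope sender address
    relay_host: str   # host that handed the message to our server
    subject: str
    body: str
    is_spam: bool     # ground truth, used only for scoring

def classify(msg):
    """Return 'blacklisted', 'spam_folder' or 'inbox' for one message."""
    # 1. Blacklist: mail relayed via a listed host is rejected; users never see it.
    if msg.relay_host in BLACKLIST:
        return "blacklisted"
    # 2. Whitelist overrides the content filter, so a known good sender whose
    #    words would trip a rule (a realty counselor, say) is still delivered.
    if msg.sender in WHITELIST:
        return "inbox"
    # 3. Content rules: anything they catch goes to the user's daily spam folder.
    text = (msg.subject + " " + msg.body).lower()
    if any(rule in text for rule in CONTENT_RULES):
        return "spam_folder"
    return "inbox"

def score(messages):
    """Filtration rate, false positive rate (both in percent), and whether FP < 0.1%."""
    spam = [m for m in messages if m.is_spam]
    ham = [m for m in messages if not m.is_spam]
    spam_blocked = sum(classify(m) != "inbox" for m in spam)
    ham_blocked = sum(classify(m) != "inbox" for m in ham)
    filtration = 100.0 * spam_blocked / len(spam) if spam else 0.0
    false_pos = 100.0 * ham_blocked / len(ham) if ham else 0.0
    # A false positive rate of 0.1 percent or higher is treated as unacceptable.
    return filtration, false_pos, false_pos < 0.1

SAMPLE = [  # constructed test mail with ground-truth labels
    Message("deals@bulk.example", "relay.example.net", "Refinance now", "low rates", True),
    Message("advisor@realty.example.com", "mail.realty.example.com", "Your mortgage rate", "locked in", False),
    Message("client@law.example", "mail.law.example", "Deposition schedule", "Tuesday ok?", False),
    Message("promo@shop.example", "mx.shop.example", "Adult content inside", "...", True),
    Message("news@shop.example", "mx.shop.example", "Weekly specials", "new arrivals", True),
]
```

Running `score(SAMPLE)` on this tiny set blocks two of three spam messages and none of the legitimate ones; the whitelisted counselor's "mortgage rate" subject would have landed in the spam folder without the override.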

The authors are the president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Va.