LATimes

Monday, April 16, 2001 | Print this story

Lone Guns Set Sites on Spam

A self-appointed global army has taken on the mass Internet mailings that annoy users and crash systems. It is a demanding and risky hobby.

By MICHAEL A. HILTZIK, Times Staff Writer

In his more than five years as one of the Internet's self-appointed police officers, David L. Ritz has suffered many wounds. Ritz says his life has been threatened. Anonymous antagonists have applied for dozens of credit cards in his name. Someone sent a subscription for a pornography magazine to his 82-year-old grandmother. His friends and acquaintances, including his children, ex-wife and a former landlord, have been inundated with unsolicited orders for books and magazines or had personal information such as their driver's license numbers posted on the Internet for public view. It's not as if he doesn't relish the fight. "I describe myself as an adrenaline junkie," says Ritz, 51, who earned his activist credentials in the early 1990s by fighting anti-abortion protesters on the streets of his hometown in Milwaukee. That was excellent training, as it turned out, for his subsequent battles. Ritz's quarry is spam. Spam is one of those features of modern life, like infomercials and telemarketers, for which almost no one has a good word. Spam generally falls into two categories: E-mail spam, with unsolicited commercial messages directed at individuals, which account for up to half of all e-mail, or hundreds of millions of messages per day. The second is newsgroup spam, or mass postings sent to Internet discussion groups on the popular Usenet, an informal electronic network popular among millions of users where spam accounts for about 80% of all postings. Either way, spam clogs computer network routers and shoulders legitimate e-mails and postings out of the way. Companies accused of sending spam include giant corporations such as Microsoft and Yahoo. But most spam is attributed to obscure marketers of get-rich-quick schemes, pornography and other marginal products and services. ("Reverse the AGING PROCESS 10-20 Years!" reads one pitch recently e-mailed to untold mailboxes.) As used online, the term spam derives from a Monty Python sketch about a pub where the available dishes are listed as "spam, spam, spam, spam, spam and spam" (which refers to the highly processed, and much lampooned, meat product). Scarcely a day passes when a spam overload does not crash an Internet service provider's computers that store and forward e-mail. Occasionally a mail-bombing is intense enough to bring down a major system, with results that resemble a regional electric blackout. Last year, 144,000 subscribers of Pacific Bell's Internet service repeatedly lost access to their e-mail for hours because servers were clogged with spam. But spam has inspired dozens of self-appointed spam-busters. This all-volunteer army is made necessary, in part, because by its very nature the Internet is not governable by a single global authority. "In the absence of an effective public [Internet] sheriff, you will have these private ones," says Jonathan Zittrain, executive director of the Berkman Center for Internet and Society at Harvard Law School. Vigilantes such as Ritz generally work alone but keep in contact with computer network administrators committed to keeping corporate networks and subscriber systems free of spam. When one or several anti-spam activists identifies an active spam source, they begin messaging each other in a global discussion of possible remedies. Most agree that it is a demanding hobby. "It gets scary sometimes," says Howard Knight, 39, a San Diego-based networking engineer and spam fighter who has been threatened and harassed by online foes. "You have to have a thick skin to be in this business." Knight won the spammers' enmity as a leading "spam canceler" when he developed programs to hunt down Usenet spam by analyzing the arcane coding that identifies every message's source, and then automatically deleting the offending messages. At the peak of his activity, Knight's program was canceling up to 30,000 spam postings a day by his own reckoning. The cancellations were based not merely on the commercial nature of the offending postings but on their frequency, and thus their ability to overwhelm legitimate discourse on the Usenet. But it did not take long for the spammers to strike back. Some wrote counterattack programs that would clog the discussion groups, rather than clear them. Others turned to rougher tactics, including vague physical threats. "You don't know if they're serious or just blowing smoke, but once I found out they knew where my kids lived and went to school I decided to take a lower profile," said Knight, who is divorced. The threats contributed to his decision in November to cease actively canceling spam, he said. "But I also felt a little unappreciated," Knight added, noting that many computer network administrators--perhaps fearful of getting involved in the bruising battle between spammers and their adversaries--had stopped honoring Knight's judgments about what messages to cancel. One the most annoying features of spam is that it is virtually inescapable. Ordering merchandise online, joining a chat group, or engaging in personal or business correspondence in cyberspace generally means posting your e-mail address in a way that can make it very public. Some spammers also use software programs that can run through millions of random combinations of letters, names and numbers to generate lists of legitimate addresses. So most e-mailboxes get loaded with electronic junk. "These are companies I've never heard of selling products I don't want by assuming I'm a moron," complains Marc Strassman, a Studio City Internet consultant. Strassman is so exasperated by the volume of spam filling his computer mailboxes that he is contemplating bringing a class-action lawsuit against the senders on grounds they are misusing his property and invading his privacy. "My time is being wasted and I feel violated every time I get an e-mail advertising a penis enlarger," he said. Ritz, a divorced former radio and recording engineer, pursues his campaign against Internet abuse out of a cluttered Milwaukee suburban apartment equipped with an ordinary dial-up Internet connection for his desktop computer. He sends out a constant stream of messages to dozens of freelance spam-cancelers and thousands of network administrators.

'Death Penalty' Used as Last Resort On one recent day, Ritz targeted a Canadian Internet provider that had ignored repeated warnings that spammers were relaying their messages through unattended ports on the firm's network. This allowed the spammers to conceal their real identities. The dialogue between the company and the spam activists had broken down to the point that Ritz was close to calling for a "Usenet death penalty," which would encourage network administrators around the world to block all messages coming from the service or its customers. A "death penalty" is a frightful weapon that often gets the offending party's attention and inspires it to improve network security. But the period leading up to the declaration of war "can be very stressful for me personally," said Ritz. The research, jawboning and negotiations over calling for "spam death penalty" translate into 70-hour weeks of work, he said. Lone-gun activists such as Ritz and Knight are backed up by a handful of nonprofit groups. These include the Mail Abuse Prevention System, or MAPS, which hosts the "Realtime Blackhole List," a public roster of accused spammers to which 20,000 system administrators subscribe. Individuals or companies that end up on these spam blacklists--including AT&T, which was accused of being a vehicle for spammers--often are unable to send or forward mail because many Internet service providers block all messages traceable to sources on the lists. "I call it democracy in action," says Nick Nicholas, MAPS' former director. One irony is that Ritz, unlike many other spam activists, was never trained as a computing expert. "My 11-year-old twins showed me how to boot up for the first time" in 1993, he said. Like many other online pioneers, he soon discovered the Usenet, a haphazard collection of discussion groups covering thousands of topics. On the Usenet, all communication, then as now, was by text. Even more important, its users regarded this as a sort of electronic village green, the center of a global community. By 1994, however, it had been overrun by spammers, the vast majority of whom were operators of pornography businesses. Ritz, a frequenter of Usenet groups where erotic images were traded as digital files, took the deluge of porn spam personally. "My enjoyment was being interfered with," he says. "The spam got out of hand and I felt I had to take action." Teaching himself how to analyze the complex trails that messages and e-mail leave behind as they journey from source to destination, he began deciphering the obscure electronic code that spammers use to conceal their identities. The battle was subjected to a variety of online and offline mischief, some of which he referred to police or the FBI. In the last year alone, he has had to fight four lawsuits filed in Texas, far from his Wisconsin home, by a single spammer. The suits were eventually dropped or dismissed but still cost Ritz thousands of dollars in legal fees. Ritz scored a conspicuous success last year by threatening the broadband Internet service AtHome with a public boycott for leaving open relays on its network that let spammers circulate tens of thousands of commercial messages. Because this boycott meant that network administrators worldwide might block even legitimate e-mails sent by AtHome's then-1.2 million subscribers, the service moved hastily to close the security loopholes.

Bill Would Allow Suing of Spammers Whether the work of self-appointed spam sheriffs will produce lasting victories is hard to assess. Spam has powerful friends, including major corporations and the direct-mail lobby, which regard e-mail as an efficient and inexpensive way to communicate with existing and prospective customers. Direct-mail lobbyists argue that customers actually enjoy receiving commercial e-mail, or at least find it no more objectionable than junk mail. "We don't think e-mail recipients are more sensitive [to unsolicited messages], but there's a very vocal minority who have an objection," said Robert Weintzen, president of the Direct Mail Assn., the industry trade group.. Legislation reintroduced in Congress this year would require that unsolicited e-mails carry accurate return addresses and allow consumers and Internet providers to sue spammers who ignore requests to be removed from mailing lists. The bill, which overwhelmingly passed the House last year but died in the Senate, still faces opposition from industry groups including the Direct Mail Assn. "This is one piece of legislation [the industry] would like never to see the light of day," says Kevin McDermott, a spokesman for Rep. Heather Wilson (R-N.M.), the bill's principal sponsor. Legitimate companies that run afoul of the spam-busters have also insisted on their right to communicate on the Internet any way they see fit. Last year, MAPS was sued by bulk e-mailers who complained that the blacklist violated their commercial rights. One, Harris Interactive (owner of the Harris Poll), complained in a federal lawsuit that its listing blocked e-mail to 2.7 million of 6.6 million participants in market research polls. The company dropped the case after striking separate agreements with large Internet providers that had originally heeded the listing. Spam opponents say that the last year's economic downturn has made many Internet providers less willing to monitor their networks and shut down spammers. Meanwhile, there is scant prospect that the work of individual spam sheriffs will soon give way to more formal governance. The Net's international character effectively prevents authorities in any one country from imposing regulations on users anywhere. "We as a society don't have a mental model for what jurisdiction should mean on the Internet," said Steven M. Bellovin, an expert on network architecture and security at AT&T Laboratories. "At the time of the War of 1812, a country's territorial waters were set at three miles because that was the range of a cannon. But we don't have a consensus on what constitutes the range of a cannon on the Internet."

-- Anonymous, April 16, 2001