Ray Everett-Church

Comments for Consumer Privacy 1997 - P954807
Submitted by Ray Everett-Church

Introductory Statement:
"Guerrilla Warfare: A System Administrator's Perspective on
Unsolicited Commercial E-Mail"

This document contains my written comments addressing several of the specific questions posed in your Invitation to Comment for Sessions Two and Three as part of your Workshop on Consumer Information Privacy. Before addressing the specific questions posed by the Commission, I would like to briefly introduce myself and provide a brief overview of the unsolicited commercial e-mail problem.

In presenting these comments, I wish to help the Commission see life from the perspective of those technology professionals whose roles as Internet systems administrators put them at the forefront of the unsolicited commercial e-mail (UCE) issue. As a computer consultant and law student, I have been extremely active for several years in the legal and technical issues involving Internet abuse, particularly unsolicited commercial postings on USENET newsgroups ("Spam") and UCE. While I do not seek to represent the interests of any one particular organization before the Commission, I offer my perspective as one who has worked for several years as a consultant to the online services industry dealing primarily with the issue of unauthorized use of e-mail for commercial advertising. My most recent assignment has been as a contractor for America Online's Postmaster Services Team participating in the development and implementation of procedures for managing complaints regarding Spam and UCE. I wish to note, however, that I submit these comments representing only my own personal views as a technology professional; I do not seek and am not authorized to represent the views of my past or present clients.

In my individual capacity as a technology professional, I was recently requested by the New York State Attorney General's office to supply evidence and an affidavit in their current prosecution of Kevin Lipsitz, alleging fraud in a magazine subscription scheme advertised via unsolicited commercial e-mail. As the operator of several Internet mailing lists that were targeted by Mr. Lipsitz, my affidavit dealt specifically with the technical issues surrounding e-mail forgery and network address spoofing.

I wish to share with the Commission a different perspective from the usual variety of advocates you're likely to hear from on this issue. The perspective I seek to present is that of one who is regularly faced with both the technological and functional problems caused by the proliferation of UCE. I believe it is very important for the Commission to understand the techniques employed by UCE purveyors, and the variety of damage done. I also wish to share with the Commission my knowledge of the "self-help" techniques employed by hundreds of system administrators and network technologists to protect their resources from damage caused by UCE.

Too often, the problem of UCE is characterized as merely a conflict pitting entrepreneurs engaged in legitimate business versus nerdish "computer geeks" zealously protecting their private playground in Cyberspace. This is a dangerously myopic view that clouds real issues of theft, fraud, deception, unfair trade issues such as false designation of origin and trademark infringement, and other impediments to consumer access to trustworthy information. The world of Internet e-mail is a realm of guerrilla warfare where technology professionals like me deal on a daily basis with generators of unsolicited e-mail who:

Use UCE software incorporating "hacker" techniques to gain unauthorized access to mail servers for sending their e-mail;
Falsify the "sender" information on e-mail, causing damage to computer systems when massive amounts of undeliverable e-mail are unable to be returned to the "sender";
Damage the reputation of the organizations identified as the source of unsolicited mail;
Defraud Internet service providers by obtaining service with the intent to violate the provider's usage contract, often defrauding the same providers numerous times by providing false names and billing data in order to open new accounts after previous accounts have been terminated; and
Create elaborate software packages to conceal e-mail origins and automated mail processors to avoid detection and to wreak vengeance on those who dare to complain.

As one who regularly participates in a wide variety of online discussion groups dedicated to coping with the ever-growing onslaught of UCE, this comment presents a variety of problems experienced by system administrators. Those problems are the underlying basis for my primary argument: severe restrictions on UCE an appropriate and timely consideration for the Commission.

It may come as a surprise to those who are not skilled in Internet usage, but simplicity is at the core of the Internet. In the world of computing, information is distilled down to individual bits of data and computer programs are comprised of little more than a few dozen simple instructions chained together in different ways to process that data. Internet protocols are similarly simplistic in order to facilitate interoperability between different types of machines and in order to increase efficiency in transmitting or processing the data stream. With this simplicity comes the opportunity for abuse. Unfortunately, in order to make inherently simple systems less prone to abuse, they become less simple and less efficient. Therefore, in order to maintain optimal functioning of computers and networks, less complicated solutions are preferred.

Bearing in mind the desire to maintain simplicity, the key to solving the problem presented by UCE is two-fold. First, regulators should assure that the law adequately discourages the elements of the UCE marketplace that are based on fraud and deception against service providers and consumers. Second, consumers and system administrators should have adequate remedies under law to avoid being forced to bear the costs which UCE purveyors displace onto them.

Many in the anti-abuse community believe that the solution to the problems posed by UCE can be found in modifying the ban on unsolicited facsimile ("fax") transmissions (see 47 USC 227 and 47 CFR § 64.1200) to include UCE. I believe very strongly that this simple modification would eliminate the cost shifting problem inherent in UCE. By outlawing the practice and giving victims a direct cause of action, unsolicited facsimiles are very rare. In fact, it is informative to note that one of the most successful UCE purveyors on the scene today began his career in the unsolicited facsimile business immediately prior to the ban. While fax technology and e-mail technology are very different, the problem of cost-shifting which Congress recognized in the unsolicited faxing is even greater in the area of unsolicited e-mailing.

While such modifications to the telecommunications statutes may be beyond the scope of the FTC's jurisdiction, the Commission has a recognized expertise in prosecuting trade practices which cause harm to consumers, unfairly shift costs to innocent parties, inflict damages upon legitimate businesses, and perpetuate fraudulent activities. All of these evils are present in the current UCE marketplace.

It is my sincerest desire that the Commission will review the attached Comments and agree that a ban on the techniques of unsolicited e-mailing is the most simple and effective solution. The Commission would not be alone in this consideration; several state legislatures, including Ohio, Connecticut, New York, and Nevada, are currently considering bans on UCE within their states. However, give the interstate nature of most Internet UCE transmissions, such state-by-state approaches may not prove very effective. I hope the Commission will take this opportunity to assess the damage to consumers and to the Internet marketplace caused by the proliferation of UCE and endorse a complete ban on the practice.

Respectfully submitted,

Attached: Comments in Response to Session Two Questions 2.16, 2.17, 2.18, 2.19, 2.20 and Session Three Questions 3.16, 3.17, 3.18, and 3.19.

2.16 How widespread is the practice of sending unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?

Exact statistics in the world of unsolicited commercial e-mail (UCE) are difficult to come by because it can be transmitted from virtually any Internet connection to thousands of destinations all over the globe. Both UCE and legitimate e-mail are processed by mail servers in exactly the same manner and it would take a detailed item-by-item search through voluminous mail server transmission logs from all of the receiving sites in order to determine accurate numbers. In this area, however, it is instructive to look at the claims made by UCE "professionals."

Many UCE purveyors claim to have lists of over 10 million addresses, and some sell software for collecting e-mail addresses, claiming to add thousands to your database in a matter of an hour. Others sell UCE software packages and claim that the average user can mail upwards of 150,000 e-mails per hour over a 28.8 kbps modem. Preliminary data from a study by system administrator Michael Rathbun indicated that UCE amounts are growing every day. Mr. Rathbun's experiment involved replicating the actions of a typical consumer to determine how much UCE an average consumer might receive. He established an account with America Online, through which he obtained a total of five e-mail addresses.

Over the course of five weeks in March and April 1997, Mr. Rathbun studied the flow of mail into these test mailboxes. His full reports, originally posted to the SPAM-L mailing list, are attached as Exhibit 1, however a brief summary of his data for a five week period indicated:

Week One: His five "screen names" accumulated a total of 49 pieces of UCE and zero legitimate e-mail, requiring almost 10 minutes of online time to download.
Week Two: His addresses accumulated 62 pieces of UCE and zero legitimate e mail. (Total UCE received for two weeks: 111)
Week Three: His addresses accumulated 88 pieces of UCE and zero legitimate e mail. (Total UCE received for three weeks: 199)
Week Four: His addresses accumulated a total of 102 pieces of UCE and one (1) legitimate e-mail. (Total UCE received for four weeks: 301)
Week Five: His addresses accumulated a total of 63 pieces of UBE and one (1) partially legitimate e-mail. (Total UCE received for five weeks: 364)

There are many ways that distributors of UCE obtain their lists of e-mail addresses. They may (1) obtain a list of addresses from one who collects and sells such lists, or (2) they may "harvest" addresses from a variety of online locations including capturing them from online service chat rooms, copying them from postings to USENET and other varieties of online discussion groups, and conducting random searches of online service Member Directories. Several enterprising individuals market specialized programs that will accomplish these tasks for people who wish to go into the UCE list-making business for themselves. By their very nature, these lists are collected without the permission of the addressees. Moreover, despite claims that such lists are "targeted" to those with particular interests, when e-mail addresses are gathered in a haphazard fashion by simple automated collection programs, there is little to support such claims.

Exhibit 2 is an example of an advertisement for a software program called "Floodgate," which claims to offer the means of gathering e-mail addresses from the major online services and directly from the Internet. As the manufacturer of Floodgate advertises, addresses are gathered from:

"1. Compuserve Classifieds: Send your marketing letter to everyone who is running a classified ad. I'll teach you how to download all of the classifieds from any single ad category. This is one of the most responsive list of buyers. . . .
"2. America Online Classifieds: Download 2,500 addresses in 15 minutes. These are excellent lists of business-to-business sales.
"3. Compuserve Forums: You can join a forum and download hundreds of forum messages in a matter of minutes.
"4. America Online Forums: Choose from dozens of forums. All good targeted lists.
"5. Prodigy Forums: Prodigy allows you to easily export any group of forum messages. More targeted lists.
"6. Internet Newsgroups: These are all targeted lists. You'll be able to send your marketing letter to everyone who posts a message in any newsgroup. Easily collect 1,000's of addresses an hour.
"7. America Online Member Directory: Most member directories only allow you to search by city and state, with AOL, you can search by business type, hobbies, computer type, etc. This is the gem of all member directories. Build huge targeted lists.
"8. Compuserve Member Directory: This is a major resource. If you're willing to target your mailing to a single city, you can collect about 1,000 e-mail addresses an hour.
"9. Delphi Member Directory: The Delphi Member Directory allows you to search for people based on key words. These are good targeted mailing lists. A single search can easily generate 5,000 addresses.
"10. Genie Member Directory: Similar to the Compuserve Member Directory, only you can download names much quicker. You can easily pull hundreds of thousands of addresses out of each of these member directories. . . ."

It should be noted that "harvesting" e-mail addresses in this way is a violation of the Terms of Service of most of the online services named above. For example, America Online's "Rules of the Road" § (C)(iii)(g) states:

Advertising, Solicitation and Name Harvesting. Unless you obtain express permission from the Member in advance, you may not use AOL to send unsolicited advertising, promotional material or other forms of solicitation to another Member except in areas designated for such a purpose (e.g., the classified area). You may not use AOL to collect or "harvest" screen names of other Members without the express prior permission of the Member. . . . (emphasis added)

Unfortunately, while the use of programs like Floodgate may be prohibited by an online service's user agreement, enforcing such provisions is extremely difficult because such programs exploit many of the features of online services that make them so popular to the public. Floodgate, for example, operates along side your online service's software and captures e-mail addresses anywhere they appear on your screen. It also provides "scripts" which automatically activate the online service's software, mimicking the steps a normal user would perform in, for example, searching for a friend's e-mail address in a Member Directory. However, this script can perform these searches hundreds of times, substituting any number of search parameters in order to broaden the variety of names captured and then automatically dumps each address into its database files. These programs can also cruise automatically through message boards, file libraries, and move sequentially through every online chat room, snatching every available address it finds.

"Harvesting" programs of this type are specifically designed to assist individuals in violating their contract with online service providers. They capitalize on the most popular features of online service, the features most utilized by consumers, and use the consumers' participation in those online activities against them. Although these programs are banned by many online services, enforcement is nearly impossible. This is because, from the online service's end of the connection, it is impossible to tell whether there is a real person looking for messages or chat rooms of interest, or if it is one of these automated programs -- from the online service's perspective, the activity on their machines appears virtually identical. Consequently, the only truly effective means for an online service to control this method of collecting user e-mail addresses is to disable such features -- denying legitimate users access to these popular features.

Because the use of such programs is difficult or impossible to detect by the online service provider, I believe that software designed to facilitate this harvesting should be outlawed. Such restrictions would not impair the ability of online marketers to gather lists of e-mail addresses, however it would restrict them to collecting addresses using methods that would not breach online service agreements. It would also encourage UCE marketers to seek methods of attracting consumers into affirmatively requesting addition to their marketing lists, rather than being added without permission and forced to bear the costs of receiving UCE.

Restricting such harvesting programs would also reduce the incentive for dedicated UCE generators to open online service accounts with the intention to breach their contractual agreement with that service. For example, in instances where breaches of the service agreement are discovered, the abuser's account is typically terminated. However, the need for new e-mail addresses drives dedicated UCE mailers to obtain new accounts with those online services, often using fraudulent subscription information to avoid their applications being intercepted and denied. By banning the use of such harvesting programs, there would be reduced incentive to defraud online services and a reduced incentive to breach the usage contract. Online marketers would still be able to collect e-mail addresses, however they would be forced to employ methods which do not involve fraud or breaches of contract.

It should be noted that there is a "new" program for harvesting e-mail addresses that has recently been advertised by Cyber Promotions, a leading purveyor of UCE lists and services. Exhibit 3 is an advertisement posted on the World Wide Web home page of Cyber Promotions touting its "Web Collector" software which allows anyone to "harvest fresh, targeted e-mail addresses right off the web." Using this software, any e-mail address posted on a Web site may be harvested and added to their UCE databases. As Cyber Promotions boasts:

"The significance of "Web Collector" is that it will provide you with a brand new opportunity. For the first time, you can tap into an *untapped* database of qualified email addresses right off the web! And, no one can accuse you of "violating their privacy" because you will be adding email addresses that are posted in a PUBLIC AREA! . . ."

The problem with such a collection technique is that many business, schools, government agencies, and public interest organizations provide staff contact lists, feedback addresses, customer service and support addresses, and other information for the benefit of consumers on their web sites. While businesses and organizations provide these addresses for the convenience of their customers, a program like Web Collector turns such attempts at added convenience into added liability. For example, a company could find every member of its staff on UCE databases, clogging the mailboxes designated for providing customer service and support. If any e-mail address available on the Web is at risk for being added to UCE lists, the incentive for companies to provide easy customer service may be significantly reduced, to the detriment of all consumers. For those addresses remaining, over time it will become more and more difficult to provide effective service via those accounts. This will ultimately work to discourage businesses from making themselves more accessible, resulting in less access to information and services for consumers.

At least with a program like Web Collector, an individual might have a chance of keeping their e-mail address out of UCE databases by not posting contact information on their personal Web sites. In the case of harvesting programs like Floodgate, users who may only have momentarily visited a chat room or posted a request for help to a Customer Support message board may find themselves wedged firmly on a UCE list with little or no understanding how they got there -- until, perhaps, they receive a UCE advertising Floodgate.

According to many participants in UCE-related discussion groups on the Internet, many people have abandoned their accounts with the major online services because the rates of UCE received made their e-mail effectively unusable. For those who haven't fled the online services, many report that they restrict their online activities in order to avoid being captured and added to UCE lists. Given the advertised tactics of UCE purveyors and confirmed by the evidence of the Rathbun study, consumers' fears about participating in the online world are fulfilled when they receive an e-mail announcing, "Our research indicates that this information may be of interest to you." As the volume of UCE grows, as indicated by the Rathbun research, consumers usage of information technology may be severely chilled. When a consumer is constantly afraid to use features of online services for fear that their name will be spread widely among UCE mailers, their interests are definitely not served.

2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e mail?

To understand the risks and benefits to consumers, you must first understand what is most often advertised via UCE. There are many places on the Internet where copies of UCE are reposted by recipients and system administrators in order to help notify the Internet community about where UCE is originating. Surveying mailing lists like SPAM-L@EVA.DC.LSOFT.COM and USENET newsgroups in the news.admin.net-abuse.* hierarchy, you will see that there are very few reputable marketers using UCE to advertise goods and services. To the contrary, the most commonly seen UCEs advertise:

Chain letters
Pyramid schemes (including Multilevel Marketing, or MLM)
Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
Offers of phone sex lines and ads for pornographic web sites
Offers of software for collecting e-mail addresses and sending UCE
Offers of bulk e-mailing services for sending UCE
Stock offerings for unknown start-up corporations
Quack health products and remedies
Illegally pirated software ("Warez")

Many who are engaged in the UCE business claim that large numbers of recipients are enthusiastic about receiving their advertisements and claim that consumers benefit from receiving the information contained in their UCE. The Federal Trade Commission has a long and distinguished history of promoting the distribution of trustworthy and accurate information in the marketplace. However, if there is a benefit to consumers in being exposed to information about new products and services in the marketplace, the types of offers indicated above are not the sort usually encouraged by the Commission. Given the dubious nature of much that is advertised via UCE, the dissemination of information of this sort carries few benefits and tremendous risks.

Beyond the recent computer/telephone phone sex fraud incidents recently uncovered by the Commission, many consumers have been affected by less sophisticated attempts to defraud them via UCE. For example, the New York State Attorney General's office is currently prosecuting Kevin Lipsitz for an allegedly fraudulent magazine subscription scheme which he advertised by UCE. I was asked by the New York State Attorney General's office to provide an affidavit which discussed the technical issues involving Mr. Lipsitz's attempts to evade the security features of hundreds of academic discussion lists. For those mailing lists whose security features were inadequate, his voluminous messages -- often the equivalent of 8-10 pages of single spaced text -- were distributed to the hundreds or thousands of discussion list subscribers. For example, on numerous occasions each of his advertisements was sent to hundreds of mailing lists at once, which then were redistributed by the list servers to every subscriber of each list, clogging servers and mail systems all over the Internet. One message became thousands, even hundreds of thousands of copies. The costs of such episodes to consumers and organizations can be extremely high, as will be discussed below in the comments for question 2.18. While the lists I administer had been configured with adequate security precautions, a similar magazine UCE of unknown origin was identified as contributing to the crash of a mail server at George Washington University, where I attend law school.

The risk to consumer perceptions from UCE can be substantial. A frequent feature of UCE is a statement to the effect of: "Our research indicated that this information might be of interest to you," or "Your name was provided to us as one who might be interested in the following information." For those unfamiliar with the processes of collecting UCE databases of e-mail addresses, a natural assumption is that their online provider is providing their confidential information to UCE mailers. For those who are especially concerned with issues of online privacy, many recipients of these UCEs begin to fear that someone is monitoring their online travels. In fact, I have seen large numbers of users accuse the online services of revealing their private billing information, monitoring their private online conversations, and screening their e mail. While online services may endeavor to assure customers that their privacy has not been violated by the company, such unpleasant episodes heighten their suspicions and weakens their confidence in the security of the online experience, which translates into a severe chilling effect on those consumers.

2.18 What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they?

The costs imposed on consumers can be considerable, both directly and indirectly. For those who subscribe to Internet service on a metered basis, the direct cost of the online time spent reading and downloading those messages can be significant. As noted in Exhibit 1, it took nearly 10 minutes to download the 49 pieces Mr. Rathbun received in just one week. Even when services provide unlimited access for a set price, many Internet Service Providers charge extra for the storage of mail in excess of a certain quantity. Subscribers who have to sort through large quantities of UCE looking for their personal mail find this process extremely frustrating. Such mail, even if deleted by the consumer before being read or downloaded, cannot be rejected by the consumer until it as consumed resources and imposed costs on the receiving site. Obviously for those users who have metered payment plans, the costs of storage and access can accrue rapidly. However, even if the consumer has unlimited usage and storage for a fixed price, the transmission and storage costs do not disappear. They are instead borne by a host of people, including the receiving ISP, the ISP from which the e-mail originated, every network service provider whose bandwidth carried the mail, and any third-party relay points whose equipment was used in the effort to disguise the point of origin.

Beyond the direct hardware, software, and bandwidth resources consumed by UCE, other costs to Internet Service Providers can also be quite substantial, including frustration for other ISP customers whose service may suffer degradation due to high UCE volumes. To understand the collateral costs to any Internet site who receives UCE, you must first understand how UCE mailers most often operate.

According to numerous reports on the USENET and on anti-abuse discussion forums, Mr.Kevin Lipsitz (referenced in my comments to question 2.17) allegedly employed a practice similar to that of many UCE mailer marketing campaigns. Many people who generate UCE follow a pattern of creating numerous accounts with online services such as America Online under fictitious names and with fraudulent billing information. Using these "throw-away" accounts, they will send massive amounts of UCE until the abuse is discovered and the account is terminated. For the next installment in the UCE campaign, a new "throw-away" account is opened with more fraudulent information and that one is used until termination, and so forth.

In May and June of 1996, Mr. Lipsitz carried on an extended campaign of UCE mailing from nearly a dozen separate America Online accounts which were reportedly opened using false names and billing information. As the UCE flowed from each account systematically over the course of many weeks, academic discussion lists became jammed with his UCE. A huge influx of complaints from these people flooded into America Online's "Postmaster" mailbox, causing extreme hardship for AOL staff and severe technical problems with the machines used to store Postmaster mail. Angry recipients railed publicly against AOL across the Internet and despite prompt action by AOL in terminating the accounts, their reputation suffered.

Another case involving damage to reputation resulted in an injunction against UCE purveyor Cyber Promotions. In that case, Cyber Promotions had allegedly configured their outgoing e-mail server to display the domain name and address information of a CompuServe e mail server, causing recipients to believe that CompuServe was the source of the UCE. CompuServe successfully obtained an injunction against Cyber Promotions use of CompuServe's trademarks or addresses in the sending of UCE.

One of the methods that service providers and system administrators have employed in order to defend against such systematic abuse is to trade information about individuals and organizations involved in generating UCE. Discussion lists like SPAM-L and a variety of USENET newsgroups allow system administrators to share information about the names and tactics of UCE generators, and serve as a form of "distant early warning" for ISPs who might unwittingly give accounts to people with a track record of violating service agreements.

To understand the scope of the UCE problem, one need only see the modest claims of Cyber Promotions about their program called "Cyber-Bomber." As shown in Exhibit 4, Cyber Promotions claims their software allows anyone to:

"Cyber-Bomber" is a particularly interesting example because the marketing material (the text of which was also recently sent out by Cyber Promotions as a massive UCE) makes it clear that their software enables UCE generators to deceive recipients as to the true origins of the mail and to avoid detection of the abuse by Internet Service Providers. This product, as Cyber Promotions claims, introduces invalid information into the e-mail "headers" making it difficult to locate the Internet Service Providers (ISP) through which the user has connected.

These programs conceal their user's location by corrupting e-mail "headers." Every e-mail carries in its "header" information comparable to that found on an envelope travelling via the U.S. Mail. The header contains the address of the sender, the address of the recipient, a date and time stamp, and a record of each server through which the mail passes. By purposely mangling the routing information, the UCE sender can conceal where the mail originated and avoid the cancellation of their ISP account, allowing them to violate their service agreement with a reduced fear of discovery.

For UCE generators, it is critical to avoid the detection of where they receive their internet connection because most ISPs prohibit use of their systems for the generation of UCE. (See AOL's "Rules of the Road" excerpt in the comments for question 2.16.) ISPs restrict this activity because the generation of such huge volumes of mail consume precious CPU time on their mail servers and consume large amounts of expensive "bandwidth." Bandwidth is the term for the amount of data capacity which a service provider purchases from a larger "backbone" provider in order to connect to the Internet. Because computers can only process a finite number of actions per second, and because only a certain amount of data can be passed along the bandwidth of an Internet connection, massive quantities of e-mail (either outgoing or incoming) can severely disrupt an ISPs service to its other subscribers.

There is another interesting aspect to Cyber Promotions' claims about Cyber-Bomber, regarding the use of Cyber Promotions' own mail network in order to avoid stealing the mail server resources of unwitting ISPs. The theft of mail server resources is growing at an alarming rate. Of the 5-8 pieces of UCE which I typically receive every day, the percentage passing through third-party relay sites has gone from 50% to more than 80% in the last month. An example of one of these is attached as Exhibit 5. This piece of UCE was received on AOL and advertises the "STEALTH MASS MAILER," a product similar to Cyber-Bomber. This e-mail has extensively forged headers which attempt to trick the reader into believing the mail originated at an IP address that does not exist. The mail in this example was relayed via a server belonging to CWIA.COM, in all likelihood without their permission. Exhibit 6 is also an example of UCE being relayed from a site in Japan. I was recently contacted by the administrator of the site, explaining that their mail relay was indeed being abused. That e-mail message is also included in Exhibit 6.

In pitching the features of their Cyber-Bomber software, Cyber Promotions explains in the materials attached as Exhibit 4 that:

". . . bulk emailers discovered a new "trick". They realized that many computers on the Internet could be used to relay their mail. Even better, many of those relays did not identify the IP address of the origin's computer.

"But this tactic went sour, too. . . . [T]he owners of many of these unwilling relays quickly caught onto this tactic and reconfigured their computers to reject relay connections. Furthermore, it was established in some precedent-setting court cases (one of which Cyber Promotions was involved in) that sending mail through an unwilling party's relay could be considered a trespass of private property and could be actionable."

While Cyber Promotions has discovered that theft of resources is actionable, their Cyber Bomber program claims to allows users to avoid that crime but in doing so conceals actions that may constitute a breach of a UCE mailers contract with an ISP.

Many Internet sites which use a particular server program called "sendmail" have been able to reconfigure their machines to avoid being hijacked in this way. However, a large number of innocent third-party sites are using mail server software packages that do not allow the "relay" feature to be easily turned off. Only the newest version of sendmail has adequate security features to accomplish this and not every ISP is in a position to upgrade their server's software to the more secure version. For example, some hardware vendors will not provide support for new versions of that software, which leaves some ISPs to either suffer the abuse or lose their factory support by upgrading. This issue is discussed in more detail under question 2.19.

Cyber-Bomber is extremely new on the market and its price is likely beyond the means of many small-time, individual UCE mailers. Many of these individual mailers use less expensive kinds of UCE software that are available on the market despite their being much less sophisticated. These programs are referenced in Exhibit 4 and allow UCE mailers to exploit any number of unwilling sites. However, the vast majority of do-it-yourself UCE mailers use no special UCE software, preferring to make do with free mail software packages which may be obtained anywhere on Internet. In these older and more simplistic programs, the UCE mailer cannot perform the complicated deceptions that are advertised features of the specially designed UCE programs. Their attempts to disguise their location usually amount to simply inserting false addresses in the outgoing mail's "From" line.

This practice is to a great extent even more problematic for services providers, particularly those who have large subscriber bases and are consequently the destination for a great percentage of any UCE campaign. To illustrate the problems, the following is a scenario which is played out sometimes twice or three times every week at many of the large internet service providers and has even been at issue in recent litigation:

A UCE mailer sends a large mailing to several million addresses. For purposes of this example, let us estimate that approximately 1 million of the addresses are for subscribers located at one large ISP. The UCE mailer's list is several months old and contains a large number, say 20%, of e-mail addresses that are no longer valid. In order to avoid being inundated with angry responses from unwilling recipients, and in order to avoid being easily identified by the offenders service provider, the mailer sends UCE with a bogus entry as the "From" address, such as "nobody@nowhere.com." When the million messages arrive at the ISP's mail server, 20% or 200,000 of them are rejected as undeliverable-- a process called "bouncing."

Normally when mail arrives from a real site bearing a valid return address, a delivery problem would cause a simple return of the message back to the original sender. However, when the mail server attempts to "bounce" the 200,000 messages back to their origin, it searches in vain for "nowhere.com." Because this is a fictitious address, the server cannot return the mail to its alleged point of origin. When a server accepts a message with an address indicating "nowhere.org," the server processes it as if it expects that "nowhere.org" would be a valid site if a return bounce is called for. In the absence of trickery, any error re-establishing contact with the origin site for mail is a sign of severe networking problems. Consequently, the ISP's server reacts as if a potential disaster has occurred and delivers the original message, along with a report of the error, to the "Postmaster" of the ISP. When the mail arrives for boxes that are no longer valid, the Postmaster of the ISP suddenly finds herself with an additional 200,000 messages arriving in her mailbox. As one might expect, such a flood of mail is more than enough to overload a single computer and crash its hard drive.

More than the issue of damaging a piece of hardware and inconveniencing the administrator of the site, the Postmaster mailbox itself is of critical importance to the functioning of the any Internet site. Internet protocols require that every mail site not only accept all mail sent to "Postmaster" but that such mail be read by a human administrator. This requirement assures that there is one uniform e-mail address at every Internet site to which emergency problems, errors, and other system-critical information can be routed for quick action. If an ISP's Postmaster machine is out of service for even brief periods this can have serious ramifications -- so serious that the failure to maintain compliance with the Postmaster-related Internet protocols can be grounds for termination of their connectivity from their upstream network service provider.

For many smaller ISPs, the problem may be compounded by the fact that Postmaster mail is often routed into the same server that provides other system services, such as a web, mail, or file transfer services. The crash of such a system, in the absence of redundancies, can mean the irrevocable deletion of e-mail and web files for all of an ISPs customers. The potential damage to the ISP, both in terms of hardware and in business goodwill, as well as the loss of time and business opportunities to an ISP's clients, can be enormous.

Unlike abuse of relays which can sometimes be cured by implementing the newly secured version of sendmail, the scenario just described is not easily avoidable. The Postmaster mailbox must by definition bear the brunt of such abuse because, as was alluded to above, bouncing mail can often be the sign of a real problem with a network. There are other options for filtering which will be described below in response to question 2.19, however these can place a severe burden on the efficient function of an ISP's systems and can often require significant financial investments by an ISP in both hardware and technical expertise in defending against such attacks.

In the case of mail bouncing into the Postmaster mailbox, however, the cheapest avoider of the costs is the UCE mailer. By externalizing the effect of bouncing mail onto the ISP, the UCE mailer profits at the expense of the ISP and their clients. By using fake addresses, the UCE mailer perpetuates an inefficiency: he has no incentive to "clean" his lists by removing dead addresses or the addresses of recipients who do not wish to receive further mail. In many examples of UCE, the mailer gives no valid address for contacting him via e-mail, imposing additional costs in time and effort on unwilling recipients to call the UCE mailer or contact them by other means. By shirking any responsibility for the contents of the list, it is entirely possible that a UCE mailer could continually mail massive quantities of UCE, the vast majority of which ends up in only one mailbox -- the Postmaster's.

The most effective means of curbing the high costs of UCE to consumers and service providers is to prohibit the sending of UCE. This avoids the problem of shifting costs away from the UCE mailer and onto the recipients and their service providers. The problem with allowing the marketplace to govern the usage of UCE is that the costs are distributed widely among ever increasing numbers of UCE recipients (massive amounts of bouncing e-mail onto Postmasters notwithstanding). UCE mailers depend on the diffusion of the costs among a wide base to avoid having to be held to the consequences of their activities. As the cost is distributed among a larger base, the transactional costs of organizing that diffuse population into an effective campaign against UCE is quite substantial. As we have seen, only when UCE purveyors are careless and costs are concentrated on one organization (such as court cases like America Online v. Cyber Promotions and CompuServe v. Cyber Promotions), can the costs be redirected back at the source of the UCE. But as long as UCE mailers avoid situations such as those which have been litigated, they may still profit at the expense of many hundreds, thousands, and even millions of UCE recipients.

2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.

For those technologically-savvy Internet users operating from sophisticated systems, the constant flood of UCE can still be extremely maddening, but with experience and skill a significant amount of UCE can be filtered from one's e-mail box. In the UNIX environment, users can employ programs like "procmail" in conjunction with the UCE "early warning" information provided on discussion groups like SPAM-L, to provide relatively effective filtering of the most well known UCE sites.

For the average Internet user who has an account with a local ISP, they may have e-mail software like Pegasus, Eudora, or Claris Emailer, which contains sophisticated filtering routines. Such filters allow knowledgeable users to route a substantial amount of the UCE from previously known sites directly into their trash file. Unfortunately, these software packages can only filter mail after it has already been downloaded from the ISP's server over the traditional dial-up connection, which means that the ISP has already been forced to store the UCE and the consumer has already spent time and money downloading it.

Although many UCE mailers claim to remove unwilling recipients from their databases, this happens far fewer times than is advertised. In my own experience, the vast majority (approaching 90%) of addresses to which you are requested to respond are invalid. The reason those accounts are most often invalid is that the flood of e-mail coming into those addresses usually alerts an ISP administrator to the fact that the address is being used in conjunction with UCE and the account is terminated. In those rare instances where a "remove" request is even received and acknowledged, additional mail advertising the identical products and services begins again after a brief respite -- often because the same harvesting procedures which turned up that e-mail address have been employed again, and the address has been added to the database once again. Additionally, because many UCE purveyors resell their databases to large numbers of independent mailers, "remove" requests sent to one mailer have no bearing on the lists held by other mailers.

America Online has led the online industry in empowering consumers with the ability to block mail from established UCE sources. AOL's "PreferredMail" effectively blocks all mail from any listed site (see Exhibit 7). PreferredMail is active by default on all AOL accounts, but may be deactivated easily by the consumer. However it cannot block mail if the site is not listed, making the domain forgeries and mail relay abuses an effect means of avoiding PreferredMail. As is noted in Mr. Rathbun's study (see Exhibit 1), even during a one week period where he had PreferredMail activated on his account, he still received 29 pieces of UCE. In a more recent example from my own mailbox which is attached as Exhibit 8, PreferredMail failed to intercept UCE from a new Cyber-Bomber user.

As discussed in my response to question 2.18, innocent third-party mail relays may be able to avoid having their servers hijacked by UCE mailers. The most popular mail server software is called "sendmail" and it is used by the vast majority of Internet sites as the basis of their mail system. The authors of sendmail recently released a revised version of sendmail which incorporates significant new security measures in order to prevent such abuses. Unfortunately most sites have not yet upgraded to this most recent version, and indeed many hardware manufacturers do not even provide service or support for the newer version. A perverse benefit of massive relay abuses is that as sites discover their servers under attack, they are forced to upgrade and implement the new security configurations. However, not all sites are able to do this because upgrading and reconfiguring the mail server can sometimes invalidate their support agreements with their hardware providers. In addition, some of the security features have a significant impact on the performance of their servers, reducing the overall speed and capacity of their machine because of the processing time consumed when each incoming piece of e-mail is compared against the list of filtered sites. For many sites, this filtering may double or triple the time needed to process each piece of e-mail, making it a substantial burden on high volume mail sites.

It is also important to note that sendmail operates only on the UNIX-based operating systems. While UNIX machines far outnumber Macintosh and IBM-based machines for use as Internet mail servers, these other platforms are gaining marketshare and the mail software currently available for them is not as easy to secure.

As the anti-UCE community becomes more organized, system administrators and interested individuals have developed a variety of venues for sharing information on how to track and block UCE. Attached as Exhibit 9 is the "SPAM-L FAQ" (Frequently Asked Questions) which provides basic information to anyone on how to track UCE to its source, how to lodge complaints with ISPs who provide service to UCE mailers, and more.

As § 4.1 of the SPAM-L FAQ recommends, when UCE is received from a site, recipients should file a complaint with the system administrator. ISPs who have anti-abuse provisions in their service agreements will often invoke those clauses and sanction the user. In some instances, system administrators are uncooperative or the ISP may have a pro-abuse policy. In those cases, lodging such complaints is not without its perils. For example, on March 25, 1997, Cyber Promotions announced that it would introduce a software package called "Hypocrite." According to their Web site:

"Any email flame containing profanities or sent from the same source more than 20 times in the same day will automatically redirect to the hypocrite's postmaster, root, abuse, and UPSTREAM - along with a message that recommends that the ISP take action against the offender! AND SINCE MANY FLAMERS FORGE THEIR HEADERS, HYPOCRITE SOFTWARE WILL AUTOMATICALLY TRACEROUTE BACK TO THEIR IP ADDRESS. The best part is that it will repeat itself 50 times per offending message! The flamers will finally get a taste of their own medicine! Maybe their providers will now say, "Hey, your account is TERMINATED with no prior notice!" This new software will automatically be installed in all Cyber Promotions maintained autoresponders, and will also soon be available for pop accounts on any system! Updates will be posted here regularly! The software will be distributed free of charge. This is Cyber Promotions' way of saying thank you for supporting everyone's right to conduct business through email! Hypocrite software may discourage the few nerds out there that believe the Internet is some sort of sacred ground, where business is wrong, but where illegal interference should run rampant."

This notice was posted at 8:00 p.m. on March 25, 1997, on the Cyber Promotions Web site but disappeared within just a few days. It is unknown whether the threatened mailbombing of Postmaster and other administrative contact addresses has actually been incorporated into their autoresponder service, however many in the anti-abuse community believe that Cyber Promotions' lawyers may have advised them to rescind that plan.

Many of the major network service providers such as MCI and Sprint have explicit anti abuse provisions in their service contracts with smaller ISPs and they will often force those smaller providers to sanction the offending UCE mailer. Unfortunately, other network service providers have policies which allow UCE mailers to operate freely. For example, the service provider AGIS publicly refuses to intervene in most abuse situations, including instances where forgeries and relay abuses abound. In the case of AGIS, they also provide the network connection for Cyber Promotions' Cyber-Bomber software. AGIS has received many complaints about the problems caused by Cyber Promotions' use and sale of UCE products, however AGIS's policy as stated in their e-mail responses regarding UCE is that unless it can be proven that a law has been broken, they will not take action against UCE purveyors.

As § 4.5 and 4.6 of the SPAM-L FAQ discuss, recalcitrant UCE sites can be identified and system administrators may implement gateway-level blocking. Such blocking is currently being widely discussed as a response to AGIS's refusal to respond to abuse issues. Gateway-level blocking is also called the "Internet Death Penalty" or IDP. It usually takes an extensive and severe problem with UCE emanating from a site before an IDP is even considered by system administrators. However the numbers of sites declared as "rogue" and thus receiving IDP-style blocks is increasing. As noted in § 4.5 of the SPAM-L FAQ, IBM.NET was faced with an IDP for failure to deal expeditiously with UCE abuses from its bandwidth. An IDP is highly effective because it is so complete: when all traffic from a particular site is blocked at the gateway, the router ignores every data packet from that site regardless of the type of data being transmitted. No mail, no files, not even Web pages from that site may be accessed.

The reason this approach is often successful is precisely because of the inconvenience imposed on the customers of the recalcitrant sites. From a consumer protection perspective, such procedures are obviously distasteful, however IDP is an incredibly successful means of bringing rogue sites into acceptable standards. For many system administrators, when balancing the inconvenience of a few hundred or a few thousand customers of a rogue site against the security of their own resources, enlightened self-interest prevails. And eventually as consumer pressure builds against the rogue site -- by the rogue site's own customers -- these sites eventually conform to Internet protocols and generally accepted behavior. Once the problems at the rogue site are eliminated, individual sites switch off their blocking and full access can be restored.

IDP is more of a bludgeon than a scalpel, however, and only works against UCE sites who are large enough to have purchased dedicated Internet connections via a network service provider. Neither IDPs nor many of the security measures added to the recent upgrade of sendmail can handle UCE mailers who use the "throw-away" account system, or who can successfully violate their usage contracts by concealing their identity behind systems like Cyber-Bomber.

Until a comprehensive ban on UCE is law, consumers who wish to be free from the onslaught of UCE must train themselves in the online equivalent of guerrilla warfare. Even then, such protections are only partially successful. Clever system administrators may be able to locate and eliminate a number of the fixed conduits of UCE, however as indicated above, those methods of self-help are only partially successful at best and can come at significant cost to consumers and providers.

As stated in my response to question 2.18, system administrators are increasingly being forced to expend extra efforts, and assume greater costs in defending their systems. These are defensive costs incurred solely in an attempt to avoid the costs that UCE purveyors attempt to shift to them. Unfortunately, in attempting to avoid these costs, system administrators wind up bearing yet more costs in their often futile attempt to shield their systems from abuse -- a classic Catch-22. System administrator, like many technology professionals involved in other aspects of Internet communications, are not eager to see more governmental regulation of the communications industry. However, it is well-settled that when the market fails to adequately regulate, the government is most justified in stepping in.

As can be seen in the unabashed claims of UCE software vendors, the growth trends in UCE show few signs of slowing. It is true that a handful of court cases are helping to define the egregious outer limits of behavior in the UCE industry, but the continual diffusion of costs among all recipients and their service providers makes consumer-driven litigation too difficult and expensive to be relied upon as a realistic method of controlling the UCE marketplace. In the absence of clear statutory or regulatory standards, UCE purveyors will continue to push the limits of legality in their quest to extract profit at the cost of consumers. Unless the victims of UCE are protected by law and given a recognized cause of action, there will be no incentive for UCE mailers to ever consider bearing their own costs. UCE mailers depend on an ever-widening base of consumers upon whom they can spread their costs and they diffuse their costs across a wider population in order to lessen the potential of being held accountable for the costs and consequences of their activities.

The handful of well-organized UCE purveyors, and the hundreds of small-time UCE mailers have been very successful in large part because when they are able to spread the costs among a larger base, the transactional costs involved in UCE recipients recouping their losses become tremendously high. Only when these costs become focused on one entity, as we have seen with the legal battles waged by the major online service providers, is there the possibility for a few victims to successfully recoup some portion of their losses. Unfortunately, in today's absence of regulation, UCE databases swell and UCE mailers make significant profits at the ultimate expense of consumers.

While I do not have any figures regarding how many entities have implemented the "Principles for Unsolicited Marketing E-mail," for the vast majority of UCE generators, those principles are unknown or irrelevant. The proliferation of do-it-yourself spam tools (Floodgate, Cyber-Bomber, etc.) makes it unlikely that a newly experimenting UCE mailer will have even heard of the Direct Marketing Association (DMA) much less have any incentive to adhere to their policies. One of the largest UCE purveyors, Cyber Promotions, makes no mention of DMA policies on their web site. In fact, their President Sanford Wallace openly disagreed on many points with a DMA representative at a recent George Washington University conference on UCE marketing techniques.

This is not surprising, given the nature of the policies and practices of employed by Cyber Promotions to evade attempts by system administrators to protect their resources. Many of these practices, including deliberate forgery of CompuServe server addresses (to make it appear that CompuServe was sending Cyber Promotions' mail) have prompted network service providers to immediately terminate services and earned Cyber Promotions injunctions in several courts. Other practices have been the subject of numerous lawsuits.

Undoubtedly because of these legal setbacks, Cyber Promotions has been indicating more concern for legal liability. However this concern is not present among many other vendors who market UCE programs or services. For example, the vendor selling Stealth Mass Mailer (see Exhibit 5) touts its ability to disguise the unauthorized use of resources, defending their tactics by claiming that "unlimited service," in their opinion, should include that practice as well. In fact, the marketing materials for both Stealth and Cyber-Bomber compare and contrast their relative abilities to breach anti-UCE provisions of ISP contracts while forging information in order to prevent detection of the breach. As I understand the Principles for Unsolicited Marketing E-mail, they do not condone such breaches of service agreements nor do they endorse any theft of resources.

Consequently, I have very little confidence that the DMA policies will have any effect on the vast majority of the do-it-yourself, small-time UCE generators. Even if a few large organizations agree to adhere to the DMA's policy, which to my knowledge they have not done, these independent UCE mailers have no incentive to follow such policies -- even as they generate volumes of UCE that rival the large purveyors. As long as companies are allowed to market software which facilitates the breach of service contracts, conceals or forges point-of-origin data, or facilitates the unauthorized use of resources, the UCE problem will continue to grow at the ultimate expense of consumers.

Given the indiscriminate methods for collecting e-mail addresses discussed in my response to question 2.16, it is highly likely that a significant number of children's addresses can be found among those collected by UCE mailers. Just as it is nearly impossible to get accurate figures on the actual amount of UCE sent, it is similarly unlikely to determine the number of those addresses which are used by children. Exhibit 1, the Rathbun study, replicates the way a typical family might use an AOL account, with several account created for the parents and the children, and indicates a high volume of UCE to all of the different screen names.

Incorporating by reference my comments in response to question 2.17, the materials most often advertised via UCE present a significant risk that children may fall prey to the volumes of money making schemes and pornographic UCEs that are continually reported on the anti-abuse discussion groups.

Many parents have, in good faith, purchased Internet blocking software or activated parental control features that are a part of many online services. Unfortunately, many parents are not aware of the procedures employed by UCE purveyors and may have a level of confidence in parental control features that may not be entirely well-founded. Even though parents may believe that they have protected their children from surfing onto questionable Internet sites, UCE may bring that very same information directly into their personal e-mail. In my comments on question 3.19, I go into some greater detail on the availability and inadequacies of current blocking technology in the area of UCE.

The over all question of UCE blocking is particularly difficult, as I discuss in my response to question 2.19. The problem for parents is even more vexing considering that despite their best efforts, UCE advertising pornography or other questionable items may still get through.

As I described in my comments for question 2.18, UCE generates significant costs to consumers, online services, and Internet Service Providers. While the economic costs are most often visited upon the parents who are paying for the services, rather than on the children, there may be psychological costs involved, about which I am unqualified to speak. Certainly given the frequency of money making and pyramid schemes advertised via UCE, older children who may have access to money may fall prey. While it is possible that losing one's allowance money in an illegal Ponzi scheme may be a good lesson for children to learn, there are better ways to teach children than via UCE and more appropriate instructors that UCE mailers who use trickery and deceit to distribute their "informative" mailings.

An extremely effective means of avoiding costs to parents, children, and to Internet providers is to ban the practice of harvesting e-mail addresses in an indiscriminate manner and to prohibit the distribution of UCE. I discuss these suggestions further in my responses to questions 2.16, 2.18, and 2.19.

Significant advances have been made in developing robust screening and filtering software for use by parents in protecting children from questionable material on the Internet. Programs like "CyberSitter," "SurfWatch," and "Net Nanny" provide protection against problematic Internet Web sites. The major online services also have added the ability for parents to restrict their children's access to areas of their service which might not be suitable. Unfortunately, even for those children whose parents have engaged filtering devices or activated access restrictions such as AOL's "Parental Controls," such censoring devices are mostly designed to restrict children's exploration. However, children don't go looking for UCE -- it comes looking for them. UCE advertising moneymaking schemes, pornography, or other questionable subjects may still get through.

On America Online it is possible for parents to completely shut off all e-mail access, but many parents may not choose to do that and will rely on something like PreferredMail to prevent unwanted e-mail. However, the pornographic UCE mailers in particular have gone to extreme lengths to avoid blocking. For example, more than a dozen of the domains blocked by AOL's PreferredMail filters have been used by one particular pornographic vendor in Nevada to avoid blocking software and evade PreferredMail filtering. Each time one of their domains was blocked, they obtained a new domain name and resumed their UCE mailing. This particular vendor has obtained more than a dozen different domain names in order to keep mailing. The difficulty in blocking such persistent UCE mailers is that experience has shown they are willing and able to obtain new IP addresses and new domain names on a virtually a daily basis -- sometimes mailing from two entirely new sites in a single day.

Given the difficulty in blocking a moving target, UCE from people determined to evade blocking technology is nearly impossible to control unless UCE of all varieties is restricted. As stated in my response to question 2.19, a prohibition avoids the problem of UCE mailers shifting costs away from themselves and onto children, parents, and service providers. The difficultly in leaving UCE to be controlled by the marketplace is that there are few incentives for UCE mailers to ever bear their own costs. And as we see in the case of some pornographic UCE mailers, the costs of filtering may ultimately be futile.