: To start with, can you give people an overview of where you think the war on spam is today? [This interview was conducted in early 2005.]
Levine: I'd say the war on spam is about where World War I was in 1916 -- you know, it's gotten to the point where it's way worse than either side though it was going to be, and although I think we're starting to see some progress on the anti-spam side, we still have an awful lot more work to do.
Mike: Do you think that a solution, then, is many years away?
Levine: I don't think we're ever going to see anybody finally turn a switch and have spam stop, but I do think many of the most egregiously criminal spammers are going to be stopped, basically by social and legal means. There's at least one significant criminal trial coming up where, with any luck, they'll put the spammer in jail, and we're seeing lots of civil trials where the recipient ISPs are finally starting to take advantage of some of the anti-spam laws we have now. They go after the spammers and start getting large judgments against them. Since the incentive for spam is basically financial, the solutions are basically going to be financial too. In the meantime, we're always going to have to use filtering. It's basically a social problem with social answers.
There's a variety of reasons we still need to do technical stuff. One is that, simply to keep our email usable now, you've got to do lots of filtering. If I didn't do extensive mail filtering, I'd probably get 20,000 or 30,000 spams a day, and I'm a little ahead of the curve, but I've had the same email address for 12 years, so it's on every spam list ever. Beyond that, simply to make the laws enforceable, you have to be able to show conclusively where the spam is coming from. Although you can always do that by following the money, better authentication schemes to show that mail that purports to come from somebody actually does come from them will be useful to deter forgery, and if spammers do put their actual return address on the spam, which they sometimes do, make it so you can actually pin it on them.
Mike: You mentioned authentication -- what do you make of the recent breakdown of talks for some of the authentication strategies?
Levine: The reality is you can't push on a string. Standards efforts work the best when you're standardizing something that's already pretty well accepted. When Internet SMTP mail was standardized 20 years ago, people had already had 15 years of experience with electronic mail in various forms. So, by the time they got around to writing the specs, what they standardized wasn't very different from what people had been using all along.
The problem now is that we have a lot of sort of paper designs for authentication schemes. I mean, we have everything from Microsoft's caller ID to Yahoo's domain keys, and even after a year of people touting them, only in the last month or so have we started to see significant useful experiments on how they work. People have been publishing SPF records saying this is where our mail comes from for a year, but if you look at the number of people who actually use those records and actually look at the mail coming in and say, "Okay, how much would this have filtered, and how much of it would have filtered correctly, and how much of it would be a mistake," there's remarkably little of that. We've just started literally this month.
Mike: Along those lines, there was an announcement made about domain keys and Google and Gmail using domain keys?
Levine: Yes. Gmail is putting domain key signatures on all of their outgoing mail, which I think is great. Not many people are checking those signatures yet, but I know a lot of people who have said, "If Gmail is doing it and Yahoo is doing it, then that's a big enough experiment. It's worth my finding some software to start looking at domain key signatures, and, again, seeing how much mail does it correctly filter and when does it make mistakes and stuff like that."
So, this is something that doesn't necessarily have to take years, but it's something that you need months for, because the email system is so enormous that any change you make is going to have some kind of unexpected side effect, and so before you do something as dramatic as saying, "We're going to use this software to keep out the mail from forgers," you want to be really sure that the mail you're keeping out is, in fact, the mail you want to keep out.
Mike: Do you think that Google and Yahoo get us pretty close to a critical mass point on something like domain keys, or do we need a lot more participation?
Levine: It's critical mass from the point of view of experiments. If you're looking at the critical mass for email in general, there's a small handful of big gorillas, but the biggest gorilla is AOL, and so the next round is Hotmail and Yahoo and probably EarthLink, and then it sort of goes down from there. Gmail is very high profile, but the actual number of users is still much smaller than any of the big ones.
Mike: You're the author of Fighting Spam for Dummies and Internet for Dummies -- how did you become this spam guru, or I should say anti-spam guru?
Levine: Out of desperation. Since I've literally had the same email address since 1993, I have been getting spam pretty much longer than anybody, and starting with some of my earliest Dummies books in 1993, I started putting email addresses in all my books so that my readers can write to me, and I've gotten hundreds of thousands of comments -- even a three-page treatise on what someone liked in the book and what they didn't. I also get millions and millions of spams. I guess it became apparent to me earlier than it was to other people that spam was a big problem, and if email is going to stay usable, then we have to do something about it. Since I have a fairly extensive technical background, I started working on it, and one thing led to another, so here I am -- the big spam expert.
Mike: What is your technical background?
Levine: I have a PhD in computer science from Yale, and before I was writing books I was writing software. If you were in the software business in the mid-1980s, there was a temporarily famous program called Javelin, of which I was one of the authors. I also did some early commercial UNIX stuff, so it's actually a fairly common progression that when you're young and you can stay up all night, you write code, and then when you get older and more tired and wiser, you write text instead.
Mike: Now, do you think two or three years down the road we're going to have a situation where 90 percent of the spam is no longer an issue for the average end-user, or is it better than that or not that good? What do you think?
Levine: At this point, it's hard to say. I have seen very credible statistics that suggest the vast majority of spam is sent by a relatively small number of spam gangs -- maybe a couple hundred. So I think that and hope that as these trials start to happen -- and the bad guys start discovering you can actually be put in jail for spamming -- it will scare a bunch of them off. If we start seeing civil recoveries against spammers, even if they don't go to jail, losing a $100,000 civil case really wipes out the profits for an awful lot of fake body-part enlargement pills. I'm hoping that once they see that it's no longer easy money, it will scare a lot of them off. The question that remains to be answered is: Will it scare enough of them off that the spam problem will recede, or will the ones that are left simply crank up the volume because they're more desperate?
Mike: What about the idea that people can just go outside the country and there's no jurisdiction, and they can send spam from other countries?
Levine: That is a common myth. The reality is that if you're sending spam over to the U.S., you need to have some kind of presence in the U.S. There's a few exceptions, like the guys who say "I'm a deceased Nigerian prince, and I want your help to steal the treasury." Those guys are outside the U.S., and there's a certain amount of gambling spam from outside the U.S., but everything else -- all the drug spam and the mortgage spam and everything else -- is sent on behalf of American companies, which means that they are within reach of American law, and we are in fact starting to see increasingly good cooperation.
I was in a meeting of the International Telecommunications Union World Symposium on the Internet Society in July in Geneva, and people came from countries all over the world. I discovered two interesting things: One is that big countries, like the U.S., the U.K., Australia and Canada are now starting to work together, and the American Federal Trade Commission and their equivalents in other countries now have sort of direct informal liaisons, so if they need to subpoena something, they know who to call up and say, "What kind of documentation do you need so you can get these records?"
Beyond that, there are the little countries -- like a guy from Syria who was extremely eloquent. Whereas in the old days, the little countries said, "No, no, spam puts us on a level playing field," now the little countries say, "Spam is awful. Spam is terrible. Spam is killing us." There are two reasons for this. One is that they still have very expensive net connections -- so you could imagine what spam costs after paying for every byte that comes out a satellite link -- and beyond that, since they don't have the technical background that we do in the developed world, it's common for people to say, "This internet is just full of scams and crooks and stuff. Even though we might be able to use it to stitch together the provinces of our undeveloped, rural country, just forget it. We're not going to do it."
There was a real agreement, both by the large countries and the little countries, that spam is a big problem. So there will always be international bureaucratic impediments, but it's clear nobody has the formal policy that spam is good. That's definitely a change in recent years.
Mike: When you look at spam and you follow the money, do you think that the companies whose products are being promoted through spam have responsibility in this problem?
Levine: Oh, of course.
Mike: In what way? I mean, suppose they're not even sending them?
Levine: Well, there's a fairly straightforward principle to law of agency that says you are responsible for somebody who does something on your behalf. Maybe this isn't a very good example, but if I hire you to go out and break somebody's kneecaps, I've broken the law just as much as you have. And similarly, now that there are starting to be laws against spam, they invariably say that the company that benefits from the spam is as subject to the law as the people who run the servers and stuff. Now, you could also argue that, "Well, we didn't know they were spammers," but this kind of argument is familiar to the law, and I don't think they'll have any trouble sorting it out.
Mike: So does that mean you think companies like Merck pharmaceutical are responsible in part for the Viagra spam?
Levine: No, because the stuff they're selling is not Viagra. It's all fake. The only large company I know of that has an incredible connection to spam is Kraft, with their Gevalia coffee -- overpriced Swedish gourmet coffee. They have a longstanding history of hiring dodge emailers to send spam, and I'm pretty sure sometime in the next couple years somebody's going to collect enough Gevalia spam to go back and actually file suit against Kraft, which will of course be an excellent suit, because they have lots of money if they lose.
Mike: Wow, so in your book, Kraft is a spammer?
Levine: Well, Kraft is a large distributing company making everything from coffee to Velveeta. They're a subsidiary of Philip Morris, which makes cigarettes, too. There are plenty of other reasons to dislike them, but yes, that particular part of Kraft definitely has a spamming history.
Mike: That's fascinating. I wasn't aware of that. What about from the end user point of view? Given the environment today, what realistic steps can an end user take to stop spam?
Levine: I tell people that there are three basic approaches -- you can filter, you can hide, and you can fight. Filtering is filtering, and the most effective spam filters are ones that people's internet providers use, and by and large, most internet providers have reasonably effective filtering. EarthLink has extremely sophisticated stuff. I was down there talking to them a couple of weeks ago, and they have a bunch of stuff they wrote themselves, and they use a bunch of commercial services, and they actually do a pretty good job of keeping the spam out. America Online has fantastically sophisticated spam filters.
The first thing you need to be sure is that whatever Internet provider you sign up with has some sort of credible anti-spam. It could be a big one or it could be a little one. You just need to check. There are anti-spam programs that run on your desktop, but they tend to be less effective, because they can only see your spam and can't compare it to everybody else's. One of the most useful ways to filter spam is to suddenly know that you're getting a thousand copies of a message from someplace you've never seen it before. It's almost certainly spam, and the ISP can do that; you can't. So filtering is the first thing.
The second is hiding. If you think up an obscure e-mail address -- rather than Fred123, F127;QZEED9 -- admittedly, it's a little difficult to explain to your friends, but you only give it to your friends, and you don't put it on a website. You make sure it doesn't accidentally show up on a website by being in an archive for a mailing list or something. If your e-mail address is obscure and you don't give it out, by and large, you won't get any spam.
My mother-in-law, for example, has an email address that she only gives to her friends. It's fairly hard to guess, and basically she doesn't get any spam. So, if you only want to get email from your friends, that's workable. If you're like me and you use email to communicate with the world -- I have my JohnLevine.com website that has an e-mail address that people can contact me through, and I get a lot of work that way -- then you can hardly filter out the world. So that works for some people but not for others.
The third approach is that you can fight. When I get spam, I have fairly automated ways to report most of it, but I actually have an archive of spam received on my tiny network that recently kicked past 1.1 million messages since August a year ago. If I can figure out which network it's coming from, I tell them about it, and the responsible networks -- which is most of the ones in the U.S. -- will actually do something about it. Even for the ones who are irresponsible -- like some of the more poorly run networks in Korea -- at least this puts them on warning that if people are starting to reject all their mail, they know why.
So, with some combination of the three -- and the right combination depends on who you are and how hard you want to work and what your background is -- it should keep everybody's email, if not fabulously wonderful, at least usable.
Mike: Great clarity for the solutions on spam, and I encourage people, if they want to learn more, to check out Fighting Spam for Dummies at their local bookstores or online. Are there any other resources or web addresses you'd like to give out?
Levine: There's a couple other things that I have been working on. One is the Coalition Against Unsolicited Commercial E-mail. It's an actual grassroots anti-spam organization, of which I am a member of the board, and we have no budget and no meetings and no secret handshakes, but you can join if you go to cauce.org. If you join, you basically tell us where you live and what congressional district you're in, so in case some new spam legislation comes up, we can figure out whether it's worth lobbying your particular representative.
CAUCE has been somewhat effective in shaping spam legislation. Not fabulous -- we were blindsided by CAN-SPAM -- but we've managed to knock out some of the more egregious stuff, and I think as people discover that CAN-SPAM doesn't work, it's going to come around again. People who want to fight spam might want to check out abuse.net. It's a complaint forwarding service, not a spam analysis service. For that you need to go to SpamCop.net. If you can figure out whom the spam is from, and you want to know who to complain to, abuse.net can help you do that.
Mike: Interesting. Okay, so that's abuse.net. Is there a form there, or contact information? How do people use that?
Levine: Basically, you give it the name that you want to find the contacts for and it suggests some email addresses. If you want something more automated, go to SpamCop.net -- it'll try and figure out where your spam is from and actually look up the contacts at abuse.net for you, and it can help you send the stuff off.
Mike: One last question: What about fighting spam at the organization level? Is that something you cover in your book? How can people learn about how to do that?
Levine: Actually, the last chapter in Fighting Spam for Dummies talks about spam fighting, not for gigantic ISPs, but for small businesses. If you run your own mail server, there are in fact reasonable services and reasonable software you can get. There are companies like MessageLabs that will provide a service and there are a variety of filtering packages that you can try out that I think will be reasonably helpful.
Mike: Okay, well that's very good advice you've shared here, in this short period of time.