Using three computers and working out of his mother's home in Buffalo, N.Y., Carmack sent an impressive 857,500,000 unsolicited e-mails in one year, something that is perfectly legal in New York State. But Carmack crossed the line, according to EarthLink, his Internet service provider, when he set up 343 accounts using stolen credit-card numbers to send these e-mails.
EarthLink took notice and began a year-long cat-and-mouse game to discover Carmack's true identity. "My name's not on anything," he boasted at one point, according to investigators, when they reached him on his uncle's cell phone. "You'll never catch me." Fingered by his upstairs neighbor and a former employer, Carmack went to ground. A private detective was hired to stake out his mother's house. Carmack was finally caught running from his car to the front door and was served with a complaint. Now out on bail, he has been found liable in a $16.4 million civil lawsuit by EarthLink. Charges of criminal fraud filed by state attorney general Eliot Spitzer are still pending. "There are many more like Carmack," Spitzer warns. "This sends a message that we are pursuing them." Spitzer, a man who knows how to put himself in the spotlight, was the avenging angel of Wall Street last year. Now he is on a cybercrusade against spam.
And no wonder. In the space of a year, according to research firm IDC, the number of uninvited entries into U.S. In boxes has shot up 85%, to a total of 4.9 trillion. Driven by cheap technology and the promise of easy profit, spammers have gone from pests to an invasive species of parasite that threatens to clog the inner workings of the Internet. For the first time last month, according to MessageLabs, more than half the emails received by U.S. businesses were unsolicited. The time we spend deleting or defeating spam costs an estimated $8.9 billion a year in lost productivity. Sensing an enemy as unpopular as al-Qaeda, lawmakers are pondering a plethora of solutions some of which, spam watchers say, could end up doing more harm than good.
Why do spammers flood the Internet with ads nobody wants to read? Because some people do read them, and a tiny fraction actually respond which in the world of direct marketing is like money in the e-bank. Take former spammer Scott Hirsch of Boca Raton, Fla., who sold his e-mail marketing business last year for $135 million and retired at the age of 37. Florida is home to more spammers than any other state, and Hirsch who started his first bulk e-mail list way back in 1996--likes to take credit for helping make Boca Raton "the spam capital of the world." Hirsch filled his mailing lists with the e-mail addresses of people who had "opted in" by checking (or forgetting to deselect) one of those ubiquitous boxes on website order forms. "When people want to receive [e-mail]," he explains, "you get a much higher return."
But for an increasing number of Hirsch's imitators, spamming is a numbers game that rewards excess. "The more times they deliver the message, the more money they make," says Charles Curran, general counsel for America Online, which last week filed lawsuits against more than 100 spammers. "They all want to get as close to infinity as possible." This is getting easier all the time, as high-speed Internet access gets cheaper and computer processor power continues to double every 16 months. Meanwhile, the software tools for spamming continue to improve. Web crawlers harvest e-mail addresses en masse from chat rooms and newsgroups. Dictionary-attack programs string together words or names in multiple languages, random numbers, an "@" and the names of common mail servers. Presto: millions of likely e-mail addresses.
Spoofing the practice of faking the return address of a spam, so you won't be able to trace who sent it, or the subject line, so you will open it just complicates things further. Today, according to the Federal Trade Commission (FTC), 66% of spam are spoofs of one sort or another. Brian Westby, a porn-website owner based in St. Louis, Mo., was a classic spoofer: the subjects for his Xrated spam included "Good evening," "What's going on?" and "Please resend the email." Westby's spam deluged a bank in Santa Barbara, Calif., and an Internet service provider in Coatesville, Pa., some of whose clients angrily canceled their service. The FTC finally got a federal judge in Chicago to shut down Westby's operation. A trial is pending.
Spoofed or otherwise, the spam that makes it to your In box is just the tip of the iceberg. At the four major e-mail providers MSN (including Hotmail), Yahoo, EarthLink and AOL (which, like this magazine, is owned by AOL Time Warner)--between 40% and 70% of all incoming mail is killed upon arrival at their mail servers. But this has spawned a kind of spam arms race: the more mail is blocked, the more spammers send, in hopes that some will get through. As a result, the performance of the mail servers is starting to suffer. Two months ago, 8% of MSN mail was spam. Today it's 50%. "The rate of spam," warns MSN business manager Kevin Doerr, "is threatening the viability of e-mail as a communications medium."