Get rich quick! Reduce your debt now! Lose weight fast!
Blaring headlines like these are amongst the most frequent
e-mail messages we receive. The whole world now refers
to this form of electronic bombardment as spam. It first
appeared decades ago, and today Internet users around
the world agree that it's out of control - a bigger
nuisance than viruses. According to the Hong Kong Anti-Spam
Coalition, in April of this year, 81 percent of all e-mail
received locally was spam. The estimated cost to local
businesses is some HK$10 billion per year.
The deluge
Spam generally refers to unsolicited bulk commercial
e-mails sent to recipients without their consent, though
the term is also used for messages that are posted simultaneously
on message boards around the Web or fed into news groups.
Spam first emerged in 1978, seven years after the birth
of e-mail, and has been spreading like a scourge ever
since. In May 2003, Hotmail estimated that 80 percent
of the 2 billion messages sent out daily via their service
were junk mailings. At the same time, Yahoo! was recording
1 billion spam messages daily. According to the United
Nations, this deluge costs US$25 billion in lost time.
IT managers, entrepreneurs and even governments are
scratching their heads in search of a solution to this
extraordinary deluge.
The spamming business
Spam was created as a cheap, effective form of advertising.
The appeal is obvious: an agent can set up as many free
e-mail accounts as required and proceed to inundate
the world with advertising messages. Unlike traditional
paper-based junk mail, e-mail can reach millions of
people in a matter of seconds without the cost of paper,
printing and postage - which for that kind of volume
would be colossal. For companies keen to promote their
services, it's an ideal form of direct marketing; for
spammers, it's a business that can be established with
little effort and minimal cost.
E-mail addresses are the most valuable asset in spamming.
Everywhere on the Web spammers are hunting for e-mail
addresses. They sneak into online newsgroups, bulletin
boards, electronic phone books, shopping sites, Usenet
and Internet Relay Chat sites - wherever there's a chance
of picking up more names. On a more sophisticated level,
some spammers use viruses, or "harvesting tools",
which install themselves on a recipient's computer as
soon as a message is opened.
More than a nuisance
Individuals usually regard the time spent deleting
spam as being its most harmful effect. Unfortunately,
there's more to it than that. Apart from wasted time
and energy, and the frustration of losing real e-mail
that is mistakenly deleted, spam also exposes recipients
to business scams. Regular commercial spam which advertises
goods and services is basically harmless, but some spam
carries exaggerated or deceitful information to lure
users into fraudulent traps, such as phishing. Phishers
send official-looking e-mail to users requesting them
to resubmit personal data, or directing them to phony
Websites which look exactly the same as legitimate sites
used for commercial purposes. In Hong Kong, customers
of major banks like HSBC, Hang Seng Bank, Bank of China,
Bank of East Asia and CitiBank have, in recent times,
been subjected to phishing attacks.
Address-harvesting programs and similar viruses can
also be extremely malevolent: some of them break open
security loopholes, making the recipient - and anyone
else whose e-mail address is on their system - susceptible
to further Internet-generated harassment and attack.
Even Internet Service Providers aren't neutral conduits
in all this: spam takes up an ISP's bandwidth and disk
space, clogs servers and puts ISPs at risk of being
placed on anti-spam blacklists, which can lead to them
being effectively cut off from all other servers.
Fighting back: client side and server side
But Web users are fighting back, and there are now
a number of measures - with varying degrees of effectiveness
- that can be taken by individual users and ISPs.
Some of the steps that can be taken by individual users
include:
- Ignore and delete: Remove any unwanted or source-unidentified
e-mail without opening it. In particular, don't open
any attached files
- Don't reply: Do not "unsubscribe" or reply
to a sender's address. It's usually a fake address
and your response will simply be used to confirm the
validity of your e-mail address
- Filter: Install filtering and anti-spam software
or choose service providers that are committed to
keeping spam off their servers
- Protect your e-mail address: Avoid giving out your regular
e-mail address, or set up a different account for public
use and communication with unknown online entities.
Read a Website's privacy policy before you provide
any information or do any online business
- Report to your ISP: Ask your ISP to shield you from
certain domains which are constantly spamming you
Responsible ISPs can take many steps, including the
following:
- Filter: Install filtering and anti-spam software
to prevent junk mail from entering the network infrastructure
- DNS blacklist: Keep up-to-date with the worldwide
Domain Name System blacklist and use this information
to block all messages from known spammers
- Spam detection: Apply spam "keyword" lists,
and examine message headers to check the validity
of a sender's domain. If possible, use special codes
issued by recognized companies like Habeas and TRUST-e
to perform specific analyses
- Service-contract terms: Include terms that prohibit
the sending of unsolicited e-mail through your server.
Enforce these clauses.
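
An added illustration of the DNS blacklist, keyword and header checks listed above (example code, not from the original article or any ISP's product). The zone name dnsbl.example.org, the keyword list, the sample message and the scoring thresholds are constructed assumptions, and the From/Return-Path comparison is a simple heuristic standing in for sender-domain validation.

```python
import ipaddress, re, socket
from email import message_from_string
from email.utils import parseaddr

# Constructed values: zone, keyword list and sample message are illustrative assumptions.
DNSBL_ZONE = "dnsbl.example.org"
KEYWORDS = ("get rich quick", "reduce your debt", "lose weight fast")
SAMPLE = """Received: from mail.bulk.example ([192.0.2.45]) by mx.isp.example; Thu, 1 Jan 2004 00:00:00 +0800
Return-Path: <bounce@bulk.example>
From: "Bank Support" <support@bank.example>
Subject: Reduce your debt now!

Get rich quick! Lose weight fast!
"""

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL lookup name: IPv4 octets reversed, then the blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_is_listed(name):
    """Live lookup: an A record means listed, a failed lookup means not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_message(raw, is_listed=dns_is_listed):
    """Return (verdict, reasons); is_listed(name) -> bool can be stubbed for offline use."""
    msg = message_from_string(raw)
    reasons = []
    received = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])  # topmost = added by our own MX
    if m and is_listed(dnsbl_query_name(m.group(1))):
        reasons.append("relay %s is on the DNS blacklist" % m.group(1))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    from_dom, path_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and path_dom and from_dom != path_dom:  # heuristic, not proof of forgery
        reasons.append("From domain %s differs from Return-Path %s" % (from_dom, path_dom))
    verdict = "reject" if len(reasons) >= 2 else "quarantine" if reasons else "deliver"
    return verdict, reasons
```

Passing a stub for is_listed keeps the check offline; a message that trips only one test is quarantined rather than rejected, so legitimate mail can still be recovered.
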
Spam wars
All around the world, large corporations, small businesses,
government and private individuals are demanding legislation
that protects Web users from spam and aggressively prosecutes
anyone caught spamming. In the US, the outcry resulted
in the passing of an anti-spam law in January this year,
but the effect was far from satisfactory: Observers
who monitor on-line activity say the volume of spam
has continued to increase since the law was passed.
But strong preventative measures and deterrent actions
are now being taken more frequently: In April, Yahoo!
filed four lawsuits against spammers, and in June, AOL
took one of its software engineers to court for stealing
and selling the company's customer list - 92 million
names! - to a spammer. The rogue AOL staff member faces
five years in prison and a fine of US$250,000.
Undoubtedly it's going to take time to find ways of
enforcing these laws and for their full effect to be
felt. And there's still one enormous problem to be overcome:
There are no national borders in cyberspace. Spam can
be sent from anywhere in the world to any destination
in the world, so even if a regulatory body in one country
manages to track down a spammer, the offender will quite
likely be in another country where the laws don't apply.
Anti-spam laws remain undeveloped in most countries.
Despite Hong Kong's high rating as a spamming hotspot,
there's still no legislation here that restricts or
prohibits the sending of junk mail. Long-suffering Internet
users can look to the Personal Data (Privacy) Ordinance
for some support, but it's a watchdog that lacks real
teeth. The ordinance states that an e-mail address is
personal data so any private individual has the right
to check whether his/her e-mail address is being held
by a "data user"; and then has the right to
demand that a data user stops using the address for
direct-marketing purposes and removes it from his databases.
If the data user refuses to do so, one can request action
from the Office of the Privacy Commissioner for Personal
Data. In practice, this is a lengthy, complicated process,
and it all becomes moot if the spammer is based in another
country.
The power of an ISP
Ultimately, the only way to suppress spam is to standardize
protective legislation throughout the world - but that's
undoubtedly going to take some time. Until then, the
most effective counter-measures lie in various types
of technology. There are a number of programs that individual
users can buy and install, but pricing realities and
the limited processing power of the average PC mean
they're usually only partial solutions. By far the most
potent preventive measures are the various options offered
by responsible ISPs. By employing several different
preventative measures, a well organised ISP can block
virtually all spam.
In Hong Kong, HKNet is one ISP offering an extensive
and potent line-up of anti-spam technology. Some of
these measures are in general use and some are options
that subscribers can choose if they want. The blockers
range from a basic SpamWall Solution, through a Content
Filtering Service which has an accurate and up-to-date
URL control list, to the more sophisticated MISS+ (Managed
Internet Security Services), which includes a high-end
firewall, intrusion detection, security intelligence
and vulnerability management. Customers using the SpamWall
Solution can set their own message rules, decide which
conditions to apply, designate which part of an e-mail
to check and determine what kind of action gets taken
against any spam that's detected. Users can also create
a folder to store deleted e-mails, enabling them to
check from time to time to ensure that no legitimate
mail has been mistaken for spam.
Hitting where it hurts
One other method of controlling junk e-mail is quite
simply to make it expensive. The greatest appeal of
spam is that it's essentially free. If the senders had
to pay, as they do with conventional postal services,
the incidence of spamming would decline rapidly. Corporations
like Microsoft are looking at systems that penalize
spammers, but still allow legitimate users free e-mail;
but, like most other anti-spam measures, these options
are still in early stages of discussion and development.
Until then, perhaps cyberspace will continue to be cluttered
with junk.