EarthLink and Pacific Bell, two of the largest ISPs in California, say they are looking into a handful of cases each, but neither has filed a complaint nor named the violators.

"We've been working on it, but we aren't sure what the burden of proof will be," says Dayman of SBC, explaining why the Pacific Bell division hasn't sued. "We don't know if it will be enough to show that the spam always came from the same home phone and that there were several credit cards and e-mails registered to that address."

In other words, Dayman isn't sure if he can tie the spam to the spammer.

This cat-and-mouse game of identification remains the largest hurdle to litigation. And ironically, despite his doubts, Dayman is closer to winning that game than he realizes. At least he's caught some personal information. Most serious spammers manage to completely avoid giving up such data, say systems administrators. On the Net, "It's just not that hard to hide," says Anderson at Redshift.

Indeed, several options are available. Speed is one. Many spammers send thousands, even millions of e-mails from one address, then shut down quickly before someone like Anderson at Redshift blocks them, or before they're added to MAPS Realtime Blackhole List, which blocks all mail coming from ISPs that have allowed spammers to use their networks and going to networks run by RBL members.

Others fake their identities. ISPs "in places like Finland and Hong Kong" let users sign up from anywhere, often with no personal, traceable information, says Steve Dougherty, EarthLink's director of technology acquisition and a manager of its e-mail abuse department.

And if it's not an international address they're sending from, it's often a stolen one. Sometimes, spammers grab these addresses by hacking into people's accounts; in other cases, they impersonate staffers from an ISP, sending users an e-mail that asks for their password "to fix their account," says Timothy Walton, a Mountain View, Calif., attorney who has filed four lawsuits that attempt to broaden California's laws by allowing consumers to sue. With these addresses in hand, they can route mail through several of them -- a process known as "spoofing" -- and obscure the original IP address.

"Fewer than one in 1,000 spams offer a real reply address," Walton says. Dougherty doubts that spammers are that hard to find, if only because spam comes not just from professionals, but also "a rotating crop of amateurs" who naively believe that spam will make them rich beyond their wildest dreams.

These amateurs can often be traced, but is it worth taking them to court? If someone's been scammed -- forking over $39.95 to some pro spammer for 50,000 e-mail addresses -- should ISPs bother trying to convince a judge that they're criminals, not victims? Dougherty doesn't think so. "Most of them don't even know what they're doing is wrong, and once we tell them, they rarely come back," he says. "That's the problem with the law -- unless it's narrowly defined, it tends to paint with a broad brush."

On the other hand, Dougherty would be happy to put the professionals out of business. He estimates that there are a few thousand full-timers, but that this "10 percent of the total [does] 80 percent of the damage." And these repeat offenders know the game. They're not easy to find. "They live in the shadows," Dougherty says. "They'll move and always be there."

There are, of course, exceptions. High-profile suits such as those against Sanford Wallace, the self-declared "Spam King," proved that some spammers can be found -- and sued. Together, EarthLink, Concentric, CompuServe and other ISPs won judgments in 1997 for over $2 million from Wallace and his company CyberPromo, which sold bulk e-mail software.

And several sites offer tools to help. SamSpade.org will search the Whois database for domain name registrars, and Whew.com will help you find the physical address of a spammer, as will other resources found on sites like Suespammers.org. Attorney Walton says he used several of these search tools to find three of the four spammers that he's suing and none of the searches took more than 30 hours.

Still, folks like Wallace and the spammers Walton is suing represent rare cases: spammers who didn't try very hard to hide. Wallace publicly defended his actions, and all but one of Walton's defendants were easily unmasked: One sent marketing-related faxes and e-mails to 4,000 people who attended a marketing conference; another, Friend Finder Inc., is an established online dating service that allegedly sent an unknown number of e-mails to persons it deemed interested. Both spammers identified themselves in the e-mails. A third, Newport Internet Marketing, apparently tried to hide by simply misspelling its own name: "It sends spam under the name 'Neuport,' but was listed at Dogpile.com [a meta-search engine] as 'Newport,'" Walton says.

Only one case, relating to pornographic spam sent from an America Online account, required serious digging. And in that case, Walton still hasn't found the defendant. He's charging "John Does 1 through 200" in the meantime.

In comparison, the majority of the 3,000 to 4,000 e-mail addresses sitting in Redshift's spam database "are anonymous," Anderson says. "We don't know where we can find the senders."

What's more, there is little reason to believe that locating spammers leads to a recouping of the money ISPs spend on processing their mail. EarthLink spends over $1 million a year fighting spam; the median amount spent annually by Internet service providers to filter spam is $387,000, according to a 1999 Gartner Group study.

California law and House Bill 3113 are based on the argument that these costs should be paid by spammers. Otherwise, by transferring costs from sender to receiver, spam acts like a collect call ISP clients have no choice but to accept; it "trespasses on one's chattel or property," says David Kramer, an attorney with Palo Alto's Wilson, Sonsini, Goodrich & Rosati who drafted the California law that lets ISPs sue.

But California's spam cases so far haven't done much to shift those costs. Rallapalli won $600 from a spammer in small-claims court. Yahoo earned an injunction for $44,000 from Information Technologies Corp. and settled with Worldwide Network Marketing on confidential terms that did not disclose whether or not monetary damages were awarded. Walton's four cases are far from judgment. Even Kramer, who worked on the California law, admits that it has afforded "only a marginal improvement," by calculating damages due an ISP whose network has been abused; so far, that hasn't been enough to inspire many ISPs to sue.

Kramer insists, however, that a federal version would plug some of the loopholes that spammers have squirmed through. For example, under present California law, it's not enough for an ISP to simply put its spam policy on its homepage. An ISP must send a warning e-mail and receive a second offensive message from the same source in order to show that spammers know their messages are going to an ISP in a state that outlaws them.

According to Kramer, 3113 would eliminate that defense, "letting ISPs sue any spammer without demonstrating that they were served with notice of the ISP's policy," he says. "It shifts the burden." It also defeats the "commerce clause" defense that was used last month to strike down Washington state's first judgment against a spammer. And it prevents spammers from gaining the advantage of an early warning. "They won't have time to hide," says Nicholas at MAPS.

Plus, the federal law could turn up the scrutiny on spammers. By mirroring a Washington state law, 3113 lets all receivers of spam sue, and gain $500 per message, up to a maximum of $50,000 per day. Anecdotally, this has benefited proactive anti-spammers like Bruce Miller, a Washington state resident who says he "collected $3,900 from four spammers." Proponents of the federal bill expect thousands more to do the same.

"I think we will see quite a number of cases brought against spammers," says Ray Everett-Church, a co-founder of CAUCE, who helped draft 3113. "When you've got a law that says, 'If you do X, damages are presumed to be Y and action can be granted in terms of Z,' then it's much easier to process."

Still, ISPs and users have heard all this before. Even if the law passes, which is not a given -- influential lobbyists such as the Direct Marketing Association and Harvard law professor Lawrence Lessig are among the opponents -- and even if spammers are sued in droves and pay in kind, the law may not empty our in boxes of spam. In fact, more may be on the way.

As the number of Net users grows worldwide, an ever-expanding pool of spammers comes online. Most will be "dumb amateurs," says Dougherty at EarthLink, people who say they believe that "people actually want their product." Others will become professionals, sending out millions of messages, then ducking for cover like new-economy con artists -- or like "u6," a savvy porn spammer who recently found my in box, and promises to remove me if I send mail to endmail@yahoo.com.

"There's always going to be bulk e-mail because it's easy to do," Dougherty says. "Million dollar fines might put a little bit of a chill on it, but not much." Back at Redshift, Anderson has to agree. "Hopefully the law will scare people," she says. "That would be nice. But that's the only way it would affect us."

Recent Stories

The economy crumbled
It was the worst of times for ordinary Americans. And even worse times for deregulators and supply-siders. The bright side? Their party is over.
Is the Web helping us evolve?
The truth lies somewhere between "Google is making us stupid" and "the Internet will liberate humanity."
Ask the pilot
Bailout nation: Will the airlines follow Detroit to the government trough?
Ask the pilot
Can commercial jets fly upside down? Has terrorism forced a change in transoceanic flight paths? And other probing questions for our expert.
Ask the pilot
Malcolm Gladwell claims cultural issues can play a big role in plane crashes. The pilot begs to differ.

Daily Newsletter

Get Salon in your mailbox!