
Getting Tough on the Growing Spam Problem

By Stacey McDaniel

We all know about the negative impact of spam in the workplace: It undermines user productivity, introduces potential legal liability, and increases the burden on the IT staff, infrastructure, and budget. With its already limited staff and stretched finances, the public sector cannot afford to succumb to wave after wave of spam. Unfortunately, spam is not going away -- in fact, a recent study by Ferris Research in San Francisco shows that lost productivity resulting from spam is expected to rise by 70% from 2004 to 2005. According to the 2004 National Technology Readiness Survey, the cost of spam in terms of lost productivity is approximately $21.58 billion. Nucleus Research estimates that in 2004, lost productivity averaged $1,934 per employee, compared to $874 in 2003. As the numbers increase, so too do the challenges that spam presents.

Evolving spam

Spam is the Internet's version of junk mail. By definition, it is always unsolicited, typically irrelevant and/or inappropriate, and frequently used for commercial purposes. Spamming is comparable to unsolicited telemarketing. In fact, some states specifically define spam as unsolicited commercial email or UCE.
 
The most common forms of spam, comprising 64% of all spam analyzed by Ferris Research during January 2005, deal with the sale of products, financial services, adult-oriented goods and services, and pharmaceutical/health-related topics. Common subject matter includes heavily discounted brand name drugs, stock promotions or other moneymaking schemes, pornography, and "succeed while working at home" schemes.

As the amount of spam climbs, so does the complexity of the techniques used. Over the past couple of years, "phishing" has become a common phenomenon. Phishing attacks seek to lure the unwitting into revealing confidential information, such as passwords, account information, and Social Security numbers. Spamming is increasingly being used as a delivery vehicle for these fraudulent messages.

Stopping spam and its variants is a challenge that has yet to be met -- but the federal government, state attorneys general, and others are actively working on better ways to identify and prosecute spammers.

Fine-tuning CAN-SPAM

The federal CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act), which took effect on January 1, 2004, imposes severe penalties (including prison sentences) on those convicted of sending unsolicited email. The problem is, the CAN-SPAM Act doesn't explicitly ban unsolicited email -- instead, it only requires that spam sent to consumers include a means of opting out of the mailing list used by the sender. Other weaknesses in the CAN-SPAM Act have been cited, prompting the Federal Trade Commission (FTC) to amend its rules for enforcing the Act. The FTC is seeking comments on its proposals until June 27, 2005.

The Act was supported by the Direct Marketing Association (DMA), whose members employ spam as a component of their marketing strategies. Consequently, it is doubtful whether CAN-SPAM will ever have real teeth.

On another front, the FTC recently launched a global anti-spam campaign, "Operation Spam Zombies," specifically targeting hijacked or "zombie" computers. Zombies can be remotely controlled by hackers to attack Web servers, collect personal information, or send spam emails. On average, 172,000 users lose control of their machines each day, and zombie networks account for about 50-80% of all spam, according to various industry reports. The FTC is preparing to send letters to more than 3,000 Internet Service Providers (ISPs) advising them on ways to secure their computers from hijacking attempts, and urging them to get tough on computers that have been hijacked to act as spam relays.

The FTC is also asking ISPs to set a limit on the rate at which emails may be sent and to be wary of users that send abnormal amounts of emails. The FTC, together with ISPs, plans to educate and help users understand the threats of zombie computers and provide remedies to zombie attacks.

State laws

Over 35 states have outlined legislation targeting spammers. Some states regard spam as a civil matter, while others regard it as a criminal offense. If spammers are to be prosecuted, all states need a way to generate spam data and analysis as evidence. Here is a look at what two different states, Florida (civil) and Virginia (criminal), are doing to stop spam:

Florida: The Electronic Mail Communications Act

The Florida statute, enacted in May 2004, prohibits unsolicited commercial email messages containing false or misleading information in the subject line, a false header, and/or false or deceptive information. The Electronic Mail Communications Act applies to spam sent from and to a computer in Florida or a Florida resident's email address. Florida treats spam as a civil matter and applies only civil penalties, including compensatory damages of up to $500 for each unsolicited email.

Brief Case History from Florida

In April of 2005, Florida Attorney General Charlie Crist filed the first anti-spam lawsuit in the state. Florida residents Scott Filary and Donald Townsend were charged with sending more than 65,000 illegal spam emails during 2004. Filary and Townsend face a total potential penalty of $24 million. The verdict is still pending.

Virginia: Anti-Spam Law

In March 1999, Virginia legislation made sending unsolicited bulk email containing falsified routing information illegal. Virginia also granted state courts personal jurisdiction over a nonresident who uses a computer or network located in Virginia. Virginia's current Anti-Spam Law took effect on July 1st, 2003.

Virginia treats spam as a criminal matter. As outlined by the Office of Attorney General of Virginia, sending messages with a misleading/fraudulent header or routing information, and accompanied by one of the following factors, is punishable as a Class 6 Felony (one- to five-year prison sentence and/or $2,500 fine):

  • Volume of unsolicited messages sent exceeds 10,000 in any 24-hour time period, 100,000 in any 30-day time period, or 1 million in any one-year period.
  • Revenue generated from spam exceeds $1,000, or total revenue generated from all spam exceeds $50,000.

Sending unsolicited messages with misleading/fraudulent header or routing information but without the above accompanying factors is punishable as a Class 1 Misdemeanor (up to 12 months in prison and/or $2,500 fine).

Conclusion

Until now, there have been few effective tactics in place to stop spam. Spammers, meanwhile, have had the luxury of time to come up with new ways to transmit spam, and have even begun cooperating with criminals to aid them in their schemes. The good news is that federal and state governments are working on ways to bring charges against spammers -- although this has yet to be done in a consistent manner. The hope is that, in the near future, news of spam-related prosecutions will become commonplace, and our inboxes will be less clogged with irritating, inappropriate, and distracting spam.

Stacey McDaniel has been writing about high-tech issues for more than six years.

 
