Feds seek input on spammer sentencing

Help us calculate the actual harm


A formula that would sentence deceptive spammers to more time in prison for each e-mail address spammed is among the proposals under consideration by the presidentially-appointed commission responsible for setting federal sentencing rules, which this week sought the public's input on how to punish violators of the newly-enacted CAN-SPAM Act.

"Arguably the more e-mails you've sent out, the greater the social harm -- just like arguably distributing more drugs is worse than distributing fewer drugs," says Michael O'Neill, a law professor at George Mason University Law School, and a member of the seven-member United States Sentencing Commission (USSC). "The problem is, it's so incredibly easy to send out massive e-mails now, I'm not sure [it] is going to get at the harm the way you want it."

The USSC publishes the Federal Sentencing Guidelines, which carve out narrow ranges of sentences a court can choose from when punishing violators of federal criminal law. The guidelines work off a point system that sets a starting value for a particular crime, and then adds or subtracts points for specific aggravating or mitigating circumstances.

A convicted kidnapper, for example, starts off with 24 sentencing points -- which maps to 51 to 63 months imprisonment for a first-time offender. But if the culprit held his victim for 30 days or more, he gets two bonus points, translating to an additional 12 to 15 months. The criminal earns another six points if he demanded a ransom, and two points for injuring a victim -- but can shave off two points for pleading guilty and accepting responsibility for the crime.

If sentencing kidnappers is relatively straightforward, the Commission is finding it more challenging to erect an appropriate framework for punishing deceptive spammers. Should spammers be sentenced from the same table that decides the fate of thieves and con artists, based on the amount of financial losses inflicted on the victims? If so, what counts as a loss? If a forged sender address makes an innocent company look bad -- a "Joe job," in the parlance of anti-spammers -- should that reputational harm earn the spammer more time in stir? "This is one of the places that the Commission is having a difficult time, in determining how to calculate the actual harm," says O'Neill.

More Time for Harvesting?

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does outlaw most of the deceptive practices used by spammers. Senders are prohibited from breaking into someone else's computer to send spam (which was probably illegal already); deliberately crafting spammy messages to disguise the origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses, and spamming from them.

A first-time violator faces up to one year in federal stir for a small-time operation -- three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names. Repeat offenders can get up to five years in prison.

Exactly where spammers are sentenced within that range will be decided by an amendment to the Federal Sentencing Guidelines. In a formal request for comments published in the Federal Register this week, the Commission is asking the public's opinion on such questions as:

  • Should deceptive spammers get an "enhancement," i.e., a little more prison time, if they employ "sophisticated means" to send the spam?
  • Should the method the offender used to gather the targeted addresses be a consideration in sentencing? Under one proposal, spammers could face an enhancement for harvesting e-mail addresses from Web forums, or generating them randomly.
  • Should criminals who commit fraud, identity theft, child porn trafficking or other serious crimes be sentenced more severely if they sent unsolicited bulk e-mail in the course of the crime?

Comments are due by March 15th, and can be sent by snail mail to the United States Sentencing Commission, One Columbus Circle, NE., Suite 2-500, Washington, DC 20002-8002, Attention: Public Affairs. Perhaps not surprisingly, the Commission is not inviting comments by e-mail.

Copyright © 2004, SecurityFocus
