Feeds

Feds seek input on spammer sentencing

Help us calculate the actual harm

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

A formula that would sentence deceptive spammers to more time in prison for each e-mail address spammed is among the proposals under consideration by the presidentially-appointed commission responsible for setting federal sentencing rules, which this week sought the public's input on how to punish violators of the newly-enacted CAN-SPAM Act.

"Arguably the more e-mails you've sent out, the greater the social harm-- just like arguably distributing more drugs is worse that distributing fewer drugs," says Michael O'Neill, a law professor at George Mason University Law School, and a member of the seven-member United States Sentencing Commission (USSC). "The problem is, it's so incredibly easy to send out massive e-mails now, I'm not sure [it] is going to get at the harm the way you want it."

The USSC publishes the Federal Sentencing Guidelines that carve out narrow ranges of sentences a court can choose from when punishing violators of federal criminal law. The guidelines work off of a point system that sets a starting value for a particular crime, and then adds or subtracts points for specific aggravating or mitigating circumstances.

A convicted kidnapper, for example, starts off with 24 sentencing points -- which maps to 51 to 63 months imprisonment for a first-time offender. But if the culprit held his victim for 30 days or more, he gets two bonus points, translating to an additional 12 to 15 months. The criminal earns another six points if he demanded a ransom, and two points for injuring a victim -- but can shave off two points for pleading guilty and accepting responsibility for the crime.

If sentencing kidnappers is relatively straightforward, the Commission is finding it more challenging to erect an appropriate framework for punishing deceptive spammers. Should spammers be sentenced from the same table that decides the fate of thieves and con artists, based on the amount of financial losses inflicted on the victims? If so, what counts as a loss -- if a forged e-mail address makes an innocent company look bad, a "Joe job," in the parlance of anti-spammers -- should that reputational harm earn the spammer more time in stir. "This is one of the places that the Commission is having a difficult time, in determining how to calculate the actual harm," says O'Neill.

More Time for Harvesting?

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does outlaw most of the deceptive practices used by spammers. Senders are prohibited from breaking into someone else's computer to send spam (which was probably illegal already); deliberately crafting spammy messages to disguise the origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses, and spamming from them.

A first-time violator face up to one year in federal stir for a small-time operation-- three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names. Repeat offenders can get up to five years in prison.

Exactly where spammers are sentenced within that range will be decided by an amendment to the Federal Sentencing Guidelines. In a formal request for comments published in the Federal Register this week, the Commission is asking the public's opinion on such questions as:

  • Should deceptive spammers get an "enhancement," i.e., a little more prison time, if they employ "sophisticated means" to send the spam?
  • Should the method the offender used to gather the targeted addresses be a consideration in sentencing? Under one proposal, spammers could face an enhancement for harvesting e-mail addresses from Web forums, or generating them randomly.
  • Should criminals who commit fraud, identify theft, child porn trafficking or other serious crimes be sentenced more severely if they sent unsolicited bulk e-mail in the course of the crime?
  • Comments are due by March 15th, and can be sent by snail mail to the United States Sentencing Commission, One Columbus Circle, NE., Suite 2-500, Washington, DC 20002-8002, Attention: Public Affairs. Perhaps not surprisingly, the Commission is not inviting comments by e-mail.

    Copyright © 2004, SecurityFocus logo

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.