Feeds

Feds seek input on spammer sentencing

Help us calculate the actual harm

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

A formula that would sentence deceptive spammers to more time in prison for each e-mail address spammed is among the proposals under consideration by the presidentially-appointed commission responsible for setting federal sentencing rules, which this week sought the public's input on how to punish violators of the newly-enacted CAN-SPAM Act.

"Arguably the more e-mails you've sent out, the greater the social harm-- just like arguably distributing more drugs is worse that distributing fewer drugs," says Michael O'Neill, a law professor at George Mason University Law School, and a member of the seven-member United States Sentencing Commission (USSC). "The problem is, it's so incredibly easy to send out massive e-mails now, I'm not sure [it] is going to get at the harm the way you want it."

The USSC publishes the Federal Sentencing Guidelines that carve out narrow ranges of sentences a court can choose from when punishing violators of federal criminal law. The guidelines work off of a point system that sets a starting value for a particular crime, and then adds or subtracts points for specific aggravating or mitigating circumstances.

A convicted kidnapper, for example, starts off with 24 sentencing points -- which maps to 51 to 63 months imprisonment for a first-time offender. But if the culprit held his victim for 30 days or more, he gets two bonus points, translating to an additional 12 to 15 months. The criminal earns another six points if he demanded a ransom, and two points for injuring a victim -- but can shave off two points for pleading guilty and accepting responsibility for the crime.

If sentencing kidnappers is relatively straightforward, the Commission is finding it more challenging to erect an appropriate framework for punishing deceptive spammers. Should spammers be sentenced from the same table that decides the fate of thieves and con artists, based on the amount of financial losses inflicted on the victims? If so, what counts as a loss -- if a forged e-mail address makes an innocent company look bad, a "Joe job," in the parlance of anti-spammers -- should that reputational harm earn the spammer more time in stir. "This is one of the places that the Commission is having a difficult time, in determining how to calculate the actual harm," says O'Neill.

More Time for Harvesting?

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does outlaw most of the deceptive practices used by spammers. Senders are prohibited from breaking into someone else's computer to send spam (which was probably illegal already); deliberately crafting spammy messages to disguise the origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses, and spamming from them.

A first-time violator face up to one year in federal stir for a small-time operation-- three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names. Repeat offenders can get up to five years in prison.

Exactly where spammers are sentenced within that range will be decided by an amendment to the Federal Sentencing Guidelines. In a formal request for comments published in the Federal Register this week, the Commission is asking the public's opinion on such questions as:

  • Should deceptive spammers get an "enhancement," i.e., a little more prison time, if they employ "sophisticated means" to send the spam?
  • Should the method the offender used to gather the targeted addresses be a consideration in sentencing? Under one proposal, spammers could face an enhancement for harvesting e-mail addresses from Web forums, or generating them randomly.
  • Should criminals who commit fraud, identify theft, child porn trafficking or other serious crimes be sentenced more severely if they sent unsolicited bulk e-mail in the course of the crime?
  • Comments are due by March 15th, and can be sent by snail mail to the United States Sentencing Commission, One Columbus Circle, NE., Suite 2-500, Washington, DC 20002-8002, Attention: Public Affairs. Perhaps not surprisingly, the Commission is not inviting comments by e-mail.

    Copyright © 2004, SecurityFocus logo

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.