
Feds seek input on spammer sentencing

Help us calculate the actual harm


A formula that would sentence deceptive spammers to more time in prison for each e-mail address spammed is among the proposals under consideration by the presidentially-appointed commission responsible for setting federal sentencing rules, which this week sought the public's input on how to punish violators of the newly-enacted CAN-SPAM Act.

"Arguably the more e-mails you've sent out, the greater the social harm-- just like arguably distributing more drugs is worse that distributing fewer drugs," says Michael O'Neill, a law professor at George Mason University Law School, and a member of the seven-member United States Sentencing Commission (USSC). "The problem is, it's so incredibly easy to send out massive e-mails now, I'm not sure [it] is going to get at the harm the way you want it."

The USSC publishes the Federal Sentencing Guidelines that carve out narrow ranges of sentences a court can choose from when punishing violators of federal criminal law. The guidelines work off of a point system that sets a starting value for a particular crime, and then adds or subtracts points for specific aggravating or mitigating circumstances.

A convicted kidnapper, for example, starts off with 24 sentencing points -- which maps to 51 to 63 months imprisonment for a first-time offender. But if the culprit held his victim for 30 days or more, he gets two bonus points, translating to an additional 12 to 15 months. The criminal earns another six points if he demanded a ransom, and two points for injuring a victim -- but can shave off two points for pleading guilty and accepting responsibility for the crime.

If sentencing kidnappers is relatively straightforward, the Commission is finding it more challenging to erect an appropriate framework for punishing deceptive spammers. Should spammers be sentenced from the same table that decides the fate of thieves and con artists, based on the amount of financial losses inflicted on the victims? If so, what counts as a loss? If a forged e-mail address makes an innocent company look bad -- a "Joe job," in the parlance of anti-spammers -- should that reputational harm earn the spammer more time in stir? "This is one of the places that the Commission is having a difficult time, in determining how to calculate the actual harm," says O'Neill.

More Time for Harvesting?

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does outlaw most of the deceptive practices used by spammers. Senders are prohibited from breaking into someone else's computer to send spam (which was probably illegal already); deliberately crafting spammy messages to disguise the origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses, and spamming from them.

A first-time violator faces up to one year in federal stir for a small-time operation -- three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names. Repeat offenders can get up to five years in prison.

Exactly where spammers are sentenced within that range will be decided by an amendment to the Federal Sentencing Guidelines. In a formal request for comments published in the Federal Register this week, the Commission is asking the public's opinion on such questions as:

  • Should deceptive spammers get an "enhancement," i.e., a little more prison time, if they employ "sophisticated means" to send the spam?
  • Should the method the offender used to gather the targeted addresses be a consideration in sentencing? Under one proposal, spammers could face an enhancement for harvesting e-mail addresses from Web forums, or generating them randomly.
  • Should criminals who commit fraud, identity theft, child porn trafficking or other serious crimes be sentenced more severely if they sent unsolicited bulk e-mail in the course of the crime?

Comments are due by March 15th, and can be sent by snail mail to the United States Sentencing Commission, One Columbus Circle, NE., Suite 2-500, Washington, DC 20002-8002, Attention: Public Affairs. Perhaps not surprisingly, the Commission is not inviting comments by e-mail.

Copyright © 2004, SecurityFocus
