Good Spam: Bad Spam

Report from the OECD workshop floor

The world+dog is ganging up against spam with the US and UK governments and the European Commission this week all urging multinational co-operation and action in the fight against spam. Prompting this flurry of press release activity was a workshop convened in Brussels by the OECD to discuss ways of halting the spam tsunami. Monika Ermert attended the workshop on behalf of The Register. Here is her report.

EC Commissioner Erkki Liikanen this week issued a call to action in the "battle against spam, which we must not lose". In his opening remarks at a two-day OECD conference on Spam in Brussels, Liikanen declared that spam is a global problem that "requires global action. If we want to combat spam effectively, efforts made in the European Union and other regions of the world must be echoed by similar efforts at the international level, not only by governments but also businesses and consumers."

Co-operation, yes; but co-operation on what? The OECD conference shows all too clearly that there is a faultline in the huge international anti-spam coalition being assembled. Countries and their agencies remain divided over The Big Question: should spam be fought by opt-in or opt-out?

Target-rich

Many of the spammers that the US government is prosecuting "violated 72 laws", said Hugh Stephenson from the US Federal Trade Commission (FTC). The agency has successfully brought 55 spammer cases to court, all investigated before the CAN-SPAM Act with its opt-out principle was enacted on January 1.

An FTC study showed that most spam mails are in one way or another fraudulent, by falsifying header information, disguising the sender's identity or trying to lure recipients to criminal get-rich-quick schemes. Spam prosecution is therefore, according to the FTC, such a "target-rich field" that the anti-spam fighters should go for cooperation instead of debating legal differences.

However, many European member states see themselves as victims of the more liberal opt-out principle, even after they have implemented the opt-in regime. European member states have to transfer opt-in into national legislation in compliance with the European Data Protection Directive.

"France is more an importer of spam," said Eric Walter from the Direction for Media Development at the Office of the French President. "We do have French spammers, and we try to prevent them from growing. But our main concern is, what can we do about English spam, which we do not know where it comes from."

At least 80 per cent of spam originates from the US, claim European representatives such as Kurt Einzinger, general secretary of Internet Service Providers Austria (ISPA). With opt-out spam, numbers still could continue to rise, warned George Mills of EuroCAUCE (European Coalition against Unsolicited Email).

"If only one per cent of the 23 million companies in the US start to play opt-out in their marketing activities, European companies need to have a fulltime employee to do the opt-out procedures," he said.

Opt-In-Out

This could become even more of a nightmare scenario if one looks at the spam load conveyed by mobile operators in Asia. In Japan, 90 per cent of the spam already goes to mobile phones, the conference was told.

Philippe Gerard, presenting the European Commission's thinking on spam, said the Community wanted to tackle all unsolicited mail, not just fraudulent spam. Only last week, the EC published a Communication to pressure member states not only to transfer the directive into national laws, but also to apply strong enforcement with financial and even criminal sanctions.

Some member states have implemented harsh fines and penal laws against spammers; in Italy, spammers can go to prison. And in Denmark last month a convicted spammer was ordered to pay a fine of €50,000, Liikanen noted. But many member states say the task of bringing cases against spammers is burdensome.

The Commission recommends that member states open email "spam boxes" to receive complaints from the public. But few have complied - they fear they will simply be swamped by the sheer mass of complaints that would flood in. (The FTC estimates that it receives 300,000 spam complaints every day.)

"Enforcement faces huge problems," says Marianne Abyhammar of the Swedish Consumer Agency. She urged co-operation within Europe and with other countries. On this point the international Anti-Spam workshop again converges. Co-operation in investigation and legal enforcement is critical according to all participants of the OECD conference.

Lindsay Barton of the Australian National Office for the Information Economy (NOIE) presented the concept of a memorandum of understanding (MoU) between his agency and the Korean Information Security Agency (KISA) - notwithstanding the fact that Australia follows the opt-in philosophy while Korea plumps for opt-out.

All other methods

Korea, with its large number of broadband customers, is viewed as a haven for spammers using servers of innocent users for their mass mailings, but has seen high fines for illegal spam. This MoU could be a model that Australia applies to other bilateral pacts in the anti-spam war. The FTC this week rallied a group of more than 30 agencies from all over the world for its Secure your Server Campaign, announced this week.

Phil Jones of the UK Information Commissioner's Office said his office was already in talks with the FTC to co-operate on spam. The Office is to enforce the new British anti-spam legislation. So far he has received dozens, rather than hundreds, of complaints.

When this comes to the point where fraudulent cases are handled properly and only the issue of opt-in and opt-out remains, "we will be in a much better situation as we are right now," according to Jones. After all, he says, quoting a former Israeli prime minister: "Countries behave reasonably when they have exploited all other methods." ®

Related stories

EC draws line in spam sand
EU anti-spam laws are OK
Feds seek input on spammer sentencing
CAN-SPAM means we can spam
UK anti-spam law goes live
