Spammer prosecutions waste time and money

Spammed if you do and spammed if you don't

The recent US Federal Trade Commission (FTC) report on the futility of establishing a national 'do not email' registry contains a number of interesting observations related to spam control and to the so-called CAN-SPAM Act.

In a nutshell, the FTC rejects the registry because it would become a weapon that spammers could use to fortify their ever-growing lists of victims, as we reported here.

But there are a number of related points in the report that deserve attention. One is an indirect critique of the CAN-SPAM Act, recent legislation that promises lawsuits and even jail time for incontinent spammers. The Act is meant as a deterrent, and in order for it to work as such, it will obviously have to be used, and spammers will have to be made examples.

Unfortunately this is an expensive and often futile business, as the FTC observes:

"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."

And these are mere individual cases. The spam industry is very much decentralized and scattered. Only a small fraction of spammers can be identified, the report explains:

"One major ISP reports that, after collecting and analyzing over 45 million spam messages...during 2003, it linked only about 2.6 million to a person responsible for them. In all, this ISP identified 271 parties responsible for these 2.6 million spam messages..."

And this process is time consuming and very expensive. The ISP "acquired sufficient information to file a lawsuit or send a warning letter to only 91 of the 271 parties. To identify these 91 parties, the ISP estimates that its internal and outside legal teams expended approximately 12,100 hours, or an average of 133 hours per spammer. The ISP expended these resources solely to identify the spammers; these costs do not include litigation expenses."

That's 12,000 very billable hours spent to identify 91 spammers, or roughly a third of those responsible for 2.6 million spam messages out of 45 million. And then comes the cost of taking action against this drop-in-the-bucket sample. Once a spammer is identified, the costs of litigation start to kick in, and they mount fast.

Legislative window dressing

Just filing the suit can be tremendously inconvenient. According to the FTC report, many lawsuits "must be filed as 'John Doe' lawsuits because the ISPs cannot identify the spammer prior to filing. For instance, Microsoft, AOL, Yahoo! and Earthlink recently announced six lawsuits against 225 defendants, charging violations of the CAN-SPAM Act. These ISPs charged all but nine of the defendants as John Does at the time the suits were filed. In previous John Doe lawsuits, ISPs have needed to issue up to ten subpoenas to determine the identity of the spammer."

"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable), to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam."

Indeed, with this sort of expense and level of difficulty, it would be reasonable to expect spammers to threaten an aggressive defense in order to obtain a settlement or a light punishment. It's obvious that prosecutions and lawsuits are far more trouble than they're worth. Spending perhaps a half million dollars to sue someone who produces maybe one or two per cent of the spam clogging your pipes, knowing that there are thousands of other spammers ready to take up the slack for him, is bound to be discouraging - only to the ISPs, not to the spammers.

It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.
