Spammer prosecutions waste time and money

Spammed if you do and spammed if you don't

The recent US Federal Trade Commission (FTC) report on the futility of establishing a national 'do not email' registry contains a number of interesting observations related to spam control and to the so-called CAN-SPAM Act.

In a nutshell, the FTC rejects the registry because it would become a weapon that spammers could use to fortify their ever-growing lists of victims, as we reported here.

But there are a number of related points in the report that deserve attention. One is an indirect critique of the CAN-SPAM Act, recent legislation that promises lawsuits and even jail time for incontinent spammers. The Act is meant as a deterrent, and in order for it to work as such, it will obviously have to be used, and spammers will have to be made examples.

Unfortunately this is an expensive and often futile business, as the FTC observes:

"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."

And these are mere individual cases. The spam industry is very much decentralized and scattered. Only a small fraction of spammers can be identified, the report explains:

"One major ISP reports that, after collecting and analyzing over 45 million spam messages...during 2003, it linked only about 2.6 million to a person responsible for them. In all, this ISP identified 271 parties responsible for these 2.6 million spam messages..."

And this process is time consuming and very expensive. The ISP "acquired sufficient information to file a lawsuit or send a warning letter to only 91 of the 271 parties. To identify these 91 parties, the ISP estimates that its internal and outside legal teams expended approximately 12,100 hours, or an average of 133 hours per spammer. The ISP expended these resources solely to identify the spammers; these costs do not include litigation expenses."

That's 12,000 very billable hours spent to identify 91 spammers, or roughly a third of those responsible for 2.6 million spam messages out of 45 million. And then comes the cost of taking action against this drop-in-the-bucket sample. Once a spammer is identified, the costs of litigation start to kick in, and they mount fast.

Legislative window dressing

Just filing the suit can be tremendously inconvenient. According to the FTC report, many lawsuits "must be filed as 'John Doe' lawsuits because the ISPs cannot identify the spammer prior to filing. For instance, Microsoft, AOL, Yahoo! and Earthlink recently announced six lawsuits against 225 defendants, charging violations of the CAN-SPAM Act. These ISPs charged all but nine of the defendants as John Does at the time the suits were filed. In previous John Doe lawsuits, ISPs have needed to issue up to ten subpoenas to determine the identity of the spammer."

"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable), to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam."

Indeed, with this sort of expense and level of difficulty, it would be reasonable to expect spammers to threaten an aggressive defense in order to obtain a settlement or a light punishment. It's obvious that prosecutions and lawsuits are far more trouble than they're worth. Spending perhaps a half million dollars to sue someone who produces maybe one or two per cent of the spam clogging your pipes, knowing that there are thousands of other spammers ready to take up the slack for him, is bound to be discouraging - only to the ISPs, not to the spammers.

It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.
