Spammer prosecutions waste time and money

Spammed if you do and spammed if you don't


The recent US Federal Trade Commission (FTC) report on the futility of establishing a national 'do not email' registry contains a number of interesting observations related to spam control and to the so-called CAN-SPAM Act.

In a nutshell, the FTC rejects the registry because it would become a weapon that spammers could use to fortify their ever-growing lists of victims, as we reported here.

But there are a number of related points in the report that deserve attention. One is an indirect critique of the CAN-SPAM Act, recent legislation that promises lawsuits and even jail time for incontinent spammers. The Act is meant as a deterrent, and in order for it to work as such, it will obviously have to be used, and spammers will have to be made examples.

Unfortunately this is an expensive and often futile business, as the FTC observes:

"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."

And these are mere individual cases. The spam industry is very much decentralized and scattered. Only a small fraction of spammers can be identified, the report explains:

"One major ISP reports that, after collecting and analyzing over 45 million spam messages...during 2003, it linked only about 2.6 million to a person responsible for them. In all, this ISP identified 271 parties responsible for these 2.6 million spam messages..."

And this process is time consuming and very expensive. The ISP "acquired sufficient information to file a lawsuit or send a warning letter to only 91 of the 271 parties. To identify these 91 parties, the ISP estimates that its internal and outside legal teams expended approximately 12,100 hours, or an average of 133 hours per spammer. The ISP expended these resources solely to identify the spammers; these costs do not include litigation expenses."

That's 12,000 very billable hours spent to identify 91 spammers, or roughly a third of those responsible for 2.6 million spam messages out of 45 million. And then comes the cost of taking action against this drop-in-the-bucket sample. Once a spammer is identified, the costs of litigation start to kick in, and they mount fast.

Legislative window dressing

Just filing the suit can be tremendously inconvenient. According to the FTC report, many lawsuits "must be filed as 'John Doe' lawsuits because the ISPs cannot identify the spammer prior to filing. For instance, Microsoft, AOL, Yahoo! and Earthlink recently announced six lawsuits against 225 defendants, charging violations of the CAN-SPAM Act. These ISPs charged all but nine of the defendants as John Does at the time the suits were filed. In previous John Doe lawsuits, ISPs have needed to issue up to ten subpoenas to determine the identity of the spammer."

"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable), to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam."

Indeed, with this sort of expense and level of difficulty, it would be reasonable to expect spammers to threaten an aggressive defense in order to obtain a settlement or a light punishment. It's obvious that prosecutions and lawsuits are far more trouble than they're worth. Spending perhaps a half million dollars to sue someone who produces maybe one or two per cent of the spam clogging your pipes, knowing that there are thousands of other spammers ready to take up the slack for him, is bound to be discouraging - only to the ISPs, not to the spammers.

It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.
