Feeds

Spammer prosecutions waste time and money

Spammed if you do and spammed if you don't

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

The recent US Federal Trade Commission (FTC) report on the futility of establishing a national 'do not email' registry contains a number of interesting observations related to spam control and to the so-called CAN-SPAM Act.

In a nutshell, the FTC rejects the registry because it would become a weapon that spammers could use to fortify their ever-growing lists of victims, as we reported here.

But there are a number of related points in the report that deserve attention. One is an indirect critique of the CAN-SPAM Act, recent legislation that promises lawsuits and even jail time for incontinent spammers. The Act is meant as a deterrent, and in order for it to work as such, it will obviously have to be used, and spammers will have to be made examples.

Unfortunately this is an expensive and often futile business, as the FTC observes:

"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."

And these are mere individual cases. The spam industry is very much decentralized and scattered. Only a small fraction of spammers can be identified, the report explains:

"One major ISP reports that, after collecting and analyzing over 45 million spam messages...during 2003, it linked only about 2.6 million to a person responsible for them. In all, this ISP identified 271 parties responsible for these 2.6 million spam messages..."

And this process is time consuming and very expensive. The ISP "acquired sufficient information to file a lawsuit or send a warning letter to only 91 of the 271 parties. To identify these 91 parties, the ISP estimates that its internal and outside legal teams expended approximately 12,100 hours, or an average of 133 hours per spammer. The ISP expended these resources solely to identify the spammers; these costs do not include litigation expenses."

That's 12,000 very billable hours spent to identify 91 spammers, or roughly a third of those responsible for 2.6 million spam messages out of 45 million. And then comes the cost of taking action against this drop-in-the-bucket sample. Once a spammer is identified, the costs of litigation start to kick in, and they mount fast.

Legislative window dressing

Just filing the suit can be tremendously inconvenient. According to the FTC report, many lawsuits "must be filed as 'John Doe' lawsuits because the ISPs cannot identify the spammer prior to filing. For instance, Microsoft, AOL, Yahoo! and Earthlink recently announced six lawsuits against 225 defendants, charging violations of the CAN-SPAM Act. These ISPs charged all but nine of the defendants as John Does at the time the suits were filed. In previous John Doe lawsuits, ISPs have needed to issue up to ten subpoenas to determine the identity of the spammer."

"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable), to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam."

Indeed, with this sort of expense and level of difficulty, it would be reasonable to expect spammers to threaten an aggressive defense in order to obtain a settlement or a light punishment. It's obvious that prosecutions and lawsuits are far more trouble than they're worth. Spending perhaps a half million dollars to sue someone who produces maybe one or two per cent of the spam clogging your pipes, knowing that there are thousands of other spammers ready to take up the slack for him, is bound to be discouraging - only to the ISPs, not to the spammers.

It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.

Related stories

US proposes rigorous spam sentencing
Spammers not deterred by Can Spam Act
Big US ISPs set legal attack dogs on big, bad spammers

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.