SPAM SNOW GLOBE from
Individually spams are little more than a nuisance, but collectively they pose a considerable threat to our infrastructure. They bring little cheer, except perhaps to the manufacturers of anti-spam software and possibly to Hormel Foods’ Spam merchandising returns (the original meat product manufacturer – see spamgift.com). Current indications are that the spamming industry will continue to thrive at the expense of computer users and recent legislation is unlikely to turn the tide in the short-term future. This article argues that spamming is a complex issue and therefore requires a framework of solutions, of which law is but one part.
Incidentally, for the handful of souls still unaware, spams are unsolicited bulk e-mails containing invitations to participate in ways to earn money; obtain free products and services; win prizes; spy upon others; obtain improvements to health or well-being, replace lost hair, increase one’s sexual prowess or cure cancer. The term is derived from a Monty Python sketch in which the word ‘spam’ was repeated to the point of absurdity in a restaurant menu (CompuServe Inc. v Cyber Promotions, 962 F.Supp. 1015 f/n 1).
Although a vague argument in favour of spam can be based upon the promotion of legitimate commercial activity and also upholding rights to free expression, the demerits far outweigh the merits as they undoubtedly degrade the quality of virtual life. They rarely live up to their promises, often carrying unpleasant payloads in the form of potent deceptions or harmful computer viruses and worms. Moreover, they choke up Internet bandwidth and slow down access rates, reducing efficiency and costing Internet service providers and individual users lost time through their having to manage spams.
Currently about half of our e-mails are spams (Brightmail) and along with pop-ups and Web ads, unsolicited messages constitute a major obstacle to effective Internet usage and its further development. All the more worrying when it is likely that the growth in spam numbers will continue to double each year (Wall, 2003) despite concerted attempts to stem their flow by recent anti-spam legislation and technology. The recent UK legislation (SI 2003/2426), which required Internet users from 11 December 2003 onwards to opt-in to e-mail lists, and the US CAN-SPAM Act, which gave users the right to opt out of spam lists from 1 January 2004, have already become the focus of criticism for their various shortcomings (see NLJ, 28/11/03, p. 1780). Apart from this obvious discordance between the
We clearly need to know more about spam, and ongoing empirical research (see Wall, 2003) is revealing that the spam problem is far more complex than commonly assumed. Not only is the spamming industry in fact two quite different sets of enterprises (the compilation and production of bulk e-mail lists which are then sold on (to spammers) and the use of the lists to spam recipients with a variety of offers), but offending related to the spamming process clearly needs to be disaggregated from the intent that motivates many spams.
Bulk e-mail list compilation
The current legal method of compiling e-mail lists in EU countries (under Directive 2002/58/EC) is to require voluntary opt-in to e-mail lists through subscription. More common place, however, is the compilation of e-mail address lists (now illegal to use in the EU) through automated ‘spider-bots’ that scour the Web. The economics are simple. E-mail addresses have no perceivable individual worth but, when collated with 10, 20, 40 or 80 million others, they accumulate value. Spammers tend to use e-mail addresses from lists sold to them in CD-ROM format by bulk e-mail compilers. Banners such as “Email Addresses 407 MILLION in a 4-disk set. Complete package only $99.95!!” will be familiar subject lines to many readers. But few spams from these addresses will ever reach the recipient because most will be inactive; there again only a few responses are needed to recoup costs and make a profit. Ironically, some of the major victims of the spam list compilation industry are themselves intending spammers.
Active e-mail addresses have a much higher value, rising further when profiled by owner characteristics. In common with advertisements, spams containing information relevant to the recipient are most likely to obtain a positive response and result in a successful transaction. One popular strategy to confirm that an e-mail address is active and also to yield important information about the recipient is to send out ‘spoof spams’ using one of three tactics. A blank e-mail may be sent which requests an automatic response from the recipient’s computer upon opening. Else, it may include offensive subject content or make preposterous claims that incite the recipient to ‘flame’ the sender. Alternatively, the spoof may include the option to ‘deregister’ from the mail list, not only providing important information but sometimes leading recipients to pay recurrent ‘administration charges’ and embroiling them in a ‘remove.com’ scam.
An ongoing survey of spams between 2000-2003 reveals that only a relatively small proportion, possibly just over 10% of all spams, are genuine attempts to inform recipients about products or services. The remaining 90% lack plausibility, suggesting that spammers are short on business acumen, or they are victims of unscrupulous list builders, or they deliberately intend to deceive the recipient (Wall 2003). Approximately one third of all received spams are ‘spoof spams’.
The contents of unsolicited bulk emails
An analysis of spam content lends weight to the earlier implausibility argument and outlines clearly the types of risk that recipients might face. Though not a precise match, the following categories and proportions listed in order of prevalence find a resonance in Brightmail’s 2002 Slamming Spam and other spam surveys.
· Income generating claims – 28% (business opportunities; investment schemes; pyramid selling; working at home; investment opportunities; Nigerian Advanced Fee scams).
· Pornography and materials with sexual content – 16% (sexually explicit materials; sharing images; increasing Web traffic with sex sites).
· Offers of free or discounted products, goods and services (including free vacations) – 15% (free trial periods for services; free products; cheap grey market goods such as cigarettes, rare stones, body parts, alcohol, fuel, sexual services).
· Advertisements /information about products and services – 11% (cheap office supplies and equipment; cheap medical equipment; cheap branded goods; educational qualifications; Internet auctions; bulk e-mail lists).
· Health cures/snake oil remedies – 11% (miracle diets; anti-ageing lotions and potions; prescription medicines; non-prescription medicines; Viagra; hair loss remedies; body enhancement potions; plastic surgery; cures for cancer).
· Loans, credit options or repair credit ratings – 9% (credit facilities without the checks or security; repair of bad credit ratings; credit cards with zero interest).
· Surveillance information, software and devices – 3% (surveillance and counter-surveillance software and hardware).
· Hoaxes/ Urban Legends, Mischief collections – 3% (perpetuating Urban Legends; ‘gullibility viruses’ tricking recipients into destroying files or opening virus attachments; threatening chain letters; post-9/11 e-mail victim-donation scams; links to hoax WWW sites).
· Opportunities to win something, on-line gambling options – 3% (free credit in trial gambling sites; prizes).
Most of the above are disguised forms of entrapment marketing from which victims subsequently find it hard to disengage.
Victims and offenders
Victims of spam content are very hard to identify because of the general problem of under-reporting. Spam-assisted crime will be recorded by the principle offence, though usually the individual losses are either too small or victims are too embarrassed to make a report, or else they do not know to whom they should make a report. Yet, an analysis of ISP complaints statistics suggests that the overall threat to the majority of individuals is reasonably small because they tend to find their own ways of dealing with spams – although novel forms of spamming do frequently catch Internet users unaware (Wall, 2003).
The greatest danger posed by spams is towards vulnerable communities: the poor with financial problems; the terminally sick ever hopeful of some relief from their pain; the poor single parent who sends off their last $200 for a ‘work at home’ scheme; the youths who seek out ‘cheats’ for their computer games. A particularly vulnerable group are the newly retired who possess all of the ingredients for online fraud – spare time, lack of computer knowledge and large sums of money to invest.
The spammers are also a very heterogeneous group. At one end of the spectrum are the honest brokers who genuinely seek to advertise products and services, but at the other end are the dishonest brokers whose aim is purely to entrap and defraud. Somewhere in the middle are the misguided brokers, protesters, pranksters, smugglers, artists and list builders.
Canning the Spam!
There are a number of ways that we can deal with spam, of which increasing legislation is the most obvious. However, while the law tells us what it right and wrong, various challenges to law enforcement and also issues of unequal access to justice for the individual emerge because the spam problem is trans-jurisdictional. As
The first technique is hardening computers by technological means, using spam filters, e-mail preference services, e-mail filtering facilities, and other software. But self-protection through technology does not make up for shortfalls in law.
The second technique is more education to understand the nature of the beast – what is and what is not spam and what the risks are. This information is currently provided by coalitions of interested parties, NGOs and government organisations. Especially informative is Spamhaus.org, the Coalition Against Unsolicited Commercial Email (cauce.org), and also David Sorkin’s spamlaws.com site.
The third technique is for individuals to consult counter-spam groups such as Spamhaus.org, Spambusters.com and Junkbusters.com about how they can remove their own addresses from existing spam lists.
The fourth is to choose an Internet service provider with a robust policy towards spams. Some (mainly
The fifth and final technique is to lobby politicians into pushing for a more co-ordinated international response. The Parliamentary All Party Internet Group (apig.org.uk) have been very active in this endeavour.
Conclusion
I began by saying that individual spams are little more than a nuisance, but collectively they pose a considerable threat to our infrastructure. We need to wise up to the fact that spam is here to stay in one form or another. Not only will they continue to increase in number, but spammers and their software are very inventive and reflexive to changes in security. Unfortunately, this reflexivity means that if we are to maintain current Internet freedoms and openness and not become strangled by security, then we also may have to tolerate spam to some degree. Although, on a more encouraging note, spam legislation, when accompanied reflexively by a range of other measures, constitutes the most viable and effective attack upon what has quickly become ‘the white noise’ of the Internet.
============
Dr David S. Wall is the Director of the Centre for Criminal Justice Studies at the
This article is based upon research originally funded by a Home Office Innovative Research Award. See further pp. 123-130 Wall, D.S. (2003) ‘Mapping out Cybercrimes in a Cyberspatial Surveillant Assemblage’, pp.112-36 in Webster, F. and Ball, K. (2003) The intensification of surveillance: Crime terrorism and warfare in the information age,