CPSC 457:
Sensitive Information in a Wired World
Anti-Spam Legislation and Technology
Jeannie Wong
Costs of Spam
In the U.S. and the E.U., half of all email is unsolicited commercial email.
The Federal Trade Commission maintains and monitors a spam database, and has set up a special mailbox that receives 40 thousand junk emails a day.
Spam is used not only to peddle merchandise and various money-making scams, but also to disseminate computer viruses.
FTC: spam costs between $10 billion and $87 billion annually.
7 billion pieces of spam are sent daily, which drains bandwidth and productivity.
ISPs pass the increased cost along to their customers.
Schumer: NYC residents receive 8.25 million pieces of spam daily and spend 4.2 million hours annually deleting them.
Jupiter Research: in 2002, $1.4 billion spent on email marketing campaigns; in 2007, $8.3 billion will be spent
Anti-spam technology is an $88 million industry.
Spam originates mainly from:
1. United States - 33%
2. China - 18%
3. Korea - 9%
4. Brazil - 4%
5. Canada - 3%
6. United Kingdom - 2%
7. Italy - 2%
8. Mexico - 2%
9. Germany - 2%
10. Taiwan - 1%
Anti-spam Legislation
107th Congress: 8 bills
106th Congress: 11 bills
108th Congress: 9 bills
Anti-Spam Act of 2003
Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003
CAN-SPAM Act of 2003
Computer Owners’ Bill of Rights
Criminal Spam Act of 2003
REDUCE Spam Act of 2003
Reduction in Distribution of Spam Act of 2003
Stop Pornography and Abusive Marketing Act
Wireless Telephone Spam Protection Act
CAN-SPAM Act of 2003
Controlling the Assault of Non-Solicited Pornography and Marketing Act
Reintroduced for the third time in April 2003 by Sen. Conrad R. Burns (R-MT) and Sen. Ron Wyden (D-OR)
Requires unsolicited commercial email messages to be labeled, to include opt-out instructions, workable return email addresses, and the sender’s physical address
Preempts state laws that prohibit unsolicited commercial email outright
Imposes fines of up to $10 per email, up to $500,000, on spammers if the receiver has opted out, and a fine of up to $1.5 million for spammers who willingly and knowingly violate the law
CAN-SPAM Act of 2003
Imposes fines of up to $1 million for deliberately deceptive email
A criminal penalty of up to a year in jail for spammers who include deceptive subject lines and misleading header information.
Criminal Spam Act of 2003
Introduced June 19, 2003 by Sen. Orrin Hatch (R-UT)
Cosponsors: Senators Leahy, Schumer, Grassley, Feinstein, DeWine, Edwards, Wyden, Burns, Pryor, Miller, and Nelson.
Prohibits unauthorized or deceptive use of a third party’s computer for relaying bulk commercial email messages
Prohibits the use of false header information in bulk commercial messages
Regulates the use of multiple email accounts or domain names for the purposes of sending such messages.
Applies only to quantities of more than 100 messages within 24 hours, or 1000 within 30 days, or 10000 within one year.
Senders of email with misleading headers may be fined up to $25,000 each day or receive up to five years in federal prison
SPAM Act
Stop Pornography and Abusive Marketing Act
Introduced in June 2003 by Sen. Charles Schumer (D-NY)
Establishes a national “no-spam” registry, administered by the FTC, using fees paid by marketers for access to the list
FTC would be empowered to prohibit explicit commercial messages to minors even if they are not on the list
Requires full disclosure in email headers and addresses and working unsubscribe mechanisms; bans the use of false sender names and automated harvesting of email addresses
SPAM Act
All messages that contain commercial content must have the letters ADV in the subject line, except those sent in compliance with an FTC-approved self-regulatory program, and must include the sender’s physical address.
Jail time of up to 2 years for severe repeat offenders.
$75 million needed to create the system, including the FTC registry and for enforcement.
Supports domain-wide opt-out
REDUCE Spam Act of 2003
Restrict and Eliminate the Delivery of Unsolicited Commercial Electronic Mail or Spam Act of 2003
Introduced in May 2003 by Rep. Zoe Lofgren (D-CA)
Unsolicited bulk commercial email messages would be required to include a valid reply address and opt-out instructions, and a label (“ADV:” or “ADV:ADLT” or some other form of recognized standard identification)
Applies to messages sent in the same or similar form to 1000 or more email addresses within a two-day period
False or misleading headers and deceptive subject lines would be prohibited in all unsolicited commercial email messages, whether or not sent in bulk
REDUCE Spam Act of 2003
Similar to the Burns-Wyden bill with the addition of a reward of 20 percent of the civil fine levied by the U.S. Federal Trade Commission against the spammer to the first person to report a spam offender.
Gives Internet service providers the right to bring civil actions against marketers who violate those requirements and disrupt their networks, and it allows for criminal fines and up to a year in prison for fraudulent spam.
Anti-Spam Act of 2003
Introduced June 18, 2003 by Rep. Heather Wilson (R-NM)
Cosponsors: Rep. Rick Boucher (D-VA) & Rep. Ed Markey (D-MA)
Commercial email messages must be identified as such, must include the sender’s physical street address, and an opt-out mechanism.
Messages relating to a specific transaction and consented to by the recipient would be exempt from the requirements
Sexually explicit messages must be identified with a standard label
Commercial email messages with false or misleading message headers or misleading subject lines are prohibited.
Anti-Spam Act of 2003
Sending commercial email messages to addresses generated by an automated dictionary attack would be illegal.
Preempts state laws that restrict the sending of commercial email, regulate opt-out procedures, or require subject-line labels.
Laws that regulate falsification of message headers would remain in place
Reduction in Distribution of Spam Act of 2003
RID-Spam Act
Introduced in May 2003 by Rep. Richard Burr (R-NC)
Cosponsors: Rep. Billy Tauzin (R-LA) and Rep. James Sensenbrenner (R-WI)
Requires all commercial email messages to be identified as such and to include the sender’s physical address and an opt-out mechanism.
Unsolicited sexually explicit messages must be identified with a standard label.
Prohibits the use of false or misleading headers in commercial messages.
Preempts state laws that prohibit unsolicited commercial email, regulate opt-out procedures, or require subject-line labels.
Lets ISPs (but not individuals) sue spammers for damages
Problems with proposed legislation
Definition of spam as fraudulent email
Andrew Barrett, executive director of SpamCon: RID-SPAM Act = “The Spammer’s Bill of Rights”
No distinction between content and consent
Implementation barriers
FTC Chairman Tim Muris: "A do-not-spam list is an intriguing idea, but it is unclear how we can make it work."
Problems with proposed legislation
High cost of enforcement
Makes it more difficult to prosecute spammers
RID-Spam Act makes suing spammers more complicated than it is under the FTC Act
Criminal Spam Act of 2003 requires that federal prosecutors prove a spammer falsified his identity in 10 thousand different emails to bring a felony charge
Opt-out puts the burden on consumers
Better to have legislation favoring permission-based email
Anti-spam legislation in the EU and UK
In May 2002, the European Parliament passed anti-spam legislation requiring companies to receive consumer opt-in permission before sending them commercial email
In the U.K., under a new directive which starts on December 11, companies and individuals can be fined up to $8200 for sending unsolicited commercial e-mail and SMS text messages to mobile phones without prior agreement.
World’s Fourth Largest Spammer
Details Magazine - October, 2003 Issue: 9th Most Powerful Men in America under Age 37
World’s Premier Spammer
Alan Ralsky
Settled a lawsuit brought against him by Verizon Internet Services in 2002
Now sends most of his spam mails from overseas
Controls 190 e-mail servers: 110 in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India
Charges a commission on sales or a flat fee of up to $22,000
Has a master list of 250 million valid addresses
Response rate of 0.25 percent
Spam blocking technology
Bill Conner of Entrust: digital credentials
Brightmail Solution Suite
Internet Engineering Task Force: implementing a single architecture that will allow receivers to express consent or non-consent
Destroy the spammer’s business model
Bayesian filters
Other client-side filters
Steps individuals can take
Choose an email address name that is hard to guess
Don’t post your email online
Get a spam filter
Don’t reply to spam
spam-baiting is inadvisable
Be careful when installing free software
Don’t sign up for free web services
Report spam to your ISP or to the FTC at