The Role of Public Policy in the Fight Against Spam

Presentation Transcript

Jacob Scott

UC Berkeley

IEEE

August 3rd, 2004

Spam Threatens the Viability of E-Mail

“Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.”

FTC Commissioner Orson Swindle, June 2003

Incredible Growth

“Since Hotmail deployed it six months ago, SmartScreen has been blocking more than 95 percent of all incoming spam — an average of nearly 3 billion messagesevery day.”

Bill Gates, June 2004

Wide-ranging Effects

Businesses
Consumers
ISPs
Legitimate E-Mail Marketers

“Today, it is estimated that 80% of email traffic is spam and the costs of spam to the global economy amounts to USD 25 billion annually.”

Press Release, UN ITU, July 2004

Example: Phishing

Anti-Phishing

Working Group

“Direct losses from identity theft fraud against these phishing attack victims cost U.S. banks and credit card issuers about $1.2 billion last year”.

Press Release, Gartner Research, May 2004

Good Spam versusBad Spam

Good Spam

Annoying
Identifiable
Legitimate
Possibly Requested
Big Business

“This translates into an excess of $19 billion spent in response to commercial e-mails in 2003.”

Direct Marketing Association, March 2004

Bad Spam

Untraceable
Deceptive
Fraudulent
Pornographic
Illegitimate
The Problem

The Reasons for Spam:Profit and Anonymity

The Spam Profit Numbers

5% of e-mail users have purchased from UCE
Cost to send one e-mail: $.0005
Profit possible with .0001% response rate

AOL’s captured spammer Porsche

E-Mail: Exactly the Same Since 1982

SMTP Provides No Authentication, Enables Anonymity

Anti-Spam Technology

Filters look at incoming e-mail and sort spam from legitimate messages

Filtering Mechanisms

IP Blacklists
Header/Routing Analysis
Heuristics
Adaptive (Bayesian)
URL Filtering
Checksums/Signatures
Collaborative Networks
Challenge-Response
Many more…

Filtering Success

Brightmail advertises that their filter catches 95% of all spam, and mislabels only 1 in a million false positives
CRM114, open source spam “classifier” reports over 99% accuracy rate in spam/ham sorting
Vibrant R&D, commercial implementations

The Spam “arms race”

Increased volume
Evasive techniques
Concern over false positives
The worst spam (sent by “outlaw spammers”) are the hardest to defeat technologically

“Knowing that only a small percentage of their output will get past today's filters, spammers have responded by significantly cranking up the volume of emails they send. So networks are burdened with even more junk than before.”

Bill Gates, June 2004

The CAN-SPAM Act of 2003

Introduction

First national anti-spam law
Originated as S877
Passed Senate 97-0
Passed House 392-5
Signed December 16, 2003

Senator Burns

Senator Wyden

Motivation

“senders of commercial electronic email should not mislead recipients as to the source or content of such mail; and recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.”

CAN-SPAM Act of 2003

Strong on fraud and deception
Weak on privacy
Consumer protection law – Federal Trade Commission is point

Opt-In, Opt-Out

CAN-SPAM is single-source opt-out

Ask each e-mailer to stop, one at a time

Chosen over opt-in

marketers have to ask before they send
Popular in Europe

Does the difference matter?

“Imagine that you put a ‘do not solicit’ sign at the front door of your home, and every company in the world could only ring your doorbell once, at which point you could tell the salesperson not to bother you anymore…”

Consumers Union, May 2004

Probably Not

“the practical difference between opt-in and opt-out laws in terms of real enforcement is virtually nonexistent. If a spammer wishes to convert the strongest opt-in law into an opt-out law, all he or she needs to do is tell one lie: ‘The recipient requested to receive my messages.’”

Matthew Prince, July 2004

The worst “outlaw” spammers will not care either way

Compromise?

Do Not E-Mail Registry

Provides global opt-out
Anyone who sends to e-mails in the registry is in trouble
Modeled after the Do Not Call Registry

Probably Not

“This Report concludes that a National Do Not Email Registry, without a system in place to authenticate the origin of email messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers.”

FTC DNE Registry Report, July 2004

How can you not e-mail someone without knowing who not to e-mail?
How can use of the registry be required and enforced?

The Ways in Which You Can Spam Under CAN-SPAM

Good Spam, Bad Spam Again

What You Must Do

In commercial e-mail

Include an opt-out mechanism
Include a real physical address
Clear notice that the message is an advertisement

No requirement for this to be machine readable, but does give good hints to filters

What You Cannot Do

Falsify header or route information of your e-mail messages
Hack into other computers and send spam from them
Harvest e-mail addresses from the web or in a directory harvest attack
Hire other people to spam for you
Send adult-oriented spam without a subject line label (FTC rulemaking)

Penalties

Quite stiff

Violations of CAN-SPAM are considered violations of the FTC Act, $11,000 per violation
Some violations are criminal, with up to five year prison terms
ISPs and State AGs can sue under CAN-SPAM for civil damages (caps in some cases)

Getting Tough on Enforcement

Importance of Enforcement

CAN-SPAM has teeth, but does it bite?

Outlaw spammers will not follow law if not enforced

Provides an avenue to recoup spammer profits
Creates a deterrent effect, makes spammers think twice

Compliance and Enforcement

Average CAN-SPAM compliance over first six months only 2.3%
FTC has brought only two actions under CAN-SPAM (62 total spam cases in history)
Roughly a half dozen ISP CAN-SPAM based lawsuits pending
Maybe one or two state cases