by Nathan Peske, UMN Law Student, MJLST Staff
On May 1, 1978, Gary Thuerk sent the first unsolicited mass e-mail on ARPANET, the predecessor to today’s Internet. Thuerk, a marketing manager for Digital Equipment Corporation (DEC), sent information about DEC’s new line of microcomputers to all 400 users of the ARPANET. Since ARPANET was still run by the government and subject to rules prohibiting commercial use, Thuerk received a stern tongue-lashing from an ARPANET representative. Unfortunately, this failed to deter future senders of unsolicited e-mails, or spam, and it has been a growing problem ever since.
From a single moderately annoying but legitimate advertisement sent by a lone individual in 1978, spam has exploded into a malicious, hydra-headed juggernaut. Trillions of spam e-mails are sent every year, accounting for up to 90% of all e-mail sent. Most spam e-mails are false ads for adult devices or health, IT, finance, or education products. The e-mails routinely harm the recipient through attempts to scam money, like the famous Nigerian scam, phishing attacks to steal the recipient’s credentials, or distribution of malware either directly or through linked websites. It is estimated that spammers cost the global economy $20 billion a year in everything from lost productivity to the additional network equipment required to transmit the massive increase in e-mail traffic due to spam.
While spam is clearly a major problem, legal steps to combat it are confronted by a number of identification and jurisdictional issues. Gone are the Gary Thuerk days when the sender’s e-mail could be simply read off the spam e-mail. Spam today is typically distributed through large networks of malware-infected computers. These networks, or botnets, are controlled by botmasters who send out spam without the infected user’s knowledge, often for another party. Spam may be created in one jurisdiction, transmitted by a botmaster in another jurisdiction, distributed by bots in the botnet somewhere else, and received by recipients all over the world.
Anti-spam laws generally share several provisions. They usually include one or all of the following: OPT-IN policies prohibiting sending bulk e-mails to users that have not subscribed to them, OPT-OUT policies requiring that a user must be able to unsubscribe at any time, clear and accurate indication of the sender’s identity and the advertising nature of the message, and a prohibition on e-mail address harvesting. While effective against spammers that can be found within the enacting entity’s jurisdiction, these laws cannot touch other members of the spam chain outside of its borders. There is also a lack of laws penalizing legitimate companies, often more easily identified and prosecuted, that pay for spamming services. Only the spammers themselves are prosecuted.
Effectively reducing spam will require a more effective international framework to mirror the international nature of spam networks. Increased international cooperation will help identify and prosecute members throughout the spam chain. Changes in the law, such as penalizing those who use spamming services to advertise, will help reduce the demand for spam.
Efforts to reduce spam cannot include just legal efforts against spammers and their patrons. Much like the international drug trade, as long as spam continues to be a lucrative market, it will attract participants. Technical and educational efforts must be made to reduce the profit in spam. IT companies and industry groups are working to develop anti-spam techniques. These range from blocking IP addresses and domains at the network level to analyzing and filtering individual messages, and a host of other techniques. Spam experts are also experimenting with techniques like spamming the spammers with false responses to reduce their profit margins. Efforts to educate users on proper e-mail security and simple behaviors like “if you don’t know the sender, don’t open the attachment” will also help bring down spammers’ profit margins by decreasing the number of responses they get.
Like many issues facing society today, e-mail spam requires a response at all levels of society. National governments must work individually and cooperatively to pass effective anti-spam laws and prosecute spammers. Industry groups must develop ways to detect and destroy spam and the botnets that distribute it. And individual users must be educated on the techniques to defend themselves from the efforts of spammers. Only with a combined, multi-level effort can the battle against international e-mail spam be truly won.