• About CSIA
  • Mission Statement
  • Committees
  • CSIA Team
  • CSIA Offices
• Board Members
• Events
  • CSIA Events
  • Industry / Gov't Events
  • Member Events
• Member Directory
• Newsletters
  • Current Issue
  • Archive
  • Sign Up
• Testimonials
• Join CSIA

SPAM: Get the Facts

What is spam?

Spam is an unsolicited bulk message, typically received via email, though it can also be received via instant messages (SPIM), mobile messages, images, Usenet newsgroups, Web search engines and blogs. Spam, also known as unsolicited commercial email (UCE) or unsolicited bulk email (UBE), is often used to promote scams involving a product, service or "get rich quick" scheme. Some spam messages are inappropriate, sexually-explicit advertisements that try to lure the recipient's interest with false promotions and products.

How prevalent is spam?

Spam is an increasingly troublesome issue for businesses and consumers worldwide. Some statistics on spam include:

• Spamhaus, an international non-profit anti-spam organization, states that 80 percent of spam received by Internet users in North America and Europe can be traced via aliases and addresses, redirects, hosting locations of sites and domains, to a hard-core group of around 200 known spam operations.
• In 2005, spam cost an estimated $17 billion in the United States in lost productivity and the expense of measures to fight it, according to San Francisco-based Ferris Research.
• In November 2006, the European Commission reported that spam makes up 50 to 80 percent of all messages sent to email inboxes and two-thirds of that is coming from outside the European Union.

Why is spam a problem?

The California legislature found that spam cost United States organizations alone more than $10 billion in 2004, including lost productivity and the additional equipment, software and manpower needed to combat the problem. In 2005, Ferris Research estimated that spam would cost $51.1 billion globally and estimated costs to the major European economies, Germany, UK and France, to amount to 6.8 billion euros.

There are several major problems associated with bulk spamming. One issue is that the growing volume of unwanted email places an unprecedented strain on existing IT infrastructures and undermines email's effectiveness as a business tool. While spam itself does not necessarily carry a computer virus, there is a connection because many email virus programs involve a mass-email element. In addition, spam can cause denial-of-service (DoS) attacks in Usenet newsgroups (otherwise known as Internet chat rooms). By sending an overwhelming amount of spam messages to a specific newsgroup, legitimate messages and computing resources can be lost in the shuffle as users are trying to delete the junk emails. Spam can also contain malicious scripts that can be activated when a user opens an attachment in the email.

Other crimes that typically accompany spam include: identity theft attacks, data and intellectual property theft, viruses and other malware infections, child pornography, fraud and deceptive marketing.

How does a spammer get email addresses?

Consumers who register for chat rooms, newsletters or online services can easily have their email addresses harvested from the Internet by a list broker. Spammers buy these lists for a minimal cost from brokers and then send millions of emails at one time. Because many mailing lists limit activity to their subscribers, spammers will often use automated tools to subscribe to as many mailing lists as possible, so that they can obtain more address lists or use the mailing list as a direct target for their attacks. Spammers use special harvesting software programs, known as "robots" or "spiders" to record email addresses listed on Web sites.

Are spammers getting more sophisticated?

Lately, fraudsters have been using hijacked bot networks to increase spam spread through more aggressive attacks. Bot networks, more commonly referred to as "bot nets," are compromised of PCs that can automatically send out spam emails. Consumers and businesses are at an additional risk because the owner of the computer could be held liable for any criminal or civil penalties that result from actions taken by the fraudster.

Spammers have advanced their methods recently by using a technique called "island-hopping," in which they use Internet domains from foreign nations to disguise their mass email campaigns. They have also developed new types of spam that tries to defeat standard anti-spam technologies. For example, image spam evades anti-spam applications by embedding messages in emailed image files, rather than using traditional text emails.

Spammers also try to conceal their identities by spoofing or hiding the origin of their email address so that unwanted messages appear to be coming from another source. They use false names, emails and addresses to set up disposable email accounts with Internet Service Providers (ISPs) and often use stolen credit card accounts to do so, making it harder to track them down.

How can consumers and businesses limit the amount of spam they receive?

According to the U.S.-based Federal Trade Commission (FTC), consumers should take the following measures to reduce the amount of spam they receive in their inbox:

• Try not to display your email address in public. This includes newsgroup postings, chat rooms, Web sites or online service membership directories.
• Check the privacy policy when submitting an address to a Web site. If a Web site allows the company to sell email addresses, consumers may want to opt out of this provision, if possible, or not submit to a site that will not protect addresses.
• Read and understand the entire form before transmitting personal information through a Web site. Some sites allow users to opt-out of receiving emails from their partners, but might require users to uncheck a pre-selected box to opt-out.
• Consider using two email addresses - one for personal messages and one for newsgroups and/or chat rooms. A disposable email address service can create a separate email address and forward messages to another account.
• Use a unique email address. Spammers use "dictionary attacks" to sort through possible name combinations at large ISPs or email services, hoping to find a valid address. Thus, a common name such as "jdoe" may get more spam than a unique name like "jd51x02oe."
• Use an email filter. Email accounts often provide a tool to filter out potential spam or a way to channel spam into a bulk email folder.

Is there an organization that monitors spam?

Consumers who receive unsolicited commercial email messages should forward those messages to the U.S.-based FTC at [email protected]. Consumers should also let the FTC know if a "remove me" request has not been honored.

It is important to note that the FTC does not take action on individual complaints. Rather, it collects thousands of complaints and uses them to identify and pursue the most abusive spammers. Because a large portion of spam comes from offshore sources, it is very difficult for local law enforcement to pursue spammers.

Are there any U.S. federal or state laws that prohibit spamming? Have they helped?

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) Act of 2003 requires unsolicited commercial email messages to be labeled as such and to provide instructions on how to opt-out. The legislation gives consumers the right to ask senders to stop spamming them but it does not allow email recipients to sue spammers or file class-action lawsuits.

The FTC is authorized to enforce the federal CAN-SPAM Act and the Department of Justice (DOJ) has the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction and companies that provide Internet access may sue violators. The full text of the federal CAN-SPAM Act can be found at http://www.spamlaws.com/federal/can-spam.shtml.

Some states have laws that can help consumers take legal action against spammers. Helpful sites that track current and proposed state laws include law.spamcon.org and spamlaws.com. In addition, the FTC recommended that Congress pass the US SAFE WEB Act (S. 1608), which would allow them to work more closely with foreign law enforcement officials to track down spammers whose operations are outside the United States. Signed into law by President Bush on December 22, 2006, the US SAFE WEB ACT also provides the FTC with new tools to fight against international online identify theft and spyware programs.

Some have speculated that the most substantial impact of the CAN-SPAM Act is that it has made it easier for ISPs to go after spammers and bring them into court. Among the companies that have used the CAN-SPAM Act are Microsoft, EarthLink, Yahoo and America Online. One of the biggest cases of 2004 was tried under a state anti-spam law and Jeremy Jaynes, thought to be one of the world's top 10 spammers, was sentenced to nine years in prison under Virginia legislation.

What has been done in Europe to prevent spam?

In 1995, the EU adopted the Data Protection Directive which established the basic principles for the collection, storage and use of personal data. This Directive applies to governments, businesses and any other organizations or individuals engaged in handling personal data. Regarding spam, this Directive states that email addresses are considered "personal data" and harvesting them on public Internet sites such as chat rooms is considered illegal.

In 2002, the European Union adopted the Privacy and Electronic Communications Directive (E-Privacy Directive), which bans the use of spam throughout the EU and requires companies to gain consent before sending emails ("opt-in principle"). In 2004, the Commission presented specific actions in the areas of awareness, self-regulation/technical actions, cooperation and enforcement to complement this Directive, the so-called "Measures to counter unsolicited commercial communications ("spam")".

In November 2006, the European Commission adopted its Communication on fighting spam, spyware and malicious software, in which it calls on Member States, regulatory authorities and industry to step up the fight against spam. As Commissioner Vivian Reding commented, "It is time to turn the repeated political concern about spam into concrete actions to fight spam." The Communication does not propose any new legislation, rather it identifies a number of actions to promote the implementation and enforcement of the existing legislation outlined above, as the lack of these is seen as the main problem. Furthermore, the Commission calls upon email service providers to apply a filtering policy, as recommended by the European Network and Information Security Agency in its survey of industry measures taken to comply with the E-Privacy Directive. In 2008, the Commission will review and assess the implementation of the proposed actions and decide whether additional initiatives are required.

Because spam is a cross-border issue, the Commission has set up a Contact Network of Spam Authorities (CNSA) that meets regularly to discuss best practices for cross-border enforcement mechanisms. CNSA has also established specific procedures to handle cross-border spam complaints. The EU actively works with the U.S. to combat spam through joint enforcement initiatives and is involved in spam working groups and discussions with Asia, Canada, China and Japan.

What is CSIA's position on spam?

CSIA believes there has been good traction in both the U.S. and Europe in the fight against spam in recent years. However, CSIA encourages both Congress and the EU to consider stronger law enforcement methods to address spammers attempting identity theft and phishing crimes.

In the U.S., CSIA supports the CAN-SPAM Act, but believes that Congress should look at broader ways to combat spam, spyware and a host of other cyber security issues. CSIA supports the passing of additional laws, including the recently signed US SAFE WEB Act, which will bolster the FTC's efforts to protect consumers by combating spam, spyware, and Internet fraud and deception.

CSIA welcomes the EU's initiatives in the fight against spam and agrees that more attention should be paid to the implementation and enforcement of the existing legislation, but also encourages the EU to look at broader ways to combat spam, spyware and a host of other cyber security issues. Also, as the majority of spam emanates from outside of the EU territory, there is a growing need for further international cooperation to fight the growing problem of spam.