Spam

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Spam is usually defined as "unsolicited commercial emails," frequently sent in bulk.^[1] Spam remains a frequent and troubling issue for many Internet users. A report released by McAfee Security indicated that August-September 2013 had a large spike in spam emails with just under 4 trillion messages detected.^[2] Social media spam specifically has increased in the first part of 2013 by 355% according to Nexgate's State of Social Media Spam Report.^[3]

It is important to note that not all of what people consider to be spam is illegal and that spam can be used for legitimate advertising purposes, such as receiving email offers through online mailing lists.^[4]

Public Perception

Public perception on Spam ranges from viewing it as an irritating, yet inevitable, nuisance that comes with having an email address to a potentially dangerous threat to computer security. Spam has become such a large problem that it is addressed by law, making the activity of many spammers criminal.

Outcome

The outcomes of spam vary and include providing commercial offers, spreading malware, and enabling phishers to commit fraud and identity theft.

Historical Use

Spam can be used for a variety of purposes ranging from solicitation to criminal fraud and identity theft and accordingly, can vary greatly in content.^[2] Spam can be used to:

Commit fraud, such as 419 Fraud, where a Nigerian official asks for monetary help in order to transfer money out of Nigeria and offers a large reward,^[5] or the more recent Hurricane Katrina Relief Fraud^[1]
Perpetrate phishing scams by asking for personal or financial information
Install and spread malware and viruses
Create "zombie computers" or botnets controlled by hackers in order to send spam to more users and access private information^[6]
Share legitimate advertising or commercial offers

ICANN Policy

ICANN does not have a policy directly relating to spam as the "content of an e-mail message, ftp file, or web page bear no inherent relation to the assigned domain name, and therefore fall outside of ICANN's policy-making scope."^[7] However, the use of WHOIS data to send spam is a violation of ICANN's Registrar Accreditation Agreement, and in this case, ICANN suggests contacting the offending registrar. ^[7] A Security and Stability Advisory Committee (SSAC) study stated that "the appearance of email addresses in response to WHOIS queries assures spam will be delivered to these emails."^[8]

Legislation

CAN-SPAM Act of 2003 (or the Controlling the Assault of Non-Solicited Pornography And Marketing Act): originally enacted by the U.S. government in 2003 and updated in 2008,^[9] the CAN-SPAM Act defines the boundaries of what constitutes legal versus illegal spam. Legal commercial emails will fit the following requirements:^[10]

"The header of the commercial email (indicating the sending source, destination and routing information) doesn't contain materially false or materially misleading information;

The subject line doesn't contain deceptive information;

The email provides "clear and conspicuous" identification that it is an advertisement or solicitation;

The email includes some type of return email address, which can be used to indicate that the recipient no longer wishes to receive spam email from the sender (i.e. to "opt-out");

The email contains "clear and conspicuous" notice of the opportunity to opt-out of receiving future emails from the sender;

The email has not been sent after the sender received notice that the recipient no longer wishes to receive email from the sender (i.e. has "opted-out"); and

The email contains a valid, physical postal address for the sender."^[10]

It is important to note that this act only addresses commercial emails^[10] and does not address emails deemed transactional/relational or non-commercial.^[11] Additionally, fines up to $16,000 per spam email may be charged and guilty parties may even be subject to imprisonment if:
- The spammer uses another person's computer or email to send spam without his/her consent or
- If the spammer uses false information or domain names.^[11]

The U.S. wire fraud statute: this legislation prohibits any fraud or deception that uses "wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice."^[12] It has previously been used to address computer crimes although it was not originally created for this purpose.^[13] There is also a special provision that addresses fraud cases that try to benefit from disasters or emergencies.^[12] Under this act, using email to send out fake Hurricane Katrina Relief spam could result in up to 30 years in prison or 1 million dollars in fines.^[12]

Additional Resources

File an FTC Spam Compliant
Forward spam emails to spam@uce.gov
Read tips on How to Avoid Spam
View the SSAC Study concerning the relationship between WHOIS Services and Spam

References

↑ ^1.0 ^1.1 To Report Unsolicited Commercial E-mail ("Spam"), United States Department of Justice
↑ ^2.0 ^2.1 Spam Resurgence: Email's Nemesis Makes It Back on the List of Security Worries by Alexander Slagg (December 16, 2013), BizTech
↑ Social Media Spam Increased 355% in First Half of 2013 by Lorenzo Franceschi-Bicchierai (September 30, 2013), Mashable.com
↑ Spam at Webopedia
↑ Commons Fraud Schemes, Federal Bureau of Investigation
↑ FTC, Partners Launch Campaign Against Spam Zombies (May 24, 2005), Federal Trade Commission
↑ ^7.0 ^7.1 FAQs, Internet Corporation for Assigned Names and Numbers (ICANN)
↑ Is the Whois Service a Source of email Addresses for Spammers? (PDF), p. 5, Internet Corporation for Assigned Names and Numbers (ICANN)
↑ FTC Approves New Rule Provision Under the CAN-SPAM Act (May 12, 2008), Federal Trade Commission
↑ ^10.0 ^10.1 ^10.2 CAN-SPAM ACT OF 2003: CORE REQUIREMENTS, Legal Information Institute, Cornell University Law School
↑ ^11.0 ^11.1 CAN-SPAM Act: A Compliance Guide for Business, Bureau of Consumer Protection
↑ ^12.0 ^12.1 ^12.2 18 U.S. Code § 1343 - Fraud by wire, radio, or television, Legal Information Institute, Cornell University Law School
↑ Federal Computer Crime Laws by Maxim May, SANS Institute

[justice-1] 1.0 ^1.1 To Report Unsolicited Commercial E-mail ("Spam"), United States Department of Justice

[lab-2] 2.0 ^2.1 Spam Resurgence: Email's Nemesis Makes It Back on the List of Security Worries by Alexander Slagg (December 16, 2013), BizTech

[3] Social Media Spam Increased 355% in First Half of 2013 by Lorenzo Franceschi-Bicchierai (September 30, 2013), Mashable.com

[4] Spam at Webopedia

[Nigerian-5] Commons Fraud Schemes, Federal Bureau of Investigation

[6] FTC, Partners Launch Campaign Against Spam Zombies (May 24, 2005), Federal Trade Commission

[faqs-7] 7.0 ^7.1 FAQs, Internet Corporation for Assigned Names and Numbers (ICANN)

[8] Is the Whois Service a Source of email Addresses for Spammers? (PDF), p. 5, Internet Corporation for Assigned Names and Numbers (ICANN)

[9] FTC Approves New Rule Provision Under the CAN-SPAM Act (May 12, 2008), Federal Trade Commission

[core-10] 10.0 ^10.1 ^10.2 CAN-SPAM ACT OF 2003: CORE REQUIREMENTS, Legal Information Institute, Cornell University Law School

[compliance-11] 11.0 ^11.1 CAN-SPAM Act: A Compliance Guide for Business, Bureau of Consumer Protection

[wire-12] 12.0 ^12.1 ^12.2 18 U.S. Code § 1343 - Fraud by wire, radio, or television, Legal Information Institute, Cornell University Law School

[sans-13] Federal Computer Crime Laws by Maxim May, SANS Institute

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

Spam

Contents