• United States

Anti-spam law just a start, panel says

Dec 18, 20035 mins
Enterprise ApplicationsMalwareMessaging Apps

NEW YORK – While it’s an important first step, the federal anti-spam law signed this week is unlikely to reduce spam noticeably, and companies will have to find other ways to fight it, a panel of experts agreed Wednesday.

Speaking at Network World’s “Spam Forum: The Future of E-mail” in New York, the panelists indicated that the legislation is nothing more than an initial swipe at a problem that is much bigger than the attempted solution (Hear the audio Webcast).

One issue is that the Federal Trade Commission, which has been charged with enforcing the law, has too much on its plate to effectively build many cases against criminal spammers, said Eileen Harrington, associate director for marketing practices at the FTC’s Bureau of Consumer Protection.

“It really is a stretch for us,” she said. “Spam investigations are very resource-intensive.” The law gives the FTC new responsibility without new funding, and the organization has other high priorities, like tracking identity theft and enforcing the new National Do Not Call Registry.

As for state anti-spam efforts, the states are in worse shape, with extremely tight budgets, Harrington said.

Another issue is that the definition of spam is still quite fuzzy. The new law limits the definition to unsolicited commercial bulk e-mail, leaving out political bulk e-mail, for instance.

But to some, spam is any e-mail they don’t want.

“It doesn’t matter how government defines [spam],” because in the end, what customers want to receive is what counts, said Mary Youngblood, manager of ISP Earthlink’s Abuse Team. Earthlink gives its customers several different options for spam filtering, so they can choose their preferences.

Yet another issue is that the law allows “opt-out” marketing – that is, a company can send e-mail users unsolicited advertising until the users tell the company to stop.

“Everybody gets a bite at the apple,” said Ted Gavin, founding trustee, secretary and chief financial officer of the SpamCon Foundation, a non-profit group organized to preserve e-mail as a viable communications medium. “The problem is that it’s an expensive apple, and the person paying for it isn’t the one biting the apple; it’s the one holding the apple.”

The benefits

On the plus side, the experts agreed that the law raises awareness of the spam scourge among law enforcement and starts to spell out how e-mail advertising might be done legally and ethically.

“It provides a framework for the good guys,” said David Silver, vice president of business development and strategy at Responsys, an e-mail marketing firm. “For legitimate marketers, [the federal law] is less confusing than the [state] laws that were evolving and changing.”

“Definition of the crime had to start someplace,” said Wilson D’Souza, vice president of the global collaboration and directory services team for Merrill Lynch.

The panelists agreed that specifying directory-harvest attacks as a crime, for instance, was impressive. Directory-harvest attacks are a spammers’ technique for gathering valid e-mail addresses. They work by bombarding e-mail servers with large numbers of messages aimed at fabricated addresses. When a message gets through, the spammer notes that the address used is active.

“That practice is now a violation of federal law,” said the FTC’s Harrington. “Hopefully [spammers who conduct the attacks] will be criminally prosecuted. But if not, certainly the FTC will go after them in a civil suit.”

Another good inclusion in the law is a provision that companies can be liable for spam crimes even if they hired another firm to do their e-mail marketing for them, SpamCon’s Gavin said. That should help authorities prosecute companies that use spamming firms outside of the U.S.

Only part of the solution

The panel clearly recognized, however, that there is only so much the U.S. government can do. “Spam is really a global problem,” Harrington said. “The U.S. has put its marker down.” The FTC is working with other governments to track down spammers, “but it’s very slow going,” she said.

In addition to legislation, technical tools and education for marketing companies and e-mail users are needed, the panel agreed.

Postini CEO and President Shinya Akamine promoted his company’s anti-spam services, saying that Postini uses its technology to find the attributes of good e-mail and let that through to its customers. He also said anti-spam companies like his are now “bigger than the spammers” and can react more quickly than ever to new spammers’ techniques for getting through filters.

The panel discussed techniques for making spam a financially less attractive option for marketing. Currently, marketing through e-mail costs very little to the marketer.

Gavin said that a “micropostage” option, where senders pay a little for each message sent, has been around for a while, but has had no success.

Earthlink’s Youngblood said the ISP can use technology to identify spam-like behavior and have the ISP’s switches deny traffic from a spammer once a threshold has been reached.

Certainly, waiting for a do-not-spam list isn’t really an option. The panelists roundly criticized the idea of keeping a central database of e-mail addresses of people who don’t want to receive e-mail, a concept similar to the current federal anti-telemarketing do-not-call registry.

Responsys’ Silver pointed out that the database would have to be very specific about what e-mail is acceptable to a user and what isn’t. Akamine said that the database “would be the biggest target in the world for hackers.” And D’Souza said the database would be “pushing the problem offshore again,” as spammers move operations to locations where do-not-spam lists don’t apply.

The FTC’s Harrington put it all in perspective when she noted that it took 10 years for the do-not-call registry to go from concept to reality, as the commission tried to determine any unintended consequences. “That would be the approach we would take” with the do-not-spam registry, she said.