Asia Perspective: The Tripartite War Against Spam

If spam emails presented only an occasional nuisance, most people would simply delete them and get on with work and life. However, depending on which analyst you speak to, between 40 percent and 80 percent of incoming email may be unsolicited bulk email.

If spam contained only content we did not consent to or care for, dealing with it would be just a tedious matter of moving it to the Trash mailbox. Worse, more and more incoming spam contains not only relatively harmless text or HTML content but also dangerous “payloads” of Trojans, viruses, or other malware.

Why? Such malware is used to infect the user’s computer and turn it into a zombie SMTP host that relays future spam. Spamming has moved from the old days of individual spammers to commercial organizations, and there is now an even more advanced trend of crackers, called “spackers” (spam crackers), who resell zombie SMTP hosts through proxies around the world. This reduces the legal exposure of the end-user spammers or spamming organizations by making them all the more untraceable by conventional forensics.

In short, the world of spamming has become much more sophisticated than regulatory controls: many zombie hosts are in developing nations and are merely “pawns” in the spamming scheme, not a sign of malicious intent on the part of the infected computers’ owners or users.

We also need to distinguish between “content” and “consent,” because there has been public opinion that some spam may be useful to select individuals. However, the true definition of spam is not about whether little blue pills might benefit some, but about whether you consented to receiving the email in the first place.

If technology and the diligence of users can collectively do only so much, can legislation backed by punitive measures make things work?

As of the APCAUCE (The Asia Pacific Coalition Against Unsolicited Commercial Email) event in February 2004, Taiwan R.O.C. and Malaysia do not yet have binding laws with associated punitive measures that limit spamming, but focus on requesting service providers and end users to “self-police” for the time being. Legislation is a necessarily tedious process: passing a law makes it concrete and binding, and any future or incremental change will require the same tedious approval process.

The United States passed the CAN-SPAM Act on October 22, 2003, with the crux being “opt out” for those on mass mailing lists. This means that theoretically, if your name and email address appear in a list you did NOT subscribe to, it is your responsibility to unsubscribe yourself. This may present a problem because the burden of unsubscribing from unsolicited lists still falls on end users. On balance, CAN-SPAM has many punitive measures, including one year of jail time and a fine of up to US$1 million, and up to five years of jail time for repeat offenders. There are also specific requirements in the Act that disallow misleading and pornographic subjects, as well as a strict rule against spamming those on “do not spam” lists.

Just a month earlier, on September 18, 2003, the honorable Senator Richard Alston of Australia announced the antispam law there, which has a powerful limiter on spam: spammers are allowed to send only to those on “opt in” lists. This means that if you send spam to someone who did not subscribe to your mailing list, you may be breaking the law. As with the U.S. CAN-SPAM Act, the Australian law is very punitive for offenders as well, with fines of up to AU$44,000 per day for individual spammers and up to AU$220,000 per day for corporate spammers. Repeat offenders can pay fines from AU$220,000 per day for individuals and AU$1 million for corporations.

Spam is a unique problem, and relying on good filtering technology, the diligence of end users, or strong legislation alone may not work to eradicate it. Only by combining all three, coupled with transparent cooperation between ALL countries worldwide to share information, can spam eventually become a nonissue. The road to success may still be long, but it is very possible to get there when the power of “three” becomes one.

By Seamus Phan

Based in Singapore, Seamus Phan is one of Asia’s leading thinkers and practitioners in business leadership, Internet security, and marketing.

