States, Companies Begin to Can Spam

Transcription

1 www. Govtech.com States, Companies Begin to Can Spam - p. 1 States, Companies Begin to Can Spam News Report January 4, 2005 One year after the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act went into effect, on average 97 percent of unsolicited commercial e- mail over the past year failed to comply with the federal anti-spam law, security firm MX Logic found. "While we applaud the intent of the CAN-SPAM Act, clearly it has had no meaningful impact on the unrelenting flow of spam that continues to clog the Internet and plague inboxes," said Scott Chasin, CTO, MX Logic. "In fact, the overall volume of spam increased in 2004 and we fully anticipate continued growth in 2005." On average, spam accounted for 77 percent of all traffic through the MX Logic Threat Center in MX Logic has measured CAN-SPAM compliance each month since the law went into effect by examining a random sample of 10,000 unsolicited commercial s each week. During 2004, monthly compliance ranged from a low of 0.54 percent in July to a high of seven percent in December. 2004: The Year in Spam "Despite low compliance levels, the CAN-SPAM Act does provide enforcement capabilities and has helped to galvanize government and industry efforts to curb spam," Chasin said. "Unfortunately, ending the spam epidemic will require a long-term, ongoing effort that, in addition to the law, must also include technology, industry cooperation to improve authentication and security protocols, and end-user education." In 2004, the CAN-SPAM Act and state anti-spam laws have been used to pursue criminal prosecution and civil action against spammers. On March 20, four major Internet Service Providers filed the first lawsuits under CAN- SPAM. In April, Michigan conducted the first criminal prosecution under the CAN-SPAM Act, issuing arrest warrants for four men charged with sending out hundreds of thousands of fraudulent, unsolicited commercial messages advertising a weight-loss product. In September, Nicholas Tombros, the "wireless spammer," became the first person convicted under the CAN-SPAM Act. In November, Jeremy Jaynes, considered one of the top 10 spammers in the world, was sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers. Canning SPAM: Key Events in the Fight Against Spam

2 www. Govtech.com States, Companies Begin to Can Spam - p. 2 January The CAN-SPAM Act goes into effect on Jan. 1. While the law does not prohibit unsolicited commercial , it does require that unsolicited commercial senders: Ensure that the "FROM" line clearly reflects the sender's identity Include subject line text consistent with message content Include the advertiser's valid postal address Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial from the sender March Hypertouch, a California-based ISP, files the first civil lawsuit under CAN-SPAM against the owner of BobVila.com. On March 20, America Online, EarthLink, Microsoft and Yahoo! file the first major ISP lawsuits under CAN-SPAM. The Internet Engineering Task Force (IETF) creates a working group to examine Mail Transfer Agent (MTA) authentication, including examination of proposals for the domain name system (DNS) publication of data that allow validation of Internet Protocol (IP) address or envelope originator header data for SMTP MTAs. April Michigan conducts the first criminal prosecution under the CAN-SPAM Act, issuing arrest warrants for four men charged with sending out hundreds of thousands of fraudulent, unsolicited commercial messages advertising a weight-loss product. May Federal Trade Commission (FTC) issues a ruling requiring all unsolicited with sexually oriented content to bear the label "SEXUALLY-EXPLICIT:" in the subject line. Microsoft agrees to merge its Caller ID for anti-spam proposal with another of the leading domain authentication schemes, Sender Policy Framework (SPF), to form SenderID. June Only one in six s complies with the FTC "SEXUALLY-EXPLICIT" label. FTC issues "National Do Not Registry: A Report to Congress" on the feasibility of creating a Do Not registry. Among the report's conclusions are that a registry would be nearly impossible to implement today and could create a target for spammers. The report calls for a summit on authentication.

3 www. Govtech.com States, Companies Begin to Can Spam - p. 3 July CAN-SPAM compliance reaches a low of 0.54 percent, while 84 percent of all traffic through the MX Logic Threat Center is spam. August As part of Operation Web Snare, the U.S. Attorney's office in Los Angeles announces it filed charges against Nicholas Tombros for sending unsolicited advertising pornographic Web sites from his laptop computer while driving through Venice, Calif., and using unsecured wireless access points to disseminate spam. September Nicholas Tombros, the "wireless spammer," becomes the first person convicted under the CAN-SPAM Act. Sixteen percent of spammers have adopted the Sender Policy Framework (SPF) authentication scheme in an effort to make their messages appear more legitimate. IETF disbands its MTA Authorization Records in DNS (MARID) Working Group, which was tasked with developing an authentication standard to prevent forgery. The working group failed to achieve consensus support for the SenderID authentication proposal (a merger of Microsoft's Caller ID proposal and Sender Policy Framework). November FTC and the National Institute of Standards and Technology convene an Authentication Summit. Jeremy Jaynes, considered one of the top 10 spammers in the world, is sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers. December A Maryland judge overturns the state's anti-spam law (2002 Commercial Electronic Mail Act), ruling that it interferes with interstate commerce. In the largest judgment against a spammer to date, a federal judge in Iowa orders three companies to pay an ISP $1 billion in damages. MX Logic reports CAN-SPAM compliance hits an all-time high of 7 percent. Looking Ahead to 2005 In addition to continued growth in spam volume, MX Logic outlined several predictions for The Increase in number of phishing attacks and in attack sophistication

4 www. Govtech.com States, Companies Begin to Can Spam - p. 4 Gartner estimates that 57 million U.S. adults received a "phishing" attack in the 12 months prior to May 2004(1). MX Logic expects phishing attacks to increase in frequency and sophistication in Phishers will use trojans to launch phishing attacks by redirecting users to phony Web sites and soliciting account numbers and other personal financial information. As a result, Web browsers will likely add antiphishing technology in In an effort to prevent phishing attacks and online identity theft, financial institutions will move toward two-factor authentication tokens and smartcards meaning users will be required to have a password as well as a token or smartcard to conduct online financial transactions. In December 2004, the Federal Deposit Insurance Corporation called on financial institutions to upgrade existing password-based, single-factor authentication systems to two-factor authentication systems. Many consumers use something similar today in banking ATM cards. New methods of -distributed denial-of-service (DDoS) attacks In 2004, many users were exposed to MyDoom, the fastest-propagating e- mail worm in history. At the peak of the MyDoom outbreak, the MX Logic Threat Center reported infection rates of one in every six s. Part of the worm's call to action included initiating a denial-of-service attack against the domain sco.com. To date, denial-of-service attacks have been targeted primarily at Web sites. In 2005, new methods will aim to flood SMTP infrastructures, resulting in large-scale denial-of-service attacks that compromise networks. the FTC "SEXUALLY-EXPLICIT" label. FTC issues "National Do Not Registry: A Report to Congress" on the feasibility of creating a Do Not registry. Among the report's conclusions are that a registry would be nearly impossible to implement today and could create a target for spammers. The report calls for a summit on authentication. July CAN-SPAM compliance reaches a low of 0.54 percent, while 84 percent of all traffic through the MX Logic Threat Center is spam. August As part of Operation Web Snare, the U.S. Attorney's office in Los Angeles announces it filed charges against Nicholas Tombros for sending unsolicited advertising pornographic Web sites from his laptop computer while driving through Venice, Calif., and using unsecured wireless access points to disseminate spam. September

5 www. Govtech.com States, Companies Begin to Can Spam - p. 5 Nicholas Tombros, the "wireless spammer," becomes the first person convicted under the CAN-SPAM Act. Sixteen percent of spammers have adopted the Sender Policy Framework (SPF) authentication scheme in an effort to make their messages appear more legitimate. IETF disbands its MTA Authorization Records in DNS (MARID) Working Group, which was tasked with developing an authentication standard to prevent forgery. The working group failed to achieve consensus support for the SenderID authentication proposal (a merger of Microsoft's Caller ID proposal and Sender Policy Framework). November FTC and the National Institute of Standards and Technology convene an Authentication Summit. Jeremy Jaynes, considered one of the top 10 spammers in the world, is sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers. December A Maryland judge overturns the state's anti-spam law (2002 Commercial Electronic Mail Act), ruling that it interferes with interstate commerce. In the largest judgment against a spammer to date, a federal judge in Iowa orders three companies to pay an ISP $1 billion in damages. MX Logic reports CAN-SPAM compliance hits an all-time high of 7 percent. Looking Ahead to 2005 In addition to continued growth in spam volume, MX Logic outlined several predictions for The Increase in number of phishing attacks and in attack sophistication Gartner estimates that 57 million U.S. adults received a "phishing" attack in the 12 months prior to May 2004(1). MX Logic expects phishing attacks to increase in frequency and sophistication in Phishers will use trojans to launch phishing attacks by redirecting users to phony Web sites and soliciting account numbers and other personal financial information. As a result, Web browsers will likely add antiphishing technology in In an effort to prevent phishing attacks and online identity theft, financial institutions will move toward two-factor authentication tokens and smartcards meaning users will be required to have a password as well as a token or smartcard to conduct online financial transactions. In December 2004, the Federal Deposit Insurance Corporation called on financial institutions to upgrade existing password-based, single-factor authentication

6 www. Govtech.com States, Companies Begin to Can Spam - p. 6 systems to two-factor authentication systems. Many consumers use something similar today in banking ATM cards. New methods of -distributed denial-of-service (DDoS) attacks In 2004, many users were exposed to MyDoom, the fastest-propagating e- mail worm in history. At the peak of the MyDoom outbreak, the MX Logic Threat Center reported infection rates of one in every six s. Part of the worm's call to action included initiating a denial-of-service attack against the domain sco.com. To date, denial-of-service attacks have been targeted primarily at Web sites. In 2005, new methods will aim to flood SMTP infrastructures, resulting in large-scale denial-of-service attacks that compromise networks. Rise in frequency of spam without economic profit -borne propaganda from domestic political organizations and from foreign entities such as Al Qaeda affiliates will increase in frequency and in boldness. June 2004 saw the first use of a spambot network (a network of hijacked computers used to send spam) to propagate political spam with the appearance of German spam denouncing the presence of Turks and other foreigners in Germany. More than 25 variants of this "hate mail" flooded the Internet. Political spam is not covered by the CAN-SPAM Act. Growth in zombies for hire In 2005, an expanded number of distributed zombie spam networks will be built and rented out by spammers, providing the infrastructure for a significant increase in the volume of spam that can be distributed. MX Logic discovered that in recent weeks, as much as 69 percent of daily spam came from zombie PCs. Increasing pressure on service providers to keep networks free from spam and other unwanted and malicious . A recent survey found that 58 percent of 1,006 consumer respondents said ISPs needed to work harder to protect their customers from unwanted . MX Logic predicts that in 2005, service providers will come under continued pressure to provide end users with clean bandwidth much the same way that water utility companies are expected to provide potable water. (1) Gartner FirstTake, "Phishing Attack Victims Likely Targets for Identity Theft," Avivah Litan, 4 May