BACKGROUND MATERIAL
SESSION - I
Defining SPAM: Identifying the Economic, Technical and Legal Problems
1. Spam – Definition
1.1 The most common definition of spam is “unsolicited commercial email”. This
definition however limits itself to messages that are commercial in nature and
consequently excludes many types of messages that could be considered as
spam. Unsolicited messages that apparently do not promote any commercial
activity are left out of the ambit of this definition.
1.2 CAN-SPAM Act
In the United States, the CAN-SPAM Act is premised on this approach and
defines the expression “commercial electronic mail message” to mean “any
electronic mail message the primary purpose of which is the commercial
advertisement or promotion of a commercial product or service (including
content on an Internet website operated for a commercial purpose)”.
The CAN-SPAM Act further clarifies that a ‘transactional or relationship’
message does not come within the ambit of the term ‘commercial electronic
message’. The said Act defines “transactional or relationship message” to
mean “an electronic mail message the primary purpose of which is:
(i) to facilitate, complete, or confirm a commercial transaction that the
recipient has previously agreed to enter into with the sender,
(ii) to provide warranty information, product recall information, or safety
or security information with respect to a commercial product or
service used or purchased by the recipient,
(iii) to provide (a) notification concerning a change in the terms or features
of, (b) notification of a change in the recipient’s standing or status
with respect to, or (c) at regular periodic intervals, account balance
information or other type of account statement with respect to, a
subscription, membership, account, loan, or comparable ongoing
commercial relationship involving the ongoing purchase or use by the
recipient of products or services offered by the sender,
(iv) to provide information directly related to an employment relationship
or related benefit plan in which the recipient is currently involved,
participating, or enrolled,
(v) to deliver goods or services, including product updates or upgrades,
that the recipient is entitled to receive under the terms of a transaction
that the recipient has previously agreed to enter into with the sender”.
1.3 The Australian Spam Act, 2003
In Australia, the Spam Act, 2003 has adopted a like approach and defined a
“commercial electronic message” to mean “an electronic message, where,
having regard to:
(a) the content of the message; and
(b) the way in which the message is presented; and
(c) the content that can be located using the links, telephone numbers or
contact information (if any) set out in the message;
it would be concluded that the purpose, or one of the purposes, of the message is:
(d) to offer to supply goods or services;
(e) to advertise or promote goods or services;
(f) to advertise or promote a supplier, or prospective supplier, of goods or
services;
(g) to offer to supply land or an interest in land;
(h) to advertise or promote land or an interest in land;
(i) to advertise or promote a supplier, or prospective supplier, of land or an
interest in land;
(j) to offer to provide a business opportunity or investment opportunity;
(k) to advertise or promote a business opportunity or investment opportunity;
(l) to advertise or promote a provider, or prospective provider, of a business
opportunity or investment opportunity;
(m) to assist or enable a person, by a deception, to dishonestly obtain property
belonging to another person;
(n) to assist or enable a person, by a deception, to dishonestly obtain a
financial advantage from another person;
(o) to assist or enable a person to dishonestly obtain a gain from another
person; or
(p) a purpose specified in the regulations.”
1.4 Unsolicited Bulk Email
Another common definition of spam is that it is unsolicited bulk email. This
definition categorizes messages based on the number of recipients to whom it
is addressed. In this regard, while stipulating what constitutes “bulk”, some
legislations attempt to specify a precise number whilst many do not. Even in
cases where a specific number has been prescribed under State laws in the
United States, the precise number varies from anything more than 2 messages
in case of Idaho, to 500 in case of Kansas and 1000 in case of Louisiana.
1.5 OECD Approach
The OECD adopts a definition that combines the elements of both the above
approaches. It defines spam as “unsolicited and unwanted commercial
electronic messages or emails that are sent to large numbers of people.”1
1.6 Characteristics of Spam
The NOIE2 Report states that spam messages usually share one or more of the
following characteristics:
(a) Sent in an untargeted and indiscriminate manner, often by automated
means;
(b) Includes or promotes illegal or offensive content;
(c) Purpose is fraudulent or otherwise deceptive;
(d) Sent in a manner that disguises the sender;
(e) Does not offer a valid and functional address to which recipients may
respond, in particular, for opting out of receiving further unsolicited
messages.
1 Report of Directorate for Science, Technology and Industry, OECD.
2 National Office for the Information Economy, Australia.
The manner in which spam is disseminated also differs significantly from case
to case. Broadly, spam falls within one of the following categories –
(a) Usenet Spam – Messages sent to multiple Usenet or other newsgroups.
Usenet spam robs users of the utility of newsgroups by flooding them with
unsolicited advertising.
(b) Email Spam – Messages targeting individual users through email messages
direct to their addresses.
(c) Wireless Spam – A relatively new form of unsolicited electronic messages
is spam sent by text messages to mobile phones.
In view of the above there is a need for an agreed definition of spam so as to examine
its impact and permit evaluation of potential measures that may be adopted to counter
it.
2. Magnitude of the Spam Menace
2.1 To date, no significant statistics have been compiled regarding incidence of
spam in India. Estimates indicate that there were approximately 5 million
internet users in India in 2003, nearly all of whom would have been faced by
the problem of spam at some time or the other. However, in absence of
specific data reliance may be placed on surveys conducted in foreign
jurisdictions. Such surveys would suffice as a reference point for India given
that the Internet renders geographical divides meaningless. Spam uniformly
affects users on the Internet across the globe regardless of territorial borders.
2.2 Available data from various jurisdictions indicates that the incidence of spam
is rapidly increasing. The CAN-SPAM Act includes the following finding of
the United States Congress: “The convenience and efficiency of electronic mail
are threatened by the extremely rapid growth in the volume of unsolicited
commercial electronic mail. Unsolicited commercial electronic mail is
currently estimated to account for over half of all electronic mail traffic, up
from an estimated 7 percent in 2001, and the volume continues to rise…”
2.3 Brightmail Inc., a business specializing in anti-spam software and services,
has estimated that spam accounts for 20% of all email messages sent. The
Gartner Group has estimated that 35% of all business messages received are
spam, and that this figure is likely to touch 50% by 2005.3
2.4 Microsoft MSN and Hotmail together block an average of 2.4 billion spam
messages every day. In a civil action initiated in the United States by America
Online (AOL) against spam, AOL averred that it receives around two billion
emails on a daily basis, of which spam filters installed by the ISP block over
one billion. This figure is ten times higher than what it was in 1999. Data
released by Postini, a spam-blocking filter program that monitors over a
billion emails per month, reveals that the amount of spam is doubling
approximately every five months.
2.5 The NOIE Report notes that, as per the findings of the survey conducted by
CAUBE4, Australia, spam increased six times in volume in 2001 alone. The
NOIE Report further cites a 300% increase in spam from 2001 to 2002.
2.6 This dramatic increase is attributable in part to the increase in the penetration
of the Internet across users worldwide. In case of a developing country like
India with very low Internet penetration levels at present, there is an imminent
likelihood of spam growing at exponential rates over the coming years.
3. Effects of Spam
3.1 General impact of Spam
The United States Congress, after extensive deliberations on the impact of
spam, decided to incorporate the following findings in the CAN-SPAM Act
which succinctly sets out the effects of spam:
“…(3) The receipt of unsolicited commercial electronic mail may result in
costs to recipients who cannot refuse to accept such mail and who incur costs
for the storage of such mail, or for the time spent accessing, reviewing, and
discarding such mail, or for both.
(4) The receipt of a large number of unwanted messages also decreases
the convenience of electronic mail and creates a risk that wanted electronic
mail messages, both commercial and noncommercial, will be lost, overlooked,
or discarded amidst the larger volume of unwanted messages, thus reducing
the reliability and usefulness of electronic mail to the recipient.
(5) Some commercial electronic mail contains material that many
recipients may consider vulgar or pornographic in nature.
(6) The growth in unsolicited commercial electronic mail imposes
significant monetary costs on providers of Internet access services, businesses,
and educational and nonprofit institutions that carry and receive such mail, as
there is a finite volume of mail that such providers, businesses, and institutions
can handle without further investment in infrastructure.
(7) Many senders of unsolicited commercial electronic mail purposefully
disguise the source of such mail.
(8) Many senders of unsolicited commercial electronic mail purposefully
include misleading information in the messages’ subject lines in order to
induce the recipients to view the messages.
(9) While some senders of commercial electronic mail messages provide
simple and reliable ways for recipients to reject (or ‘opt-out’ of) receipt of
commercial electronic mail from such senders in the future, other senders
provide no such ‘opt-out’ mechanism, or refuse to honour the requests of
recipients not to receive electronic mail from such senders in the future, or
both.
(10) Many senders of bulk unsolicited commercial electronic mail use
computer programs to gather large numbers of electronic mail addresses on
an automated basis from Internet websites or online services where users must
post their addresses in order to make full use of the website or service…”
3 The NOIE Report at 9.
4 Coalition Against Unsolicited Bulk Email.
On the basis of the above findings, the United States Congress determined
that:
“(1) there is a substantial government interest in regulation of commercial
electronic mail on a nationwide basis;
(2) senders of commercial electronic mail should not mislead recipients as
to the source or content of such mail; and
(3) recipients of commercial electronic mail have a right to decline to
receive additional commercial electronic mail from the same source.”
3.2 Impact on Consumers
3.2.1 Among the direct impacts of spam are the inconvenience and costs incurred by
the users for the amount of time they spend online, either reading or
downloading their email messages. Additionally, for those recipients who
have limits on the amount of mail permitted to be stored by their ISP, spam
often creates full mailboxes, which may result in legitimate messages being
rejected. A study conducted by the European Union in 2001 estimated the
worldwide cost of spam to Internet users to be in the range of US$ 10 billion
annually.5
3.2.2 Equally significant are issues relating to invasion of privacy and the fact that
spam is widely regarded as an intrusive nuisance by most users. The ease with
which spammers can access databases of email addresses (known as address
harvesting) of users as well as personal information, without the knowledge or
consent of the users or the website owner, highlights the need to protect the
privacy of the users.
5 Commission of the European Communities, Unsolicited Commercial Communications and Data
Protection: Summary of Study Findings, 2001.
3.2.3 The fact that a high percentage of spam often has illegal or offensive content
or involves confidence tricks and scams is a matter of considerable concern
especially in view of the fact that recipients of such spam may often be
minors. Spam exposes users to additional risks as in many cases the messages
may be fraudulent or deceptive in nature.
3.3 Impact upon Businesses
3.3.1 Businesses suffer due to spam on account of the investments they are required
to make in order to filter out and counter spam. It is also perceived that spam
is adversely impacting e-commerce by eroding the confidence of consumers in
the Internet being a medium for safe and secure transactions.
3.3.2 Spammers sometimes alter the subject line of a message or the address from
which it appears to have been sent in order to create the impression that the
message has originated from a legitimate business. For the business so
targeted, this results in a loss of reputation and goodwill since consumers
mistakenly believe that the business concerned is sending spam. In fact,
businesses have been compelled to initiate legal proceedings against
spammers in order to prevent such damage to their reputation.
3.3.3 Ironically, one area of concern for businesses is the filtering software
employed by ISPs in an attempt to counter spam. In many cases, consumers
have willingly subscribed to certain services or to receive information or
updates from genuine businesses. However, messages sent by such businesses
to the recipients who have expressly consented to receive them are often
confused by the filters installed by ISPs as being spam and therefore, blocked.
3.4 Impact on ISPs
3.4.1 Spam is an area of concern for ISPs not merely because it uses up large
amounts of available bandwidth on the network and storage space on servers
but more importantly because it upsets customers and increases the technical
support costs. In light of the available data that estimates spam to account for
more than half of all message traffic, it follows that ISPs are presently bearing
the costs for infrastructure that in the absence of spam, would not be required.
To compound their problems, ISPs are required to continually make further
investments to upgrade existing infrastructure to cope with the escalating
threat.
3.4.2 Other negative impacts of spam on ISPs include costs incurred on account of
incorporating internal measures to counter spam, for instance, by way of
filtering programs.
3.4.3 Owing to the fact that spammers often generate random email addresses, many
of the recipients to whom spam is sent are non-existent. In order to avoid the
deluge of undelivered messages that would normally be sent to the sender,
spammers do not disclose a genuine email address and rely instead on a fake
or substitute one, often that of an ISP. This results in a substantial amount of
email traffic getting diverted to an ISP.
3.5 Impact and Concerns for Regulatory Authorities
3.5.1 In addition to what has been stated above, spam is a major concern for
regulatory and law enforcement agencies worldwide for reasons of public
welfare. Because the sender’s identity can be easily disguised
in a spam message, spam is fast becoming a popular medium for advertising
illegal or immoral activities as well as disseminating offensive content. Seen
in light of the enormous reach of the Internet as a medium for mass
communication and the increasingly significant role it has come to play,
widespread and indiscriminate distribution of such socially harmful content is
a matter of grave and urgent concern.
BACKGROUND MATERIAL
SESSION - II
Containing Spam through integrated measures
1. Technological Solutions
1.1 Technological solutions are a primary means of addressing the problem of
spam. Anti-spam technologies can be implemented at the desktop, server or
ISP level, and are available through software packages as well as software
services. Though there are presently several such solutions on the market,
there is no single approach to blocking spam. Success depends on the facts and
circumstances, and often requires a multi-layered technology approach.
1.2 Desktop/Server Solutions
Some of the solutions commonly used at the server or desktop level include –
(i) Blacklist Services – Blacklist services involve a database of known
spamming IP addresses. Before delivering an email, the ISP or the
software programme in question checks the address of origin against
those in the database. If a match is found, it is presumed that the
message constitutes spam and is therefore not delivered.
(ii) Whitelist Services - Whitelist services tackle the problem in exactly
the opposite manner to Blacklist services. The Whitelist database
comprises a list of addresses that are “legitimate” or “safe”. Any
message originating from an address other than those listed is
presumed “unsafe”. Whitelist services are often coupled with a
“challenge and response” system. In the event that the message
originates from an unknown sender, the system automatically sends an
email to the address of origin, seeking a confirmation message. In the
event that a subsequent confirmation is received, the system assumes
that the sender is a legitimate concern (and not an automated
“spambot”) and permits the message to be delivered.
(iii) Linguistic text analysis and Heuristic Engine based filters – Filters are
possibly the most common method of dealing with spam. Filters
comprise algorithms that analyse the message and determine the
likelihood of it being a spam message. Those that test positive are not
delivered to the recipient. Filtering algorithms normally use linguistic
analysis or statistically derived heuristics to determine the nature of a
message. Linguistic tools permit filters to conduct Boolean searches
based on content and combinations of words or phrases. Heuristic
engines on the other hand use statistics and certain established rules
of thumb to analyse content and determine whether the message is spam or
not.
(iv) Networked Vigilance – Networked vigilance refers to a recent
initiative involving the creation of a centralized database of spam that
is continually updated by submissions from contributing sites and
users. The underlying concept is that a mail server can compare mail
messages it receives with the centralized database to see whether the
said messages have been entered as spam.
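The following added example (not part of the original paper) chains three of the server-level measures above into one decision path: a blacklist check, a whitelist with challenge and response, and a weighted heuristic score. The rule patterns, weights, threshold and addresses are constructed for illustration, and running the heuristic before issuing a challenge is an assumption of this sketch.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    source_ip: str
    sender: str
    subject: str
    body: str


# Constructed heuristic rules (pattern, weight); real engines derive weights statistically.
RULES = [
    (re.compile(r"\bfree\b.*\b(money|offer)\b", re.I), 2.0),
    (re.compile(r"\bact now\b", re.I), 1.5),
    (re.compile(r"[A-Z]{6,}"), 1.0),   # long runs of capitals
    (re.compile(r"!{3,}"), 1.0),       # repeated exclamation marks
]


@dataclass
class LayeredFilter:
    blacklist: set                      # known spamming source IPs
    whitelist: set                      # lower-cased "safe" sender addresses
    threshold: float = 3.0
    pending: dict = field(default_factory=dict)   # challenge token -> held Message

    def score(self, msg):
        text = msg.subject + "\n" + msg.body
        return sum(weight for pattern, weight in RULES if pattern.search(text))

    def receive(self, msg):
        """Return (action, detail) for an incoming message."""
        if msg.source_ip in self.blacklist:
            return ("reject", "blacklisted source")
        if msg.sender.lower() in self.whitelist:
            return ("deliver", "whitelisted sender")
        if self.score(msg) >= self.threshold:
            return ("reject", "heuristic score")
        # Unknown sender, unremarkable content: hold the message and issue a challenge.
        token = secrets.token_urlsafe(16)
        self.pending[token] = msg
        return ("challenge", token)

    def confirm(self, token, from_addr):
        """Release a held message when its sender answers the challenge."""
        msg = self.pending.get(token)
        if msg is None or from_addr.lower() != msg.sender.lower():
            return None
        del self.pending[token]
        self.whitelist.add(msg.sender.lower())
        return msg


if __name__ == "__main__":
    f = LayeredFilter(blacklist={"203.0.113.7"}, whitelist={"boss@example.com"})
    samples = [  # constructed sample messages
        Message("203.0.113.7", "x@example.net", "hello", "hi"),
        Message("198.51.100.9", "promo@example.net", "FREE MONEY offer!!!", "Act now"),
        Message("198.51.100.20", "vendor@example.net", "Invoice for March", "See attached."),
    ]
    for m in samples:
        print(m.sender, "->", f.receive(m))
```

The challenge is sent to whatever address the message claims as its sender, so when that address is forged the challenge lands on an uninvolved third party; scoring first keeps obvious spam from triggering challenges at all.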
1.3 Internet Service Provider/Internet Gateway Solutions
It is estimated that employing anti-spam practices at the Internet gateway can
block up to 40% of incoming spam messages which can reduce the costs of the
expensive message analysis techniques. Measures include6:
(i) Address Harvesting Defense - Monitoring connections to the Internet
mail gateway in order to recognize and block address harvesting
attacks.
(ii) Anti-Spoofing Rules - Spammers often attempt to deliver messages
addressed from the recipient's domain on the assumption that most
domains will "whitelist" their own mail, allowing it to pass through
unchecked. This type of address spoofing can be prevented by
carefully checking the origin of the messages.
(iii) SMTP Authentication/Transport Layer Security (TLS) - Enables
enterprises to tightly restrict access to their Internet gateways by
authenticating users using usernames and passwords.
(iv) DNS checks - Verifies domain names by use of DNS lookups. This
represents a relatively quick and easy technique to block spammers
from delivering their messages.
(v) DNS-based Real-time Blacklists - Prevents messages originating from
suspect IP addresses from being delivered.
(vi) In addition, some email service providers and ISPs are considering
future solutions based on electronic proof based approaches involving
virtual “stamps” that notify that an email sender has expended some
sort of resources for every email that they send. At the core of such
approaches is the concept that the solution for spam lies in changing
the economic incentive for sending it.
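As an added illustration (not taken from the paper or from any product it cites), the sketch below implements gateway measures (ii), (iv) and (v) as cheap checks that run before content analysis, plus a hashcash-style proof-of-work stamp as one possible form of the "virtual stamp" in (vi). The domain, networks, DNSBL zone, stamp format and the injected `resolve` function are all assumptions so the code runs offline.

```python
import hashlib
import ipaddress

# All names below are assumptions for illustration.
LOCAL_DOMAIN = "example.org"                          # domain the gateway protects
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own outbound relays
DNSBL_ZONE = "dnsbl.example.net"                      # placeholder, not a real list


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: reversed address labels plus the list's zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer    # e.g. 7.113.0.203.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone         # drop in-addr.arpa / ip6.arpa


def is_spoofed_local(sender, client_ip, authenticated):
    """Mail claiming our own domain must come from our networks or an authenticated session."""
    if sender.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        return False
    addr = ipaddress.ip_address(client_ip)
    internal = any(addr in net for net in LOCAL_NETS)
    return not (internal or authenticated)


def gateway_decision(client_ip, sender, authenticated, resolve):
    """resolve(name) -> True if the DNS name has a record (injected so this runs offline)."""
    if is_spoofed_local(sender, client_ip, authenticated):
        return "reject: spoofed local sender"
    if not resolve(sender.rpartition("@")[2].lower()):
        return "reject: sender domain does not resolve"
    if resolve(dnsbl_query_name(client_ip)):
        return "reject: listed on DNSBL"
    return "accept for content analysis"


def stamp_valid(stamp, recipient, bits=16):
    """Stamp is 'recipient:counter'; its SHA-256 must start with `bits` zero bits."""
    if stamp.partition(":")[0] != recipient:
        return False                                  # stamp minted for someone else
    digest = hashlib.sha256(stamp.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mint_stamp(recipient, bits=16):
    """Sender-side work: try counters until the hash meets the target."""
    counter = 0
    while not stamp_valid(f"{recipient}:{counter}", recipient, bits):
        counter += 1
    return f"{recipient}:{counter}"


if __name__ == "__main__":
    # Constructed DNS data standing in for real lookups.
    records = {"example.com", "example.org", dnsbl_query_name("203.0.113.7")}
    for ip, sender in [("203.0.113.7", "alice@example.com"),
                       ("198.51.100.5", "ceo@example.org"),
                       ("198.51.100.5", "bob@example.com")]:
        print(ip, sender, "->", gateway_decision(ip, sender, False, records.__contains__))
    print(mint_stamp("bob@example.org", bits=12))
```

Checking a stamp costs the receiver one hash, while minting one costs the sender about 2^bits attempts on average, which is the asymmetry the economic argument in (vi) relies on.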
1.4 Changing Spam Requires a Flexible Solution
To ensure effectiveness, and to consistently maintain the same, anti-spam
solutions need to be continually monitored, tuned and modified, as necessary,
to meet the evolving challenges of spam management. Such monitoring seeks
to ensure adaptability of the solution in view of the following7:
(i) Spam changes – It has been estimated that a new spam message or
technique is created every one to three days.
(ii) Enterprises have different concerns about spam - Given individual
corporate policies with respect to the use of language in email,
offensive content filters should be customized to a particular
enterprise's needs.
(iii) Different Enterprises Have Different Legitimate Email Characteristics
- Identifying characteristics of legitimate email are different from
enterprise to enterprise, and even between different job functions
within an enterprise.
6 www.sendmail.com/products/antispam_pr.shtml
7 www.sendmail.com/products/antispam_pr.shtml
2. Legislative/ Regulatory
2.1 Features of an effective legislation
In order to effectively address the problem, without disrupting existing
commercial relationships, a successful anti-spam legislation should seek to
allow consumers to receive email from trusted senders, while allowing them to
block unsolicited or unwanted spam. Effectiveness of any legislation would
have to be judged in terms of its ability to:
(i) Decrease the volume of spam
(ii) Lower costs to consumers, ISPs, service providers and
businesses, who currently bear bandwidth, storage and software
costs associated with spam, as well as the associated
productivity losses and technical support costs
(iii) Give consumers greater control over whether and how to receive,
filter or delete messages
(iv) Promote broader commercial adoption and enforcement of email best
practices
(v) Minimise disruption of pre-existing commercial relationships
between businesses and consumers.
3. International Cooperation
3.1 Anti-spam initiatives are often ineffective due to problems in identifying
spammers and the lack of extra-territorial jurisdiction. Any national legislation
will initially focus on the enforcement of locally sourced spam.
3.2 The Government should work with multilateral and bilateral bodies to develop
international guidelines and coordination mechanisms to attain a degree of
uniformity in the policy approach to the anti spam drive and the adoption of
international best practices. This would include awareness campaigns with
participation of national consumer groups and self-regulatory groups. The
Government should work along with bodies like the OECD and APEC to
develop international guidelines and cooperative measures which aim to
reduce the total volume of spam, apply the opt-in principle where practicable,
eliminate false and misleading subject and header lines and provide end users
with information on anti-spam measures.
3.3 Enforcement of penalties relating to overseas sourced spam will be
problematic until a suitable international framework is in place. It will also
ensure that there is an appropriate enforcement regime to deal with overseas
spammers as soon as multilateral arrangements are in place.
4. Conclusion
In view of the above discussion, certain broad conclusions can be made out
regarding spam and the need to take steps to address the problem.
So far, spam has forced governments and private players to take immediate
steps to remedy the situation. Though little consensus exists on what
constitutes spam and the best way to address it, it is generally agreed that there
is no one approach that can comprehensively solve the problem.
Given the magnitude of the problem and its simultaneous impact on several
interest groups, adopting a multi-pronged approach may be the only viable
solution to the problem. Such multi-pronged strategy may include
technological solutions, self-regulation, industry best practices, creating
awareness and legislative/regulatory solutions.
Even those countries that have implemented legislative and regulatory
measures recognize that such measures alone are inadequate to mitigate the
situation. Such countries now plan to implement further measures to
supplement the regulatory framework. International businesses are urging
governments to adopt balanced legislative approaches as part of a toolkit of
possible ways to combat spam.
At present India does not have a law on spam. The Information Technology
Act, 2000 is silent on the issue, and other Indian laws do not appear to deal
with the problem either. In keeping with the proposition of a multi-pronged
approach, India too may consider adopting a layered strategy comprising
technological solutions, appropriate self-regulatory measures, consumer
awareness campaigns, legislative measures and guidelines for international
cooperation.
___________________________________________________________________________
Note: The views expressed are of FICCI IT Committee members. For more information please
contact Mr. Tabrez Ahmad, Sr. Asstt. Director – IT at tabrez@ficci.com