FTC Versus Spam: Tackling a Growing Problem

The Federal Trade Commission’s second summit on spam in the last four years addressed the growing problem of unsolicited email, which is creating costs for businesses and consumers alike.

FTC Chairman Deborah Platt Majoras addressed the summit, held July 11-12 in Washington, D.C. “The volume of spam reported by email filtering companies is rising,” she said. She added that botnets – networks of hijacked personal computers that spammers use to conceal their identities – have become the preferred method for sending spam.

Even more troubling to Platt Majoras is that spam reaching consumers’ inboxes is more often being used to launch phishing attacks and to deliver malicious code or “malware” to consumers’ computers. “This new generation of malicious spam goes beyond mere annoyance – it can result in significant harm to consumers and undermine the stability of the Internet and email in particular,” she noted.

Even merely opening a malicious email can subject a computer user to harm from malware, she continued. “The surreptitious deployment of such malware can result in slowed computer performance; installation of key-logger software that can record and report your every keystroke; the spread of computer viruses; and the hijacking of your computer for use as a botnet.”

In addition, new threats to communications media other than email are knocking on the door. Spam’s cousins, SPIM (spam over instant messaging), SPIT (spam over internet telephony), and spam to mobile devices, threaten to undermine the benefits of mobile services and Internet telephony in the same way as spam. Social networking web sites have become yet another frontier for spam messages, she said. “The lessons we have learned and continue to learn from spam also will be valuable as we begin to address, or even better avoid, similar problems for other communications technologies,” Platt Majoras commented.

Platt Majoras urged more work to combat malicious spam. “The first way is through law enforcement. We cannot permit the electronic world to become a lawless frontier.”

The FTC has engaged in aggressive law enforcement to combat spam. Since 1997, the Commission has aggressively pursued deceptive and unfair practices perpetrated through spam in 89 law enforcement actions against 142 individuals and 99 companies, with 26 of the cases filed after Congress enacted the CAN-SPAM Act, she noted. For example, in one recent case, FTC v. Dugger, the FTC sought to stop the underlying use of botnets to send spam. Under the final order obtained in the case, the defendants are barred from violating the CAN-SPAM Act and required to turn over all of their ill-gotten gains.

She noted that in most instances, the acts of malicious spammers are inherently criminal, and “criminal law enforcement agencies are best suited to expertly shut down their criminal operations.”

Platt Majoras pointed to the recent FBI and Department of Justice crackdown on botnets and those who control them. As part of this operation, the FBI and DOJ identified more than one million personal computers infected with malware that allowed them to be hijacked and used as part of an army of bots to attack other computers, spread malware, or send spam. To date, the crackdown has netted three arrests: Robert Soloway, who allegedly sold spam kits and access to botnets for spamming; James Brewer, who allegedly compromised more than 10,000 PCs around the world; and Jason Downey, who allegedly ran a botnet used to conduct distributed denial of service (DDoS) attacks.

“While there is no single solution to halt the use of botnets and malware completely, these large scale arrests and criminal law enforcement actions are significant. A second way to defend ourselves from malicious spam is knowledge – knowing with whom we are interacting. Just as we can ask visitors to swipe identification badges and use biometric identifiers to verify who is entering our physical space, we can use authentication technology to verify who is entering our electronic space,” she said.

The FTC has taken steps to educate consumers about how to avoid problems with phishing, malware, and spambots in a consumer alert, “Botnets and Hackers and Spam (Oh, My!)” and on its comprehensive website, “OnGuardOnline.gov.” These education materials encourage consumers to use anti-virus and anti-spyware software and to keep the software up-to-date, among other tips.

Platt Majoras said collaboration among stakeholders in the electronic world is invaluable in the fight against spam. “Given the technical aspects of the spam problem, continued collaboration with experts from the technical community, including Internet Service Providers and email filtering companies, will strengthen efforts in the fight against malicious spam.”

Because of the global nature of malicious spam, international cooperation is essential, she continued. “Most of our enforcement actions involving spam have had an international component, and we have cooperated with foreign enforcement agencies on many of them.”

In addition to cooperating with foreign partners on individual cases, Platt Majoras said the FTC is active in the London Action Plan initiative, an informal network of spam enforcers and industry representatives from over 20 countries that allows participants to discuss cases, investigation techniques, and educational initiatives. The US SAFE WEB Act, which gives the FTC authority to cooperate more closely with its foreign counterparts, “gives us tools we need to strengthen our enforcement program, and we are using those tools now to share information with our overseas counterparts,” she concluded.


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



