roger_grimes
Columnist

Helping spammers do a better job

Analysis
Sep 26, 2008 · 5 mins
Data and Information Security, Security

Some large Internet organizations act as though stopping malware and spam is the last thing they want to do

Fighting spam is a tough job and not just for the anti-spam software and appliances. Our anti-spam laws seem to be constantly against us.

Since the U.S. CAN-SPAM Act of 2003, which was supposed to end spam as we know it, unsolicited e-mail has doubled or tripled in volume and held steady at those levels for nearly half a decade. Thanks, Congress! Anyone involved with fighting spam knew this law was horrible to begin with and actually encouraged spammers, with its legalized opt-out policies, to continue spamming. The Act is so full of loopholes that I’m actually surprised to see so much “illegal” spam still being sent. I mean, the ways to send legal spam are so available and rich.

Scum and rogue companies continue to send spam pretty much unabated. When someone does get caught and charged with breaking a law, rarely does it lead to stiff penalties or jail time. I’ve read many, many articles where the arrested spammer was not sentenced to anything beyond a weak fine and a suspended jail sentence. The fines often range from a few thousand dollars to less than $10,000. Don’t these prosecutors realize that these people are making thousands to tens of thousands a day? The weak fine and judicial penalties only encourage more spamming because the consequences are so, well, inconsequential.

But it’s great to hear when some huge spammer is put away into the slammer, even though the level of spam never seems to drop when one of the “biggest spammers” gets nailed. One of the more active spammers ever caught was Jeremy Jaynes of North Carolina. He, along with his sister (who received a small fine), was arrested under a Virginia anti-spam law in 2003 for masterminding a big AOL spam attack.

The U.S. court system is a slow and plodding beast, but Jaynes was eventually convicted in November 2004 and sentenced to nine years in jail in 2005. Yea! Way to go! That ought to show the spammers.

Except Jaynes and his lawyers began a multiyear, multicourt appeal saying that Jaynes (an admitted spammer) was just using his First Amendment-protected speech. Jaynes stayed out of jail for years by posting a $1 million bail. I wonder where he got that kind of money? It couldn’t hurt that he had made an estimated $24 million in a few years by sending spam. Of course, most of that money was never collected back by the legal system.

Jaynes lost a Virginia appeal in 2006, and headed to jail. But in 2008, the Virginia Supreme Court overturned Jaynes’ conviction by claiming, yes, the Virginia anti-spam law that was used to convict Jaynes was overly broad and infringed on Constitutional protections. Forget that Jaynes was convicted of spamming, and that his activities were again and again found not to be protected by the Constitution. The law used to convict him did have minor issues, so the justices reversed the lower and appeals courts’ decisions and de-convicted Jaynes. I wonder how long before he sheds the drab prison clothes he became slightly accustomed to and begins sipping margaritas on his offshore island?

But it gets worse. Even as our laws appear to be insufficiently designed to thwart spammers, our very Internet governing bodies seem to be coddling spammers, pest software makers, and botnet creators. A recent report and several news articles tie some of ICANN’s best sponsors to an overwhelming amount of spam, malware, and illegal Web sites. Of course, ICANN and the accused companies deny any involvement with unethical or illegal behavior. But come on. Even if I give you a huge benefit of the doubt … that you’re just inept at managing the security of your resources and not in direct complicity with these rogue origination points, shouldn’t your level of watchdog security at least meet the industry average? Or put another way, shouldn’t the very firms that are in close financial association with ICANN be on top of their game, with the least amount of questionable activity?

The industry of domain registrars has long been under attack for questionable domain approvals. Even though most registrars have a contract clause that says domains they secure may not be used for illegal activity, many, especially the larger ones, are seen by others as turning a blind eye toward illegal operations. Money appears to win.

We’re not talking about domain registrars (or ISPs, for that matter) being duped a few times by a few unscrupulous players. We are talking about outright, massive, intentional ignorance of those who request and carry far more bad sites than would be considered normal. For example, the registrar gets notices from anti-malware researchers to take down thousands of malicious sites from one (or a common group of) requesting individuals. You would think that registrar would not do business with the domain requester anymore. You would (often) be wrong. In the quest to increase their bottom line, many registrars willingly look the other way and claim there is no way they could censor every Web site hosted or domain name given. I’m not buying it. They could at least try. Instead, anti-malware researchers are left with a massive game of whack-a-mole, without any help from the very companies that are in the position to really do something about our Internet malware problem.

Even if ICANN and the noted domain registrars are not in bed with spammers and botnet makers, and all the previously reported stories are unsupported speculation, these entities should not be in a position where the relationships, and the intent of those relationships, can even be questioned. For example, although “Big 5” accounting firms do get caught up in Enron- and Worldcom-like fiascoes, they aren’t sponsored by organizations with links to suspected organized crime figures. It may make business sense to take money from any willing source, but it’s just not common sense in the malware world of today.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.