  Grand Rapids Business Journal


’Tis the season for targeted spam attacks
Pete Daly

As the holiday shopping season approaches, expect more spam in your e-mail, advises Jim Bruxvoort, director of cloud services at Trivalent Group in Grandville, one of the longest-established IT consulting companies in West Michigan.


“We do anticipate an increase,” said Bruxvoort.

“It’s always been bad and it’s not getting any better,” he said, adding that he has seen a recent estimate that as much as 89 percent of all e-mail traffic is now spam.

Spam, in this context, is not the same thing as cyber attacks on computers or actual scams in which criminals try to con gullible people out of money or trick them into revealing sensitive information such as credit card, Social Security and bank account numbers.

Conventional spam is more like the so-called “junk mail” that is still delivered by the U.S. Postal Service every day.

“Spam is really just a lot of unwanted e-mail,” said Bruxvoort. He compares it to watching a commercial on television: “You didn’t ask to watch it, but it’s being presented to you,” he said.

“There are a lot of initiatives to try to reduce it or eliminate it, and I’ve not seen many that have been real effective because it’s just so huge.”

“It costs very little money to send out a million e-mails, and if 1 or 2 percent of those e-mails result in a purchase, (the spammers) are going to make some money on that,” said Bruxvoort.

Spam on your home computer is a nuisance, but on the network computers at work, it’s more serious. Employees waste time wading through it and deleting it, or the company has to shell out for a filtering service. Spam can overload computer systems, so Trivalent recommends use of a third-party service that filters out the obvious spam before routing the rest to a company’s network. Some companies, such as those sending and receiving medical records data, are constrained by medical privacy laws from using third-party services to filter e-mail, he said.

The spammers sending out e-mails that advertise their clients’ products or services “are getting increasingly more savvy in their ability to bypass today’s spam filters,” said Bruxvoort. “The services that block spam are updated at least daily — and often times, multiple times a day — to try and stay ahead (of the spammers).”


Because spam is a cheap means of advertising and not necessarily illegal, it is difficult to combat.

Norbert Kugele, a partner at Warner Norcross & Judd, said the federal CAN-SPAM Act that took effect in 2004 was originally intended to be a means of fighting spam, but it has been largely ineffective.

“A company figures out ways to filter the spam, and then the spammer figures out ways to defeat the filter. It goes in cycles like that,” said Kugele.

CAN-SPAM, which stands for Controlling the Assault of Non-Solicited Pornography and Marketing, “was mocked when it was first passed as the ‘You Can Spam Act.’ In a way, it establishes a safe harbor for spam,” said Kugele, who is chair of Warner’s HIPAA Task Force and co-chair of the firm’s Privacy and Information Security Team.

The act established the right to send out unsolicited e-mails advertising a legitimate product or service as long as the e-mails contain an opt-out mechanism for the recipient and do not provide false information about who is sending the e-mail.

Using software to automatically harvest e-mail addresses off the Internet is illegal, under CAN-SPAM, according to Kugele. “But it’s so hard to figure out who these people are. It’s hard to enforce the law,” he said.

“I think a lot of people are happy to receive e-mails from businesses they do business with. They might hear of sales,” or other useful information, he said. “It’s not really spam if it’s welcome,” he added — but sometimes the “good” spam gets caught in the filters set for bad spam.

Before CAN-SPAM was enacted, some states had laws against spam that were more restrictive than the Act itself, Kugele said. “The problem is, the CAN-SPAM Act kind of trumps state law.”

Within months of its enactment, the CAN-SPAM Act was the basis of prosecution of two spam operations that “clogged the Internet with millions of deceptive messages and violated federal laws,” according to the Federal Trade Commission website. One of those was an enterprise operating out of Australia and New Zealand; the other was Phoenix Avatar, based in Detroit.

From time to time, said Kugele, the FTC does go after a company for violating CAN-SPAM. The federal law also provides Internet service providers with a legal framework for fighting spammers in court. The spammers are using ISPs to deliver their spam, so the ISPs get blamed for it by their customers, but in many cases, not even the ISPs can tell where the spam is coming from.

Spammers route their mass e-mails through multiple servers to disguise the origin, said Kugele. “It’s hard to tell where they are — there’s spammers all over the world, and you just can’t tell from the domain name” where the spam originates.

Bruxvoort noted that sometimes there are clues that a spam e-mail isn’t from the U.S. “Lots of times, you’ll see words misspelled, or broken English,” he said.

“Anywhere that you can get an Internet connection that allows you to bounce e-mail off it — as in spam — that Internet service provider will get taken advantage of,” said Bruxvoort, but he added that a lot of ISPs in the U.S. are constantly monitoring their e-mail traffic and “trying to reduce the amount of spam that’s actually being launched here in the U.S. It’s fairly difficult to do it for very long (in the U.S.) before being shut down — but internationally, that’s not as big a deal.”

The CAN-SPAM Act does spell out how much money a U.S. ISP can collect from a spammer in a successful lawsuit, but it’s limited and the maximum “is small,” according to Kugele. So ISPs have a limited recourse to stop illegal spammers who are a major problem, but for businesses, in general, and for individuals, “most of us really don’t have any kind of effective remedy against it,” said Kugele.

The exception is using filters and the opt-out link on each piece of spam — if it’s there. Filters can be set to the desired level of aggressiveness. Too aggressive, and potentially valuable e-mails might not get through; not aggressive enough, and too much spam gets through. Opt-out can work, but using it routinely might mean employees are spending too much time on it and not getting their work done.

If there is no opt-out mechanism, Kugele noted that there is one thing anyone can do: Send the e-mail to the FTC. The FTC maintains a database of spam that may be illegal, “and every now and then they take action against someone,” he said.

If the opt-out mechanism doesn’t work, and the same spammer keeps sending the same useless e-mail, you can forward it to the FTC at spam@uce.gov. The “uce” stands for “unsolicited commercial e-mail.”

Of course, that takes as much time as opting out, but at least it feels good.