Spam

Updates

22 Aug 2017

The global spam rate for July was the highest seen since March 2015, increasing to 54.9 percent, reports Symantec in its July Intelligence report. Similar proportion of spam also reports the Kaspersky lab in its Spam and phishing in Q2 2017 report, however not indicating a peak in spam traffic. Both companies use their own metrics and mostly report on spam identified by their systems. 

11 Aug 2017

The Australian Competition and Consumer Commission (ACCC) is taking action against two domain name registrars that have been sending out unsolicited communications to its business clients. According to ACCC, the notices sent by the two registrars looked like renewal invoices for their clients’ domain names, while, in reality, they were invoices for the registration of a new domain name (similar to the ones the companies already had). Between November 2015 and April 2017, there were around 300 000 such notices sent to business registrants, many of which ended up paying, unwittingly, for a new domain name that they might have not needed or wanted.

16 Jul 2017

The social network botnet called Siren algorithmically created Twitter accounts and generated more than 8.5 million spam tweets. ZeroFOX, a company that discovered the botnet, believes this has been one of the largest spam campaigns on social media so far. The botnet used sophisticated techniques in order to deceive various anti-spam tools used by Twitter and Google. Siren gained over 30 million clicks from its victims. Although the links led to sites related to porn services they, reportedly, did not contain any malware.  Nevertheless this case demonstrates some weak points and vulnerabilities of new communication tools. Spammers have been increasingly re-focusing their vectors of attack shifting from email to other channels like social media and instant messengers. 

Pages

Spam or unsolicited mail is sent to a wide number of Internet users. Spam is mainly used for commercial promotion. Its other uses include social activism, political campaigning, and the distribution of pornographic materials.

Spam is one of the Internet governance issues that affect almost everyone who connects to the Internet. However, whereas 10 years ago spam was one of the key governance issues, it is today a less prominent issues thanks to highly sophisticated technological filters.

 

According to statistics from 2014, 66% of e-mail traffic is spam. Besides the fact that it is annoying, spam also causes considerable economic loss, both in terms of bandwidth used and lost time spent checking/deleting it.

Spam can be combated through both technical and legal means. On the technical side, many applications for filtering messages and detecting spam are available. Several best practices have been developed by the technical community, include those by the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), the Spamhaus Project, GSMA, and the Internet Society.

The issues of spam or unsolicited mail

There are various issues associated with spam. From a technical perspective, one of the main problems with filtering systems is that they are known to delete non-spam messages, too. For instance, Verizon’s anti-spam filtering led to a court case as it also blocked legitimate messages causing inconvenience for users who did not receive their legitimate e-mail. The anti-spam industry is large, and employs increasingly sophisticated applications capable of distinguishing spam from regular messages.

Another issue arises from the different definitions of spam. Different understandings affect the anti-spam campaign. In the USA, a general concern about the protection of the freedom of speech and the First Amendment affect the anti-spam campaign as well. US legislators consider spam to be only ‘unsolicited commercial e-mail’ leaving out other types of spam, including political activism and pornography. In most other countries, spam is considered to be any ‘unsolicited bulk e-mail’ regardless of its content. Since most spam is generated from the USA, this difference in definitions seriously limits any possibility of introducing an effective international anti-spam mechanism.

One of the structural enablers of spam is the possibility of sending e-mail messages with a fake sender’s address. There is a possible technical solution to this problem, which would require changes in existing Internet e-mail standards. The IETF has been considering changes to the e-mail protocol, which would ensure the authentication of e-mail. This is an example of how technical issues (standards) may affect policy. A possible trade-off that the introduction of e-mail authentication would bring is the restriction of anonymity on the Internet.

Most spam originates from outside a given country. It is a global problem requiring a global solution. There are various initiatives that could lead towards improved global cooperation. Some of them, such as bilateral MOUs, are mentioned below. Others measures include capacity building and information exchange. A more comprehensive solution would involve some sort of global anti-spam instrument. So far, developed countries prefer the strengthening of national legislations coupled with bilateral or regional anti-spam campaigns. Given their disadvantaged position of receiving a ‘global public bad’ originating mainly from developed countries, most developing countries are interested in shaping a global response to the spam problem.

The legal response to spam

Technical methods have only a limited effect and require complementary legal measures. On the legal side, many states have reacted by introducing new anti-spam laws. In the USA, the Can-Spam Law involves a delicate balance between allowing e-mail-based promotion and preventing spam. Although the law prescribes severe penalties for distributing spam, including prison terms of up to five years, some of its provisions, according to critics, tolerate or might even encourage spam activity. The starting, default, position set out in the law is that spam is allowed until the receiver of spam messages says ‘stop’ (by using an opt-out clause).

In July 2003, the EU introduced its own anti-spam law as part of its directive on privacy and electronic communications. The EU law encourages self regulation and private sector initiatives that would lead towards a reduction in spam. In November 2006, the European Commission adopted its Communication on Fighting Spam, Spyware and Malicious Software. The Communication identifies a number of actions to promote the implementation and enforcement of the existing legislation outlined above, as the lack of enforcement is seen as the main problem.

Both of the anti-spam laws adopted in the USA and the EU have one weakness: a lack of provision for preventing cross-border spam. The Canadian Industry Minister, Lucienne Robillard, stated that the problem cannot be solved on a ‘country by country’ basis.

A global solution is required, implemented through an international treaty or some similar mechanism. An MoU signed by Australia, Korea, and the UK is one of the first examples of international cooperation in the anti-spam campaign.

The OECD established a task force on spam and prepared an anti-spam toolkit. The ITU was also proactive by organising the Thematic Meeting on Countering Spam (2004) to consider various possibilities of establishing a global Memorandum of Understanding on Combating Spam. At regional level, the EU established the Network of Anti-Spam Enforcement Agencies, and APEC prepared a set of consumer guidelines.

Another initiative is the International Cybersecurity Enforcement Network implementing the London Action Plan. The network, established in 2004, gathers regulatory authorities, the technical community and the business sector to collaborate on cross-border spam enforcement.

More recently, measures against spam were introduced in the International Telecommunication Regulations which were amended in 2012. Among the new articles, two new provisions deal with the ‘security and robustness of networks’ (Article 6), and the prevention of ‘unsolicited bulk electronic communications’ (Article 7). However, the latter provision on spam does not contain binding language; rather, it merely states that states ‘should endeavour to take the necessary measures’ and encourages them to cooperate together. Similarly, Resolution 52 of the World Telecommunication Standardization Assembly ‘invites’ states to take appropriate steps to combat spam, and refers only to national frameworks.

Events

Actors

(Spamhaus)

Spamhaus’s work focuses on tracking spam and providing realtime actionable threat intelligence to the Internet

...

Spamhaus’s work focuses on tracking spam and providing realtime actionable threat intelligence to the Internet’s major networks, corporations, and security vendors. It also works with law enforcement agencies to identify and pursue spam worldwide. It maintains several realtime threat and reputation blocklists which protect over two billion user mailboxes and block the vast majority of spam and malware sent out on the Internet. In addition, the organisation publishes regularly updated statistics on issues such as: spam enabling countries, Internet service providers with the worst reputation for hosting spam operations, top-level domains with the worst reputation for spam operations.

(M3AAWG)

The M3AAWG began as an anti-spam consortium, but has evolved to focus on the root cause of the issue, from bot

...

The M3AAWG began as an anti-spam consortium, but has evolved to focus on the root cause of the issue, from bots and malware to spyware and distributed denial of service (DDoS) attacks. Styled as a forum that works under Chatham House Rules, the M3AAWG works on developing policy comments and industry best practices. In direct relation to spam, most recently, it has released instructional videos on the Canadian Anti-Spam Law. Other spam-related initiatives include the India Anti-Abuse Working Group various meetings and event focused on ways to tackle spam challenges.

(ITU, UIT)
...

The ITU Telecommunication Standardization Sector (ITU-T) develops international standards (called recommendations) covering information and communications technologies. Standards are developed on a consensus-based approach, by study groups composed of representatives of ITU members (both member states and companies). These groups focus on a wide range of topics: operational issues, economic and policy issues, broadband networks, Internet protocol based networks, future networks and cloud computing, multimedia, security, the Internet of Things and smart cities, and performance and quality of service. The World Telecommunication Standardization Assembly (WTSA), held every four years, defines the next period of study for the ITU-T.

(UCENET)

UCENET works on promoting international cooperation in addressing span-related challenges and in enforcing app

...

UCENET works on promoting international cooperation in addressing span-related challenges and in enforcing applicable legislation. Its activities are built around four main areas: intelligence, enforcement, communications, and training. The London Action Plan, adopted in 2004, describes the commitment of the network’s member to strengthen spam enforcement cooperation. In 2016, 11 enforcement authorities members of the network signed a Memorandum of Understanding, as an additional framework for information and intelligence sharing in the fight against spam. The network has contributed, together with the Internet Society and the Messaging, Malware, Mobile Anti-Abuse Working Group, to the development of tutorials on combating spam.

(IETF)

The core mission of the IETF is to develop technical standards for the Internet, ranging from Internet protoco

...

The core mission of the IETF is to develop technical standards for the Internet, ranging from Internet protocols (e.g. IPv4 and IPv6) and the Domain Name System (e.g. aspects related to the functioning of Internationalised Domain Names), to routing systems and security issues. Areas of work covered by IETF working groups include applications (e.g. real time communication and audio/video transport), Internet protocols, operations and management (e.g. DNS operations, routing operations, network configuration), routing (e.g. inter-domain routing, tunneling protocol extensions), security and transport (e.g. authentication and authorisation, IP security maintenance and extensions, and transport layer security).

(GSMA)

Net neutrality is one of the digital policy issues the GMSA is paying attention to.

...

Net neutrality is one of the digital policy issues the GMSA is paying attention to. The organisation, which represents the interests of the mobile industry, is of the view that, while the open character of the Internet should be preserved, technical and commercial flexibility for networks is essential. The four main issues the GSMA focuses on when it comes to net neutrality include traffic management, service prioritisation, zero rating, and tariff flexibility. The GSMA promotes its views through papers and other publications, as well as through advocacy activities. For example, it has been a constant contributor to the net neutrality debates and consultations taking place in the EU, USA, and Latin America, among others.

Instruments

Conventions

International Telecommunication Regulations (WCIT-12) (2012)

Resolutions & Declarations

ITU Resolution 52: Countering and combating spam (2012)
IPU Resolution on the Contribution of new information and communication technologies to good governance, the improvement of parliamentary democracy and the management of globalization (2003)

Standards

Recommendation ITU-T X.1240 - ‘Technologies involved in countering e-mail spam’ (2008)

Other Instruments

Resources

Publications

Internet Governance Acronym Glossary (2015)
An Introduction to Internet Governance (2014)

Papers

Fighting Spam by Breaking the Economy of Advertising by Unsolicited Emails (2015)
The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape (2014)

Reports

Kaspersky Security Bulletin. Spam and Phishing in 2015 (2016)
Stocktaking, Analysis and Recommendations on the Protection of CIIs (2016)
The Global Risks Report 2016 (2016)
Best Practice Forum on the Regulation and Mitigation of Unsolicited Communications (2015)
Best Practices to Address Online, Mobile, and Telephony Threats (2015)
Global Cybersecurity Index & Cyberwellness Profiles (2015)
Best Practice Forum on Regulation and Mitigation of Unsolicited Communications (e.g. “spam”) (2014)
Quarterly Spam Reports

Other resources

The Twitter Rules (2016)
Combating Spam and Mobile Threats - Tutorials (2016)
Symantec 2015 Internet Security Threat Report (2015)
Combating Spam: Policy, Technical and Industry Approaches (2012)
The Top 10 Worst
Symantec Monthly Threat Report
M3AAWG Best Practices
Global Spam Map
Global Legal Summaries about Regulatory and Policy Updates Related to Digital Advertising

Processes

WSIS Forum 2016 Report

Spam related challenged faced by emerging economies were discussed in Spam: Understanding and Mitigating the Challenges Faced by Emerging Internet Economies (session 152). It was underlined during the session that spam has become a complex issue, as it is more and more associated with malicious content, and that emerging economies may not have enough technical, human, and financial resources to fight it. Possible modalities to break the vicious cycle of spam generation were discussed (such as spam filtering, intrusion detection, antiviruses and patches, and user education), and reference was made to key areas emerging economies need to work on to combat spam (legislation (with clear rules in place), staff (with technical and legal expertise), and tools).

 

The GIP Digital Watch observatory is provided by

in partnership with

and members of the GIP Steering Committee



 

GIP Digital Watch is operated by

Scroll to Top