Thursday, April 9, 2009

An open letter to new US FTC Chairman Jon Leibowitz

The following is a letter which has been drafted by many of the members of the Fight Spammers Forum at to Jon Leibowitz, who was appointed as the new chairman for the Federal Trade Commission. I think it deserves some exposure.

We very much support the efforts the FTC is taking to educate consumers about internet fraud and identity theft, and we recommend that everyone view the excellent materials online at However, those types of problems require a level of coordinated effort beyond what any one individual or business can accomplish. We urge the next head of the FTC to see the big picture. And one obvious part of the picture is spam.

Spam is like a flashing light alerting us to far more serious criminal activity beneath the surface. By minimizing the severity of spammers' offenses, you lose the ability to expose and investigate much deeper risks to the US, even impacting on national security.

Spam -- unsolicited commercial email -- is a nuisance. Because it is so inexpensive to advertise through email, spam volume has ballooned to comprise the vast majority of email messages. And the majority of the spam being mailed advertises products that are fraudulent or illegal, whose sponsors do not care about building a positive brand image. Most users have little idea how much spam would be arriving in their inboxes if their internet service providers were not using strategies to block the worst of it.

This is obviously a problem in terms of time/money spent on spam filtering systems and in deleting spams that pass through filters. More importantly, the loss of valid emails due to spam filtering is making some types of email communication extremely difficult. Legitimate commercial email is lost in the deluge of spam messages.

But the problem in the inbox pales by comparison to the multiple layers of illegal activity spammers employ to circumvent users' attempts to avoid their garbage. Spammers are hijacking the computers of innocent users to send their email and host their web sites. They are using stolen identities to register their website domain names, and using stolen credit/debit/PayPal accounts to pay for them. Their websites flagrantly violate trademarks, fraudulently claim approval from agencies like the FDA and Better Business Bureau, use stock photos of buildings and people to create imaginary locations and corporate officers for themselves, display forged pharmacy licenses, and sell counterfeit copies of drugs still protected by patents within the US. They abuse voice-over-internet phone service, using US local phone numbers to give unwitting consumers the impression they are located within the US. They transmit protected health information and credit card numbers via insecure connections, and use fake images of SSL icons to deceive consumers about that fact. They require no prescription for drugs that require one in the US, often including controlled narcotics. They ship pills of questionable content into the US, competing with those produced under FDA oversight, and they smuggle them through customs via fraudulent declarations. They use spam emails to lure additional people to websites where their computers will become infected with malicious programs like computer viruses and Trojan horses, allowing the spammers to continue to expand their power to abuse the internet.

While CAN-SPAM attempted to provide a safe haven for legitimate emailers, it is totally ignored by the criminal spammers whose products would still be illegal no matter how "compliant" their emails might be. Enforcement is hampered because spammers can maintain anonymity by using other people's hijacked computers, and because many of the most prolific spammers operate in countries which tolerate or even condone their activities.

But the situation is not as hopeless as it would appear. Not all reasonable measures are being taken to control the problem. Spammers could not continue at this level of activity without the passive cooperation of legitimate businesses. For instance, there are multiple systems in existence to identify the hijacked computers and illegally registered domain names that spammers rely on to conduct their business. Spam filtering products rely on them to obtain the necessary information to identify spam. Yet that information is often ignored by the otherwise legitimate registrars, hosting companies and telecommunications services which have the power to do something about it.

Does anyone really believe the spammer smuggling counterfeit Viagra into the US is sitting at home at the address provided in the domain registration, waiting for law enforcement to drop by? Then why is there unwillingness to investigate and suspend these domains? Do internet service providers think their customers would rather not know their computers are controlled by strangers in foreign countries, sending spam and helping themselves to users' personal information? Then why are they so unreceptive to reports of hijacked servers within their own networks? Do banks consider it acceptable for their clients' credit card numbers to be stolen to register illegal domains? Then why is there no effort to identify and close the credit card merchant accounts being used to process orders at those same sites? And when it would be simple to block all traffic from rogue countries which allow these criminals to operate, why are US internet companies so lax at shutting down bots on their own networks, making it impractical for American companies to block traffic from the worst spam-spewing IP address ranges?

The other issue is that these armies of zombie computers, called "botnets," do more than just send spam or host websites. They are also used to conduct Distributed Denial of Service attacks. In such attacks, large numbers of computers access the resources of an internet target simultaneously, making it impossible for that web site to continue to operate without spending large sums of money for mitigation.

We in the antispam community saw an extreme example of such an attack in 2006 when angry spammers attacked the company Blue Security, whose product submitted automated unsubscribe requests for its members. The high volume of that DDoS attack not only shut down Blue Security, it knocked many other innocent firms off-line as well. Yet this was apparently dismissed as a private matter between Blue Security and the spammers, and there was no notice given of the potential risk to national security posed by criminals with control of such a powerful botnet. A year later, a DDoS was used to attack government agencies in the nation of Estonia. While our government expressed concern, there was little evidence of action. Now similar attacks on the nations of Georgia and Kyrgyzstan have been in the news, and non-governmental targets continue to be attacked for the purpose of extortion or harassment. This is more than merely a commercial or consumer nuisance; it is a threat to national security.

These botnets are in fact being purchased and maintained by the spam economy. That's the "military budget" keeping those "standing armies" available for rental by any terrorists who might wish to attack the US. There is serious potential for cyberterrorism to cripple significant parts of the US government and private sector, and spam is just one particularly visible part of the problem. The silly messages and sexually oriented products should not deceive anyone about the danger. We ask you to work to coordinate the various companies whose actions and inaction enable spammers to operate, so that the current state of extreme lawlessness can be brought under control.

-- from the spam and
internet security investigators

SiL / IKS / concerned citizen