In a recent edition of TechLaw we told the Labour government: “Don’t wimp out over cyber laws.” In this article we show you why by taking you closer to home.
Last week our mail server came under a spam relay attack. This was not your typical spammer, however. A competent spammer would conduct test runs on a mail server to identify whether the server could be used to relay spam mail. In our case such a test would have immediately shown that open relay was disabled.
But in this case, the spammer in question did not bother to test our system. Instead, the spammer bombarded our server for several hours in an attempt to get our server to relay. This amounted to a denial of service attack.
Any server owner could be open to this same attack. In our case it resulted in considerable expenditure of time by our systems administrator and loss of email and Internet access facilities while we and our Internet service provider (ISP) re-configured our servers. The volume of traffic caused excessive loading on our Internet connection and servers and we were forced to take our proxy server offline.
In other cases, spam relay can cause serious reputation damage. In 1998, hackers sent out spam promoting pornographic sites in which the message header made it appear that Computerworld Philippines was the originator of the email.
Is it a crime?
Should it be a crime where an outside party misuses a computer in this manner?
We may not have specific legislation, but that does not mean server owners are powerless. US case law, most recently the case of EarthLink versus Cyber Promotions, has developed the concept of computer trespass; however, this has not yet been followed by the New Zealand courts.
In April 1997 EarthLink Network, an American ISP, declared war on spam. The actions taken included implementing hardware and software deterrents and co-founding an ISP-industry coalition (ISPSEC) to deal with the problem, as well as legal action. On March 30 1998 EarthLink announced that it received a $2 million consent judgement in its suit against infamous spammer Cyber Promotions and its founder, Sanford Wallace.
In addition to trespass, spammers can also be liable to claims for invasion of privacy. In December last year China reported a malicious computer program that was distributed as an attachment in spam email. When the attachment was opened an executable was launched that sat in the Windows sub-directory and monitored the Web browser to see what Web sites had been visited recently.
This type of information is valuable to Internet advertisers.
The infamous ‘DoubleClick’ cookie is used to build a database on users of sites visited and then target banner advertising to those users. A Californian woman is currently suing DoubleClick for allegedly cross-referencing this cookie information with consumer information from the Abacus direct marketing database recently acquired by Abacus. This type of action would also be available where similar breaches of privacy occurred as the result of spam.
As yet the New Zealand courts have not had to consider whether a DoubleClick situation infringes New Zealand privacy rights, although it is likely that some uses of DoubleClick-type cookies would breach the Information Privacy Principles contained in the Privacy Act relating to collection and use of personal information.
Our concern, however, was not with privacy, but with the denial of use of our Internet and mail server facilities. We decided to take a leaf out of EarthLink’s book and take action.
Evidence the key
The first step was to gather the evidence. Our logs had recorded thousands of failed attempts including recipients with email addresses at: att.net; yahoo.com; mci.com; freemailforall.com; and alltheplanet.com. The content of the junk mail was an advertisement including the IP address 18.104.22.168. A Whois query revealed that the owner of that IP address was a US organisation, Weblizard Inc.
The next step was to send a cease and desist message directly to the advertisers at Weblizard, warning Weblizard that it could be liable for trespass. We gave Weblizard the opportunity to settle this issue if we received within 24 hours a full, unreserved apology and a permanent undertaking to desist from spamming to New Zealand based mail servers. We have not yet received a reply.
Our next step is to give notice of our attack to sites campaigning against open mail relays, such as “ORBS”, the Open Relay Behaviour-modification System. ORBS monitors open relay servers in an effort to reduce spam by convincing people operating mail servers to block open relay. Registration on the ORBS database means subscribers to the ORBS database can monitor or block email from open relay servers.
This type of approach can be adopted by all businesses. However, TechLaw believes the huge cost and damage that New Zealand businesses are exposed to justify the implementation of some assertive legislation.
TechLaw would like to see New Zealand follow the “Can Spam Act” bill that was introduced into the US Senate by California representative Gary Miller. This bill, which was drafted with input from the Coalition Against Unsolicited Commercial EMail (“CAUCE”), gives ISPs the right to establish a policy on spamming and to take action against spammers who violate that policy. The act also creates criminal penalties for hijacking domain names in sending spam.
Can the spam
The Can Spam Act would allow ISPs to sue spammers for $50 per unwanted message. In our case we were bombarded with thousands of unwanted emails. If the potential costs were $50 per message then Weblizard would be in for a huge fine for its advertising ploys.
There are many other pending bills in the US, such as Green’s “EMail User Protection Act”. This bill is known as “opt-out” legislation (similar to Murkowski’s bill, which died in the US Senate and never became law) and is favoured by spammers because it allows them to have a “free bite” at everybody until each individual opts out of every mailing list.
Other bills adopt a variety of techniques for dealing with spam such as requiring valid information to be inserted into the email header, the honouring of “remove” requests by the recipient and establishing ISP maintained lists of recipients who actively say no to spamming.
In a previous edition of TechLaw we said the New Zealand Crimes Amendment Bill (number six) contains major gaps relating to hacking. Our recent experience has shown us that the current options when dealing with spammers are also ineffective. In our view, legislative action is required.
Averill Parkinson is a senior associate and Emily Fuller is a solicitor in Clendon Feeney’s technology law team.
This article, together with further background comments and links to Web sites, can be downloaded from www.clendons.co.nz.