The term ‘spam’ originated from Hormel's Spiced Ham product bearing the same name. Spam, or Unsolicited Commercial Email (UCE), is just a nuisance. It includes junk emails sent to make its way into user inboxes and litter them with messages intended to promote products and services to churn a profit.
What is Spam?
Any Unsolicited Bulk E-Mail (UBE) or UCE is defined as spam. In both cases, spam comprises ‘unsolicited’ messages, which mean that there is no pre-relationship between the sender and the receiver, and that the recipient has not expressly agreed to receiving the communication. Spamming is more widely defined as the sending of unsolicited email in large volumes, which has no relevance with end user and is received by multiple recipients. But of late, spam is progressively being considered as a more severe messaging threat, as it is used to deliver worms, viruses, and Trojans, as well as rooks of more directly financial nature. Spammers often succeed in deceiving even the smartest of e-mail users into opening such messages.
Spam is redundant email adorning our inbox to advertise things like amazing mortgage deals, adult websites, and get superfast-rich schemes. Almost everyone who has an email account has been ‘spammed’ and most people agree it’s irritating and a sheer waste of time dealing with it. Spam has some essential characteristics as follows:
- It is unsolicited, i.e., sent without the permission of the receiver
- It involves promotion of products or services for sale.
In everyday parlance, spam can also imply any redundant email such as chain letters from known people, or commercial email from retailers you have earlier engaged with.
Origin of Spam
The first instance of email spam dates to 1978. Although incidents of spam started seriously in 1994, the recent history of spam trouble started in 2002. In early 2002, spam comprised about 16% of all emails sent over the internet; by early 2008, spam comprised between 87% and 95% of all emails sent. However, the ratio of email presented by spam disguises a larger problem – the sheer volume of spam that is sent every day. While spam messages amounting to just a few billion were sent each day in 2002, today, approximately 100 billion spam messages cross the internet on a typical day. Moreover, spam volumes can multiply quickly over a very short span of time, such as the repeating of spam volume that occurred between May and November 2006, coupled with spam ‘spikes’ during the New Year season and at other random occasions.
Problems Caused by Spam
There are a variety of problems caused by spam:
Bandwidth Limitations: Spam entering the network of an organization consumes network bandwidth that could otherwise be used for legitimate purposes. With the increase in spam volumes, especially with newer types of spam, more bandwidth is consumed on a per-message basis for non-legitimate purposes. In several cases, this requires the deployment of larger data pipes just to maintain acceptable performance.
Storage Necessity: When more spam enters an organizational network, more of such content has to be put in for review in spam isolation. As spam is usually stored for a minimum of 30 days for employees to review the content for false positives, rise in the entry of spam volume in an organization inevitably leads to larger storage requirements.
Productivity Loss of Staff: Though some believe that loss of staff productivity is a serious concern for several organizations, Oysterman Research has discovered that it is comparatively an insignificant issue in the broad context of the spam problem. However, it is an issue for some smaller organizations that do not filter spam adequately at the server or gateway.
Miscellaneous Issues: There are a host of other issues related to spam, including phishing attempts alleged to have come from a valid source, such as a bank, but instead direct recipients are coaxed to enter their secret information on a phisher’s website; some employees frittering away time in exploring products and services offered in spam; links furnished in spam messages that could re-route users to harmful or offensive websites; and so on.
Some other losses caused by spam are mentioned as under:
Spam is received via e-mails and may have luring subject line such as ‘free offer’, ‘once-in-a-lifetime opportunity’, etc., and ultimately it may compel you to open the mail and read it. This is what the spammer wants you to do. Opening an email, reading it and then deleting it consumes internet access time and costs money. The mail servers used to deliver the mail via a host of servers involve use of money and bandwidth to deliver junk redundant to you. Moreover, the junk mail would have gained precedence over an urgent mail for the mails to be delivered.
Few spam e-mails contain some attachments and ask you to open it. If you do so, you may run the risk of allowing a virus, which may be hidden in the e-mail, to create havoc to your system. Moreover, the costs involved in eliminating a virus from your system are huge.
Few spam e-mails contain a luring description of services and products that ask you to click on a link for further information. These links can provide access to porn or other sites that you had originally not intended to visit. But details of the visit are recorded in your server and you may have to explain it to someone to whom you are accountable.
Advertisement of product via spam e-mails requires you to provide your credit card number and some other personal information, which may jeopardize and compromise your privacy.
Why is Spam Harmful?
>Content: Much of the opposition to spam pertain to its content. Objections to commercial messages that encourage skeptical ventures and messages that contain expressly adult material are quite common. However, the most important objection is regarding messages containing malicious embedded code and unfriendly file attachments.
Consumption of Internet Resources: Spam represents a significant chunk of all e-mail traffic, occupying humongous amounts of network bandwidth, memory, storage space, and other resources. Internet users and system administrators spend voluminous amounts of time reading, deleting, filtering, and blocking spam, because of which they have to pay more for Internet access.
Threat to Internet Security: Spammers often access the Simple Mail Transfer Protocol (SMTP) servers and direct them to send copies of a message to a long list of recipients. Third-party relaying usually indicates theft of service because it is an unauthorized appropriation of computing resources. Because of its association with a third-party relaying, a company may put its reputation at stake.
Methods Used by Spammers
A spammer has several subtle ways of getting email addresses. Here are some of the most prevalent methods employed by spammers to get individual e-mail address:
- Postings in user newsgroup
- User registrations at unscrupulous sites
- User chat sessions
- From email lists bought by the spammer
- From spam bots that crawl the web for any @ sign
- From mailing lists subscribed by users
- By garnering all the email addresses on your company's server
- By random generation of name combinations for your domain.
Spamming is done through various other methods. The usual ones are as follows:
Hostile ISPs: Spammers, who have enough funds, operate hostile ISPs. This allows them to use multiple domain names. It receives its own network numbering and multiple domain names from the inter NIC. You may be able to block a domain, but not a ISP provider.
‘On-the-fly’ Spammers: These types of spammers enroll themselves as multiple genuine users with different ISPs. They fabricate an identity or steal credit cards and use them to create identities. They then use these accounts to start spamming. By the time the realization sinks in to the ISP that they are hosting a spam run, the spammer switches to a different account.
Blind Relays: Some poorly configured servers enable blind relaying, i.e., sending unauthenticated messages. Spam is routed through such blind relays.
Why Spammers Use Spam?
Spammers transmit their messages to billions of people hoping that some people may respond to it. They make income by selling the actual products, or a percentage commission by selling such products. Response rates and benefit margins are usually low, as are the costs.
The gargantuan number of messages spammers may send in a single day may sum up to a significant income. For instance, with say a $1 per unit profit margin, and only a 0.1% response rate, a spammer could make $100,000 by sending 10 million email messages. All that the spammer needs to send the spam are the following:
- Spamming software: This is quite economical and can be easily obtained over the Internet.
- An email address list: These can be bought on a CD, or garnered from various sources.
- A financial opportunity: There seems to be no dearth of opportunities for spammers. Spam mails usually contain information about product sales, offers, adult site membership, etc.
- An email server: Spammers usually carry a credible third-party's mail servers to conceal their identities. These servers are experienced as open relay servers.
Anti-Spam Legislation in The U.S.
The US enforced its first federal law on spam called as ‘The Can-Spam Act, 2003’. This law is an Act to regulate inter-state commerce by imposing restrictions and penalties on the transmission of unsolicited commercial email through the internet. It provides various do's and don'ts for legitimate spammers. This law is based on the ‘opt out’ option. The email messages should insure the attack of marketing and non-solicited pornography activity, and should be properly labeled if any unsolicited activity occurs. This law is being hailed as a triumph of the powerful marketing and advertising industries that wishes to use the benefits of spam over bona fide consumer interests.
CAN-SPAM Act of 2003: United States-Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
The Act states that the sender can send a commercial email to the receiver only if the receiver has given a written or oral consent. Moreover, the sender must identify himself or the entity by disclosing the name of the sender of the email and refrain from using untrue or misleading header information. In addition, once the receiver has authorized the sender, then each mail sent should have an option to ‘opt-out’, which should be honored within 10 days. ‘Opt-out’ means blocking the sender. This Act requires identifying the message as an advertisement, informing recipients about your location and refraining from using deceptive subject lines. It also requires monitoring what others are doing on your behalf. The law makes clear that hiring another company to handle your email marketing will not relieve you of your legal responsibility to comply with the law. The legal liability for sending the message lies with both the company whose product is promoted in the message and the company that actually sends the message.
Anti-Spam Legislation & its Position in India
Spam emails come quite close to the irritating telemarketing phone calls. It is absolutely not a fun to have the phone ring at lunch time and listen to the voice on the other end asking us about a new credit card, a loan, or an investment opportunity. It is quite akin to the spam email. No one wants to go through their inbox deleting every single message, just to get to the legitimate ones that are from our friends and family. Email is supposed to be an easier and more convenient way to keep in contact with friends and family. Unfortunately, spammers viewed it as a great opportunity to increase our stress levels.
A working group comprising a software employee, privacy protector, and IT secretary should be set up to devise a draft, based on which an amendment to the IT Act should be finalized on spam email. E-mail users are aware that no number of filters can protect privacy from sending unsolicited emails. The current era is called as the ‘technology era’, and India does not have any law to prevent the spammers who spawn the cyberspace by continuously sending unsolicited messages. Spammers keep transgressing the privacy of email account holders by compelling them to receive unwanted emails. Developed countries, such as the US and other European countries, have already enacted anti-spam laws, but the third-world countries, such as India, do not have any anti-spam law. A lack of such law is being viewed as a triumph of the powerful marketing and advertising industries that wishes to use the benefits of spam over genuine consumer interests.
India and the Spam Menace
Spam legislation is non-existent in India. The much-publicized Information Technology Act of 2000 does not mention the issue of spamming at all. It only refers to punishment given to a person, who after having secured access to any electronic material without the consent of the person concerned, discloses such electronic material to any other person. It does not have any impact on violation of individual's privacy in cyberspace. The illegality of spamming is not considered. Other cogent reasons for introducing a comprehensive legislation to prevent, control and punish spammers are as follows:
- The Delhi High Court acknowledged the absence of appropriate law pertaining to spam in a case, wherein Tata Sons Ltd., and its subsidiary, Panatone Finwest Ltd., filed a suit against McCoy Infosystems Pvt. Ltd., for transmission of spam. It was held that in the absence of statutory protection to check spam mails on Internet, the traditional principles of tort law, of trespass to goods as well as law of nuisance, would have to be applied.
- With the rising number of Internet users every day and the burgeoning proportion of junk e-mail, it is important that steps be implemented to prevent spam, before it assumes diabolical proportions as in the US. With the establishment of the Indian arm of the Coalition Against Unsolicited Commercial E-Mails (an international organization against spam), some efforts are being made to fight against the spam menace. However, in the absence of stringent laws and technical advancements, the proliferation of spam seems inevitable.
Legal Protection Against Spam
With the increasing number of Internet users in India, the government should fortify the Cyber Crime Prevention Strategy to deal with this menace. After the death of Section 66A (of Information Technology Act 2000, which was inserted by Information Technology Amendment Act 2008), India does not have any law to discuss the issue of Spamming at all.
Implementation of anti-spam policies, opt-out clause, prohibition, statutory provisions and enforcement mechanisms will have to be enforced to tackle the spamming menace. But, before that, we should decide whether we need to prohibit or just limit Spam. Some civil advocates claim that anti-spam legislation may result in constitutional issues such as restriction of free speech over the Internet, and hence, anti-spam legislation must be very specific. In India, the Supreme Court has held ‘commercial advertising’ to be an inalienable part of the freedom of speech, which is enshrined in Article 19 of the Constitution. Hence, the anti-spam legislation should confine itself to only ‘commercial email’.
To protect the netizens from any fraudulent or deceptive advertising, we already have the consumer protection laws. Legislation regarding prohibition of transmission of pornography also exists, but it needs some modification, so that netizens have some protection from receiving sexually explicit material via spam. Establishment of Indian arm of the Coalition against Unsolicited Commercial E-mails (an international organization against spam) is the first step towards combating the spam menace.
As of today, the Indian government is yet to come out with a concrete legislation that directly addresses the issue of spam. The Information Technology Act, 2000 (IT Act 2000) does not contain any provision regulating the act of spamming, though it does regulate obscenity, which covers publishing, transmitting or causing to be published in electronic form, any material that is lascivious, or appeals to the sexual interest.
The government should create a panel and engage more technical people and experts from the IT industry to plan a legislation for cyber security and IT laws, including spamming. The government is also contemplating whether the punishment to spammers should be given after verifying the nature of the spam attack – whether the act of spamming was done inadvertently or intentionally.
Cyber law in India is still in an incipient stage, and a lot of initiatives are needed to make it a mature legal instrument. The government needs to give a new and different look to the existing IT Act 2000 to make it safer, stronger and more relevant. It must also remember the absolute requirements of ICT and cyber security in India, which are drastically missing.
The government is considering establishing a ‘Center for Communication Security Research and Monitoring’ to overlook the activities of criminal elements online, and has sanctioned INR 50 crores for the same. The nodal implementation agency is Center for Development of Telematics. The research side of the Center will focus on multiple communication technologies to supervise all traffic types (satellite, wire line, wireless, internet, email, IM, VoIP), encrypted communication for de-encryption of net-based encryption methods being used by terrorists, regulatory standard to ensure compliance by telecom operators and equipment vendors and system design, inter alia.
CAN-SPAM Act India
The impact of spam is clearly widespread. Currently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam worldwide and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.
Suggestions for Anti-Spam Law in IT Act, 2000, to protect the privacy of an individual:
More than 50% of all worldwide e-mail traffic is now spam. The problem in India is aggravating at high cost to business and consumers. 50% of all e-mail in the world is spam, with a significant 3% of it originating in India itself, and a further 20-40% from other Asian sources. The following are some suggestions to tighten the anti-spam laws in India:
- There is a need to form an alliance of Internet-related businesses and associations to aid consumers and businesses in fighting against spam in India.
- Permission to send an email to a stranger must be sought and only one reminder should be sent for such permission. Upon decline of the permission, it should be presumed that the request has been rejected, and use of the email address, except self, must be strictly prohibited.
- Spammers use tactics such as avoiding detection and enticing gullible consumers to open spam email. With every email sent, disclosing of the sender’s email address should be made compulsory, so that his identification may be established and traced.
- Sending an email containing untrue information should be deemed as a serious offense.
- Any vague email should not to be sent to anybody; if anyone has acted upon the belief of any email sent to him and suffers any loss because of it, he should be compensated accordingly and sufficiently.
- Sending of any greedy or enticing email to any person should be made an offence.
- There must be detailed discussion and development of industry best-practices for sending commercial e-mail.
- The extent of the spam problem in India should be evaluated through both long-term and short-term projects.
- Identification of the effectiveness of anti-spam legislation should be made through a comprehensive survey.
- The sharing of information would help take effective steps against high-volume spammers.
- Law related to anti-spam must apply to business entities and individuals who intend to use false subject lines in their email.
- Criminal and civil penalties should be imposed for fraudulent e-mails.
- Comprehensive evaluation should be made to prevent reaping and the use of dictionary attacks and prohibition on the use of scripts used to send large volumes of e-mail accounts.
To control the email spam, government is also engaging the involvement of a wide range of people, including:
- Developers and suppliers of anti-spam technologies, Internet service providers (ISPs) and commercial e-mailers.
- Various policy departments, regulatory bodies and enforcement agencies of national governments.
- Inter-governmental and other international organizations involved in policy coordination and the development of technical standards.
- Civil society organizations that represent consumer and business interests; active end users, who monitor and report spam; law related to anti-spam should occupy not only entities and individuals whose products are promoted in spam email, but also others who knowingly help in the transmission of illegitimate spam.
The Way Ahead
Indian citizens are hopeful that, some day, we will have a law to protect us from spammers. This is necessary because we are getting 10-20 or more spam emails into our inbox everyday, and frequently there are news of people getting duped to the tune of INR 10,000 to INR 100,000 or even more.
Awareness and education related to spam alertness is the need of the hour. This will help us to create an environment of healthy competition and consumer-friendly cyber market. It will indirectly encourage our productivity, since spam consumes a lot of our time and resources.
We need to stop spam so that the real marketers can send across their communication to their customers more effectively, and thus create more demand and supply for the economy. The lesser the spam, the more will the customer trust in online business. Control on spam will limit our expenditure on anti-spam software and we will be able to utilize this money on other better initiatives.
Thus, after understanding the benefits of anti-spam law, let’s hope to see a robust anti-spam law in India, too, which will mete out strict punishments to spammers.
India has already achieved, to a great extent, control of telephone call spam through its various telecommunications marketing laws and guidelines. Also, it has a successful ratio in penalizing the defaulters for non-compliance of this telecommunication laws, if we can apply laws somewhat akin to our own mechanism for emails, the day will not be too far when our country will be among the top-three spam control laws.
With the issue being debated across multiple levels, some concrete legislation on spamming can be expected in the near future. Some quarters have already started calling for an amendment of the IT Act. A regulator such as the TRAI (Telecom Regulatory Authority of India), which made regulations such as ‘Do Not Disturb’ hotlines for spam SMS messages and marketing calls, can also be expected, and any violation can be expected to result in penalty.
Bibliography & References
- Saikat Sarkar, 5 Reasons Why India Should Have an Anti-Spam Law, February 20, 2017.
- Mark W. Brennan, Complying With the CAN-SPAM Act, November 8, 2016.
- Ravi Kant, Spamming Under Indian Law, February 24, 2016.
- Anti-Spam Legislation India, January 5, 2016.
- Sachin Kamthe, Top 3 Email Spam Laws Currently, April 29, 2015.
- Deeksha Malik, Legal Framework Governing Spamming on the Internet, March 21, 2015.
- Corey Wainwright, What is CAN-SPAM? [FAQs], September 2, 2013.
- On Dealing with Spam Emails Without the Law: India’s Lack of Data Protection Rules, January 1, 2013.
- Trisha Thomas, Vodafone Becomes First Operator to Crack Down Under India’s New Anti-Spam Laws, December 4, 2011.
- Sudhir Kumar, Email Privacy & Anti-Spam Law, April 28, 2010.
- Rahul Donde, Spam: Is It Time to Legislate?
- Ashwani Mishra, Legislation Against Spammers Soon, Computer Networking News,
- CAN-SPAM Act: A Compliance Guide for Business,