FTC Spam Summit Reviews the Next Generation of Threats and Solutions

By Stephanie Jordan

Prior to the launch of the CAN-SPAM Act of 2003, the Federal Trade Commission (FTC) held a Spam Forum. The intent was to gather information and hear firsthand from industry experts and those with a vested interest in adhering to high-volume emailing rules—namely email marketers. In July, the messaging industry, law enforcement, consumer advocacy groups, and email marketers once again gathered with the FTC in Washington, D.C., to discuss the status of spam.

"The FTC works in the anti-spam world including enforcement efforts against spyware and malware," notes Ruth Yodaiken, an attorney in the division of marketing practices, in the Bureau of Consumer Protection at the FTC. "We became aware, due to our enforcement efforts and from security industry reports, that the nature of spam is changing. Previously spam had been an annoyance, and was touted as an annoyance when CAN-SPAM was enacted. The spam we are seeing today is not so much an annoyance, but rather a vehicle for carrying malware. This summer seemed like a good time to gather information from consumer groups, ISPs, as well as marketers, to see if our thoughts were right in terms of spam heading in a much more malicious direction."

The summit had nine panels with almost 50 panelists participating, ranging from consumer advocacy groups to industry players such as AOL, Microsoft, IronPort, Cisco, Cloudmark, StrongMail Systems, Messaging Anti-Abuse Working Group (MAAWG), and Secure Computing. Also prominent were law enforcement entities including the Federal Bureau of Investigation (FBI), various state attorney general offices, and the Department of Justice (DOJ), among others.

From Others' Perspective

Those who shared their opinions of the conference were positive. "This was one of the more interesting conferences," thought Barry Abel, VP of field operations for Message Systems. "The session topics went beyond the discussion of traditional assaults, to look at where spam is originating. There was a lot of discussion around the high emergence of bot-networks (or botnets) and went into detail about how they work. This malware is ubiquitously downloaded from tool bars or automatically emailed from one infected computer to another. Organized crime is selling time across its botnets allowing anyone to purchase the dissemination of information of their choice."

Money appears to be what is motivating this behavior. "The possible future of this is scary," warns Abel. "Today it is for financial gain. In the future it could be terrorist activities like electronic warfare. From launching denial of service attacks all the way down to extortion—for example sending parents a picture of their child and saying harm will come to him unless money is sent." Abel notes that it is very difficult to track where the threats come from, especially since the source is not the actual computer owner but rather someone in a far-off region such as Asia or Eastern Europe. "Millions of PCs are infected," reports Abel. "Representatives from the U.S. Postal Service Security and FBI were at the summit, and admit that the good guys are way outnumbered from a pure criminal perspective."

Attendee and presenter Patrick Peterson, VP technology for IronPort Systems, noted a number of successes from the summit. A primary one was the FTC's desire to gather information to ensure its perspective incorporates a myriad of viewpoints. "This enables better advice to Congress," believes Peterson. "Leveraging the dozens of experts at the FTC event can only increase the FTC's ability to deal with a very challenging problem. I wish more government organizations would take such an approach."

Summit Outcome

Yodaiken noted that at the end of the two-day conference, it was apparent to her, especially in light of what panelists had to say, that the nature of spam is clearly shifting to criminal activity. The conference, while titled a Spam Summit, was not about the CAN-SPAM Act. "We stayed away from CAN-SPAM because it is in open rule making, so we cannot discuss the nature of it. Some of the marketing service providers talked about how CAN-SPAM is working. But the goal of the conference was to get a pulse on how spam is evolving," clarified Yodaiken. While many approaches on how to address current spam challenges were discussed, key ones included law enforcement, collaboration, technology, and education.

Law Enforcement

In her opening remarks, FTC Chairman Deborah Platt Majoras declared, "We can't permit the electronic frontier to become a lawless world." According to Majoras there have been 89 law enforcement actions against 142 individuals and 99 companies, with 26 of the cases filed after Congress enacted the CAN-SPAM Act in late 2003. Yodaiken confirmed that law enforcement is preparing to crack down even more. She noted that at the conference, the DOJ announced that more individuals would see actions against them. "There was a panel on law enforcement where they explained how they took action. Throughout the conference what really came out was the need for collaboration between law enforcement and industry." Yodaiken noted ISPs' technical expertise and the different methods employed to attempt to stop and track spammers as an example of where collaboration could take place.

In most instances, though, the acts of malicious spammers are criminal. Majoras said that criminal law enforcement agencies are best suited to shut down those operations. "For example," offers Majoras, "in June the DOJ and FBI had a crackdown on spammers. The DOJ identified more than one million personal computers infected with malware allowing them to be hijacked and used as part of an army of bots to spread more malware or send spam. The crackdown netted three arrests: Robert Selway, who allegedly sold spam kits; James Brewer, who allegedly compromised more than 10,000 PCs around the world; and Jason Downey, who allegedly ran a botnet for distributed denial of service attacks." Yodaiken adds that another tool in the arsenal came at the beginning of this year when the Safe Web Act, which allows for more international cooperation, was enacted.

Collaboration

"Unfortunately there are limits to what industry can do with law enforcement," concedes Peterson. "Some tasks have to be left to those who wear the badges. But there are things we can do. My top recommendation is for industry experts to join innovative organizations that help bring law enforcement and industry together." Peterson notes that The National Cyber-Forensics and Training Alliance is an innovative law enforcement organization that provides a neutral collaborative venue where critical confidential information about cyber incidents can be shared discreetly. They also offer resources that can be shared among industry, academia and law enforcement. Another organization Peterson recommends is The Internet Crime Complaint Center, whose mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. Finally, Peterson notes that the FBI's InfraGard program brings the FBI and industry together for information sharing and analysis.

Majoras believes that, as in the physical world, we need help to protect ourselves in the electronic world. "Collaboration among all the stakeholders in the electronic world is invaluable. Given the technical aspects of the spam problem, continued collaboration from experts from the technical community, including ISPs and email filtering companies, will strengthen these efforts against malicious spam," Majoras told summit attendees. "And in addition, because of the global nature of the spam, international cooperation is essential. Most of our enforcement actions against spam have had international components, so we are in cooperation with our law enforcement counterparts around the world."

Technology

Technology plays an important role in responding to the current spam challenge. "This is a technological problem, from a certain extent because of the botnets," says Yodaiken. "With the exploitation of the systems, there needs to be steps taken." Yodaiken notes that there was discussion about adoption progress on email authentication, including DKIM and Sender ID, and reputation services. "Some of the ISPs talked about how and whether they take a look at these factors and other filtering to catch variations of spam messages." Majoras also noted that the exploration of technological tools must continue in order to keep malicious spam out of the inboxes. "The commission urges improvement in anti-spam technology and in particular continuing adoption progress in domain level authentication. This technology we still believe paired with reputation and accreditation systems holds great promise from preventing spammers from operating anonymously, which is something they obviously count on. We intend to continue working with industry to spur these events," says Majoras.

Education

The FTC encourages all users to practice self-defense. "Every consumer needs to learn how to spot, avoid, and defend themselves against malicious spam," believes Majoras. "We've taken many steps to educate consumers about how to avoid problems with phishing, malware and bots." The FTC offers comprehensive online information on its Website OnguardOnline. The site encourages consumers to use anti-virus and anti-spyware software and to keep their defenses up-to-date. "The biggest problem the FTC has in consumer education is not with pulling together the right materials," concedes Majoras. "It's distribution. And everyone can help with that issue."

Conference attendees realized that solutions have to keep consumer capabilities in mind. "There was discussion that there were certain things that the average consumer could not do," says Yodaiken. "They may not be able to understand how to clean their machines. That would be too sophisticated for most. But there is much that consumers and businesses can do. In terms of how they behave, in terms of getting anti-virus protection and actually updating it. There were some statistics about that." Yodaiken notes that people need to treat email from a stranger the way they would treat a stranger at the door. "Use basic caution," she advises. She also believes there is a need for education for businesses. "It is important for SMBs to use safe email behavior and that they use authentication to help not just themselves, but the ISPs and everybody else."

By all reports the two-day conference was a success. "The event was extremely well done. There was a lot of energy, good speakers and most importantly a lot of new information. It did not have the re-hash, re-stating of some of the usual conference topics," observes Abel. "I think it was useful for email marketers to really understand how consumers are viewing their mail and to realize the magnitude of the problem. It was extremely interesting to hear how it is being addressed by the FBI and FTC."

The event organizers were successful in bringing together many of the groups interested in combating the proliferation of botnets and malware via spam. "Today's online criminals are cooperating all the time to launch attacks," says Peterson. "The malware author, bot-herder, spam sender and illegal-drug shipper work together seamlessly to maximize their profit and maximize the harm to consumers. All too often the business, government, technology and ISP communities fail to work together to defend the consumer. The FTC event was an all-too-rare example of 'good-guy' collaboration. I would hate to see us lose the momentum."

At the moment, the FTC does not plan to hold a summit annually. To stay in touch with FTC actions and news, Yodaiken recommends the main FTC Webpage. Look also to future issues of Messaging News. SJ/TMP