Background
Unwanted and unsolicited electronic mail (spam) is one of the greatest threats of the modern world. In a very short time the number of spam messages has overtaken the number of wanted e-mails. This causes higher costs and financial losses to Internet service providers, businesses and end-users alike. As people grow increasingly dependent on the Internet and e-mail for their personal and professional communication, spam may seriously hamper the further development of the e-economy (e-commerce) and destroy users' trust in on-line activities.
The estimated costs of fighting the most common viruses disseminated by spam, published by Computer Economics in January 2002 (cited at www.itu.int), are as follows: Melissa: US$ 1.10 x 10^9, I Love You: US$ 8.75 x 10^9, Code Red: US$ 2.62 x 10^9, SirCam: US$ 1.15 x 10^9, Nimda: US$ 0.635 x 10^9. Moreover, according to the International Telecommunication Union, a virus, if not stopped in time, may infect 10^14 computers in 24 hours, which is more than the whole population of the world (www.itu.int).
Spam is one of the biggest problems facing e-commerce and may soon significantly limit the use of the Internet and e-mail in economic life. According to estimates by Brightmail, an American anti-spam software company, in mid-2003 spam exceeded 50% of all e-mail traffic for the first time.
A study by Ferris Research, published on 6 February 2005 in The New York Times, shows that 60% of all e-mails sent every day are spam. According to the research, 25 billion e-mails are sent globally each day, 15 billion of them spam. Of the non-spam e-mails, 7.5 billion are addressed to corporate users and 2.5 billion to individual users.
Main problems with spam
The main problems related to spam include:
- deceitful, misleading contents,
- the huge scale of the problem,
- harm to computer systems (viruses, system overload).
What is spam?
The word “spam” is English and originally denotes canned minced meat. It is now also used, in everyday and in legal language, to refer to unsolicited correspondence sent to many addressees, usually to market commercial goods and services. The contents of spam messages vary widely, from advertising cheap airline tickets to offensive pornographic material. Spam is very often identified with unwanted and unsolicited messages sent via e-mail. It should however be remembered that the phenomenon of spam is much broader.
According to the definition provided by the Mail Abuse Prevention System (MAPS), an American NGO, an electronic message (not necessarily a commercial one) is considered spam if:
- the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; and
- the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; and
- the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.1
Therefore, spam includes unwanted correspondence disseminated via:
- e-mail,
- phone, fax,
- mobile phones (text messages, multimedia messages),
- instant messengers (e.g. ICQ, Gadu-Gadu),
- chats (IRC),
- websites (so-called pop-up advertisements).2
Spam usually has an advertising character, but it may also constitute a contractual offer.
Spam is increasingly used in connection with cybercrime, such as attempts to obtain users' financial details (e.g. account numbers) and passwords, or messages masquerading as a trustworthy entity (“brand spoofing”, “phishing”). For example, according to ITU statistics, in January 2005 alone 12,845 phishing cases were reported, a 42% increase compared to December 2004. These attacks used 2,560 spoofed websites created specifically for the purpose, a 47% increase compared to December 2004 and an almost 300% increase compared to October 2004.3
Nowadays spammers use ever more sophisticated methods to avoid detection, such as concealing the origin of the message or preventing its contents from being checked by filters. The scale of the problem is such that lawmakers in many countries have decided to create so-called anti-spam laws. It should also be noted that internationally there is a consensus that spam, as a cross-border issue, cannot be fought effectively with national legal instruments alone, and that close international cooperation and coordination of actions is needed.
1. See www.mail-abuse.com/spam_def.html and Piotr Waglowski, „Spam a prawo – próba wskazania kierunków badawczych” (“Spam and the law: an attempt to identify research directions”), http://www.vagla.pl/skrypts/spam_kierunki_badawcze.htm, and the literature listed therein.
2. Waglowski, op. cit.
3. The phishing statistics were compiled by the Anti-Phishing Working Group and are available on the ITU website: http://www.itu.int/osg/spu/newslog/Phishing+Activity+Trends+Report.aspx
... and what is commercial information?
EC and Polish law narrow the definition of spam down to unsolicited commercial information addressed to a specified recipient by means of electronic communication, in particular e-mail.
From the consumer's point of view, the most important piece of legislation on protection against unwanted e-mails is the Act of 18 July 2002 on the provision of services by electronic means, which transposed into Polish law the provisions of Directive 2000/31/EC of 8 June 2000 on electronic commerce. The Act increases the protection of persons using services provided by electronic means and, to some extent, regulates conduct on the Internet, including with regard to unsolicited correspondence.
Under the Act, sending unsolicited commercial information addressed to a specified recipient by electronic means (in particular e-mail) is unlawful as an act of unfair competition. Commercial information is any information intended to promote, directly or indirectly, the goods, services or image of an enterprise or professional. Moreover, commercial information must be clearly separated from other content and unambiguously marked as such. Sending such messages requires the explicit prior consent of the recipient; consent cannot be inferred from a different declaration of will. Therefore only e-mails the consumer has asked for should be found in his or her inbox, e.g. a magazine subscription or the current offers of an e-shop he or she has signed up with.
How to fight spam
Usually, the following measures are listed when considering effective methods of fighting spam:
- legal regulations, including penalties for unfair operations on the Internet,
- international cooperation: information exchange, joint actions and work on new legal procedures,
- soft law (codes of good practice),
- promotion of protection technologies,
- education on fair trading in e-commerce.
How do we get spam?
For rogue traders, spam is one of the cheapest ways of reaching consumers with their offers, as the main costs are borne by the recipient. As spammers do not need to specify a target group, every e-mail address is equally useful to them, regardless of how it was acquired. Searching for active e-mail addresses and compiling lists which are then sold to rogue traders (e-mail harvesting) has become one of the businesses of the Internet underground.
- Addresses posted on publicly available websites are at the greatest risk of receiving unwanted correspondence: publishing your e-mail address in readable form makes it almost certain that it will be found and added to spammers' mailing lists.
- The second kind of risk concerns addresses used in discussion groups. They can be found as easily as addresses posted on websites, and discussion groups are an equally valuable resource for spammers.
- Often, to use a Web service, you have to register and provide your e-mail address. This applies to discussion forums as well as to large e-shops. Usually you can check the privacy policy before registering. Although most services respect it, it sometimes contains your consent to making the address available to other entities. It may also happen that the service owner is dishonest and sells the list of users' addresses.
- E-mail addresses can also be obtained by a dictionary attack, i.e. systematically trying combinations of letters and digits appended to known domain names, most often using dictionaries of first names and common words, and keeping the addresses that turn out to exist.
These are the most common, although not the only, methods by which spammers acquire addresses. There are others; for example, a computer infected with a virus may “leak” the addresses of the persons in its address book.
How to protect your e-mail address?
Conceal addresses which you post on websites, whether on your personal website or in a comment on a blog. On your own website you may post the address as an image instead of text, or write it using HTML character entities, which make the address unreadable in the page source but display it normally in the browser. If you give your address in a comment on a forum, you may post a string of characters which allows people who want to write to you to work out your real address, but misleads harvesting bots, e.g. jan@CUTTHATpoczta.isp.pl
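As an added example (not part of the original page), the following Python script shows both obfuscation techniques from the paragraph above against a simple harvesting bot: an address written as HTML numeric character entities is invisible to a harvester that only scans the raw page source for plain addresses, while a munged address such as jan@CUTTHATpoczta.isp.pl is harvested, but as a dead address. It also shows the caveat a practitioner should know: a harvester that decodes entities before scanning recovers the real address, so entity encoding only defeats the most naive bots. The address, page snippets and harvester pattern are constructed for illustration.

```python
import html
import re
from typing import List

# What a naive harvesting bot looks for: a plain-text address in the page source.
# Assumed pattern for this example; real harvesters use many variants of it.
PLAIN_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def entity_encode(address: str) -> str:
    """Write every character as an HTML numeric entity (&#106; for 'j', ...).

    The browser decodes the entities and displays the address normally, but
    the raw page source no longer contains an '@' or a plain domain name.
    """
    return "".join(f"&#{ord(ch)};" for ch in address)


def munge(address: str, marker: str = "CUTTHAT") -> str:
    """Insert a human-readable marker after the '@', as in jan@CUTTHATpoczta.isp.pl.

    A person removes the marker; a bot harvests an address that does not exist.
    """
    local_part, _, domain = address.partition("@")
    return f"{local_part}@{marker}{domain}"


def harvest_naive(page_source: str) -> List[str]:
    """Addresses a naive bot extracts from the raw HTML source."""
    return PLAIN_ADDRESS.findall(page_source)


def harvest_decoding(page_source: str) -> List[str]:
    """Addresses a slightly smarter bot extracts after decoding HTML entities.

    This is the caveat: entity encoding hides the address only from bots that
    do not decode entities, which costs them a single library call.
    """
    return PLAIN_ADDRESS.findall(html.unescape(page_source))


if __name__ == "__main__":
    address = "jan@poczta.isp.pl"                                  # constructed sample address
    encoded_page = f"<p>Contact: {entity_encode(address)}</p>"     # constructed page snippet
    munged_page = f"<p>Contact: {munge(address)}</p>"

    print("encoded source  :", encoded_page)
    print("naive bot sees  :", harvest_naive(encoded_page))        # []
    print("decoding bot    :", harvest_decoding(encoded_page))     # ['jan@poczta.isp.pl']
    print("munged, bot sees:", harvest_naive(munged_page))         # ['jan@CUTTHATpoczta.isp.pl']
```

The munged form is the more robust of the two against automated harvesting, because the bot does collect an address, just a useless one; the entity-encoded form protects only as long as the bot does not decode HTML before scanning.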
Use two (or more) e-mail addresses. Use one in correspondence with friends and relatives whom you trust and another wherever there is a risk that the address may be obtained by unauthorised persons (e.g. when creating accounts on Web portals). If the “public” account starts receiving large amounts of spam, simply close it and create a new one. In any case, it is advisable to keep the professional account used at the company you work for separate from your private one.
Read the privacy policy of the Web portal where you are about to register carefully. If it is not available in any form, you should consider the portal untrustworthy. This also applies to portals that offer free e-mail accounts: often, when registering, you consent to receiving correspondence from third-party companies, and such correspondence cannot then be considered unsolicited.
Avoid simple and short addresses. Although they are more convenient to use, they are easy targets for a dictionary attack. It is therefore better to choose a longer address, possibly containing digits or special characters, e.g. Name.Surname@poczta.isp.pl
How to obtain the recipient's consent?
Enterprises wishing to advertise by e-mail must obtain the consumer's consent. Failure to obtain such consent before sending an e-mail with an offer or advertisement is unlawful and may be pursued individually (as a petty offence or a violation of personal rights) and also by the President of the OCCP as an infringement of collective consumer interests.
It is therefore permissible to send an addressee an e-mail asking whether he or she agrees to receive commercial information. Usually the sender gives some identification data and briefly describes what the commercial messages would relate to; the e-mail ends with a request for consent. It should however be remembered that the request itself must not bear any characteristics of a commercial message: it should be brief, clear and in no way misleading.
To make it easy for the addressee to reply, senders often include a link in the request; clicking it expresses interest in receiving commercial messages on the given subject. No reaction means no consent, and a categorical prohibition on sending them.
NOTE! THE MOST FREQUENT MISTAKES
Example 1
“Please provide your consent to receive commercial messages on sales of brand X watches. You may revoke your consent at any time. To provide your consent, please choose ‘reply to sender’ and type in ‘I give my consent’ in the content of the e-mail.
“At the same time we wish to inform you that brand X watches, models 1234, 5678, 9012, are 15% off at the moment. The number of watches on special offer is limited. Please contact us if you are interested in the details of our offer.”
The above e-mail may be considered unlawful, as it bears the signs of a commercial message while the recipient has not yet given consent. Of course, the recipient must have at least a general idea of the type of information he or she is being asked to agree to receive, but the example above is an obvious case of advertising (information on a special offer and its details).
Example 2
“Persons not wishing to receive our correspondence are asked to send this message back, with the word “remove” in the subject line. If we do not receive your request to remove your e-mail address from our database, we shall consider that you have agreed to receive our offers in the future.”
The sender of this e-mail may not treat the absence of a removal request as consent to receiving commercial e-mails: under the law, consent must be explicit and cannot be inferred, e.g. from a lack of objection or from a different declaration of will.
Example 3 – sending e-mail with the website address.
“Dear Sir/Madam, we are an Internet shop selling photo cameras of the leading brands. Details of our offer and our contact data are available at www.xyz.com.pl.”
The above e-mail contains information which indirectly promotes the services of the sender, namely the address of the website (www.xyz.com.pl), which features an invitation to conclude contracts for the sale of cameras. It may therefore be assumed that the message has a commercial purpose. It would in fact be illogical to argue that publicising information on the services provided is not expected to have commercial effects at the same time.
Protection against spam
Consumers may seek effective protection against spam under the following regulations:
- Act of 16 February 2007 on competition and consumer protection - violation of collective consumer interests,
- Act of 16 April 1993 on combating unfair competition – practice violating the law or good customs,
- Act of 2 March 2000 on protecting certain consumer rights - using e-mail to propose a contract without prior consent of the consumer.
If you receive spam, first find out whether you gave consent to receive correspondence from the sender, or whether your address was passed on by another company which had received your consent to make it available to third parties. Even if you did agree to receive the messages, you still have the right to revoke your consent at any moment, without giving reasons. It is enough to reply: “I object to any further use of my personal details by your company for marketing purposes and to making them available to other entities”.
Remember, however, that when you set up a free account on a popular Web portal, agreeing to receive commercial messages is necessary to complete the registration. It is therefore legal to send commercial messages to such accounts.
If you received a commercial e-mail without your prior consent, do not reply to it. Your reply would signal to the spammer that the e-mail was in fact delivered and read, confirming that the address is active and worth sending further offers to. The same applies to attempts to remove your address from the mailing list by following instructions in the e-mail (for instance: “If you do not want to receive any more messages, reply to the following address: xxx@spam.com.pl”), which usually results in more unwanted correspondence rather than less.
Existing regulations provide for penal liability both for the illegal use of personal details and for sending unsolicited commercial messages. A person guilty of sending unsolicited commercial messages by means of electronic communication is liable to a fine (Article 24(1) of the Act on the provision of services by electronic means). The offence is prosecuted at the request of the victim.
If you think your personal details have been used illegally or if you have received unsolicited commercial messages, you may:
- inform the Police,
- file a complaint with:
  - the Office of Competition and Consumer Protection (www.uokik.gov.pl),
  - the Polish Consumer Federation (www.federacja-konsumentow.org.pl),
  - your local Consumer Ombudsman,
  - the Inspector General for the Protection of Personal Data (www.giodo.gov.pl).
For your convenience, in the near future various public administration bodies will also launch special mailboxes to which spam can be reported. These so-called “spamboxes” will be launched by the Ministry of Transport, the Inspector General for the Protection of Personal Data, the Office of Competition and Consumer Protection and the Office of Electronic Communications.
It should also be remembered that spam is increasingly used to spread dangerous content such as viruses, worms, Trojan horses, diallers and other malicious software, which may install itself on your computer, destroy data on your disks, spy on your behaviour on the Internet or redirect your dial-up connection to premium-rate numbers. That is why you should never open attachments to e-mails from unknown senders or to messages you did not expect to receive.
Internet security threats or violations may also be reported to CERT Polska (www.cert.pl) or to your Internet service provider, but remember that the message as displayed on your screen is not enough to identify its real source. In particular, all the information in the “From” and “To” lines (sender and recipient data) may be false, so do not base a complaint on these data alone. When forwarding a message for expert analysis, include the full headers, or send the message as an attachment if your software supports this option.
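As an added example (not from the original page), the following Python script uses the standard library's e-mail parser to show why the displayed sender is worthless and the full headers are what an analyst needs. It parses a constructed phishing message, reads the Received chain and reports the IP address that actually handed the message to the recipient's own mail server. Only the topmost Received line, written by your own provider's server, can be trusted; every Received line below it, as well as From and Reply-To, arrived from the sender and may be forged. The message, host names and addresses (documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are constructed for this example, and the Received format assumed is the common Postfix-style “from HELO (rDNS [ip]) by HOST”.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: a phishing mail as received by the provider's MX mx.poczta.isp.pl.
# The topmost Received line was written by that MX; everything below it, and the
# From/Reply-To lines, came from the sender and can say anything.
RAW_MESSAGE = """\
Received: from mail.bank.example (unknown [203.0.113.45]) by mx.poczta.isp.pl (Postfix) with ESMTP id 7F3A2; Sat, 5 Mar 2005 10:15:02 +0100
Received: from internal.bank.example (internal.bank.example [192.0.2.10]) by mail.bank.example with ESMTP; Sat, 5 Mar 2005 10:15:00 +0100
From: "Bank Customer Service" <security@bank.example>
Reply-To: verify@bank-secure-login.example
To: jan@poczta.isp.pl
Subject: Urgent: confirm your PIN and CVV2

Dear customer, please confirm your card details at the link below.
"""

# Postfix-style hop: "from HELO (rDNS [ip]) by HOST ..."; the rDNS part is optional.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value: str) -> Optional[Dict[str, str]]:
    """Extract HELO name, reverse DNS, connecting IP and receiving host from one hop."""
    match = RECEIVED.search(value)
    if not match:
        return None
    hop = match.groupdict()
    hop["rdns"] = hop["rdns"] or "unknown"
    return hop


def received_chain(msg: Message) -> List[Dict[str, str]]:
    """All parseable hops, topmost (most recent, added by your own provider) first."""
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


def analyse(raw: str, our_mx: str) -> Dict[str, object]:
    """Compare the sender the mail claims with the host that really delivered it."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    claimed = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    top = hops[0] if hops else None
    # Trust the top hop only if it was written by our own mail server.
    trusted = top is not None and top["by"] == our_mx
    claimed_domain = claimed.split("@")[-1]
    return {
        "claimed_sender": claimed,
        "reply_to": reply_to,
        "connecting_ip": top["ip"] if trusted else None,
        "helo": top["helo"] if trusted else None,
        "rdns": top["rdns"] if trusted else None,
        "hops": len(hops),
        # Does the reverse DNS of the real connecting host belong to the claimed
        # sender's domain? Here it is 'unknown' for a host claiming to be the bank.
        "rdns_matches_claim": trusted and top["rdns"].endswith(claimed_domain),
        "reply_to_differs": bool(reply_to) and reply_to != claimed,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE, "mx.poczta.isp.pl").items():
        print(f"{key:20} {value}")
```

When reporting such a message, the value worth passing on is the connecting IP from the trusted hop (here 203.0.113.45), together with the full raw headers, not the address in the From line, which the analysis shows has nothing to do with the host that delivered the mail.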
If you received spam, remember...
- Do not trust e-mails which look as if they were sent, for instance, by your bank and which ask you to confirm data, passwords or even your PIN or CVV2, whether by e-mail or on a website to which a link in the e-mail redirects you. Banks never ask for information to be confirmed in this way. If in doubt, contact your bank by any means other than those indicated in the message, e.g. by phone.
- Do not fall for stories of great wealth whose recovery needs only a little assistance on your part.
- It is not true that someone will receive a few cents for each e-mail you forward; unfortunately, you cannot help anybody in a difficult situation this way. Instead, you will help to clog your friends' mailboxes. If someone is asking you to help them by making a bank transfer, take the trouble to check whether this person is really in need.
- Many e-mail providers offer some kind of protection against unwanted correspondence. As there are no clear-cut criteria to distinguish spam from legitimate mail, most protection mechanisms require the user to cooperate with the provider and mark unwanted messages appropriately, so that similar messages can be recognised in the future. You should also remember that filtering is not always effective in recognising unwanted messages and carries the risk that some legitimate messages are erroneously classified as spam and withheld.
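As an added example (not from the original page), the following Python script implements the kind of learning filter the last point describes: a multinomial naive Bayes classifier trained only from messages the user has marked as spam or legitimate. It shows both properties mentioned above: after training on a handful of marked messages it recognises similar spam, and it also produces a false positive, a legitimate message from a friend that happens to use spammers' vocabulary (“cheap”, “click”, “confirm”, “now”). Marking that message as legitimate corrects the filter both for that message and for a similar later one. All training and test messages are constructed for this example; a real filter would also use headers, far larger training sets and better tokenisation.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

WORD = re.compile(r"\w+")


def tokenize(text: str) -> Set[str]:
    """Lower-case word tokens; each distinct word counts once per message."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    """Multinomial naive Bayes with Laplace (add-one) smoothing.

    The filter knows nothing until the user marks messages; every mark updates
    the word counts, so it learns the user's own notion of spam.
    """

    def __init__(self) -> None:
        self.word_counts: Dict[str, Counter] = {"spam": Counter(), "ham": Counter()}
        self.message_counts: Dict[str, int] = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        """Record a message the user marked as 'spam' or 'ham' (legitimate)."""
        self.word_counts[label].update(tokenize(text))
        self.message_counts[label] += 1

    def _log_score(self, tokens: Set[str], label: str) -> float:
        vocabulary = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total_words = sum(self.word_counts[label].values())
        # Smoothed class prior, so a class with no training data does not give log(0).
        prior = (self.message_counts[label] + 1) / (sum(self.message_counts.values()) + 2)
        score = math.log(prior)
        for token in tokens:
            # Add-one smoothing: words never seen in this class keep a small probability.
            likelihood = (self.word_counts[label][token] + 1) / (total_words + len(vocabulary))
            score += math.log(likelihood)
        return score

    def spam_probability(self, text: str) -> float:
        """P(spam | message), computed from the two log scores."""
        tokens = tokenize(text)
        log_spam = self._log_score(tokens, "spam")
        log_ham = self._log_score(tokens, "ham")
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training data: messages the user has already marked.
TRAINING: List[Tuple[str, str]] = [
    ("Cheap brand watches 15% off, limited offer, click now", "spam"),
    ("You have won a free laptop, click here to claim your prize", "spam"),
    ("Confirm your PIN and CVV2 at our secure site now", "spam"),
    ("Meeting tomorrow at noon about the quarterly report", "ham"),
    ("Can you send me the report before the meeting?", "ham"),
    ("Lunch on Friday? Let me know", "ham"),
]

# Constructed legitimate messages from a friend that reuse spammers' vocabulary.
FRIEND_MESSAGE = "Cheap tickets for Friday, click the link and confirm now"
FRIEND_FOLLOW_UP = "Did you click the link and confirm the tickets?"


def build_filter() -> BayesFilter:
    """A filter trained on the user's marked messages."""
    bayes = BayesFilter()
    for text, label in TRAINING:
        bayes.train(text, label)
    return bayes


def demonstrate() -> Dict[str, str]:
    """Verdicts before and after the user corrects one false positive."""
    bayes = build_filter()
    results = {
        "similar_spam": bayes.classify("Free watches, limited offer, click now"),
        "similar_ham": bayes.classify("See you at the meeting tomorrow"),
        "friend_before": bayes.classify(FRIEND_MESSAGE),       # false positive
        "follow_up_before": bayes.classify(FRIEND_FOLLOW_UP),  # also wrongly withheld
    }
    bayes.train(FRIEND_MESSAGE, "ham")                          # the user marks it legitimate
    results["friend_after"] = bayes.classify(FRIEND_MESSAGE)
    results["follow_up_after"] = bayes.classify(FRIEND_FOLLOW_UP)
    return results


if __name__ == "__main__":
    for name, verdict in demonstrate().items():
        print(f"{name:18} {verdict}")
```

The false positive is the point of the exercise: with only six training messages the friend's mail looks like the watch advertisement, and it would be withheld until the user corrects the filter. That correction also fixes the follow-up message without it ever having been marked, which is the "recognition of similar messages" the text refers to.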
Finally, one more thing to remember: spam is closely tied to business on the Internet. If you support that business by buying products and services advertised by spam, you encourage rogue traders to continue their practices, and your mailbox will become more and more clogged in the future.
Cybercrime, spam zombie, spyware
Cybercrime is less common in Poland than in the US or Western Europe; nevertheless both data theft and illegal money transfers from personal and corporate accounts are reported by the Polish police.
According to the latest Internet security reports, 33 million hacker attacks are reported each week globally. The number of phishing cases is growing: conning users, forging websites, setting up fake websites. These attacks aim to obtain sensitive information, in particular financial details. According to the Anti-Phishing Working Group, 2,800 such fake websites were discovered in March 2005 alone.
In 2005 the Computer Emergency Response Team Polska (CERT Polska) recorded more than double the number of reported Internet security incidents compared to the two preceding years: over 2,500 cases in 2005. Most of them were attempts to obtain information from remote computers by scanning unsecured ports. Other incidents involved malicious software (mainly Internet worms) and unwanted messages sent in bulk. Specialists stress that the differences between traditional viruses, Trojan horses and spyware are diminishing.
According to the McAfee Virtual Criminology Report, hackers attacking computers single-handedly are a thing of the past. They have been replaced by so-called botnets, networks of thousands of computers over which control has been taken without their owners' knowledge. The compromised computers, or zombies, are then used for large-scale spamming combined with sensitive data theft, storing illegal content, and launching denial of service (DoS) attacks, i.e. making websites unavailable.
Data from McAfee, an antivirus software producer, also reveal new methods of taking control of modern smartphones. Attackers may gain control of a smartphone over the Bluetooth wireless protocol and use the device in the same way as a zombie PC. Phones with their own memory, Internet access and e-mail support are at greatest risk.
In July 2005 the OCCP joined an international initiative started by the American Federal Trade Commission to counteract the use of consumers' computers (zombies) to send unsolicited e-mail. Thirty-six government institutions responsible for combating unsolicited e-mail joined the project against the practice of taking control of consumers' computers by entities that send unsolicited e-mail on a massive scale.
Glossary
Netiquette – a set of rules and standards of good conduct on the Internet, in other words a kind of “constitution” of good behaviour of web users.
Phishing – masquerading as websites of legitimate companies, most often banks, to obtain sensitive data, e.g. credit card numbers, bank account numbers, passwords, PINs.
Spyware - (spying software) software that collects information about the user and is installed without his/her knowledge or control.
Do you know that…
Text-message spam
Do you know that it is enough to send 165 text messages per second to block cellular communication over an area the size of Manhattan, i.e. approx. 85 square kilometres? (Cf. the results of research by Pennsylvania State University scientists at www.smsanalysis.org/ and www.idg.pl/news/83768.html.)
Social engineering vs. spam
Do you know that spammers use social engineering methods increasingly often? Analysts claim that social engineering will be the greatest threat to web security in the next 10 years.
Social engineering is a term used to describe methods of obtaining sensitive information by combining IT tools for data retrieval (e.g. Trojan horses) with psychological skills (e.g. good communication skills, gaining trust, etc.). Spammers are becoming more and more skilful at adapting to the sensitivities of potential recipients, winning their trust and making them disclose sensitive information.
Spammers also exploit the psychological mechanism of accepting a gift in return for a service. They send out messages that appear to offer expensive luxury gifts, such as TV sets or laptop computers, in return for participating in a consumer test of the product. Senders of such messages masquerade as organisations conducting research, e.g. related to a product launch, and thus obtain sensitive data.
A billion dollar fine for spam
Do you know that James McCalla, a spammer from Florida, was ordered to pay $11.2 billion after an Iowa court upheld the claims of CIS Internet Services, whose servers were swamped after Mr McCalla sent 280 million e-mails? Under Iowa law, it is possible to claim $10 for each unsolicited e-mail received.
Addiction to e-mail
Do you know that 75% of computer users are addicted to e-mail? This was shown by a survey among employees of the largest European companies (carried out by Dynamic Markets). In Poland, 56% of web users claim they are addicted to e-mail.