Spam graduates from annoyance to liability

Though not relegated to the past, e-mail’s virus vexation seems to be taking a back seat to another scourge – spam.

If corporate Canada does not take preventative measures to nip this problem in the bud, the situation has the potential to get a lot worse before it gets better, experts agree. The tip of the spam iceberg, that aspect which is most visible to decision makers, is reduced employee productivity.

Companies “have seen an increase in the volume of spam over the past couple of years to the point…that anywhere between 10 and probably 25 per cent of all of the messages they receive are spam,” said David Skoll, president of Roaring Penguin Software Inc. in Ottawa.

“The network and storage costs are there but they are probably a small part of the cost (since) most e-mail servers are over-engineered anyway,” he said.

“The real cost (today) is just wasted time in terms of people having to go through more full mailboxes and having to delete things…(and) as the volume increases…people start to get more irritated.”

Even antivirus specialist Symantec is hearing complaints. Spam is a hot topic of discussion at most of meetings for Michael Murphy, general manager of Symantec Canada in Toronto. “It is not just because the cost to bandwidth and productivity, it is also the level of content that is inappropriate or unwelcome,” he added, “and I think that is the greater liability issue for corporations.”

This is the underwater portion of the iceberg, the one that is a lot bigger and that can potentially sink ships. For that reason, companies need to be very careful.

“There is no law dealing specifically with this sort of e-mail, although clearly there are laws that say an employer has an obligation to avoid having a hostile work environment and to take steps to ensure that their employees don’t feel discomfort,” said Ian Kyer, director of the information technology law group at Fasken, Martineau, DuMoulin LLP in Toronto.

Pornographic spam, in particular, could potentially create a hostile work environment. Kyer said an employee could legitimately base such a complaint on receiving pornographic spam.

Though he has yet to hear of a case such as this, he said it is important not to dismiss its probable existence.

“While there aren’t cases, (that) does not mean that there aren’t complaints and steps being taken,” he said. “I suspect that there are lots of incidents right at the moment (where) corporations are receiving complaints.”

Where a company could find itself held liable is if a complaint is received and it does nothing to alleviate the problem.

“Where the employer can be put back on the hook, in a sense, is where they have a policy and they just look the other way,” Kyer said.

“The employer is obviously not responsible for the sending of the e-mail, so the only question is what are reasonable steps that should be taken by the employer to prevent the e-mails from coming through.”

The number one step, one that many companies are taking, is to install anti-spam software at the e-mail gateway to make sure the issue is resolved long before it starts.

Symantec uses its own anti-spam tool for all incoming e-mail, a tool which Murphy said will be available by Q2 this year. All messages deemed to be of an unacceptable nature, such as pornography, never get to Murphy’s inbox. The rest of the spam, mostly of a commercial nature, is flagged as spam in the subject line. Murphy can then set a rule that moves those messages to a spam folder, which he can peruse if he has the time or if he has a suspicion that a legitimate message got a false positive (legitimate mail labelled as spam).

“I get one or two messages a day that are flagged as spam,” he said.

There are other solutions from a variety of vendors. But in the long term governments may need to create legislation that deals specifically with spam since, legally speaking, most of it is not breaking the law. Though there are many cases of fraud, the majority are just trying to sell something few want or need – wonder drugs, pornography or advice on how to work from home and make $4,000 a week.

Microsoft Corp. is looking to burn spammers who target users of its Hotmail e-mail service with a lawsuit filed in a California federal court this month. The suit goes after unnamed defendants accused of harvesting e-mail addresses from its Hotmail servers with the intention of spamming subscribers. The “John Doe” suit allows the company to conduct discovery in the case, and issue subpoenas as part of the investigative process of the trial, a Microsoft representative said recently.

In its complaint, Microsoft says it has tracked down the IP address used by a harvester, but that the address is registered to an ISP known as Neutelligent Inc., and it is unclear to whom the ISP has assigned the IP address.

The company claimed that beginning in or about September 2002, the harvesters accessed Microsoft’s computers and servers in Mountain View, Calif., using “an extractor or database searching software program or similar program” to obtain customers’ e-mail addresses.

“Microsoft’s customer lists have been taken and misused, and Microsoft’s reputation, goodwill and relationships with its customers have suffered,” the complaint states.

The software giant is asking for general, special and punitive damages, attorney’s fees and restraining orders against the defendants, as well as a disgorgement of the profits made from the pilfered addresses.

The complaint alleges that the harvesters’ actions violate the Computer Fraud and Abuse Act, California Uniform Trade Secrets Act and California Penal Code.

– With files from IDG News Service