
The cost of spam: Filtered e-mail results in missed court date


For law firm Franklin D. Azar & Associates PC, the cost of spam probably rang up to the tune of several thousand dollars, or so blogged Venkat Balasubramani, principal of Balasubramani Law.

The entire episode began with a sudden deluge of pornographic spam that assailed Azar & Associates' mail servers. Enough of it seeped through Azar & Associates' Barracuda Spam Firewall for employees to complain up to management.

The IT administrator at the firm, Kevin Rea, was told to do something about it. So, on the morning of May 21st, Rea dialed up the spam settings on the Barracuda. Less spam made it through the Barracuda after that. Unfortunately, false positives also increased, including an e-mail from the U.S. District Court for the District of Colorado, advising company lawyers of a date for a court hearing for a civil case.

The Colorado federal court judge in this case criticized the law firm for not whitelisting the court's domain name. The firm was ordered to pay related attorney fees and expenses incurred by lawyers representing the other side of the case.

I have previously reported about spam in Five billion spams in just one day; Arun Radhakrishnan has also written about the increasing problem of image spam in Image spam gets fuzzy.

Now, there is no doubt at all that the world is not short of gullible fools users (See what I wrote in The Deadliest Day Zero Exploit) who will click on anything that can be clicked. Make no mistake about it, spam is here to stay.

Having said that, the question that I would like to pose is: Can IT staff be held responsible for wrongly filtered e-mails?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

15 comments
GoodOh

The court advises dates etc by email!!?? The 20th century has been over for a little while now and it might be time for the justice system to catch up with the facts of the 21st century world. My advice is that the court immediately set up a secured website and post such sensitive and important information there. Registered users (law firms) then are expected to access the site to collect the information they need. If a law firm can't arrange to check such a site once a day they don't belong in business. The posting of an information note could produce an automatic email / sms / whatever advice of the posting to known interested parties if that was seen as useful. The issue here is that email is so insecure and spam has so badly damaged email as a business tool that any industry (and here the 'industry' is the justice system) that relies on it as a key tool is simply negligent. The only criticism of IT people here is if they haven't pointed out the need for a 21st century solution to replace the 'broken' 20th century email system now being used. (I'd wager they've done it repeatedly and it has fallen on deaf ears.) The idea that the courts are going to send emails and faxes and make phone calls can only be made by people who believe that the public sector has large amounts of resources to pay for the costs of deliberate duplication of services. That's simply not true in any country where people complain about paying too much tax (and that's everywhere I've ever been or heard of). The first US justice system to get a secured notification site up and running properly will be able to sell the facility on to the rest for profit and thereby consolidate the court postings into a centralised site making the whole process more efficient and effective for all involved.

Deadly Ernest

Courts shouldn't be sending court dates by email only - they should be followed up with faxes or phone calls - email for appointments of any sort should only be for confirmation, or should require a physical action by the recipient to acknowledge receipt. The court is at fault here for being lazy buggers. Easiest way to cut back on spam is an industry wide acceptance of the filtering out of any message going to more than 10 addresses, and the filtering out of multiple sends of the same message to more than one set of addresses, except from registered list servers. Sure this is a bit more work for the list server people, but it's a hell of a lot more work for the spammers - most will think it's too much and give up. And it'll automatically shut out most of the zombie sent messages. My best method to cut spam is to never use my ISP based email - everything on that, except from the ISP management, is automatically dropped in the bit box. All my mail goes through my domain mail box, and it has three filters before it gets to me. Since I started doing this, my spam has dropped to less than 1% of what it was beforehand.

paulmah

Can IT staff be held responsible for wrongly filtered e-mails?

Deadly Ernest

Most court hearing dates etc are public knowledge and thus a normal web site may be sufficient. The issue is the changing of the laws to handle this properly. What I find most interesting is the double standards used by the law courts in this country. When I start a court case, I have to get a date and place from the courts, I then have to pay to have papers with this information served on the other party, then I have to lodge affidavits about the serving of the papers with the court house - all this has to be done in person, I can't just mail the papers in. Emails aren't accepted as legal evidence, unless all parties mentioned or referred to, agree to the contents of the email. Yet the court can lawfully hold me to account for a telephone message or email of a change of date or venue - even when the message is given to someone else and not me. Then the court staff get mighty pissed when the only contact details I give them are a PO box and a mobile phone - so I can have total control over the receipt of the documents and messages. With no other information provided for contact, they have no legal right to leave messages at other phone numbers.

MidnightGeek

Hi all, I am the network administrator for 2 small hosting companies. And I would like to share a few small insights on the problem of SPAM.

1. Most of the spam that makes it to a person's mailbox THROUGH all of the various anti-spam techniques comes from bot nets not single site powerhouse senders.

2. Almost none of these bot net systems are sending large mailing lists to ISPs for delivery, rather they are sending the messages one-at-a-time. It is a huge inefficient time expensive delivery method, but the spammers don't care. They have slaved thousands of machines to do this dirty work for them. They don't need list servers.

3. The spammers "test" the messages they send against the current technology to attempt to fool the filters if even for one pass of the delivery.

4. SPAM would not be a problem if users would just stop clicking and buying. It is costing the vendors using the spam systems for marketing some serious cash to use the spammer's resources, and it only takes a small percentage of "buyers" for them to recoup the losses. Zero buyers means loss of revenue for the seller. In a short time, only the naive would use the spammers for marketing. And in a longer time, no one would. (In a near perfect world, but one can dream.)

5. Using an ISP account mailbox has no different behavior characteristics than using a private domain address account. What makes the difference is how long your address has been active, how many address books it is in, how publicly available it is on the internet, and if it uses a common name (like alan, lisa, smith, bob) or a business role (i.e. sales, accounting, etc.). It is an odds based numbers game, and as soon as the spammers know an address is good, it will be reused, and it will be sold to others for reuse. I host domain and ISP accounts that get maybe 4 messages a month, and others that get nearly 230 a day through 5 layers of industry standard spam filtering tools and techniques. The difference is how the account holder has used the address.

6. As ISPs we really want to put filters into play and tighten down the gates, however, the perceived risk of false positives means we must keep the rules loose. Even if someone types an incorrect destination address, we are always the first to get blamed for the problem.

Much of the problem of SPAM has to do with users not understanding the fundamental purpose of email and how to responsibly manage their own accounts. As ISPs we don't grant anonymous access to a directory of our email clients. Supporting just the normal email traffic, we as ISPs spend money, time, and hardware resources on a service that no one wants to pay for. For us, handling the SPAM traffic only costs us money, it's a complete loss on the books no matter how you look at it. We can't do it alone, the end users must work with us by being responsible in the management of their accounts and who they give the addresses to. And most importantly, never buy from a vendor who uses spam marketing, never.

DanLM

I never thought of that one with regard of only allowing a specific number of outbound email addresses. Great idea. Thanks. dan

robocso

In most jurisdictions it is accepted that an e-mail is received when the mail enters the recipient's e-mail system. The recipient who indicates that he accepts e-mail as a valid means of communication is then responsible if he does not retrieve it from his e-mail system. The answer is that the IT staff can and should be held responsible if important mails are filtered out.

DanLM

Where I brought up that ISPs should be allowed to monitor more closely their network. Most spam is driven from zombie machines. Here is why privacy advocates are wrong when they want no monitoring by ISPs of their own network.

1). Most spam mail comes from zombie machines on those networks. These zombies are abusing these companies' property.

2). The spam and other infectious emails have caused both businesses and private citizens to budget how many billions in protection software. How many businesses have been driven out of business because of spam? How much malicious emails still get through?

3). How many people have had legal issues because of infections that occur on their machines from these spam or infectious software? I can think of two high profile ones. This being one, where the business lost money for no fault of their own because they were trying to protect themselves. And the teacher who had the pop ups that occurred on a school computer that almost cost her the job?

4). Let's talk about the individuals that are not the sharpest tacks on the board. The ones that believe this spam, and get directed to web sites that appear as the sites they know. Banks, credit card, auction look-alikes. And have their credit card and personal information stolen. I guess these people don't count to the privacy advocates. Neither the fact these people lost their identities or banking information to these scam artists.

5). Let us not forget about the business and governments that are now being ddos'd from these zombie machines.

I have seen no privacy advocate offer any solution other than to live with it. How many millions of lives have to be affected before these privacy advocates decide to offer a solution. And don't give me, shut off their service. You would have privacy advocates claiming that was an intrusion of privacy also.

My apartment complex has banks of cameras throughout all areas of the outside to ensure that no destruction or other unlawful acts are occurring to the best of their ability. People are happy for this protection. This is not an invasion of privacy, I would like this in big cities just like London does. Starting with ALL major cities. This is monitoring, just like ISPs should be able to monitor and report. Get over it. I can provide more than enough examples of where monitoring occurs by other businesses. ISPs have the same right, you are abusing that right. Here is an answer to the privacy advocates. Start your own isp, make your own business rules. The ISPs have a right to run their business how they think is best to protect their privacy. You have the same right to own and run an ISP business however you want. The number of people that are being adversely affected by malicious emails of all types from zombie machines far outweighs your privacy concerns. This is just another example of it. I'm sorry. This is a serious problem and something has to be done about it. Whether the privacy advocates like it or not. I am one willing to compromise so if they can offer anything (which they haven't), I will listen and try to find a middle ground. So privacy advocates, put up or shut up. And I'm waiting for the far left liberals here to tell me how full of it I am. I just offered you a challenge, let's see if you got the guts to meet it. I know I am willing to listen and compromise, are you willing to offer something. Or are you just going to whine and complain that the big bad companies are out to get you. Dan

p.s. Here is a quote from someone great, someone that used this argument to get the constitution passed. Privacy advocates don't want to hear founding fathers that made statements such as this, but here you go. Among the many objects to which a wise and free people find it necessary to direct their attention. That of providing for their safety seems to be first. Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. These are not vague inferences, but solid conclusions, drawn from the natural and necessary progress of human affairs. Federalist papers, written by Hamilton, Madison, Jay to address concerns of the anti federalists. These papers were published to address concerns that the Constitution was flawed. In other words, your freaken privacy is not more important than others' safety.

techrepublicsucks

What the heck is a court doing sending critical information via email? I suppose if the court house was on fire they would send an email to the fire department! Any experienced IT person knows that email is "connectionless" and there is no guarantee of delivery. Spam filter aside, what if the firm's Internet connection went down or the mail server crashed? How does the court contact attorneys that don't have email? (Yes, there are still some out there.) This is the fault of the two parties, court and attorney, not understanding the limitations of email. If it is important, PICK UP THE PHONE.

GoodOh

It's a constant source of shock to me just how far out of touch the legal system is with the current tools of knowledge and information work, exactly the 'stock in trade' of the legal system. Good to see you pulling their tail a bit!

Deadly Ernest

I have four email addresses, one through my domain, two via gmail, and the one via my ISP. The anti-spam filters work on all; yet I still get heaps of spam through my ISP email, despite it rarely being given out - usually to places where I need to give an email address, and I have doubts about them. The one at my domain gets about two spam through the filters per month. But the real interesting point is the Gmail addresses. One is given out only to specific people for specific reasons, it's had only one spam message in seven months. The other is used a lot to do with my writing under a nom de plume, and is used for reader feedback and contact. That one is advertised in only four places, yet it gets about 30 spam messages a day passing the filters. What is surprising is the name is totally fictitious, yet I've had over 80 emails from an e-greeting card company claiming to have greeting cards for me from friends and relatives, and another 70 plus people have sent messages from one of those web social contact organisations to put you in contact with old friends etc, saying they're from old school friends who went to school with me - in both cases you get no more information until AFTER you join up. Guess what, I just delete them, and enter the names of those organisations into my own spam filter's black list, and advise my web hosts and ISPs of the organisation's names as well. It's a great way to quickly pick up on new organisations that use spammers - all the other clients get a benefit from it too.

Deadly Ernest

as many courts do NOT accept an email as a valid record of anything, unless the contents are agreed to by both the sender and recipient. Also, how do you prove to the satisfaction of the court that it was received by the recipient. Does an e-mail to my address with the ISP count as being received when it gets to the ISP's email server? That's great, as I never hand that one out and never check it because of that reason - it's one I can use, but don't use. A response that requires a physical action by the recipient is the best way to prove they got it.

TG2

It's quite simple ... the court initiated a contact process via an insecure and non-guaranteed method. Only if the court had solicited replies or selecting a link in the email to prove it reached its destination, and even within that, proof that the person clicking the link was the intended recipient, only then could the courts guarantee and hold themselves harmless in this case. I would be surprised if the law firm doesn't appeal, and win based on the fact that email is not an acceptable method for guaranteed delivery!

Don Ticulate

lead to a virus if the links are followed. The domains they came from are spoofed so blocking them does nothing!

paulmah

I did not mention from the original article, but it appears that e-mail is now part of the official notification procedure for serving court notices in the US. Hmm tried to find it, but failed. I am sure I filed it up at home; if you do want the reference for it, let me know and I'll track it down. Anyway, the follow-on story here: http://news.lp.findlaw.com/andrews/pl/med/20050223/20050223barnes.html