Spam in the can

Last week, an Erie County, N.Y., judge sentenced Howard Carmack of Buffalo to as many as seven years in prison for identity theft and forgery for sending hundreds of millions of spam e-mails using false addresses. He was convicted of those offenses in April. Last year ISP EarthLink in Atlanta won a multimillion dollar judgment against Carmack for those same activities.

In December, the Virginia Attorney General’s office indicted North Carolina spammers Jeremy Jaynes and Richard Rutkowski and a Texas spammer, Jennifer Murray, with violations of the state’s anti-spam law for sending spam through AOL. A number of other states, including Maryland and Florida, are in the process of passing anti-spam laws similar to Virginia’s, which is currently considered the toughest in the United States. And of course, there’s always the federal anti-spam law.

What’s notable about these situations isn’t just the felony charges imposed on the spammers — although those are very good things indeed — but rather the fact that they were the result of companies (in these cases AOL and EarthLink) going public with their security problems. Rather than trying to hide the fact that their e-mail addresses had been spoofed and that their services were being hijacked in hopes that no one would notice, they went to the law.

Going to law enforcement and getting criminal indictments and convictions makes spammers accept responsibility for their actions. They are being made to pay the price for spamming, both in civil court and by having their freedom taken from them. This takes them off the streets, but it will also serve as a notice to other spammers that the reach of the law is long, and it can be long enough to reach them.

The law in Virginia is particularly important, however, because more than half of all Internet traffic on the planet travels through northern Virginia. What’s equally important is that the state has made it clear that its law enforcement agencies will work with victims of spam to bring the spammers to justice. It kind of makes me happy that I live and work in Virginia.

But Virginia can’t stop spam by itself. Neither can any other state, nor the federal government. While any of these entities can help remedy the problem, it still takes businesses that are willing to admit that they have a security problem. And that’s the problem.

As long as businesses would rather sweep their security issues — whether they are spam, or hackers, or tamperings by disgruntled employees — under the rug, the problems will only get worse. The reasons companies give for hiding their security inadequacies make sense only if you look at the short term: Companies don’t want to look bad. They don’t want their customers to think their security is weak.

But wouldn’t those companies look a lot better if they went after spammers, hackers, worm writers, and others with hammer, tongs, and a cry for blood? I know that I’d feel a lot better about the companies I do business with if I knew that they were making every effort to obliterate the bad guys from the face of the earth.

At the very least, I’d know that they would be helping to raise the cost of spamming and worm writing, and that alone might help slow the problem down. And that’s a good thing, too.