CONSUMER ALERT
MIKE COX
ATTORNEY GENERAL
The Attorney General provides Consumer Alerts to
inform the public of unfair, misleading, or deceptive business practices, and to
provide information and guidance on other issues of concern.
Michigan's Children's Protection Registry – Dealing With Spam Sent to Minors
THE MICHIGAN CHILDREN'S PROTECTION REGISTRY
A new Michigan law effective on July 1, 2005, seeks to provide
protection against one type of undesirable electronic communication by allowing
parents and other responsible adults to register children's e-mail addresses and
other electronic "contact points" with the Michigan Public Service Commission (MPSC).
Senders of communications that advertise or link to Web sites selling products
or services that children cannot legally possess or purchase – such as alcohol,
tobacco, pornography, illegal drugs, and firearms – must remove registered
addresses from their lists of recipients 30 days after registration (or, at the
earliest, August 1, 2005).
Parents may now register contact points. For more information,
visit the official "Protect MI Child" Web site at
https://www.protectmichild.com.
The text of the Michigan Children's Protection Registry Act, MCL
752.1061 et seq, is available from the Michigan Legislature's Web site at
http://www.legislature.mi.gov/mileg.asp?page=getObject&objName=mcl-Act-241-of-2004
The new law provides that violations of the Children's Protection
Registry Act also constitute computer crimes. The text of the computer crimes
statute, MCL 752.791 et seq, is available at
http://www.legislature.mi.gov/mileg.asp?page=getObject&objName=mcl-Act-53-of-1979
CAUTION – CONSUMERS ADVISED NOT TO OPEN UNSOLICITED E-MAILS
The Attorney General's Office recognizes that parents and other responsible adults
may wish to open e-mail messages sent to registered children's e-mail addresses
in order to determine if these messages violate the Child Protection Registry
law.
Because of the dangers of opening unsolicited e-mails, however, we continue to urge all
computer users – parents, children, businesses and consumers alike – to treat
unsolicited commercial e-mail (also known as "spam") with utmost caution. These
messages, if opened, can contain computer viruses or other malicious programs
that can be surreptitiously installed on users' computers.
The Attorney General's Office therefore strongly recommends that consumers NOT
open e-mail messages that are clearly spam. If your e-mail program allows you
to forward the spam without opening it – or if you have opened a message and
found spam inside – you may send it to the Federal Trade Commission at
spam@uce.gov.
The Michigan Attorney General continues to work closely with the
Federal Trade Commission to identify and pursue spammers.
In order to protect children from inappropriate e-mail and other electronic
communications, the Attorney General's Office advises parents to consider
actively monitoring their children's use of e-mail, instant messaging, chat
rooms, and other avenues for communicating over the Internet. Such monitoring
could include using filtering options available on their e-mail programs or
using e-mail services that offer protection against spam, viruses, and other
malicious communications.
ADDITIONAL INFORMATION
The following discussion describes in greater detail the hazards of spam and
provides tips for reducing spam.
DANGERS OF JUNK E-MAIL
It can be dangerous to open spam. Experts predict an increase in the number of
viruses spread through e-mail, where simply opening the message triggers the
download of a virus onto your computer. In addition to deleting spam without
opening it, consumers should make sure they have up-to-date antivirus and
firewall software on their computers.
It can be doubly dangerous to respond to spam. If you open an unsolicited
e-mail because it appears to come from a source you recognize (eBay, PayPal,
Best Buy, your bank, etc.) but discover the e-mail asks for personal
information, do not respond. Professional criminals around the world are
luring consumers to provide valuable, private
personal information that they will use to commit frauds in your name.
Responding to this kind of spam (called "phishing") increases your risk of
becoming a victim of ID theft.
For more information about this global problem, see the Attorney General's "E-Mail
Thieves Intend to Steal Your Personal Information" alert at
http://www.michigan.gov/ag/0,1607,7-164-17343_18163-81088--,00.html.
TIPS FOR REDUCING SPAM
There are two basic strategies for reducing the flood of spam e-mail:
1. Limiting the use of your main e-mail address(es);
2. Using filters to block spam from your inbox.
1. Limit the use of your main e-mail address.
Spammers harvest e-mail addresses from Web pages and newsgroups where you have
inadvertently revealed your address. Here are some ways to limit your exposure:
- Consider "masking" your e-mail address. Masking
involves putting a word or phrase in your e-mail address so that it will
trick a harvesting computer program, but not a person. For example, if your
e-mail address is "johndoe@myisp.com," you could mask it as "johndoe@spamaway.myisp.com."
Be aware that some newsgroup services or message boards won't allow you to
mask your e-mail address and some harvesting programs may be able to
penetrate common masking methods.
- Use a separate screen name for chatting. If you
use chat rooms, use a screen name that is not associated with your e-mail
address. Consider using the screen name only for online chat. Parents
should consider monitoring their children's use of chat rooms.
- Set up "disposable" addresses. Decide if you
want to use two e-mail addresses – one for personal messages and one for
posting in public. Consider using a disposable e-mail address service that
creates separate e-mail addresses that forward to your permanent account.
If one of the disposable addresses begins to receive spam, you can shut it
off without affecting your permanent address.
- Use two or more e-mail accounts. If you work
for a business or organization that wants to receive e-mail from the public,
consider creating separate accounts or disposable e-mail addresses for that
purpose, rather than having an employee's address posted in public.
- Use a unique e-mail address, containing both
letters and numbers. Your choice of e-mail address may affect the amount of
spam you receive because some spammers use "dictionary attacks" to e-mail
many possible name combinations at large ISPs or e-mail services, hoping to
find a valid address.
2. Use filters to screen your e-mail.
- Check first with your e-mail service provider to
see what options are available to block and report spam.
- If you use an e-mail program on your personal
computer, take the time to learn about ways to filter messages from
unfamiliar senders.
TRICKS OF THE TRADE – HOW SPAMMERS DISAPPEAR
E-mail can reach its destination in the blink of an eye. But hours of detective work
may not be enough to follow the e-mail trail from your inbox back to the person
who sent it. Spammers have an arsenal of tools to hide their identity and mask
their location. Even if the labor-intensive task of tracing a single junk
e-mail is successful, in many cases the path leads to another country. Indeed,
much of the time the spammer, the scam proceeds, or the server routing the spam
may be located in another part of the world.
Information contained in the "header" of an e-mail should show the origin of the
message and the route from sender to recipient. If the header information is
accurate, then identifying the origin of an e-mail is simple. But header
information can be falsified, and spammers have a range of tricks at their
disposal for doing so.
Below are short descriptions of some of the ways spammers are able to hide their
tracks by obscuring the header trail. These include spoofing, open proxies, and
zombies.
SPOOFING
Simple Mail Transfer Protocol (SMTP) is the mechanism behind sending e-mail. The
"To:" information must be accurate; otherwise the e-mail cannot be delivered.
But through "spoofing," users can falsify any other information in the headers,
including the Internet Protocol ("IP") numbers. A spammer can make up
"Received:" headers in an otherwise legitimate header, blurring the audit trail
between sender and recipient.
JOE-JOBBING
Spoofing the "From:" line and "Receipt-To:" headers also can divert attention from a
spammer. Spammers can falsify headers using made-up information or use
legitimate e-mail addresses that don't belong to the spammer. This is known as
"joe-jobbing." This technique can result in consumers sending complaints to the
apparent originating e-mail address user who had nothing to do with the message,
causing inconvenience, and even harm, to the innocent user.
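The header trail described under SPOOFING and JOE-JOBBING can be checked mechanically. The following Python code is an added example, not part of the Attorney General's alert: it treats only the "Received:" line written by the recipient's own mail server as reliable and reports everything below it as unverified. The sample message, the host name mx.myisp.example, and the function name trace are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic). Each relay prepends its own Received:
# line, so the top one is newest. mx.myisp.example stands in for the
# recipient's own mail server (an assumption); the lower line is a claim only.
SAMPLE = (
    "Received: from mail.shop.example (unknown [203.0.113.45])\n"
    "\tby mx.myisp.example with ESMTP id A1; Fri, 1 Jul 2005 10:00:03 -0400\n"
    "Received: from relay.bank.example ([192.0.2.10])\n"
    "\tby mail.shop.example with SMTP id B2; Fri, 1 Jul 2005 09:59:58 -0400\n"
    'From: "Your Bank" <service@bank.example>\n'
    "To: johndoe@myisp.example\n"
    "Subject: Account notice\n\nBody text.\n"
)

# "from <helo> ([rdns ][ip]) by <host>": a common layout, not the only one.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace(raw, trusted_hosts):
    """Split the Received: trail into hops we can rely on and hops we cannot."""
    msg = message_from_string(raw)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):   # newest hop first
        m = HOP.search(value)
        helo, rdns, ip, by = m.groups() if m else (None, None, None, None)
        # A hop counts only if one of our servers wrote it and every hop
        # above it was also ours; below that, the sender could have typed it.
        trusted = trusted and by is not None and by.lower() in trusted_hosts
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "verified": trusted})
    verified = [h for h in hops if h["verified"]]
    handoff = verified[-1] if verified else None  # last machine seen by our server
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (handoff or {}).get("rdns") or ""
    return {
        "handoff_ip": handoff["ip"] if handoff else None,
        "unverified_hops": [h for h in hops if not h["verified"]],
        "from_domain": from_domain,
        # Hint only: legitimate mail is often relayed by a third party.
        "from_matches_handoff": bool(from_domain) and rdns.lower().endswith(from_domain),
    }

if __name__ == "__main__":
    print(trace(SAMPLE, {"mx.myisp.example"}))
```

The hand-off IP is the address that actually connected to the recipient's server; as the sections on open proxies and zombies explain, it may still belong to a misconfigured or infected machine rather than to the spammer.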
OPEN PROXIES
Sometimes spammers take advantage of openings in computer networks. A proxy
server is configured to be the only machine on your network that directly
interacts with the Internet, providing more security for your network and more
efficient Web browsing for your users. Security increases because a server's IP
number is substituted for the number on the personal computer ("PC") that
actually is checking the Internet. If the computer is not connected to a
network (as is the case with many home users), the IP number associated with the
PC is sent to the Web site. If the proxy is open, it may allow unauthorized
users to connect through an authorized user's network to other Internet hosts
and take advantage of the IP number of the unsuspecting PC user.
Typically, open proxies are the result of misconfigured systems or trojan/worm/virus
infections, and administrators may not realize that a proxy is open. Spammers
find them and route their messages through the servers, substituting the IP
number of the server for the IP of the sending system.
ZOMBIES
Zombie drones and networks pose serious investigative challenges. As much as 80
percent of spam may come through mail server software or proxies installed on an
individual's PC and brought to life by remote command. These PCs are sometimes
called zombie drones. The installation is usually accomplished surreptitiously
through worms, trojans delivered by e-mail, or script-initiated "drive-by"
installation that happens while the user surfs the Web. Any PC, whether at home
or at a business, using broadband or dial-up, can be affected if antivirus and
other PC security measures are incomplete or out of date.
Once infected, the PC becomes an open proxy. The PC reports information such as its
IP number to a server under the control of the spammer who uses bulk-mailing
software to connect to the zombie proxies.
Some spammers prefer to install mail server software on the infected PC. The
software downloads a list of e-mail addresses and a template message from a
central server that the spammer controls. The zombie then blasts the messages
out with no further connection to the spammer's server. Whichever method is
used, no direct trail to the spammer exists. Drones have the added advantages
that individual PCs are harder to trace than servers and are unlikely to have
retained transaction logs even if the PC is identified.
Zombie networks are so named because they resurrect dormant IP numbers. A company to
which a block of IP addresses has been assigned may not be using all such IP
addresses, but it might not have relinquished control over those that are not in
use. A spammer who discovers these dormant IP numbers may contact the domain
registry, represent himself as the owner, and arrange for lookup records to be
changed. Spam is sent from the spammer's computers, but the trail back to its
origin winds up at the registered owner – which may no longer be in operation.
Any one of these methods can defeat the best efforts to trace spam to its source. Often
a message combines more than one method, making it almost impossible to track
its origin.
CONCLUSION
Given the multiple methods employed to avoid detection, enforcing the Michigan Child
Protection Registry may prove difficult. The Michigan Attorney General will
continue to work closely with the Federal Trade Commission to identify and
pursue spammers. As the registry program unfolds, the Attorney General may
undertake investigations or commence legal action against suspected violators
and will continue to participate in national anti-spam task forces and to study
technical and other potential solutions to the global spam menace.
Congress has charged the FTC with primary responsibility for addressing spam on a
national and international basis. The FTC currently has the best database to
receive, analyze, and investigate spam. As already noted, consumers should
forward spam messages – without opening them – to spam@uce.gov.
Consumers may visit the Attorney General's Web site for more
information on spam and ID theft and to view consumer alerts on a wide range of
topics. Mail or telephone inquiries and complaints may be directed to the
Attorney General's Consumer Protection Division at:
Consumer Protection Division
P.O. Box 30213
Lansing, MI 48909
Phone: 517-373-1140
Toll-free within Michigan: 1-877-765-8388
Fax: 517-241-3771
www.michigan.gov/ag (online complaint form)