Home ›
Disputes/Legal ›
Other legal information ›
Domain names and spam
Introduction
If you have an email account, you will know what spam is, and will probably have wished that someone would do something about it. You may also know about "phishing" - where you get an email pretending to be from a bank (or ebay, paypal or some other place where you might enter personal information and bank details) which is actually from a scammer trying to steal your money and information. For more information about Phishing, see the banking industry website.
There are certainly plenty of people out there trying to stop spam. A full explanation of how the global spam system works, why it works, and what can be done to stop spam would be too long for this page, but we are members of organisations like the London Action Plan that try to do something about spam.
What this page does is explain why:
Faking it - Spoof headers, dodgy links, copied websites and email zombies
Spoof headers
The email system was not designed with fraud in mind, so it largely trusts the sending computer to tell the truth. Sadly, that is now a big mistake. The email headers (all the address and transport information that the computers use to route email and which is generally hidden from you) are routinely faked, so it can be hard to know where an email came from, and the email address (and domain name it contains) do not have to be ones that the spammer controls.
In fact, it is better for the spammer if the sending email address is faked to appear to be someone else - when you send a lot of emails you will get a lot of emails returned for bad address, or 'out of office' emails. If you put someone else down as the sender, all this rubbish goes to them, not you - great for the spammer.
Dodgy links
There are also a lot of tricks that can be used to make the links in emails look as if they take you to one place, but which actually take you to another. For example:
Copied websites
A useful element for phishers is to either hack into a real site, or copy all the logos and graphics off the real one so that their fake site looks genuine. They may also copy trust symbols, pictures of padlocks, copyright statements and even warnings against phishing sites and emails!
The bank or other target company will usually have rights in copyright law to get ISP involved to take the content down, or close the loophole in their site security.
Email zombies
So who should we blame for all this spam? Quite possibly you! If you are a home PC user, with broadband, a slightly out-of-date firewall and a tendency to click on dodgy links (which puts you in a group with a lot of other people) then it is possible that your computer has a trojan on it. In this case, a trojan is a little piece of software that listens for instructions from another computer and can be used to send spam. With enough of these so-called "zombies" under his control, the spammer can send large volumes of spam which cannot easily be traced back to him. To find out more about this, see the government website on safe internet use - "GetSafeOnline".
Why can't you just turn off this domain name? - It is being used for spam!
The first answer is, of course, "is it really?", because as we saw above, most header information is faked. If we had the power to turn off domain names for this reason, a spammer would simply use domain names of people they did not like, just to get their services disrupted. Also as we have seen a link may have nothing to do with the domain name you can see - and if it does, it may be because the website has been hacked into.
The second answer is that it is not the domain name that is the problem - it is the zombie, or the mailing computer being used to send this stuff. In these cases the actual solution is to find that computer or zombie and get it taken off the Internet until the problem is fixed. We have no right to cancel the domain name.
So where did they get my email address?
There are a number of possible sources:
Can we sue them? (Disclaimer: This is general information, not specific legal advice.)
In the UK, there the law against spamming is very limited. Some service providers have taken action against spammers (Microsoft, as the operators of Hotmail have tried particularly hard) based on the terms of use of their services.
Generally, there is no right for companies to sue for spam, but individuals can sue spammers (if they can find them) under for sending direct marketing emails under paragraph 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). As far as we know, this has only happened three times.
Where the email/website contains an attempt at fraud (including phishing), it is probably illegal, and action can be taken. Equally, if it contains or links to illegal content (such as child abuse images) then action can be taken by the responsible bodies.
Who can I report spam to?
It depends on what type of spam it is:
If you have an email account, you will know what spam is, and will probably have wished that someone would do something about it. You may also know about "phishing" - where you get an email pretending to be from a bank (or ebay, paypal or some other place where you might enter personal information and bank details) which is actually from a scammer trying to steal your money and information. For more information about Phishing, see the banking industry website.
There are certainly plenty of people out there trying to stop spam. A full explanation of how the global spam system works, why it works, and what can be done to stop spam would be too long for this page, but we are members of organisations like the London Action Plan that try to do something about spam.
What this page does is explain why:
- the domain names you see in spam are probably nothing to do with the problem of spam
- we as a domain name registry can not just 'turn off' spammers;
- some places where spammers get their email addresses;
- what has been done under UK law to spammers; and
- who you can report these things to.
Faking it - Spoof headers, dodgy links, copied websites and email zombies
Spoof headers
The email system was not designed with fraud in mind, so it largely trusts the sending computer to tell the truth. Sadly, that is now a big mistake. The email headers (all the address and transport information that the computers use to route email and which is generally hidden from you) are routinely faked, so it can be hard to know where an email came from, and the email address (and domain name it contains) do not have to be ones that the spammer controls.
In fact, it is better for the spammer if the sending email address is faked to appear to be someone else - when you send a lot of emails you will get a lot of emails returned for bad address, or 'out of office' emails. If you put someone else down as the sender, all this rubbish goes to them, not you - great for the spammer.
Dodgy links
There are also a lot of tricks that can be used to make the links in emails look as if they take you to one place, but which actually take you to another. For example:
- This link uses an @ symbol: www.nominetnews.org.uk@www.nic.uk
- This link uses an @ symbol but hides it: www.nominetnews.org.uk%40www.nic.uk
- This link uses subdomains: www.nominetnews.org.uk.nic.uk
- This link is actually a link to a particular page: www.nic.uk/www.nominetnews.org.uk
- This link uses IP address (like an Internet phone number): www.nominetnews.org.uk@213.248.210.6/main.htm
- This one looks like one website but is actually another: www.nominetnews.org.uk
- This one will probably look genuine when you hover your mouse over it - but is actually fake: www.nominetnews.org.uk
Copied websites
A useful element for phishers is to either hack into a real site, or copy all the logos and graphics off the real one so that their fake site looks genuine. They may also copy trust symbols, pictures of padlocks, copyright statements and even warnings against phishing sites and emails!
The bank or other target company will usually have rights in copyright law to get ISP involved to take the content down, or close the loophole in their site security.
Email zombies
So who should we blame for all this spam? Quite possibly you! If you are a home PC user, with broadband, a slightly out-of-date firewall and a tendency to click on dodgy links (which puts you in a group with a lot of other people) then it is possible that your computer has a trojan on it. In this case, a trojan is a little piece of software that listens for instructions from another computer and can be used to send spam. With enough of these so-called "zombies" under his control, the spammer can send large volumes of spam which cannot easily be traced back to him. To find out more about this, see the government website on safe internet use - "GetSafeOnline".
Why can't you just turn off this domain name? - It is being used for spam!
The first answer is, of course, "is it really?", because as we saw above, most header information is faked. If we had the power to turn off domain names for this reason, a spammer would simply use domain names of people they did not like, just to get their services disrupted. Also as we have seen a link may have nothing to do with the domain name you can see - and if it does, it may be because the website has been hacked into.
The second answer is that it is not the domain name that is the problem - it is the zombie, or the mailing computer being used to send this stuff. In these cases the actual solution is to find that computer or zombie and get it taken off the Internet until the problem is fixed. We have no right to cancel the domain name.
So where did they get my email address?
There are a number of possible sources:
- they found it on a website, forum, or via searches for anything with an '@' symbol in it on the internet;
- they guessed the domain name (most possible short domain names and dictionary words are registered in popular extensions like .com and .uk) and then by putting standard things on the front created a name;
- you confirmed the name existed by clicking on an opt-out on another email or by emailing them back in some way;
- lists of email addresses are routinely bought and sold;
- they stole the addresses out of a zombie computer; or
- something else - their inventiveness is boundless!
Can we sue them? (Disclaimer: This is general information, not specific legal advice.)
In the UK, there the law against spamming is very limited. Some service providers have taken action against spammers (Microsoft, as the operators of Hotmail have tried particularly hard) based on the terms of use of their services.
Generally, there is no right for companies to sue for spam, but individuals can sue spammers (if they can find them) under for sending direct marketing emails under paragraph 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). As far as we know, this has only happened three times.
Where the email/website contains an attempt at fraud (including phishing), it is probably illegal, and action can be taken. Equally, if it contains or links to illegal content (such as child abuse images) then action can be taken by the responsible bodies.
Who can I report spam to?
It depends on what type of spam it is:
- If there is a breach of PECR, it can be reported to the Office of the Information Commissioner.
- If it is a phishing email, follow the advice on the Metropolitan Police's Fraud Alert website, which also asks you to report to to Bank Safe Online.
- Where the email/website contains child abuse images (child pornography), or you are concerned that it might, you must not look at it, even to check (as this can be a criminal offence in itself). You should report it at once - either to the police, the Child Exploitation and Online Protection Centre (CEOP, part of the Serious Organised Crime Agency), or the Internet Watch Foundation (a well respected internet charity which combats this problem). If it is in an email, do not send it to them, but tell them what you have and then follow their advice.
- If you think that there is a fraud involved generally, report it to the police or trading standards.