Teenager in court over "email bomb" DoS attack

Youth charged with sending five million emails to ex-employer...

By Tom Espiner, 1 November 2005 15:25

A teenager will appear in court on Tuesday accused of unleashing an "email bomb" on his former employer, in what will be a test case for the Computer Misuse Act (CMA).

Police accuse the youth, who cannot be named for legal reasons, of sending five million emails to the company he used to work for. This amount of email could cause an email server to crash — and is hence classed as a form of denial-of-service (DoS) attack.

This case will prove to be a test of the effectiveness of the CMA as no-one has yet been successfully convicted under the Act of launching a DoS attack. According to those familiar with the case, the defence will argue that launching a DoS attack is not illegal under the CMA.

At present, the CMA does not specifically include a denial of service attack as a criminal offence — something some MPs want changed. The Act currently explicitly outlaws "unauthorised access" and "unauthorised modification" of computer material, but DoS attacks sit in a legal grey area.

The youth is being tried at Wimbledon Magistrates Court under section three of the CMA, which concerns unauthorised data modification and tampering with systems.

The defence is expected to argue that the youth can't be convicted under the CMA because a flood of email would not modify any data on the server, according to Peter Sommer, a technical expert expected to be called by the defence.

Sommer, a senior research fellow at the London School of Economics' information systems department, told silicon.com's sister site ZDNet UK: "When you send an email to an email server, you are not modifying that server, because the purpose of the email server is to sit around waiting to receive emails aimed at that domain."

If the emails themselves contained no malware that could modify the system, then sending them would not contravene the CMA, according to Sommer.

Tom Espiner writes for ZDNet UK

Comments

There are 6 comments.

  1. Stephan Coupland

    Clearly the teenager has done wrong, but I am not convinced the CMA covers any kind of DoS attack. Can you instead argue that crashing a system modifies its behaviour?

  2. Patrick Archibald

    So how did he send these emails? The obvious answer would seem to be by using zombies - so he must be guilty of modifying someone's system.

  3. anonymous too

    If not zombies, then he might have used the classic smtp relay approach.

    In either case he's guilty of unauthorised access of someone's system.

  4. ISPs are to blame too

    ISPs are partly to blame here too since no one can send 5 million emails (of very probably the exact same content and/or subject line) without a simple program on an ISP's server spotting huge duplication and blocking those duplicates.

    Would this then kill off email marketing? Not if smart email marketers were then forced to personalise their messages.

    I agree with other silicon.com comments on other recent stories about the urgent need for an outbreak of common sense augmented with a dash of creative thinking to solve these very solvable problems!

    But what secondary school teaches common sense and creative group problem solving???

  5. anonymous

    Anyone deliberately causing such chaos deserves to go to jail! The same could be said for any solicitor who defends such an individual on technicalities.

  6. Bang to Rights

    Not for me to claim to be an "expert" although I could be, but people may like to read the Act and consider subsection (2) of section 3 [under which the person is charged] which defines an offence of the "modification of the contents of any computer" and by so doing [para (a)] "to impair the operation of any computer".

    Looks pretty clear to me.
