Unsolicited mail far more dangerous than mere nuisance, with cyber-criminals able to hold firms to ransom.

It's being described as a war, an arms race, an unseen struggle where the stakes are being raised and the weapons redefined each minute.

In New Zealand, the ramparts are constantly being tested by attacks numbering in the tens of millions each hour.

The odds are becoming increasingly stacked against people like Peter Merrigan, but major battles are still being won.

Mr Merrigan is a senior investigator at what might be called the A-Team of the spam war: the Department of Internal Affairs' Electronic Messaging Compliance Unit (EMCU).

The enemy they and other agencies fight is often a faceless cyber-criminal, sitting in a faraway country, hidden behind layers of electronic protection.

When their spam does make it through email filters, they can hold victims to ransom for tens of thousands of dollars, or turn their computer against others.

But most of the victories of Mr Merrigan's team so far have been against New Zealand-linked companies that have spammed people in their own country.

The unit consists of just four investigators in a Wellington office, tasked with responding to between 800 and 900 spamming complaints from the public each month.

In each case, the investigators must establish if a piece of spam has breached the Unsolicited Electronic Messages Act 2007.

In some instances, the follow-up may only involve contacting the unwelcome sender.

Last year, the unit gave formal warnings to spammers as innocuous as dental clinics, shoe shops and tailors; also on the list were high-profile companies such as Whitcoulls, Les Mills and Cash Converters.

But beyond these "quick kills", as Mr Merrigan called straightforward cases, were investigations that could last weeks, or even years.

Such a case came to a close at Manukau District Court last week, in what was the first defended anti-spam case in New Zealand, and the first civil pecuniary penalty application to be heard through to completion.

It began back in July 2012, when Auckland man Zeljko Aksentijevic sent 2230 commercial electronic messages that included links to his free Android app Crazy Tilt Arcade Challenge, largely to members of an internet gaming forum, following an online argument.

The emails were mainly abusive in nature but also contained links to a webpage promoting the app.

Aksentijevic had also sent the emails from a number of different email addresses in an attempt to keep his identity anonymous. Even after being put on notice by the Department of Internal Affairs, he continued to send emails.

In ordering him to pay $12,000 last week, Judge Charles Blackie singled out the hostile nature of his emails as an aggravating factor, remarking that breaching the act was one thing but "adding a veneer of abuse" was another.

Other major prosecutions brought by the unit have led to much harsher penalties.

Auckland firm Image Marketing Group was last year fined $120,000 in a case involving 45,000 text messages and 519,545 emails in 2009, while in 2013, a Perth-based businessman was ordered to pay $95,000 after 53 complaints about spam emails promoting his company.

In the first case under the act, brothers Shane and Lance Atkinson were each fined $100,000, and business partner Roland Smits was made to pay $50,000, for sending more than two million unsolicited emails to New Zealand addresses marketing pills.

Mr Merrigan admitted the unit's resources were limited, and it was up to each investigator, who was always dealing with multiple inquiries at any time, to choose what to follow up.

The job required not just a good knowledge of the law but the technical nous to reach through the multiple electronic barriers that spammers often hid themselves behind.

Spam messages could range from annoying promotions sent by companies without the consent of recipients, through to the nefarious extremes of sophisticated ransomware hidden in email attachments.

The unit drew on the latest innovations to meet emerging threats, such as the GSMA Spam Reporting Service from messaging security software provider Cloudmark, which allowed the team to work more closely with New Zealand mobile operators analysing SMS text spam.

But the investigators hit hurdles with spam from abroad. The volume flowing in from overseas each day could be likened to an electronic tsunami.

Among its 150,000 Kiwi business users, email security company SMX logs between 10 million and 20 million messages a day - nearly 90 per cent of them spam.

"If you aggregated that across an hourly period, some hours would see three or four million spam emails," the company's chief technology officer, Thom Hooker, said.

Up to half originated in the United States and the number was even observed to drop off on American holidays.

"It's just a constant war between the spam writers and the anti-spam engines."

There was the constant risk that spam which made it past filters could lock down an entire computer network with ransomware, or use a bot to hijack a machine and send spam, steal the user's identity, or host a phishing site to scam others.


Mr Hooker blamed the email protocol, which was written back in the late 1970s and early 1980s.

"The protocol hasn't really changed at all: it's still a very open and friendly protocol ... it's pretty much the most dangerous protocol out there as far as access to your network," he said.

If SMX and companies like it are a safety barrier, NetSafe is the ambulance at the bottom of the cliff.

In hopeless cases, the internet watchdog has been able only to help desperate victims pay ransoms to spammers who had encrypted every file on their computer.

"I think it's a plague, to be honest," NetSafe digital project manager Chris Hails said. "I've been online for 20 years, and it's always been with us. It's endemic."

Spammers slammed

2008/2009: New Zealanders Shane and Lance Atkinson each fined $100,000 and Roland Smits ordered to pay $50,000 for their roles in a Christchurch business that over four months in 2007 sent more than two million unsolicited emails to New Zealand addresses marketing pharmaceutical products.

2013: Perth businessman Wayne Robert Mansfield fined $95,000 after 53 complaints about spam emails promoting his company, Business Seminars NZ, between April 5 and September 27, 2010.

2014: Image Marketing Group Ltd fined $120,000 for a case involving 45,000 text messages and 519,545 emails sent in 2009 plus an unknown number sent in 2010, together with the sale of a database of 50,000 email addresses.

Last Tuesday: Auckland man Zeljko Aksentijevic fined $12,000 plus costs in the Manukau District Court after sending 2230 commercial electronic messages that included links to his free Android app Crazy Tilt Arcade Challenge, largely to members of an internet gaming forum, following an online argument. It was the first defended anti-spam case in New Zealand, and the first civil pecuniary penalty application to be heard through to completion.