Your Peace of Mind is our Commitment

Contact Us English Recent Articles
Home > Yui Kee Computing Monthly Newsletter > 2007 Back Issues > December 2007 > OFTA Increases Complexity of Spam Reporting

OFTA Increases Complexity of Spam Reporting

First published: 31st December 2007

On 22nd December, the second phase of the Unsolicited Electronic Messaging Ordinance cam into effect in Hong Kong, and the Office of the Telecommunications Authority (OFTA) has updated its' online report form accordingly. However, some of the features that make reporting spam long-winded and inconvenient have not been improved. The sections of the form are now:

  1. Contact details: name and phone number. These need to be entered for each report made. It would be convenient if these could be entered once for a bunch of reports.
  2. Company / Organisation name. Like the contact details, needs to be repeated for multiple reports.
  3. Address. The option to be informed of the result of reporting, by email, fax or in writing. Again, needs to be repeated for multiple reports.
  4. Type of message received, and the receiving address.
  5. Content of the message. Options for non-email, email headers, email contents and file upload:
    • As the type of message has already been specified, the email and non-email options are superfluous.
    • For email, the simplest method would be to upload the entire message as a single file. This makes the header and content fields a superfluous repitition.
    • The upload dialogue specifies, "Maximum size per attachment file is 2MB.", spam larger than 2MB is uncommon, but surely an alternate procedure for sending large files should be specified?
    • The upload dialogue also restricts the file types to, "TXT, RTF, DOC, GIF, JPG, TIF, PDF, CNM". To quibble, these are file extensions, not file types (TIFF is the full abbreviation for the Tagged Iage File Format), and a file in these formats may not have the specified extension. More seriously, it seems strange to refuse to accept evidence from a victim on the grounds that it is not correctly formatted, or of the wrong size, "I'm sorry, we can only accept fingerprints in black ink on paper, and that bloodstain is too large".
    • The dialogue also informs the reporter, "To avoid receiving an infected file, your attachment will be scanned", which leaves the question of how a victim is supposed to report infected spam. To be safe, OFTA should assume that any file uploaded is potentially malicious. OFTA should have the expertise to receive and handle potentially malicious samples in a safe, secure manner. If it does not have this expertise, it should acquire it as soon as possible.
  6. Other details. This section asks for a mixture of information that is mostly unknown, epetitious or can be obtained in other ways:
    • "Name of sender: (if you know)". Why should the recipient have reliable information on this? The message may be fraudulent or misleading about the sender, and the question is encouraging the recipient to make unjustified assumptions, based on the message content.
    • "Caller Number or Calling Line Identity (if applicable):". Good, but the type of message has already been specified, so it is unnecessary to ask this for email.
    • Date and Time of receiving the message. This can be more accurately ascertained from the email headers. Unfortunately, the time can only be specified in 12-hour format, and email headers generally use the 24-hour clock.
    • "Are you residing in Hong Kong?". Necessary for establishing the Hong Kong link.
    • "Did you receive the message in HK?". Could be determined from the IP address in email headers, or the receiving number for fax or phone.
    • "Particulars of the Reports". Options for the most likely UEMO offences. Good.
    • "Other contact details of the sender". Is this necessary when section 7 is present?
  7. "Further information which you think may be useful for our investigation". Necessary.
  8. "Consent for Disclosing Personal Data and Documents to the Sender". This question seems odd when there is potential that an investigation may lead to a criminal prosecution with punishment of up to 10 years in jail and an unlimited fine. Do the Police ask witnesses if they mind whether their personal details are revealed to the suspects for crimes with similar punishments?
  9. "Consent for Disclosing Personal Data and Documents to Other Government Departments or Parties as part of the Investigation". A necessary formality.
  10. "Consent for providing further statement(s) and acting as witness in court proceedings where necessary". A necessary formality.

On submitting the form, the user is presented with a preview of their report, with a field for entering the text from a Captcha image. The Captcha image has been upgraded, the old version was four numeric digits, the new version is four letters. The page explains, "To prevent our service from being abused by automated scripts, please type the security code as shown in the picture", but spam is an automated offence, why is OFTA requiring manual reports, which, in effect, adds an unnecessary burden to the victim? OFTA should aim to assist users by providing reporting mechanisms that can be automated easily.