Teenager in court over "email bomb" DoS attack

A teenager will appear in court on Tuesday accused of unleashing an "email bomb" on his former employer, in what will be a test case for the Computer Misuse Act (CMA).

Police accuse the youth, who cannot be named for legal reasons, of sending five million emails to the company he used to work for. This amount of email could cause an email server to crash — and is hence classed as a form of denial-of-service (DoS) attack.

This case will prove to be a test of the effectiveness of the CMA as no-one has yet been successfully convicted under the Act of launching a DoS attack. According to those familiar with the case, the defence will argue that a launching a DoS attack is not illegal under the CMA.

At present, the CMA does not specifically include a denial of service attack as a criminal offence — something some MPs want changed. The Act currently explicitly outlaws "unauthorised access" and "unauthorised modification" of computer material, but DoS attacks sit in a legal grey area.

The youth is being tried at Wimbledon Magistrates Court under section three of the CMA, which concerns unauthorised data modification and tampering with systems.

The defence is expected to argue that the youth can't be convicted under the CMA because a flood of email would not modify any data on the server, according to Peter Sommer, a technical expert expected to be called by the defence.

Sommer, a senior research fellow the London School of Economics' information systems department, told silicon.com's sister site ZDNet UK: "When you send an email to an email server, you are not modifying that server, because the purpose of the email server is to sit around waiting to receive emails aimed at that domain."

If the emails themselves contained no malware that could modify the system, then sending them would not contravene CMA, according to Sommer.

Tom Espiner writes for ZDNet UK