Is the CAN-SPAM Act Working? 280
DynaSoar writes "Lance Ulanoff of PCMag.com offer his opinion on the success, or lack thereof, of the CAN-SPAM Act. It doesn't appear to be working, though spammers have noticed, in that they try to make their spam look "legit". What might make a real difference, according to US Senator Conrad Burns, co-author of the bill, is international standards and enforcement."
No... (Score:2, Informative)
The only chnage I've noticed is that my filters are no longer as effective, now that some of the spams are trying to look legitimate.
Don't wait for the government to fix it (Score:5, Informative)
Re:War on Poverty, War on Drugs (Score:4, Informative)
Re:Huh? (Score:2, Informative)
So it didn't say "all spam must start with [ADV]," but "all spam must start with a tag to be chosen by the FCC within x months of this law going into effect."
Re:Filtering out spam and black listing email serv (Score:3, Informative)
What I would like to see is some kind of convenient exothermic chemical reaction, which would convert abundant materials -- such as, say, wood, or possibly carbonaceous minerals -- into glowing gases we could use to heat things up with. This would be of great use in preparing food and keeping warm in the winter.
Little hint: Before you say "I wish a thing like this existed," you might want to do some research in the field. As a matter of fact, a few projects along the lines of what you describe already do exist. Google for "Distributed Checksum Clearinghouses" (DCC, created by Vernon Schryver) and "Vipul's Razor" (created by Vipul Ved Prakash).
CAN-SPAM works some if you are careful (Score:4, Informative)
I basically tried to sort out which spams were legitimately adhering to the law (which wasn't too hard), and if anything was iffy I would fill out the unsubscribe link with a throwaway e-mail to see if I got spam from it.
long story short 4 weeks later I'm getting about 170 spams/days. A decrease of 60 messages/day or about 25% less. Not a huge decrease, but noticeable.
The big benefit though is that the spam that is left is more "spammy" than before - hence my bayesian filter has achieved a slighly higher success rate which is good.
Straight from a horses' mouth (Score:5, Informative)
December 2003
Total messages: 162,564
Total messages blocked by SpamAssassin: 36,927
January 2004
Total messages: 180,375
Total messages blocked by SpamAssassin: 48,661
So what we have is 10% growth in total messages, but a 31% growth in spam.
Making spam illegal isn't working. Not surprising to me.....
FWIW, I attribute the 10% growth to MyDoom and its ilk - my user base did not grow 10%, nor do I think my users suddenly started sending more email - they just received more stuff that got deleted (but counted) by the virus scanner.
Re:Usable snailmail addresses? (Score:4, Informative)
Re:Filtering out spam and black listing email serv (Score:2, Informative)
-G
Re:Huh? (Score:3, Informative)
So it didn't say "all spam must start with [ADV]," but "all spam must start with a tag to be chosen by the FCC within x months of this law going into effect."
You don't quite have it right. All porn spam needs a standard identifier (to be set by "the Commission", not sure which one), not all spam. See the text of the CAN-SPAM act [spamlaws.com], in particular section 5 (d) (3). This has to be done within 120 days of Jan 7, 2004.
Re:Faster than ever (Score:5, Informative)
Re:Huge Spike (Score:3, Informative)
Not all of the dns blacklists are created equal, but I have enough confidence in both the spamhaus and spamcop lists to automatically mark a message as spam if either of those tests fail.
Re:Huh? (Score:4, Informative)
The actual law says: [spamlaws.com]
(b) LIMITATION- Subsection (a) may not be construed to authorize the Commission to establish a requirement pursuant to section 5(a)(5)(A) to include any specific words, characters, marks, or labels in a commercial electronic mail message, or to include the identification required by section 5(a)(5)(A) in any particular part of such a mail message (such as the subject line or body).
Now, the FTC is required to report back in less than 18 months about the feasibility of requiring ADV: or other indicators, but does not authorize them to require it in the meantime.
Want to try again?
They are basically passing the buck off to whomever has to vote on it in 18 months. [You were right about one thing - it is the FTC, not my idiotic FCC]
It's all good talking about foreign enforcement (Score:2, Informative)
Just wait, you'll get spam. (Score:5, Informative)
Be listed as the domain contact for a domain where a working address is mandatory. Failure to have a working address is grounds to have your domain cancelled. (Fortunately many registrars offer filtered address these days, but that doesn't help for the addresses that were visible before and are already on lists.
Post to usenet. I stopped doing that years and years ago, but I got on spammers lists back then and those addresses still circulate.
Have your job require that your email address be on the web. Similarlly, be responsible for a business address (like "support") that has to be on the web.
Post to a publically archived mailing list that doesn't remove email addresses. Posting to said list may be part of your job and can't be avoided.
Have someone else post your mailing address to a publically archived mailing list
Have someone else send you a e-card from a sleazy site that resells addresses
Have a moderately common name and use a moderately popular email host, you might get dictionary attacked
Ultimately, if you use the same address for long enough it will leak somewhere, possibly without your knowledge. Are you sure no one you know isn't posting a "Hey, my friend bob@example.com knows about this, as him" to a publically archived mailing list? Switching addresses isn't a very good option; it cuts off communication with other people. Throwaway addresses help (I use them myself), but to suggest that it's a reasonable option for Joe Random User is silly.
Count yourself lucky that you haven't had a problem. I got a new email address with a new job about two years ago. That address has never been used for personal use, just work. I've always obfuscated it on my web page (I need to have it available as part of my job). But I'm already getting 10 or so spam a day. (Although that's an improvement over the 80 or so a day I get at my various personal accounts.)
Re:More wasted bandwidth (Score:1, Informative)
Re:Don't wait for the government to fix it (Score:4, Informative)
Now this is susceptible to guessing. Once I know or guess a user ID, the rest is made up each time. To make this harder, you can set "code words" that must be in the made-up prefix. Further, you can set a "password" that must prefix the entire address (secret.nyt.2.spamisevil@...).
Keep in mind this is geared toward providing temporary throw-away accounts. If someone looks in their logs/database and sees "secret.nyt..." they can sure start spamming you. Change the password or list of code words and they can no longer make up email addresses for you.
Someone would have to be pretty damn desperate to start scanning logs for SG email addresses, especially since they'd stop working pretty soon after they started using them to spam.
I just started using it last week after a similar post here. The thing I like most is that I don't have to go to SG's website to create a new account. You literally make up email addresses with the option to use the extra features to make it more difficult for someone else to do it to you.