CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

What went wrong?

[Toonol]

In fairness, nobody with any amount of knowledge expected it to have any impact. It's not really accurate to say it 'went wrong' when most of us never expected it to work in the first place.

Re:More enforcement would help

[DrLang21]

The problem is that the FBI's resources have largely been funneled to the War on Terror. As a result, a lot of crime is being left investigated. White collar crime among others is on the rise.

CAN-SPAM Worked Exactly as Expected

[ericgoldman]

Congress had no idea why spam was a problem and therefore did not draft legislation designed to address the problem. http://ssrn.com/abstract=487162 [ssrn.com] Instead, they took a shotgun approach of trying to legislate against a panoply of problems, which meant that the law was not designed to fix any single problem and therefore was not going to succeed even from day 1. Eric.

Re:Who is receiving spam?

[maxume]

Outlook doesn't load images by default. I don't think Outlook Express did, but I don't remember anymore. Neither Yahoo! Mail or Google mail load images by default.

If you measure by what people are using, you are wrong about most clients (at least, the current defaults).

Re:We took a knife to a gun fight.

[kybred]

Um, flag day?

Yes, a Flag Day [wikipedia.org].

Re:What went wrong here?

[Anonymous Coward]

Before you talk more out of your ass, look at what happened when ONE (1) USA based ISP/hosting provider was taken down in November: SpamCop (year) [spamcop.net]

Re:Legislation fixes nothing

[Timothy Brownawell]

There's a trivial technological means to fight spam. It just requires abandoning SMTP and moving to a new protocol with the following requirements.

• All compliant mail transport daemons must require all connections from client computers to be authenticated.
• All compliant mail transport daemons must sign all messages as they pass them along.
• All compliant mail transport daemons must have a service record in DNS for their host name that provides a public key for verification of the signature.
• All compliant mail transport daemons must refuse to accept any email if the signature cannot be verified immediately (even if this is due to load), forcing the sending end to retry.
• All compliant mail transport daemons must refuse to accept any email if the host name does not resolve to the IP number from which the inbound message was received.

You forgot one:

• All relevant DNS servers must implement DNSSEC.

With that, spam is basically dead. As soon as you require those restrictions, suddenly spammers have to actually own a domain name and provide a working DNS server in order to deliver spam, and that DNS server must contain up-to-date mappings for those hosts to IP numbers. That pretty much obliterates the use of zombies for delivering mail.

Unless they can 0wn a DNS server, or have the zombies send through the owner's legitimate outbound email accounts, or can get a steady supply of disposable domains somewhere (zombie-XXXXXX.disposable-20081217.com, etc).

It also means that there is now a domain name, which by ICANN policy, is required to have a valid postal address, phone number, and other contact information associated with it.

And when the spammers don't follow the policy? Sure the domains might get shut down after someone realized (and got the registrar to verify) that the contact info was bogus, but that's a bit too late.

Re:Laws just hamper the law abiding

[Anonymous Coward]

But you do see a violent crime rate higher than the US National Average http://www.bestplaces.net/city/Virgin-Utah.aspx [bestplaces.net]

Not 200 - a LOT more!

[Gonoff]

http://news.bbc.co.uk/1/hi/technology/7719281.stm [bbc.co.uk] says 1 in 12 million.

Re:Laws just hamper the law abiding

[theaveng]

In cities and states that overturned their anti-gun laws, the murder rate went DOWN.

In cities and states that passed anti-gun laws, the murder rate went up.

Re:More enforcement would help

[Erik Hensema]

I don't agree. I run my own servers, not at home but in a colo some considerable distance away. I own my domains, I run my own name servers. When the ISP for my home connection blocks smtp to any but their own smtp servers, I am disconnected from my own machines.

No you're not. You can simply use smtp port 587 to submit mail to your colo. Providers should never do egress filering on port 587, only on port 25.