CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

  • by fermion ( 181285 ) on Tuesday December 16, 2008 @08:19PM (#26139899) Homepage Journal
    I receive very little spam. Maybe 20%. That is hardly 97%. So where is it?

    I know where it is, and why it is still a problem. It is not in my email box, or the email box of most people. It is in the spam filters of our email providers. And that is the problem. I don't see it so I don't care. Sure, it may increase my cost to get online, but by how much. DSL is dirt cheap to what I was paying 10 years ago, and at better bandwidth. So what do I care? I don't see it, the problem is solved. And I can delete the 5 messages of spam that get through.

    So out of sight, out of mind, right? Wrong. I also know for the average person, and for the average spammer, those five messages per person that get through can mean huge amounts of money. Even if nothing is bought, the way that mail clients are set up and vulnerabilities in the mail and web clients can make the spammer money. For instance, most clients now render HTML and load images automatically. Apple still refuses to set an option in mail.app to turn off HTML permanently, though it does allow one to not load images. Still, most people load images, which registers as a hit on some scam web site and registers the email as valid. Rendering the HTML can allow viruses on the receiver's machine. And even the semi-legitimate spammer still has hope that someone will buy a product.

    We won't be able to get rid of all spam, even though we can't get rid of mail scams though it is a felony. The best we can do is manage it. If we are to fix it more, then we have to bring the problem to the forefront by letting spam through, or some other methods.

  • Nothing went wrong! (Score:3, Interesting)

    by www.sorehands.com ( 142825 ) on Tuesday December 16, 2008 @08:23PM (#26139927) Homepage

    The bill got the people who paid for it, what they wanted. Permission to send spam.

    To fix the bill, it needs the following:

    1. Outlaw spam. (yeah, won't probably happen, but I can dream.)
    2. Require labeling. Make it easy for spam filters.
    3. Permit private right of action for individuals.
    4. Require attorney fees to be paid to successful plaintiffs.
    5. Strict liability for the advertised party. No more, "Oh yeah, that affiliate didn't get permission to send that e-mail to you -- don't blame us."

    The bill is incorrect, you can go after foreign spammers, it is just harder.

  • by Zathain Sicarius ( 1398033 ) on Tuesday December 16, 2008 @08:33PM (#26140029)

    Considering we were responsible for 56.7% of the spam in 2005, I don't think that 14.9% is a very 'vast' majority. Granted, we're still twice the countries below us, but we've either become much better or the other countries have all become far worse.

  • by Anonymous Coward on Tuesday December 16, 2008 @08:37PM (#26140065)

    Just list your e-mail address with a domain name or post to Usenet. You'll get closer to 99.9% spam.

    I've had the same e-mail address for 15 years so about only one out of every 10,000 messages I receive is legitimate. Spam is making my e-mail more of a hassle to use than it is worth. Bill Gates can lie all he wants and say that spam is not a problem and has never been a problem, but we all know that is a lie.

  • by bussdriver ( 620565 ) on Tuesday December 16, 2008 @08:39PM (#26140087)

    #1 source of spam is the USA
    They didn't do enough plus they must have had loopholes.

    I managed a few email servers with a few hundred users back when the law was passed. When it went into effect (not when it passed) I saw within a few days a jump in spam of about 50-75% (trying to recall); it jumped up to about 2-3 times during the rest of the year; it didn't rise that quickly in previous years. I don't think it has risen as quickly since then but I don't know.

    Connection? I don't know. That is what I observed.

    Since the USA is the source for most spam, other measures should be taken besides kicking down the door of some old lady whose Windows PC was hijacked by a dozen spammers.

    At least that spam king was taken care of since the passing of the law. The law didn't do it; it just sent him over the edge and he took care of himself with a bullet and removed his genes from the genepool... (BTW, he lived in the USA)

  • by Saysys ( 976276 ) on Tuesday December 16, 2008 @08:43PM (#26140123)
    Freedom of speech is more important than $42 billion a year.

    Political speech, asking for a petition to be signed, telling someone about your faith, selling door knobs... there is a plethora of good, bad and highly subjective things people can say. Repressing speech, even 'commercial' speech, is both a constitutional violation and a very dangerous precedent to set.

    I don't like receiving 'get a bigger penis' ads any more than the next guy, but the legal action should be against the individual for lying, not for communicating speaking.

  • by SgtAaron ( 181674 ) <aaron@coinet.com> on Tuesday December 16, 2008 @09:02PM (#26140295)

    especially when they are anonymous (or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

    After tiring of the increasing load on our incoming mail servers running spamassassin, I undertook to spend a couple of days finding as many netblocks that ONLY have spam coming from them.

    It's shocking really, that I ended up spending more than two days since there were so many spread out all over the place at various colo companies. And I'm sorry to say that what I found is that nearly all of the snowshoe spammers I found were riddled around in colos here in the US. There are a bunch of ISPs out there that seem to be making a bunch of money from snowshoe spammers, so much so that they don't mind allocating half of a damned /19 for the spammers to use and populate with randomly generated domain names. And, of course, just to make it easier for us poor and broke sysadmins, these colos don't just put them all into nice contiguous blocks of IP addresses. I've about given up complaining to the likes of GalaxyVisions, Pacific Internet Exchange, AboveNet (yes, Abovenet is these days hosting lots of snowshoe spammers--sad). The list goes on and on.

    I'm up to ~375 netblocks we no longer accept SMTP connections from. The load average on our three MXs is usually about half what it used to be now.
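
The netblock hunt described in the comment above, as an added example (not SgtAaron's own method or tooling): group scored mail by source /24, keep blocks that sent only spam, and merge neighbours into larger CIDR ranges. The record format, the `/24` grouping, the `min_msgs` threshold and the function names are assumptions; the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, filter verdict) pairs, as they might be
# extracted from MX logs after spam scoring. Not real traffic.
SAMPLE = [
    ("198.51.100.7", "spam"), ("198.51.100.9", "spam"), ("198.51.100.200", "spam"),
    ("198.51.101.14", "spam"), ("198.51.101.15", "spam"), ("198.51.101.77", "spam"),
    ("203.0.113.5", "spam"), ("203.0.113.6", "spam"), ("203.0.113.8", "ham"),
    ("192.0.2.10", "spam"),
]


def spam_only_netblocks(records, prefix=24, min_msgs=3):
    """Return merged networks that sent at least min_msgs messages, all spam.

    A single legitimate message from a block disqualifies it, which is the
    "ONLY have spam coming from them" criterion; min_msgs avoids blocking a
    range on the strength of one stray message.
    """
    counts = defaultdict(lambda: [0, 0])  # network -> [spam count, ham count]
    for ip, verdict in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[net][0 if verdict == "spam" else 1] += 1
    candidates = [net for net, (spam, ham) in counts.items()
                  if ham == 0 and spam >= min_msgs]
    # Adjacent, aligned blocks collapse (two neighbouring /24s become a /23),
    # which keeps the reject list short even when the ranges are scattered.
    return list(ipaddress.collapse_addresses(candidates))


def is_blocked(ip, blocklist):
    """True if a connecting address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    for net in spam_only_netblocks(SAMPLE):
        print(net)
```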

  • by Anonymous Coward on Tuesday December 16, 2008 @09:07PM (#26140333)

    FWIW, I get over 4K spams a day to my 8-year-old email address, and they don't actually bother me much - combo of bogofilter and spamassassin that KMail automagically configured me. I get the occasional false negative (just a matter of clicking "this is junk" and it learns), but after the first couple of days training (you teach it known-good emails too), false positives stopped.

    Admittedly, I guess such spam filtering is cpu and bandwidth intensive, but the email address in question is yet to become unusable in practice.

  • by Anonymous Coward on Tuesday December 16, 2008 @09:26PM (#26140479)

    Our clients include many bands and music venues. We make every effort to be legit (unsubscribe links, legit reply email addresses, and all legit headers and DNS entries), but the rules of the game are not even available.

    See, many ISPs (AOL, and my new target of wrath, earthlink) have rules about the maximum number of messages allowed to come from a single source to their domains in a given time period. Exceed those, and you are an abuser. Except they won't tell you how many messages or how long the period. On the one hand I understand as spammers could use this to get through. But you can't even call them and get info. I've emailed their abuse lines with no reply. It's as if NO ONE knows this info. How does one follow the rules when they are undocumented and beyond the legislative code?

    Or when earthlink this past weekend decided we were a spammer, and spammed us back with abuse notices. But then they delivered our email to their customers many, many times in repetition. Like a dozen or more. It was not a server flaw on our side as confirmed by the database and log files. It was 'something' on their side that acted as a repeater for our legit email even as it was notifying us that we were spamming. We then get lots of nasty emails, which we reply to by hand. I spent half of the morning yesterday trying to get anything out of earthlink regarding the issue, but if you don't want to subscribe for service, they don't know what to do or where to have you call. I don't even know what the hoops are, much less can I jump through them.

    I get lots of unwarranted spam, but I also get many distribution lists that I want and look forward to reading. Some places make that a nightmare if you want to provide that service.

  • by digitalunity ( 19107 ) <digitalunityNO@SPAMyahoo.com> on Tuesday December 16, 2008 @09:32PM (#26140533) Homepage

    You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

    Certainly this plan has a lot of side effects, but it is not completely without merit.

  • by dgatwood ( 11270 ) on Tuesday December 16, 2008 @09:34PM (#26140557) Homepage Journal

    Just to clarify, it is technologically trivial, but nearly impossible to actually implement in a way that completely blocks spam for everyone because it requires complete adoption before you can start rejecting all non-compliant email. Basically, we'd be better off just starting a new email system in parallel and letting the old one die off as people stop using it.

  • by AK Marc ( 707885 ) on Tuesday December 16, 2008 @09:41PM (#26140617)
    Once, for fun, I signed up on a "get a free x-box" site with a throw-away address. For one, being in Alaska, it was impossible for me to complete the necessary steps to get it. For another, it is the perfect spam generator. You can never take your name off the list. They don't send you any spam, so you can't get your name off. They just re-sell your address. Even if the people that bought it take it off their list, the list you are on will be sold and re-sold thousands of times. As long as the list holders never personally send the spam, they are never required to stop selling your name to others to spam. Any law that doesn't address this is a law that will have no effect. Either all spam must be opt-in (like faxes) or there would be some requirement with all UCE to include contact information of the company where they got their list and how to get off the list of not just the one sending it, but the place they got it as well (and requirements about not sending from a list more than 30 days old and not selling a list within 30 days of getting it or something like that so it won't be sold billions of times before you can get off it).

    But yes, your general point is quite correct. It was desired by the spammers because without it any one state could have crafted a more restrictive law. With it, they can claim to be operating under the federal rules and that those trump the state requirements.

    I'd make it a requirement that the company address (physical, not PO boxes) be included in every spam, as well as a phone number. The headers must be real. If any part of the spam is faked (IP addresses, from field, or such, as well as the contact information must be accurate for at least 30 days after the spam is sent), then prosecute them for fraud and illegal access of a computer. If some woman getting on myspace uses a fake name and gets convicted, so should spammers using false headers.

  • by kwabbles ( 259554 ) on Tuesday December 16, 2008 @09:51PM (#26140691)

    I know others have said this and it's been argued before, but SMTP as it is right now should be dead. A new protocol should replace it. Yes yes, I know what a huge Herculean feat that would be - but if you look at the effort and $$ the world has collectively dumped into spam control up until this point, to me it just makes sense to start over and gradually replace the old protocol. I'm in the same boat as you, as well as my users... hardly any spam makes it to the inbox, but the damned maintenance on perimeter spam control devices and all the eaten-up bandwidth is just nuts.

  • by Sentry21 ( 8183 ) on Tuesday December 16, 2008 @10:01PM (#26140779) Journal

    It's not a new concept either. As the old saying goes, 'A lock is a device to keep an honest man honest.' It won't stop a crook.

    Let's start penalizing ISPs that don't take sufficient measures to ensure spam doesn't leave their network. Once that's done and spam zombies in first-world countries are shut off (or at least, can't do any damage), then ISPs can start banning traffic from countries that don't bother to do anything about problems (such as Taiwan).

  • by Anonymous Coward on Tuesday December 16, 2008 @10:20PM (#26140921)

    Well, Internet Mail 2000. But good luck getting everyone to switch.

  • by collinstocks ( 1295204 ) on Tuesday December 16, 2008 @11:10PM (#26141257) Journal

    They also called it "CAN-SPAM" which implies...

    Just sayin'

    I wonder who comes up with these acronyms?

  • by Anonymous Coward on Wednesday December 17, 2008 @01:24AM (#26142091)

    How about you meet up with fellow sysadmins in your area and trade lists, have them contribute? Yes, I'm aware that it's a Legislative ( ) Technical (x) Market Based ( ) Vigilante (x) approach to the problem, yada yada yada, but if you keep it limited to offline groups (telephone, physical contact, fax, etc) and make sure you don't provide a big enough target for spammers to bother with, then there's no chance of a DDoS, list-harvesting or spammer-instituted counter-measures. Take a page from America's least unsuccessful enemies (vietcong, terrorists, etc) and use low-tech asymmetric guerrilla warfare - it's a lot more difficult to hit a large group of small targets than it is to hit a small group of large targets. Just make sure you force factions to fork into cells if it becomes too popular, that way any time a list is compromised, only one cell is affected.

  • by The Master Control P ( 655590 ) <ejkeeverNO@SPAMnerdshack.com> on Wednesday December 17, 2008 @03:42AM (#26142673)
    Egress filtering:

    User: "Hi, I'd like to order $HIGH_SPEED_SERVICE."
    Tech: "Ok, cool. Are you going to run an SMTP server?"
    User: "Um... no, what's that?"
    Tech: *Puts user down for modem w/firewall that rate-limits SMTP and doesn't allow sending to noncommercial IP blocks*

    Spammer: "shit shit shit, my bots can't send any email!"
