CAN-SPAM Is A Bust

Doc Ruby writes "The Congressional chatter about 'canning spam', in the CAN-SPAM law since January, has turned out to really mean 'they can still spam'. TechWeb News reports that 'In July, compliance fell for the first time under one percent to a measly 0.54 percent', from its 3% max. The researchers claim the ball has been dropped by 'law enforcement'. Those police are probably too busy deleting the 80% spam from their email, like everyone else."

Not enough!

[Trillan]

We also need a clause that allows us to beat anyone who buys stuff from spam.

(Note: It's spam, not SPAM. SPAM is a registered trademark of a certain food company that is graciously not suing the ass off of everyone, and asks only that we not capitlize the word.)

Politics will never solve this problem

[aoasus]

There's just no way that you can solve this problem with politics. It's one the /. crowd will have to solve. Even if I wanted some physical vigialntie justice, I can't afford to track down some spamer in Russia. I'm really thinking it's a 2 pronged problem and, like the rest of you I have (at least) 2 addresses, deviding the issue in half. Only a few select people get one and the minor amount of spam I get there is easily filterable. The other one is a web based account. I don't pay for it; they can fill 10-20% of my allready mostly filtered free (as in beer) space with all the spam they want. Seriously tho, whitelisting is the real solution, but even I may be too lazy for that.

Digital Stamps?

A while back, companies (including Microsoft) were talking about creating a pay-the-sender e-mail system that would force non-whitelist e-mail senders to pay some n-cent "stamp" toll to have their message delivered. I still think this is a great idea: a tiny fraction of the personal e-mail I receive is both (!spam && !expected), and anyone who legitimately wants to contact me is unlikely to balk at a 5-cent fee (unlike, say, a spammer sending out ten-million unwanted e-mails).
The problem, of course, is convincing people to sign-on. If it came out tomorrow (and Microsoft promised to play nice), would slashdotters be on-board?

Re:If they only..

[Jetson]

Yes, really. Accidents are not caused by driving fast (excepting "too fast for conditions", which is a different issue entirely), but by speed differences. If you are driving slower than the surrounding traffic then you are causing compression and the need for lane-changing behind you, both of which increase the risk of collision. As my driving instructor once said "the measure of a driver's skill is not how few accidents he's been in, but how few he's caused".

Re:Spam is getting to be such BS

[PhilipPeake]

All I can say is that you obviously didn't do a good job of setting up your anti-spam system.

I use sendmail to check for lack of HELO etc, then to validate that the sender domain really exists, followed by two RBL lists - although Spamhaus alone is probably good enough - the second one catches maybe another 5 to 10%.

After that its Spamassassin, set up with individual beysian databases per user. Spam goes into the users SPAM folder for them to check, and I ask them to copy good mail into a NON-SPAM folder. Each night the users SPAM folder is scanned (via cron) with --spam and the NON-SPAM with --ham.

The end result is that 90% of spam is stopped before delivery by the sendmail and RBL checks in sendmail, and I see - maybe - one piece of spam per day, and never see any good mail end up in the SPAM folder - with the spam level set to 3.9.

The system runs itself, and it works well. It takes maybe a couple of weeks to stabilise, but then just tracks the changing spam patterns pretty quickly.

Re:We need to fix this on the pay side

[Michael+Spencer+Jr.]

I work for a major credit card processor (First National Merchant Solutions), and I'm at work right now. This is a highly opinionated reply I'm posting here, so let me say right out in front: this opinion is mine, and may or may not be shared by my employer, First National Merchant Solutions. (I heard from a coworker that we process about 5% by volume of all Visa/Mastercard sales nationwide. We're a big company, so the disclaimer is necessary.)

I agree with the general idea of interfering with spammers' revenue streams.

I do NOT agree with the parent's proposed method, for specific reasons I'll describe. In general your proposed change would have a positive effect, making it much more difficult for anonymous businesses to accept Visa or Mastercard. It would have a much more pronounced negative effect, increasing administrative overhead for acquirers (like us) and merchants alike. The end result of this will be more fees for merchants, which hurts small mom-and-pop businesses disproportionately. ("What's this $25.00 regulatory fee on my statement? I barely do 3 transactions a month!" "Well, the Visa and Mastercard regulatory commissions meet once every six months. Usually the changes they mandate are small, and we don't need to charge our merchants to cover significant development costs, but this year...")

First, legislation is *slow*. Keep in mind legislation requiring truncation of customer account numbers on receipts has been rolled out slowly over several years. (Truncation is our industry's term for only printing the last four digits of the card number, instead of printing the entire number.) In some states' implementations of this requirement, new installations must be compliant but existing installations don't need to be made compliant for a few more *years*.

I submit that this new proposed legislation would have a similarly long roll-out, meaning spammers would likely still be using non-compliant web sites legally well into 2010.

Second, there are already mechanisms in place for stopping money laundering. Visa and Mastercard transactions are logged and monitored at every step of the chain for this kind of activity: by the issuing bank (which issued the customer card), by the association (Visa/Mastercard, responsible for funds transfer and administration of the system), and by the acquiring bank (the credit card processor, like us, who helps the merchant collect payment). Just because the information necessary to stop money laundering isn't available on the web site to consumers with no investigative authority doesn't mean the information isn't available at all. All law enforcement has to do is get the merchant to perform a sale, and they have all the information they need to track the transaction all the way back to the merchant's bank account.

So I submit my opinion that one would be unlikely to persuade lawmakers to pass this spam-unfriendly money-laundering-prevention bill, because it doesn't actually do anything significant to prevent money-laundering. You'll have to convince lawmakers to pass this on its spam-fighting merits alone.

I don't think the parent post actually understands the industry well enough to be making that kind of advice. Just like computer experts watch "hacker" movies and groan and complain about all the inaccuracies, I view the parent post as someone with good intentions and good ideas, but not enough understanding of the business to come up with a good implementation. I'd say moderate it +3 at the highest -- to someone in the industry who is sympathetic to the parent poster's cause, it just seems silly. Well-intentioned, but silly.

----------

I'd like to do more than just shoot the parent poster down, though. I want to help. If YOU conduct business with a spammer, or a business who has (deliberately or accidentally) hired a spammer for promotion, you can leverage Visa/Mastercard regulations against them. (If you're going to do business with a criminal for the sole purpose of stopping th