Slashdot Mirror


CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

2 of 301 comments

  1. Re:We took a knife to a gun fight. by kybred · Score: 4, Informative

    Um, flag day?

    Yes, a Flag Day.

  2. Re:Legislation fixes nothing by Timothy Brownawell · Score: 4, Informative

    There's a trivial technological means to fight spam. It just requires abandoning SMTP and moving to a new protocol with the following requirements.

    • All compliant mail transport daemons must require all connections from client computers to be authenticated.
    • All compliant mail transport daemons must sign all messages as they pass them along.
    • All compliant mail transport daemons must have a service record in DNS for their host name that provides a public key for verification of the signature.
    • All compliant mail transport daemons must refuse to accept any email if the signature cannot be verified immediately (even if this is due to load), forcing the sending end to retry.
    • All compliant mail transport daemons must refuse to accept any email if the host name does not resolve to the IP number from which the inbound message was received.

    You forgot one:

    • All relevant DNS servers must implement DNSSEC.

    With that, spam is basically dead. As soon as you require those restrictions, suddenly spammers have to actually own a domain name and provide a working DNS server in order to deliver spam, and that DNS server must contain up-to-date mappings for those hosts to IP numbers. That pretty much obliterates the use of zombies for delivering mail.

    Unless they can 0wn a DNS server, or have the zombies send through the owner's legitimate outbound email accounts, or can get a steady supply of disposable domains somewhere (zombie-XXXXXX.disposable-20081217.com, etc).

    It also means that there is now a domain name, which, by ICANN policy, is required to have a valid postal address, phone number, and other contact information associated with it.

    And when the spammers don't follow the policy? Sure, the domains might get shut down after someone realized (and got the registrar to verify) that the contact info was bogus, but that's a bit too late.
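The receiving-side policy that the proposal quoted in comment 2 lays out (authenticated client, signature checked against a key published in DNS, host name resolving to the connecting IP, and a temporary refusal when verification cannot complete), written out as an added example in Go; this is not code from the thread. The in-memory DNS map, the Ed25519 keys and mx.example.com are assumptions standing in for the proposed service record, and the check shows exactly which bar is raised: an unauthenticated zombie is refused, but a sender who controls a domain and its zone still passes, which is the objection the reply raises.

```go
package main

import "crypto/ed25519"

// Verdict is the receiving daemon's decision on one inbound message.
type Verdict string
const (
	Accept   Verdict = "accept"
	TempFail Verdict = "tempfail" // refuse for now; the sending end must retry
	Reject   Verdict = "reject"
)

// Message is a constructed stand-in for one inbound transaction on the proposed protocol.
type Message struct {
	Host          string // host name the sending daemon claims
	PeerIP        string // address the connection actually came from
	Authenticated bool   // did the client authenticate when it connected
	Body, Sig     []byte
}

// DNS stands in for a DNSSEC-validated resolver: a hypothetical service record with each
// daemon's public key (Keys) plus its address record (Addr). nil models a resolver that cannot answer now.
type DNS struct {
	Keys map[string]ed25519.PublicKey
	Addr map[string]string
}
// Sign is what each forwarding daemon does to a message before passing it along.
func Sign(priv ed25519.PrivateKey, body []byte) []byte { return ed25519.Sign(priv, body) }
// CheckInbound applies the comment's rules in turn; the first failing rule decides.
func CheckInbound(d *DNS, m Message) Verdict {
	if !m.Authenticated {
		return Reject // unauthenticated clients are never relayed
	}
	if d == nil {
		return TempFail // cannot verify immediately: make the sender retry rather than guess
	}
	if ip, ok := d.Addr[m.Host]; !ok || ip != m.PeerIP {
		return Reject // host name must resolve to the IP the connection came from
	}
	if key, ok := d.Keys[m.Host]; !ok || !ed25519.Verify(key, m.Body, m.Sig) {
		return Reject // signature must verify against the key published in DNS
	}
	return Accept
}
// Setup builds a constructed zone for mx.example.com at 192.0.2.10 (test data, not a real host).
func Setup() (*DNS, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &DNS{Keys: map[string]ed25519.PublicKey{"mx.example.com": pub},
		Addr: map[string]string{"mx.example.com": "192.0.2.10"}}, priv
}
```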