CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

hint:criminals don't follow laws

[hguorbray]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

'I'm just saying

Re:hint:criminals don't follow laws

[the_womble]

It may be obvious, but it was not obvious to legislators....

Unless, of course, its more important to them to be seen to do something, rather than actually do something effective (like providing a budget for enforcement).

Re:hint:criminals don't follow laws

[lysergic.acid]

except in this case the people profiting from (and are the driving force behind) the crime aren't considered criminals. it makes no sense to outlaw spam but not go after the companies that hire spammers, and whose product advertisements are filling everyone's inbox.

even though a lot of spam is bounced through other countries, most of the products/services being advertised are of U.S. companies who operate completely out in the open and have easily traceable bank accounts. by going after these scummy businesses, you would cut off the money supply the fuels the spam industry and eliminate any financial incentive to send spam.

otherwise, this is like making it illegal commit murder but still allowing people to hire hitmen to do the killing for them.

Re:hint:criminals don't follow laws

[CodeBuster]

One possible response would be for the various sysadmins everywhere to get organized and attempt to close ranks against ISPs which host spammers in any of their IP ranges. Then all of the sysadmins could collectively retaliate against the ISPs in question by blocking all traffic from their entire range. There would be collateral damage, of course, but the ISPs, faced with the fragmentation of the Internet, might relent and quit hosting spammers in return for a cut of the action. The botnets would still be a problem but their effectiveness would be reduced if the ISPs hosting the Command and Control / Relay servers were retaliated against.

Re:hint:criminals don't follow laws

[fredklein]

I've said it before- Email Certification.

Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Private' key, and keep the 'Public' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Public key.

An email client that is Certification-compatable will, when it reveives an email, look to see if it has those two headers. If not, it will handle it according to the user's wishes. This means NON-Certified email might be deleted, or sent to a different folder, or whatever. Whitelists/blacklists are still possible.

If the email has the headers, the email client will connect to the Certification Server listed in the one header, and download the 'Private' key to attempt to decrypt the other header. If the decrypted header is valid, the client treats the email the way it is configured to, usually by placing it in the Inbox. Again, whitelists and blacklists can still be used.

If the user receives Spam that is Certified, they can easily report it to the Certifier (email clients can have a 'Report Cetrtified Spam' button that automatically shoots an email off to the Certifier, for instance). The Certifier can then contact the owner of the Certified Server and notify them of the spam. This gives the server owner a chance to stop the spam, in case the server was hacked or the spam was accidental. If the Server owner does not stop the spam, the Certifier simply pulls the Certification, by removing the 'Private' key on their server. From that moment forward, ALL email the Email server in question sends will be NON-certified (and quite frankly, probably deleted by the recipients).

If the Certifier refuses to do anything about the Spamming Server (because they are 'in on it', friendly to spammers, or just incompetent), then ALL Certifications from that Certifier can be marked as 'bad', either on a client-by-client basis, or thru the use of a Certifier black-list.

-There is no 'Central Authority'- your ISP Certifies you for a modest fee.
-You can still send non-certified email, so hobby mailing lists and the like are not affected- the people who receive the mailing list just need to whitelist it.
-Legit email will (eventually, almost always) be Certified, so Certified emails can be sent straight to the Inbox. Non-certified email will (eventually, almost always) be spam, so it can be trashed.
-Any spam that is sent from a Certified server will quickly be reported by pissed-off recipients, and quick action will be needed to avoid that Certifier (and ALL the servers it has certified) from being put on a blacklist.
-Spam will dwindle as Spammers either move to 'spam-friendly' Certifiers (which are blacklisted so the spam never gets thru anyway), or will spend huge amounts of money switching ISPs every 2-3 days to get re-certified over and over. Of course, ISPs could take a clue from the Las Vegas Casinos, and keep a 'black book' of known spammers, and check new clients against them before Certifying them.
-This system does not need to be adopted all at once. Certified and non-certified emails can be handled both by email clients that are Certification aware and not.

It may not be perfect, but it'd be a good start.

More enforcement would help

[alain94040]

Enforcement would be nice. How hard would it be for some FBI office to sign up to get all the possible spam out there, and start replying to all the great offers from African banks?

Of course, a lot of the perpetuators do not reside in the US, but quite a few do. The more legitimate a business looks like, the more likely it has a US presence that can be used to stop it.

So vote with your US tax dollars and force your government to allocate serious funds to the problem. Please!

--
http://fairsoftware.net/ -- where software developers share revenue from the apps they create

Re:More enforcement would help

[SomeJoel]

Yes, well, while the RIAA can evidently track down and prosecute a 6 year old downloading "Wheels on the Bus", the U.S. government can't seem to figure out which companies are responsible for the SPAM, even with all the contact information that must be available for the SPAM to have any value whatsoever.

What went wrong?

[girlintraining]

What went wrong? Nobody stopped to define "Spam" before trying to make it illegal. So they made something up, called it spam, and made that illegal. And when people called them up to ask why they were still getting spam, they replied: I don't see any spam here!

Re:What went wrong?

[HTH+NE1]

Musante: How are things here on the station?
Sheridan: Fine, fine. Status quo. We have had problems with the lurkers, but nothing--
Musante: Lurkers?
Sheridan: It's our version of the homeless. In many ways, we have the same problem Earth does.
Musante: Earth doesn't have homeless.
Sheridan: Excuse me?
Musante: We don't have the problem. Yes, there are some displaced people here and there, but they've chosen to be in that position. They're either lazy or they're criminal or they're mentally unstable.
Sheridan: They can't get a job.
Musante: Earthgov has promised a job to anyone that wants one. So if someone doesn't have a job, they must not want one.
Sheridan: Poverty?
Musante: It's the same.
Sheridan: Crime?
Musante: Yes, there is some, but it's caused by the mentally unstable. We've instituted correctional centers to filter them out at an early age.
Sheridan: Prejudice?
Musante: No, we're just one happy planet. Well, all right, there's the Marsies, but that won't change until they stop fighting the Earth rule.
Sheridan: And when exactly did all this happen?
Musante: When we rewrote the dictionary.

Musante: Captain, you're a good man. You're a fine soldier. A leader. You understand that sometimes before you can deal with a problem you have to redefine it.
Sheridan: But you can't deal with the problems by pretending they don't exist.
Musante: There's no need to embarrass our leaders by pointing out the flaws that they're aware of and dealing with in their own way. Some people just enjoy finding fault with our leaders. They're anarchists, troublemakers, or they're simply just unpatriotic. None of which describes you. Now, do you want people thinking otherwise?

Possibly...

something to do with the fact that the US Congress doesn't have jurisdiction over international crime rings.

That, and the allure of free advertising in a world full of idiots.

What went wrong here?

[flaming+error]

1) Legislation was flawed
2) Problem transcends US Jurisdiction
3) Enforcement is spotty at best
4) Idiots buy their stuff

Legislation fixes nothing

[EmbeddedJanitor]

Legislation only allows some other mechanism to be used. Legislation on its own can do nothing.

All the legislation in the world won't fix teenage pregnancies, the War On Drugs, etc etc.

Since there is really no technical mechanism to kill spam, the legislation itself is ineffective.

Re:Legislation fixes nothing

[Whiney+Mac+Fanboy]

Since there is really no technical mechanism to kill spam, the legislation itself is ineffective.

IOW, your post doesn't advocates a:

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam, in favour of advocating a:

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam?

Re:Legislation fixes nothing

[Sancho]

If there were a technological means to fight spam, we wouldn't need the legislation.

What's needed is actual enforcement. Spammers make money because people buy their wares. Where there's money changing hands, there's a trail you can follow. The problem is seemingly that no one wants to follow that trail.

No enforcement? Practically no law.

Re:Legislation fixes nothing

[Luthair]

I disagree, I believe that there are definitely changes which could lower the amount of spam, the problem is that getting all parties (ISPs everywhere) on board a single standard is nigh impossible. Perhaps one possibility is to require that the sender's domain resolve to the system sending the mail. This doesn't correct hijacked servers, or spam servers, but it might eliminate spam sent from botnet zombies.

What really needs to happen is that big players (MS, Yahoo, Google, Comcast, British Telecom, etc.) get together and agree on a standard. Make the standard open, unencumbered, and state that as of date X they won't support anything else.

what went wrong?

Anything that fails to remove the financial motivation behind sending SPAM will fail to prevent SPAM.

No one in their right mind ever thought CAN-SPAM would have any tangible benefit.

Making things illegal WORKS

Remember when we made weed illegal and now you can't buy... ooh, wait a second.

What went wrong? What could have gone right?

[Antique+Geekmeister]

Quite seriously, this law was specifically not aimed at spam. It was aimed at certain types of online fraud, and it deliberately took power away from local law enforcement to put it in the hands of a federal power that does _nothing_ about mere spam. It was carefully designed to allow 'opt-out' advertisements, and that first advertisement from any spammer, and it was carefully legislated that way by the Direct Marketing Association to avoid interfering with the advertisements of their funding agancies. It was also carefully designed to overrule more effective, state efforts.

Such laws should instead be modeled on the junk fax law, which has withstood the test of free speech challenges and ease of prosecution.

Obligatory

Your Congress advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(X) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

We took a knife to a gun fight.

[mellon]

Seriously, the problem with every anti-spam countermeasure I've seen so far is that they are all based on using SMTP as a mail transport. And SMTP is a protocol designed for a civilized Internet - one where every email sent is assumed to be one that the designated recipient wants.

In order to stop spam, we need to stop using SMTP and switch to a protocol that rejects mail by default. Unfortunately, this requires a flag day, and nobody's put forward a protocol like this yet, so we're still stuck with insane amounts of spam.

There is no problem with CAN-SPAM

[SIR_Taco]

The problem is not that the CAN-SPAM act of 2003 is flawed.
The problem is that the US seems to assume that laws made in their country are globally accepted.
Prohibiting pretty much anything will just make those people that want it get it from another source. For example, look at the prohibition of alcohol in the US... suddenly many people had the urge to visit Canada and/or Mexico more often (even bring back 'souvenirs').

Just my 2-cents in the matter.

Laws just hamper the law abiding

[Alain+Williams]

Just like all this wire tapping, surveillance, air port searches, ... they don't really stop the criminals - they just get up everyone's nose and provide an excuse for those who ''investigate'' us with excuses to abuse our privacy.

Look at the people who blew up the hotels in Bombay (Mumbai these days) - just a few men in boats with guns -- sophisticated protection can't stop them every time. We might as well give up and spend the money on something useful.

Re:Laws just hamper the law abiding

[mjwx]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Instead of 100's of dead, you'd have 100's of dead and no way to tell who started shooting in the first place. Person A Shoots persons B and C, Person D shoots person A, Person E sees person D shooting, assumes that Person D is responsible and Person E shoots Person D who is then taken out by person F and so on until you pretty much have no one left capable or willing to shoot. MAD only works if its never used. Your analogy assumes that the shooters will begin to fire ensuring that the MAD bluff is called so this is where MAD fails and a great many people get killed.

Certainly this plan has a lot of side effects, but it is not completely without merit.

Yes it has a great many side effects and this is why it is completely without merit. Your plan relies on the same flaw that all extremist philosophies rely on, that everyone thinks on the same path. In a situation like the one in Bombay no single person will have total awareness of the situation and cannot determine who are the attackers and who are the defenders, thus the person is forced to choose who to attack based on extremely limited observation and you can guarantee that at least 60% of the people will choose the wrong target. Let me add to this, if the myth that guns keep people safe were true, why aren't Somalia and Russia amongst the safest places to live? Firearms are very common in these places. Or perhaps you would look at South Africa, where no-one is willing to travel without a gun, not because Johannesburg is safe but because if you don't have it you will be a victim because crime is so high. Guns don't keep people safe, good laws and effective policing keep people safe. The US, Sweden and Russia have a lot of guns in the hands of civilians, why does Sweden have an order of magnitude less crime then the US (and several orders less then Russia), because of effective policing and a calm populace. Most Swedes will say they don't feel the need nor actually wish to carry guns.

Crime in the US is higher then any other western state (unless we include Russia) so please don't bring up US and the UK as examples of how gun legislation hurts. Properly enacted it will reduce the number of gun deaths (accidents in AU have dropped by 90%, whilst violent crime has not increased by the same amount as the US). You are 8-12 times more likely to suffer injury in by violent crime in the US then you are in Australia.

Re:Laws just hamper the law abiding

[RaigetheFury]

Whoa whoa buddy, your facts are ALL WRONG!!!

Somalia and Russia are a different playing field. More Somalia than russia really. People who have guns have power. Typically those without guns can't afford them. Plain as that. Comparing Somalia to the US is like comparing apples to oranges.

The world is a complex place, and "weapons" don't solve everything... but being a criminal, if you know that person has a gun typically you'll go after the person that doesn't. Less risk.

The US has laws in place that pretty much screws anyone who shoots their gun without using their brain. I wish i didn't live in a world where guns were needed but that's how it is. Before you pass judgment on me... I don't own a gun. The level of security i wish to live requires only two great dogs (labs) to alert me or let the criminal know that my house probably isn't the best place to rob.

However, there are a LOT of people who's way of life and experience require some form of protection. A gun is one of those things.

Another thing, when you're talking about the number of gun deaths, what about the crime rate? You quote VIOLENT crime... but what about overall crime. Hmm lets look!

http://www.gunsandcrime.org/auresult.html ... wait that can't be right it says the crime rate INCREASED... in fact it says the crime rate exploded... lets look at more references... this one must be flawed...

http://www.google.com/search?hl=en&q=AU+crime+rate+gun+legislation&btnG=Google+Search&aq=f&oq=

Well... I'll be damned. Government studies, independent studies and just plain facts show you're completely wrong. Here are some quotes from your own major news groups.

"Crime rate has been skyrocketing in the UK and AU since stricter gun control laws were enacted..."
"Australia saw its violent crime rates soar after it's gun control measures..."

It's littered with the same thing. You are WRONG. Your violent crime might be down but your crime went through the roof!!!!!

The only gun control the US needs is to require education on ALL purchasing of firearms, and much much stiffer penalties on those that illegally own firearms. I have NO problem with someone owning an automatic weapon as long as they have proven that they are trained to use it.

Re:Laws just hamper the law abiding

[geckipede]

Are those US statistics? I can believe it would be true there because the states have drifted into a situation where no force on Earth could get rid of the arms black market and so many people are armed that criminals are forced to be so that they are on an equal footing. Neither of those things are universally true for other countries.

Re:Laws just hamper the law abiding

[Sri.Theo]

Cite? After the Dunblane laws were enacted in the UK the exact opposite happened, deaths involving guns gradually decreased. They're practically non-existent now- although we do have pretty similar levels of violent crime, fewer people get killed because of it.

Re:Laws just hamper the law abiding

> Crime in the US is higher then any other western state (unless we include Russia) so please don't bring up US and the UK as examples
> of how gun legislation hurts. Properly enacted it will reduce the number of gun deaths (accidents in AU have dropped by 90%, whilst
> violent crime has not increased by the same amount as the US). You are 8-12 times more likely to suffer injury in by violent crime in
> the US then you are in Australia.

Accidents aside (I consider that a darwinian effect), you have a rather obvious problem with your statement: This never accounts for the fact that while gun deaths will go down, deaths via other methods will just go up to fill the void that they left. The problem is not guns, it's crime.

The presence of guns does not cause crime. Crime will exist regardless of whether they are available or not, and criminals will use whatever weapons are most convenient to them.

I'm fine with the murder rate here in the U.S., as it mostly represents criminals killing other criminals. Isn't that what we want?

It's been a success!

[mcbutterbuns]

The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008.

Those are great numbers. Imagine how much SPAM would have been sent had the law NOT been passed!

Private right of action

[gorbachev]

Private right of action got stripped out of it due to complaints from the direct marketers. That was strike one. With so much spam it's completely unreasonable to expect anyone to enforce the law. Crowdsourcing the enforcement through private right of action would've worked. And the direct marketers knew it...

The second strike was that the bill didn't anticipate the success of botnets and Russian organized crime. The law doesn't do jack s*** about that problem.

Re:Obligatory

Insightful? Yeah right. Of course congress did a legislative approach, THAT'S THEIR JOB. They don't have any other authority.

Re:Obligatory

Your Congress advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

I think I've already been spammed that reply in dozens of slashdot articles. Any chance our server script overlords can introduce a spam filter for it? Its rigged to always say please give up now.

Re:Who is supposedly profiting anyway?

[Thiez]

> Makes me wonder why do they bother.

Because sending email to many people is cheap. If one out of 200 spammed people buys the product the spam is advertising, the spammer is making a decent profit.