CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

Re:hint:criminals don't follow laws

[SgtAaron]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

After tiring of the increasing load on our incoming mail servers running spamassassin, I undertook to spend a couple of days finding as many netblocks that ONLY have spam coming from them.

It's shocking really, that I ended up spending more than two days since there were so many spread out all over the place at various colo companies. And I'm sorry to say that what I found is that nearly all of the snowshoe spammers I found were riddled around in colos here in the US. There are a bunch of ISPs out there that seem to be making a bunch of money from snowshoe spammers, so much so that they don't mind allocating half of a damned /19 for the spammers to use and populate with randomly generated domain names. And, of course, just to make it easier for us poor and broke sysadmins, these colos don't just put them all into nice contiguous blocks of IP addresses. I've about given up complaining to the likes of GalaxyVisions, Pacific Internet Exchange, AboveNet (yes, Abovenet is these days hosting lots of snowshoe spammers--sad). The list goes on and on.

I'm up to ~375 netblocks we no longer accept SMTP connections from. The load average on our three MXs is usually about half what it used to be now.

Re:Legislation fixes nothing

[dgatwood]

Just to clarify, it is technologically trivial, but nearly impossible to actually implement in a way that completely blocks spam for everyone because it requires complete adoption before you can start rejecting all non-compliant email. Basically, we'd be better off just starting a new email system in parallel and letting the old one die off as people stop using it.