CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

hint:criminals don't follow laws

[hguorbray]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

'I'm just saying

Re:hint:criminals don't follow laws

[Chris+Burke]

Thanks for the hint! Now I know why my life of crime has been so slow to take off.

Re:hint:criminals don't follow laws

[SgtAaron]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

After tiring of the increasing load on our incoming mail servers running spamassassin, I undertook to spend a couple of days finding as many netblocks that ONLY have spam coming from them.

It's shocking really, that I ended up spending more than two days since there were so many spread out all over the place at various colo companies. And I'm sorry to say that what I found is that nearly all of the snowshoe spammers I found were riddled around in colos here in the US. There are a bunch of ISPs out there that seem to be making a bunch of money from snowshoe spammers, so much so that they don't mind allocating half of a damned /19 for the spammers to use and populate with randomly generated domain names. And, of course, just to make it easier for us poor and broke sysadmins, these colos don't just put them all into nice contiguous blocks of IP addresses. I've about given up complaining to the likes of GalaxyVisions, Pacific Internet Exchange, AboveNet (yes, Abovenet is these days hosting lots of snowshoe spammers--sad). The list goes on and on.

I'm up to ~375 netblocks we no longer accept SMTP connections from. The load average on our three MXs is usually about half what it used to be now.

Re:hint:criminals don't follow laws

[the_womble]

It may be obvious, but it was not obvious to legislators....

Unless, of course, its more important to them to be seen to do something, rather than actually do something effective (like providing a budget for enforcement).

Re:hint:criminals don't follow laws

[lysergic.acid]

except in this case the people profiting from (and are the driving force behind) the crime aren't considered criminals. it makes no sense to outlaw spam but not go after the companies that hire spammers, and whose product advertisements are filling everyone's inbox.

even though a lot of spam is bounced through other countries, most of the products/services being advertised are of U.S. companies who operate completely out in the open and have easily traceable bank accounts. by going after these scummy businesses, you would cut off the money supply the fuels the spam industry and eliminate any financial incentive to send spam.

otherwise, this is like making it illegal commit murder but still allowing people to hire hitmen to do the killing for them.

More enforcement would help

[alain94040]

Enforcement would be nice. How hard would it be for some FBI office to sign up to get all the possible spam out there, and start replying to all the great offers from African banks?

Of course, a lot of the perpetuators do not reside in the US, but quite a few do. The more legitimate a business looks like, the more likely it has a US presence that can be used to stop it.

So vote with your US tax dollars and force your government to allocate serious funds to the problem. Please!

--
http://fairsoftware.net/ -- where software developers share revenue from the apps they create

Re:More enforcement would help

[SomeJoel]

Yes, well, while the RIAA can evidently track down and prosecute a 6 year old downloading "Wheels on the Bus", the U.S. government can't seem to figure out which companies are responsible for the SPAM, even with all the contact information that must be available for the SPAM to have any value whatsoever.

Re:More enforcement would help

[thetoadwarrior]

But the spammer is just a business man trying to make money. However the 6 year old is an evil communist terrorist trying to spread socialist values by stealing music. He deserves nothing less than a good water boarding at Guantanamo Bay.

What went wrong here?

[flaming+error]

1) Legislation was flawed
2) Problem transcends US Jurisdiction
3) Enforcement is spotty at best
4) Idiots buy their stuff

Re:What went wrong here?

[bussdriver]

#1 source of spam is the USA
They didn't do enough plus they must have had loopholes.

I managed a few email servers with a few hundred users back when the law was passed. When it went into effect (not when it passed) I saw within a few days a jump in spam of about 50-75% (trying to recall) it jumped up to about 2-3 times during the rest the year; it didn't rise that quickly in previous years. I don't think it has risen as quickly since then but I don't know.

Connection? I don't know. That is what I observed.

Since the USA is the source for most spam, other measure should be taken besides kicking down the door of some old lady who's windows PC was hijacked by a dozen spammers.

At least that spam king was taken care of since the passing of the law. The law didn't do it; it just sent him over the edge and he took care of himself with a bullet and removed his genes from the genepool... (BTW, he lived in the USA)

Nothing went wrong

[John+Hasler]

Look at the name of the law. Working as designed.

Re:Nothing went wrong

[Chris+Burke]

Yeah, Spam already came in cans! Duh!

Re:Nothing went wrong

[dgcaste]

Or better yet, read the page title. Pretty sure it reads "I can spam". Yes I can.

Legislation fixes nothing

[EmbeddedJanitor]

Legislation only allows some other mechanism to be used. Legislation on its own can do nothing.

All the legislation in the world won't fix teenage pregnancies, the War On Drugs, etc etc.

Since there is really no technical mechanism to kill spam, the legislation itself is ineffective.

Re:Legislation fixes nothing

[Sancho]

If there were a technological means to fight spam, we wouldn't need the legislation.

What's needed is actual enforcement. Spammers make money because people buy their wares. Where there's money changing hands, there's a trail you can follow. The problem is seemingly that no one wants to follow that trail.

No enforcement? Practically no law.

Re:Legislation fixes nothing

[Luthair]

I disagree, I believe that there are definitely changes which could lower the amount of spam, the problem is that getting all parties (ISPs everywhere) on board a single standard is nigh impossible. Perhaps one possibility is to require that the sender's domain resolve to the system sending the mail. This doesn't correct hijacked servers, or spam servers, but it might eliminate spam sent from botnet zombies.

What really needs to happen is that big players (MS, Yahoo, Google, Comcast, British Telecom, etc.) get together and agree on a standard. Make the standard open, unencumbered, and state that as of date X they won't support anything else.

Re:Legislation fixes nothing

[dgatwood]

Just to clarify, it is technologically trivial, but nearly impossible to actually implement in a way that completely blocks spam for everyone because it requires complete adoption before you can start rejecting all non-compliant email. Basically, we'd be better off just starting a new email system in parallel and letting the old one die off as people stop using it.

Re:Legislation fixes nothing

[Timothy+Brownawell]

There's a trivial technological means to fight spam. It just requires abandoning SMTP and moving to a new protocol with the following requirements.

• All compliant mail transport daemons must require all connections from client computers to be authenticated.
• All compliant mail transport daemons must sign all messages as they pass them along.
• All compliant mail transport daemons must have a service record in DNS for their host name that provides a public key for verification of the signature.
• All compliant mail transport daemons must refuse to accept any email if the signature cannot be verified immediately (even if this is due to load), forcing the sending end to retry.
• All compliant mail transport daemons must refuse to accept any email if the host name does not resolve to the IP number from which the inbound message was received.

You forgot one:

• All relevant DNS servers must implement DNSSEC.

With that, spam is basically dead. As soon as you require those restrictions, suddenly spammers have to actually own a domain name and provide a working DNS server in order to deliver spam, and that DNS server must contain up-to-date mappings for those hosts to IP numbers. That pretty much obliterates the use of zombies for delivering mail.

Unless they can 0wn a DNS server, or have the zombies send through the owner's legitimate outbound email accounts, or can get a steady supply of disposable domains somewhere (zombie-XXXXXX.disposable-20081217.com, etc).

It also means that there is now a domain name, which by ICANN policy, is required to have a valid postal address, phone number, and other contact information associated with it.

And when the spammers don't follow the policy? Sure the domains might get shut down after someone realized (and got the registrar to verify) that the contact info was bogus, but that's a bit too late.

Wait...

[wwwgregcom]

You mean you guys have still been getting spam?

what went wrong?

Anything that fails to remove the financial motivation behind sending SPAM will fail to prevent SPAM.

No one in their right mind ever thought CAN-SPAM would have any tangible benefit.

Making things illegal WORKS

Remember when we made weed illegal and now you can't buy... ooh, wait a second.

Obligatory

[Yvan256]

To summarize the summary of the summary: people are a problem. - Douglas Adams

What went wrong? What could have gone right?

[Antique+Geekmeister]

Quite seriously, this law was specifically not aimed at spam. It was aimed at certain types of online fraud, and it deliberately took power away from local law enforcement to put it in the hands of a federal power that does _nothing_ about mere spam. It was carefully designed to allow 'opt-out' advertisements, and that first advertisement from any spammer, and it was carefully legislated that way by the Direct Marketing Association to avoid interfering with the advertisements of their funding agancies. It was also carefully designed to overrule more effective, state efforts.

Such laws should instead be modeled on the junk fax law, which has withstood the test of free speech challenges and ease of prosecution.

Re:What went wrong? What could have gone right?

[AK+Marc]

Once, for fun, I signed up on a "get a free x-box" site with a throw-away address. For one, being in Alaska, it was impossible for me to complete the necessary steps to get it. For another, it is the perfect spam generator. You can never take your name off the list. They don't send you any spam, so you can't get your name off. They just re-sell your address. Even if the people that bought it take it off their list, the list you are on will be sold and re-sold thousands of times. As long as the list holders never personally send the spam, they are never required to stop selling you name to others to spam. Any law that doesn't address this is a law that will have no effect. Either all spam must be opt-in (like faxes) or there would be some requirement with all UCE to include contact information of the company where they got their list and how to get of the list of not just the one sending it, but the place they got it as well (and requirements about not sending from a list more than 30 days old and not selling a list within 30 days of getting it or something like that so it won't be sold billions of times before you can get off it).

But yes, your general point is quite correct. It was desired by the spammers because without it any one state could have crafted a more restrictive law. With it, they can claim to be operating under the federal rules and that those trump the state requirements.

I'd make it a requirement that the company address (physical, not PO boxes) be included in every spam, as well as a phone number. The headers must be real. If any part of the spam is faked (IP addresses, from field, or such, as well as the contact information must be accurate for at least 30 days after the spam is sent), then prosecure them for fraud and illegal access of a computer. If some woman getting on myspace uses a fake name and gets convicted, so should spammers using false headers.

Obligatory

Your Congress advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(X) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Who is receiving spam?

[fermion]

I receive very little spam. Maybe 20%. That is hardly 97%. So where is it.

I know where it is, and why it is still a problem. It is not in my email box, or the email box of most people. It is in the spam filters of our email providers. And that is the problem. I don't see it so I don't care. Sure, it may increase my cost to get online, but by how much. DSL is dirt cheap to what I was paying 10 years ago, and at better bandwidth. So what do I care? I don't see it, the problem is solved. And I can delete the 5 messages of spam that get through.

So out of sight, out mind, right? Wrong. I also know for the average person, and for the average spammer, those five messages per person that gets through can mean huge amounts of money. Even if nothing is bought, the way that mail clients are set up and vulnerabilities in the mail and web clients can make the spammer money. For instance, most clients now render HTML and load images automatically. Apple still refuses to set an option in mail.app to turn off HTML permanently, though it does allow one to not load images. Still, most people load images, which registers as a hit on some scam web site and registers the email as valid. Rendering the HTML can allow viruses on the receivers machine. And even the semi legitimate spammer still has hope that someone will buy a product.

We won't be able to get rid of all spam, even though we can't get rid of mail scams though it is a felony. The best we can manage it. If we are to fix it more, then we have to bring the problem to the forefront by letting spam through, or some other methods.

Laws just hamper the law abiding

[Alain+Williams]

Just like all this wire tapping, surveillance, air port searches, ... they don't really stop the criminals - they just get up everyone's nose and provide an excuse for those who ''investigate'' us with excuses to abuse our privacy.

Look at the people who blew up the hotels in Bombay (Mumbai these days) - just a few men in boats with guns -- sophisticated protection can't stop them every time. We might as well give up and spend the money on something useful.

Re:Laws just hamper the law abiding

[gandhi_2]

In the town of Virgin, Utah it is legally mandated that every household that can legally have a firearm must have one.

You don't see too many terrorists there. QED.

Re:Laws just hamper the law abiding

[geckipede]

I would really like to see (preferably from a safe distance) that approach tried in a large city, but only because years of action films have desensetised me to violence and I think it would be hilarious.

Re:Laws just hamper the law abiding

[mjwx]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Instead of 100's of dead, you'd have 100's of dead and no way to tell who started shooting in the first place. Person A Shoots persons B and C, Person D shoots person A, Person E sees person D shooting, assumes that Person D is responsible and Person E shoots Person D who is then taken out by person F and so on until you pretty much have no one left capable or willing to shoot. MAD only works if its never used. Your analogy assumes that the shooters will begin to fire ensuring that the MAD bluff is called so this is where MAD fails and a great many people get killed.

Certainly this plan has a lot of side effects, but it is not completely without merit.

Yes it has a great many side effects and this is why it is completely without merit. Your plan relies on the same flaw that all extremist philosophies rely on, that everyone thinks on the same path. In a situation like the one in Bombay no single person will have total awareness of the situation and cannot determine who are the attackers and who are the defenders, thus the person is forced to choose who to attack based on extremely limited observation and you can guarantee that at least 60% of the people will choose the wrong target. Let me add to this, if the myth that guns keep people safe were true, why aren't Somalia and Russia amongst the safest places to live? Firearms are very common in these places. Or perhaps you would look at South Africa, where no-one is willing to travel without a gun, not because Johannesburg is safe but because if you don't have it you will be a victim because crime is so high. Guns don't keep people safe, good laws and effective policing keep people safe. The US, Sweden and Russia have a lot of guns in the hands of civilians, why does Sweden have an order of magnitude less crime then the US (and several orders less then Russia), because of effective policing and a calm populace. Most Swedes will say they don't feel the need nor actually wish to carry guns.

Crime in the US is higher then any other western state (unless we include Russia) so please don't bring up US and the UK as examples of how gun legislation hurts. Properly enacted it will reduce the number of gun deaths (accidents in AU have dropped by 90%, whilst violent crime has not increased by the same amount as the US). You are 8-12 times more likely to suffer injury in by violent crime in the US then you are in Australia.

Re:Laws just hamper the law abiding

[Hal_Porter]

The murder rate will go up by a few hundred percent for a few decades. After that it will drop down. Essentially evolution will select people with good impulse control and self discipline, which in the long run will lead to a more civilised society.

You wouldn't have the charts full of rap, numetal and emo for a start.

Private right of action

[gorbachev]

Private right of action got stripped out of it due to complaints from the direct marketers. That was strike one. With so much spam it's completely unreasonable to expect anyone to enforce the law. Crowdsourcing the enforcement through private right of action would've worked. And the direct marketers knew it...

The second strike was that the bill didn't anticipate the success of botnets and Russian organized crime. The law doesn't do jack s*** about that problem.

I work for a company that does opt-in mail lists

Our clients include many bands and music venues. We make every effort to be legit (unsubscribe links, legit reply email addresses, and all legit headers and DNS entries), but the rules of the game are not even available.

See, many ISP's (AOL, and my new target of wrath, earthlink) have rules about the maximum number of messages allowed to come from a single source to their domains in a given time period. Exceed those, and you are an abuser. Except they won't tell you how many messages or how long the period. On the one hand I understand as spammers could use this to get through. But you can't even call them and get info. I've emailed their abuse lines with no reply. It's as if NO ONE knows this info. How does one follow the rules when they are undocumented and beyond the legislative code?

Or when earthlink this past weekend decided we were a spammer, and spammed us back with abuse notices. But then they delivered our email to their customers many, many times in repetition. Like a dozen or more. It was not a server flaw on our side as confirmed by the database and log files. It was 'something' on their side that acted as a repeater for our legit email even as it was notifying us that we were spamming. We then get lots of nasty emails, which we reply to by hand. I spent half of the morning yesterday trying to get anything out of earthlink regarding the issue, but if you don't want to subscribe for service, they don't know what to do or where to have you call. I don't even know what the hoops are, much less can I jump through them.

I get lots of unwarranted spam, but I also get many distribution lists that I want and look forward to reading. Some places make that a nightmare if you want to provide that service.

Re:We took a knife to a gun fight.

[kybred]

Um, flag day?

Yes, a Flag Day.