|
As a daily and enthusiastic reader of The New York Times, I was disappointed to read their February 1 article on CAN-SPAM entitled, “Law Barring Junk E-Mail Allows a Flood Instead” (subscription required). The theme of the article was, as the title suggests, that enacting CAN-SPAM was worse than having no laws at all.
The article really missed the point on several fronts.
First, it suggests, through quotes from Spamhaus’s Steve Linford, that not requiring upfront permission on commercial email is akin to legalizing spam outright. While Steve and I would agree that commercial email should have upfront permission (like the EU and most of Asia require), I don’t see how this translates into endorsing spam.
Second, it references only one company, Postini, on their view that spam is getting worse and implies that CAN-SPAM is to blame. While I don’t doubt that Postini may be seeing increases in spam, I was surprised the article didn’t quote AOL. Most B2C email marketers will tell you that AOL is the largest single domain in their list. So, isn’t it relevant that AOL announced that they’ve seen huge drops in both inbound spam and user complaints about spam? In fact, a recent letter from the head of AOL’s anti-spam group spells out a completely different view on the state of spam - this article is a must-read if you’re in the email business.
Third, the New York Times article can’t seem to make up its mind on the source of the spam problem. Is the problem that CAN-SPAM is ineffective because it allows unsolicited mail? Or is the problem that spammers will recklessly ignore laws and, for example, take your opt-out request as a form of validating your email address for their lists? You really can’t have it both ways - either spammers are law abiding but the law is wrong or spammers will ignore the law so what difference will any law make?
One element, however, I do agree with is that spamming is about economics. But rather than simply quote some 21 year old criminal spammer who claims there is a ton of money in spamming, let’s look at what CAN-SPAM really does (assuming spammers will pay some attention to the law). CAN-SPAM forces them outside the US - this raises costs and complexity of doing business materially. CAN-SPAM also makes it illegal to harvest email lists from the web. As any email marketer will tell you, building the list is far more expensive than delivery.
So, CAN-SPAM takes a big chunk of profit away because lists are no longer free. And, based on every article I’ve read, it appears CAN-SPAM is now forcing many spammers to hire lawyers to keep themselves out of jail. So while a spammer may be able to make over a hundred thousand dollars a year as the article claims, what does it cost the spammer to make it? And, even if the hundred thousand dollars is pure profit, how many people will find it worth the cost of having to live on the run, constantly trying to evade the wrath of a few multi-billion dollar ISPs and their lawyers? Wouldn’t it just be easier to take that $60K job as a technician or, even simpler yet, con old ladies out of their life savings and get away with a million dollars?
The fact is that CAN-SPAM won’t stop spam any more than speed limits will prevent anyone from ever going faster than 55 mile per hour. However, legislation coupled with technology will continue to raise the cost of being a spammer. In the end, if we are lucky, only a few die-hard spammers will continue to pursue their trade and maybe, just maybe, our inboxes will start to get smaller again.
—-
This article originally posted on Bill Nussey’s blog.
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byIPv4.Global
Hi Bill,
Postini never meant to imply that CAN-SPAM is responsible for an increase in spam. As a matter of fact we have always said that we’re in favor of the CAN-SPAM act but laws alone won’t stop spam. Solving the problem will take both laws and technology. Our CEO testified to this a year ago in front of the Senate committee reviewing the CAN-SPAM Act. What we are seeing is that spam is remaining relatively constant, but other email threats, like directory harvest attacks are on the rise and today, legitimate email is only 12 percent of all email. This is based on the more than 3 billion email messages that flow through our data centers each week.
Some comments if I may:
1 - CAN-SPAM is an American law. Here in the EU, we see a substantial amount of spam citing CAN-SPAM compliance somewhere in a footnote. This tends to suggest a couple of thoughts:
a) if the CAN-SPAMmer is hitting non-US email addresses with “compliant” spam, what does that say about the provenance of his address list?
b) national legislation will never adequately address an international problem unless a sufficiently large group of nations decides to act together (OK, I hope/believe that this will eventually happen with spam).
2 - Not just Postini, but a large number of other organisations report continuing rises in spam. This ongoing rise is in fact clearly visible in my own stats. In my view, CAN-SPAM is categorically not to blame but it clearly has not helped very much either.
AOL is the single exception to this rule and the reason that spam reports from their users have dropped probably has more to do with their skill in filtering the stuff than any real decrease. Aside: Google (Gmail) also has very effective spam filtering so they might, if pressed, offer a similar position to that of AOL though of course they have been in the email business for a considerably shorter time.
3 - The decline in spam reaching AOL users is sadly not counterbalanced by a concomitant reduction in spam coming from them. Recently we have seen a substantial rise in spam of all kinds (phish, pornography) originating at AOL dynamic IPs and helpfully delivered by an AOL relay.
4. After CAN-SPAM, spammers may be virtually forced out of the US, but they have no need to move physically. They have any number of bot nets now to do the dirty work of delivering their wares. I therefore doubt that the economics of spam are yet sufficiently difficult to deter any but the most fainthearted spammer.
I keep asking this question and nobody has yet provided a satisfactory answer. It amounts to saying, Follow the money!
Why not target the contact details provided in the spam? Commercial spam can only make money by telling you where to send your money or what website to visit.
Why can’t US law enforcement just go through the illegal spam and bring charges against the owner of every street address, post office box, telephone number, email address, or domain name to which the spam is trying to attract money or traffic?
Yes there would be some false positives and even some dirty tricksters who would put someone else’s details in a spam to cause trouble, but those cases could be dealt with and would in any event be orders of magnitude smaller in number and easier to solve than the spam itself.
If the US—and the EU and other rich jurisdictions—would take such a move, the beneficiaries of spam would have to set up shop in less desireable jurisdictions: They would have to receive their money in those jurisdictions, which is a big problem. And it would mean that victims would have to make an international transfer to give their money to spammers. .
A similar strategy could be applied to adware, which sends users’ browsers to website unbidden. The beneficiary of the ad visit has to be identified in each visit for the beneficiary to collect on it. Make it illegal to send browsers unbidden to view ads and then prosecute the beneficiary of the visit when it happens.
Follow the money, stupid!
I agree the NY Times article was excessively pessimistic, and AOL has it right. Spam can be stopped. It just takes effort by the ISPs who tolerate outgoing spam. That will happen when they can be held accountable. Accountability will happen when we have a robust system of authenticating the domain names on incoming mail. Authentication technology is available now. It will be adopted sooner or later by all reputable ISPs. What is surprising to me is that even these ISPs, who should know better, share the pessimism that is seen in the NY Times article.
In response to Chris Linfoot’s comment that AOL has not reduced its outgoing spam, I made a quick chart showing the relative % of spam from each of three large domains.
http://www.ece.arizona.edu/~edatools/etc/DomainRatings.htm
Looks like AOL might be 100 times better than average. I say might, because this is based on a very small sample of reports from SpamCop. We need a domain-rating list that uses a larger sample.
Just to clarify, the volume of spam we have from AOL is too low to be susceptible to any meaningful statistical analysis, but it has grown recently with 4 sightings in the past 24 hours.
One of those was a Barcleys Bank (UK high street bank) phish, three were Russian commercial solicitations which I can’t read. All came from AOL domestic DSL systems probably running malware proxy software and were relayed via AOL’s mail core.
My more general point is this:
Citing AOL’s apparent success against spam, a single example, and seeming to derive a general picture of the state of spam from it may just be a little unbalanced.
AOL’s postmaster as quoted by John Levine is absolutely right when he asserts that the problem can be very easily solved when ISPs take responsibility for their own users’ abuse instead of focussing attention on incoming abuses from other ISPs. Clearly AOL has had some measure of success there, but the global picture is very gloomy. Just take a look at the volume of abuse coming out of most Korean ISPs to see what I mean. I honestly do not believe these ISPs feel any motivation to clean up their own networks.
I have just run a statistical analysis of spam here since Jan 04 and the growth is (as I suspected) exponential.
Of course we are in Europe so you might expect the impact of CAN-SPAM to be less here though a not insignificant volume of spam here continues to protest CAN-SPAM compliance in its disclaimer text.
The author disputes the position that:
... not requiring upfront permission on commercial email is akin to legalizing spam outright ...
The CAN SPAM Act of 2003 is a compromise.
From one perspective, you can say the Act establishes certain standards for commercial emailers, leaving it up to Internet access services to control the situation.
Presuming the Internet access services do “the right thing,” the Act has value.
Looked at from another perspective, you can say Congress gave:
* marketers one “bite at the apple;” and;
(See The CAN SPAM Act: Requirements for Commercial Emailers, as published by the FTC.)
* Internet access services the ability to sell bandwidth to those commercial emailers who comply with the requirements for sending unsolicited commercial email in bulk.
From this view point, the Act clearly under cuts those wanting to do the “right thing.”
The author?s next premise is that:
?CAN-SPAM also makes it illegal to harvest email lists from the web. ?
This is not correct. The Act only makes it an aggravated offence to send commercial email with false headers to email addresses which you knew or ought to have known are harvested.
The Act does not prohibit harvesting email addresses and sending Can Spam compliant unsolicited commercial email to these addresses.
Please read with care sub-paragraph 5 (b) (1) (A) of the Act.
The author goes on to criticize those who are upset with the Act, stating in part:
...Is the problem that CAN-SPAM is ineffective because it allows unsolicited mail? Or is the problem that spammers will recklessly ignore laws ...
The two concepts are not mutually exclusive.
The Act, by delegating “volume control” to the Internet access services which includes networks, mail box providers, web hosts, email service providers and others, pits those who want to do the right thing against those who want to collect money from both sides.
We see this in a variety of ways. Two quick examples:
* Since last June, AOL has been calling for network security to deal with the problem of networks being spam sources.
At the same time, MCI has been selling bandwidth to spam gangs, including one gang which was marketing software that takes advantage of security holes in the Windows operating system, while marketing anti-spam security measures to its customers.
The result? While one group is yelling “fire, fire” and dousing the fire with water, another group continues to quietly sell matches and fuel at great profit to the arsonists.
* The Email Service Provider Coalition says it is against unsolicited commercial email.
Yet, under its guidelines members are authorized to send commercial email without “affirmative consent” based on the pre-existing business relationship concept.
In turn some members and many other providers allow direct import of customer lists without any due diligence including requiring the list go through a closed loop verification process when appropriate.
The result? Unfortunately, some ESPs are really ?spam houses? while operating under the guise of being opposed to spam.
The law largely left it up to the market to get its “act” together, by delegating significant authority to Internet access services.
(As an aside, Congress did take a tougher stance in responding to the problems of unwanted commercial email sent to wireless machines.)
At the same time, Congress did place a time limit on the exercise. It called upon the FTC (in consultation with other agencies) to file a report within two years of the Act?s passage on the Act?s effectiveness and to recommend any needed legislative changes.
Time is running very short.
Will this happen? Will the Internet access service industry at least stop playing both sides of the street?
Personally I doubt it, because the economics continue to favour this behaviour.
If industry can not regulate itself, the FTC, DOJ and FCC need to go back to Congress and say ?industry could not get its Act together.”
“We need tougher measures including an opt-in law through regulation of the Internet access service industry by the FCC, so forcing everyone to start rowing in the same direction.”
John Glube
Toronto, Canada
I keep hoping that the industry will “get its act together”, and avoid government regulation, but the last 15 months since CAN-SPAM seems to say otherwise. The great hope of 2004 was that email authetication would allow us to identify spam-hosting domains and hold the domain-owners responsible. The engineering community tried to get agreement on a standard authentication protocol, but the negotiations broke down in bitter disputes over technical details. Each camp went its own way, and they are now developing incompatible systems. It may take years for a clear winner to emerge, and meanwhile we can only conduct small experiments among systems using the same protocol.
I’m an electrical engineer, not an email protocol expert, so I may be wrong, but the more I study this problem, the more I believe a solution is possible, even without agreement by the warring camps. What we need is a very simple standard covering just the few items needed for the competing systems to inter-operate. I’m talking about things like the content of an authentication header. If we could standardize that, the details of how the authentication was done wouldn’t matter to a spam filter somewhere down the line. All the spam filter needs to know is the domain name and the authentication result.
I’ve got an initial draft of a proposal (http://www.ece.arizona.edu/
edatools/etc), but I’m not sure where to take it now. The IETF seems unwilling or unable to demand of the advocates that they agree on anything. The FTC is probably more able to deal with lobbyists, but I fear that their involvement could turn into burdensome and ineffective regulation. Ideally, there should be a “voluntary” standard, then maybe the implicit threat of regulation would break the logjam.
Suggestions are welcome. As John says, time is running out.