Can-Spam Law A ‘Big Disappointment’

The article opens

As the federal Can-Spam Act nears its third anniversary, a spam researcher calls it a “big disappointment” and says it hasn’t been a deterrent to junk e-mailers, who have stepped up their efforts in the last few months to flood inboxes with an unprecedented volume of spam.


This last week I have been seeing about 300 to 500 items of spam compared to around 50 legitimate items of e-mail in my mailboxes each day.

Or truth be told I don’t see them. I run SpamAssassin and it catches them and puts them in a junk folder.

But the article is quite right, only it is saying something that most security analysts have known for a long time. This law doesn’t work. It can’t work. It was incorrectly formulated.


Why Can-Spam Can’t Work

As I see it, the problem lies with the American fear of “restraint of trade”. That’s fine in the context of anti-trust and dealing with monopolies – though one might question how even-handedly it is applied by the US Department of Commerce. But the reality is that spam is more like telemarketing. It’s annoying.

The economics of spam vs bulk physical mailing is one of the reasons that it has proliferated. It costs between $1 and $2.50 to send out advertising by mail. The cost of the postage is minor; it is the material and handling that adds up. Yet still people do it: you can see adverts for people to stuff envelopes in the jobs sections of many newspapers. No doubt the response rate for physical mailings is marginally better because of the more ‘personal’ touch and because e-mail spam filters are getting good. But the economics of e-mail spam wins out in the end. It’s very simple.


A spammer can create a domain and run a mass mailing for effectively zero cost, or perhaps visit an Internet cafe and spoof the ‘From:’ domain (see “backscatter”). More aggressive spamming makes use of botnets.

For effectively zero cost a spammer can send out hundreds of millions of messages, even if the spammer has to invest in some PCs (which are cheap) and rent a botnet. My colleague and fellow CISSP Martin McKeay reports that businesses are

paying $61 per 1000 infected systems …

Each infected system can send out tens of thousands of messages an hour.

No wonder spammers get rich! Only a fraction of a percent of the recipients have to respond.

Where does Spam Come From?

One report suggests that

Only 200 individuals or spam gangs are responsible for sending about 80 percent of all the spam in the world, according to a report published by the anti-spam organization, Spamhaus.

The report also identified the world’s most notorious spammers and listed the names of the top 10. Half of the top 10 spammers are from The Ukraine and Russia.

Lists of millions of e-mail addresses are readily available for as little as $100. Some individuals make their living from harvesting addresses from USENET, mailing lists and popular web sites, and by using Yahoo and Google to search for addresses.

Spamhaus does keep real statistics on the worst countries, the worst networks and individuals.

It is interesting to note that they say

… some countries do little to deter spammers from operating within their borders.

So what’s the number one country? The one with the Can-Spam law that’s so disappointing – America!

What is the Spam About?

Taking a look through my daily spam collection, I see this breakdown:

  • At least 50% is picture spam, and most of that is pushing some stock, presumably for a ‘pump and dump’ scheme. Of the rest, it is picture spam for Viagra/Cialis (though some of this is still not picture spam) and copies of expensive watches.
  • The bulk of the rest seems to be advertising illegal software.
  • There is still some spam advertising pharmacies.
  • Spam advertising porn sites has greatly declined, perhaps one item a day, if that.

SpamAssassin Works!

I’m very pleased by SpamAssassin. As I say, it catches almost all of my incoming spam.

I’m running version 3.1.5 and also run a tool – sa-update – that updates the list of rules.

I’ve manually added some whitelist items: some stock reports that would otherwise be viewed as spam and some mailing lists I’m on. I get one or two ‘false negatives’ a week, spam that otherwise slips through. I add these to my list for training the Bayesian classifier using sa-learn.

SpamAssassin can be used with a variety of mail readers in a variety of ways. I have no hesitation in recommending it! In the absence of effective laws and measures by ISPs, it’s up to the individual to deal with spam. Ignore them and, while they may not go away, they will find their business is not worthwhile.
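The whitelist and sa-learn upkeep described above, written out as a small POSIX shell script. This is an added example, not the author’s own configuration; the sender addresses, the Maildir paths and the ‘missed-spam’ folder for false negatives are assumptions.

```sh
#!/bin/sh
# Assumptions (hypothetical): SpamAssassin 3.x with per-user config in
# ~/.spamassassin/user_prefs, mail in ~/Maildir, and false negatives filed
# by hand into a ".missed-spam" folder before they are fed to sa-learn.

PREFS="${PREFS:-$HOME/.spamassassin/user_prefs}"

# Write the manual whitelist plus Bayes settings. The addresses are
# constructed placeholders for the stock-report sender and mailing lists.
write_prefs() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
# Senders whose mail the rules would otherwise score as spam
whitelist_from reports@stockreports.example
whitelist_from *@lists.example
# Bayes: enabled, but learn only what sa-learn is fed, never automatically
use_bayes 1
bayes_auto_learn 0
# Default threshold; picture/stock spam tends to score well above it
required_score 5.0
EOF
}

# Number of whitelist_from lines in a prefs file (used to check the result)
whitelist_count() {
    grep -c '^whitelist_from ' "$1"
}

# Train Bayes on a Maildir-style directory of messages; kind is "spam" or "ham".
# Bayes only starts scoring once it has seen 200 of each, so feed it both.
train() {
    kind="$1"; dir="$2"
    case "$kind" in spam|ham) ;; *) echo "kind must be spam or ham" >&2; return 1 ;; esac
    command -v sa-learn >/dev/null 2>&1 || { echo "sa-learn not installed" >&2; return 2; }
    sa-learn --"$kind" "$dir"
}

# Weekly upkeep: pull new rules, then learn this week's missed spam and the
# inbox as ham (the Junk folder is not part of the inbox's cur/ directory)
weekly() {
    command -v sa-update >/dev/null 2>&1 && sa-update
    train spam "$HOME/Maildir/.missed-spam/cur"
    train ham  "$HOME/Maildir/cur"
}
```

Run `write_prefs "$PREFS"` once, then `weekly` from cron; sa-update exits non-zero when no new rules are available, so do not wrap it in `set -e`.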


About the author

Security Evangelist
