LWN first looked at the CAN-SPAM act back in 2003.
This U.S. law was an attempt to address the spam
problem through legal means. Our impression at the time was that CAN-SPAM
would do little good, and might even do harm by overriding state
legislation and legitimizing certain kinds of commercial email.

One of the provisions of this law was that the U.S. Federal Trade
Commission was required to create a report to Congress on how effective the
law is, and what improvements could be made. That report is now
available [PDF]. The FTC went through a major investigation; among
other things, it used its compulsory powers to require nine ISPs to provide
email information. The bottom line, according to the FTC: the CAN-SPAM act
has been effective in reducing spam.

Your editor's mailbox, now receiving something over 5,000 spams/day, would
beg to differ from this conclusion. In fact, a deeper reading of the
report suggests that CAN-SPAM has not been as effective as one might expect
from reading the headlines, and that the real progress against spam has
been made elsewhere.

So what has CAN-SPAM accomplished? From the report:

First, the substantive provisions of the Act have mandated adoption of
a number of commercial email "best practices" that many legitimate
online marketers are now following. Second, the Act has provided law
enforcement agencies and ISPs with an additional tool to use when
bringing suit against spammers. The more than 50 cases brought to
date by the FTC, the Department of Justice, state Attorneys General,
and ISPs demonstrate CAN-SPAM's enforcement efficacy.

Both of these claims are probably true. And, doubtless, many LWN readers
are pleased to know that some of their incoming commercial email follows
"best practices." But the spam problem never had much to do with
"legitimate online marketers." There have been suits brought against
spammers, and that can only be helpful in the end. But even lawsuits will
only be so effective in a world filled with spammers. So one might well
wonder how to square these limited gains against this claim from the
report:

One particularly significant development since the enactment
of CAN-SPAM is that the volume of spam has begun to decrease.
MX Logic, an email filtering company, reported that during the
first eight months of 2005, spam accounted for 67 percent of
email passing through its system, a nine percent decrease from
the same period one year earlier. Some ISPs report an even
more dramatic decline. For example, America Online ("AOL")
reported that its members received 75 percent less spam in
2004 than in 2003. Studies from other countries similarly
report a decrease in the amount of spam reaching consumers'
inboxes. As the Executive Director of the Institute for Spam
and Internet Public Policy succinctly stated, "the average
inbox doesn't have that much spam anymore."

(LWN reported on the MX Logic report last August.)
A reading of the above paragraph might well lead one
to the conclusion that the battle against spam has been won, and that
CAN-SPAM did it. Anybody who deals with email in any serious way knows
that this is not the case.

What is going on - and the report recognizes this - is that anti-spam
techniques unrelated to CAN-SPAM have gotten better. The reported 75% drop
for AOL users does not mean that 75% less spam has been sent in that
direction; it does not even mean that there are 75% fewer AOL users, though
one might be tempted to reach that conclusion. The difference is that much
less spam is actually making it all the way to their mailboxes. Your
editor, too, has seen a reduction in spam reaching his inbox; spamassassin
nicely takes care of the bulk of it. But better filtering is not a solution to
the problem; it is more like sweeping it under the carpet. And, in any
case, it was not legislated by CAN-SPAM.

The report notes that a number of tactics adopted by large ISPs have
helped. These include blocking outgoing access to port 25 (which
imposes unfortunate costs on some users), rate-limiting email entering and
leaving the system, and actively disconnecting users with known-compromised
systems. Blacklisting is an effective tool; the report claims that
large ISPs are able to block 80% of spam before it ever enters their mail
server. The FTC also takes credit for helping to shut down open relays.
Another happy result, according to the FTC, is that "users have grown more
tolerant of spam." That's one way to solve the problem.

For the future, the report notes an increase in phishing mail, as well as
in spam containing malware. There are a few recommendations; one of those
is the adoption of SenderID or some other sort of email authentication
mechanism. The FTC would like to see the "US SAFE WEB Act" passed; this
law would make it easier for the FTC to share information with agencies of
other governments. It would also empower the FTC to compel information
from ISPs and others while requiring confidentiality - an extension of
governmental power which, given recent disclosures in the U.S., may not be
entirely welcome. In fact, this recommendation, along with the agency's
desire for email authentication and more rigorous requirements for WHOIS
information, leads to the question of just how badly we want governments to
"solve" the spam problem for us. Given that the most effective techniques
we have so far did not come from governments, perhaps it's time to
recognize that the solutions lie elsewhere.