Can CAN-SPAM Really Stop Spammers?

• By theWHIR.com , January 23, 2004

•   Digg
    Delicious
    Reddit
    Newsvine
    Stumbleupon
    Twitter
  Facebook

  (close)

  From:

  To:

  (close)
  Share | Send | Print | Comments (0)

Can CAN-SPAM Really Stop Spammers?

By Dennis McCafferty

From Web Hosting Monthly, January 2004 edition

January 23, 2004 -- (WEB HOST INDUSTRY

REVIEW) -- Is spam on the lam in the US, or are unsolicited bulk

emailers simply smirking at what is being called "groundbreaking"

federal legislation?

According to the industry, the answer is

yes - on both counts. The recently-passed legislation will force

spammers to find new ways to remain in deep cover and to keep doing

business. But these alternative game plans are readily available and

are already being deployed, experts say.

The bottom line for hosts? Be prepared for anything - and don't look to the legislation as a cure-all.

Citing industry estimates placing the

cost of spam at $10 billion a year for US companies, Congress passed

the law late in 2003, with President Bush signing it in December. Among

other provisions, the "CAN-SPAM Act of 2003" requires unsolicited

commercial email messages to include the sender's address and opt-out

instructions. It will also allow the Federal Trade Commission to create

a "do not spam'' resource for spam victims. Proponents praise the law

for creating an enforceable standard of acceptable e-marketing

practices on a nationwide scale. Previously, anti-spam legislation was

enacted by the states in patchwork fashion.

But hosting industry players remain, at

best, only mildly optimistic about the effectiveness of the

legislation. To begin with, Spam is ubiquitous these days. Emeryville,

California-based email message management company Sendmail Inc. (sendmail.com)

estimates that 40 percent of enterprise information technology

professionals are spending two hours or more a day dealing with spam.

And most spammers operate jurisdictionally outside of the US anyway, so

the law is irrelevant to them. Besides, if a spam victim opts out, what

is to stop criminal spammers from taking advantage of the knowledge

that they now have "real" addressees to use as targets for more spam?

At least, that's the case being made by

those in the forefront of anti-spam technologies, such as Marina del

Rey, California-based FrontBridge (frontbridge.com) and UK-based SurfControl (surfcontrol.com).

Susan Larson, vice president of global product content for SurfControl,

predicts that this legislation will benefit spam-friendly hosting

operations in foreign countries at the expense of their US-based

spam-monitoring hosting counterparts. "The push towards overseas spam

operations will have interesting economic ramifications for spammers,"

Larson says. "Just as with other industries, the ability to have

operations hosted in other countries - especially countries with

struggling economies - will significantly lower the costs for doing

business."

In the meantime, industry watchers should

expect spammers to continue tinkering with their methods for

circumventing anti-spam technologies, says Dan Nadir, vice president of

product management for FrontBridge. "One particularly insidious

approach happens when a spammer will use a generic subject line, such

as 'follow up,' in order to get the user to open the email," he says.

"Once opened, the user recognizes the spam and then deletes it.

However, embedded within the email itself is a pixel-sized tag that

notifies the spammer that the email has been opened and that the

address is, in fact, legitimate." Another common approach, Nadir says,

is to disguise the "From:" address as a local user or domain, which

both confuses the user and bypasses anti-spam systems that rely on

"trusted" senders.

And if all of that sounds like the

cyber-equivalent of Mad magazine's Spy-versus-Spy cartoon, well, that's

because it is. Often, spammers thwart their antagonists using non-tech

or low-tech means that rely on old-fashioned human craftiness.

"Unsophisticated keyword filters are

easily fooled by spammers with a technique known as content

manipulation," says Scott Chasin, chief technology officer for

Denver-based MX Logic Inc. (mxlogic.com),

an email security company. "By inserting legitimate business

communication or terms into messages, spammers have a better chance of

fooling filters. Spammers also bypass signature-based filters using a

technique called 'uniqueness generation' whereby they insert a string

of meaningless characters and numbers or random, non-spam words in a

message. Additionally, spammers often manipulate the color of a

message, hiding the illegitimate content that can fool spam filters by

making it the same color as the background of the message." For every

solution, there appears to be three or four solutions to the solution

that spammers are coming up with.

The legislation has brought up concerns

over not only its potential lack of effectiveness, but its chilling

effect on perfectly respectable Web-based marketers who use email

marketing in an above-board way. For example, the law was never

designed to hurt marketers who mail customers using opt-in promotional

features on their Web sites. But that may be the end result, some say.

"There may be disputes arising from

unhappy email recipients who may have forgotten that they opted in to

an email list," says Jonathan Wilson, vice president and assistant

general counsel for Web host Interland, and chair of the American Bar

Association's Internet Industry Committee. "The act will not have much

impact, however, on the truly 'bad actors' in the spam world. The bad

actors are those who know that they are peddling a worthless or illegal

product with illegitimate methods and who simply don't care. Those bad

actors already spoof their originating domains and use dummy email

accounts or hacked servers to send their spam. The legislation does not

give law enforcement or private litigants any practical tools to track

down the bad actors and bring them to justice."

Not all forecasts for the future of

anti-spam measures are so pessimistic, with some industry experts at

least acknowledging that the new law is a start. "Will this law stop

all spammers?" asks Matt Blumberg, CEO of New York-based Return Path

Inc. (returnpath.com), an email performance-management company for corporations such as IBM, Gateway, Sprint and Dell.

"Unfortunately, no. Will it have a

positive impact in the war on spam? Absolutely. The most egregious

spammers will find a way to continue flooding us all with unwanted

email - most likely by moving more operations overseas. But this

legislation should help lessen spam by giving the federal government

the authority it needs to hand out fines and jail time to offenders; by

setting clear minimum standards for legitimate mailers to follow; and,

perhaps most useful of all, by providing a way for the average consumer

to identify and report spam."

• Print | Comments (0)

OLDER:  New AboveNet Shifts to Premium Services

|

NEWER:  VeriSign: an Iceberg in the E-Commerce Stream

• (0) Comments
• View Post