Spam Plans

I have written frequently about the need for Canada to move forward on anti-spam legislation (I was a member of the National Task Force on Spam that unanimously concluded that such laws are needed).  More recently, the Privacy Commissioner of Canada echoed the call for anti-spam legislation.  This week, both the Conservatives and the Liberals raised the spam issue and in the process provided a clear point of difference.

On Monday, the Government of Canada and the RCMP demonstrated that effective action is not in the cards.  As part of fraud prevention month, the RCMP issued a release (posted on the GOC news site) announcing that "Canadian consumers can now sign up for a free service to reduce the amount of unsolicited commercial email they receive." The Government's proposed solution?  Signing up for e-MPS, the U.S. Direct Marketing Association's widely discredited do-not-email list.  Leaving aside the fact that this is nothing new – the DMA launched it seven years ago – the list was never a success (even the DMA has admitted as much), with respected anti-spam groups such as Spamhaus and Junkbusters warning consumers against registering for the list.  Under Canadian law, consumers shouldn't have to opt out of spam – marketers must obtain their opt-in consent.  Moreover, no spammer subscribes to the DMA's e-MPS service, which means that, contrary to the RCMP's claims, Canadians will experience absolutely no reduction in the spam they receive.

Meanwhile, yesterday Liberal leader Stephane Dion staked out his party's position on spam in a speech on crime.  In addition to calling for mandatory security breach notification and identity theft legislation, Dion said the following about spam:

"we need laws implementing the recommendations of the federal Task Force on Spam – recommendations that have so far been ignored by the Conservatives. Spam is the weapon of choice for identity thieves, who use phony e-mails to trick people into revealing personal information. Canada is the only G-8 country without anti-spam legislation, and a Liberal government led by me will change that."

I believe that's a position that all the political parties should endorse.


  1. *If* Canada ever adopts anti-spam legislation, I truly hope we do not simply clone the USA’s laws on the matter like it seems we do with other e-issues. The US has attempted to regulate rather than banning unsolicited email. The result is that the private mail servers in just about any size of business are being choked to death on the copious amounts of SPAM. Subscribing to Spamhaus and others helps but it does not stop the SPAM from arriving in the first place eating up precious bandwidth.

    It was estimated that in December 2006, over 80% of all email was unsolicited SPAM. Many estimates place it over 90%. SPAM is free postage right? Wrong!! We pay the postage for these hucksters. Even the so called legitimate SPAMmers (those honestly selling with SPAM, not defrauding with it) are stealing bandwidth from all of us. Those companies that provide the framework that make up the internet are providing these people free postage, due to the way email works. They are picking up the tab for the cost of the bandwidth, and bandwidth does indeed cost. And of course, those costs all get passed down to us.

    How much of my 50 dollar a month internet fees are a direct result of so much SPAM wasted bandwidth, I could only guess. But my guess is that it would total an amount I would find unacceptable.

    So next time you get SPAM, remember, you are the one that paid the postage for that SPAM letter. The SPAMmer, he got it free.

  2. I would be interested in knowing what effect legislation has had on spam overall. I realize that anti-spam legislation gives teeth to law enforcement once a spammer is caught, but how much of a deterrent is a Canadian or US law for a spammer located in Russia? “Canada is the only G-8 country without anti-spam legislation”; if enacting legislation would result in a drop in spam, then I should be getting 7/8th less spam than I would if all G-8 countries had NO anti-spam legislation (and NO spam once all G-8 countries have legislation). But the spam keeps arriving at my inbox.
    I think that this is more a technical problem than a legislative problem. If the goal is to eliminate spam by volume, then funds into anti-spam technologies will work better than legislation. Right now the marketplace is handling this well, despite the view that people are getting more spam than ever. The volume of spam stopped by anti-spam technologies is huge (ridiculously enormous actually). End users see what slips through the cracks and think that they are getting LOTS of spam (LOTS here being a relative term to what they would get with zero anti-spam technologies between themselves and the spammers). If we want spam to cease we must pay for it, maybe some national infrastructure, maybe funding some computer research, … But we cannot rely on legislation to stop spam.
    Of course spam itself has changed over the years. It is no longer simply a “buy this” message. Spam, as Stephane Dion correctly points out, has turned into a vehicle for fraud. It is increasingly difficult to know if my bank has/has not sent a given email in regards to a problem with my accounts. But I’m sure we have laws against fraud already.

    The old idea of “get people to stop buying stuff from spam offers and spammers will no longer have incentive to send spam” breaks down in the face of fraud attempts. Fraudsters are not playing the same numbers game as door-to-door salesmen play (if for every 100 doors there is 1 potential sale, then more doors == more sales). They are more likely to “work” a lead they get from the initial email solicitation (think “Nigerian scam”). The initial e-mail is simply the bait, the beginning, not the whole thing.
    …I ramble on….

    Perhaps as a clarification point (if it has not been done already), we should adopt a new term, different for spam (Spamhaus: Unsolicited Bulk Email) which simply attempts to sell us stuff (ads), from spam that attempts to defraud us: or 🙂 . One is simply annoying (spam), the other is potentially very dangerous . Then we can talk about the technologies to stop the annoying, and the laws to stop the illegal.

  3. It’s legislation that’s needed, but it won’t actually have a measurable impact on spam. I mean look at the US with CAN-SPAM, and the amount of people they caught. It’s still in the single digits, is it not?

    Then there’s comment/blog spam, social networking sites spam, forum spam – these must not be forgotten.

    In any case, I’ve been silently observing activities at some spam havens as part of some research. Now these places are overt – but an instant look tells you why catching spammers is so difficult. The criminals don’t spam, they hire others to do it for them. Others based in Russia, India, depending on the task at hand. If you want to fill out captchas, you get people that you can hire for a matter of cents. For that, choose a poor nation with cybercafe access. If it’s to do some spam runs, then you get the Russians or whatever.

    So the Canadian/American individual hires the spammers, but never does the spamming themselves. The language they use when hiring is vague as well. You know what they’re referring to. They might even make requests for the mail to comply with CAN-SPAM, which all parties know is meant to be disregarded.

    You can’t get the IPs of the spammers either – the servers where these discussions take place are in Russia. Bulletproof hosting. Now you’ve seen how hard it is for foreign pressure to close something as overtly unethical as AllofMP3. Given that some of these ISPs are actually run by the mafia itself, what are the odds that the Russians will suddenly cooperate with these matters of spam?

    There are though Americans that are part of this spam equation as well. There are American-based registrars, affiliated with these spam havens, which offer bulk domain registration. We all know why those exist. Through that, a possible lead. That said, with such links – how could the FBI get authority to make a bust?

    The spammers I’ve dealt with don’t communicate through methods outside of these servers, which means you can’t extract their IP from IM or email conversations. And with the payment method being via e-gold, it’s not like there’s much to follow up on there either.

    No, this is legislation that’s needed. But like I say: it won’t accomplish much.

  4. Oh and let’s talk about botnets, shall we?

    It would be a piece of figurative cake to infiltrate the current command & control servers if we had physical access to the machines. It only takes sniffing the traffic of one zombie PC to find out where at least one of these C&C servers is.

    With some botnets having as many as 70,000 zombies, can you imagine what impact it would have to shut the C&C server down? Or better yet – given access to the machine itself, use MitM attack to spoof the commands necessary to install a patch into all of these zombies, so that they couldn’t be exploited further?

    The same reason why we can’t get people to get physical access to those servers and shut them down is the same reason why spammers thrive today.

  5. Greg A. W. says:

    Legislation won’t stop spam, though good legislation might make it worthwhile to punish at least some of the spammers within the jurisdiction where they reside.

    Technology alone won’t stop spam either.

    In fact we already have almost all the technology we could ever need to actually stop 100% of all spam. The trick is to get people to actually use the tools at hand, and the problem with this approach is that _everyone_ (well, except the spammers), individually and collectively, must work together to use these existing tools against spam. (of course I’m also assuming that everyone, except the spammers, actually wants to stop all spam)

    The tools I’m talking about are of course PGP and the cryptographically protected web of trust it makes use of.

    If everyone only accepts PGP signed and encrypted e-mail then the spammers would be forced to try to adopt PGP and thus they (and the people who they abuse to join the web of trust) would fall into the trap we would set for them. Goodbye spammers! We don’t even need any legislation or inter-jurisdictional co-operation to stop spammers with PGP — we just revoke their keys the instant they’re found to be spamming and force them to try again until they give up. The only new tools I think we really need are better and faster means of distributing revocation details and default of automated use of key revocation information to force abusers out of the web of trust as quickly as possible.

    Sadly not even any of the large corporate citizens of the Internet, and especially not any of the banks (so far as I’m aware — none of the ones I deal with for certain) are even aware that they should be using PGP to at least give their customers a reliable tool that could eliminate phishing and other forms of fraud.

    PGP has been around in various forms for over a decade. I think it’s high time that everyone considered it as a good solution to putting the many criminals we all face daily on the Internet out of business.
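The acceptance rule described in the comment above (accept only signed mail from keys inside the web of trust, and cut abusers off by revocation), modelled as an added example that is not part of the original comment and is not code from any PGP implementation. Assumptions: key names are constructed, `max_depth` and the single shared revocation list are hypothetical simplifications, and `signature_ok` stands in for real OpenPGP signature verification.

```python
from collections import deque

class WebOfTrust:
    """Toy model: keys are strings, certifications are directed edges."""
    def __init__(self, my_key, max_depth=3):
        self.my_key, self.max_depth = my_key, max_depth
        self.certs = {}       # signer key -> set of keys it has certified
        self.revoked = set()  # assumption: one revocation list everyone honours

    def certify(self, signer, subject):
        self.certs.setdefault(signer, set()).add(subject)

    def revoke(self, key):
        self.revoked.add(key)

    def trusted(self, key):
        """Breadth-first search for a certification chain from my_key to key,
        at most max_depth hops long, that passes through no revoked key."""
        if key in self.revoked:
            return False
        seen, queue = {self.my_key}, deque([(self.my_key, 0)])
        while queue:
            current, depth = queue.popleft()
            if current == key:
                return True
            if depth == self.max_depth:
                continue
            for nxt in self.certs.get(current, ()):
                if nxt not in seen and nxt not in self.revoked:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
        return False

    def accept_mail(self, sender_key, signature_ok):
        # signature_ok stands in for real OpenPGP verification of the message
        return signature_ok and self.trusted(sender_key)

def demo():
    wot = WebOfTrust("me")
    for signer, subject in [("me", "alice"), ("alice", "bank"),
                            ("alice", "carol"), ("carol", "spammer-1")]:
        wot.certify(signer, subject)                     # constructed sample keys
    results = [wot.accept_mail("spammer-1", True)]       # chain runs via carol
    wot.revoke("spammer-1")
    results.append(wot.accept_mail("spammer-1", True))   # key is revoked
    wot.certify("carol", "spammer-2")                    # spammer tries again
    results.append(wot.accept_mail("spammer-2", True))   # carol still vouches
    wot.revoke("carol")                                  # careless introducer removed
    results.append(wot.accept_mail("spammer-2", True))
    results.append(wot.accept_mail("bank", True))        # unaffected chain
    results.append(wot.accept_mail("bank", False))       # unsigned or forged mail
    return results
```

In this model, revoking only the spammer's key blocks nothing once a fresh key is certified by the same introducer; the second key stays accepted until the introducer is revoked as well, which is why the speed of revocation distribution matters to the scheme.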
