Debunking Offshore Spam

Spam: Since the CAN-SPAM Act passed Congress, there have been quite a few comments raised against it — unsurprising, as it does still have quite a few shortcomings.

However, one of the negative comments needs to be debunked — namely the old favourite, ‘most spam comes from countries outside the US’. In April, Declan McCullagh even quoted the CTO of Brightmail to this effect.

This is not true.

What’s happening here is that it appears a lot of spam is coming via non-US servers, if you do a simplistic analysis of the IP addresses that are connecting to your mail servers. But look a little deeper — some testing will reveal that those IPs are compromised hosts, running proxies or trojans to relay spam from their genuine origin.

Capturing relays in foreign countries is good sense for a spammer, because the network-abuse staff of a foreign ISP will be slower to react to complaints if they don’t speak the complainant’s language; in addition, some offshore ISPs seem to tolerate much more than US/European ISPs would. For example, in a few cases, US-based spammers are installing servers in offshore colocation facilities to operate their spam runs, and generally getting away with it — much more than they would in the US or Europe. In some cases, there’s serious abuse occurring — here’s a ROKSO report indicating Chinese servers being used to operate a massive SMTP AUTH username/password cracking operation against hosts across the world.

Once you get beyond these origin-obfuscation methods, and follow the spam to the source (which is hard work BTW!), you find yourself back in the US. The front page ‘top 10 worst spam countries’ list still features the US at number 1.

Now, what if a spam law passes, and the spammers do move offshore?

I would say that a good 80% of the spamming population will, after a few prosecutions, find themselves unwilling to leave their home country and move to a foreign place in order to continue spamming. After all, wholesale relocation to a foreign society is hard work. So IMO, they’ll move on to other pursuits and leave the email spam racket.

However, it is possible that the most motivated spammers themselves will pack up their bags and physically leave the US. This is where concentrating on the spam bureaus themselves becomes a dead end, and concentrating on their customers, the companies using the bureaus, is useful. Read the CAUCE FAQ:

Because most spam advertises goods or services offered by US-based entities (for example, get-rich-quick schemes and quack medical remedies being sold out of someone’s basement), we advocate anti-spam laws in which the focus is not where the email came from but on whose behalf the spam was sent. If the law applies to the advertiser — the entity profiting from the activity — it doesn’t matter where the spam originates.

The FAQ also raises this very good point:

Second, the reach of US law outside the borders of the US is tenuous at best, however that fact does not negate the need for or effectiveness of laws against those in the US. It can be very difficult to bring a murderer to justice in the US if they escape abroad, but no one could seriously argue that this fact means domestic murder laws are unnecessary or irrelevant. Spam isn’t comparable to murder, but if our judicial system means anything, the same principles of justice must apply.

Dead right.

