Spam: Since the
CAN-SPAM act passed Congress, there’s been quite a few comments raised
against it — unsurprising, as it does still have quite a few shortcomings.
However, one of the negative comments needs to be debunked — namely the
old favourite, ‘most spam comes from countries outside the US’. In April,
Declan McCullagh
even quoted the CTO of Brightmail to this effect.
This is not true.
What’s happening here is that it appears a lot of spam is coming via
non-US servers, if do simplistic analysis of the IP addresses that are
connecting to your mail servers. But look a little deeper — some
testing will reveal that those IPs are compromised hosts, running proxies
or trojans to relay spam from their genuine origin.
Capturing relays in foreign countries is good sense for a spammer, because
the network-abuse staff of a foreign ISP will be slower to react to
complaints if they don’t speak the complainant’s language; in addition,
some offshore ISPs seem to tolerate much more than US/European ISPs would.
For example, in a few cases, US-based spammers are installing servers in
offshore colocation facilities to operate their spam runs, and generally
getting away with it — much more than they would in the US or Europe. In
some cases, there’s serious abuse occurring — here’s
a ROKSO report indicating Chinese servers being used to operate a
massive SMTP AUTH username/password cracking operation against hosts
across the world.
Once you get beyond these origin-obfuscation methods, and follow the spam
to the source (which is hard work BTW!), you find yourself back in the US.
The Spamhaus.org front
page ‘top 10 worst spam countries’ list still features the US at
number 1.
Now, what about if a spam law passes, and the spammers do move
offshore?
I would say that a good 80% of the spamming population will, after a few
prosecutions, find themselves unwilling to leave their home country and
move to a foreign place in order to continue spamming. After all,
wholesale relocation to a foreign society is hard work. So IMO, they’ll
move on to other pursuits and leave the email spam racket.
However, it is possible that the most motivated spammers themselves
will pack up their bags and physically leave the US. This is where
concentrating on the spam bureaus themselves becomes a dead end, and
concentrating on their customers, the companies using the bureaus, is
useful. Read the CAUCE FAQ:
Because most spam advertises goods or services offered by
US-based entities (for example, get-rich-quick schemes and quack medical
remedies being sold out of someone’s basement), we advocate anti-spam
laws in which the focus is not where the email came from but on whose
behalf the spam was sent. If the law applies to the advertiser — the
entity profiting from the activity — it doesn’t matter where the spam
originates.
The FAQ also raises this very good point:
Second, the reach of US law outside the borders of the US is tenuous at
best, however that fact does not negate the need for or effectiveness of
laws against those in the US. It can be very difficult to bring a
murderer to justice in the US if they escape abroad, but no one could
seriously argue that this fact means domestic murder laws are
unnecessary or irrelevent. Spam isn’t comparable to murder, but if our
judicial system means anything, the same principles of justice must
apply.
Dead right.
Tags: act, april, brightmail, can-spam, congress, cto, effect, favourite, isps, spam
