The long view of security strategies for your network.
On Jan. 1, the CAN-SPAM Act of 2003 took effect in the U.S. as an attempt to do something about the spam problem.
Formally entitled “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” the law has been consistently attacked by critics as inadequate to control spam on the following grounds:
1. The Act is based on an opt-out philosophy. Anyone can legally send one junk e-mail message as long as they offer an opt-out procedure. However, it is widely believed that many or most spammers value opt-out replies precisely because a reply confirms that the address is live; those validated addresses are then sold to other spammers. As a result, many people will be reluctant to use opt-out mechanisms at all. In any case, there are more than 20 million businesses in the U.S., so if every one of them chose to send a given user exactly one message per year at random, that user could expect an average of over 54,000 messages requiring an opt-out response per day (20 million divided by 365). If only 1% of these businesses chose to send out junk e-mail, the daily average would still be 500 or more new junk messages requiring an opt-out.
The law requires spammers to provide an opt-out mechanism, but describes these mechanisms broadly as including “a manner specified in the message, a reply electronic mail message or other form of Internet-based communication.”
As pointed out by blogger Ed Foster, this section means that a spammer could create an opt-out mechanism requiring an unwilling recipient to log on to a Web site and search for opt-out instructions, possibly while being bombarded by pop-up ads:
Can you imagine having to log on to Web site after Web site to unsubscribe from drivel you never asked for and detest on sight? Think of the time involved. Furthermore, Web-based opt-out instructions permitted under this law will make it difficult for automated systems to unsubscribe victims of spam using such mechanisms. (I remember one spammer who demanded that his victims _solve a puzzle_ in order to be freed from his waves of, ah, e-xcrement.)
2. Section 9 of the Act mandates a Do-Not-E-Mail Registry for no later than July 2004 but provides no details on how such a registry would be created and updated, how it would be protected against abuse by spammers, which government agency would control it or how it would be used to limit spam.
3. The Act defines “commercial electronic mail message” as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” This definition thus permits spam from politicians, political groups, religious organizations, charities, hate groups, hobbyists, cranks and anyone else so long as the content cannot be construed as “commercial” (which is itself not defined in the Act).
4. CAN-SPAM preempts more restrictive state anti-spam laws, narrowing the range of legal countermeasures available against spammers in the U.S.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.