Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
On Jan. 1, the CAN-SPAM Act of 2003 took effect in the U.S. as an attempt to do something about the spam problem.
Formally entitled, “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” the law has been consistently attacked by critics as inadequate to control spam on the following grounds:
1. The Act is based on an opt-out philosophy. Anyone can legally send one junk e-mail message as long as they offer an opt-out procedure. However, it is widely believed that many or most spammers value opt-out replies precisely because a reply confirms that the address is live and that a person reads it; they then sell those validated addresses to other spammers. As a result, many people will be reluctant to use opt-out mechanisms at all. In any case, there are more than 20 million businesses in the U.S., so if every one of them chose to send a user exactly one message per year at random, that user could expect an average of over 54,000 messages per day (20,000,000 / 365 ≈ 54,800), each requiring an opt-out response. If only 1% of these businesses chose to send junk e-mail, the daily average would still be 500 or more new junk messages requiring an opt-out.
The law requires spammers to provide an opt-out mechanism, but describes these mechanisms broadly as including “a manner specified in the message, a reply electronic mail message or other form of Internet-based communication.”
As pointed out by blogger Ed Foster, this section means that a spammer could create an opt-out mechanism requiring an unwilling recipient to log on to a Web site and search for opt-out instructions, possibly while being bombarded by pop-up ads: http://www.gripe2ed.com/scoop/story/2003/11/24/02356/143
Can you imagine having to log on to Web site after Web site to unsubscribe from drivel you never asked for and detest on sight? Think of the time involved. Furthermore, Web-based opt-out instructions permitted under this law will make it difficult for automated systems to unsubscribe victims of spam using such mechanisms. (I remember one spammer who demanded that his victims _solve a puzzle_ in order to be freed from his waves of, ah, e-xcrement.)
2. Section 9 of the Act mandates a Do-Not-E-Mail Registry for no later than July 2004 but provides no details on how such a registry would be created and updated, how it would be protected against abuse by spammers, which government agency would control it or how it would be used to limit spam.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.