Security

Tech Tip: Learn why antispam laws may make things worse

By Jonathan Yarden

Anyone who's worked with the Internet for more than 10 years may recall a time, perhaps with some nostalgia, when junk e-mail didn't exist. But as the Internet's popularity grew, the de facto rules of conduct went out the window.

Almost 10 years ago, the infamous "Green Card" message that made the rounds on Usenet was the first shot in a battle that continues today. Worldwide outrage over this incident didn't deter others from taking the same approach.

These days, by some counts, junk e-mail accounts for more than half of all e-mail. In my opinion, the number is horribly low for some people; about 92 percent of my current e-mail is junk.

How do junk e-mailers obtain your e-mail address? In my case, one reason is that I was an early, frequent user of Usenet newsgroups, a resource that existed long before the now ubiquitous World Wide Web.

It also didn't help that a rogue subscriber to the ISP I used in 1992 downloaded the list of users from a poorly secured system. Once you end up on one of those "30 million e-mail addresses on CD-ROM" deals, you might as well just change your e-mail address.

Junk e-mail comes from thousands of different locations, with thousands of different subjects, but it usually focuses on a topic of sex, money, drugs, or a combination. But since many of these offers are illegal in their own right, how can laws prohibiting junk e-mail really have any effect?

The net effect of more legislation instead of direct action is that junk e-mailers will devise even more desperate methods or move to areas that don't have antispam laws. Principal junk e-mailers are already primarily offshore, using leagues of hijacked broadband computers all over the world to send their unwanted e-mail. So antispam laws will likely leave them unaffected.

In addition, there's the so-called "legitimate" e-mail marketing issue, which is already creeping into legislation. Direct marketing lobbyists in Washington are keeping a close eye on the "anti-junk" legislation. Campaign donations and swanky parties have a way of changing legislation, even if the public is behind it.

Do we really need federal antispam legislation? Technically, it makes no difference if we do because it won't stop the flood of junk e-mail. A number of state antispam laws already exist, but they're grossly ineffective. In addition, many have specific provisions to allow legal advertisements.

Have these state laws made any headway with stopping spam? Not really—in fact, the opposite is occurring. Legislation has no bearing on the hundreds of thousands of "spam drones" on broadband networks, regardless of the state.

What will make a difference? Broadband ISPs can start by shutting off cable modems for spam drones that their customers refuse to secure and enforcing acceptable use policies.

I've personally reported thousands of spam drones, yet companies such as Charter, AT&T, and Road Runner have taken little if any action. They just don't care.

Make a law that requires ISPs to care, and then you'll have a real solution. The few companies and individuals running relay block lists (RBLs), which are actually quite effective in stopping junk e-mail, are the ones at the front lines of the spam war. But these companies are constantly under attack from both the junk e-mailers and people who haven't properly secured their e-mail systems.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks

Free Newsletters, In your Inbox