Conclusions

So, what have we learned? And what should we do?


Spam is Huge

For the internet at large, spam already represents more than half of all email traffic. Obviously for me the proportion is much higher. My friends who run medium-large ISPs tell me their spam problem is similarly huge. And it's still growing.


Spam is Expensive

If I only needed to run my web site and deal with legitimate email, I could get by with hardware from a couple of years back, which would be basically free. Instead I have to buy nearly cutting-edge hardware, spending thousands of dollars. Then there is the value of the time I have to spend fixing email, and the extra money I have to spend on internet bandwidth.

Now multiply this by the many thousands of sites out there as large or larger than my own, and we're talking billions of dollars per year.


Spam is Coarse

Looking at the stats graphs, we can see lots of sudden jumps and sudden declines in the spam rate. Seems to me, this means there aren't that many different entities (persons, groups, botnets) sending it out. I think that is very encouraging because finding and stopping even one spam source can have a large benefit to the health of the net. And it may actually be feasible to put every single spammer in jail.


Spam and Viruses are the Same

It used to be that commercial or political spam was sent out by one type of miscreant, while worms and viruses were created and propagated by another type. These days, the two have merged. This is because spammers are using viruses to take control of thousands of people's computers, which the spammers then use to send out their crap. A recent example of this was the Sober.P virus, which propagated itself for a few weeks, went silent for a week, and then re-emerged as Sober.Q sending out masses of right-wing hate-spam in German.


Responsibility

Who is to blame for this mess? I see four groups who share responsibility.



Legal Action

Spam is illegal in many different ways. Spammers are using botnets of thousands of other people's machines to send out their spam - that is theft of service on a massive scale. Spammers send out mail with fake "From:" lines - that is fraud, billions and billions of counts of it. Surely we can get the law to do something about this. Don't you think some DA somewhere would like to prosecute for a billion counts of fraud? And get to put "longest sentence ever" on his or her resumé?

Criminal Charges, Federal

Spam is a nation-wide, even world-wide problem, so it would seem logical that federal law enforcement would want to get involved in fighting it. There's a problem, though. Federal laws are weird, and often very specific to offenses against the federal government itself. For instance, there is no general anti-fraud law at the federal level. There are specific laws against fraud aimed at agents of the federal government. There's also the Computer Fraud and Abuse Act, 18 USC 1030, which bars some specific types of unauthorized access to some computers but has nothing to do with fraud in general. And then there's the CAN-SPAM Act of 2003, which is worse than useless. It actually legalized some spam, and does nothing to help catch spammers. Currently there has been exactly one (1) prosecution under CAN-SPAM. So, laws at the federal level, not so useful. Although I do sometimes fantasize about Microsoft getting charged under the RICO Act (18 USC 1961-1968) for conspiring with unnamed spammers John Doe One through One Thousand.

Criminal Charges, State

I think all states have laws against fraud, which is basically lying for commercial gain. Every time a spammer sends out a message with a fake "From:" line trying to sell you something, that is a count of fraud. If a spammer sends out a million of these messages per day, that is a million counts of fraud.

Furthermore, the spammer and the recipient don't have to be in the same state. Using what are called "long-arm" statutes, a state can prosecute a spammer living elsewhere for even a single criminal act directed into the state. The problem, though, is investigating and identifying the spammers, which is even harder when they are out of state. Here is where some federal help could make a difference.

Civil Action

Sue a spammer? Some people have tried it. Again the problem is tracking them down, and then if you win a judgement you have the added problem of collecting.


Regulatory Action

The Federal Trade Commission has some jurisdiction over this area. They run the Do Not Call list, so they are helping fight phone spam. They recently started a campaign to advise ISPs on how to deal with spam zombies.

Quoting from their web site, "While the FTC does not resolve individual consumer problems, your complaint helps us investigate fraud, and can lead to law enforcement action." They have an online Consumer Complaint Form which you can fill out. It's not worth anyone's time to fill this out for every spam you get. However, it seems to me that everyone who gets a virus on their PC ought to fill out this form complaining that Microsoft sold them defective software. Maybe after a few million similar complaints, someone will sit up and take notice.


Legislative Action

I don't think any new laws are needed; as I said above, spam is already very illegal. However, Congress could do some good by appropriating money for a federal investigative task force. I'm thinking of something that would act as a clearinghouse, coordinating investigations and prosecutions among multiple state and local jurisdictions. Note that this is what the FBI is supposed to do, but they are not doing it. Allocating money for the task would either get it done directly or get the FBI interested in doing their job, to snag the funding; either way works for me.


Political Action

Neither party has done anything significant about spam. However, one of the first things that Bush's Justice Department did was to settle the case against Microsoft. Remember, Microsoft had already been convicted and was about to be broken up. The Republicans stopped that from happening. On that basis, they are on the wrong side of the spam war.


Direct Action

If anyone wants to volunteer to pie Bill Gates again, I'll contribute to the defense fund. Or if you prefer, you could just kick him in the nuts.