Can-Spam Law A 'Big Disappointment'

"Can-Spam has provided more prosecutorial teeth, but it hasn't had a huge deterrent effect," says Scott Chasin, the chief technology officer of MX Logic. "It's been a fairly big disappointment."

To be fair, Chasin says, Can-Spam was never meant to stop spam, only regulate it. But even at that job, the law has been a dismal failure. According to MX Logic's data, no more than 7% of all spam was ever compliant with the legislation's requirements. And that was within the act's first year. This year, compliance ran at all-time lows, never once reaching 1%.

"It's just another reminder that the legislative leg is not having a lot of impact," Chasin says.

Anti-spam researchers -- Chasin included -- have watched as spam volumes jumped in October, then soared again in November. Spammers haven't looked back since. "[Spam] traffic has doubled or in some cases even quadrupled," says Chasin. IronPort, an MX Logic rival in the e-mail security market, recently said that the amount of spam increased by 35% in November over October, and doubled in the 12 months ending in October 2006.

Can-Spam never was equipped to stop the flood of junk mail, says Chasin, who adds that its approach has been made moot by an explosion in botnets, collections of compromised PCs that spammers use to send billions of unwanted e-mail messages a month.

In fact, Chasin is pessimistic about efforts to control or even contain the rising tide of spam. He scoffs at calls to cut off botnets from spammers, and calls such proposals unrealistic. "We don't even know what we're dealing with. The [botnet] detection capabilities are rudimentary at best. And now we're encountering polymorphic 'queen bots' that understand antivirus engines and exploit the signature release windows of [antivirus] vendors. It makes detection very difficult."

Queen bots can easily reconfigure themselves, often on the fly, as they seed a new victim PC, escaping detection by the reactive antivirus companies that must create and distribute a new signature, or fingerprint, for each morphed version of the bot.

The only way to stem the rapidly rising volume of spam, says Chasin, is for Internet service providers to wall off systems by refusing to allow computers obviously owned by consumers to send massive amounts of junk mail. Such PCs are almost always bot-controlled.

"It's got to come down to containment," says Chasin, who recognizes that there are problems with the practice, including privacy issues. "I think the focus [in 2007] will shift from Microsoft and back to ISPs."

Even so, he has low expectations for a solution any time soon. Although Bill Gates' infamous promise in January 2004 that "two years from now, spam will be solved" has been relegated to the technology equivalent of "Dewey Defeats Truman!" the war against spam will be long and hard.

"That was simply wishful thinking," says Chasin. "We're going to be dealing with spam for some time. We're going to be reactive, that's what the security industry does.

"We have a long way to go."