Is Your Computer Sending Spam?

Last week Congress passed the CAN-SPAM act, effectively outlawing fraudulent unsolicited email. President Bush has promised to sign it, so we ought to have a brand-spanking-new anti-spam law on the books pretty soon.

Isn’t your inbox quivering with excitement?

If you haven’t been following the legislative wrangling, the bottom line is spammers are now forbidden to forge email addresses and send out unsolicited mail to addresses harvested from Web sites. In addition, any commercial email must include the means for recipients to remove themselves from the list. Obviously, all legitimate email marketers are going to have to take notice of these new rules… but aren’t they doing so already?

That’s exactly the problem. As Ray Everett-Church of ePrivacy points out:

This piece of legislation is telling people that as long as they don’t lie, spam is all right… Today, the biggest problem is indeed coming from folks who are operating on the fringes of legality. This bill gives them legal cover. If they don’t lie, their email can be treated as legitimate and legal. And this gives legitimate companies legal cover, enabling them to do what only the herbal viagra dealers have been doing.

Right now, most spam isn’t coming from you or me or probably most ClickZ readers. Instead, it’s coming from fly-by-night operators who utilize a variety of dirty tricks to get their messages out. Given the widespread use of offshore servers, hacked mail relays and Trojan horse programs, most of the truly malicious spam isn’t going to be stopped by this law.

In fact, things may get a lot worse. New technology advances that allow spammers to hijack broadband-connected PCs to form P2P spam-sending networks are becoming more prevalent. The same day the CAN-SPAM legislation was passed, the New York Times ran a horrifying article detailing how Trojans such as Sinit have evolved. They can now be controlled and updated remotely, without a central server that can be tracked down and shut off (such as the one controlling the spread of the Sobig virus). Researchers at LURHQ have analyzed the Sinit Trojan and concluded these programs are “basically impossible to shut down.”

If that doesn’t make you nervous enough, this SecurityFocus article ought to do the trick. The article is pretty technical, but the gist is spammers are now using sophisticated software to break into computers, insinuate themselves into the operating system, and gain control of the system to send their spam… all under the nose of the inattentive computer owner. In fact, MessageLabs has been quoted as saying over 60 percent of spam is sent from commandeered computers.

Obviously there’s a big problem — one that’s not going to be fixed by legislation. I’m not saying the legislation is bad; the five-year prison sentence may deter weekend scammers from jumping into the game. But, clearly, we need more than what’s on the books to stop the truly illegal scammers (many of whom have been tied to international organized crime) from ruining the Net for the rest of us.

I’ve written about this before. These latest developments underscore the need for not only legislation but also basic code-level changes in the way the Internet works before it’s too late. It’s not enough to hope the problems will simply go away or legislation will take care it (take a look at Larry Lessig’s book “Code” for some good arguments on how underlying technology influences how we work).

We must develop technology for personal whitelists, digital signatures, and better antivirus software to get ahead of the game. With the disturbing trend of home computer hacking by spammers on the rise, the spam problem isn’t just about corporate networks and productivity anymore. Now it’s personal.