Enforcing
Canada’s Anti-Spam
Legislation (CASL)

Policy to help limit botnet traffic and strengthen Canadians’ online safety

Botnets facilitate some of the most damaging cyber-attacks, including ransomware and identity theft. These attacks cause significant harm to Canadians, businesses and organizations that provide critical services such as hospitals, schools and government bodies.

In June 2022, the CRTC found that regulatory action was necessary to ensure that Canadian carriers who block botnets do so in a way that provides a baseline level of protection to Canadians.

The CRTC’s Decision on this matter established the overarching guiding principles for a future network-level botnet-blocking framework.  The CRTC requested that the CRTC’s Interconnection Steering Committee (CISC) examine developing technical parameters that are consistent with the guiding principles and produce a report for the CRTC detailing its recommendations.  After this, the CRTC intends to establish standards for botnet blocking.

Innovative solutions to Compliance and Enforcement

While the CRTC employs traditional enforcement tools, it is also open to innovative approaches to bring businesses and individuals into compliance if it deems the circumstances are warranted.   

In the previous Bi-annual Canadian Spam Report, the CRTC addressed its investigation of four Canadians for their involvement in a Dark Web Marketplace known as CanadianHQ.  Since then, the CRTC has negotiated ways that some individuals can give back to contribute to a safer and more secure online marketplace for Canadians and businesses alike in the community.  These innovative solutions include completing volunteer work, donating to a charity related to a safer and more secure online marketplace, doing presentations to deter youth from cybercrime and for a certain period giving the CRTC unfettered access to electronic devices upon request for inspection.

CRTC Stays Vigilant over the QAKBOT

CRTC staff continue to monitor malware, spyware and viruses in computer programs or spam messages, or infected Web links. Thanks to Canadians who take the time to report complaints to the CRTC, the CRTC now has some specific examples of QAKBOT links for its analysis and investigations.

The CRTC warns Canadians that the QAKBOT is a modular and highly evasive information-stealing malware that can lead to targeted attacks involving theft and ransomware. The QAKBOT infection chain usually starts with a malicious spam email and the infection spreads from there.

Long description:

• 3 Warning Letters
• 214 Notices to Produce
• 4 Undertakings
• 1 Notice of Violation
• 2 Preservation Demands
• 1 Decision

Payments and Penalties Under CASL

Since CASL came into force in 2014, enforcement efforts have resulted in more than $1.9 million payable. Of this amount, approximately $1.1 million is from administrative monetary penalties^{Footnote 1} and $685,000 from negotiated undertakings.

Between April 1, 2022 and September 30, 2022

Over 159,101 complaints to the Spam Reporting Centre.

That’s 6,119 per week.

Approximately 5,066 of these complaints were submitted using the online form, which represents only about 3.2% of total complaints. The remainder of complaints were sent by email at spam@fightspam.gc.ca.

The CRTC encourages Canadians to use the SRC’s online form to provide as much information as possible about potential CASL violations. The information provided by Canadians is an essential part of the intelligence the SRC gathers on spam and electronic threats. Each report is valuable and helps us to enforce CASL.

SRC Database Updates

The SRC can now process PDF documents that have been provided by Canadians as part of their complaints.   This enhancement helps the CRTC in its ability to identify malicious PDF campaigns for investigation.  These types of campaigns target Canadians by sending them an infected PDF as an email attachment which, when opened, can be used to evade detection, embed malicious files, load remote exploits, and shellcode encryption.   This can then allow an attacker to run malware under the radar without the victim knowing.

Reasons why Canadians complain

Long description:

Complaint reasons and percentages

• Lack of consent: 47%
• Indentification of Sender: 21%
• Deceptive Marketing Practices: 19%
• Other: 12%
• Software and Malware: 2%

Note: The total does not add to 100% since Canadians can select more than one category for a complaint.

Per month complaints about consent highest in August 2022

Looking at submissions from Canadians to the SRC over the last 6 months, per month complaints were at their highest in August 2022. Moreover, complaints in each of the categories were also at their highest in August and almost double that compared to some of the months during the previous reporting period.

Note: Statistics derived from spam reports filed through the SRC online form.

Long description:

Year-Month	Lack of consent	Deceptive Marketing Practices	Identification of Sender	Other	Software and Malware	Grand Total
2022-4	732	330	346	186	29	1623
2022-5	698	299	323	150	40	1510
2022-6	602	224	242	140	17	1225
2022-7	613	232	273	158	13	1289
2022-8	1223	475	540	316	42	2596
2022-9	703	303	314	182	22	1524
Grand Total	4571	1863	2038	1132	163	9767

Collaboration with International Partners

The CRTC has also forged partnerships with organizations across the globe in order to better fulfill its mandate. The CRTC is part of the Unsolicited Communications Enforcement Network (UCENet). Members from over 26 countries work together to promote international spam enforcement cooperation and address problems relating to spam and unsolicited telecommunications.