A year after the U.S. Congress passed the first federal antispam law, observers see no evidence that it has cut the amount of unwanted commercial e-mail arriving in U.S. residents’ inboxes.
Most vendors of antispam products have charted an increase in the amount of spam since the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act went into effect on Jan. 1.
CAN-SPAM includes criminal penalties, ranging up to five years in prison, for some common spamming practices, including hacking into someone else’s computer to send spam and using open relays to send deceptive spam. The law allows fines of up to US$250 per spam e-mail with a cap of $6 million for aggravated violations.
But some antispam activists assert that the law has aided spammers because CAN-SPAM requires recipients to opt out of unwanted commercial e-mail by contacting each sender, instead of forcing senders to get opt-in permission. The federal law also hurt spam-fighting efforts by pre-empting parts of some tougher state laws, including a California opt-in requirement, said Laura Atkins, president of the SpamCon Foundation.
CAN-SPAM also prohibits private citizens from suing spammers, instead allowing only state attorneys general or ISPs (Internet service providers) to file civil suits. People like Atkins, who operate their own mail servers and receive thousands of spam e-mail, have no recourse against spammers under CAN-SPAM.
“CAN-SPAM has not made it any easier to find spammers,” Atkins said. “It has not decreased the amount of spam.”
Backers of CAN-SPAM say it provides for the possibility of civil lawsuits and jail time for spammers. ISPs have used CAN-SPAM to file hundreds of civil lawsuits against spammers in 2004, and the key to making the law work is more enforcement, said a spokeswoman for Senator Conrad Burns, a Montana Republican and main sponsor of CAN-SPAM.
“Senator Burns has said from day one that enforcement is key for this legislation to be effective,” said Jennifer O’Shea, his spokeswoman. “We have seen several big lawsuits, which have been helpful, but we need to continue to see more of these lawsuits in order to keep up with big time spammers and keep spam out of inboxes.”
Burns believed businesses should have an opportunity to market over e-mail, instead of having to get opt-in permission from all e-mail recipients, she added.
“The opt-out provision … gives the e-mail user the responsibility of opting out if there is something they do not want to receive messages about,” O’Shea said in an e-mail.
Statistics supplied by vendors of antispam products seem to bear out the criticism of CAN-SPAM. Postini Inc., an e-mail security service provider, said the percentage of legitimate non-spam e-mail it sees dropped from 22 percent of all e-mail at the beginning of 2004 to just 12 percent by December. The company processes 2.4 billion e-mail messages a week.
MX Logic Inc., another antispam vendor, found 67 percent of all e-mail to be spam in February. By November, 75 percent of all e-mail was spam, according to MX Logic.
Spammers, apparently in response to CAN-SPAM, changed tactics this year, said Andrew Lochart, director of product marketing at Postini. More spammers are using so-called zombies networks — computers hijacked with Trojan horse programs — to send spam, and spammers are using increasingly sophisticated directory harvest attacks to spam corporate mail servers, he said.
About 30 percent to 50 percent of spam came through zombie spam relays in April, MX Logic estimated. In a three-week survey in November and December, the company found 69 percent of spam sent through zombies.
“I think CAN-SPAM caused spammers to change their tactics significantly,” Lochart said. “The spammers got even more creative at hiding, and they’ve always been pretty good at it.”
Although CAN-SPAM hasn’t resulted in less spam, the law gives law enforcement agencies a new tool in the fight spam, Lochart said. “It’s a good thing we have a law, so when we find some of these roaches, we can prosecute them,” he said. “It’s a good thing that the federal government recognizes how important spam is.”
ISPs and law enforcement agencies have used CAN-SPAM provisions, including requirements to include a valid postal address and an unsubscribe option in commercial e-mail, to go after spammers. Four large U.S. ISPs filed hundreds of lawsuits against spammers this year, and the U.S. Federal Trade Commission filed criminal CAN-SPAM charges against two companies in April.
Despite these efforts, antispam vendors predict more spam in 2005, not less. “Even from a service provider perspective, after all the lawsuits and convictions, we still have not seen a deterrence effect happen,” said Scott Chasin, chief technology officer at MX Logic. “Spam has continued to increase and saturate inboxes, and we’ve not seen a decline whatsoever. From that perspective, CAN-SPAM is pretty toothless.”
Chart: CAN-SPAM key events during 2004
Compiled by MX Logic
— The CAN-SPAM Act goes into effect on Jan. 1. While the law does not prohibit unsolicited commercial e-mail, it does require that senders of unsolicited commercial e-mail senders:
— Identify themselves in the “from” line of e-mail
— Include a subject line that’s consistent with the e-mail’s message
— Include a valid postal address
— Include a mechanism that allows recipients to opt out of future e-mail from the sender
— Hypertouch, a California ISP, files the first civil lawsuit under CAN-SPAM against the owner of BobVila.com.
— America Online Inc., EarthLink Inc., Microsoft Corp. and Yahoo Inc. file the first major ISP lawsuits under CAN-SPAM.
— The first criminal prosecution under CAN-SPAM Act happens in Michigan. Arrest warrants are issued for four men charged with sending out hundreds of thousands of fraudulent unsolicited e-mail messages advertising a weight loss product.
— The U.S. Federal Trade Commission (FTC) requires all unsolicited e-mail with sexually oriented content to include the label “SEXUALLY-EXPLICIT:” in the subject line.
— The FTC releases a study required in CAN-SPAM about the feasibility of a national do-not-spam registry. The FTC concludes that a registry would be nearly impossible to implement and could create a target for spammers.
— As part of Operation Web Snare, the U.S. Attorney’s office in Los Angeles announced it filed charges against a man for sending unsolicited e-mail advertising pornographic Web sites from his laptop computer while driving through Venice, California, and using unsecured wireless access.
— Nicholas Tombros, the “wireless spammer”, becomes first person convicted under the CAN-SPAM Act.
— The FTC and the National Institute of Standards and Technology convene an Email Authentication Summit.
— Jeremy Jaynes, considered one of the world’s top spammers, is sentenced to nine years in prison under Virginia’s antispam law for sending millions of spam messages to America Online customers.
— A Maryland judge overturns the state’s antispam law (2002 Commercial Electronic Mail Act), ruling that it interferes with interstate commerce.
— A federal judge in Iowa orders three companies to pay an ISP more than $1 billion in spam-related damages. The judgment, based on an Iowa antispam law, is believed to be the largest fine against a spammer to date.