Computer users are seeing fewer unsolicited commercial e-mail messages in their inboxes two years after the U.S. Congress passed an antispam law, the U.S. Federal Trade Commission (FTC) said Tuesday.
The antispam law, called the CAN-SPAM Act, has provided the FTC and law enforcement agencies a new weapon to fight spam, but much of the reason computer users are seeing less spam is that they’re using blocking software and services, the FTC said in a 116-page report to Congress. The volume of spam seems to be leveling off, and blocking technologies are keeping most spam messages away from inboxes, the FTC said.
“The e-mail landscape has changed significantly, largely for the better,” the report says. “In essence, these developments suggest that spam has not, as once feared, destroyed the promise of e-mail.”
CAN-SPAM has also helped focus attention on spam and its dangers, said Lydia Parnes, director of the FTC Bureau of Consumer Protection. Law enforcement agencies, consumer groups and technology companies have “really focused on the spam issue” since CAN-SPAM was passed, she said during a press conference.
“We’re not here saying that the spam problem is solved,” Parnes said. “What we’re saying is that we’re making progress. It’s a very incremental process.”
Some in the technology community have questioned the law’s effectiveness, but the FTC said CAN-SPAM has helped define a group of standardized best practices for sending commercial e-mail. The FTC did not recommend any changes to CAN-SPAM in its report, although it recommended Congress pass legislation, called the U.S. SAFE WEB Act, that would allow more international cooperation among law enforcement agencies fighting spam and other computer crimes.
CAN-SPAM — short for Controlling the Assault of Non-Solicited Pornography and Marketing — has also given law enforcement agencies and ISPs (Internet service providers) an “additional tool” to fight spam by filing lawsuits against spammers, the report said. Law enforcement agencies and ISPs have filed more than 50 lawsuits against spammers in the past two years, the report noted.
Also Tuesday, the FTC announced that U.S. law enforcement agencies, Canadian consumer protection officials and three state attorneys general have targeted several spammers in an international enforcement operation.
The FTC recently targeted three spam operations, the Canadian Competition Bureau settled two cases, and the attorneys general of Florida, North Carolina and Texas filed complaints seeking to block three more operations, the FTC said.
The FTC targeted e-mail senders who allegedly violated CAN-SPAM by sending spam with false “from” header information and misleading subject lines, and failed to provide opt-out options or a physical address. Some of the accused e-mailers hijacked consumers’ computers and turned them into spamming machines, the FTC said.
The CAN-SPAM Act helped the FTC bring civil charges against this latest group of alleged spammers, Parnes said.
Consumer groups and some IT security experts have questioned the effectiveness of CAN-SPAM. Consumer groups have criticized CAN-SPAM for allowing companies to send unsolicited commercial e-mail until a recipient opts out, instead of a tougher opt-in standard.
CAN-SPAM has been “largely ineffective,” said Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial Email. “Most of the criticisms leveled at CAN-SPAM when it was passed have proven correct,” he said. “CAN-SPAM’s ineffectiveness was predictable because instead of outlawing the practice of spamming, the law largely set out rules that marketers could follow to make sure their spam was legal under the act.”
Antispam vendor MX Logic Inc. found that 68 percent of e-mail traffic it scanned in 2005 was spam, down from 77 percent in 2004. But only 4 percent of unsolicited commercial e-mail complied with CAN-SPAM in 2005, up from 3 percent in 2004, the company said earlier this month.
Others also voiced doubts about CAN-SPAM. Instead of making the FTC largely responsible for fighting spam, Congress should pass a law holding ISPs responsible for passing on e-mail containing scams and malware, said Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust Inc.
“We’re not talking about excessive e-mails from Columbia House here, but instead e-mail offerings for drugs that really aren’t, or goods that never appear,” Cooper said. “Spam is so insidious these days that it is to the point that it seriously disrupts day-to-day business and creates a distinct loss of GDP [gross domestic product].”
But the FTC found that ISPs’ filtering technologies are working well, Parnes said. FTC research into two popular free e-mail services found that one caught 86 percent of spam in its filter, and the other caught 95 percent, she said.
“The ISPs are doing a very good job of filtering out spam,” she said.
The FTC reported several improvements in fighting spam since 2003 and several areas where new problems have occurred. Spammers have continued to provide false information to domain name registrars to hide their identities, and CAN-SPAM has done little to combat spam coming from outside the U.S., the FTC said.
Spammers have also turned to increasingly complex business relationships to hide themselves from law enforcement agencies, and spam has increasingly included viruses or worms, the FTC said. “Rather than merely advertising products and services, spam messages now sometimes include ‘malware’ designed to harm the recipient,” the FTC report says.
But the FTC also recorded several improvements. Among those improvements: Spam seems to be leveling off, there’s been a “significant decrease” in the amount of sexually oriented spam, and legitimate e-mailers have largely complied with CAN-SPAM’s rules, the FTC said. CAN-SPAM requires that commercial e-mail include several items, among them a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism and a relevant subject line.
“Virtually all” of what Parnes called legitimate e-mailers now include working opt-out mechanisms in their e-mail messages, she said. Before CAN-SPAM, an FTC study found that 66 percent of opt-out links in commercial e-mail did not work. In a recent study of 100 top online businesses, the FTC found that 89 percent honored opt-out requests.
Instead of changes to CAN-SPAM, the FTC urged technology vendors to continue to improve antispam technology, particularly domain-level authentication of e-mail senders.
(Robert McMillan in San Francisco contributed to this report.)