Is the CAN-SPAM Law Working?

Less than 1 percent of spam e-mail sent to U.S. inboxes this month complies with a national antispam law that went into effect January 1, according to two spam filtering vendors.

Commtouch Software, based in Mountain View, California, and MX Logic, based in Denver, both found that more than 99 percent of spam e-mail they checked through late last week did not comply with one or more provisions of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.

A third spam filtering vendor, Audiotrieve, found just over 10 percent of unsolicited commercial e-mail complying with CAN-SPAM requirements in a survey of e-mail it conducted over the weekend.

On the Rise

The new law hasn't had an effect on the amount of spam being sent, either. "There's been no reduction in the volume of spam," says Scott Chasin, MX Logic's chief technology officer. "In fact, the exact opposite--our spam rates are actually going up."

MX Logic classified 77 percent of its customers' e-mail as spam on Monday, up 6.5 percent from January 1.

CAN-SPAM requires that spam e-mail include a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism, and a relevant subject line. The law also directs the U.S. Federal Trade Commission to study setting up a national do-not-spam list, similar to the national do-not-call telemarketing list now in effect.

Enforcement Needed

The numbers from the three vendors show the need for enforcement actions against major spammers, says a spokesperson for Senator Conrad Burns (R-Montana), a sponsor of CAN-SPAM.

On December 11, Burns and Senator Ron Wyden (D-Oregon), the other leading advocate of CAN-SPAM, sent a letter to FTC chairman Timothy Muris, asking his agency to take enforcement action against "kingpin" spammers once CAN-SPAM became law.

"Senator Burns has continually stated that enforcement is key regarding the CAN-SPAM legislation," the Burns spokesperson says in an e-mail. "This is something that we certainly won't let fall through the cracks."

An FTC spokesperson didn't immediately respond to a request for comment, but Burns' spokesperson provided a letter from Muris dated January 7. "Although we have directed substantial resources to studying a do-not-spam registry, we have many more investigations under way," Muris wrote to Burns and Wyden.

Spammers often hide their identities, and an investigation into a spammer can take months, Muris also wrote.

Taking Action

The national spam law alone won't cut the amount of spam being sent, but enforcement could have an impact, with multimillion-dollar fines and jail terms allowed in CAN-SPAM for some spamming activities, says Avner Amram, executive vice president at Commtouch. "Legislation is the first step, enforcement is the second," he says.

Commtouch and the other vendors tout antispam technology as an essential partner in the fight against spam. "While legislation helps, it's not the answer," Chasin says. "We applaud the intent of the legislation. Any step in the direction of trying to stop spam is a good road to go down."

To determine how much spam is in compliance with CAN-SPAM, the three vendors took different approaches. MX Logic, which provides spam and virus filtering services, looked at 1000 randomly selected pieces of spam received during the first seven days of January and found only three that complied with CAN-SPAM requirements that the e-mail include a working opt-out option and a valid postal address. In cases where the spam includes a physical address, it may be the address of a bulk e-mail company and not the actual company marketing the product, Chasin says.

Audiotrieve, based in Boxborough, Massachusetts, collected e-mail messages using so-called "honey pot" accounts on January 10 and 11, and found 102 of 1000 messages analyzed contained all of the information required by CAN-SPAM. Physical addresses were missing from all of the remaining 898 spam messages, according to a press release from Audiotrieve, which markets its InBoxer spam filter.

Commtouch, which uses its Recurrent Pattern Detection technology to identify and filter massive spam attacks, has analyzed millions of e-mail addresses since January 1 and found less than 1 percent that comply with CAN-SPAM, Amram says. Commtouch found that 80 percent of spam e-mail didn't include valid return e-mail addresses and more than 40 percent contained subject lines that weren't related to the text of the e-mail.
