On January 1, 2004, the most sweeping federal antispam law ever enacted took effect. Coauthor Senator Conrad Burns (R-Montana) said that CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing, the bill's full name) was supposed to "put an end to the bothersome e-mail [people] see each day in their in-boxes" by imposing harsh penalties against "kingpin" spammers and by allowing people to opt out of marketing mailing lists with a simple mouse click.
But if you're receiving less junk e-mail now, you are in the minority. By all accounts, CAN-SPAM has failed to restrain the inundation of spam that is slowly drowning the Internet. Brightmail, which filters spam for some 300 million user accounts worldwide, reports that in January 60 percent of incoming e-mail messages worldwide was spam--up 2 percent from the levels observed in December, just before the law took effect.
Perhaps the most striking consequence of the law is that it may have driven a number of spammers offshore. America Online, whose 33 million customers have long been a major target for spammers, says that immediately after the law took effect, it saw a 10 percent jump in spam originating overseas--beyond the reach of U.S. antispam laws.
It's the Law
CAN-SPAM requires commercial e-mail messages to include an opt-out mechanism so you can tell senders to remove you from their mailing list. Also outlawed are false and deceptive headers and subject lines. Companies must include a postal address in their marketing e-mail.
MX Logic, a self-described "commercial e-mail defense company," determined that of 40,000 unsolicited commercial e-mail messages it reviewed in a four-week survey, 97 percent violated the CAN-SPAM law. The most common violations, MX Logic officials say, involved failing to include a valid postal address or a clear opt-out mechanism.
The law also bans popular spamming techniques such as employing software to harvest e-mail addresses from Web sites. Prohibited, as well, is "dictionary attack" software, which randomly generates e-mail addresses in an effort to come up with at least some real recipients.
The toughest penalties under CAN-SPAM include jail time for spammers who falsify the header information in e-mail messages or who hack into someone else's computer to send bulk e-mail. Convicted spammers are also subject to jail time for registering five or more e-mail accounts, for giving false information when signing up for those accounts, or for using the accounts to send unsolicited bulk e-mail.
Burns and various CAN-SPAM supporters--among them Microsoft, Yahoo, and the telecom consumer advocacy group Telecommunications Research and Action Center--say that the law's steep fines and jail terms will, in time, weed out the worst offenders. They say that CAN-SPAM will make junk e-mail easier to spot and filter. But spammers seem to be paying little attention to the law.
Strong First Step?
Even though spam is as rampant as ever, Burns remains optimistic about the new law. He says federal legislation is a strong first step in curbing spam. But he also points out that CAN-SPAM wasn't meant to be a spam-slaying silver bullet. "The industry now has a way to legitimize and put integrity into the practice of sending commercial e-mail," he says.
"CAN-SPAM is great for companies like ours that play by the rules," contends Paul McDonnell, cofounder of direct e-mail marketer IMarket Offers. He and many other e-mail marketers appreciate that CAN-SPAM presents a single set of rules to an industry previously struggling to navigate the shoals of 34 existing state antispam laws. "This makes compliance much easier," McDonnell says.
But what is good for the e-marketing industry may not be great for the eternally spammed. The CAN-SPAM law does not proscribe unsolicited e-mail, so long as it's CAN-SPAM-compliant. Critics view this as a major flaw, while known spammers see it as a loophole that will keep them in business.
Scott Richter, whose name regularly appears on the Register of Known Spam Operations list of top spammers, says his mail had mostly complied with CAN-SPAM already. "All I have to do is add my postal address to outbound e-mail messages, and it is business as usual."
California state senator Debra Bowen, a Democrat who supported a more stringent California law that the federal law superseded, says the situation has deteriorated. "CAN-SPAM does not can spam at all; it gives it the congressional seal of approval," she asserts.
California's antispam law mandated an opt-in approach that prohibited sending unsolicited commercial e-mail without the recipients' prior consent or without an established business relationship. Bowen argues that marketing e-mail should be prohibited unless it is requested by users.
Wait and See
"CAN-SPAM's impact on consumer in-boxes will take time," says J. Howard Beales III, director of the FTC's Bureau of Consumer Protection, which is among the federal agencies charged with enforcing the CAN-SPAM Act.
The FTC has other obligations under CAN-SPAM. One is that the agency must write regulations governing the labeling of pornographic messages. It must consider mandatory labels for unsolicited e-mail in general. The FTC must also investigate the feasibility of a do-not-spam registry similar to the telemarketing do-not-call registry.
The FTC has proposed requiring adult-related e-mail to have the phrase "Sexually-Explicit-Content" at the beginning of message subject lines, making them easy for recipients to filter out.
The problem with this and other CAN-SPAM mandates, from Beales's point of view, involves enforcement. "I have expressed some doubts about the enforceability of CAN-SPAM," Beales says. Spammers are difficult to locate, and if they're found outside the United States, enforcement becomes even more difficult.
"Without strict enforcement, I don't see how any antispam law can work," says Sam Simon, chair of the Telecommunications Research and Action Center, a supporter of CAN-SPAM. According to Beales, the FTC has filed nearly 60 antispam cases under antifraud laws, yet the volume of spam has continued to rise.
One example of antispam efforts in the courts: In December, New York's state attorney general Eliot Spitzer and Microsoft sued Scott Richter and his company OptInRealBig.com in New York and Washington states, respectively, alleging that they had violated each state's consumer protection laws by sending billions of illegal and deceptive unsolicited e-mail messages.
Richter, who insists that the charges are false, says he lost some business initially but now sends as many e-mail messages as he did before the suits were filed.
Many observers view laws as just one element in fighting spam. "We feel that the CAN-SPAM law will, when combined with other tools and weapons, have a positive impact," says America Online spokesperson Nicholas Graham.
Analysts agree better spam-fighting technology (see "Tech Weapons of Spam Destruction") is needed. The research firm IDC estimates that by 2007 messaging security will be a $1.1 billion business, up from $236 million in 2002.
"Spam laws on their own mean nothing," says Richi Jennings, e-mail analyst with Ferris Research. "Any solution will have to go hand in hand with technology."