Is CAN-SPAM Working?
A year after the U.S. Congress passed the first federal antispam law, observers see no evidence that it has cut the amount of unwanted commercial e-mail arriving in U.S. residents' inboxes.
Most vendors of antispam products have charted an increase in the amount of spam since the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act went into effect on January 1, 2004.
CAN-SPAM includes criminal penalties, ranging up to five years in prison, for some common spamming practices, including hacking into someone else's computer to send spam and using open relays to send deceptive spam. The law allows fines of up to $250 per spam e-mail with a cap of $6 million for aggravated violations.
But some antispam activists say that the law has aided spammers because CAN-SPAM requires recipients to opt out of unwanted commercial e-mail by contacting each sender, instead of forcing senders to get opt-in permission. PC World recently conducted its own test of CAN-SPAM, and found that opting-out can be difficult.
The federal law hurt spam-fighting efforts by pre-empting parts of some tougher state laws, including a California opt-in requirement, says Laura Atkins, president of the SpamCon Foundation.
CAN-SPAM also prohibits private citizens from suing spammers, instead allowing only state attorneys general or ISPs to file civil suits. People like Atkins, who operate their own mail servers and receive thousands of spam messages, have no recourse against spammers under CAN-SPAM.
"CAN-SPAM has not made it any easier to find spammers," Atkins says. "It has not decreased the amount of spam."
Backers of CAN-SPAM say it provides for the possibility of civil lawsuits and jail time for spammers. ISPs have used CAN-SPAM to file hundreds of civil lawsuits against spammers in 2004, and the key to making the law work is more enforcement, says a spokesperson for Senator Conrad Burns (R-Montana), the main sponsor of CAN-SPAM.
"Senator Burns has said from day one that enforcement is key for this legislation to be effective," says Jennifer O'Shea, his spokesperson. "We have seen several big lawsuits, which have been helpful, but we need to continue to see more of these lawsuits in order to keep up with big time spammers and keep spam out of inboxes."
Burns believes businesses should have an opportunity to market over e-mail, instead of having to get opt-in permission from all e-mail recipients, she adds.
"The opt-out provision...gives the e-mail user the responsibility of opting out if there is something they do not want to receive messages about," O'Shea says in an e-mail.
Statistics supplied by vendors of antispam products seem to bear out the criticism of CAN-SPAM. Postini, an e-mail security service provider, says the percentage of legitimate nonspam e-mail it sees dropped from 22 percent of all e-mail at the beginning of 2004 to just 12 percent by December. The company processes 2.4 billion e-mail messages a week.
MX Logic, another antispam vendor, found 67 percent of all e-mail to be spam in February. By November, 75 percent of all e-mail was spam, according to MX Logic.
Spammers, apparently in response to CAN-SPAM, changed tactics this year, says Andrew Lochart, director of product marketing at Postini. More spammers are using so-called zombies networks--computers hijacked with Trojan horse programs--to send spam, and spammers are using increasingly sophisticated directory harvest attacks to spam corporate mail servers, he says.
About 30 percent to 50 percent of spam came through zombie spam relays in April, MX Logic estimates. In a three-week survey in November and December, the company found 69 percent of spam sent through zombies.
"I think CAN-SPAM caused spammers to change their tactics significantly," Lochart says. "The spammers got even more creative at hiding, and they've always been pretty good at it."
Although CAN-SPAM hasn't resulted in less spam, the law gives law enforcement agencies a new tool in the fight spam, Lochart says. "It's a good thing we have a law, so when we find some of these roaches, we can prosecute them," he says. "It's a good thing that the federal government recognizes how important spam is."
ISPs and law enforcement agencies have used CAN-SPAM provisions, including requirements to include a valid postal address and an unsubscribe option in commercial e-mail, to go after spammers. Four large U.S. ISPs filed hundreds of lawsuits against spammers this year, and the U.S. Federal Trade Commission filed criminal CAN-SPAM charges against two companies in April.
Despite these efforts, antispam vendors predict more spam in 2005, not less. "Even from a service provider perspective, after all the lawsuits and convictions, we still have not seen a deterrence effect happen," says Scott Chasin, chief technology officer at MX Logic. "Spam has continued to increase and saturate inboxes, and we've not seen a decline whatsoever. From that perspective, CAN-SPAM is pretty toothless."