Spam Slayer: Why Spammers Love the CAN-SPAM Law

Send gripes, questions, and tips for the spam wars to spamwatch@pcworld.com. Return to the SpamWatch pagefor more articles.

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) law targeting junk e-mail is supposed to lighten our in-box spam load. But scant weeks since the federal law took effect, I'm still getting just as many lame pitches as I did in mid-December.

CAN-SPAM, in fact, has had no discernable impact on the volume of spam. Neither has the law changed spammers' tactics. Today, 58 percent of incoming e-mail is spam, the same percentage as in December, says spam filtering firm Brightmail. MX Logic, another spam filtering company, found that 99 percent of a 1000-sample review of unsolicited commercial e-mail messages violated the CAN-SPAM.

To be fair, I'll give the law more time to resonate with law-abiding spammers before passing final judgment. But I can't help but feel CAN-SPAM was ill-conceived and will never cure the indigestion brought on from too much spam.

Loopholes Galore

CAN-SPAM has more holes that than a slice of Swiss cheese.

First, CAN-SPAM legalizes spam because it doesn't actually prohibit unsolicited e-mail. Legitimate businesses and unsavory spammers alike can keep sending commercial e-mail until you explicitly ask them to stop by using a mandated "opt out" option in e-mail pitches.

Opting out and telling spammers to take a hike sounds like a great idea. The problem is, you get no assurance that when you opt out of receiving spam from one company, you aren't being tricked into validating your e-mail address so you can get spam from another.

Perhaps that's the loophole being addressed by the law's request that the Federal Trade Commission design a "Do Not Spam" registry, modeled after the popular Do Not Call registry. But the overtaxed FTC has already stated that a Do Not Spam registry would be almost impossible to enforce.

Telemarketers on the Do Not Call list are easily identified by their phone numbers. But spammers routinely route e-mail all over the globe before it hits your in-box. Creating a Do Not Spam registry is no problem; it's the enforcement that's tough.

I applaud CAN-SPAM's tough stance on spammers, who now face jail, damages up to $2 million, and fines. In fact, perhaps spammers could get the option of reducing their sentences by agreeing to eat nothing but the lunchmeat Spam while incarcerated. How about that for justice?

Steep CAN-SPAM fines and the threat of lawsuits will likely drive marketers to move their operations offshore, and out of U.S. jurisdiction. America Online is already observing this trend: Between December 31 and January 2, AOL noticed a 10 percent jump in spam originating overseas.

State Laws Superseded

CAN-SPAM actually weakens or nullifies 36 antispam state laws, many of which were considered more effective than the federal mandate. California's antispam law, which was approved but will never be enforced, is superseded by CAN-SPAM. It required a recipient's permission before sending commercial e-mail. Violators risked damages up to $1000 for each message sent to an individual, and up to $1 million per incident.

CAN-SPAM does give the FTC and the Attorney General a powerful weapon with which to fight spam. And if the law is rigorously enforced, perhaps spam volumes will plateau. However, I doubt that 2004 will be the year we turn the tide on the flood of spam.

If you dare, go ahead and opt out--but keep on eye on your in-box and keep forwarding illegal spam to the FTC.

Q&A

Q. My ISP recently updated its spam filter to include an option to "bounce" certain messages as well as the normal move or delete options. Would the bounce option help lessen the amount of spam?
--Paul K

A. In theory, the bounce option tells spammers your address isn't valid, so they remove you from their lists. That assumes spammers are interested in cleaning their lists of nonexistent e-mail address. But it's likely that only the real pros clean their lists of bogus e-mail addresses. And it's thought that a lot of spam is sent by zombie machines (possibly infected with the Sobig virus) or by amateurs who recently decided to get into the spam business. Using the bounce option couldn't hurt, but it may not help.

Q. Is there a way to trace spam back to the sender? What is the best method for determining the source of spam? Are there any tools available to track down the origin? Can't you just trace the IP address embedded in the e-mail message?
--Chris F

A. Tracing e-mail back to the sender is tricky because spammers can hide their place of origin. Wily spammers easily and often forward messages through multiple unsuspecting computers, making it nearly impossible to identify the real sender.

You might find some inkling of the originator through a little sleuthing. Web sites such as Network Tools and SamSpade.org enable you run e-mail address searches to track down a sender. But if the e-mail address is spoofed to begin with, there isn't much you can do.

SamSpade.org offers a free, nifty program called Sam Spade for Windows that looks up Web site owners, tells you where to report spam, and checks domains against e-mail blacklists.