Government's CAN-SPAM Act Works Just as it Sounds

Five years after the CAN-SPAM Act of 2003, SPAM still runs rampant across the Internet. According to SpamCop.net for July 24, 2008, there are approximately 3 million SPAM messages milling through the Internet during any given 24 hour period.

The average active email address will be sent between 300 and 500 spam messages each day. Many, of course, are blocked or filtered, but those numbers are still 5 to 10 times higher than in 2003 when the CAN-SPAM Act first went into effect.

The odd thing? According to anti-SPAM activists Spamhaus.org there are 100 known SPAM operators that are responsible for 80% of your SPAM. And still the numbers keep going up.

So much for the effectiveness of the law.

How much "juice" does CAN-SPAM really have? Not much, apparently. Anti-SPAM activists commonly refer to the law as the "YOU-CAN-SPAM Act" because it does not address a fundamental anti-SPAM principal of requiring emailers to get permission from the recipient (opt-in) before sending a marketing message. And, amazing enough for an American law, it explicitly prohibits individuals who receive SPAM from suing SPAMmers.

On the other hand, the original CAN-SPAM Act did specify that senders could not use false email headers, could not use "harvested" email addresses (skimmed from websites or directories) and could not use deceptive subject lines. It also required labeling of adult content and a 10-day address removal time for recipients that "opt-out". Sadly, it exempts religious and political messages. (This author receives 1-3 emails a day from the Obama Campaign -- and he lives in Canada!)

This month, the CAN-SPAM law was changed to tighten up some of the loopholes in the original law. The new rules define "person" to include businesses, and insist on a streamlined, no-fine-print opt-out and name removal process. The new changes also expand the law to cover multiple-sender emails. Previously, using multiple senders for an email made it rather ambiguous as to who had the obligation to remove the address -- the originator or one of the senders. (Source: btobonline.com)

The latest changes, while appropriate, won't really improve the law's effectiveness. In a recent SPAM analysis performed by CommTouch on emails received since January 1, 2008, they found that less than 1% of email solicitations comply with CAN-SPAM. It also found that 80% of the email solicitations did not include a valid return email address, and 40% contained deceptive subject lines. All of these are prohibited under the CAN-SPAM Act. Obviously, enforcement is a problem. (Source: pcworld.com)

The Federal Trade Commission is responsible for enforcement of the law. So far, while investigations are allegedly underway, and there is the occasional arrest (the last was SPAMmer Alan Ralsky in January of this year) little has been done.

The only real enforcement occurs privately through the combined efforts of Internet Service Providers (ISPs) and anti-SPAM consumer groups. By maintaining and coordinating "blocklists" these groups combat SPAM through "reputation-based" screening -- i.e. if you've been known to send SPAM from a certain IP address, that IP address will have a bad reputation and therefore will be blocked.

Spamhaus.org, an international, non-profit consortium based in Switzerland, maintains several "blocklists". These include a database of IP addresses of verified SPAM sources, a database of hijacked PC's, and a database of policy-based IP address (IP address that should not be sending unauthenticated emails. These databases are available to ISPs to validate email senders prior to processing or delivering email. Spamhaus currently protects over 1.4 billion user mailboxes with their reputation-based databases.)

So, CAN-SPAM notwithstanding, SPAM is alive, well, and thriving. And it will continue to thrive until there is some serious enforcement action against known SPAMmers. Think about it: if 100 SPAMmers (most being in the U.S.) are responsible for 80% of the SPAM, we could cut SPAM by 80% by doing what?

Hey! FTC! Wake up over there!