FTC: Computer users seeing less spam, law helped

Computer users are seeing fewer unsolicited commercial e-mail messages in their inboxes two years after the U.S. Congress passed an anti-spam law, the U.S. Federal Trade Commission said Tuesday.

The anti-spam law, called the CAN-SPAM Act, has provided the FTC and law enforcement agencies with a new weapon to fight spam, but much of the reason computer users are seeing less spam is that they're using blocking software and services, the FTC said in a 116-page report to Congress. The volume of spam seems to be leveling off, and blocking technologies are keeping most spam messages away from inboxes, the FTC said.

"The e-mail landscape has changed significantly, largely for the better," the report says. "In essence, these developments suggest that spam has not, as once feared, destroyed the promise of e-mail."

Some in the technology community have questioned the law's effectiveness, but the FTC said CAN-SPAM has helped define a group of standardized best practices for sending commercial e-mail. The FTC did not recommend any changes to CAN-SPAM in its report, although it recommended Congress pass legislation, called the U.S. SAFE WEB Act, that would allow more international cooperation among law enforcement agencies fighting spam and other computer crimes.

CAN-SPAM - short for Controlling the Assault of Non-Solicited Pornography and Marketing - has also given law enforcement agencies and ISPs an "additional tool" to fight spam by filing lawsuits against spammers, the report said. Law enforcement agencies and ISPs have filed more than 50 lawsuits against spammers in the past two years, the report noted.

Consumer groups and some IT security experts have questioned the effectiveness of CAN-SPAM. Consumer groups have criticized CAN-SPAM for allowing companies to send unsolicited commercial e-mail until a recipient opts out, instead of a tougher opt-in standard.

CAN-SPAM has been "largely ineffective," said Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial Email. "Most of the criticisms leveled at CAN-SPAM when it was passed have proven correct," he said. "CAN-SPAM's ineffectiveness was predictable because instead of outlawing the practice of spamming, the law largely set out rules that marketers could follow to make sure their spam was legal under the act."

Antispam vendor MX Logic found that 68% of e-mail traffic it scanned in 2005 was spam, down from 77% in 2004. But only 4% of unsolicited commercial e-mail complied with CAN-SPAM in 2005, up from 3% in 2004, the company said earlier this month.

Others also voiced doubts about CAN-SPAM. Instead of making the FTC largely responsible for fighting spam, Congress should pass a law holding ISPs responsible for passing on e-mail containing scams and malware, said Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust.

"We're not talking about excessive e-mails from Columbia House here, but instead e-mail offerings for drugs that really aren't, or goods that never appear," Cooper said. "Spam is so insidious these days that it is to the point that it seriously disrupts day-to-day business and creates a distinct loss of GDP [gross domestic product]."

The FTC reported several improvements in fighting spam since 2003 and several areas where new problems have occurred. Spammers have continued to provide false information to domain name registrars to hide their identities, and CAN-SPAM has done little to combat spam coming from outside the U.S., the FTC said.

Spammers have also turned to increasingly complex business relationships to hide themselves from law enforcement agencies, and spam has increasingly included viruses or worms, the FTC said. "Rather than merely advertising products and services, spam messages now sometimes include 'malware' designed to harm the recipient," the FTC report says.

But the FTC also recorded several improvements. Among those improvements: Spam seems to be leveling off, there's been a "significant decrease" in the amount of sexually oriented spam, and legitimate e-mailers have largely complied with CAN-SPAM's rules, the FTC said. CAN-SPAM requires that commercial e-mail include several items, including a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism and a relevant subject line.

Instead of changes to CAN-SPAM, the FTC urged technology vendors to continue to improve anti-spam technology, particularly domain-level authentication of e-mail senders.

Robert McMillan in San Francisco contributed to this report.
