Can CAN-SPAM can spam?

* Analysis of the CAN-SPAM Act of 2003

On Jan. 1, the CAN-SPAM Act of 2003 took effect in the U.S. as an attempt to do something about the spam problem.

Formally entitled the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003,” the law has been consistently attacked by critics as inadequate to control spam on the following grounds:

1. The Act is based on an opt-out philosophy. Anyone can send one junk e-mail message legally as long as they offer an opt-out procedure. However, it is widely believed that many or most of the people who send spam value opt-out replies because they validate addresses. They then sell those addresses to other spammers. As a result, many people will be reluctant to use opt-out mechanisms. In any case, there are more than 20 million businesses in the U.S., so if every one of them chose to send a user exactly one message per year at random, a user could expect an average of over 54,000 messages requiring an opt-out response per day. If only 1% of these businesses chose to send out junk e-mail, the daily average would be 500 or more new junk messages requiring an opt-out.

The law requires spammers to provide an opt-out mechanism, but describes these mechanisms broadly as including “a manner specified in the message, a reply electronic mail message or other form of Internet-based communication.”

As pointed out by blogger Ed Foster, this section means that a spammer could create an opt-out mechanism requiring an unwilling recipient to log on to a Web site and search for opt-out instructions, possibly while being bombarded by pop-up ads:

http://www.gripe2ed.com/scoop/story/2003/11/24/02356/143

Can you imagine having to log on to Web site after Web site to unsubscribe from drivel you never asked for and detest on sight? Think of the time involved. Furthermore, Web-based opt-out instructions permitted under this law will make it difficult for automated systems to unsubscribe victims of spam using such mechanisms. (I remember one spammer who demanded that his victims _solve a puzzle_ in order to be freed from his waves of, ah, e-xcrement.)

2. Section 9 of the Act mandates a Do-Not-E-Mail Registry by no later than July 2004, but provides no details on how such a registry would be created and updated, how it would be protected against abuse by spammers, which government agency would control it, or how it would be used to limit spam.

3. The Act defines “commercial electronic mail message” as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” This definition thus permits spam from politicians, political groups, religious organizations, charities, hate groups, hobbyists, cranks and anyone else so long as the content cannot be construed as “commercial” (which is itself not defined in the Act).

4. CAN-SPAM overrides more restrictive state laws, weakening the range of legal countermeasures against spammers in the U.S.

5. Nothing in the Act resolves the problem of spam directed against U.S. residents but originating outside the boundaries of the U.S.

By mid-January, anti-spam campaigners were confirming their pessimistic impression of the law’s effectiveness. According to Jan Libbenga of _The Register_, “The NANAS sightings newsgroup (a large collection of spam, updated continuously) doesn’t contain one spam message that is CAN-SPAM compliant.”

Let’s hope for some successful prosecutions of spamming soon with some stiff penalties. Until then, I’m sorry to say that I doubt that this law will have any helpful effect on spam.

Learn more about this topic

Spam Laws: United States: Federal Laws: CAN-SPAM Act of 2003

Opinion: The real meaning of CAN-SPAM

“Spammers not deterred by Can Spam Act”

The Register, 01/02/04

Review: Security auditing tools

Network World, 02/02/04

Feds to the rescue?

Network World, 02/02/04
