CAN-SPAM: What went wrong?

Five years ago, the U.S. tech industry, politicians and Internet users were wringing their hands over the escalating problem of spam.

Watch a slideshow of the most notorious convicted spammers.
Follow the famous quotes about spam throughout the years.

Back then, 45% of all e-mails were unwanted pitches for such products as Viagra, penny stocks or porn sites. An estimated 15 billion spam messages were sent over the Internet daily in 2003, prompting 74% of online adults to favor a law that would make mass spamming illegal. 

Statistics like these prompted Congress to pass a landmark antispam bill known as the CAN-SPAM Act in December 2003.

Fast forward five years.

The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing U.S. ISPs and corporations an estimated $42 billion a year. 

The content of spam has changed, too. In 2003, spam was an annoying or offensive come-on to buy a product. Today, more than 83% of spam contains a URL for a Web site that is trying to infect computers with malicious software. 

Law enforcement officials have prosecuted dozens of spammers under the CAN-SPAM Act and won some high-profile cases, such as putting pharmacy spam king "Rizler" behind bars for 30 years and awarding MySpace damages of $234 million from two spammers. (See a slideshow of the most notorious convicted spammers.)

Nonetheless, CAN-SPAM has done little to deter spammers. So much for the legislation that lawmakers once said was the “best tool we have” for eradicating spam and putting spammers in the slammer. 

Click to see: A bar chart of spam activity

CAN-SPAM "is mostly a flop," says Jaime de Guerre, CTO of antispam vendor Cloudmark. "I think [legislation] is rather futile anyways because the attackers are so advanced in their threats, and it’s so hard to detect where they are coming from."

"CAN-SPAM was not the solution that many people hoped it would be," adds Ray Everett Church, Director of Privacy and Industry Relations at Responsys. "As the ultimate solution to spam, it was definitely a bust. As a first step toward pushing the marketplace in a reasonable direction, it was OK."

What CAN-SPAM can do

Industry observers say the CAN-SPAM Act of 2003 wasn’t a complete failure because it defined spam. It prompted legitimate e-mail senders to improve their online marketing, and it led to several high-profile convictions of spammers in conjunction with other fraud laws.

CAN-SPAM "sets some basic standards for the industry that have been useful in encouraging companies to follow good e-mail practices," Church says. "What it hasn’t done is stop the bad guys from being bad. I don’t think anybody really believed CAN-SPAM would do that."

The CAN-SPAM Act of 2003 provides a framework for commercial e-mail senders -- a minimum set of rules that companies must follow to ensure that its online sales pitches are not dubbed spam.

Click to see: Spam at a glance

Most e-retailers and newsletter publishers go beyond CAN-SPAM and use an opt-in mechanism for consumers to request e-mail promotions instead of the law’s lesser requirement of an opt-out mechanism.

"The primary thing that CAN-SPAM was successful at is giving a clearer message to legitimate companies about how to use e-mail in direct marketing and how to do it appropriately," says Graham Cluley, senior technology consultant at Sophos, a security software vendor. "It made a distinction between the really bad guys on the one hand, and incompetent companies on the other hand."

Legitimate e-mail senders quickly complied with CAN-SPAM to avoid being fined or jailed. That’s why CAN-SPAM has reduced the number of consumer complaints lodged against legitimate companies.

"It has created better e-mail hygiene for legitimate senders," de Guerre says. "In the past, they may have struggled with a message falling in the grey area and being called spam. CAN-SPAM does help a bit in that area."

A tool for prosecutors

Another positive of CAN-SPAM is that it has led to more spammers being caught, prosecuted and convicted.

"A lot of spammers have been caught and sentenced to jail," Cluley says. "The good news is that we constantly see headlines of spammers sent to jail, but they are the tip of the iceberg. There are other spammers waiting to jump in."

CAN-SPAM provides a tool for law enforcement agencies to use to prosecute spammers.

"Lawyers were having to work overtime to stretch existing laws to cover what was going on with spam. Issues like falsified headers were not clear-cut legal offenses," Church explains. "A lot of folks were saying: 'What can we do to give some teeth to legal efforts to try to stop spam?' There were a number of different proposals over many years, and the one that carried the day was the CAN-SPAM Act."