CAN-SPAM: What went wrong?

Oct 06, 2008 | 14 min read
Topics: Email Clients, Enterprise Applications, Malware

Failure of law to deter spammers shows limits of U.S. legislation in a world of global cybercrime

In 2003, the U.S. tech industry, politicians and Internet users were wringing their hands over the escalating problem of spam. They passed the CAN-SPAM Act in an attempt to put an end to it. Five years later, spam has grown more than 10-fold, and 83% of it contains a URL for a Web site that is trying to infect computers with malicious software.

Five years ago, the U.S. tech industry, politicians and Internet users were wringing their hands over the escalating problem of spam.

Back then, 45% of all e-mails were unwanted pitches for such products as Viagra, penny stocks or porn sites. An estimated 15 billion spam messages were sent over the Internet daily in 2003, prompting 74% of online adults to favor a law that would make mass spamming illegal.

Statistics like these prompted Congress to pass a landmark antispam bill known as the CAN-SPAM Act in December 2003.

Fast forward five years.

The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing U.S. ISPs and corporations an estimated $42 billion a year.

The content of spam has changed, too. In 2003, spam was an annoying or offensive come-on to buy a product. Today, more than 83% of spam contains a URL for a Web site that is trying to infect computers with malicious software. 

Law enforcement officials have prosecuted dozens of spammers under the CAN-SPAM Act and won some high-profile cases, such as putting pharmacy spam king “Rizler” behind bars for 30 years and awarding MySpace damages of $234 million from two spammers.

Nonetheless, CAN-SPAM has done little to deter spammers. So much for the legislation that lawmakers once said was the “best tool we have” for eradicating spam and putting spammers in the slammer.

CAN-SPAM “is mostly a flop,” says Jaime de Guerre, CTO of antispam vendor Cloudmark. “I think [legislation] is rather futile anyways because the attackers are so advanced in their threats, and it’s so hard to detect where they are coming from.”

“CAN-SPAM was not the solution that many people hoped it would be,” adds Ray Everett-Church, director of privacy and industry relations at Responsys. “As the ultimate solution to spam, it was definitely a bust. As a first step toward pushing the marketplace in a reasonable direction, it was OK.”

What CAN-SPAM can do

Industry observers say the CAN-SPAM Act of 2003 wasn’t a complete failure because it defined spam. It prompted legitimate e-mail senders to improve their online marketing, and it led to several high-profile convictions of spammers in conjunction with other fraud laws.

CAN-SPAM “sets some basic standards for the industry that have been useful in encouraging companies to follow good e-mail practices,” Church says. “What it hasn’t done is stop the bad guys from being bad. I don’t think anybody really believed CAN-SPAM would do that.”

The CAN-SPAM Act of 2003 provides a framework for commercial e-mail senders: a minimum set of rules that companies must follow to ensure that their online sales pitches are not dubbed spam.

Most e-retailers and newsletter publishers go beyond CAN-SPAM and use an opt-in mechanism for consumers to request e-mail promotions instead of the law’s lesser requirement of an opt-out mechanism.

“The primary thing that CAN-SPAM was successful at is giving a clearer message to legitimate companies about how to use e-mail in direct marketing and how to do it appropriately,” says Graham Cluley, senior technology consultant at Sophos, a security software vendor. “It made a distinction between the really bad guys on the one hand, and incompetent companies on the other hand.”

Legitimate e-mail senders quickly complied with CAN-SPAM to avoid being fined or jailed. That’s why CAN-SPAM has reduced the number of consumer complaints lodged against legitimate companies.

“It has created better e-mail hygiene for legitimate senders,” de Guerre says. “In the past, they may have struggled with a message falling in the grey area and being called spam. CAN-SPAM does help a bit in that area.”

A tool for prosecutors

Another positive of CAN-SPAM is that it has led to more spammers being caught, prosecuted and convicted.

“A lot of spammers have been caught and sentenced to jail,” Cluley says. “The good news is that we constantly see headlines of spammers sent to jail, but they are the tip of the iceberg. There are other spammers waiting to jump in.”

CAN-SPAM provides a tool for law enforcement agencies to use to prosecute spammers.

“Lawyers were having to work overtime to stretch existing laws to cover what was going on with spam. Issues like falsified headers were not clear-cut legal offenses,” Church explains. “A lot of folks were saying: ‘What can we do to give some teeth to legal efforts to try to stop spam?’ There were a number of different proposals over many years, and the one that carried the day was the CAN-SPAM Act.”

CAN-SPAM allows the Federal Trade Commission, the Justice Department and state agencies to prosecute spammers, and it allows ISPs to sue those who violate the law.

The FTC has brought around 30 law enforcement actions under the CAN-SPAM Act, according to a staff report issued in November 2007. Meanwhile, AOL, Yahoo, EarthLink and Microsoft have sued hundreds of alleged spammers under CAN-SPAM. 

“One of the other good things about CAN-SPAM is that it provided the ability for end users and ISPs who are victims of spam to seek justice on their own behalf, and a number of them have taken advantage of that fact,” says Dmitri Alperovitch, director of intelligence analysis at Secure Computing.

CAN-SPAM is one of several laws, including those covering computer fraud, mail fraud, theft and tax evasion, used to prosecute spammers.

“CAN-SPAM gets dragged into lots of cases, but it is still being interpreted by the courts. So it’s unclear how effective it can be at catching the bad guys,” Church says. “There have been a few high-profile cases where CAN-SPAM is part of the case. … But there’s not this massive army of law enforcement agencies who have the time and the resources to bring these cases.”

Still, the law hasn’t been much of a deterrent to other spammers.

CAN-SPAM “certainly doesn’t help in the ability to detect and catch spammers, which is one of the hardest areas in any attempt at prosecuting them,” de Guerre says. “It’s generally ignored by the spammers. I don’t think the spammers take it seriously.”

The sad state of spam

Five years after the passage of CAN-SPAM, spam is at an all-time high.

“Obviously, [CAN-SPAM] didn’t stop spam. Spam is bigger than ever,” Alperovitch says. “Anybody who expected a law to eliminate spam overnight was wildly optimistic. We have statutes against financial fraud, and we have had them for hundreds of years, but that doesn’t stop bank robberies.”

Spam levels are so high — representing 96.5% of all e-mail — that only 1 in 28 e-mails sent over the Internet is legitimate, Sophos says.

“Most businesses don’t realize how bad spam is because, thankfully, there are gateways and anti-spam filters that are stopping it,” Cluley says. “But the Internet providers are feeling the pain. And the IT department is feeling the pain.”

Of particular concern is the number of botnets that spammers control.

“What the spammers have done is use botnets to generate huge amounts of mail,” says Tim Shine, CTO of SpamTitan, an antispam vendor. “This has increased the amount of spam that is being sent by about 50% since last year in Europe and North America.”

Spam is more vicious today, thanks to attachments and links that lead to Web pages that infect computers with malicious code. Spammers steal data from the infected computer or take control of it and join it to a botnet for future attacks.

“We see over 5,000 new malicious Web pages every day, and most of them are linked to or from a spam message,” Cluley says. “The Web sites you get taken to are not necessarily porn or gambling. Ninety percent of them are legitimate Web sites that have been hacked. That, again, fools people into thinking that they’ve received a regular e-mail.”

Increasingly, spam is being sent by organized crime networks rather than petty crooks. Among the biggest money makers for spammers are selling counterfeit products, pumping up stocks, stealing personally identifiable information and other scams.

“Organized crime is investing in advanced R&D organizations that are conducting these attacks,” de Guerre says. “They are developing botnet software and they are developing the ability to modify images so that each image sent in an e-mail is different.”

Spam is more international than it was when the CAN-SPAM Act was passed. One reason the law hasn’t been that effective is because it doesn’t apply to spammers in other countries.

The U.S. is the world’s largest spammer, but its share of spam has dropped dramatically since CAN-SPAM was passed. In February 2004, the United States was responsible for 56.7% of the world’s spam. Today, that number is at 14.9%. Next in line as top spammers are Russia, Turkey and China. 

Industry observers agree that spam is thriving in the post-CAN-SPAM era.

“Spam is continuing to escalate as opposed to nearly being solved,” de Guerre says. “I don’t think that spam is going away. I don’t think the attackers are struggling. They are innovating in the types of attacks they are able to send and the medium they use to send them.”

Should CAN-SPAM be tweaked?

Experts say CAN-SPAM could be improved, but that it still wouldn’t eradicate spam because no law can eliminate scams or prevent people from falling for them.

“As long as spam is profitable, and there is no question that it is, and as long as people fall for spam, then we are going to have people trying to do it,” Alperovitch says. “Fundamentally, spam is a people problem. As long as people are willing to fall for the allure of $1 million that they may have won in a lottery … there will be spam.”

One tweak to CAN-SPAM that might make it better is to mandate opt-in mechanisms for e-mail senders instead of opt-out. Opt-in is what antispam crusaders originally wanted in the bill but weren’t able to get because of opposition from mass e-mail senders.

“I still think opt-in is the way it should work for e-mail rather than opt-out,” Cluley says. “The direct marketing bodies of the world influenced the law against the consumer.”

That’s why antispam crusaders such as the Coalition Against Unsolicited Commercial E-Mail (CAUCE) warned at the law’s passage that it would not “stop a single spam from being sent.” 

“Some folks, including myself, criticized CAN-SPAM for setting a fairly low threshold of what is legitimate,” Church says. “It didn’t have opt-in, which is how you build a good response rate. The CAN-SPAM Act doesn’t focus on permission. As long as you clear the threshold, you can send as much mail as you want until the recipient asks to be removed.”

Another improvement would be requiring a more secure method of unsubscribing. Internet users can’t trust current unsubscribe mechanisms because spammers use them to harvest e-mail addresses.

“Expanding some of the unsubscribe notions of the law to incorporate the latest developments around secure unsubscribe or safe unsubscribe would be good because users can’t trust unsubscribe in the message itself,” de Guerre says.
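One way a legitimate sender can stop its own unsubscribe endpoint from being used to harvest or confirm addresses is to sign every unsubscribe link. The following is an added example written for this article, not code from Cloudmark, Responsys or any product named here; the endpoint URL, the secret and the addresses are constructed. The link carries an HMAC over the address and list id that only the sending system can mint, and the endpoint gives the same answer to a valid link, a forged one and an unknown address, so it cannot act as an oracle for which addresses are live.

```python
"""Signed unsubscribe links (added example; all names and values constructed).

An unsubscribe endpoint that acts on any address handed to it confirms to
whoever probes it which addresses exist, and lets a third party unsubscribe
other people. Binding the address and list id to an HMAC that only the sender
can produce means the endpoint acts solely on links it issued itself, and it
answers every other request identically so nothing about validity leaks.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret; a real deployment loads it from a secret store and rotates it.
SERVER_SECRET = b"constructed-example-secret"
BASE_URL = "https://lists.example.test/unsub"   # constructed endpoint, not a real host
RESPONSE = "Your request has been received."    # identical body for every outcome


def _mac(address: str, list_id: str) -> str:
    """HMAC-SHA256 over (normalised address, list id), URL-safe base64 without padding."""
    msg = f"{address.strip().lower()}\x00{list_id}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_unsubscribe_url(address: str, list_id: str) -> str:
    """Sender side: the link placed in the message body or a List-Unsubscribe header."""
    query = urlencode({"a": address, "l": list_id, "t": _mac(address, list_id)})
    return f"{BASE_URL}?{query}"


def handle_unsubscribe(url: str, subscribers: set) -> tuple:
    """Endpoint side. Returns (http_body, processed).

    http_body is what the requester sees and is the same for a valid link, a
    forged token, a missing parameter or an address that was never subscribed.
    `processed` is only for the server's own log.
    """
    query = parse_qs(urlparse(url).query)
    try:
        address, list_id, token = query["a"][0], query["l"][0], query["t"][0]
    except (KeyError, IndexError):
        return (RESPONSE, False)                       # malformed: ignore silently
    expected = _mac(address, list_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return (RESPONSE, False)                       # forged or tampered: ignore silently
    subscribers.discard((address.strip().lower(), list_id))
    return (RESPONSE, True)


if __name__ == "__main__":
    subs = {("alice@example.test", "news"), ("bob@example.test", "news")}
    link = make_unsubscribe_url("alice@example.test", "news")
    print(handle_unsubscribe(link, subs), subs)
    tampered = link.replace("a=alice%40example.test", "a=bob%40example.test")
    print(handle_unsubscribe(tampered, subs), subs)
```

The token protects the sender's endpoint against third-party abuse; it does nothing for the recipient's side of the problem the article raises, namely deciding whether a link inside an unknown message should be clicked at all, which is why the advice remains not to trust unsubscribe links in messages you did not ask for.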

Despite its flaws, CAN-SPAM shouldn’t be changed, some experts say.

“The Act itself probably doesn’t need a lot of overhauling,” Church says. “It’s doing what it was intended to do, which is to create some baseline standards. Trying to create more granular details or adding more specifics would actually create further confusion in the market.”

Overall, experts remain pessimistic about a legislative solution to spam. And there are no current proposals in Congress to update or tweak the existing CAN-SPAM law.

“I don’t believe the CAN-SPAM Act or any law would be of relevance,” Shine says. “With the nature of the Internet, it’s too easy to move your point of operations away from anywhere you could be in trouble legally. With the advances in network technology and the speeds available today, there’s really no disadvantage of doing spam from the Ukraine and targeting the U.S.”

Alperovitch says what’s needed is not more antispam laws but more money for law enforcement officials to tackle cybercrime.

“When you think about cybercrime in general, there are plenty of laws on the books that give law enforcement agencies the ability to go after criminals,” Alperovitch says. “A key problem that Congress can help solve is giving more resources to U.S. attorneys to go after cybercrime. That is the most urgent thing.”

For now, companies and end users must battle spam through technology, experts say.

“The most useful thing is to really protect your computer with up-to-date antivirus, firewalls and security packages and to think twice before you click,” Cluley says. “But as long as people keep making dumb decisions, spam will continue to happen.”

Who’s afraid of spam?

One noticeable change during the last five years is that network managers and consumers worry less about spam.

In 2003, 25% of Internet users said spam was a big problem for them, according to the Pew Internet & American Life Project. By 2007, that number had dropped to 18%.

The main reason for this shift is that consumers are accustomed to spam, they know what to do about it, and they are less offended by graphic images on the Internet.

Also, today’s antispam tools are much improved, catching anywhere from 95% to 98% of spam before it enters ISP or corporate networks.

“Spam is not a priority for our CIO,” says Tom Norman, e-mail administrator at Grand Valley State University in Allendale, Mich. “Our spam filters do such an excellent job that she doesn’t worry about it at all,” Norman says.

In March, the university installed software from Proofpoint that checks sender IP addresses, message headers, sender reputation and other features to block incoming spam. Thanks to Proofpoint’s software, Grand Valley State University reduced the number of incoming messages it receives each day from 2.5 million to 500,000.
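To make concrete the kind of checks a gateway such as the one described above applies, here is an added example, written for this article and not Proofpoint's logic or anything from Grand Valley State University. It scores a message on the connecting sender's IP address, a few header consistency checks, a sender reputation list and the hosts of any URLs in the body, then quarantines above a threshold. The blocklist, the reputation data, the threshold, the weights and both sample messages are constructed; the IP addresses come from the documentation ranges.

```python
"""Gateway-style spam scoring (added example; all data below is constructed).

Signals, following the article's description of the university's gateway:
connecting IP against a blocklist, header sanity, sender reputation, and the
hosts linked from the body. Weights and threshold are illustrative.
"""
import re
from email import message_from_string
from email.message import Message
from ipaddress import ip_address, ip_network

# Constructed reputation data; a real gateway queries DNSBLs and vendor feeds.
BAD_NETWORKS = [ip_network("203.0.113.0/24")]          # documentation range used as a blocklist
GOOD_SENDER_DOMAINS = {"example.test"}                  # constructed allow-list
BAD_URL_HOSTS = {"update-your-account.example.invalid"}  # constructed malicious host
QUARANTINE_THRESHOLD = 5


def connecting_ip(msg: Message):
    """IP from the top-most Received header, i.e. the hop our own gateway wrote.
    Lower Received headers were written by other parties and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", received[0])
    return ip_address(m.group(1)) if m else None


def sender_domain(header_value):
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def score_raw(raw: str) -> tuple:
    """Return (points, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    points, reasons = 0, []

    ip = connecting_ip(msg)
    ip_bad = ip is not None and any(ip in net for net in BAD_NETWORKS)
    if ip is None:
        points += 2; reasons.append("no usable Received header")
    elif ip_bad:
        points += 4; reasons.append(f"sender IP {ip} on blocklist")

    if not msg.get("Message-ID"):
        points += 2; reasons.append("missing Message-ID")

    frm = sender_domain(msg.get("From"))
    rp = sender_domain(msg.get("Return-Path"))
    if frm and rp and frm != rp:
        points += 2; reasons.append(f"From domain {frm} differs from Return-Path domain {rp}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([^/\s>]+)", body):
        if host.lower() in BAD_URL_HOSTS:
            points += 4; reasons.append(f"link to known-bad host {host}")

    # Reputation only counts for an allow-listed domain arriving from a clean IP;
    # a spoofed From on a blocklisted connection earns nothing.
    if frm in GOOD_SENDER_DOMAINS and ip is not None and not ip_bad:
        points -= 1; reasons.append(f"good reputation for {frm}")
    return points, reasons


def disposition(raw: str) -> str:
    return "quarantine" if score_raw(raw)[0] >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages.
SPAM = """Received: from mail.example.invalid (unknown [203.0.113.45]) by mx.example.test; Mon, 6 Oct 2008 09:00:00 +0000
Return-Path: <bounce@other.invalid>
From: "Account Team" <security@example.test>
To: alice@example.test
Subject: Your account will be suspended

Verify now: http://update-your-account.example.invalid/login
"""

HAM = """Received: from smtp.example.test (smtp.example.test [198.51.100.7]) by mx.example.test; Mon, 6 Oct 2008 09:05:00 +0000
Return-Path: <alice@example.test>
Message-ID: <20081006.1@example.test>
From: Alice <alice@example.test>
To: bob@example.test
Subject: Lunch

See you at noon. Agenda: http://intranet.example.test/agenda
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(name, disposition(raw), score_raw(raw))
```

Only the outermost Received header is trusted because that is the one this gateway wrote itself; everything beneath it, and the From header, is under the sender's control, which is why the example cross-checks From against Return-Path and refuses to credit a good sender domain when the connection comes from a blocklisted address.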

“When we put in Proofpoint, I went from being the campus villain to the campus hero because it stopped the spam overnight,” Norman says. “We quarantine the messages we block, but many people don’t read them.”

Norman said he spent $15,000 on Proofpoint’s software, which was less expensive than buying heftier e-mail servers to handle the flood of spam.

When it comes to the CAN-SPAM Act, Norman says that no matter what laws are passed he expects to always be playing catch-up with regard to spam.

“Five years ago, we didn’t think about spam at all. We just let it come in, and it was the end user’s responsibility to delete the stuff,” Norman says. “Then it got to the point that it was beyond ridiculous the amount of staff time that spam was taking up.”

Concerns about end-user productivity as well as complaints about pornographic spam led Norman to buy his first antispam product, which was IronMail, in 2003.

Today, Norman sees less graphic e-mail, but he sees more hyperlinks and hidden messages. And he sees a much larger volume of spam.

“I miss the good old days of Viagra and sex aids now that everything is so malicious,” Norman says. “The spammers have changed their toolkits as they try to get around the existing antispam options. To be honest, I have worried about that.”