Senior Editor

Small percentage of spam complies with new law

Jan 12, 2004
Enterprise Applications, Malware, Messaging Apps

WASHINGTON – Less than 1% of spam e-mail sent to U.S. inboxes this month complies with a national anti-spam law that went into effect Jan. 1, according to two spam filtering vendors.

Commtouch Software, based in Mountain View, Calif., and MX Logic, based in Denver, both found that more than 99% of spam e-mail they checked through late last week did not comply with one or more provisions of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

A third spam filtering vendor, Audiotrieve, found just over 10% of unsolicited commercial e-mail complying with CAN-SPAM requirements in a survey of e-mail it conducted over the weekend.

The new law hasn’t had an effect on the amount of spam being sent, either. “There’s been no reduction in the volume of spam,” said Scott Chasin, MX Logic’s chief technology officer. “In fact, the exact opposite – our spam rates are actually going up.”

MX Logic classified 77% of its customers’ e-mail as spam on Monday, up 6.5% from Jan. 1.

CAN-SPAM requires that spam e-mail include a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism and a relevant subject line. The law also directs the U.S. Federal Trade Commission (FTC) to study setting up a national do-not-spam list, similar to the national do-not-call telemarketing list now in effect.

The numbers from the three vendors show the need for enforcement actions against major spammers, said a spokeswoman for Sen. Conrad Burns, a Montana Republican and sponsor of CAN-SPAM. On Dec. 11, Burns and Sen. Ron Wyden, the other leading advocate of CAN-SPAM, sent a letter to FTC chairman Timothy Muris, asking his agency to take enforcement action against “kingpin” spammers once CAN-SPAM became law.

“Senator Burns has continually stated that enforcement is key regarding the CAN-SPAM legislation,” the Burns spokeswoman said in an e-mail. “This is something that we certainly won’t let fall through the cracks.”

An FTC spokeswoman didn’t immediately respond to a request for comment, but Burns’ spokeswoman provided a letter from Muris dated Jan. 7. “Although we have directed substantial resources to studying a do-not-spam registry, we have many more investigations under way,” Muris wrote to Burns and Wyden (D-Ore.).

Spammers often hide their identities, and an investigation into a spammer can take months, Muris also wrote.

The national spam law alone won’t cut the amount of spam being sent, but enforcement could have an impact, with multimillion-dollar fines and jail terms allowed in CAN-SPAM for some spamming activities, said Avner Amram, executive vice president at Commtouch. “Legislation is the first step, enforcement is the second,” he said.

Commtouch and the other vendors tout antispam technology as an essential partner in the fight against spam. “While legislation helps, it’s not the answer,” Chasin said. “We applaud the intent of the legislation. Any step in the direction of trying to stop spam is a good road to go down.”

To determine how much spam is in compliance with CAN-SPAM, the three vendors took different approaches. MX Logic, which provides spam and virus filtering services, looked at 1,000 randomly selected pieces of spam received during the first seven days of January and found only three that complied with CAN-SPAM requirements that the e-mail include a working opt-out option and a valid postal address. In cases where the spam includes a physical address, it may be the address of a bulk e-mail company and not the actual company marketing the product, Chasin said.

Audiotrieve, based in Boxborough, Mass., collected e-mail messages using so-called “honeypot” accounts on Jan. 10 and 11, and found 102 of 1,000 messages analyzed contained all of the information required by CAN-SPAM. Physical addresses were missing from all of the remaining 898 spam messages, said a press release from Audiotrieve, which markets its InBoxer spam filter.

Commtouch, which uses its Recurrent Pattern Detection technology to identify and filter massive spam attacks, has analyzed millions of e-mail addresses since Jan. 1 and found less than 1% that comply with CAN-SPAM, Amram said. Commtouch found that 80% of spam e-mail didn’t include valid return e-mail addresses, and more than 40% contained subject lines that weren’t related to the text of the e-mail.