December 27, 2004
(IDG News Service)
WASHINGTON -- A year after the U.S. Congress passed the first federal antispam law, observers see no evidence that it has cut the amount of unwanted commercial e-mail arriving in people's in-boxes.
Most vendors of antispam products have charted an increase in the amount of spam since the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM, went into effect on Jan. 1.
CAN-SPAM includes criminal penalties ranging up to five years in prison for some common spamming practices, including hacking into someone else's computer to send spam and using open relays to send deceptive spam. The law allows fines of up to $250 per spam e-mail with a cap of $6 million for aggravated violations.
But some antispam activists assert that the law has aided spammers because CAN-SPAM requires recipients to opt out of unwanted commercial e-mail by contacting each sender, instead of forcing senders to get opt-in permission. The federal law also hurt spam-fighting efforts by preempting parts of some tougher state laws, including a California opt-in requirement, said Laura Atkins, president of the SpamCon Foundation.
CAN-SPAM also prohibits private citizens from suing spammers, instead allowing only state attorneys general or Internet service providers to file civil suits. People like Atkins, who operate their own mail servers and receive thousands of spam e-mail, have no recourse against spammers under CAN-SPAM.
"CAN-SPAM has not made it any easier to find spammers," Atkins said. "It has not decreased the amount of spam."
Backers of CAN-SPAM say it provides for the possibility of civil lawsuits and jail time for spammers. ISPs have used CAN-SPAM to file hundreds of civil lawsuits against spammers in 2004, and the key to making the law work is more enforcement, said a spokeswoman for Sen. Conrad Burns (R-Mont.), the main sponsor of CAN-SPAM.
"Sen. Burns has said from Day 1 that enforcement is key for this legislation to be effective," said Jennifer O'Shea, his spokeswoman. "We have seen several big lawsuits, which have been helpful, but we need to continue to see more of these lawsuits in order to keep up with big time spammers and keep spam out of in-boxes."
Burns believed businesses should have an opportunity to market over e-mail, instead of having to get opt-in permission from all e-mail recipients, she added.
"The opt-out provision ... gives the e-mail user the responsibility of opting out if there is something they do not want to receive messages about," O'Shea said in an e-mail.
Statistics supplied by vendors of antispam products seem to bear out the criticism of CAN-SPAM. Postini Inc., an e-mail security service provider in Redwood City, Calif., said the percentage of legitimate nonspam e-mail it sees dropped from 22% of all e-mail at the beginning of 2004 to just 12% by December. The company processes 2.4 billion e-mail messages a week.
MX Logic Inc., an antispam vendor in Denver, found 67% of all e-mail to be spam in February. By November, 75% of all e-mail was spam, the company said.
Spammers, apparently in response to CAN-SPAM, changed tactics this year, said Andrew Lochart, director of product marketing at Postini. More spammers are using so-called zombie networks -- computers hijacked with Trojan horse programs -- to send spam, and spammers are using increasingly sophisticated directory harvest attacks to spam corporate mail servers, he said.
About 30% to 50% of spam came through zombie spam relays in April, MX Logic estimated. In a three-week survey in November and December, the company found 69% of spam sent through zombies.
"I think CAN-SPAM caused spammers to change their tactics significantly," Lochart said. "The spammers got even more creative at hiding, and they've always been pretty good at it."
Although CAN-SPAM hasn't resulted in less spam, the law gives authorities a new tool in the fight against spam, Lochart said. "It's a good thing we have a law, so when we find some of these roaches, we can prosecute them," he said.
ISPs and law enforcement agencies have used CAN-SPAM provisions, including requirements to include a valid postal address and an unsubscribe option in commercial e-mail, to go after spammers. Four large U.S. ISPs filed hundreds of lawsuits against spammers this year, and the U.S. Federal Trade Commission filed criminal CAN-SPAM charges against two companies in April.
Despite these efforts, antispam vendors predict more spam in 2005, not less. "Even from a service provider perspective, after all the lawsuits and convictions, we still have not seen a deterrence effect happen," said Scott Chasin, chief technology officer at MX Logic. "Spam has continued to increase and saturate in-boxes, and we've not seen a decline whatsoever. From that perspective, CAN-SPAM is pretty toothless."
Critics claim the CAN-SPAM law is ineffective and say the amount of spam in U.S. residents' in-boxes increased since the measure became official last year.