A Year of CAN SPAM

The CAN SPAM Act of 2003 went into effect a year ago on Jan 1, 2004. As of that date, spam suddenly stopped, e-mail was once again easy and pleasant to use, and Internet users had one less problem to worry about.

Oh, that didn’t happen? What went wrong?

There are a few good things about CAN SPAM. It made some arguably fraudulent practices specifically illegal, and set per-spam statutory damages. That allowed a variety of lawsuits such as the one where an Iowa ISP won a billion-dollar default judgment against a Florida spammer. It also explicitly ratified ISPs' authority to set and enforce their own stricter policies about e-mail.

But overall, CAN SPAM’s weaknesses outweigh its benefits. The biggest problem with CAN SPAM is that it doesn’t actually forbid spam, for any normal definition of spam. So long as mail doesn’t involve fraudulent elements, and contains specified contact and opt-out information, it’s 100% legal until the recipient begs the sender to stop. This has set an extremely low floor for mailers to meet, and far too many now argue that since they comply with CAN SPAM they must be OK. I’ve gotten spam from the National Council of Churches, who really should know better, to addresses that were clearly scraped from my church’s web site and added to the NCC’s list without asking permission. When I complained, they pompously assured me that they complied with the letter and spirit of CAN SPAM, an utterly vacuous claim since CAN SPAM says nothing at all about non-commercial e-mail. (The obvious counter-argument is that if they didn’t comply with CAN SPAM, they’d be criminals, but they evidently don’t see it that way.)

Another problem is that the remedies are cumbersome, since they require filing in Federal court, so they’re likely to be useful only to medium and large businesses who get a lot of spam and can bundle many similar complaints into one case. CAN SPAM wiped out a lot of more stringent state laws, but even so, the remaining state laws are at least as useful as CAN SPAM. For example, the criminal conviction of large-scale spammer Jeremy Jaynes was under the Virginia state law, not CAN SPAM.

What does this all portend for the future? A surprising press release from AOL reported that the amount of inbound spam at AOL dropped by 22% compared to a year ago. Other ISPs reported no such drop, so we can only speculate about the causes, but my speculation would be about one part spam filtering, which AOL does well, and four parts legal threats, both the Jaynes criminal case and several civil cases they’ve filed in the past year. Spammers may turn away from large ISPs and aim more at smaller domains who are less likely to have the resources to sue them. Tune in again next year and find out.

By John Levine, Author, Consultant & Speaker

Comments

Phil Howard  –  Jan 17, 2005 12:15 AM

What went “wrong” with CAN SPAM happened in 2003.  I think we know that it wasn’t really intended to address the problem of the volume of spam.  To members of Congress and the bulk of their constituents, who know nothing about the costs of running a network and the servers that power them, it was more about things like pornography (a button that can get lots of special interest groups activated, and hence get members of Congress to move), and the various scams.  Had no spam ever promoted any pornography site, or promoted any illegal activity, as far as Congress would be concerned, there isn’t a problem.

I’ve stored and kept every piece of spam I got (at designated spamtraps) in 2004. The 122,295 spams received break down by month to: 2186, 2768, 4685, 6818, 9099, 10612, 11713, 12318, 10473, 13558, 17394, 20671. September dropped because my primary mail server went down for a few days due to a hardware failure, and the backup server didn’t have the spamtraps configured. All these spam traps are for email addresses that have never been used or assigned to any user. In at least a couple cases, I’ve tracked down that people have entered fake email addresses to post at some sites (most likely to prevent spam in their own mailboxes). I didn’t pursue them for using my domains for that purpose. Instead, I just took advantage of that to run it as a spamtrap.

We need to turn to Congress yet again.  But perhaps the best thing to do is simply have CAN SPAM undone.  If they can’t do it right, and I doubt they ever will, we’re better off without it.
