July 2, 2017

Regulators at the U.S. Federal Trade Commission (FTC) are asking for public comment on the effectiveness of the CAN-SPAM Act, a 14-year-old federal law that seeks to crack down on unsolicited commercial email. Judging from an unscientific survey by this author, the FTC is bound to get an earful.

spamspamspam

Signed into law by President George W. Bush in 2003, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act” was passed in response to a rapid increase in junk email marketing.

The law makes it a misdemeanor to spoof the information in the “from:” field of any marketing message, and prohibits the sending of sexually-oriented spam without labeling it “sexually explicit.” The law also requires spammers to offer recipients a way to opt-out of receiving further messages, and to process unsubscribe requests within 10 business days.

The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.

Those same critics often argue that the law is rarely enforced, although a search on the FTC’s site for CAN-SPAM press releases produces quite a few civil suits brought by the commission against marketers over the years. Nevertheless, any law affecting Internet commerce is bound to need a few tweaks over the years, and CAN-SPAM has been showing its age for some time now.

Ron Guilmette, an anti-spam activists whose work has been profiled extensively on this blog, didn’t sugar-coat it, calling CAN-SPAM “a travesty that was foisted upon the American people by a small handful of powerful companies, most notably AOL and Microsoft, and by their obedient lackeys in Congress.”

According to Guilmette, the Act was deliberately fashioned so as to nullify California’s more restrictive anti-spam law, and it made it impossible for individual victims of spam to sue spam senders. Rather, he said, that right was reserved only for the same big companies that lobbied heavily for the passage of the CAN-SPAM Act.

“The entire Act should be thrown out and replaced,” Guilmette said. “It hasn’t worked to control spam, and it has in fact only served to make the problem worse.”

In the fix-it-don’t-junk-it camp is Joe Jerome, policy counsel for the Electronic Frontier Foundation (EFF), a nonprofit digital rights advocacy group. Jerome allowed that CAN-SPAM is far from perfect, but he said it has helped to set some ground rules.

“In her announcement on this effort, Acting Chairman Ohlhausen hinted that regulations can be excessive, outdated, or unnecessary,” Jerome said. “Nothing can be further from the case with respect to spam. CAN-SPAM was largely ineffective in stopping absolutely bad, malicious spammers, but it’s been incredibly important in creating a baseline for commercial email senders. Advertising transparency and easy opt-outs should not be viewed as a burden on companies, and I’d worry that weakening CAN-SPAM would set us back. If anything, we need stronger standards around opt-outs and quicker turn-around time, not less.”

Dan Balsam, an American lawyer who’s made a living suing spammers, has argued that CAN-SPAM is nowhere near as tough as it needs to be on junk emailers. Balsam argues that spammy marketers win as long as the federal law leaves enforcement up to state attorneys general, the FTC and Internet service providers.

“I would tell the FTC that it’s a travesty that Congress purports to usurp the states’ traditional authority to regulate advertising,” Balsam said via email. “I would tell the FTC that it’s ridiculous that the CAN-SPAM Act allows spam unless/until the person opts out, unlike e.g. Canada’s law. And I would tell the FTC that the CAN-SPAM Act isn’t working because there’s still obviously a spam problem.”

Cisco estimates that 65 percent of all email sent today is spam. That’s down only slightly from 2004 when CAN-SPAM took effect. At the time, Postini Inc. — an email filtering company later bought by Google — estimated that 70 percent of all email was spam.

Those figures may be misleading because a great deal of spam today is simply malicious email. Nobody harbored any illusions that CAN-SPAM could do much to stop the millions of phishing scams, malware and booby-trapped links being blasted out each day by cyber criminals. This type of spam is normally relayed via hacked servers and computers without the knowledge of their legitimate owners. Also, while the world’s major ISPs have done a pretty good job blocking most pornography spam, it’s still being blasted out en masse from some of the same criminals who are pumping malware spam.

Making life more miserable and expensive for malware spammers and phishers has been major focus of my work, both here at KrebsOnSecurity and in my book, Spam Nation: The Inside Story of Organized Cybercrime. Stay tuned later this week for the results of a lengthy investigation into a spam gang that has stolen millions of Internet addresses to play their trade (a story, by the way, that features prominently the work of the above-quoted anti-spammer Ron Guilmette).

What do you think about the CAN-SPAM law? Sound off in the comments below, and consider leaving a copy of your thoughts at the FTC’s CAN-SPAM comments page.


72 thoughts on “Is it Time to Can the CAN-SPAM Act?

  1. Jay Barone

    The fact that our country is lacking in the education of SPAM and phishing is alarming. So many people are naive and uneducated when it comes to email that is malicious. We are such a trusting society that it is a major downfall. When are we going to catch up with the rest of the world and start teaching our younger and next generation Computer Science that can help them in life.

  2. Erik

    Just can it. There are three issues here:

    1) Legitimate businesses that are rude with email marketing. The CAN-SPAM act gives them substantial latitude to misbehave, and they conflate what’s legal with what’s socially acceptable. This is a common problem with regulation: society has largely devolved to the point where people (at least in the US) frequently assume that whatever they can get away with is automatically OK. Additionally. this problem will never be solved by regulation – we get plenty of spam through ESPs like Office365 and Gmail that have enough clout to leave that door wide, wide open.

    2) Illegitimate businesses that spam – the risk / reward ratio is still strongly in their favor, or they would stop doing it. QED, the law doesn’t work.

    3) Cybercriminals and nation-states (but I repeat myself) sending malware – They don’t care about you or your laws.

    Just get rid of the law. No significant good came of it, and plenty of bad was rationalized. Spam filtering is pretty good these days. Give people space to work it out as a civil matter as opposed to a judicial one.

  3. Robert Scroggins

    My suggestion is to fix it (after consulting with users and legitimate advertisers.

    It seems to me that lots of email I get has deteriorated into a sort of non-spam spam category. Many email advertisers play very loosely with “we have an existing relationship so I can spam you”, and the result is a sort of spam even though I may have purchased something from them at some time.

    Regards,

  4. Tired of spam

    Is it possible, practical, legal, etc… for ISPs to get together and set up a spam clearing house whereby they would all share info on spam?

    Spammers and fishing expeditions folks send mega amounts of email out. Each email is the same, it’s not individualized or unique. The spam I get is worded the exact same as the one you get. If all ISPs set up accounts geared to receiving spam (spam traps) they could use software that reads each email spam and only looks for the same spam wording in our email, then deletes it.

    We’d have to give them individual permission to read our email but once found they simply could delete all the same spam emails on their servers. The idea is to make it almost useless to send spam or ransomware, malware links since it will be deleted before it gets to our mailbox.

    Of course someone will complain that real email might accidentally get deleted, I don’t buy into that. Passing laws that can’t or won’t be enforced serves no purpose.

    1. Darron Wyke

      You’re talking about M3AAWG, which is supposed to do that. In reality, the board is made of some of the worst legalized spammers in the US, so it doesn’t do much. Want to join? Be prepared to fork out a few thousand dollars unless you have corporate sponsorship.

      https://en.wikipedia.org/wiki/MAAWG

  5. Larry Morgan

    I have been trying for over a month to end the subscription of my old email address and start one with my new email address.
    I keep getting notifications only on my old email address. Please do not publish this, I am just frustrated with trying to get help with moving my subscription. I have tried once a week for 6 weeks and I see no change.

  6. David M

    It would seem to me that there is a technical solution here somewhere. For example, if all email cost a penny per email to deliver, I’m sure that most spam would dry up in a week. And to collect that penny, one might incorporate a bitcoin tailored scheme where a deposit must be made by the sending email server to a government bitcoin account before the receiving email server would accept the email. I’m not an email expert nor a bitcoin expert, but some kind of electronic money seems ready made to take the cost of email from free to less than free without seriously affecting legitimate email. Don’t ask me about the details. All I know is that the free nature of email is the root cause of unwanted millions of email spam.

    1. acorn

      Various posters here say a penny or some other low amount. At 42 times higher, at the cost of a postage stamp, I still get more snail mail spam than I care to receive. Organizations have a marketing-spamming budget. Example, raise the cost to millions of dollars like what many politicians spend on advertising-spamming and the amount keeps going higher — doesn’t stop them from spamming the public for months, adnausium.

      1. David M

        True, a penny an email isn’t going to stop all spam, but it would certainly stop (or slow down) some spammer sending out millions of spam messages an hour. Regardless, it’s not the amount per se that is the fix, it is the free cost. If snail mail was free from the sender’s perspective, I submit that one would get a hell of a lot more snail mail spam that one does today.

        1. Darron Wyke

          I’m going to be blunt here: making an email tax is a moronic idea. There’s NO way to enforce it, and it would only matter for email legitimately sent, having zero impact on emails sent through open relays.

          Anyone who suggests that making email cost-to-send has absolutely no idea how an MTA works or how the internet in general works and should stay out of these conversations.

          The only way to charge for email that works (and is being done now) is subscription costs for senders and receivers. ESPs charge based upon volume, either a flat rate for a max sender/time of X, or a tiny fee for each message sent. If it’s self-hosted, they pay for bandwidth, power, facility costs, etc.
          A subscriber to receive mail (like your ISP’s mailbox or a “free” service like GMail or Yahoo!) pays a monthly fee or receives ads to get their mailbox.

          1. acorn

            “… through open relays” and other freely obtained or stolen paths. The spammers would just get around any attempted per-email-cost scheme. The Internet as a whole is built for open traffic, care of the Internet Society organization (which I disagree with when it comes to spam, malware, and other intentional public harm).

  7. Canuck

    Opting out of a spam list that you never opted in to – pretty stupid stuff and emblematic of the entire thing.

  8. The Phisher King

    Opt-out sounded like a good idea way back when, but cannot work anymore.
    Opting-out requires you to reply to the spammer and so validate that there is a human at the end of that email address.
    By doing this, unless the spammer is one of the small minority who complies with the law, you are simply giving more ammunition to the spammers. The risk is too great so wisely most people never opt-out.
    This law is irrelevant and toothless now – dump it and start again.

  9. jim

    The deeper problem is more than email – it’s the persistance of advertisers. I used to have a tub near my front door and more paper ended up in the tub than went to my desk. I think that Congress passed CAN SPAM to give the appearance of doing something without inconveniencing anyone. I personally went with a whitelist for a long time. When I found I was missing some mail I wanted, I wrote some real filters. The problem is not hard to solve on an individual basis.

  10. mornons

    When u you people start undestood one thing?
    Problem reaction and solution.
    those who make problem are the same people who have solution. So stop asking who?why and..so
    its all so simple !!

  11. morons

    The law dont do nothing if u are over seaas.
    law will only limit your privacy and humen rights in usa.
    wake up naive wester society soft lazy people.

  12. Gary Warner

    To determine if CAN-SPAM has been effective we can look at the criminal prosecutions under CAN-SPAM, the civil enforcements under CAN-SPAM, and the volume of spam “then and now”.

    Can anyone name what they would say are “effective” CAN-SPAM enforcements? I’d love to steal Brian’s comment wall to gather a great list. I can think of a few pathetic enforcement examples, and a couple good civil ones by FTC.

    One of my least favorite was the Shah Brothers case …

    1. acorn

      One of the best ways I’d try is search Spamhaus for words like “ftc”, “attorney(s)” as in Attorney General, “microsoft”, “Arbor Networks”, “researcher(s)”, “aol”, “Alien Vault” if I recall correctly, and other takedown assisters (lots). I could vaguely list many more assisters: A few antivirus companies, European assisters, and Russian.

  13. DavidK

    I’m not concerned about email spam since it’s not particularly intrusive, especially now that companies like google have fantastic algorithms to deal with it. I’d love for there to be a way to destroy the companies that robo-dial my cell and office numbers multiple times a day from spoofed phone numbers. Those are the ones that really irritate me.

  14. zackw

    The problem will be solved with technology, because there is no other way. There are zero solutions that basically amount to “you bad guys, you spammers, behave or else!” Because they will never behave.
    But if their emails never reach anybody and they stop making any money on it, they will slowly die a painful death.

    The facts:
    1) We want to have and use public email addresses.
    2) Keep email free.
    3) Be able to expect reasonable privacy from email hosts.

    The problem:
    1) We don’t want to accept bulk email we didn’t sign up for.
    2) We may want to accept some limited non-bulk email that is of a marketing/advertising nature. For example I have a small business so I don’t mind if another local company emails to tell me about their services. But some other person may not want even these types of emails.
    It’s a sliding scale. I may accept ads relating to technology, I don’t want anything sex related.

    3) Spam scanning services are very good these days, but it’s not exact, and there are false positives and negatives to deal with.

    Solutions:
    1) Absolute white lists. This is the easiest. Only receive email from addresses in your address book. But how can people ask to be in this white list? By some formal verification procedure that first proves they aren’t bulk mail, and verifies they use a proper email address first from a proper server.
    Currently, the general public finds these verification procedures annoying. But they reduce spam for sure.

    2) Continuing to improve verification systems. DKIM and SPF. To eliminate hijacked systems, open relays, spoofed meta data, and other false information.
    We need to at least know that an email coming from somebody is actually that somebody for real, even if we don’t want to receive their email, we can believe it’s legit.

    3) Eliminate possibility for viruses and malware to be sent through emails. Email is a communication system, how powerful it is should be limited by the nature of the thing. Email should not be a file sharing service. It should be easier to pass email through scanners to make sure there can be no email worms or executables being passed around.

    I don’t know what else can be done, but my point is that the solution is within email technology itself, not regulations and laws.

    There is no spam in any of my Slack channels, because it’s a closed system, a whitelist of people. But in order to maintain that email is public by nature, there must be some other conditions that marketers/spammers/unsolicited cannot get through without our permission.
    I either want to know A) a real actual person wants to send me an email, or B) it’s bulk mail from a list I actually signed up to.

    If (A) is true, it could still be bad email, but then it’s up to how my email host what to do with it. Put in a special box, disable any dangerous parts of the email, make me approve it first, or use some kind of generalized spam settings that I select. Whatever.

    Email technology has to fix it!

    1. Darron Wyke

      Here’s a bit of information before I start refuting your points. You say that if they stop making money they’ll die off? Not really. Their click and buy rates are already incredibly low, usually to the tune of 1-2% or less. There’s not a lot of strangulation to be had there.

      Facts:
      1) Yes.
      2) It will never be free, someone always pays for it. Those free mail accounts, like Yahoo! and Gmail? You’re paying with it by personal data collection and advertising.
      3) Not a chance, if you want privacy run your own mail server. Just a general rule of the internet.

      Problem:
      1) Yes.
      2) This is subjective, and falls well within the point of “confirmed opt-in”.
      3) Yes, and there’s always going to be false positives and false negatives. It’s the nature of any scanning engine. Your point?

      Solutions:
      1) White lists are a joke. No, really. A whitelist is a terrible idea since it requires nothing but constant maintenance and upkeep. You think you spend a lot of time now dealing with spam? Wait until you spend even more time keeping a whitelist going.
      2) DKIM, SPF, and similar systems are great…when implemented properly and actually implemented. But that’s up to the mail admin to implement and make sure it works. For every server that has it, there’s a dozen (or more) more that don’t that send legitimate email. You will never eliminate spoofing, open relays, hijacked servers, and more.
      3) This is pure fantasy land crap. I’m going to call it what it is. Saying that we should eliminate malware from being sent over email is pure fantasy, there’s absolutely no way to accomplish it. If you want to talk about an extreme, like completely blocking attachments of X type, then great, go for it — and watch as users complain, because there are usually legitimate reasons for sending X type of file. And even if you do choose to block the usual suspects like executables, script files, etc. guess what? They’re going to start sending booby-trapped HTML files, Office files (no chance in hell of blocking those), and more. But that’s why we have virus scanners on email. Never going to be perfect but a little user education helps with that too.

Comments are closed.