July 2, 2017

Regulators at the U.S. Federal Trade Commission (FTC) are asking for public comment on the effectiveness of the CAN-SPAM Act, a 14-year-old federal law that seeks to crack down on unsolicited commercial email. Judging from an unscientific survey by this author, the FTC is bound to get an earful.


Signed into law by President George W. Bush in 2003, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act” was passed in response to a rapid increase in junk email marketing.

The law makes it a misdemeanor to spoof the information in the “from:” field of any marketing message, and prohibits the sending of sexually-oriented spam without labeling it “sexually explicit.” The law also requires spammers to offer recipients a way to opt-out of receiving further messages, and to process unsubscribe requests within 10 business days.
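As an added illustration of the requirements just listed (this is not code from the article or from the FTC), the following Python lints a raw message for the signals a mail administrator can actually observe: a From address that is present and aligned with the bounce address (a DMARC-style relaxed comparison, used here only as a spoofing heuristic), an opt-out mechanism in the headers or body, and the "sexually explicit" label when the operator flags the content as adult. It also computes the 10-business-day unsubscribe deadline; the sample message, the `.test` domains and the weekday-only calendar (public holidays ignored) are all constructed assumptions.

```python
"""Lint a message against the CAN-SPAM signals a mail operator can observe.
Added example, not from the article; heuristics only, not legal advice."""
import re
from datetime import date, timedelta
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample marketing message; the sender and URLs are not real.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example-shop.test>
From: "Example Shop" <deals@example-shop.test>
To: recipient@example.test
Subject: Weekend sale
List-Unsubscribe: <mailto:unsubscribe@example-shop.test>, <https://example-shop.test/u/abc>
Content-Type: text/plain; charset=utf-8

Big savings this weekend.
To stop receiving these messages, visit https://example-shop.test/u/abc
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def check_can_spam_signals(raw: str, adult_content: bool = False) -> dict:
    """Return the individual findings plus an overall 'compliant' verdict."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg.get("From", ""))
    rp_domain = _domain(msg.get("Return-Path", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    # DMARC-style relaxed alignment: same domain or a subdomain of the From domain.
    aligned = bool(from_domain) and (
        rp_domain == from_domain or rp_domain.endswith("." + from_domain)
    )
    findings = {
        "from_present": bool(from_domain),
        "from_aligned_with_return_path": aligned,
        "opt_out_header": msg.get("List-Unsubscribe") is not None,
        "opt_out_in_body": re.search(
            r"unsubscribe|opt[- ]?out|stop receiving", text, re.I
        ) is not None,
        "adult_label_present": "sexually explicit" in msg.get("Subject", "").lower(),
    }
    # The label is only required when the operator says the content is adult.
    findings["adult_label_ok"] = findings["adult_label_present"] or not adult_content
    findings["compliant"] = (
        findings["from_present"]
        and findings["from_aligned_with_return_path"]
        and (findings["opt_out_header"] or findings["opt_out_in_body"])
        and findings["adult_label_ok"]
    )
    return findings


def opt_out_deadline(request_date: date, business_days: int = 10) -> date:
    """Last day to honor an unsubscribe: N business days (Mon-Fri) after the request.
    Simplified: public holidays are not skipped."""
    d = request_date
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return d


if __name__ == "__main__":
    for key, value in check_can_spam_signals(SAMPLE_MESSAGE).items():
        print(f"{key:32s} {value}")
    print("deadline for a request on 2017-07-03:", opt_out_deadline(date(2017, 7, 3)))
```

The alignment check is deliberately weak: a sender who controls both the From and Return-Path domains passes it, so it catches careless spoofing, not a determined forger; authentication results (SPF/DKIM/DMARC) from the receiving MTA are the stronger signal when they are available.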

The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.

Those same critics often argue that the law is rarely enforced, although a search on the FTC’s site for CAN-SPAM press releases produces quite a few civil suits brought by the commission against marketers over the years. Nevertheless, any law affecting Internet commerce is bound to need a few tweaks over the years, and CAN-SPAM has been showing its age for some time now.

Ron Guilmette, an anti-spam activist whose work has been profiled extensively on this blog, didn’t sugar-coat it, calling CAN-SPAM “a travesty that was foisted upon the American people by a small handful of powerful companies, most notably AOL and Microsoft, and by their obedient lackeys in Congress.”

According to Guilmette, the Act was deliberately fashioned so as to nullify California’s more restrictive anti-spam law, and it made it impossible for individual victims of spam to sue spam senders. Rather, he said, that right was reserved only for the same big companies that lobbied heavily for the passage of the CAN-SPAM Act.

“The entire Act should be thrown out and replaced,” Guilmette said. “It hasn’t worked to control spam, and it has in fact only served to make the problem worse.”

In the fix-it-don’t-junk-it camp is Joe Jerome, policy counsel for the Electronic Frontier Foundation (EFF), a nonprofit digital rights advocacy group. Jerome allowed that CAN-SPAM is far from perfect, but he said it has helped to set some ground rules.

“In her announcement on this effort, Acting Chairman Ohlhausen hinted that regulations can be excessive, outdated, or unnecessary,” Jerome said. “Nothing can be further from the case with respect to spam. CAN-SPAM was largely ineffective in stopping absolutely bad, malicious spammers, but it’s been incredibly important in creating a baseline for commercial email senders. Advertising transparency and easy opt-outs should not be viewed as a burden on companies, and I’d worry that weakening CAN-SPAM would set us back. If anything, we need stronger standards around opt-outs and quicker turn-around time, not less.”

Dan Balsam, an American lawyer who’s made a living suing spammers, has argued that CAN-SPAM is nowhere near as tough as it needs to be on junk emailers. Balsam argues that spammy marketers win as long as the federal law leaves enforcement up to state attorneys general, the FTC and Internet service providers.

“I would tell the FTC that it’s a travesty that Congress purports to usurp the states’ traditional authority to regulate advertising,” Balsam said via email. “I would tell the FTC that it’s ridiculous that the CAN-SPAM Act allows spam unless/until the person opts out, unlike e.g. Canada’s law. And I would tell the FTC that the CAN-SPAM Act isn’t working because there’s still obviously a spam problem.”

Cisco estimates that 65 percent of all email sent today is spam. That’s down only slightly from 2004 when CAN-SPAM took effect. At the time, Postini Inc. — an email filtering company later bought by Google — estimated that 70 percent of all email was spam.

Those figures may be misleading because a great deal of spam today is simply malicious email. Nobody harbored any illusions that CAN-SPAM could do much to stop the millions of phishing scams, malware and booby-trapped links being blasted out each day by cyber criminals. This type of spam is normally relayed via hacked servers and computers without the knowledge of their legitimate owners. Also, while the world’s major ISPs have done a pretty good job blocking most pornography spam, it’s still being blasted out en masse from some of the same criminals who are pumping malware spam.

Making life more miserable and expensive for malware spammers and phishers has been a major focus of my work, both here at KrebsOnSecurity and in my book, Spam Nation: The Inside Story of Organized Cybercrime. Stay tuned later this week for the results of a lengthy investigation into a spam gang that has stolen millions of Internet addresses to ply their trade (a story, by the way, that features prominently the work of the above-quoted anti-spammer Ron Guilmette).

What do you think about the CAN-SPAM law? Sound off in the comments below, and consider leaving a copy of your thoughts at the FTC’s CAN-SPAM comments page.

72 thoughts on “Is it Time to Can the CAN-SPAM Act?”

  1. IRS iTunes Card

    The 2004 Can-The-Spam-Act is about as worthless as the Federal Do-Not-Call law

  2. John

    When I left my comments at the FTC, I was comment # 50,000…… Come on people. Step up and act, or be quiet little sheep that get fleeced….:)
    J

  3. Mark Withers

    and the real SPAM will turn 80 July 9th

  4. Leo Notenboom

    It’s kinda pointless, actually. Like a cheap padlock, it keeps honest people honest, but the sad reality is, as the article points out, much of what we’re facing these days wouldn’t be impacted by any law. Overseas spammers simply aren’t beholden to what our lawmakers come up with, and those with malicious intent ignore whatever the law might be, almost by definition.

    It’s just not that simple a problem.

    So far the only pragmatic solution seems to be improving the spam filters we all currently rely on. Far from perfect, but significantly more effective than any legislation.

    1. Ron G

      “Overseas spammers simply aren’t beholden to what our lawmakers come up with…”

      You’d be stunned (as would everyone) if you only knew how many spammers I’ve tracked down who have gone to great lengths to make it -appear- that they are overseas, when in fact they are right here in the U.S.

      I catch ’em, routinely, but then can’t -do- anything with them, because the YOU-CAN-SPAM Act made it a steep hill to climb if an ordinary individual spam victim wants to sue one of these bastards. Some rare people have managed to successfully pull it off, like Dan Balsam and a couple of other people I know, but the whole endeavor (to bring these people to the bar of justice) has been made exponentially harder by the existence of the YOU-CAN-SPAM Act.

  5. Rob Pomeroy

    With the countdown to GDPR well underway in Europe, surely the pressure will mount for the US to develop something similar? Maybe Seth Godin’s Utopian vision of “permission marketing” will actually become a reality…

    1. Ron G

      (Note for the uninitiated: GDPR == EU’s new “General Data Protection Regulation”.)

      Unfortunately, in general European ideas about personal privacy are both demented and counterproductive, in particular when it comes to trying to flush out spammers, hackers, and all sorts of online miscreants. Just try to get a domain name WHOIS record for either a .DE or a .EU domain via the standard and traditional port 43 WHOIS service and you’ll get just a small glimpse of what I’m talking about (because you can’t). European online crooks, fraudsters, scammers and spammers are -already- managing to effectively hide their identities due to the stupid, irrational, illogical and downright demented currently existing European “personal privacy” rules, and I suspect that this new GDPR thing is only going to make matters worse.

      In Europe, personal data is treated with kid gloves, as if -everybody- was legitimately afraid of some deranged ex-spouse showing up with a machine gun. But in fact, only maybe 0.5% of all the people in Europe who are online and seeking to protect their identities have legit reasons to do so, and the other 99.5% are just plain online crooks who are working the system to their advantage.

      The whole thing would be laughable if it wasn’t so sad. Everybody in Europe, especially the politicians, routinely regurgitate an endless stream of lovely sounding platitudes to indicate how much they deeply deeply care about personal privacy, but then, of course, as we all know by now, the governments are the worst offenders, and both the German BND and the UK’s GCHQ work hand in glove with the NSA every day of the week, and none of these organizations allow little things like laws or governmental oversight slow them down. Not one bit. (Snowden’s revelations, shocking as they were, have only resulted in tiny changes around the margins. Mostly it’s still the same old game for the intelligence services, on both sides of the pond.)

      1. J J

        @Ron J
        It seems that you are well informed, can you share where your percentages come from and what you base yourself upon to build your opinion (because in the end, I see no facts)?
        Also, you mention “European ideas about personal privacy are both demented and counterproductive…” when talking about GDPR (which aims to protect privacy). How is GDPR against privacy (why is it counterproductive)?
        I feel like protection of PII and Spam are 2 different issues.

  6. DaveM

    I think the act is now largely irrelevant. Email providers and the ISPs seem to be doing a pretty good job of filtering out the spam before it reaches the IN box. I have a GMail account and I can’t remember the last time I received any spam through GMail. I have a few email accounts through my ISP (Cox) and again, I can’t remember the last time I received any spam on any of these addresses. Once every few weeks or so, however, I’ll get some blatantly obvious phishing email on one of my Cox accounts – always supposedly from some bank I’ve never had an account with asking me to update my account information or supposedly from Cox demanding that I update my password, social, and other info immediately or my account will be closed. The ones purportedly from Cox are so amateurish (all plain text content, misspellings, obvious unfamiliarity with the English language, etc) that anyone who falls for one of them deserves what happens to them.

  7. JCitizen

    IRS iTunes Card brings up a good point, and I predict it will backfire on email spammers as well. The robo-calling epidemic is one subject that makes more people I know blow their tops. They don’t just get mad, it almost borders on homicidal rage!! Good thing they can’t get their hands around the neck of a culprit of robo calling, or they would certainly commit murder. This has reinvigorated folks everywhere to remember how much we hate such disruption in our lives, and I wouldn’t doubt it becomes a major political issue soon.

    One of the best organizations I know fighting for our rights on these issues, is the Consumer’s Union action group, and just joining them will get you easy direct access to regulators and your congressmen; whereby you can join personally in the fight to improve laws and regulations to help mitigate these insects! Thanks Brian for this article – I didn’t realize just how loose the spam laws were!

    1. QuarterBack

      If they redo the anti-spam laws, they should redo the Do-not-call laws at the same time. They have both basically evolved to become two sides of the same coin anyway. Virtually all of these unwanted calls originate on internet services anyway. I am particularly disappointed at how useless CallerID has become, which could be very helpful if it could be trusted.

      How about a “Make CallerID Great Again Act”? Require the telcos to designate whether CallerID info is coming from a network that the telco trusts, and pass along the CallerID info tagged with a designator indicating whether it came from a trusted network. A subscriber could then choose to block or send to voicemail calls originating from untrusted networks. Even for calls I might take, I would like to know whether it is a landline or an internet call. Just a start off the top of my head.

  8. John Jie

    Worthless act. Since the act went into effect, spam has done nothing but increase exponentially.

    1. acorn

      Yet, the proportion of spam for every non-spam has decreased, “Cisco estimates that 65 percent of all email sent today is spam. That’s down only slightly from 2004 when CAN-SPAM took effect. At the time, Postini Inc. — an email filtering company later bought by Google — estimated that 70 percent of all email was spam.”

      Curious what the thoughts are of why there’s that proportional 5% decrease (the near 70 percent is near what I recall Trustwave, acquired by if I recall right Spider Labs, reporting for non-recent years). That’s the first of any year over year decrease I’ve seen during the last 10 years or so, 13 years to be exact in the article.

  9. Nina

    I was considering spam just the other day. I use gmail so legitimate spam mail that I never signed up for in some way, shape or form automatically gets filtered into the junk mailbox. I think it is insane that I have to have a special mailbox for all the spam mail. I typically never go in there for anything but the other day I read the headlines of these mails and they were mean-spirited, cruel messages like an 8th grade bully on the playground, what’s that about? I can’t unsubscribe because I’m too afraid to open this mystery mail and it be a virus or something. It would be nice to have this cleaned up.

    1. Ron G

      “I typically never go {to my spam folder} for anything but the other day I read the headlines of these mails and they were mean-spirited, cruel messages like an 8th grade bully on the playground, what’s that about?”

      Trump fundraising emails for his 2020 campaign.

  10. chesscanoe

    The Chrome browser already does a pretty good job of filtering CAN-SPAM. I’d prefer browser providers be rewarded with a tax credit rather than rely on laws and lawyers to improve on fixing the problem.

  11. Blue Critter

    The source of the problem is that email is free. So like air, water and any free resource, it will be polluted by exploiters. Since the US grants a monopoly in mail, the post office could charge senders for email, say $.01 per message.

    1. Darron Wyke

      And how, pray tell, would that be enforced?

      It can’t be. Worthless idea that was tossed around 20 years ago and summarily discarded then.

    2. Steve

      I was going to post the same comment. I don’t know what the rate should be, but the only way to reduce spam is to make the cost of sending it higher than the payback. Clearly, threats of lawsuits have not worked. Even if US law is amended, prosecuting overseas spammers will be too difficult. But if sending email costs money, bot owners — the computer owners, not the botnet controllers — suddenly have a strong incentive to scrub their computers. That’s a wonderful ancillary benefit.

      This is a pipe dream, of course. Google would fight it tooth and nail.

  12. Jesse

    Comment 43 – I feel the primary concern with CAN-SPAM is that it doesn’t do anything to protect email users from viruses and malware. The act has helped lower non-solicited marketing and vulgar emails since enacted in 2004, but it is showing age. Email is the #1 delivery channel of cyberattacks today and it is only going to get worse. A lot of these viruses have been getting through Office 365, used by US governments and education (our kids).

    -From email user for over 20 years

    1. Darron Wyke

      CAN-SPAM was never intended to fight malicious email. That’s what CFAA is for.

  13. Eric R

    Having spent time at Goodmail Systems, which used encrypted header tokens to create Certified Email, I can vouch for the fact there are ways to eliminate spam overnight... but they involve technology on both the sending side (Commercial mailers and ESP’s) and the recipient side (ISP’s and consumers).

    While we could get enough commercial senders and ISP’s on board (it exposed ESP delivery gaps and challenged ISP’s business models where they wanted people to spend time on websites and not email)…I always thought this role of ‘trusted honest broker’ to creating integrity in the email supply chain belonged to the United States Postal Service to run in parallel to the postage stamp.

    Put 1/10th of a penny postage stamp on those commercial emails, and all of a sudden the email marketers will stop sending you emails 5x a week for their latest sale…particularly when you haven’t opened a single email in the last year. It also takes away all incentive for big time spammers/scammers because the small postal cost coupled with having to certify themselves as legitimate marketers takes them off the map.

    1. Eric R

      Sorry…couldn’t get enough support from the ESP’s and ISP’s. This is where the Federal Government and USPS could have played a role vs. a private firm. Non-profits would scream because we wanted to charge a fee for certifying email and guaranteeing inbox delivery with images on and links active…unable to get their heads around the 20-30% improved performance from the email channel. They somehow thought they should not be restricted in any way to send to whomever they wanted whenever they wanted…for no additional fee.

      Permission based spamming is the biggest issue today…due to Google and other ISP’s doing a very credible job at spam filtering.

  14. EJ

    I receive a constant stream of grey email spam from tech companies who hide behind the CAN-SPAM Act. You can unsubscribe from them until you’re blue in the face but they just send your address to the next tech marketer. Because they only are sending to you from one sender at a time, they can keep hitting you because the next company they email you from is “new” and they get to email you once. I’d love for the rules to be tightened up. The lawless spammers I can filter out but the grey email spammers that use semi-legit emailers are the ones I’d like to see put in line.

  15. Bob Brown

    The CAN-SPAM act has legitimized spammers like Mailchimp. Every one of their customers gets one free whack at your mailbox. If you don’t like it, YOU have to opt out… and opt out… and opt out…

    Only verified opt-in is really acceptable as a way of doing email marketing. The YOU-CAN-SPAM act has done Americans a great disservice.

    No amount of legislation will stop the online pharmacy scammers, porn purveyors, etc. but it could put abusers like Mailchimp out of business.

    1. Chris Nielsen

      MailChimp and providers like Exact Target are NOT spammers. They are only service providers who have problems getting their customers to follow the rules. I used to report them for spam, but for a long time I report TO THEM about any spam. They always take me seriously and deal with it. Same thing with ClickBank.com. Their affiliate programs are gasoline on the spam fire. But they always take my reports and close spammer’s accounts after confirming. Please direct your justified anger at those that deserve it as that will be more helpful. 🙂

      1. Darron Wyke

        Mailchimp, not a spammer? That’s rich. I’ve caught them using bought/washed lists dozens of times. Each time they act like it’s a big deal and they’re going to take care of it, but you know what they’re going to do? Remove you from the list.

        Their TOS states that they can’t use bought or third-party lists. But I’ve had their support staff claim otherwise. The fact that I’ve reported dozens of spammers on their paid service who do this tells me that they don’t mind looking the other way when convenient.

  16. Fazal Majid

    CAN-SPAM was designed to shield corporations from liability for sending marketing emails without having first secured an opt-in from the customer. The contrast with the EU’s General Data Protection Regulation due to enter into effect in May 2018 is instructive. It requires the sender to have verifiable opt-in before sending email, and it also explicitly states that a checkbox that defaults to “yes” on a web form is *not* legitimate opt-in.

  17. Henry Winokur

    Here’s what I wrote on the FTC’s web site: “The law is ineffectual–not to mention that spammers–like most other criminals–pay no attention to it. Why bother?”

  18. Alan Jackson

    Some years back I set up a very unique e-mail address, and then sent it to the Direct Marketing Association to be added to their “do not spam” list. About 6 months later that address began receiving spam. Proof positive that the DMA are crooks in bed with spammers.

  19. Chris Nielsen

    The worst thing about CAN-SPAM is that it has often ENABLED spammers to feel they can use spam, or UCE (unsolicited commercial email). Over the years I have had to educate many otherwise legit businesses to the fact that while what they are doing may be allowed (under You Can Spam) their ISP has specific rules against it.

    Reporting SPAM to the FTC never seemed to do much, unlike reporting DNC or robo-call abuses. But reporting spam to ISPs, hosting providers, email providers, and affiliate companies has allowed me to use the same widely published email address since 1999. I used to get 400-600 spams a day 12 years ago. Today I get about 5-10% of that.

    Both spam and robo-calls need better solutions and while laws can help they are much less effective especially when dealing with offshore sources.

    But in my opinion we are to blame. We have done so very little to effectively fight the problem. There are answers that exist today and other answers can be found. We only need the motivation and organization to work together. Technology should not be allowed to enslave and create all the fear and problems that it does.

  20. Stratocaster

    Having recently retired, I still get a lot of legitimate advertising email from firms who are associated with my former employment. It is handy to just be able to click on an “unsubscribe” link. Without that recourse, one would have to sleuth out who is in charge of email lists and send them an email. Most of them come from some sort of no-reply mailbox. Of course I wouldn’t do that to the message from the Nigerian prince.

  21. Willard Dawson

    I left my comment on the FTC site, and my count was 00049, so it appears their comment counter only goes to 99999, and seems to have rolled over. Hopefully they don’t throw out the first batch in the process…

  22. Craig Thomas

    The Spam Act 2003 was introduced in Australia and it immediately caused Australia to lose its spot near the top of the league of spam-producing nations.
    One spammer tried to test it and he was informed that he would be fined $millions per day that he continued spamming. He stopped after several days and subsequently lost his case. His challenge was based on the idea of retrospectivity concerning the new Act’s requirements in relation to his “valid” mailing lists.

    Evolving the CAN-SPAM Act into something more like Australia’s CANnot-SPAM Act would be a good option for the US.

  23. #FryAndEatSpam

    good luck changing the law under president dumbass

  24. Mahhn

    I hate to be so cynical, but in the US whoever spends the most money gets laws made to suit them. And it’s not the consumer/general population.

  25. J Meredith

    Come on Brian, another political swipe. The Can-Spam act, nor any federal law, will EVER eliminate or significantly reduce Spam because there are hundreds of other countries from which Spammers send the junk. And of course our very own systems in the USA that get taken over by spambots. However, the act has resulted in a number of very large lawsuits which have cut down on American corporations sending Spam. Without the act, we’d be getting pummeled by every US company. And if Al Gore > who invented the internet 😉 had proposed this Act, you wouldn’t even be blogging about it.

    1. BrianKrebs Post author

      A political swipe? Also, the United States probably has the biggest concentration of spammers in the world, and most of them live in Florida.

  26. Bruce W

    The default opt-in for marketing emails needs to be switched. I have noticed that several companies at least now have a checkbox to opt out when signing up for their site (sad that an opt out checkbox can be viewed as an improvement.)

    Also, I just unsubscribed from email from a well-known magazine. The confirmation page stated to “allow up to 10 days” for the unsubscribe to be processed. Yes, I know the statement is a legal CYA but, come on, 10 days?!?!

  27. H Schulzrinne

    The notion that people should be forced to opt out from UCE from potentially millions of entities, across the world, never made much sense, but if a Canadian opt-in model is not achievable, there are smaller steps that would at least help: standards-based opt-out links so that my mail agent can do the job for me; a limit (1 or 2, say) of unsolicited emails from the same corporate entity (not just the same “campaign”) after which opt-in is required; much shorter time periods from opt-out to implementation (e.g., 24 hours). Most legitimate email sending services already adhere to many of these requirements so technical or logistical feasibility should not be an issue.
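The comment above sketches what a mail agent could do if opt-out were standardized: act on a machine-readable unsubscribe link and stop a sending entity after a small number of unsolicited messages. The Python below is an added illustration of that idea (not the commenter's code or any product's): it parses the existing RFC 2369 `List-Unsubscribe` header, recognizes the RFC 8058 `List-Unsubscribe-Post: List-Unsubscribe=One-Click` signal that lets an agent unsubscribe without a human, and keeps a per-entity counter. The sample messages and `.test` domains are constructed, and "corporate entity" is approximated by the last two labels of the From domain, which is a simplification; a real agent would consult the Public Suffix List.

```python
"""Mail-agent side of standards-based opt-out, as an added example.
Parses RFC 2369 List-Unsubscribe and RFC 8058 one-click signals and enforces
a small per-sending-entity quota of unsolicited mail. Sample data is constructed."""
import re
from collections import defaultdict
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed samples: three mailings from sub-brands of one (fictional) company
# and one from another company with no unsubscribe header at all.
SAMPLE_ONE_CLICK = """\
From: "Acme Deals" <deals@acme-promo.test>
To: me@example.test
Subject: Flash sale
List-Unsubscribe: <mailto:unsub@acme-promo.test>, <https://acme-promo.test/u/1>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Sale today.
"""
SAMPLE_MAILTO_ONLY = """\
From: "Acme News" <news@news.acme-promo.test>
To: me@example.test
Subject: Newsletter
List-Unsubscribe: <mailto:stop@news.acme-promo.test>

This month at Acme.
"""
SAMPLE_HTTPS_ONLY = """\
From: "Acme Events" <events@events.acme-promo.test>
To: me@example.test
Subject: Webinar invite
List-Unsubscribe: <https://events.acme-promo.test/unsubscribe>

Join us.
"""
SAMPLE_NO_HEADER = """\
From: <promo@other-corp.test>
To: me@example.test
Subject: Hello

No opt-out offered here.
"""


def parse_list_unsubscribe(value):
    """URIs listed in an RFC 2369 header value, e.g. '<mailto:a@b>, <https://c/d>'."""
    return re.findall(r"<([^>]+)>", value or "")


def plan_opt_out(raw):
    """Decide how an agent could unsubscribe; None when the message offers no way."""
    msg = message_from_string(raw, policy=policy.default)
    uris = parse_list_unsubscribe(msg.get("List-Unsubscribe"))
    one_click = (msg.get("List-Unsubscribe-Post") or "").strip() == "List-Unsubscribe=One-Click"
    https = [u for u in uris if urlparse(u).scheme == "https"]
    mailto = [u for u in uris if urlparse(u).scheme == "mailto"]
    if one_click and https:
        # RFC 8058: an HTTPS POST the agent may send without user interaction.
        return {"method": "POST", "target": https[0]}
    if mailto:
        # An agent can compose the opt-out mail itself.
        return {"method": "MAILTO", "target": mailto[0]}
    if https:
        # A plain link: safe only to present to the user, not to fetch blindly.
        return {"method": "OPEN", "target": https[0]}
    return None


def sending_entity(raw):
    """Approximate the corporate entity as the last two labels of the From domain
    (simplification; a real agent would use the Public Suffix List)."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])


class UnsolicitedQuota:
    """Count unsolicited mail per entity; past the limit, hand back an opt-out plan."""

    def __init__(self, limit=2):
        self.limit = limit
        self.counts = defaultdict(int)

    def observe(self, raw):
        entity = sending_entity(raw)
        self.counts[entity] += 1
        if self.counts[entity] > self.limit:
            return plan_opt_out(raw)
        return None


if __name__ == "__main__":
    quota = UnsolicitedQuota(limit=2)
    for sample in (SAMPLE_ONE_CLICK, SAMPLE_MAILTO_ONLY, SAMPLE_HTTPS_ONLY):
        print(sending_entity(sample), "->", quota.observe(sample))
```

The three Acme messages come from different subdomains but count against one entity, which is the point of the commenter's "corporate entity, not campaign" rule; the third one trips the limit and the agent is handed the opt-out target it should act on or show to the user.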

  28. Henning Schulzrinne

    Opting out of millions of potential email senders never made much sense. If a Canadian opt-out model is not feasible, formalizing the practices of the more responsible email senders might be achievable: (1) limit sending to 1-2 emails before opt-in (i.e., automated unsubscription); (2) require a standards-compliant unsubscription link, rather than allowing sending a letter to a postal address; (3) opt-out from a corporate entity, not just a single email campaign. The latter would incentivize email services to police their customers.

  29. Anne P. Mitchell Esq.

    There are certain sections of CAN-SPAM that are effective (for example, the one that I wrote 😉 ). But the big issue is that unlike nearly any other first world country, our law is an opt-out law, where everywhere else the law is an opt-in law, meaning that they can’t put you on their email list without your permission.

    (Here in the US – currently – they can put you on their email list without asking, they just have to remove you if you asked to be removed. I say “currently” because we are urging people to make that the focus of their comments; if enough people demand that CAN-SPAM be amended to become an opt-in law, there is a chance, no matter how small, that the FTC will revisit that issue and get in line with the rest of the first world.)

    We have a plain English explanation of the request for comments on CAN-SPAM, along with links directly to the comment form; Brian if you’d like to publish it please feel free to do so (I dropped it in the website section of your comment form).

    Anne

    Anne P. Mitchell,
    Attorney at Law
    Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
    Legislative Consultant
    CEO/President, Institute for Social Internet Public Policy
    Member, Cal. Bar Cyberspace Law Committee
    Member, Colorado Cyber Committee
    Member, Elevations Credit Union Member Council
    Member, Board of Directors, Asilomar Microcomputer Workshop
    Member, Board of Directors, Greenwood Wildlife Rehabilitation
    Ret. Professor of Law, Lincoln Law School of San Jose
    Ret. Chair, Asilomar Microcomputer Workshop

    1. Darron Wyke

      The problem with that argument is that it completely falls flat when you look at the act as a whole.

      There is no COI or VOI, which means you can be bulk imported from a purchased list, and you have no means of redress against it. Your only choice is to opt-out, which in turn verifies your email to the sender.

      There is no teeth to the act, either. The only one who can pursue any meaningful punitive measures for it is the FTC, and they won’t give a crap unless the spam wave is so large and so disruptive against a single US-based sender (foreign senders? Ha!). As a private citizen, I have NO means of redress.

      A few good measures in the act, like requiring opt-out to be followed, don’t cover up the many holes in it.

  30. Ronal Kumar

    If 70% of emails are nonsense then I am sure reducing it will definitely help the carbon footprint.

    Some of the emails have become a joke – they keep on sending without any fear.

    Perhaps spammers think it’s easy to hide behind a curtain and fart.
