CAN-SPAM Gets Mixed Report Card for First Year

The much-hyped CAN-SPAM Act — the first major stab at legislation in the U.S. aimed at cutting down the flood of unwanted commercial e-mail messages — is seen largely failing to live up to its promise during its first year.

The Act, which took effect at the start of 2004, was meant to curtail spam by beefing up law enforcement’s ability to investigate and prosecute alleged spammers and by giving consumers more control over their inboxes.

Still, some say it — and other tactics — are working. America Online said in late December that the amount of spam sent to its users during 2004 was down by more than 70 percent over the year before. AOL credited its anti-spam campaign, which has included working closely with law enforcement agencies through CAN-SPAM as well as technical solutions.

Exception to Rule

AOL said the drop ended a five-year run during which spam worsened each year.

“We’re opening up a new, better chapter in the story about spam,” AOL director of anti-spam operations Carl Hutzler said in a statement.

If AOL saw such a drop, though, analysts say it is the exception to the rule, with most tracking another year of increase in the volume of unwanted e-mail being sent to consumers without their consent.

“The law clearly has had no meaningful impact on the unrelenting flow of spam that continues to clog the Internet and plague inboxes,” Scott Chasin, chief technology officer of filtering firm MX Logic, said. Chasin noted that the rate of compliance with CAN-SPAM did climb during the year, peaking at 7 percent in December.

Chasin said there have been other positive developments, such as the legislation helping to bring industry leaders together to fight the spam problem. “Unfortunately, ending the spam epidemic will require a long-term, ongoing effort” that includes law enforcement as well as new technology and even greater cooperation among various Internet companies, he added.

Quality and Quantity

Other analysts point out that just tracking spam volume tells only part of the story. For instance, 2004 saw the abrupt rise of phishing attacks using e-mails purporting to be from trusted sources such as financial institutions — eBay’s PayPal is a favorite target.

Those attacks do more than just annoy since they can be the basis for identity theft and other types of fraud.

Other than the volume of spam being sent, the percentage of e-mail traffic that can be considered spam also crept higher in 2004. According to monthly data from MessageLabs, more than 84 percent of the total message volume in August, the worst month for spam in 2004, was unwanted. The monthly average for 2004 was more than 73 percent, the highest it’s ever been and well above the 40 percent level from 2003.

MessageLabs Chief Technology Officer Mark Sunner said phishing attacks have risen from being virtually unheard of just a year ago to become one of the most dangerous types of unwanted e-mail.

Emerging Threat

Sunner said that in September of 2003, his firm intercepted some 279 phishing messages, compared to 2 million during September of 2004. Also, newer attacks are showing increased sophistication and are being blended with other types of criminal activity, such as blackmail. MessageLabs recently warned about attempts by phishers to dupe Web users into laundering money stolen from bank accounts obtained through attacks.

“In just 12 months, phishing has emerged as a threat to any organization conducting e-commerce and any user who received e-mail,” Sunner said. “We believe that the targeting of certain companies characteristic of phishing attacks could signal the beginning of a wider trend that bears watching in 2005.”

Meanwhile, developments that some analysts predicted would occur after CAN-SPAM have not taken place either, such as a predicted migration of spamming operations to offshore locations where U.S. law enforcement would be hard-pressed to stop them.

In fact, anti-virus and spam filtering company Sophos said that the United States topped its list of countries sending the most spam in 2004.

“Early in the year, the U.S. had the excuse that CAN-SPAM had just been passed,” said Graham Cluley senior technology consultant at Sophos. “But by now, it’s clear that the legislation has made very little headway in damming the flood of spam.”

Creative Techniques

Computers in the U.S. sent more than 42 percent of all worldwide spam in 2004, Cluley said. In second place, and the only other nation in double digits, was South Korea, which was responsible for about 14 percent.

Cluley added that CAN-SPAM, as some predicted, has resulted in more creative spamming techniques, with computer users, especially those with high-speed connections to the Web, increasingly being duped into becoming mules for e-mail spam.

“Zombie computers — PCs that have been compromised by hackers or virus writers — are sending out over 40 percent of the world’s spam, usually to the complete ignorance of the PC’s owner,” Cluley noted.

Other analysts note that spam has already begun to spread to other venues, from chat rooms and instant messaging to cell phones, so that even if the volume of e-mail spam is reduced, the flood of such messages might well continue to rage.