Can-Spam, Laced with Loopholes, Creates Confusion

New legislation has failed to stem the tide of unsolicited e-mail, protecting e-mailers who follow the letter but not the spirit of the law.

Last year the United States Congress ballyhooed its Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (Can-Spam) legislation as a way for businesses and consumers to escape the mountains of unsolicited e-mail clogging the nation’s collective In Box.

Even though it’s early in the law's life (it only took effect January 1), experts say the Can-Spam law has been more of a “can do” license for spammers than a success, since it shields spam companies who follow the letter of the law while still leaving plenty of loopholes, not to mention confusion. Companies are still struggling to decipher real e-mail from spam.

New research points to the law’s ineffectiveness to date. At the beginning of this year, EmailLabs, an ASP e-mail and marketing-via-e-mail vendor, conducted an informal poll. It analyzed e-mails “to which consumers and businesspeople might subscribe,” specifically a range of well-known e-mail newsletters, and e-mails from popular online retailers, media outlets, and Fortune 500 businesses.

The findings: Only half of the companies’ e-mails complied with the Can-Spam requirement that a marketing e-mail include the sender’s postal address. Almost all of the e-mails, however, did meet the unsubscribe requirement, and included either a link, e-mail address, phone number, or postal address for doing so. Yet in the end, of legitimate companies, only half were in compliance with the law.

By contrast, take companies sending e-mail no one asked for. Security firm MX Logic looked at a random sample of 1,000 unsolicited e-mails received in early January, and found only three in Can-Spam compliance.

Under Can-Spam, if e-mail marketers include the required information, such as a postal mailing address, they’re in the clear. Yet as the research shows, most aren’t even bothering. For one thing, many companies aren’t based in the United States. After the law was signed, the U.S. government said it would increase the law’s effectiveness by encouraging other countries to pass anti-spam legislation in other companies. Will such legislation ever be global?

The law may also muddy the issue with its loopholes. For example, unasked-for e-mails whose primary purpose is commercial are prohibited. Web and e-mail filtering company SurfControl, however, reports a rise the tactic of sending mostly non-commercial e-mails (say with a joke) and tacking a short advertisement at the bottom. Is the primary purpose of that e-mail commercial? If not, then it’s legitimate.

The law also doesn’t give end users a way to distinguish between legitimate e-mail and spam. For example, in a message that claims to abide by Can-Spam, clicking on an “unsubscribe” link might very well do the opposite. It’s easy for e-mail marketers to send out an e-mail with a link in the body, labeled “unsubscribe,” yet which has the recipient’s e-mail address embedded. When an end user clicks the link, the marketer actually gets verification: that e-mail address leads to a real person. Or if a company includes a postal address—will an end user take the time to write to it? Is the address legitimate? The law specifies required information, but end users don’t know if it’s valid.

In the end, Susan Larson, SurfContol’s vice president of global content, notes that “unfortunately, many spammers aren't really doing anything different than they did before the Can-Spam law was passed—they're just creating the illusion they are complying with the law and using it to market, or commit fraud.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.