Anti-Spam Law Has Holes

Senate Bill 877 won't stop the general problem of junk e-mail.

The U.S. Congress has just finished work on anti-spam legislation that will likely be signed into law by year's end. The bill was a nice try, but I feel confident that I'll be covering anti-spam technology for years to come.

The reason is that Senate Bill 877 won't stop the general problem of junk e-mail. This isn't to say it will have no effect. It will crimp the stupidest spammers, those too feebleminded to go offshore to send their phony baloney. It won't stop commercial e-mail from many mortgage, insurance and credit card companies. And it certainly won't stop big e-mail service providers such as America Online and Yahoo from sending bulk commercial messages to their subscribers.

Further, the legislation takes an opt-out approach as opposed to an opt-in approach. This means that corporate IT managers are going to remain the guardians at the mail gateway, turning back the continuing flood of now legal—but still unsolicited and unwanted—e-mail headed for their e-mail servers. Corporate e-mail users will have to go through the process of unsubscribing from e-mail lists, one at a time, to stop spam.

Corporate users may benefit, however, from one aspect of the pending legislation. The bill currently provides that the Federal Trade Commission study setting up a national Do Not Spam list. I'd love to get my Ziff Davis e-mail account on any such list. It's an address that I'm obliged to put in the public domain, making it difficult to defend from spammers.

If it becomes law, the legislation will supersede anti-spam legislation in 37 states. This is too bad because states such as California and Delaware were closer to the mark in crafting anti-spam legislation. For example, California and Delaware both specified that bulk commercial e-mail could be sent only to recipients who opted to receive it. Also, California's law would have provided a way for individuals to sue offenders. The federal legislation does neither of these things.

Unfortunately, the federal legislation will most likely create a kind of bulk unsolicited commercial e-mail that's legal under the new rules. These messages will have to follow strict rules including providing accurate subject lines and a valid method for consumers to get off bulk lists. Now corporate IT managers will be faced with a crush of U.S.-government-approved Grade A spam, with no legal recourse but to take it. Which is why technology, not rule-making, is the best way to stop spam.

One promising method of fighting spam uses a "call to action" as a way to filter out spam. The call to action, whether it is in the form of a solicitation to send money or credit card information to a post office box or a request to click on a link, is currently quite difficult to disguise.

Another emerging technology that holds promise for consumers is "disposable" e-mail addresses. These are meant for use during a very short period of time, such as when a consumer sends a message to an e-business site. The technology causes the e-mail address not to function for return e-mails after a short time. Few business users would want to send this type of message as a matter of course, however, because it would prohibit replies from business contacts unless they were to respond quickly.

A form of anti-spam technology that I'm not sure will be of much use is called permission-based e-mail. One of the key weaknesses of permission-based systems is revealed by mass-mailer worms. Crackers will be motivated to steal address books and then send spam under the name of the victim to the stolen e-mail addresses. Because the addressees have likely given permission to receive e-mail from the sender, the anti-spam defense goes away.

Although I don't have a problem with the idea of introducing modestly priced e-mail services, it's not likely they'll be effective because they follow the permission-based model.

The nature of spam—cheap for the sender, expensive for the receiver—isn't fundamentally changed by the legislation that is likely to become law. And for now, the technologies available cannot fundamentally change the equation either, so like it or not, I'll be covering anti-spam products for the foreseeable future.


Senior Analyst Cameron Sturdevant can be contacted at