CAN-SPAM Misses Mark

IT managers need to act as if CAN-SPAM didn't exist.

Early word from the field is that the CAN-SPAM Act hasn't made a dent in the amount or character of spam. Surprise!

Commtouch Software announced Jan. 8 that its spam-detection center saw no significant difference in the number of spam campaigns. Commtouch also analyzed bulk e-mail for compliance with the law and found that fewer than 1 percent of e-mail messages met the simple requirements laid out in CAN-SPAM.

Jesse Dougherty, director of development at anti-virus and anti-spam software maker Sophos, confirmed the sorry state of post-CAN-SPAM junk e-mail traffic when I talked with him recently. While companies such as Sophos have a vested interest in showing a high rate of spam, the amount of junk e-mail even after CAN-SPAM is not in dispute.

The ultimate impact of CAN-SPAM might be different from the early results. The Federal Trade Commission and the Federal Communications Commission have oversight of the act, with the FTC empowered to make rules. As rules are made over time—and as enforcement action shapes new boundaries for sending commercial e-mail—the effects of the anti-spam act will become clearer.

However, what's happened so far confirms what I've said here before: CAN-SPAM won't significantly reduce the amount of junk e-mail, and it will have little impact on the content of e-mail. Thus, companies need to continue putting anti-spam systems in place. Further, employer responsibility to keep out e-mail that potentially creates a hostile work environment—namely, pornographic e-mail—will continue to be a burden of IT.

The law prevents recipients of spam from initiating enforcement action, but will resource-strapped federal agencies be able to take up the slack? In a sense, CAN-SPAM may fail in its stated aim of reducing junk e-mail for the same reason peddling drugs and bogus financial schemes are so popular on the Internet already: There is little chance of getting caught and almost no cost to using e-mail to promote scams.

For the most part, this means IT managers need to act as if CAN-SPAM didn't exist. You still need to invest in anti-spam products or services to prevent junk e-mail. You should continue to advise users about the same best practices—such as not using the unsubscribe link to supposedly get off e-mail lists. As far as I can tell, the CAN-SPAM Act, and the publicity around it, are likely to make spam problems worse for business users.

The reason is summed up in the term "phishing." I talked with Avner Amram, executive vice president at Commtouch, and he described phishing as harmful e-mail that imitates legitimate companies to coax users to provide information including passwords and account numbers.

"This e-mail tells you that your account [at any number of well-known companies] is about to expire. You go to a Web site that looks exactly like the one of Citibank or eBay ... and you happily put your user name and password and maybe your account number and then push submit," said Amram.

I've seen several examples of phishing e-mails, and they are good. Very good. Because this e-mail appears to meet nearly all the visible requirements of CAN-SPAM, including a postal address to unsubscribe in the body of the e-mail, end users are very likely to be suckered into going to these sites and giving up their money. The publicity around CAN-SPAM lends credibility to junk e-mail because recipients reasonably expect that the legislation will protect them from this type of fraudulent e-mail. Hence, things will get worse, not better.

To repeat, IT managers must pretend CAN-SPAM doesn't exist, to protect their organizations from the bad effects of spam. It may well be worthwhile to take this time to remind your e-mail users of the importance of prudent e-mail use, such as carefully evaluating messages that appear to be from trusted sources and that ask for financial or personal information. I know I'm not letting my guard down now that the feds have stepped in to save me from spam. Once the dust has settled, CAN-SPAM legislation will likely be seen for what it is: a second-rate attempt to tackle first-rate spammers.

Senior Analyst Cameron Sturdevant can be contacted at