CAN-SPAM: Good, Bad or Indifferent?

The CAN-SPAM anti-spam law is in effect and you're still getting spam? Hard to believe spammers would actually break the law, isn't it? But just because CAN-SPAM is largely impotent doesn't mean that alternatives would have worked any better, despi

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Some people just have to be right and their critics wrong. Such looks to be the case with much of the current criticism surrounding CAN-SPAM, the federal anti-spam law that went into effect recently.

We recently reported on such criticism of the law. Youd definitely get the impression, to listen to critics such as Vincent Schiavone, president and chief executive officer of the ePrivacy Group, that things will be worse after CAN-SPAM. Mr. Schiavone argues that spam has been green-lighted by the law.

In addition, a recent Slashdot story agreed, calling CAN-SPAM a "spam friendly anti-spam bill."

These critics would have preferred a purely opt-in-based system, where it would be very hard for any commercial entity to justify sending you e-mail. Now, they argue, all restraint will be gone.

But if we really had a more stringent system, would things really be any better than they will be with CAN-SPAM? I see no reason to believe so. /zimages/6/28571.gif

What these critics (mistakenly) fear is that legitimate companies will go wild with spam because CAN-SPAM has given them "permission." But thats not why we have a spam problem.

Let me reach into my blocked mail folder and pick a few spams to see if any real companies can be found there. What are the subjects: Portuguese stereo equipment, drugs, cigarettes, rapid weight loss and pirated software. In fact, its all the same sort of trash.

No company with a reputation would soil it by casting its lot with such a marketing method. In fact, we used to see real companies using spam (I remember Omaha Steaks among them), but I havent seen them in a while. And if real companies really do see CAN-SPAM as a guide for e-mail marketing, then theyll actually follow the rules in it, including honoring opt-out and not spoofing anything in the message headers.

However, the frustrating part is that the critics are right that CAN-SPAM will likely be ineffective.

For the law to be effective to a fair degree, it must be vigorously enforced. Given todays priorities, Id be very surprised if the government decided to spend less money rebuilding Iraq and more on jailing spammers.

If the necessary resources were really allocated, a lot of spammers could get caught and subject to severe punishment. In addition, companies that promote products through spam could be liable even if the spammers used foreign ISPs.

Sad to say, thats not going to happen.

More likely, in the great American tradition of the civil lawsuit, ISPs, state attorneys general along with some individuals with too much time and money on their hands, will sue the spammers under CAN-SPAM.

Such a tactic might go somewhere if we were talking about suits against a stalwart of Corporate America such as General Motors or McDonalds. But the outfits selling wares through spam dont look like the type of businesses that will be intimidated by a civil suit.

By the time a company could be identified and then served with papers, the perpetrators will have moved assets through three shell corporations and there will be nothing left to sue for. Or perhaps the entire outfit will be located in a foreign country, making it not worth the effort to charge from the get go. The result will be the same: ineffective. /zimages/6/28571.gif

Critics also often point out that CAN-SPAM supercedes a large number of state laws, many of which were stricter on spam. But they dont point out that it doesnt completely supercede them, specifically authorizing state jurisdiction, for example, in matters of fraud. Theres a lot of fraud in spam, and I would argue that its a bigger part of the problem than genuine commercial solicitations from legitimate companies.

Just because Im pointing out the impotence of CAN-SPAM doesnt mean I oppose it. I believe that some things are wrong and should be against the law, even if enforcement of that law is impractical. I used to pooh-pooh proposed technical changes to SMTP, also for reasons of practicality, but Im begriming to think that theyre inevitable. Once spam has strangled the usefulness out of e-mail, people will put up with inconveniences in order to make basic changes. And at that point further legislation might be useful in order to strengthen the transition.

Critics of CAN-SPAM are right that spam will get worse, but thats in spite of CAN-SPAM, not because of it. Unless large numbers of people start going to jail for spamming, or some sort of significant technological change makes spamming more difficult, you can expect the spam percentage of your mail to continue to increase. Were not at the point where people really demand something be done, but were getting there.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out eWEEK.coms Security Center at for the latest security news, views and analysis.

More from Larry Seltzer