Spam Slayer: FTC's CAN-SPAM Report Card

Tip of the Month: Don't let your PC become a zombie. Industry experts estimate that 60 percent of all spam is sent from zombie PCs whose owners have no idea their PCs are being used for such purposes. Keep your antivirus definitions current to protect your machine from becoming a zombie. Still worried your PC is infected? Get a second opinion by having your Windows XP computer scanned at Microsoft's Live Safety Center.

The federal government's two-year-old antispam law is helping to cut back on unsolicited bulk e-mail, but more must be done to fight the problem. Those are the conclusions of a Federal Trade Commission report, released today, on how well the law is working.

The 116-page report, titled "Effectiveness and Enforcement of the CAN-SPAM Act," is the FTC's first assessment of federal antispam efforts since the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) took effect. It touts the FTC's accomplishments, outlines new challenges, and advocates passage of an additional law that would give the FTC broader authority to go after international spammers.

But at least some spam experts were prepared to greet the FTC's report with skepticism. "I'm not expecting the FTC to talk about successes, because I don't think it really can trumpet any," says Jordan Ritter, founder of the antispam and secure-messaging firm Cloudmark.

But the FTC's report claims some inroads have been made. The agency notes that it has filed more than 20 lawsuits alleging that spammers violated CAN-SPAM; an additional 30 suits have been filed by the Department of Justice, state attorneys general, and various Internet service providers.

While the FTC does not take credit for recent spam trends, the report outlined several positive developments over the last two years. It cites a study by the e-mail security firm MX Logic that found that spam accounted for 67 percent of e-mail messages during the first eight months of 2005, a 9 percent decrease from spam levels during the same period a year earlier. America Online, the FTC mentions, says its members received 75 percent less spam in 2004 than in 2003, thanks to enhanced antispam technologies.

However, the FTC did not cite another MX Logic study that reported that only about 4 percent of all e-mails are compliant with CAN-SPAM regulations, compared with 3 percent in 2004.

The FTC cited other indications that the fight against spam is working. It noted, for example, that the number of legitimate online marketers complying with CAN-SPAM has increased. Also, the number of spam messages containing sexually explicit material has dropped significantly.

The FTC says antispam technology, including commercial software and ISP tools, has helped reduce the amount of spam that reaches both business and home inboxes. "These developments suggest that spam has not, as once feared, destroyed the promise of email," the FTC report states.

The FTC report does acknowledge that the Commission hasn't made a dent in some e-mail problems. Spam sent from outside the United States continues to plague U.S. e-mail users. More troubling, writes the FTC, is the trend of hackers using spam as a vehicle to propagate malicious code (called malware). "Rather than merely advertising products and services, spam messages now sometimes include 'malware' designed to harm the recipient," the FTC writes.

E-mail messages with worms such as Sobig, MyDoom, and Bagle have been found to contain malicious code that allows remote attackers to take over infected machines, unbeknownst to the owners of these PCs.

Attackers will often then turn those PCs into so-called zombie PCs. According to the anti-malware firm Sophos, 60 percent of all spam emanates from zombie PCs whose owners have no idea their computers are being used for such purposes.

Also troubling the FTC is the rise in "phishing," in which e-mail messages try to induce people to click on links to phony versions of Web sites, such as financial sites, where they are then duped into handing over personal financial information. The FTC concedes that CAN-SPAM does not address this type of spam message, but it points out that other antifraud laws do.

The FTC report suggests three measures to further improve the effectiveness of CAN-SPAM.

First, private-sector technology to combat spam is essential. "As Congress found when enacting CAN-SPAM, the spam problem cannot be solved by legislation alone; technological approaches and international cooperation are key," the report states.

Second, the FTC is backing efforts to make it harder for spammers to hide their identity. The FTC says it will work to get the tech industry to deploy domain-level authentication that would make it more difficult for someone to register a domain name with fake information.

"The appreciable inaccuracy of data in domain name registrars' 'Whois' databases and registrars' failure to verify the accuracy of information submitted by registrants continue to hamstring law enforcement," the FTC report says.

The FTC is also backing a bill called the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act of 2005 (US SAFE WEB Act of 2005). The FTC says in its report that the "US SAFE WEB Act would enhance the agency's ability to combat illegal spam sent from overseas."

Although a recent Sophos report found that the United States remains the world's biggest source of spam, only 27 percent of global spam originates from within its borders. South Korea comes in second, responsible for 18 percent of global spam, followed by China, which sends 17 percent.

Among the key provisions of the US SAFE WEB bill are expansion of investigative cooperation between U.S. and foreign law enforcement agencies; increased authority for the FTC to track the proceeds of fraud and deception that are sent through U.S. banks to foreign jurisdictions; and authorization for the FTC to work with the Department of Justice to increase the FTC's leverage in FTC-related foreign litigation, such as the ability to freeze foreign assets and enforce U.S. court judgments abroad.

The Senate Commerce Committee approved US SAFE WEB last week; the bill now proceeds to the full Senate.

The CAN-SPAM Act made it a violation of federal law to send many of the e-mail messages hawking herbal Viagra and get-rich-quick schemes that have been clogging our inboxes. Two years after its passage, all indications are that CAN-SPAM has had little impact on spam volume, with many of us receiving nearly as much junk e-mail as we did before the law was passed.

CAN-SPAM does give the government and private industry a legal framework to go after spammers in the United States, says Gregg Mastoras, Sophos senior security analyst. However, Mastoras believes that CAN-SPAM suffers from a major flaw: It allows a business to send commercial e-mail until a recipient opts out and tells the sender to stop. Mastoras says that until marketers have to get your express permission before they can send you their pitches, spam will continue to be a problem.

Others, including Ritter, don't feel that laws can ever effectively fight spam, even within the United States. "It takes laws years to become effective. It takes days or weeks for the newest Internet e-mail threat to wreak havoc," Ritter says.

Perhaps not surprisingly, antispam firms say spam filters do more than laws to stop spam from reaching our inboxes. Sophos estimates that spam makes up 95 to 98 percent of our e-mail, and that we never see that spam because a spam filter successfully blocks it. Cloudmark's Ritter estimates that the industry as a whole blocks about 90 percent of spam before it reaches our inboxes.

The problem is that with spam volumes on the rise, even if only 2 percent of spam gets past the filters, that's still a lot of spam, Mastoras says.

Ritter says we may never turn the corner on spam. Spam is something we'll have to live with, he says: "As long as there is e-mail, there will be spam."