One Year After Law, Spam Still Out of the Can

By David McGuire, washingtonpost.com Staff Writer

The nation’s first law aimed at curtailing junk e-mail earned a mixed report card after a year on the books as few spammers faced legal action and recent surveys showed that spam makes up an even larger proportion of online messages.

Signed into law Dec. 16, 2003, the Can-Spam Act made it illegal to falsify the “from” and “subject” lines of e-mail solicitations. It also required senders of bulk e-mail to include a working “unsubscribe” link in their messages and to honor consumers’ requests to be taken off their mailing lists. The law doesn’t allow individual e-mail users to sue spammers — an omission decried by anti-spam activists — but it did open the door for state attorneys general and ISPs to mount a legal offensive.

The nation’s big four e-mail providers — America Online, Microsoft, Yahoo and Earthlink — were among the most ardent supporters of the law, and wasted no time using the new provisions. In March, the four firms fired off a barrage of lawsuits targeting some of the most prolific spammers on their respective networks. The providers announced another round of suits in October.

On the criminal front, a Virginia jury in November recommended a nine year jail term for a North Carolina man who became the first ever person convicted for felony spamming. The man was convicted under Virginia’s spam law, which is similar to the federal legislation but with stiffer penalties.

“We’ve seen great progress made,” said Sen. Conrad Burns (news, bio, voting record) (R-Mont.), Can-Spam’s original sponsor in Congress. “It’s been a great first step, and as we look ahead it’s important that the [government] utilizes the tools in place to … effectively stem the tide of this unwanted burden.”

Still, through all the courtroom activity and the media attention it generated, spam levels rose in 2004, by almost all accounts. At the beginning of 2003, spam accounted for about 50 percent of all e-mail, according to Postini, a Redwood City, Calif.-based anti-spam firm that scans about 400 million e-mail messages a day for its clients. By the time Can-Spam passed at the end of 2003, that figure had grown to roughly 75 percent. Throughout 2004, spam accounted for 75 to 80 percent of all e-mail, said Chris Smith, Postini’s senior director of product marketing.

Denver-based MX Logic reported similar numbers, saying spam accounted for roughly 77 percent of the messages it scanned in 2004. In December 2003, the month before Can-Spam took effect, MX Logic reported that spam accounted for 67 percent of messages. MX Logic also tracked the number of spam messages that were complying with Can-Spam’s extensive labeling rules and found that only about 3 percent of them met the law’s requirements.

John Levine, author of “The Internet for Dummies” and operator of a small ISP in Trumansburg, N.Y., said the figures are damning. “It [Can-Spam] didn’t work. It’s been utterly useless. I haven’t seen spam decline. I haven’t seen spammers even make nominal efforts to comply with Can-Spam,” Levine said. “They clearly don’t think they’ll be caught.”

But Michael Osterman, president of Osterman Research Inc., a Black Diamond, Wash.-based research firm that specializes in the e-mail and instant-messaging industry, said the failure really isn’t the fault of lawmakers.

“As a law it’s pretty well written. The problem is that spam is almost like drugs — a law isn’t going to have an effect. This whole spamming industry is very shadowy,” Osterman said. The underlying technology of e-mail makes it extremely easy for spammers to hide their identities by using dozens of tricks, including sending messages from the computers of innocent Internet users who’ve had their computers compromised by viruses.

As a result, most of the e-mail industry has turned its attention toward technology, rather than litigation, as the primary means for combating spam, Osterman said.

Dave Baker, vice president of law and public policy at Earthlink, said that despite Earthlink’s aggressive use of Can-Spam, technological solutions to the spam problem remain the company’s main focus.

“You’ve got to stop [spam] from getting to the customers’ machines. If you’re suing a spammer, you’re going after them for damage that’s already been done,” Baker said. “The biggest single element remains technology solutions. None of these companies are relying solely on litigation.”

Each of the four major e-mail providers is involved in a nationwide effort to develop e-mail “authentication” technology that would make it harder for spammers to disguise their messages.

And while Can-Spam may be a failure so far from the standpoint of consumers, whose inboxes haven’t gotten any cleaner in the year since the law passed, that doesn’t mean it’s having no effect, said Anne Mitchell, executive director of the Institute for Spam and Internet Public Policy.

“It’s given prosecutors some very good tools, and if they wield them properly they can be successful,” Mitchell said. “It was never about making spammers stop, it was about making what they were doing illegal so we could force them to stop. There’s never ‘instant anything’ when you pass a new law. Look at any of the civil rights laws — it’s not like they passed and suddenly we had a utopian society.”

The lone bright spot in the fight against spam appears to be America Online. In December, the nation’s largest e-mail provider reported a drop-off both in the volume of e-mail hitting its network and in the amount of spam delivered to users’ inboxes in 2004. AOL fielded 1.6 billion e-mail messages in 2004, down from 2.1 billion in 2003, which AOL attributes almost entirely to a decrease in the amount of spam hitting its network.

“We think the primary reason that spam is down on the service is because of our spam filtering, but we also absolutely believe that the federal Can-Spam law has had a deterrent effect,” AOL spokesman Nicholas Graham said. He pointed out that AOL is based in Virginia, home to the nation’s stiffest anti-spam law and first convicted spam felon.

Graham acknowledged that AOL has no way of measuring what portion of the drop-off can be attributed to legislative efforts. And if the laws have scared some spammers away from AOL, the effect hasn’t carried over to the online population at large, Postini’s Smith said. “It’s quite possible that that’s only true about the AOL domain. We’re not seeing that trend on a whole across the Internet.”

Yahoo, Earthlink and Microsoft have not released end-of-year spam statistics.

Tim Murtaugh, a spokesman for Virginia Attorney General Jerry W. Kilgore (R), said while the effects may not have trickled down to users yet, the state and federal laws will eventually take their toll on spammers.

“The people out there who are the spam kingpins, I’m certain that they’re aware of what we’re doing here. I’m sure it will have at least a psychological impact in that they know we’re serious,” Murtaugh said. “We predict that it will make people have second thoughts. I don’t think they ever thought what they were doing was going to land them in jail.”