
ASMTP and the Can-Spam Act


© ESCOM Corp. 2000-2005


"It would be a lot simpler to block viruses if only Congress would step up to the plate and require that all e-mail containing viruses have a meaningful subject and an opt-out address like they did for Can-Spam."
-- Al Donaldson, ESCOM

President Bush signed the Can-Spam Act of 2003 into law on 16 December 2003. The full name of the bill, "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003", appears to be designed mainly as a play on the product name "SPAM". The law went into effect on 1 January 2004 as Public Law 108-187. There is no official phase-in period; however, it will probably take a few months for the Federal Trade Commission (FTC) to refine its procedures.

ESCOM believes the Can-Spam Act will be largely ineffective while adding significant new burdens for ordinary use of commercial e-mail. We believe technology could have handled the spam problem much more effectively and with less disruption to the economy.

Why Not Technology?

We're disappointed that Congress rushed into an intrusive spam law without at least looking at what technology is already doing. Section 2 Paragraph (a)(12) of the bill, below, pays lip service to technology:

(12) The problems associated with the rapid growth and abuse of unsolicited commercial electronic mail cannot be solved by Federal legislation alone. The development and adoption of technological approaches and the pursuit of cooperative efforts with other countries will be necessary as well.

Businesses have been developing technological solutions to the spam problem for years. Some of these solutions are already capable of blocking from 90% to over 99% of incoming spam. The spam problem described in Section 2(a) of the bill results not from the lack of technology, but rather because internet providers and other organizations are not using available technology. Unfortunately, the bill itself does not appear to provide any incentives to speed adoption of these solutions. Instead, the Can-Spam Act will probably slow deployment by sucking the oxygen out of the technology market for several months until the public determines that Can-Spam is just another failed spam law.

So why didn't Congress at least consider spam-filtering technology as the preferred solution to the spam problem? Perhaps it is the cost of such technology. But most spam-filtering solutions, including ESCOM's ASMTP product, are competitive when you factor in the cost of dealing with spam.

ESCOM believes the spam problem is equivalent to other types of network attacks, and should be solved the same way.

It is illegal to hack web sites, but prudence dictates that administrators install firewalls to prevent their web sites from being hacked. The important thing is to prevent the attack, and then prosecute the attacker.

Principle of Self-Protection

This notion that individual sites are responsible for their own protection goes back at least to the late 1980s. The early internet protocols essentially provided connectivity and interoperability. Any computer could attempt to connect to any other computer, but there were few security incidents because there were relatively few systems on the network and everyone was accountable. Users were accountable to their administrators, and administrators were accountable to each other for their reputations. However, as the internet expanded in the late 1980s, it became apparent that organizations could no longer implicitly trust their neighbors.

For the past 15 years the internet has operated according to the principle that each organization installs whatever technical means it requires to protect its own data and operations. Firewall and router vendors provide filtering (based on IP address and ports) to block undesired connections. Operating system vendors strengthened their software. When mail server vendors saw that spammers were abusing open relaying, they responded with anti-relay protection.

In the mid to late 1990s several companies began to develop spam-filtering products. ESCOM moved from computer and network security consulting to develop a patented approach to identifying spam risks. Now there are somewhere between 70 and 300 different companies selling anti-spam technology, according to a report by Infoworld. The report cites an estimate that $150 million of venture capital was invested in spam-filtering technology during the six months before the Can-Spam Act took effect. This figure presumably does not include the various companies' internal funding of research and development activities.

These investments and products rest on two foundation principles: (1) that each organization is responsible for protecting itself, and (2) that commercial interests (the desire to make money) will provide technological solutions to technological problems. That's how it's been for about 15 years, and that's how it will continue to be, whether there are spam laws or not.

Reasons for Can-Spam

So with all this investment in spam technology, why did Congress pass the Can-Spam Act? This law appears to be the result of the following factors:

  1. Ever increasing amounts of spam. The overall percentage of spam has increased sharply since 2000, and now makes up over 50 percent of all e-mail on the internet.
  2. Ignorance of how electronic mail works and how the spammers have abused it.
  3. Ignorance about spam filtering technology. Many in Congress and the press don't seem to know it exists.
  4. Unwillingness to pay for spam filtering technology. In no other area of technology have we heard so many complaints from organizations unwilling to use available technology, and end-users unwilling to pay ISPs for spam filtering.
  5. The latest California spam law, which would have permitted only opt-in e-mail, and would have gone into effect on 1 January 2004 if not preempted by a Federal law.
  6. Pressure from the direct marketing lobby to protect bulk advertising via e-mail.
  7. Pressure from the spam law lobby (big ISPs, public interest groups, and lawyers).
  8. Elected representatives usually want to be re-elected, so they cannot afford to be accused of being against a spam law.
  9. There are more attorneys in Congress than engineers.

The prevailing opinion was that only legislation could solve the spam problem. But the track record of spam legislation is not so good.

State Spam Laws

If Can-Spam solves the spam problem, it will be a first. Spam laws have never solved the spam problem before. The first Virginia Spam Law was signed into law on 30 March 1999 and used by the big ISPs (e.g., AOL, Verizon, etc.) to sue the big spammers. These ISPs put some spammers out of business and established some new precedents, but spam generally got worse between 1999 and 2003.

The second Virginia Spam Law went into effect July 1, 2003. Its introduction implicitly admitted that the first spam law was a failure; otherwise, why would we need a second Virginia Spam Law? Under this law, the Commonwealth of Virginia takes over prosecution of big spammers, thus relieving the big ISPs of some of their legal expenses. The Virginia Attorney General recently charged two North Carolina men with felony counts of "using fraudulent means to transmit unsolicited bulk e-mail." It is too early to determine if such actions will deter other spammers.

California is also on its second spam law. S. B. 186 would have provided an opt-in regime with penalties of up to $1,000 per recipient ($1,000,000 per incident) for sending unsolicited e-mail. These penalties would apply even if the e-mail was sent from another state. We believe that mailing list operators and direct marketers should limit their mailings to those who have opted in. But it is stifling to apply these same strict requirements to targeted business e-mails, e.g., from the president of one company to the president of another, without getting explicit permission. The California law would probably have made it illegal to send on-subject responses to persons who post articles on net newsgroups or provide their e-mail address in magazine articles.

Spam law advocates have rationalized the failures of state spam laws by explaining that the spammers are often in a different state than the recipients. They called for a uniform Federal law so they could bring lawsuits against spammers in other states. But such a Federal law is not necessary for this purpose -- Verizon v. Ralsky established the precedent that a lawsuit can be brought where the spam lands, i.e., in the recipient's state, regardless of where the spam originated [source: Jon Praed, Internet Law Group, in talk at MIT Spam Conference, January 2003].

In addition to being unnecessary, a Federal spam law probably will not be sufficient, either. Most of the spam received in the US is sent from overseas. Even if one accepts the premise that a Federal spam law could control interstate spam, it is not at all obvious how a Federal spam law would stop offshore spam.

Why Can-Spam Won't

Because (1) spam laws have never solved the spam problem and (2) offshore spammers are free to ignore any U.S. law (state or federal), we believe the Can-Spam law will join the list of other failed spam legislation. Here are some more reasons:

  1. Can-Spam is an opt-out law. It was supported by the Direct Marketing Association and other advertising associations. It allows anyone to send you as many commercial e-mail messages as they like, until you opt out. Even after you opt out, they can continue to send you more unsolicited messages for up to 10 days.

  2. It appears the law may legitimize spammers that have been sued under state laws. Saul Hansell, writing in the New York Times, explains how Alan Ralsky (of Verizon v. Ralsky) plans to resume sending e-mail advertising in January 2004. According to the report, he once sent 70 million messages a day. Now with some changes to his procedures, Ralsky can be back in operation. However, even though Ralsky may be legitimate with respect to the Can-Spam Act, that won't make his spams any more palatable.

  3. Section 3 (2) of Can-Spam defines the focus of the law on commercial e-mail messages: "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." However, this does not address abusive use or even bulk use of non-commercial mail, such as political advertisements, religious advertisements, requests for contributions, or even denial-of-service attacks spewing random e-mail noise to millions of recipients. These can be every bit as annoying as commercial advertisements.

  4. It seems unlikely that offshore spammers will be deterred by the Can-Spam Act. In a Network World interview in June 2003, Ron Scelson (aka "The Cajun Spammer") said he delivers 100 million messages a day from offshore servers to avoid US laws: "As long as there's a country that lets me send mail, I'll do it." Scelson said overseas ISPs contact him with offers to use their servers. The Can-Spam law anticipates international cooperation, but this seems optimistic based on recent experience. When asked about an international global remove, Scelson replied, "The UN can't even decide where to have dinner."

  5. It does not appear that Can-Spam will do anything about "open proxy" spam sent from hijacked Microsoft systems that have been infected and are now being used (without the owner's permission). By some estimates [Washington Times Editorial page, Dec 11 2003] two thirds or more of spam is delivered this way. ASMTP's patented dialup filter can detect these client spams when they connect and either reject or quarantine the message. But it will be much more difficult for spam investigators to trace backwards through forged (or nonexistent) headers to find the actual sender. Anyone clever enough to hijack a computer for sending spam will probably not provide log files or Received lines referencing his IP address. Any progress in reducing offshore spam will probably involve significant foreign aid payments.

  6. Section 7(f)(8) of Can-Spam will limit state action while a federal action is pending. Section 8(b) preserves state laws only to the extent they relate to falsity or deception. This appears to supersede the California opt-in law while permitting aspects of the second Virginia spam law.

  7. The Can-Spam Act gives a curiously mixed message to end users. For years, the FTC and other authorities have recommended that users not reply to opt-out addresses because it (a) is ineffective and (b) confirms that the recipient's address is in use. That will continue to be the case with offshore spam, but now the FTC will presumably suggest that users should opt out from undesirable e-mail sent in the US. However, most users will probably not be able to tell whether a message originated in the US or overseas.

  8. While the title of the bill includes the word "Pornography" (apparently the "P" was necessary to complete the tortured acronym), it seems to do very little to penalize the sending of pornographic spam. The FTC may develop some labeling requirements for U.S. porno spammers, but these are unlikely to be observed by offshore spammers.

  9. The Can-Spam Act appears to give ISPs immunity in their role as access providers. Some ISPs may continue to enforce their Acceptable Use Policies (AUPs) with respect to kicking spammers off their own networks, but a more likely outcome is that most ISPs will become more tolerant of spam sent from their own networks. In that event, the only constraints would be lawsuits by the Federal Government, state governments, or other ISPs.

  10. It appears that Can-Spam has destroyed the value of an Acceptable Use Policy (AUP) as it relates to incoming spam. In Virginia, Verizon v. Ralsky established the precedent that the spammer is presumed to be aware of the recipient's AUP. But an AUP that warns against sending unsolicited e-mail to a network would appear to be unenforceable under Can-Spam.

  11. Can-Spam will not give individuals a right to sue. All actions must be initiated by the Federal Government, state governments, or by ISPs. It is not clear whether an individual business, IBM for example, would have a right of action.

  12. Section 5(a)(1) of the bill makes it illegal to materially change the 'From:' line in a message header. However, the bill curiously does not mention forging the SMTP envelope address in the MAIL FROM command.
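The distinction in point 12 is easy to see in a captured SMTP session: the envelope sender travels in the MAIL FROM command, the 'From:' line travels inside the DATA, and nothing forces the two to agree. The following Python is an added example written for this page (not ESCOM's or ASMTP's code); it parses a constructed transcript and reports whether the two sender domains match. All hostnames and addresses are placeholders.

```python
"""Compare the SMTP envelope sender (MAIL FROM) with the header From: line.

Added illustration, not ESCOM/ASMTP code. The transcript below is constructed
for this example; every host and address in it is a placeholder.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed session as a receiving server might log it: client lines are
# prefixed "C:", server replies "S:". The envelope sender and the header
# From: deliberately name different domains.
SESSION = """\
S: 220 mx.example.net ESMTP
C: HELO relay.example.org
S: 250 mx.example.net
C: MAIL FROM:<bounce-4711@bulk-sender.example.org>
S: 250 OK
C: RCPT TO:<xxx@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Customer Service" <service@trusted-brand.example.com>
C: To: xxx@example.net
C: Subject: Your account
C:
C: Hello, please review your account.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""


def parse_session(transcript):
    """Return (envelope_sender, message) from a C:/S: annotated transcript.

    The envelope sender is the address inside <...> of MAIL FROM; the message
    is everything the client sent between DATA and the terminating lone ".".
    """
    envelope, in_data, body = None, False, []
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue                        # server replies carry no sender info
        text = line[2:]
        text = text[1:] if text.startswith(" ") else text   # drop one pad space only
        if in_data:
            if text == ".":
                in_data = False             # end of DATA
            else:
                # RFC 5321 dot-unstuffing: a leading ".." stands for "."
                body.append(text[1:] if text.startswith("..") else text)
        elif text.upper().startswith("MAIL FROM:"):
            arg = text[len("MAIL FROM:"):].strip()
            envelope = arg[1:-1] if arg.startswith("<") and arg.endswith(">") else arg
        elif text.upper() == "DATA":
            in_data = True
    return envelope, message_from_string("\n".join(body))


def domain_of(address):
    """Lower-cased domain part of an address; '' for the null sender <>."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender_consistency(transcript):
    """Report envelope vs. header sender. A mismatch is a signal, not a verdict:
    legitimate bulk mail often uses a separate bounce address in MAIL FROM."""
    envelope, msg = parse_session(transcript)
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "domains_match": domain_of(envelope or "") == domain_of(header_from),
    }
```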

Interfering with Reasonable Commerce

While the Can-Spam law will probably not do much to stop spam, we believe that, if it is enforced to the letter, it will interfere significantly with legitimate business communications.

  1. John Gilmore, in a message to the Politech mailing list explains (his emphasis) that "most of its provisions apply to ALL commercial email, not just BULK commercial email." So a message typed in manually by an individual at one business and sent to a user at another business might violate the law, simply because it relates to a commercial transaction.

    In another example, John describes how an individual doing a web search for a job and then applying for it might run afoul of the law. "You've violated the bill in two different ways. You used automated means (Google) to extract an email address, and you sent commercial email advertising a service (your services)."

  2. It appears that the law will intrude even on routine interpersonal matters, for example, sending e-mail offering cars or other equipment for sale. This appears to be the case whether the sender is an employee of a commercial organization, a nonprofit organization, a government employee, or a user at an ISP.

  3. Because the professional spam (perhaps offshore, perhaps using hijacked computers) will be so difficult to trace to its original source, it seems likely that the weight of the Federal government will fall on two groups of businesses: (a) incompetent spammers operating within the US, and (b) legitimate companies who are technically noncompliant with the law.

  4. Expect Can-Spam compliance to be a growth business for law firms and consultants for the next several years. Businesses are already advertising consulting and law firms are advertising legal services to help legitimate companies avoid the trap of technical noncompliance. These products and services will be paid for by businesses who have not previously been thought of as spammers, thus adding to the cost of business and adversely affecting the economy.

  5. Section 5(a)(3) of Can-Spam requires each commercial message to have a functioning return address or comparable internet-based mechanism "capable of receiving [opt out] requests for no less than 30 days." Larger businesses will probably use an unsubscribe web page, but many smaller businesses have read-only web sites without the ability to collect opt-out information.

    Because of the requirement to provide a functioning return address, businesses that collect opt out addresses by return e-mail may now be prohibited from using standard blacklisting techniques to block mail from certain high-spam sources. (By "standard blacklisting" I refer to spam filters that drop the remote host connection immediately after it connects, based upon an IP address or domain name of the sending host.) A recipient who is offended by your commercial message might choose to opt out from anywhere in the world; if you do not accept their notice, then you're in violation of the law. For example, suppose you send a commercial message to xxx@comcast.net (to pick a user name and ISP at random), then xxx might return an opt out request from any of the following locations:

    • Case 1. Domain mail servers. If you send commercial mail to an ISP or to another company, then it seems reasonable that you should accept mail from their servers. So if you send mail to a comcast address, then you cannot block their servers.
    • Case 2. Client IPs. Clients such as c-67-166-4-44.client.comcast.net/67.166.4.44 are frequently hijacked and send a lot of spam. They are not mail servers and should not be sending e-mail. However, if you send commercial mail to a particular domain, you might get an opt out response from one of these IPs.
    • Case 3. Somewhere else. Since the bill does not say anything about where an opt-out request might be sent from, it appears that a commercial business could not block IP addresses or domains in China, Argentina, or South Africa.

    So if you send just one commercial message to a single recipient, and you provide an opt-out e-mail address in your message, then you must turn blacklisting off because the recipient of that message might try to opt out from anywhere in the world.

  6. To continue with the above point, it seems almost surreal that a law to stop spam would require commercial organizations to turn off their inbound blacklisting. If so, this would be the first law in Internet history, as far as I am aware, that says a (previously sovereign) domain may not block inbound TCP connections based on IP address/netmask and port. You could not block SMTP access in your sendmail server, in packet filters such as iptables/ipchains, or even at your router/firewall. Does this bother anyone?

  7. The high penalty for failing to remove an opt-out address from one's mailing list will probably lead to increased network abuse from overseas. Our resident skeptic asks, "How does Congress intend that businesses distinguish between actual opt out requests and forged opt out requests intended merely to disrupt desired e-mail?" This seems to be a problem whether the commercial enterprise uses a web page or an opt out e-mail address. The penalty is so high for making a mistake that businesses must cease mailing to even long-term customers, even if the e-mail address (e.g. burns@senate.gov) and sending domain (e.g., zzu.edu.cn) are clearly incompatible.

  8. Can-Spam establishes a requirement for each organization to maintain a database of recipients who have requested to opt out. A business must not send any more messages once an opt-out request has been sent to it. The law turns administrative oversights into unlawful acts.

  9. Section 9 of Can-Spam requires the Federal Trade Commission (FTC) to provide a plan and timetable for establishment of a national "Do-Not-E-mail" registry. This is in spite of a statement in August by FTC Chairman Timothy Muris that such a list won't fix the spam problem. "If such a list were established, I'd advise customers not to waste their time and effort. Unlike telemarketers or direct mail users, spammers can easily hide their identity and cross international boundaries." [Source: Associated Press article by David Ho, Aug 19, 2003].

    Another objection to such a registry is that it would serve as a database of known valid e-mail addresses to spam. This would probably result in even more spam to such addresses.

  10. The bill appears to leave the way open for a "mommy state" in which any person who is offended by any e-mail message will forward the message to the Federal Trade Commission in hopes that the sender will be fined. This would be impossible to manage since (a) the definition of spam is entirely subjective (i.e., "anything I don't want") and (b) most users either don't know how to forward spam complaints or don't have the necessary information (e.g., remote IP addresses, SMTP protocol information, etc.).

In summary, it appears Can-Spam will be ineffective against offshore spam and SMTP direct spam from hijacked computers. It burdens ordinary (non-bulk) commercial e-mail, so compliance will probably add to the cost of doing business for legitimate companies that have not been viewed as spammers before.

Some suggest that it will increase the amount of spam by permitting each company one free spam to every possible recipient, so long as they provide the correct opt-out information. And it will require a massive federal bureaucracy to manage "Do-Not-E-mail" registries and spam clearing houses.

Summary

The Can-Spam bill itself admits that problems with spam "cannot be solved by Federal legislation alone." We agree. Here are some reasons why spam filtering is necessary regardless of whether the Federal spam law is eventually signed into law:

  1. The Can-Spam Act is unlikely to deter overseas spammers.

  2. There will always be people who break laws, and technology is necessary to stop them. Hacking web sites is illegal, but prudent managers run firewalls.

  3. Technology can assist with identifying email that violates the prohibition against forging email addresses. For example, ASMTP can identify most forged addresses.

  4. Technology can also assist in maintaining the chain of control of spam evidence. Most networks require users to report spam to administrators, often without headers and other identifying information. ASMTP maintains the spam on the appliance, in its original form, under the exclusive control of administrators.

© Copyright ESCOM Corporation 2003-2005
Revised 11 May 2005


Note: "SPAM" is a registered trademark of Hormel Foods Corporation. Consequently, we refer to "spam" or "Spam" when referring to unsolicited electronic mail. ESCOM believes it is more important to respect commercial trademarks than to use the Senate's exact spelling.