© ESCOM Corp. 2000-2005
"It would be a lot simpler to block viruses if only Congress would step up to the plate
and require that all e-mail containing viruses have a meaningful subject and an opt-out address
like they did for Can-Spam."
-- Al Donaldson, ESCOM
President Bush signed the
Can-Spam Act of 2003 into law on 16 December 2003.
The full name of the bill, "Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003", appears to have been chosen mainly as a play on the
product name "SPAM".
The law went into effect on 1 January 2004 as
Public Law 108-187.
There is no official phase-in period; however, it will probably take a few months
for the Federal Trade Commission (FTC) to refine its procedures.
ESCOM believes the Can-Spam Act will be largely ineffective
while adding significant new burdens for ordinary use of commercial e-mail.
We believe technology could have handled the spam problem much more effectively
and with less disruption to the economy.
Why Not Technology?
We're disappointed that Congress rushed into an intrusive spam law
without at least looking at what technology is already doing.
Section 2 Paragraph (a)(12) of the bill, below, pays lip service to technology:
(12) The problems associated with the rapid growth and abuse of
unsolicited commercial electronic mail cannot be solved by Federal
legislation alone. The development and adoption of technological
approaches and the pursuit of cooperative efforts with other
countries will be necessary as well.
Businesses have been developing technological solutions to the spam problem for years.
Some of these solutions are already capable of blocking from 90% to over 99% of incoming spam.
The spam problem described in Section 2(a) of the bill
results not from the lack of technology,
but rather because internet providers and other organizations are not using available technology.
Unfortunately, the bill itself does not appear to provide any incentives to speed adoption of these solutions.
Instead, the Can-Spam Act will probably slow deployment by sucking the oxygen out of the technology market
for several months until the public determines that Can-Spam is just another failed spam law.
So why didn't Congress at least consider spam-filtering technology
as the preferred solution to the spam problem?
Perhaps it is the cost of such technology.
But most spam-filtering solutions,
including ESCOM's ASMTP product,
are competitive once you factor in the
cost of dealing with spam.
ESCOM believes the spam problem is equivalent to other types of network attacks,
and should be solved the same way.
It is illegal to hack web sites,
but prudence dictates that administrators install firewalls
to prevent their web sites from being hacked.
The important thing is to prevent the attack,
and then prosecute the attacker.
Principle of Self-Protection
This notion that individual sites are responsible for their own protection
goes back at least to the late 1980s.
The early internet protocols essentially provided connectivity and interoperability.
Any computer could attempt to connect to any other computer,
but there were few security incidents because there were relatively few systems
on the network and everyone was accountable.
Users were accountable to their administrators, and administrators
were accountable to each other for their reputations.
However, as the internet expanded in the late 1980s, it became apparent
that organizations could no longer implicitly trust their neighbors.
For the past 15 years the internet has operated according to the principle
that each organization installs whatever technical means it requires
to protect its own data and operations.
Firewall and router vendors provide filtering (based on IP address and ports)
to block undesired connections.
Operating system vendors strengthened their software.
When mail server vendors saw that spammers were abusing open relaying,
they responded with anti-relay protection.
In the mid to late 1990s several companies began to develop spam-filtering products.
ESCOM moved from computer and network security consulting
to develop a patented approach to identifying spam risks.
Now there are somewhere between 70 and 300 different companies selling
anti-spam technology, according to a report by
The report cites an estimate that $150 million dollars of venture capital were
invested in spam filtering technology during the six months
before the Can-Spam Act took effect.
This figure presumably does not include the various companies' internal funding of
research and development activities.
These investments and products rest on two foundation principles:
(1) That each organization is responsible for protecting itself and,
(2) That commercial interests (the desire to make money) will provide
technological solutions to technological problems.
That's how it's been for about 15 years and that's how it will continue to be,
whether there are spam laws or not.
Reasons for Can-Spam
So with all this investment in spam technology,
why did Congress pass the Can-Spam Act?
This law appears to be the result of the following factors:
Ever increasing amounts of spam.
The overall percentage of spam has increased sharply since 2000,
and now makes up over 50 percent of all e-mail on the internet.
Ignorance of how electronic mail works and how the spammers have abused it.
Ignorance about spam filtering technology.
Many in Congress and the press don't seem to know it exists.
Unwillingness to pay for spam filtering technology.
In no other area of technology have we heard so many complaints
from organizations unwilling to use available technology,
and end-users unwilling to pay ISPs for spam filtering.
The latest California spam law, which would have permitted only opt-in e-mail,
and would have gone into effect on 1 January 2004
if not preempted by a Federal law.
Pressure from the direct marketing lobby
to protect bulk advertising via e-mail.
Pressure from the spam law lobby (big ISPs, public interest groups, and lawyers).
Elected representatives usually want to be re-elected, so they cannot afford to be accused
of being against a spam law.
There are more attorneys in Congress than engineers.
The prevailing opinion was that only legislation could solve the spam problem.
But the track record of spam legislation is not so good.
State Spam Laws
If Can-Spam solves the spam problem, it will be a first.
Spam laws have never solved the spam problem before.
The first Virginia Spam Law
was signed into law on 30 March 1999
and used by the big ISPs (e.g., AOL, Verizon, etc.) to sue the big spammers.
These ISPs put some spammers out of business and established some new precedents,
but spam generally got worse between 1999 and 2003.
The second Virginia Spam Law went into effect July 1, 2003.
Its introduction implicitly admitted that the first spam law was a failure;
otherwise, why would we need a second Virginia Spam Law?
Under this law, the Commonwealth of Virginia takes over prosecution of big spammers,
thus relieving the big ISPs of some of their legal expenses.
The Virginia Attorney General recently charged two North Carolina men with felony counts of
"using fraudulent means to transmit unsolicited bulk e-mail."
It is too early to determine if such actions will deter other spammers.
California is also on its second spam law.
S. B. 186 would have
provided an opt-in regime with penalties of up to $1,000 per recipient
($1,000,000 per incident) for sending unsolicited e-mail.
These penalties would apply even if the e-mail was sent from another state.
We believe that mailing list operators and direct marketers
should limit their mailings to those who have opted in.
But it is stifling to apply these same strict requirements to targeted
business e-mails, e.g., from the president of one company to the president
of another, without getting explicit permission.
The California law would probably have made it illegal to send on-subject responses
to persons who post articles on net newsgroups or provide their e-mail address
in magazine articles.
Spam law advocates have rationalized the failures of state spam laws
by explaining that the spammers are often in a different state than the recipients.
They called for a uniform Federal law so they could bring lawsuits against spammers
in other states.
But such a Federal law is not necessary for this purpose -- Verizon v. Ralsky
established the precedent that a lawsuit can be brought where the spam lands,
i.e., in the recipient's state,
regardless of where the spam originated [source: Jon Praed, Internet Law Group,
in talk at MIT Spam Conference, January 2003].
In addition to being unnecessary, a Federal spam law probably will not be sufficient, either.
Most of the spam received in the US is sent from overseas.
Even if one accepts the premise that a Federal spam law could control interstate spam,
it is not at all obvious how a Federal spam law would stop offshore spam.
Why Can-Spam Won't
Because (1) spam laws have never solved the spam problem and
(2) offshore spammers are free to ignore any U.S. law (state or federal),
we believe the Can-Spam law will join the list of other failed spam legislation.
Here are some more reasons:
Can-Spam is an opt out law.
It was supported by the Direct Marketing Association and other advertising associations.
It allows anyone to send you as many commercial email messages as they like, until you opt out.
Even after you opt out, they can continue to send you more unsolicited messages for up to 10 days.
It appears the law may legitimize spammers that have been sued under state laws.
A report in the New York Times explains how Alan Ralsky (of Verizon v. Ralsky)
plans to resume sending e-mail advertising in January 2004.
According to the report, he once sent 70 million messages a day.
Now with some changes to his procedures, Ralsky can be back in operation.
However, even though Ralsky may be legitimate with respect to the Can-Spam Act,
that won't make his spams any more palatable.
Section 3 (2) of Can-Spam defines the focus of the law on commercial e-mail messages:
"any electronic mail message the primary purpose of which is the
commercial advertisement or promotion of a commercial product or service."
However, this does not address abusive use or even bulk use of non-commercial mail,
such as political advertisements, religious advertisements,
requests for contributions, or even denial-of-service attacks
spewing random e-mail noise to millions of recipients.
These can be every bit as annoying as commercial advertisements.
It seems unlikely that offshore spammers will be deterred by the Can-Spam Act.
In a Network World interview in June 2003,
Ron Scelson (aka "The Cajun Spammer") said he delivers 100 million
messages a day from offshore servers to avoid US laws:
"As long as there's a country that lets me send mail, I'll do it."
Scelson said overseas ISPs contact him with offers to use their servers.
The Can-Spam law anticipates international cooperation,
but this seems optimistic based on recent experience.
When asked about an international global remove, Scelson replied,
"The UN can't even decide where to have dinner."
It does not appear that Can-Spam will do anything about "open proxy"
spam sent from hijacked Microsoft Windows systems that have been infected
and are now being used as relays without the owner's permission.
By some estimates [Washington Times Editorial page, Dec 11 2003]
two thirds or more of spam is delivered this way.
ASMTP's patented dialup filter can detect these client spams when they connect
and either reject or quarantine the message.
But it will be much more difficult for spam investigators to trace backwards
through forged (or nonexistent) headers to find the actual sender.
Anyone clever enough to hijack a computer for sending spam will probably
not provide log files or Received lines referencing his IP address.
Any progress in reducing offshore spam will probably involve significant
foreign aid payments.
Section 7(f)(8) of Can-Spam will limit state action while a federal action is pending.
Section 8(b) preserves state laws only to the extent they relate to falsity or deception.
This appears to supersede the California opt-in law while
permitting aspects of the second Virginia spam law.
The Can-Spam Act gives a curiously mixed message to end users.
For years, the FTC and other authorities have recommended that users
not reply to opt-out addresses because it
(a) is ineffective and (b) confirms that the recipient's address is in use.
That will continue to be the case with offshore spam,
but now the FTC will presumably suggest that users should opt out
from undesirable e-mail sent in the US.
However, most users will probably not be able to tell whether a message
originated in the US or overseas.
While the title of the bill includes the word "Pornography"
(apparently the "P" was necessary to complete the tortured acronym),
it seems to do very little to penalize the sending of pornographic spam.
The FTC may develop some labeling requirements for U.S. porno spammers,
but these are unlikely to be observed by offshore spammers.
The Can-Spam Act appears to give ISPs immunity in their role as access providers.
Some ISPs may continue to enforce their Acceptable Use Policies (AUPs)
with respect to kicking spammers off their own networks,
but a more likely outcome is that most ISPs will become more tolerant of spam
sent from their own networks.
In that event, the only constraints would be lawsuits by the Federal Government,
state governments, or other ISPs.
It appears that Can-Spam has destroyed the value of an Acceptable Use Policy (AUP)
as it relates to incoming spam.
In Virginia, Verizon v. Ralsky established the precedent that the spammer is presumed
to be aware of the recipient's AUP.
But an AUP that warns against sending unsolicited e-mail to a network
would appear to be unenforceable under Can-Spam.
Can-Spam will not give individuals a right to sue.
All actions must be initiated by the Federal Government, state governments, or by ISPs.
It is not clear whether an individual business, IBM for example, would have a right of action.
Section 5(a)(1) of the bill makes it illegal to materially change the "From:" line in a message header.
However, the bill curiously does not mention forging the SMTP envelope sender
given in the MAIL FROM command, which is a separate field, transmitted before the
message headers, that the receiving server logs and to which bounces are returned.
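The two passages above (tracing backwards through forged or missing Received lines, and the header "From:" versus the SMTP envelope MAIL FROM) come down to the same parsing problem, so here is one added example, written for this page and not ESCOM's or ASMTP's code. It takes a constructed SMTP transaction as our own receiving server saw it: the envelope sender from MAIL FROM, the IP that actually connected, and the message data. The hostnames (mail.escom.example, mx1.example.net, relay.bigcorp.example) and addresses are assumptions in documentation ranges. It reports the envelope/header domain mismatch, and walks the Received chain top-down, trusting a hop only while the "by" host is one of ours, which is the point at which an investigator's trace stops.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample transaction, as our own receiving server (mail.escom.example,
# an assumed hostname) saw it. The envelope sender comes from the SMTP MAIL FROM
# command; the From: line and the lower Received: lines arrive inside DATA and
# are whatever the sender chose to put there.
CONNECTING_IP = "203.0.113.45"
ENVELOPE_FROM = "bounce-91f3@mailer.example.net"
OUR_HOSTS = {"mail.escom.example"}

RAW_MESSAGE = b"""\
Received: from mx1.example.net (mx1.example.net [203.0.113.45])
\tby mail.escom.example with ESMTP id 1234
\tfor <user@escom.example>; Tue, 06 Jan 2004 10:00:00 -0500
Received: from relay.bigcorp.example (relay.bigcorp.example [198.51.100.7])
\tby mx1.example.net with ESMTP id 9876; Tue, 06 Jan 2004 09:59:30 -0500
Received: from [10.0.0.5] by relay.bigcorp.example; Tue, 06 Jan 2004 09:59:00 -0500
From: "Customer Service" <support@bigcorp.example>
To: user@escom.example
Subject: Special offer

Buy now.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw=RAW_MESSAGE):
    return message_from_bytes(raw)


def sender_identities(envelope_from, msg):
    """Compare the envelope sender (MAIL FROM) with the header From: address.
    Returns (envelope_domain, header_domain, mismatch)."""
    env_dom = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_addr = parseaddr(msg.get("From", ""))[1]
    hdr_dom = hdr_addr.rsplit("@", 1)[-1].lower() if "@" in hdr_addr else ""
    return env_dom, hdr_dom, env_dom != hdr_dom


def parse_received(msg):
    """Each Received: line as (claimed_host, bracketed_ip_or_None, by_host),
    most recent hop first, in the order the lines appear in the message."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", raw)        # unfold the header
        m = RECEIVED_RE.search(value)
        if not m:
            hops.append((None, None, None))
            continue
        claimed, comment, by = m.groups()
        ipm = IP_RE.search(comment or "") or IP_RE.search(claimed)
        hops.append((claimed, ipm.group(1) if ipm else None, by))
    return hops


def classify_hops(msg, our_hosts=OUR_HOSTS):
    """Walk the chain top-down. A hop is trusted only while the 'by' host is one
    of ours; everything beneath the first foreign hop was supplied by the sender
    and may be forged or missing. Returns (claimed_host, ip, status) per hop."""
    out, trusted = [], True
    for claimed, ip, by in parse_received(msg):
        if by is None or by.lower() not in our_hosts:
            trusted = False
        out.append((claimed, ip, "trusted" if trusted else "unverified"))
    return out


def last_verifiable_ip(msg, connecting_ip=CONNECTING_IP, our_hosts=OUR_HOSTS):
    """The one address an investigator can rely on: the IP our own server logged
    at connect time. If our own top Received line disagrees with the socket,
    the socket wins."""
    for _claimed, ip, status in classify_hops(msg, our_hosts):
        if status == "trusted" and ip == connecting_ip:
            return ip
    return connecting_ip


if __name__ == "__main__":
    msg = parse_message()
    print("envelope vs header:", sender_identities(ENVELOPE_FROM, msg))
    for hop in classify_hops(msg):
        print(hop)
    print("trace stops at:", last_verifiable_ip(msg))
```

Run against the sample, the second and third hops come back "unverified": nothing below our own Received line can be checked, which is why a hijacked client that writes no honest Received line at all leaves the investigator with only the connecting IP. A mismatch between envelope and header domains is not proof of forgery on its own (mailing lists and bounce-tracking senders do it routinely), but it is the first thing to record when the "From:" line is what the law regulates.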
Interfering with Reasonable Commerce
While the Can-Spam law will probably not do much to stop spam,
we believe if it is enforced to the letter of the law
it will interfere significantly with legitimate business communications.
John Gilmore, in a message to the
Politech mailing list
explains (his emphasis) that
"most of its provisions apply to ALL commercial email,
not just BULK commercial email."
So a message typed in manually by an individual at one business
and sent to a user at another business might violate the law,
simply because it relates to a commercial transaction.
In another example, John describes how an individual doing a web search
for a job and then applying for the job might run afoul of the law:
"You've violated the bill in two different ways.
You used automated means (Google) to extract an email address,
and you sent commercial email advertising a service (your services)."
It appears that the law will intrude even on routine interpersonal matters,
for example, sending e-mail offering cars or other equipment for sale.
This appears to be the case whether the sender is an employee of a commercial organization,
a nonprofit organization, a government employee, or a user at an ISP.
Because the professional spam (perhaps offshore, perhaps using hijacked computers)
will be so difficult to trace to its original source,
it seems likely that the weight of the Federal government will fall on
two groups of businesses:
(a) incompetent spammers operating within the US, and
(b) legitimate companies who are technically noncompliant with the law.
Expect Can-Spam compliance to be a growth business for law firms and consultants
for the next several years.
Businesses are already advertising consulting and law firms are advertising legal services
to help legitimate companies avoid the trap of technical noncompliance.
These products and services will be paid for by businesses who have not
previously been thought of as spammers, thus adding to the cost of business
and adversely affecting the economy.
Section 5(a)(3) of Can-Spam requires each commercial message to have
a functioning return address or comparable internet-based mechanism
"capable of receiving [opt out] requests for no less than 30 days."
Larger businesses will probably use an unsubscribe web page,
but many smaller businesses have read-only web sites without the ability
to collect opt-out information.
Because of the requirement to provide a functioning return address,
businesses that collect opt out addresses by return e-mail
may now be prohibited from using standard blacklisting techniques
to block mail from certain high-spam sources.
(By "standard blacklisting" I refer to spam filters that
drop the remote host connection immediately after it connects,
based upon an IP address or domain name of the sending host.)
A recipient who is offended by your commercial message might choose
to opt out from anywhere in the world;
if you do not accept their notice, then you're in violation of the law.
For example, suppose you send a commercial message to email@example.com
(to pick a user name and ISP at random); then that recipient might return an opt-out
request from any of the following locations:
- Case 1. Domain mail servers.
If you send commercial mail to an ISP or to another company,
then it seems reasonable that you should accept mail from their servers.
So if you send mail to a comcast address, then you cannot block
- Case 2. Client IPs.
Clients such as c-67-166-4-44.client.comcast.net/18.104.22.168
are frequently hijacked and send a lot of spam.
They are not mail servers and should not be sending e-mail.
However, if you send commercial mail to a particular domain,
you might get an opt out response from one of these IPs.
- Case 3. Somewhere else.
Since the bill does not say anything about where an opt-out request might
be sent from, it appears that a commercial business could not
block IP addresses or domains in China, Argentina, or South Africa.
So if you send just one commercial message to a single recipient,
and you provide an opt-out e-mail address in your message,
then you must turn blacklisting off because the recipient of that
message might try to opt out from anywhere in the world.
To continue with the above point, it seems almost surreal that a law
to stop spam would require commercial organizations to turn off
their inbound blacklisting.
If so, this would be the first law in Internet history that I am
aware of that says a (previously sovereign) domain may not
block inbound TCP connections based on IP address/netmask and port.
You could not block SMTP access in your sendmail server,
in packet filters such as iptables/ipchains,
or even at your router/firewall. Does this bother anyone?
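To make the "standard blacklisting" described above concrete, and the client-IP case with it, here is an added example (written for this page, not ASMTP's dialup filter or any ESCOM code). The networks, reverse-DNS names and the opt-out mailbox are constructed assumptions. It shows the connect-time decision a blacklist makes before MAIL FROM or RCPT TO are known, the same block expressed as iptables rules for the router/firewall layer, and one way to keep the blacklist on while still accepting mail for the opt-out address: defer the decision to RCPT TO and route the opt-out mailbox into quarantine instead of dropping the connection. That last part is a design choice for the example, not something the page or the Act prescribes.

```python
import ipaddress
import re

# Constructed blacklist of networks we refuse SMTP connections from, as a
# firewall or MTA access list would hold it (documentation ranges, not real
# spam sources).
BLACKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Reverse-DNS naming typical of dial-up / cable-modem client pools. Such hosts
# are not mail servers; mail arriving directly from them is held for review.
# Constructed patterns, not ASMTP's rules.
DYNAMIC_PTR = re.compile(r"(^|[.-])(client|dhcp|dialup|dyn|ppp|pool)[.-]", re.I)

# Assumed mailbox named in our outbound commercial mail as the opt-out address.
OPTOUT_MAILBOX = "optout@escom.example"


def connect_verdict(ip, ptr):
    """What a connect-time blacklist decides before MAIL FROM / RCPT TO are seen:
    'reject' (drop the TCP connection), 'quarantine' or 'accept'.
    ptr is the connecting host's reverse-DNS name, or None if it has none."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLACKLIST):
        return "reject"
    if ptr and DYNAMIC_PTR.search(ptr):
        return "quarantine"
    return "accept"


def rcpt_verdict(ip, ptr, rcpt_to):
    """Deferring the decision to RCPT TO keeps the blacklist on for every
    recipient except the opt-out mailbox, which is accepted into a quarantine
    queue regardless of origin. The price is giving up the cheap connect-time
    drop for anything aimed at that one mailbox."""
    verdict = connect_verdict(ip, ptr)
    if verdict == "reject" and rcpt_to.lower() == OPTOUT_MAILBOX:
        return "quarantine"
    return verdict


def iptables_rules(chain="INPUT"):
    """The same blacklist as iptables rules on port 25, the firewall-level
    block the text says the opt-out requirement would forbid."""
    return [f"iptables -A {chain} -p tcp --dport 25 -s {net} -j DROP" for net in BLACKLIST]


if __name__ == "__main__":
    samples = [  # constructed connection attempts: (ip, reverse DNS, RCPT TO)
        ("198.51.100.9", "mail.bulkhost.example", "sales@escom.example"),
        ("198.51.100.9", "mail.bulkhost.example", OPTOUT_MAILBOX),
        ("192.0.2.44", "c-192-0-2-44.client.example.net", OPTOUT_MAILBOX),
        ("203.0.113.200", "mx2.example.net", "sales@escom.example"),
    ]
    for ip, ptr, rcpt in samples:
        print(ip, ptr, rcpt, "->", connect_verdict(ip, ptr), "/", rcpt_verdict(ip, ptr, rcpt))
    print("\n".join(iptables_rules()))
```

Note what the deferral costs: a connection from a blacklisted network is now held open through HELO, MAIL FROM and RCPT TO before it can be refused, and the iptables rules cannot be used at all on the host that serves the opt-out mailbox. Putting that mailbox on its own host or IP keeps the firewall block intact everywhere else.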
The high penalty for failing to remove an opt-out address from one's mailing list
will probably lead to increased network abuse from overseas.
Our resident skeptic asks, "How does Congress intend that businesses
distinguish between actual opt out requests and
forged opt out requests intended merely to disrupt desired e-mail?"
This seems to be a problem whether the commercial enterprise uses a web page
or an opt out e-mail address.
The penalty is so high for making a mistake
that businesses must cease mailing to even long-term customers,
even if the e-mail address (e.g. firstname.lastname@example.org) and
sending domain (e.g., zzu.edu.cn) are clearly incompatible.
Can-Spam establishes a requirement for each organization to maintain a database
of recipients who have requested to opt out.
A business must not send any further commercial messages once it has received an opt-out request.
The law turns administrative oversights into unlawful acts.
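The skeptic's question above, how a sender is to tell a real opt-out request from a forged one, has an engineering answer that the page does not give, so this added example supplies one (written for this page, not ESCOM's code, and not a claim about what the Act requires): make the opt-out address itself unforgeable by binding it to the recipient with an HMAC, so that a request is honored only if it carries the tag that was mailed to that recipient, whatever address or country it arrives from. The secret key, the recipient database, the "optout+" address form and the domain escom.example are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Assumptions for this example: a per-sender secret (rotate it in production),
# the recipient database the Act obliges a sender to keep, and an opt-out
# mailbox at an assumed domain. All values are constructed.
SECRET = b"constructed-demo-key-not-for-production"
OPTOUT_DOMAIN = "escom.example"
SENT_LIST = {"r1042": "user@example.com", "r1043": "president@bigcorp.example"}
SUPPRESSED = set()


def _token(recipient_id):
    """96-bit HMAC-SHA256 tag binding the opt-out address to one recipient."""
    material = f"{recipient_id}|{SENT_LIST[recipient_id].lower()}".encode()
    mac = hmac.new(SECRET, material, hashlib.sha256).digest()[:12]
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def optout_address(recipient_id):
    """Per-recipient opt-out address to place in the outgoing message, e.g.
    optout+r1042.<tag>@escom.example. The same tag can sit in a web link
    for senders who use an unsubscribe page instead."""
    return f"optout+{recipient_id}.{_token(recipient_id)}@{OPTOUT_DOMAIN}"


def process_optout(rcpt_to):
    """Handle the RCPT TO of an inbound message to the opt-out mailbox. Requests
    with an unknown id or a tag that does not verify are ignored, whatever
    sending address or domain they came from; a valid one suppresses that
    recipient. Returns ('suppressed', address) or ('ignored', reason)."""
    local, _, domain = rcpt_to.partition("@")
    if domain.lower() != OPTOUT_DOMAIN or not local.startswith("optout+"):
        return ("ignored", "not an opt-out address")
    rid, _, tag = local[len("optout+"):].partition(".")
    if rid not in SENT_LIST:
        return ("ignored", "unknown recipient id")
    # constant-time compare; encode so a non-ASCII tag cannot raise instead of failing
    if not hmac.compare_digest(tag.encode(), _token(rid).encode()):
        return ("ignored", "bad token")
    SUPPRESSED.add(SENT_LIST[rid].lower())
    return ("suppressed", SENT_LIST[rid])


def may_send(recipient):
    """Check the suppression list before every commercial send."""
    return recipient.lower() not in SUPPRESSED


if __name__ == "__main__":
    addr = optout_address("r1042")
    print(addr)
    print(process_optout(addr), may_send("user@example.com"))
    print(process_optout("optout+r1043.AAAAAAAAAAAAAAAA@escom.example"),
          may_send("president@bigcorp.example"))
```

The tag proves that whoever sent the request held the message, not that it was the recipient personally, so a forwarded message can still be used to opt its recipient out; for a suppression list that is the right failure direction, since wrongly stopping mail is cheap and wrongly continuing it is what the Act penalizes. What the tag does remove is the blind forgery the skeptic describes: a request for an address that was never mailed, or one that guesses the "optout+" form, is ignored without any judgment about where it came from.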
Section 9 of Can-Spam requires the Federal Trade Commission (FTC)
to provide a plan and timetable for establishment of a
national "Do-Not-E-mail" registry.
This is in spite of a statement in August 2003 by FTC Chairman Timothy Muris
that such a list won't fix the spam problem:
"If such a list were established, I'd advise customers not to waste
their time and effort.
Unlike telemarketers or direct mail users, spammers can easily hide
their identity and cross international boundaries."
[Source: Associated Press article by David Ho, Aug 19, 2003].
Another objection to such a registry is that it would serve as
a database of known valid e-mail addresses to spam.
This would probably result in even more spam to such addresses.
The bill appears to leave the way open for a "mommy state"
in which any person who is offended by any e-mail message will forward
the message to the Federal Trade Commission in hopes that the sender
will be fined.
This would be impossible to manage since
(a) the definition of spam is entirely subjective (i.e., "anything I don't want") and
(b) most users either don't know how to forward spam complaints or don't have the
necessary information (e.g., remote IP addresses, SMTP protocol information, etc.).
In summary, it appears Can-Spam will be ineffective against offshore spam
and SMTP direct spam from hijacked computers.
It burdens ordinary (non-bulk) commercial e-mail,
so compliance will probably add to the cost of doing business for
legitimate companies that have not been viewed as spammers before.
Some suggest that it will increase the amount of spam by
permitting each company one free spam to every possible recipient,
so long as they provide the correct opt-out information.
And it will require a massive federal bureaucracy to manage
"Do-Not-E-mail" registries and spam clearing houses.
The Can-Spam bill itself admits that problems with spam
"cannot be solved by Federal legislation alone."
Here are some reasons why spam filtering is necessary regardless of
the Federal spam law:
The Can-Spam Act is unlikely to deter overseas spammers.
There will always be people who break laws, and technology is necessary to stop them.
Hacking web sites is illegal, but prudent managers run firewalls.
Technology can assist with identifying email that
violates the prohibition against forging email addresses.
For example, ASMTP can identify most forged addresses.
Technology can also assist in maintaining the chain of control of spam evidence.
Most networks require users to report spam to administrators,
often without headers and other identifying information.
ASMTP maintains the spam on the appliance, in its original form,
under the exclusive control of administrators.
© Copyright ESCOM Corporation 2003-2005
Revised 11 May 2005
"SPAM" is a registered trademark of
Hormel Foods Corporation.
Consequently, we refer to "spam" or "Spam"
when referring to unsolicited electronic mail.
ESCOM believes it is more important to respect commercial trademarks
than to use the Senate's exact spelling.