Antispam law still not making a difference, says survey

The number of spam campaigns continues to rise, despite a new US antispam law that went into effect in January, according to a survey released by antispam supplier Commtouch Software.

Part of the problem with the new Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act is that 40% of spam e-mail comes from outside the US, said Avner Amram, Commtouch executive vice-president.

Commtouch's spam detection centre does not measure the total number of spam messages sent, but the number of spam "outbreaks", which the company defines as the bulk sending of one spam message. Outbreaks rose from about 350,000 per day at the end of 2003 to about 400,000 per day in March, Amram said.

"There is certainly not a slowdown in volume," Amram said.

Commtouch has also seen more "phishing" scams targeting e-mail users. Phishing scams typically send a fraudulent e-mail to customers, telling them they have to update their credit card numbers at an e-commerce site. The phishing e-mail directs customers to a bogus website that mimics the look of the real e-commerce site, and the spammers harvest credit card numbers from the unsuspecting customers.

Can-Spam requires that spam e-mail include a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism and a relevant subject line.

In January, Commtouch found only 1% of spam e-mails it surveyed complied with Can-Spam. The proportion of e-mails complying with the law has risen to 3.5%, according to Commtouch.

The problem with the Can-Spam law is that of the one million spam messages Commtouch tracked in March, 40% came from outside the US, spread across internet protocol addresses in 152 nations, said Commtouch. The highest offender outside the US was China, with 6% of spam coming from IP addresses there. South Korea generated 5% of spam tracked by Commtouch, Canada generated 4% and Brazil 3%.

Backers of the Can-Spam law said eventual prosecutions under the law may help curb the amount of spam. The US Federal Trade Commission (FTC) and US state attorneys general have authority to bring civil complaints against spammers, resulting in fines up to $6m (£3.2m). The law also has criminal penalties of up to five years in jail for spammers who violate such provisions as hacking into someone else's computer to send spam, and falsifying header information in bulk spam.

The FTC is pursuing cases against spammers, but spammers use false header information and open relays to hide their identities. "We have said it is very difficult to find spammers," said an FTC spokeswoman. "That is why spam cases are resource intensive and are not very quick."

Amram agreed that spam prosecutions could help Can-Spam enforcement. "Certainly, it is going to help because when people hear about enforcement, they will be afraid," he said. "It is not going to help to the maximum extent because there are many ways Can-Spam cannot be enforced."

Fred O'Connor writes for IDG News Service