Recipients and service providers have no option but to incur time and costs for transmitting, accessing, reviewing, storing, and discarding spam mail. Users may risk missing important mail lying buried amidst spam mails. Anti-spam filters are limited in effectiveness, as most spammers disguise the source and provide deceptive headers. Stringent filters or white-listing may result in blocking important genuine mails.
The solution to spam lies in preventing such mails rather than trying to delete or block them. Towards this end, many States enacted legislation that regulated unsolicited commercial electronic mail. Such statutes, however, imposed different standards and requirements, and left everybody confused. In 2003, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, as a federal initiative to control spam, and replace the various state laws.
The CAN-SPAM Act empowered the Federal Communications Commission (FCC) to restrict commercial email messages. While the act does not prevent businesses from sending unsolicited commercial emails, it prohibits them from:
- Placing false or misleading header information. The act requires email senders to specify the true domain and business name in the “From,” “To,” “Reply-To,” and routing information, and also provide a valid identity of a person and postal address in the message text
- Using deceptive subject lines. If the message is an ad, it should explicitly say so
- Using automated means to register for multiple e-mail accounts and send spam from such emails
- Sending sexually oriented spam without the label "Sexually Explicit"
- Email harvesting. The sender remains responsible for any email directories or lists purchased from others
- Indulging in methods such as dictionary attacks, IP address spoofing, hijacking computers through Trojan horses or worms, or using open mail relays to send spam
The act also requires providing recipients with an opt-out option to block future mails. The opt-out needs to remain valid for at least 30 days, and senders need to honor opt-out requests within 10 business days, without charging any fees.
These provisions apply to commercial messages that advertise or promote a commercial product or service, but do not apply to “transactional or relationship” messages (notices to facilitate a transaction already agreed to, such as statements about an existing account or warranty information) or to non-commercial messages, such as religious messages and messages about candidates for public office.
The CAN-SPAM Act is the natural extension of the Telephone Consumer Protection Act (TCPA) that established the National Do-Not-Call list and prevented telemarketers from calling up people listed in such registry. The opt-out provision in CAN-SPAM is a similar feature for electronic mail.
Although the CAN-SPAM Act is intended to preempt or replace the various state anti-spam laws, state laws prohibiting fraudulent or deceptive acts and computer crimes remain. Thirty-seven states have anti-spam laws that regulate unsolicited electronic mail advertising. Such laws mostly target fraudulent mails, but a few states such as Virginia apply such laws to unsolicited bulk e-mail regardless of whether the content is genuine or fraudulent.
Some spam emails may also come under the purview of Title 18 of the United States Code dealing with mail fraud. The law treats as a criminal offense any scheme that attempts to obtain money or valuables through unlawful means and in which the postal system finds use at any point.
Each separate email in violation of the CAN-SPAM Act may attract a penalty of up to $16,000. This is besides any prison sentence the court may decide. The first lawsuit based on this act was filed against a company, Phoenix Avatar, and four associated individuals on charges of sending hundreds of thousands of spam emails advertising a diet patch and hormone products. The first conviction, however, occurred in November 2004, when Nicholas Tombros was sentenced to three years' probation, six months' house arrest, and a $10,000 fine for hijacking wi-fi connections and using them to send porn spam.
Laws, however, do little to reduce spam, for much of the spam originates from outside the USA. The European Union adopted a "Privacy and Electronic Communications" Directive in 2002 that specifically covered sending unsolicited commercial email, but not all member states have enacted local laws to bring this into effect. The bulk of spam anyway originates from Eastern Europe and parts of Asia where there are no anti-spam laws, and in fact spam may be legal! US courts have tried and convicted foreign nationals for spamming in the US, but nothing much has come out of that.
The recent battle against the Coreflood botnet exposes the limitations of laws. In April 2011, the FBI took down the Coreflood servers located within the USA after obtaining permission from the United States District Court of Connecticut, but Coreflood continues to thrive globally.
CAN-SPAM and other legislation do not prevent spam, and many internet activists opine that the act actually gave federal approval to the practice. As of now, users have no option but to live with spam and try their best to deflect it from their inbox.