Can-Spam Isn’t Doing the Job

Data compiled by MX Logic says less than 1 percent of all unsolicited e-mail complies with the law.

Compliance with the Can-Spam Act has fallen to a new low, according to recent data collected by MX Logic. In July, compliance fell for the first time to less than 1 percent -- dropping to a measly 0.54 percent of all of the unsolicited commercial mail that the company sampled during the month.

MX Logic has been tracking compliance with Can-Spam since the federal law went into effect in January. Through April, MX Logic's numbers remained stable, with about 3 percent of spam messages complying with the law's requirements, which range from verifiable return addresses to measures consumers and businesses can use to opt out of mailing lists. In May and June, however, the number slipped to 1 percent.

"Now, it's been halved," says Steve Ruskin, a senior analyst at MX Logic. "No one's really sure what's going on, but it's clear that Can-Spam isn't a threat to spammers. They're just ignoring it."

Although hard-core spammers -- the relatively small number who account for the bulk of the world's spam -- were never likely to toe the line, says Ruskin, it's possible that some spammers who were complying have stopped.

The blame, he says, could be laid on law enforcement, which hasn't been successful in tracking down spammers. Some individuals have been stymied -- most recently, a Boca Raton, Fla., resident had his assets were frozen by the courts -- but enforcement is the exception rather than the rule.

A contributing factor to the poor compliance showing could be due to the ever-expanding number of spammers. "It's possible that the same number are complying now as in January," says Ruskin, "but that as the number of spammers continues to grow, that percentage gets watered down."

One of the tools businesses and users are hoping to put into play against spam is a sender authentication standard that would prevent spammers from spoofing, or forging, addresses.

This week, the standards-setting Internet Engineering Task Force is holding meetings to discuss, among a raft of other issues, Sender ID, a scheme that combines Microsoft's proprietary Caller ID for Email idea and Sender Policy Framework, an extension of the SMTP protocol.

Sender ID and its rivals, such as Yahoo's DomainKeys, aim to slow down spam by verifying sender addresses, which would prevent spammers from hiding behind bogus addresses. If they have to use legitimate domains -- and buy their own -- spammers would be easier to track.

"We'd like to see some sort of authentication standard go forward," says Ruskin. "Like everything else, it's not a silver bullet but it could go a long way toward defeating spam."

The ITEF working group responsible for evaluating Sender ID is expected to nominate it as an Internet standard this week.

"We're giving it a pretty good chance of passing," says Ruskin, who has a company representative at the IETF meetings. "The word on the street is that everyone wants to support [Sender ID], but that some are concerned about the proprietary licensing that Microsoft wants to put in it. If someone has to fax Microsoft each time a change is proposed to the standard, that doesn't go down well with a certain group of people."

Sender ID, or at least a critical mass of some sort of authentication standard, can't come too soon for Ruskin.

During July, MX Logic's monitoring found that 84 percent of all e-mail outside corporate networks was spam, another new record.

With the spam-to-non-spam ratio just 50 percent only a year ago, Ruskin wonders where spam will stop. "Sometime next year, spam will hit the 90s," he says. "You'd like to think that there's some natural equilibrium, but unless there's a fundamental change to the framework of e-mail, we run the risk that virtually all mail will be spam."