IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Cybersecurity

States, Companies Begin to Can Spam

Despite low compliance levels, the CAN-SPAM Act does provide enforcement capabilities and has helped to galvanize government and industry efforts to curb spam

July 27, 2010 • 
News Report
One year after the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act went into effect, on average 97 percent of unsolicited commercial e-mail over the past year failed to comply with the federal anti-spam law, e-mail security firm MX Logic found.

"While we applaud the intent of the CAN-SPAM Act, clearly it has had no meaningful impact on the unrelenting flow of spam that continues to clog the Internet and plague inboxes," said Scott Chasin, CTO, MX Logic. "In fact, the overall volume of spam increased in 2004 and we fully anticipate continued growth in 2005."

On average, spam accounted for 77 percent of all e-mail traffic through the MX Logic Threat Center in 2004.

MX Logic has measured CAN-SPAM compliance each month since the law went into effect by examining a random sample of 10,000 unsolicited commercial e-mails each week. During 2004, monthly compliance ranged from a low of 0.54 percent in July to a high of seven percent in December.

2004: The Year in Spam
"Despite low compliance levels, the CAN-SPAM Act does provide enforcement capabilities and has helped to galvanize government and industry efforts to curb spam," Chasin said. "Unfortunately, ending the spam epidemic will require a long-term, ongoing effort that, in addition to the law, must also include technology, industry cooperation to improve authentication and security protocols, and end-user education."

In 2004, the CAN-SPAM Act and state anti-spam laws have been used to pursue criminal prosecution and civil action against spammers.

On March 20, four major Internet Service Providers filed the first lawsuits under CAN-SPAM.

In April, Michigan conducted the first criminal prosecution under the CAN-SPAM Act, issuing arrest warrants for four men charged with sending out hundreds of thousands of fraudulent, unsolicited commercial e-mail messages advertising a weight-loss product.

In September, Nicholas Tombros, the "wireless spammer," became the first person convicted under the CAN-SPAM Act.

In November, Jeremy Jaynes, considered one of the top 10 spammers in the world, was sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers.

Canning SPAM:
Key Events in the Fight Against Spam

January
The CAN-SPAM Act goes into effect on Jan. 1. While the law does not prohibit unsolicited commercial e-mail, it does require that unsolicited commercial e-mail senders:
  • Ensure that the "FROM" line clearly reflects the sender's identity
  • Include subject line text consistent with message content
  • Include the advertiser's valid postal address
  • Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial e-mail from the sender

March
Hypertouch, a California-based ISP, files the first civil lawsuit under CAN-SPAM against the owner of BobVila.com.

On March 20, America Online, EarthLink, Microsoft and Yahoo! file the first major ISP lawsuits under CAN-SPAM.

The Internet Engineering Task Force (IETF) creates a working group to examine Mail Transfer Agent (MTA) authentication, including examination of proposals for the domain name system (DNS) publication of data that allow validation of Internet Protocol (IP) address or envelope originator header data for SMTP MTAs.

April
Michigan conducts the first criminal prosecution under the CAN-SPAM Act, issuing arrest warrants for four men charged with sending out hundreds of thousands of fraudulent, unsolicited commercial e-mail messages advertising a weight-loss product.

May
Federal Trade Commission (FTC) issues a ruling requiring all unsolicited e-mail with sexually oriented content to bear the label "SEXUALLY-EXPLICIT:" in the subject line.

Microsoft agrees to merge its Caller ID for e-mail anti-spam proposal with another of the leading domain authentication schemes, Sender Policy Framework (SPF),
  • to form SenderID.

    June
    Only one in six e-mails complies with the FTC "SEXUALLY-EXPLICIT" label.

    FTC issues "National Do Not E-mail Registry: A Report to Congress" on the feasibility of creating a Do Not E-mail registry. Among the report's conclusions are that a registry would be nearly impossible to implement today and could create a target for spammers. The report calls for a summit on e-mail authentication.

    July
    CAN-SPAM compliance reaches a low of 0.54 percent, while 84 percent of all e-mail traffic through the MX Logic Threat Center is spam.

    August
    As part of Operation Web Snare, the U.S. Attorney's office in Los Angeles announces it filed charges against Nicholas Tombros for sending unsolicited e-mail advertising pornographic Web sites from his laptop computer while driving through Venice, Calif., and using unsecured wireless access points to disseminate spam.

    September
    Nicholas Tombros, the "wireless spammer," becomes the first person convicted under the CAN-SPAM Act.

    Sixteen percent of spammers have adopted the Sender Policy Framework (SPF) e-mail authentication scheme in an effort to make their messages appear more legitimate.

    IETF disbands its MTA Authorization Records in DNS (MARID) Working Group, which was tasked with developing an e-mail authentication standard to prevent e-mail forgery. The working group failed to achieve consensus support for the SenderID e-mail authentication proposal (a merger of Microsoft's Caller ID proposal and Sender Policy Framework).

    November
    FTC and the National Institute of Standards and Technology convene an E-mail Authentication Summit.

    Jeremy Jaynes, considered one of the top 10 spammers in the world, is sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers.

    December
    A Maryland judge overturns the state's anti-spam law (2002 Commercial Electronic Mail Act), ruling that it interferes with interstate commerce.

    In the largest judgment against a spammer to date, a federal judge in Iowa orders three companies to pay an ISP $1 billion in damages.

    MX Logic reports CAN-SPAM compliance hits an all-time high of 7 percent.


Looking Ahead to 2005

In addition to continued growth in spam volume, MX Logic outlined several predictions for 2005.
  • The Increase in number of phishing attacks and in attack sophistication
    Gartner estimates that 57 million U.S. adults received a "phishing" attack e-mail in the 12 months prior to May 2004(1). MX Logic expects phishing attacks to increase in frequency and sophistication in 2005. Phishers will use trojans to launch phishing attacks by redirecting users to phony Web sites and soliciting account numbers and other personal financial information. As a result, Web browsers will likely add anti-phishing technology in 2005.

    In an effort to prevent phishing attacks and online identity theft, financial institutions will move toward two-factor authentication tokens and smartcards meaning users will be required to have a password as well as a token or smartcard to conduct online financial transactions. In December 2004, the Federal Deposit Insurance Corporation called on financial institutions to upgrade existing password-based, single-factor authentication systems to two-factor authentication systems. Many consumers use something similar today in banking ATM cards.

  • New methods of e-mail-distributed denial-of-service (DDoS) attacks
    In 2004, many e-mail users were exposed to MyDoom, the fastest-propagating e-mail worm in history. At the peak of the MyDoom outbreak, the MX Logic Threat Center reported infection rates of one in every six e-mails. Part of the worm's call to action included initiating a denial-of-service attack against the domain sco.com.

    To date, denial-of-service attacks have been targeted primarily at Web sites. In 2005, new methods will aim to flood SMTP e-mail infrastructures, resulting in large-scale denial-of-service attacks that compromise e-mail networks.
      • the FTC "SEXUALLY-EXPLICIT" label.

        FTC issues "National Do Not E-mail Registry: A Report to Congress" on the feasibility of creating a Do Not E-mail registry. Among the report's conclusions are that a registry would be nearly impossible to implement today and could create a target for spammers. The report calls for a summit on e-mail authentication.

        July
        CAN-SPAM compliance reaches a low of 0.54 percent, while 84 percent of all e-mail traffic through the MX Logic Threat Center is spam.

        August
        As part of Operation Web Snare, the U.S. Attorney's office in Los Angeles announces it filed charges against Nicholas Tombros for sending unsolicited e-mail advertising pornographic Web sites from his laptop computer while driving through Venice, Calif., and using unsecured wireless access points to disseminate spam.

        September
        Nicholas Tombros, the "wireless spammer," becomes the first person convicted under the CAN-SPAM Act.

        Sixteen percent of spammers have adopted the Sender Policy Framework (SPF) e-mail authentication scheme in an effort to make their messages appear more legitimate.

        IETF disbands its MTA Authorization Records in DNS (MARID) Working Group, which was tasked with developing an e-mail authentication standard to prevent e-mail forgery. The working group failed to achieve consensus support for the SenderID e-mail authentication proposal (a merger of Microsoft's Caller ID proposal and Sender Policy Framework).

        November
        FTC and the National Institute of Standards and Technology convene an E-mail Authentication Summit.

        Jeremy Jaynes, considered one of the top 10 spammers in the world, is sentenced to nine years in prison under Virginia's anti-spam law for sending millions of spam messages to America Online customers.

        December
        A Maryland judge overturns the state's anti-spam law (2002 Commercial Electronic Mail Act), ruling that it interferes with interstate commerce.

        In the largest judgment against a spammer to date, a federal judge in Iowa orders three companies to pay an ISP $1 billion in damages.

        MX Logic reports CAN-SPAM compliance hits an all-time high of 7 percent.


    Looking Ahead to 2005

    In addition to continued growth in spam volume, MX Logic outlined several predictions for 2005.
    • The Increase in number of phishing attacks and in attack sophistication
      Gartner estimates that 57 million U.S. adults received a "phishing" attack e-mail in the 12 months prior to May 2004(1). MX Logic expects phishing attacks to increase in frequency and sophistication in 2005. Phishers will use trojans to launch phishing attacks by redirecting users to phony Web sites and soliciting account numbers and other personal financial information. As a result, Web browsers will likely add anti-phishing technology in 2005.

      In an effort to prevent phishing attacks and online identity theft, financial institutions will move toward two-factor authentication tokens and smartcards meaning users will be required to have a password as well as a token or smartcard to conduct online financial transactions. In December 2004, the Federal Deposit Insurance Corporation called on financial institutions to upgrade existing password-based, single-factor authentication systems to two-factor authentication systems. Many consumers use something similar today in banking ATM cards.

    • New methods of e-mail-distributed denial-of-service (DDoS) attacks
      In 2004, many e-mail users were exposed to MyDoom, the fastest-propagating e-mail worm in history. At the peak of the MyDoom outbreak, the MX Logic Threat Center reported infection rates of one in every six e-mails. Part of the worm's call to action included initiating a denial-of-service attack against the domain sco.com.

      To date, denial-of-service attacks have been targeted primarily at Web sites. In 2005, new methods will aim to flood SMTP e-mail infrastructures, resulting in large-scale denial-of-service attacks that compromise e-mail networks.


    • Rise in frequency of spam without economic profit
      E-mail-borne propaganda from domestic political organizations and from foreign entities such as Al Qaeda affiliates will increase in frequency and in boldness. June 2004 saw the first use of a spambot network (a network of hijacked computers used to send spam) to propagate political spam with the appearance of German spam denouncing the presence of Turks and other foreigners in Germany. More than 25 variants of this "hate mail" flooded the Internet. Political spam is not covered by the CAN-SPAM Act.

      Growth in zombies for hire
      In 2005, an expanded number of distributed zombie spam networks will be built and rented out by spammers, providing the infrastructure for a significant increase in the volume of spam that can be distributed. MX Logic discovered that in recent weeks, as much as 69 percent of daily spam came from zombie PCs.

      Increasing pressure on service providers to keep networks free from spam and other unwanted and malicious e-mail. A recent survey found that 58 percent of 1,006 consumer respondents said ISPs needed to work harder to protect their customers from unwanted e-mail. MX Logic predicts that in 2005, service providers will come under continued pressure to provide end users with clean bandwidth much the same way that water utility companies are expected to provide potable water.

      (1) Gartner FirstTake, "Phishing Attack Victims Likely Targets for Identity Theft," Avivah Litan, 4 May 2004.
News Report
See More Stories by News Report
Sign up for GovTech Today

Delivered daily to your inbox to stay on top of the latest state & local government technology trends.
gov-footer-logo-2024.png
gt-footer-logo.png
ii-footer-logo.png
nav-footer-logo.png
cdg-footer-logo.png
cde-footer-logo.png
cpsai-footer-logo.png
em-footer-logo.png