acm-header
Sign In

Communications of the ACM

Communications of the ACM

Compliance with the CAN-SPAM Act of 2003


In December 2003, U.S. President George W. Bush signed into law the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (S.877), more commonly referred to as the CAN-SPAM Act of 2003.1 One major criticism of the CAN-SPAM Act is that it was never intended to eliminate or even reduce unsolicited commercial email (UCE) messages [1, 2]. UCE is now estimated to be 60% of all email [10] and better known by most email users as spam. Instead, the Act was intended to set specifications for how email advertisers can legally distribute UCE messages and specifically commercial email messages containing pornographic text and images.

Despite being 21 single-spaced pages long, the CAN-SPAM Act places surprisingly few restrictions on advertisers for the distribution of unsolicited commercial email messages. Specifically:

  • Advertisers are prohibited from "harvesting" email addresses from Web sites or newsgroups;
  • Advertisers are prohibited from illegally using (that is, without permission) a third-party computer to relay spam messages;
  • Email messages cannot contain false or misleading header information (header spoofing);
  • Advertisers must use a legitimate return email address in all UCE messages they send; the return email address must remain active for 30 days from the date the message was sent;
  • UCE messages cannot contain deceptive subject lines;
  • UCE messages must be clearly marked as advertisements;
  • Each UCE message must contain an "opt-out";
  • Each UCE message must include a physical address of the advertiser; and
  • Pornographic or sexually explicit messages must be clearly labeled as such [5].

As spammers are reticent about revealing why they have not yet fully complied with CAN-SPAM or with any other guidelines for distributing marketing email messages, it is pure speculation to try to determine their motives. But a good guess could be that many of the guidelines would make it easier for anti-spam filtering programs to identify spam email messages and filter them before they reach users' desktops. For example, several U.S. states such as Arizona, Colorado, Illinois, and Indiana, prior to CAN-SPAM, enacted laws stating that all email advertisements contain the subject line prefix "ADV:". Having this type of red flag identifying all spam messages would make even the weakest anti-spam filtering programs virtually 100% effective at blocking spam. Mandating subject lines that are not misleading or deceptive would have almost the same effect as the "ADV:" prefix. Likewise, having to include an opt-out in every message and having to remove from their mailing lists every email user who asks to be removed means eventually spammers would be greatly reducing the size of their mailing lists and potentially their incomes.

Since the CAN-SPAM Act was passed by the U.S. Congress in November 2003 and signed into law that December, the question remains: were email advertisers in compliance after approximately six months? Were they in compliance after two years? Numerous Web sites [9], consulting firms [12], and even the Federal Trade Commission [7] quickly began providing advice to advertisers on what they needed to do to comply with the new federal law.

For this study, initially more than 1,100 UCE messages were randomly selected from all UCE messages received by five email accounts during the sixth month of CAN-SPAM's existence. Messages were grouped by common UCE categories and examined for compliance with the specifications of the CAN-SPAM Act. A follow-up analysis, which examined more than 800 UCE messages to see if email advertisers had improved their level of compliance with CAN-SPAM, was performed two years later.


The Act was intended to set specifications for how email advertisers can legally distribute UCE messages and specifically commercial email messages containing pornographic text and images.


If the critics are correct, the level of compliance with the CAN-SPAM act will be low. In contrast, the FTC's Do Not Call Registry, which was designed to reduce the number of telemarketing phone calls to consumers, reported that six months after its inception 92% of consumers who registered reported a reduction in the number of telemarketing calls and 25% of consumers who registered reported receiving no telemarketing calls [6].

Back to Top

Method

A total of 1,133 email messages were randomly selected and examined from approximately 4,800 email messages received by five different email accounts—the author's university and personal accounts, plus three additional accounts created through Yahoo Mail from June 1–June 30, 2004. In 2006, from Sept. 10–Oct. 10, 801 email messages from the author's university and personal accounts were selected from more than 1,900 UCE messages received.

The 1,934 (1,133 from 2004 and 801 from 2006) UCE message ads to be examined were grouped into 91 separate categories (including online pharmacies, auto warranties, pornography, online dating services, diploma mills, real estate, health insurance, and others) according to the products or services being advertised. The top five categories for the largest number of ads received were online pharmacies (20%), mortgage refinancing (9.7%), investment/financial services (9.0%), male sexual enhancement products such as Viagra and Cialis (8.7%), and discount computer software (6.9%).

The following categories of spam and spam-type email messages were excluded from the sample:

  • Email messages written in a language other than English; the vast majority of the messages in this category were Cyrillic;
  • Obvious scams, such as phishing2 scams (for example, PayPal, Citibank, eBay; see Figure 1), scams purportedly by deposed African officials escaping with $30 million they are willing to share, and others (these were excluded because technically they do not fit the definition of "commercial email" since they are not attempts to sell a service or product but instead are attempts to defraud the recipients);
  • Blank email messages; and
  • Duplicate email messages—duplicates received in the same day (these were excluded so as not to inflate the numbers against or favoring compliance).

Each email message was examined for CAN-SPAM compliance from the perspective of a typical user, looking to see if:

  • The content of the email message could be determined by viewing the subject line, for example, was the subject line descriptive of the advertisement or was the subject line misleading or deceptive;
  • The email message contained the physical address of the advertiser;
  • The email message contained a functional opt-out;
  • The email message contained a sexually explicit message and was identified as such.

The header information of each email message was not examined to see if the message contained any false or misleading information since it is relatively easy and common to include or use a valid email address hijacked or "borrowed" from an unsuspecting victim [10]. The purpose of this study was to examine email compliance from the point of view of the average user, and most email users do not have the knowledge or expertise to examine email headers for validity. Valid header information is of more interest to Internet Service Providers (ISPs) since they would ordinarily use this information to set up email spam filtering.

The first task was to look at the subject line of each message to see if it could be determined from the subject line alone the content of the message, or more specifically, what product or service the ad was selling. The CAN-SPAM Act specifically states that subject lines cannot be misleading. In the criteria of this study each subject line was examined to try to determine if the subject line specifically states what the product or service is that is being offered, or if there were any key words indicating the product or service being promoted. For example, if an ad for an online pharmacy contained the name of a well-known drug such as Viagra, Vioxx, or Vicodin—even if the spelling was distorted as they often are by spammers in an attempt to confuse anti-spam filtering programs (VI@gra, CIAlli$, v10xx, VhAGRA...)—the subject line was listed as identifiable for the product or service being marketed.

Back to Top

Results and Discussion

The first aspect of compliance examined was compliance with CAN-SPAM's insistence that subject lines not be misleading or deceptive. In this study it was found that in the 1,133 UCE messages examined from 2004, the product or service could not be determined from reading the subject line in 55.2% of the email messages (see Table 1). For example, the following five subject lines are from actual email message ads from this study:

  • "out?"
  • "It's not a dream"
  • "Quc this lit a fire under me"
  • "Re: so what's the deal?"
  • "Flight#5658 Arriving in Bermuda"

The first three subject lines accompanied ads for online pharmacies; the fourth subject line was for a software ad; the fifth subject line was from a mortgage-refinancing ad.

In examining the 801 email messages received in 2006, 52.7% contained subject lines that in no way identified or indicated what products the advertisers were attempting to sell.


The compliance issue that most email users and anti-spam advocates are concerned about is the inclusion of an opt-out in the ad.


This criterion can be somewhat subjective since it is somewhat dependent on the email user being aware of certain products in certain categories of advertised products such as pharmaceuticals, automobile models, and so on. But the CAN-SPAM Act is vague regarding what constitutes a misleading or deceptive subject line. It does not list or describe how much information a subject line must contain to accurately identify the product or service being advertised. This point may eventually be taken up either in an amendment to CAN-SPAM or by a federal court.

Another requirement of CAN-SPAM is that advertisers include a "valid physical postal address of the sender" [5]. In examining advertisers' compliance with the provision that all UCE messages include the physical address of the advertiser, compliance in the sample comes up short. In this study only 33.8% of all the email messages received in 2004 contained the advertiser's physical address. Out of the 66.2% that were non-compliant (see Table 1), another 1.7% instead listed a P.O. Box instead of a physical address and the remainder had no address listed at all. Among the email messages received in 2006, only 10.4% listed a physical address, and 0.6% instead listed a P.O. Box.

The compliance issue that most email users and anti-spam advocates are concerned about [10] is the inclusion of an opt-out in the ad. An opt-out is some means of relaying back to the advertiser that the user does not wish to receive any additional ads. Once again the authors of the CAN-SPAM Act did not specify what constitutes an opt-out mechanism and various opt-out mechanisms were found to be in use. Most of the functional opt-outs examined were in the form of a hypertext link (URL) to a Web page on the advertiser's server, where users could enter their email address in a simple online input form, press enter or click on some type of submit button for submission to the advertiser's exclusion database (see Figure 2). Some variations on this opt-out mechanism included:

  • Web pages/forms that automatically included the user's email address; and
  • "mailto:" links that force the email user to manually send an email message back to the advertiser (1.5%) to be removed from the advertiser's database.

In examining opt-outs, each apparent opt-out was tested to see if it was functional or just a link to a non-existent or non-functional server. It was found in the sample of 1,133 email ads received in 2004 that only 35.5% included a functional opt-out (34% were hyperlinks, 1.5% were "mailto:" links). Of the remaining 64.5%, 39% did not include any type of opt-out, and 25.5% included a non-functional opt-out linked to a non-existent or non-functional server. In the 801 email ads received in 2006, only 11.5% included a functional opt-out (8.9% were hyperlinks, 2.6% were "mailto:" links). Out of the 88.5% of the ads that did not include a functional opt-out, 87.1% did not include any type of opt-out and 1.4% included a non-functional opt-out link (see Figure 3).

When each of the preceding compliance criteria were looked at together—descriptive subject line, physical postal address, and a functional opt-out—compliance levels dropped even further. Overall, out of the 1,133 email messages received in 2004 only 162 or 14.3% met all three of these simple compliance criteria. When the 801 ads received in 2006 were examined the compliance rate dropped to 5.7%, with only 46 of the 801 email ads in compliance with all three criteria.

When the 91 individual categories for the email messages were examined it was found that no category seemed to have a monopoly on the compliance criteria. Online pharmacies made up the largest number of ads received, but their compliance rate was only 0.56% (1 out of 179) for ads received in 2004 and 0.0% for ads received in 2006. Table 2 shows the compliance rates for the top 10 largest categories of ads examined for both periods.

The final compliance criterion examined was whether sexually explicit ads were labeled as such. In the sample of ads from 2004, 44 ads were examined that were deemed sexually explicit or pornographic in nature.3 Only 9 of the 44 (20.45%) sexually explicit ads were identified as such. In the 2006 sample, nine ads were deemed sexually explicit and only one was identified as such (11.1%). As for compliance along the three previously mentioned criteria for this study only three of the 44 (6.82%) sexually explicit ads in the 2004 sample were in compliance with the examination criteria previously described. In the 2006 sample 0.0% were in compliance with the previously mentioned criteria.

Back to Top

Conclusion

The results of this study clearly indicate that compliance with the CAN-SPAM Act six months after its enactment was very low with only 14.3% of email messages meeting even the minimum standards of compliance listed in this study. Two years after the enactment of CAN-SPAM the overall compliance rate was down even further to only 5.7%.

Armed with CAN-SPAM, U.S. authorities have taken action against violators and since January 2004 more than 50 federal arrests have been made against alleged violators of CAN-SPAM [8]. But apparently the threat of federal prosecution has not been a very strong deterrent: by all indications the amount of spam has continued to increase since the enactment of CAN-SPAM [3, 4].

Litigation or the threat of litigation by ISPs also does not appear to be much of a deterrent. The first federal suit filed under the CAN-SPAM Act was filed in March 2003 by HyperTouch, a California-based ISP against BobVila.com and its marketing agent BlueStream Media. The suit alleges the spammer, BlueStream Media, sent out email message ads with forged email header information in an attempt to prevent the messages from being traced back to BlueStream [1].

While the CAN-SPAM Act continues to receive much criticism, critics still contend it is a good legislative first start [10]. What is needed many critics contend, if this legislation will ever have a chance at controlling spam [11], is an amendment to strengthen its perceived weaknesses. High on this list are the vague descriptions for how advertisers are to comply with its specifications.

But many in the IT industry believe that legislation alone will not solve the spam problem. Strong legislation may be a good start at stemming the tidal wave of spam but some IT experts believe the only effective method for eliminating spam is by initiating some type of email tax that will remove the financial incentive that motivates spammers [11]. Considering the technical and logistical problems associated with an email tax, how practical or feasible it is to implement one is left to be determined.

Back to Top

References

1. Asaravala, A. ISP files first Can-Spam lawsuit. Wired News (Mar. 6, 2004); www.wired.com/news/politics/0,1283,62559,00.html.

2. Asaravala, A. Taking a second shot at spammers. Wired News (Apr. 23, 2004); www.wired.com/news/politics/0,1283,63181,00.html.

3. Associated Press. `Can-Spam' cops can arrest (Apr. 29, 2004).

4. Brightmail Spam Percentages and Spam Categories, Spam Statistics 2004; www.brightmail.com/spamstats.html.

5. Burns, C. and Wyden, R. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003), (S.877), 2003.

6. Federal Trade Commission. Compliance with Do Not Call Registry exceptional (Feb. 13, 2004).

7. Federal Trade Commission. The CAN-SPAM Act: Requirements for commercial emailers (Apr. 2004).

8. Garretson, C. CAN-SPAM works but still needs more muscle says attorney. Network World (Mar. 31, 2006).

9. Jennings, J. Complying with CAN-SPAM: A 10-point checklist for marketers. ClickZ Experts (Jan. 29, 2004); www.clickz.com/experts/em_mkt/opt/article.php/3305101.

10. Sipior, J.C., Ward, B.T., and Bonner, P.G. Should spam be on the menu? Commun. ACM 47, 6 (June 2004), 59–63.

11. Weiss, A. Ending spam's free ride. netWorker 7, 2 (June 2003), 18–24.

12. Wilson, R.F. How to comply with the CAN-SPAM Act of 2003. Web Marketing Today 131 (Dec. 3, 2003).

Back to Top

Author

Galen A. Grimes (gag5@psu.edu) is an assistant professor in the College of Information Sciences and Technology at Penn State University in McKeesport, PA.

Back to Top

Footnotes

1Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Sec. 8. Effect on Other Laws, (b) State Law, (1) In General.

2Phishing is an online term for scams that send bulk email to users purportedly from an institution attempting to rectify a security lapse. In reality it is an attempt to dupe unsuspecting users into revealing confidential information. Surprisingly, approximately 5% of email recipients fall prey to such scams. An example is an email message supposedly from officials at Citibank claiming the user must go to a designated Web site and re-enter their account information and ATM PIN number. The fake site and email are designed to look like they are legitimate, but are used only to capture as much data as possible for the perpetrator of the scam. Such scams have also duped users into believing they are being sent from eBay and PayPal.

3The discrepancy in numbers between identified sexually explicit or pornographic ads and advertisements for pornography can be explained simply by stating that an ad can be advertising pornography without itself being pornographic. An ad was deemed pornographic if it contained sexually explicit language or images. The inclusion of particular words did not automatically categorize an ad as pornographic.

Back to Top

Figures

F1Figure 1. Example phishing message.

F2Figure 2. Example opt-out mechanism.

F3Figure 3. Non-functional opt-out link message.

Back to Top

Tables

T1Table 1. CAN-SPAM compliance for three criteria.

T2Table 2. 10 largest message categories and compliance rates.

Back to top


©2007 ACM  0001-0782/07/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2007 ACM, Inc.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: