Nearly three months after Congress passed the Can-Spam Act of 2003, imposing fines and limitations on those who deluge the electronic in-boxes of consumers, including school-age children, with swaths of unsolicited commercial eMail, educational technology leaders say the problem of spam in the nation’s schools continues–and it might even be getting worse.
Though the federal law, which took effect Jan. 1, does not outlaw the transmission of electronic spam mail, it does prohibit spammers from attempting to disguise their identities through dubious return addresses or misleading subject lines and from harvesting valid eMail addresses off legitimate web sites, including online school directories. The law also requires spammers to include an opt-out function in their solicitations, which would enable consumers to decline any future communications from senders on a case-by-case basis.
Supporters of the law had hoped the threat of stringent penalties–from stiff fines to criminal prosecution–would help curb spam, especially solicitations for pornography, sexual enhancement, online gambling, and other potentially offensive products and services. But since the law’s passage, computer users say they’ve been inundated with messages hawking everything from discounted valium to Viagra. The problem has become a source of frustration for school technology leaders in particular, many of whom are charged with the difficult task of keeping spam from reaching students and faculty during the school day.
Scott Kovacik, an information technology liaison for the San Diego City Schools in southern California, says even with the aid of a high-end spam filter–which blocks as many as 20,000 pieces of unsolicited eMail per month–faculty and staff in the nation’s seventh largest school system still receive a handful of bogus messages each day.
It doesn’t matter whether you’re a teacher, principal, or administrator, Kovacik said: Spam is a problem. “No doubt about it, it’s a worldwide epidemic,” he said. “And [schools] are just as much a victim as any other business or corporation.”
And as for the new federal law? It hasn’t helped, at least not yet. “We’ve seen no significant change in the amount of spam received [since Jan. 1],” Kovacik said. “In fact, we’ve seen a large and rather annoying amount.”
Detractors contend that’s because the legislation is all bark and no bite. Although the Federal Trade Commission (FTC)–the agency in charge of fining violators– likely will have mild success against the most novice of spammers, the law’s critics say FTC investigators are no match for the nefarious tactics of the world’s savviest commercial spam artists.
In fact, a recent report from one spam filtering vendor estimates that only 10 percent of junk eMails sent today are in compliance with the new federal law. According to Audiotrieve LLC, maker of the InBoxer filtering system, a survey of more than 1,000 messages collected through “honey-pot” eMail accounts–repositories created to bank and analyze spam–revealed that only 102 of the messages actually met all of the law’s requirements. Of the remaining 898 messages, the Boxborough, Mass.-based company said two-thirds had no opt-out feature and none appeared to have physical addresses as required by law.
“Unfortunately, Can-Spam doesn’t can spam,” said Roger Matus, chief executive of Audiotrieve. “Companies that already act at the margins of the law seem to also ignore these new regulations.”
Instead of making life more difficult for spammers, Matus says the law makes life easier, trumping stricter provisions laid out in state laws–such as those blocked recently in California and Virginia–while depriving individuals and corporations their right to sue spammers of their own accord.
The California law, for instance, would have let spam recipients sue advertisers who use misleading subject lines, invalid reply addresses, or disguised paths to send bulk commercial eMails. It also would have allowed civil judgments of up to $1,000 per message or $1 million per incident.
In all, 36 states have passed anti-spam laws–all of which are superceded by the federal legislation.
“The [federal] law actually makes the world a much safer place [for spammers],” Matus said, noting that under the Can-Spam Act only the federal government and state attorneys general can seek legal action against alleged violators. It doesn’t help that a large percentage of spammers conduct their operations overseas, he added–well beyond the long arm of federal law enforcement: “The [FTC] can’t reach them.”
At home, technology is creating problems of its own. Andrew Lochart, director of product marketing for spam filtering service provider Postini Inc., points out existing eMail technology was not built with the intentions of spammers in mind.
Originally, he said, Simple Mail Transfer Protocol, or SMTP–the language computers use to exchange messages across the internet–was intended to provide a free, uninhibited information exchange between technologists and academics, not a launching pad for mass-marketing campaigns.
In fact, it’s the open nature of SMTP that has left the nation’s eMail servers vulnerable to numerous threats–from debilitating computer viruses such as the MyDoom worm unleashed earlier this year to flash-flood spam assaults, Lochart said.
What’s more, the internet is a very easy place for people to hide. The savviest computer users are able to hop in and out of open relays at will and otherwise disguise their identities by spoofing internet protocol (IP) addresses–a move that makes them virtually untraceable. “You can claim to be anyone you want,” Lochart said. “Before you can prosecute [spammers], first you must be able to find them.”
He expects the FTC eventually will dole out fines to new and unaccomplished spammers, but doubts the agency will have much luck against more serious offenders. “It’s really going to take a massive overhaul of the protocols involved in order to catch the really big guys,” Lochart said. “I doubt they’re losing any sleep at night.”
Still, the FTC says it is making headway. Aside from drawing up new rules and giving periodic updates to members of Congress, the agency currently collects an average of 250,000 spam messages a day through tips from consumers and other means.
FTC staff attorney Katie Harrington-McBride said the messages are part of a massive collection effort on behalf of the agency to track and analyze spam transmissions in hopes of identifying suspect subject lines and other clues that will lead investigators to the origins of these scams.
“It’s really too early yet to tell what the impact of the law will be,” Harrington-McBride said. Though the FTC has yet to announce publicly any legal action taken against alleged scammers under the new law, it does suggest computer users–including educators–can do their part by reporting illegal activity via eMail to the agency’s web site. To participate, consumers must send a copy of the message in question to the FTC’s unsolicited commercial eMail division at firstname.lastname@example.org.
Victims also can report concerns to the agency’s Consumer Response Center, which will make the complaints accessible to different branches of law enforcement.
With regard to pinpointing the exact source of such spam messages, Harrington-McBride said the FTC is well aware of the problems posed by the anonymous nature of the internet. One tactic law enforcement likely will use is to target businesses that employ spammers to conduct advertising campaigns for their products, the idea being to uncover a “money trail” that will lead them directly to the source.
Under the law, the FTC also will create a federal “do-not-spam” registry similar to the “do-not-call” list officials used earlier this year to stave off unsolicited telephone calls, though Harrington-McBride said details are still pending.
In the meantime, the FTC recommends that eMail users pay close attention to the opt-out provision of the law. If a spammer continues to send messages even after a user has opted out, the sender would be considered in violation of the law and subject to legal action, officials said.
But convincing computer users it’s in their best interest to participate might be easier said than done. Many contend the new opt-out provision goes against everything people have been taught about internet security.
As a general rule of thumb, San Diego’s Kovacik said he instructs educators to resist the temptation to respond to unsolicited eMails. While most legitimate businesses likely will respect the opt-out provision, he said, responding to an illegitimate eMail could put educators and others in a position to receive even more spam. That’s a risk he’s not willing to take. “Until this law gets some legs,” he said. “[our district] will continue to perform the practice of not clicking.”
On Capitol Hill, lawmakers acknowledge that they don’t anticipate stopping
the spread of spam mail entirely, but say they are at least interested in giving consumers an opportunity to decide for themselves whether they want to receive the messages.
To date, the best option for schools remains some type of spam filter. But even the most advanced products–including Postini’s web-based service, which filters more than 2 billion message a week for more than 5 million users nationwide–are not 100-percent effective.
See these related links:
Federal Trade Commission’s spam site
FTC web site on how to report spam