A Day in The Life of a Spammer - Page 3

You CAN-SPAM. Get Used to It (page 3 of 3)

All of his bulk-mailing campaigns are legal thanks to the CAN-SPAM Act, which went into law in January. Four months after its passage, the legislation has received lukewarm reviews from e-mail security outfits and the federal agencies charged with enforcing the it.

Eight months later, it seems the United States has turned into the largest spam haven in the world. E-mail security firm CipherTrust last week reported that, while both the United States and South Korea represent only 28 percent each of the IP addresses used to send spam, a whopping 86 percent of the total spam volume comes from the United States, with South Korea a distant second at 3 percent. The U.S. numbers jumped enough during last year to indicate the CAN-SPAM Act had some effect on the numbers, a CipherTrust official said, though it could be a short-term spike as spammers test how far they can push the letter of the law.

Cunningham said spam is only going to get worse, not better, with time. More legitimate bulk mailers and established companies will take advantage of the CAN-SPAM's wording: as long as the e-mail doesn't use spoofed IP addresses, contains an Internet-based opt-out mechanism and includes a legitimate physical mailing address and indication in the subject line that it's an advertisement, then it is legal.

"Some spammers will go legit and some spammers won't," Cunningham said. "Some spammers will stop and some will continue to pursue this lucrative business practice."

Jennifer Martin, a CipherTrust spokeswoman, said many spammers are already finding ways to make it harder for the enforcement arms of the CAN-SPAM Act to prosecute. She said the company's already run into cases where spam includes a legitimate e-mail address with an Internet-based opt-out option. But, she continued, the server hosting the opt-out link returns a message saying the unsubscribe option is out of order and to instead send the request by regular mail to a postal address.

Not many computer users are experienced enough to know that the unsubscribe process needs to be entirely electronic, Martin said, and so they don't report it to the authorities or their ISP.

Not everyone takes to that point of view, especially among the e-mail marketing industry. Officials at the Direct Marketing Association (DMA), a trade association that conducts interactive and database marketing, say they have an entirely different impression of the effectiveness of the CAN-SPAM Act.

Louis Mastria, DMA director of public and international affairs, said the organization has been working with the FBI for the past year, donating technical and funding resources to aid law enforcement officials. He said the response he's gotten from federal agents, the men and women actually responsible for enforcing the legislation, have nothing but good things to say about the new law.

"What we've heard over and over again is that law enforcement feels like this is a boon to them, because, prior to the passage of this act, it used to be a very subjective thing. You would have to find out if they were spamming, and it came down to intent. Intent is a little harder to prove," he said. "Under the CAN-SPAM Act, it's black and white. You've either included an Internet-based opt-out or you haven't; you've either included a physical address or you haven't. So on its face, e-mail can be judged spam very easily, and prosecutions can be built rather quickly. The chances of success on prosecutions are significantly higher under the CAN-SPAM Act."

Still, enforcement of the act is getting off to a slow start, though Mastria expects the number of cases to increase soon. In the two years leading up to the CAN-SPAM Act, the FTC brought only 54 spam cases, according to an attorney at the commission in an interview last fall.

The problem with spammers using falsified information is the fact they are so hard to track down, officials say, and they aren't worried about breaking the law in the first place. In one case, the FTC spent four months tracking down one spammer's identity in an investigation that took one year and spanned two continents.

Phyllis Schneck, CipherTrust vice president of strategic development, said the fact that more than 85 percent of spam is coming out of the United States leads her to believe the arrests will pick up in time.

"I would expect to see more prosecutions and more court cases, but it goes to the policy and enforcement piece of CAN-SPAM," Schneck said. "You can have technology and you can have policy, but at one point you need to show that you're going to enforce it."

What Does It Really Cost in the End?

Like many others, Cunningham takes the stand common among both legitimate bulk-mailers and illegal scammers alike: If you don't like it, delete it. That stand is one side of the central argument surrounding spam -- the cost to the end user.

For network administrators, ISPs and business executives alike, the cost of spam is measured in terms of time wasted hitting the "delete mail" and the money spent in bandwidth to download the messages. There are numerous "spam calculators" on the Web that show just how much those costs are, like those at Computer Mail Services, NetworkWorldFusion and MX Logic.

"You've got to take into consideration the use of advertisements, promotions and more," Cunningham said. "You would be surprised at how many of these providers send their own advertisements and some even work deals in the background with e-mail marketers."

He declined to say who these providers are, saying that many "take extra precautions to make sure this is never exposed."

Despite the negative perception his job brings him, Cunningham doesn't see himself going "legitimate" and back to a nine-to-five job any time soon.

"I enjoy what I do and I enjoy conversations with others in the industry," he said. "As long as it makes me money, I'll continue to do it."

Updates prior version with figures provided by Cunningham on average e-mail campaign returns.