Clever spammers stay ‘one step ahead’ of law

Viagra, gibberish, money-transfer requests, more Viagra.

Three years after the federal Can-Spam Act went into effect, unsolicited commercial e-mails are assaulting inboxes at record rates as spamming technology grows more sophisticated.

“I think the majority of the industry would say that spam levels are at the highest they’ve ever been,” said Scott Chasin, chief technology officer at MX Logic Inc., a Colorado-based Internet security firm.

In September, unsolicited commercial e-mail messages accounted for more than 77 percent of all e-mail filtered by the company. Of that amount, only a fraction — 0.27 percent — was in compliance with federal anti-spamming law.

“Spammers are creative and industrious,” said Michael Davis, a lawyer with the Federal Trade Commission (FTC), which is responsible for enforcing the act. “Because of their dedication and their technological sophistication, they have found ways to stay oftentimes one step ahead of law enforcement.”

Under the Can-Spam Act, marketers are allowed to send unsolicited commercial e-mails as long as they include a truthful subject line and routing information; an opt-out mechanism; a notice that labels the e-mail as an advertisement; and a valid postal address.

“Legitimate businesses overwhelmingly comply with it,” said Stephanie Hendricks, spokeswoman for the Direct Marketing Association. “Obviously, folks are still seeing a lot of spam, but it’s not coming from legitimate companies.”

That’s the problem, according to Mr. Chasin.

“The spammers that were sending spam before the law was passed were not obeying the laws then, and they’re certainly not obeying the laws now,” he said. “When the legislation was adopted, it gave the amateur spammers a decision: Do they want to get out, or do they want to become criminals?”

The challenge of enforcement does not stem from a lack of teeth. Can-Spam allows the FTC to seek civil penalties of up to $11,000 per violation, plus further fines for spammers who unlawfully “harvest” or extract e-mail addresses from Web sites or Web services. The law also gives the Justice Department authority to seek criminal punishment for violators who falsify header information or hijack a computer to send e-mail without a user’s consent.

So far, the FTC has filed 26 lawsuits for violations of the act, Mr. Davis said. In those cases, federal courts have awarded civil penalties totaling more than $10 million.

Spam isn’t just irking consumers; it’s harming the reputations of legitimate businesses, said David Daniels, a vice president and research director with JupiterResearch of New York.

“Forty-three percent of consumers have told us that when they sign up for permission-based e-mail from their bank or retailer, they believe that doing that leads to more spam,” Mr. Daniels said. “That is not the case. When you sign up for an e-mail offer at a reputable retailer or financial services institution, they’re certainly not going to be sharing that information with another party.”

Contrary to the assumption of many home computer users, spammers typically extract addresses using a “botnet,” or program that takes over computers and uses their stored e-mail addresses to spread spam throughout the Web. Botnets can link thousands of computers without owners’ knowledge.

Spammers have learned to avoid common e-mail filters, purposefully misspelling words like “Viagra” or embedding messages in graphics rather than plain text, Mr. Chasin said. They also cut and paste random, unrelated text to throw off filter keyword searches.

Story Continues →