Rising tide of spam confounds attempts to set effective sanctions

A year after the U.S. Congress passed the first federal anti-spam law, observers see little evidence that the law has cut the amount of unwanted commercial e-mail arriving in U.S. residents’ inboxes. Most vendors of anti-spam products charted an increase in the amount of spam since the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act went into effect on Jan. 1, 2004.

CAN-SPAM includes criminal penalties — up to five years in prison — for common spamming practices, including hacking into someone else’s computer to send spam and using open relays to send deceptive spam. The law allows fines of up to $250 per spam e-mail with a cap of $6 million for aggravated violations.

Some anti-spam activists assert that the law has aided spammers because CAN-SPAM requires recipients to opt out of unwanted commercial e-mail by contacting each sender instead of forcing senders to get opt-in permission. The federal law also hurt spam-fighting efforts by pre-empting parts of some tougher state laws, including a California opt-in requirement, said Laura Atkins, president of the SpamCon Foundation. CAN-SPAM also prohibits private citizens from suing spammers, allowing only state attorneys general or Internet service providers to file civil suits. People such as Atkins who operate their own mail servers and receive thousands of spam e-mails have no recourse against spammers under CAN-SPAM.

“CAN-SPAM has not made it any easier to find spammers,” Atkins said. “It has not decreased the amount of spam.”

Backers of CAN-SPAM say it opens the door to civil lawsuits and jail time for spammers. ISPs took advantage of CAN-SPAM to file hundreds of civil lawsuits against spammers in 2004. The key to making the law work is more enforcement, according to Jennifer O’Shea, a spokeswoman for Republican Sen. Conrad Burns of Montana and main sponsor of CAN-SPAM. “Sen. Burns has said from day one that enforcement is key for this legislation to be effective,” O’Shea said. “We have seen several big lawsuits, which have been helpful, but we need to continue to see more of these lawsuits in order to keep up with big-time spammers and keep spam out of inboxes.” Burns believes businesses should have an opportunity to market over e-mail instead of having to get opt-in permission from all e-mail recipients, she added.

Statistics supplied by vendors of anti-spam products seem to bear out the criticism of CAN-SPAM. Postini, a managed e-mail security provider, said the percentage of legitimate nonspam e-mail it sees dropped from 22 percent of all e-mail at the beginning of 2004 to just 12 percent by December. MX Logic, another anti-spam vendor, found 67 percent of all e-mail to be spam in February. By November, 75 percent of all e-mail was spam, MX Logic said.

ISPs and law enforcement agencies used CAN-SPAM provisions to go after spammers. Four large U.S. ISPs filed hundreds of lawsuits against spammers. In response, spammers changed tactics. They are using so-called zombie networks — computers hijacked with spam Trojans — to send spam. They are also using increasingly sophisticated directory harvest attacks to spam corporate mail servers, said Andrew Lochart, director of product marketing at Postini. Said Lochart: “The spammers got even more creative at hiding, and they’ve always been pretty good at it.”