CAN-SPAM Myths Busted: Part I

In 2003, Congress passed CAN-SPAM, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act”. In the eight years since, misconceptions, misunderstandings, and outright fallacies have persisted about what CAN-SPAM covers or doesn’t cover, says or doesn’t say, and permits or doesn’t permit. Over the next few postings, I plan to address some of the more common questions about CAN-SPAM and show what it really does and doesn’t do for senders.

Before we can bust any myths, we need to understand the Act, as it was passed. The full text of the Act is online over at Legal Archiver. You might want to go read it first; I’ll be referring to the actual wording quite frequently. It’s OK – I’ll still be here when you’re done.

*waiting*

Now that everyone’s read it (or at least skimmed it), let’s talk about what it says, section by section. Sections 1 and 2 are, for this discussion, just backstory: the short title and Congress’s findings. The real meat starts in Section 3, the Definitions. As with many things, the email world is filled with its own jargon, and people interpret words and phrases in different ways (as proof, ask any 10 random people to define ‘spam’; likely as not, you’ll get at least 5 distinct answers). The drafters attempt to avoid ambiguity by spelling out what they mean by a commercial message, how it differs from a transactional or relationship message, what a recipient is, and so on. It’s important to note that the Act only covers those things as defined in the Definitions section; if a message doesn’t fit the definitions, the rest of the Act doesn’t reach it.

Section 4 lists things that are prohibited as ‘predatory and abusive’; it does this by adding a new criminal statute, 18 U.S.C. §1037. Note the wording of §1037(a): it’s an ‘OR’ series of prohibited things. Doing any one of them (accessing a protected computer without authorization and sending mail from it, or relaying mail through a machine to deceive recipients about its origin, or materially falsifying headers, or…) qualifies your email as being in violation of the Act. The penalties for violating Section 4 are pretty stiff: they are criminal, and include imprisonment. This section is mostly designed to cover compromised PCs and email accounts, and is less applicable to ordinary commercial email.

Section 5 covers what your commercial email must include (and, in some cases, must not do) to be legal under the Act. It is the absolute minimum a commercial sender must do for their email not to leave them liable for civil penalties. Things that must be done include providing a working unsubscribe mechanism, identifying the message as an advertisement or solicitation, and including your valid physical postal address in every mailing. Things that must not be done include sending mail to people who unsubscribed more than 10 business days ago, using false or misleading header (‘transmission’) information, or including a deceptive Subject line. Section 5 also defines an ‘Aggravated Violation’: if your email is already in violation of Section 5(a) and it can be shown that you harvested addresses, generated them by a ‘dictionary attack’, or relayed your email through a server you were not authorized to use, extra penalties can be added. Those three things are not violations in and of themselves, however; they only count once you have already violated the Act.

Section 6 details who is liable for email sent in violation of the Act. Specifically, if a company knows, or should know, that an advertiser it has hired is promoting its products with email that carries false or misleading header information (a Section 5(a)(1) violation), the company itself can be held liable for that email, not just the advertiser. Section 7 lays out who can take action against violators (the FTC, other federal agencies for the industries they regulate, state attorneys general, and ISPs) and defines the various penalties.

Lastly (for this discussion), Section 8 defines how the Act (a Federal law) interacts with state laws, and spells out its effect on ISPs’ attempts to curtail the inflow of unwanted mail. In general, the Act preempts previous state laws that regulate commercial email, with one exception: state laws that prohibit falsity or deception in email still stand. And it does not in any way affect (positively or negatively) an ISP’s right to block or reject mail it considers unwanted. Sections 9 through 16, while interesting, don’t change what the Act does or covers.

That’s a lot for today. But with a solid understanding of what’s in the Act, we can start debunking some of the myths that ESPs, individual senders, and large companies hold about CAN-SPAM.

Next up: Myth #1 – “Since my email is CAN-SPAM compliant, you have to let it through.”

Written by hanov3r

October 14, 2011 at 1:02 pm