US companies are still deluged with spam, despite new anti-spam legislation.

The number of spam campaigns has continued to rise, despite the anti-spam law that went into effect in January, according to a survey released by anti-spam vendor Commtouch Software.

Part of the problem with the new Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is that 40 percent of spam e-mail comes from outside the US, said Avner Amram, Commtouch executive vice president.

Commtouch's spam detection centre doesn't measure the total number of spam messages sent, but the number of spam "outbreaks" - the company defines an outbreak as the bulk sending of one spam message - rose from about 350,000 per day at the end of 2003 to about 400,000 per day in March, Amram said.

"There's certainly not a slow down in volume," Amram said.

Commtouch has also seen more "phishing" scams targeting e-mail users. Phishing scams typically send a fraudulent e-mail to customers, telling them they have to update their credit card numbers at an e-commerce site. The phishing e-mail directs customers to a bogus Web site that mimics the look of the real e-commerce site, and the spammers harvest credit card numbers from the unsuspecting customers.

CAN-SPAM requires that spam e-mail include a working return e-mail address, a valid postal address for the sending company, a working opt-out mechanism and a relevant subject line. The law also directs the U.S. Federal Trade Commission (FTC) to study setting up a national do-not-spam list, similar to the national do-not-call telemarketing list now in effect.

In January, Commtouch found only 1 percent of spam e-mails it surveyed complied with CAN-SPAM. The amount of e-mails complying with the law has risen to 3.5 percent, according to Commtouch.

The problem with the CAN-SPAM law is that of the 1 million spam messages Commtouch tracked in March, 40 percent came from outside the US, spread across IP (Internet Protocol) addresses in 152 nations, according to Commtouch. The highest offender outside the US was China, with 6 percent of spam coming from IP addresses there. South Korea generated 5 percent of spam tracked by Commtouch, Canada generated 4 percent and Brazil 3 percent.

Backers of the CAN-SPAM law say eventual prosecutions under the law may help curb the amount of spam. The FTC and state attorneys general have authority to bring civil complaints against spammers, resulting in fines of up to US$6 million. The law also has criminal penalties of up to five years in jail for spammers who violate such provisions as hacking into someone else's computer to send spam, and falsifying header information in bulk spam.

The FTC is pursuing cases against spammers, but spammers use false header information and open relays to hide their identities. "We have said that it's very difficult to find spammers," said an FTC spokeswoman. "That's why spam cases are resource intensive and aren't very quick."
Commtouch's Amram agreed that spam prosecutions could help CAN-SPAM enforcement. "Certainly, it's going to help because when people hear about enforcement, they will be afraid," he said. "It's not going to help to the maximum extent because there are many ways CAN-SPAM can't be enforced."