Legal Definitions - CAN-SPAM Act of 2003: Problematic Spamming Techniques

Definition of CAN-SPAM Act of 2003: Problematic Spamming Techniques

The CAN-SPAM Act of 2003, which stands for Controlling the Assault of Non-Solicited Pornography And Marketing Act, is a United States law that sets rules for commercial email and commercial messages. While the Act establishes general requirements for sending commercial emails, it specifically identifies certain spamming techniques as particularly harmful and deceptive. Individuals or entities that use these "problematic spamming techniques" face enhanced legal penalties due to their severe nature.

The problematic techniques prohibited by the CAN-SPAM Act include:

  • Address Harvesting: This involves using automated programs or processes to collect email addresses from websites or online services that have a stated policy against sharing their users' email information, with the intention of sending unsolicited commercial emails.
  • Dictionary Attacks: This technique occurs when a spammer sends emails to a large number of automatically generated or guessed email addresses (e.g., trying common names or sequential letters at a specific domain) in the hope that some of them will turn out to be valid email addresses of real people.
  • Automated Creation of Multiple Email Accounts: This refers to using automated tools or scripts to create numerous email accounts for the sole purpose of sending a high volume of spam.
  • Computer Hijacking for Spam: This involves gaining unauthorized access to another person's computer or network device and then using that compromised computer to send spam emails that violate the core requirements of the CAN-SPAM Act, often without the owner's knowledge.

The Federal Trade Commission (FTC) also has the authority to identify and specify additional problematic spamming techniques as technology evolves.

Here are some examples illustrating these problematic spamming techniques:

  • Example 1 (Address Harvesting): A company selling diet supplements wants to expand its customer base. Instead of building an email list through legitimate sign-ups, they deploy a specialized software bot to crawl public profiles on various social media platforms and professional networking sites. The bot automatically extracts email addresses from these profiles, even though the platforms' terms of service explicitly prohibit such automated data collection and sharing. The company then uses this harvested list to send unsolicited promotional emails for their products.

    How it illustrates the term: This scenario demonstrates Address Harvesting because the company used an automated program to collect email addresses from online services that had policies against sharing user emails, with the clear intent to send spam.

  • Example 2 (Dictionary Attacks and Automated Account Creation): An individual wants to promote a dubious "get rich quick" scheme. To maximize their reach, they write a script that generates thousands of potential email addresses for a popular email service provider (e.g., trying combinations like `[email protected]`, `[email protected]`, `[email protected]`). Simultaneously, they use another automated program to create hundreds of temporary, disposable email accounts to send messages to these guessed addresses. This allows them to bypass sending limits from a single account and makes it harder to trace the origin of the spam.

    How it illustrates the term: This example combines two problematic techniques. The systematic guessing of email addresses to find valid ones is a Dictionary Attack. The use of automated software to create numerous temporary email accounts specifically for sending these unsolicited messages illustrates Automated Creation of Multiple Email Accounts for spamming purposes.

  • Example 3 (Computer Hijacking): A cybercriminal develops malware that secretly infects hundreds of thousands of personal computers belonging to unsuspecting users. Once infected, these computers become part of a "botnet" controlled by the criminal. The criminal then uses this vast network of compromised computers to send millions of spam emails promoting counterfeit luxury goods. The owners of the hijacked computers are completely unaware that their devices are being used to send illegal spam.

    How it illustrates the term: This situation is a clear instance of Computer Hijacking. The cybercriminal gained unauthorized access to numerous computers and used them to send a massive volume of spam, leveraging the compromised machines to obscure the true source of the unsolicited messages.

Simple Definition

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography And Marketing Act) identifies specific "problematic" spamming techniques that subject offenders to enhanced legal penalties. These prohibited methods include "address harvesting," "dictionary attacks," automated creation of multiple email accounts for spam, and hijacking computers to send unsolicited commercial email.