Federal Internet Law & Policy
An Educational Project
SPAM: Enforcement:
Sending Spammers to the Slammer
Dont be a FOOL; The Law is Not DIY

The next big question is who gets to whack the spammers? DOJ and the FTC carry primary federal jurisdiction, although a host of other agencies can also whack spammers, including (and I am not making this up) the Secretary of the Agriculture under the Packers and Stockyards Act (who says Congress doesn’t have a sense of humor). The FCC has specific authority to deal with wireless phone SPAM. The provisions which may be enforced by the FTC may also be enforced by states and privately by ISPs. Individuals suffering the onslaught of generous opportunities have no direct recourse, and any recourse they might have had under state law has been preempted.


DOJ has authority to whack spammers who hack into computers to send or relay multiple SPAMs or falsifies the header in multiple SPAMs. Congress directs DOJ to “use all existing law enforcement tools to investigate and prosecute” spammers (let’s see, as DOJ, do I go after terrorists or whack spammers? Well Congress directed me to…. With limited enforcement resources and other priorities, it is questionable the degree to which DOJ will be an active prosecutor of spammers). Under DOJ authority, spammers can land in jail for up to 5 years, get hit with some serious fines (note that FTC authority lacks the ability to put spammers in the slammer), and forfeiture of assets. 18 USC s 1037(b).

The Federal Trade Commission, which as a part of its day-to-day duties seeks to protect the consumer, has authority under the act with is crafted more towards the protection of the recipient. Like DOJ, the FTC may take action against a spammer where an individual has received an email from or a hacked computer or relayed through a hacked computer, or where the email has a falsified header (note that the “multiple” requirement imposed on DOJ authority is lacking with FTC authority).

Unlike the DOJ, the FTC has authority to enforce the opt-out requirements, the prohibition against using harvested or dictionary attack email addresses, sexual content restrictions, false subject lines prohibitions, and the required inclusion of specified information. The FTC may also enforce labeling provisions if it elections to implement such restrictions.

The remedies available to the FTC include fines and injunctive relief (cease and desist orders).

Other federal agencies may also prosecute spammers particular to their own individual authority (things such as wire fraud, food and drug law, and customs violations). Additional agencies that have been involved in spam prosecution include the FBI, US Postal Inspection Service, and the SEC.

States may generally enforce those provisions which may be enforced by the FTC (there is a degree of ambiguity between Sec. 7(f)(1) & (2) that state officials should clarify; for some of these provisions the state will have to establish a pattern of behavior). 15 USC 7706(f). The remedies available to state officials include injunctive relief and the greater of actual damages or statutory damages. Statutory damages amount to $250 per piece of SPAM with a ceiling at $2,000,000 per violation. The state can seek treble damages for aggravated violations. States can also recover attorney’s fees. States must serve notice on the FTC prior to implementing an action; the FTC may join the action; and if the Feds already have an action pending, the state is precluded from initiating an action. Actions must be brought in federal court.

The CAN SPAM Act mostly preempts state laws; in particular, it was reported that the CAN SPAM Act was rushed through Congress in order to preempt a tough California SPAM law that was on the verge of being enacted. According to 15 USC s 7707(b)(1):

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.

Thus the CAN SPAM Act leaves a loop hole where some state SPAM laws are not preempted.

Omega World Travel, Inc. v. Mummagraphics, Inc., 469 F.3d 348, 354 (4th Cir. 2006) (Oklahoma anti-spam law preempted) (holding that the CAN-SPAM Act preempted a defendant's Oklahoma statutory counterclaims "insofar as they applied to immaterial misrepresentations." 469 F.3d 348, 353-57 (4th Cir. 2006))

Silverstein v. Keynetics, Inc., Dist. Court, ND California 2016 Second Amended Complaint dismissed on grounds that it is preempted by federal law; deceptive unauthorized use of linkedin addresses in FROM field was not "material"

Silverstein v. Keynetics Inc., ___ F. Supp. 3d ___, 2016 WL 3479083, at *4 (N.D. Cal. June 27, 2016) Plaintiff's claims were preempted by federal law.

DAVISON DESIGN & DEVELOPMENT INC. v. Riley, Dist. Court, ND California 2013 (state law cause of action preempted where deception was not material)

DAVISON DESIGN & DEVELOPMENT INC. v. Riley, Dist. Court, ND California 2012 Holding that Can Spam Act preempts California state cause of action related to spam email

Balsam v. Trancos, Inc., 203 Cal. App. 4th 1083, 1096, 1102-03 (2012),"found no preemption applicable because the defendant's "deliberate use of randomly chosen, untraceable domain names on the `From' line of the subject e-mails for the stated purpose of concealing its role in sending them does involve deception as to a material matter — the sender's identity — as well as an element of wrongful conduct." (emphasis added). Specifically, it was undisputed that the defendant there had intentionally used only privately registered domain names "to prevent e-mail recipients from being able to identify it as the sender...." "Asis Internet Services v. Member Source Media, LLC, 2010 WL 1610066, at *3 (N.D. Cal. Apr. 20, 2010) "reliance and damages need not be demonstrated to save a lawsuit from preemption."

Asis Internet Services v. Subscriberbase Inc., 2010 WL 1267763 (N.D. Cal. Apr. 2, 2010). "reliance and damages need not be demonstrated to save a lawsuit from preemption."

Hoang v. Reunion, No. C-08-3518 MMC, 2010 WL 1340535, at *6 (N.D. Cal. Mar. 31, 2010). In Hoang, "each plaintiff received an e-mail indicating the sender was an actual person known to such recipient, when, in fact, the e-mails were sent by [the] defendant [advertiser]." 

Internet Service Providers:

ISPs may generally bring actions for violations of the Can Spam Act.

15 USC 7706(g)(1): A provider of Internet access service adversely affected by a violation of section 7704 (a)(1), (b), or (d) of this title, or a pattern or practice that violates paragraph (2), (3), (4), or (5) of section 7704 (a) of this title, may bring a civil action in any district court of the United States with jurisdiction over the defendant—

(A) to enjoin further violation by the defendant; or

(B) to recover damages in an amount equal to the greater of—

(i) actual monetary loss incurred by the provider of Internet access service as a result of such violation; or

(ii) the amount determined under paragraph (3).  

Standing: To take advantage of this generous offer from Uncle Sam, one must be an “Internet access service.” Internet access service is defined as

"a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services."

15 U.S.C. § 7702(11); 47 U.S.C. § 231(e)(4). [Melaleuca]

Gordon, 575 F.3d 1040, 1050 (9th Cir. 2009) (citing 150 Cong. Rec. E72-02) ("[W]e intend that Internet access service providers provide actual Internet access service to customers" - holding that domain name owner, who used GoDaddy's email service and infrastructure, rebranded with his domain name, was not an 'Internet Access Service' under the Act).

ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (finding email service which has customers in 50 states and 27 countries, and owns, maintains, and configures its own infrastructure and servers is an "internet access service".)

MySpace, Inc. v. The, Inc., No. 06-3391, 2007 WL 1686966, at *3 (C.D. Cal. Feb.27, 2007);

Facebook, Inc. v. ConnectU LLC, 489 F.Supp.2d 1087, 1094 (N.D. Cal.2007)

"Adversely Affected": Derived From: ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013

The harm suffered by an Internet access service in order to establish standing under the "adversely affected" part of the CAN-SPAM Act "need not be significant in the sense that it is grave or serious, [but] the harm must be of significance to a bona fide IAS [internet access service] provider—something beyond the mere annoyance of spam. . . ." Gordon, 575 F.3d at 1053-54. In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail suffice. See id. at 1054. Such impairments "include, but are not limited to network crashes, higher bandwidth utilization, and increased costs for hardware and software upgrades, network expansion and additional personnel." Id. at 1053 (internal citations omitted). The CAN-SPAM Act does not require that a plaintiff prove that the emails at issue adversely affect the plaintiff, rather, that "[t]he e-mails at issue in a particular case . . . contribute to a larger, collective spam problem." See Gordon, 575 P.3d at 1054.

In Facebook v. Power Ventures, Inc., the Northern District of California provided a very helpful analysis of the "adversely affected" requirement for standing. 844 F. Supp. 2d 1025 (N.D. Cal. 2012). There, the court determined that Facebook's receipt and analysis of approximately 60,000 messages constituted an adverse effect. Id. at 1032. At the time, Facebook's network consisted of 901 million users and Facebook had over 3,000 employees. See Facebook "Talking About It." The harm suffered by Facebook with respect to the emails in question was attributable to Facebook's having to spend time and effort to determine the source of the emails, and taking steps to stop the emails. Power Ventures 844 F. Supp. 2d at 1031-32. In that case, the court held that Facebook did demonstrate an adverse effect, and that such was especially true because there were a documented 60,000 messages, and "the costs of responding to such a volume of spamming cannot be categorized as `negligible.'" Id. at 1032.

In its ordinary course of business, ZooBuh utilizes SpamHaus, Razor, Pyzor and Spamassassin as a first line of defense for SPAM received on its system. Despite its efforts to mitigate the harmful effects of SPAM, ZooBuh has experienced hardware crashes, server spikes, bandwidth spikes, kernel crashes, and customer complaints all as the result of a collective spam problem of which the emails in question were a part. If not for its continuous receipt of SPAM email, ZooBuh could successfully service all of its approximately 35,000 customers through four servers. Instead, ZooBuh has had to double its server capacity, at significant expense, in order to successfully service its customers. Even with eight servers, ZooBuh consistently deals with server spikes and crashes, and the servers are constantly pushed to capacity, which significantly decreases the life span of the servers and is expensive in power consumption. Under these facts, ZooBuh satisfies the "adversely affected" requirement as stated by the Gordon court.

ZooBuh's network consists of approximately 35,000 users, ZooBuh has three employees, and there are 13,453 emails at issue. Accordingly, the subject emails created a proportionately greater burden for ZooBuh than the 60,000 emails received by Facebook's 901 million users and over 3,000 employees. Similar to Facebook, for each email, ZooBuh had to expend man-hours and work to identify the source, examine the transmission information, examine and analyze the header information, take efforts to determine how and why the specific emails were able to circumvent and/or bypass preliminary filtering techniques, and to ultimately attempt to make the emails stop. ZooBuh efforts to deal with the spam cannot be categorized as negligible. See Power Ventures, 844 F. Supp. 2d at 1032. Under these facts, ZooBuh satisfies the "adversely affected" requirement as stated by the Facebook court.

In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its collective SPAM problem is much more significant than the mere annoyance of having to deal with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e., installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the life span of ZooBuh's hardware; server and bandwidth spikes; server crashes; and pre-mature hardware replacements. ZooBuh is adversely affected by a collective spam problem, which includes the emails in question, and that the second part of the standing test is satisfied. Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private party plaintiff.

Damages: The remedies available to an ISP include injunctive relief, and actual damages or statutory damages. 15 U.S.C. § 7706(g)(1)(B) Statutory damages are $100 per piece of SPAM for email with false headers and $25 per piece of SPAM for everything else. The maximum whack is $1,000,000 per violation. Treble (multiple by 3) damages are available for aggravated violations. Networks may also seek attorneys fees. There is not a requirement that the action be filed in federal court. Can Spam Act Sec. 7(g)

Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048, 1054 (9th Cir. 2009) (type of harm necessary to assert CAN-SPAM Act claims excludes costs incurred by Internet access provider to take reasonable precautions against spam as part of normal operations)

ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (reviewing different awards of statutory damages)

Facebook. v. Wallace, 2009 WL 3617789 at *2 (citing Columbia Pictures Television, Inc. v. Krypton Broad. of Birmingham, Inc., 259 F.3d 1186, 1194 (9th Cir. 2001)) (It is well established that "[a] plaintiff may elect statutory damages regardless of the adequacy of the evidence offered as to his actual damages and the amount of the defendant's profits . . . and if statutory damages are elected, the court has wide discretion in determining the amount of statutory damages to be awarded, constrained only by the specified maxima and minima.")


Heres a problem: who sent the spam? A spam may say that its from the ACME company, it may have the ACME company's address, and it may have the ACME company's logo. But did ACME send the spam? Was ACME spoofed? Or, perhaps, did someone without authority send the spam? Verifying the originator of the emails can be a challenge for an enforcement action. Kramer v. CASH LINK SYSTEMS, Court of Appeals, 8th Circuit 2013 (affirming no liability for defendant company where defendant's information was available online, spams had been routed through a foreign server, and individual who sent spam was apparently an independent contractor acting without authorization of the defendant company).

US Sentencing Commission Request for Comments

Stanford Cyberlaw Clinic

US Sentencing Commission

Proposed Sentencing Guidelines for United States Courts [pursuant to Can Spam Act], USSC 3/18/2004


Kramer v. CASH LINK SYSTEMS, Court of Appeals, 8th Circuit 2013 (affirming no liability for defendant company where defendant's information was available online, spams had been routed through a foreign server, and individual who sent spam was apparently an independent contractor acting without authorization of the defendant company).

Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048, 1054 (9th Cir. 2009) (type of harm necessary to assert CAN-SPAM Act claims excludes costs incurred by Internet access provider to take reasonable precautions against spam as part of normal operations)

Melaleuca v Hansen, CV 07-212-E-EJL-MHW (D OH June 29, 2010) (uploaded by Eric Goldman) (dismissing plaintiff's Can Spam claim for lack of standing; plaintiff is not an Internet Access Service) (Technology & Marketing Law Blog)

MELALEUCA, INC. v. Hansen, Court of Appeals, 9th Circuit 2013 (affirming in part, remanding in part)

US v Cyberheat , CV 05-457-TUC-DCB (DAR Mar 2, 2007) (company may be vicariously liable for acts of affiliate contractor which allegedly violated Can Spam Act).

Phillips v Worldwide Internet Solutions, Inc., (NDCa 2007) (no attorney fees absent "frivolousness, motivation, objective unreasonableness (both in the factual and in the legal components of the case) and the need in particular circumstances to advance considerations of compensation and deterrence.")

US v. Goodin, CR-06xxx (CD Cal 2007)

Federal Activity

FTC Halts Illegal Spam Operation; Adult Site Violated CAN-SPAM Act, FTC 5/9/2008

Adult Website Operation Settles FTC Charges Unwitting Consumers Exposed to X Rated Spam, FTC March 4, 2008

Major Online Advertiser Settles FTC Charges. "Free" Gifts Werent Free' Settlement Calls of $650,000 Civil Penalty, FTC Nov 28, 2007

FTC, California Attorney General Seek Halt to Illegal Spam Operation, FTC 4/15/2005

Diet Patch Sellers Settle Can-Spam Charges, FTC 4/1/2005

Adult Web Site Settles FTC Charges, FTC 2/1/2005

Court Stops Spammers from Circulating Unwanted Sexually-Explicit E-mails, FTC 1/11/2005

"To date, the Commission has brought 63 cases in which spam was an integral element of the alleged deceptive or unfair practice." Report to Congress: A CAN SPAM Informant Reward System, p. 10 FTC Sept 2004

FTC settles with pop-up ad 'spammers', NW Fusion 8/9/2004

FTC Announces First Can-Spam Act Cases, FTC 4/30/2004

Law Enforcement Posse Tackles Internet Scammers, Deceptive Spammers, FTC 5/14/03

FTC Asks Court to Block Deceptive Spam Operation, FTC 4/17/03

FTC Press Release, Deceptive Spammers Settle FTC Charges (Oct. 23, 2002);

FTC Press Release, Federal, State, Local Law Enforcers Target Deceptive Spam and Internet Scams (Nov. 7, 2002);

FTC v. BTV Industries, Rik Covell, Adam Lewis, National Communications Team, Inc., LO/AD Communications Corp., and Nicholas Loader (District of Nevada). Complaint, FTC 4/24/02

FTC v. BTV Industries et al TRO, FTC 4/24/02

FTC v., Inc., No. 00-0032 (DDC Jan. 6, 2000) ("settling charges that an online auction site obtained consumers' personal identifying information from a competitor site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their business").

Spam Scam Targets Kids and Their Parents, FTC 4/24/02

FTC Launches Crackdown on Deceptive Junk E-mail, FTC 2/13/02

FTC to Launch Attack on Deceptive Junk E-Mail, FTC 2/8/02

Spammers Settle FTC Charges, FTC 09/01/01`

Federal Agencies, State Attorneys General Crack down on Deceptive Mail Offers, Unsolicited Faxes and Spam Jan 2001

FTC Unveils "Dirty Dozen Spam Scams" JULY 14, 1998

FTC Press Release, "You've Just Won a Playstation 2!" - or Maybe Not, Says FTC in Complaint Filed Against Internet Spammers (Apr. 24, 2002).