CAN-SPAM: Prohibited Conduct
Prohibited Predatory and Abusive Practices [15 USC § 7703, 18 USC § 1037]
Rule: CAN-SPAM criminalizes certain aggressive and deceptive email practices, including hacking, spoofing, harvesting, and dictionary attacks. Violations carry criminal penalties up to 5 years imprisonment.
Note: While 15 USC § 7704 creates civil obligations enforced by the FTC, 18 USC § 1037 creates criminal offenses for the most egregious conduct.
Criminal Offenses [18 USC § 1037(a)]
It is a federal crime to knowingly:
(1) Unauthorized Access and Spam Transmission
Prohibition: Access a protected computer without authorization and intentionally initiate transmission of multiple commercial email messages.
Example: Hacking into a company’s mail server to send bulk promotional emails.
Elements:
- Unauthorized access to a protected computer
- Intentional transmission (not accidental)
- Multiple messages (see threshold below)
- Commercial email (primary purpose is advertising)
(2) Relay/Retransmission with Intent to Deceive
Prohibition: Use a protected computer to relay or retransmit multiple commercial email messages with intent to deceive or mislead recipients about the origin of the messages.
Examples:
- Open relay exploitation: Using an unsecured mail server to relay spam
- Proxy hijacking: Routing messages through compromised proxy servers
- Botnet distribution: Using infected computers to send spam
Elements:
- Use of protected computer (any computer used in interstate commerce)
- Relay or retransmit function (not direct send)
- Multiple messages
- Intent to deceive about message origin
(3) Header Falsification
Prohibition: Materially falsify header information in multiple commercial email messages and intentionally initiate transmission.
Examples:
- From spoofing: Faking sender email address
- Return-Path manipulation: Falsifying reply address
- Routing falsification: Hiding true origin through fake mail server chains
Elements:
- Materially falsified header (not trivial changes)
- Multiple messages
- Intentional transmission
(4) False Registration (Email Accounts)
Prohibition: Register, using materially falsified information, for 5 or more email accounts or online user accounts, and intentionally initiate transmission of multiple commercial messages from those accounts.
Examples:
- Creating multiple fake Gmail/Yahoo accounts with false names/birthdates
- Bulk account creation for spam distribution
- Using stolen identities to register accounts
Elements:
- 5+ accounts registered
- Materially falsified registration info
- Used to send multiple commercial messages
(5) False Registration (Domain Names)
Prohibition: Register, using materially falsified information, for 2 or more domain names, and intentionally initiate transmission of multiple commercial messages from those domains.
Examples:
- Registering example-bank.com with fake WHOIS data
- Using privacy services to conceal true registrant identity for spam domains
- Creating throwaway domains with false contact information
Elements:
- 2+ domains registered
- Materially falsified WHOIS/registration data
- Used to send multiple commercial messages
(6) IP Address Falsification
Prohibition: Falsely represent oneself as the registrant or legitimate successor of 5 or more IP addresses, and intentionally initiate transmission of multiple commercial messages from those addresses.
Examples:
- IP spoofing to hide true source
- Using hijacked IP blocks
- Claiming ownership of IPs without authorization
Elements:
- False representation for 5+ IPs
- Intentional transmission from those IPs
- Multiple commercial messages
"Multiple" Messages Threshold [18 USC § 1037(d)(3)]
Criminal liability attaches when sender transmits more than:
| Timeframe | Threshold |
|---|---|
| 24 hours | 100 emails |
| 30 days | 1,000 emails |
| 1 year | 10,000 emails |
Important: These are OR conditions — exceeding ANY one threshold triggers criminal exposure.
Criminal Penalties [18 USC § 1037(b)]
Standard Offense
Imprisonment: Up to 3 years
Fine: Statutory maximum
Enhanced Offense (up to 5 years)
Applies if:
- Committed in furtherance of any felony under U.S. law, OR
- Defendant has prior conviction under:
- 18 USC § 1037 (this section), OR
- 18 USC § 1030 (Computer Fraud and Abuse Act)
Examples of felony furtherance:
- Spam used for securities fraud
- Spam promoting illegal drug sales
- Spam distributing child exploitation material
- Spam for identity theft schemes
Sentencing Enhancements [15 USC § 7703(b)]
The U.S. Sentencing Commission considers upward adjustments for offenders who:
(1) Improper Email Address Acquisition
Harvesting Without Authorization
Definition: Collecting email addresses from websites, proprietary services, or online forums without the operator’s authorization.
Methods:
- Web scraping public-facing email addresses
- Crawling forum member lists
- Extracting addresses from social media profiles
- Harvesting from comment sections
Key: “Without authorization” — if website terms of service prohibit scraping, harvesting is improper.
Dictionary Attack (Random Generation)
Definition: Randomly generating email addresses by computer.
Methods:
- Brute-force generation (john@example.com, jane@example.com, admin@example.com, etc.)
- Common name dictionaries + domain combinations
- Automated permutation algorithms
- Sequential generation (user1@, user2@, user3@…)
Purpose: Bypass opt-in requirements by guessing valid addresses.
(2) False Domain Registration
Offender knew messages advertised domains with materially false registration information.
Example: Spam promotes “buy-cheap-pills.com” registered with fake WHOIS data.
(3) Related Federal Offenses
Convicted of other federal crimes involving bulk unsolicited email, including:
- Fraud schemes (18 USC Chapter 47)
- Identity theft (18 USC Chapter 47)
- Obscenity (18 USC Chapter 71)
- Child exploitation (18 USC Chapter 110)
- Theft of trade secrets (18 USC Chapter 90)
Enforcement [15 USC § 7703(c)]
Department of Justice
Congress expressed that DOJ should pursue CAN-SPAM enforcement using:
- 18 USC Chapter 47 — Fraud and False Statements
- 18 USC Chapter 63 — Mail Fraud
- 18 USC Chapter 71 — Obscenity
- 18 USC Chapter 110 — Sexual Exploitation of Children
- 18 USC Chapter 95 — Racketeering (RICO)
Reality
Criminal CAN-SPAM prosecutions are rare due to:
- Resource constraints at DOJ
- Difficulty identifying international spammers
- Focus on higher-priority cybercrimes
- Challenges proving criminal intent
Most enforcement occurs via:
- FTC civil actions under 15 USC § 7704
- State Attorney General actions
- ISP civil lawsuits
Practical Guidance
Prohibited Practices — Never Do These
❌ Harvest emails from websites without permission (even public-facing)
❌ Dictionary attack to generate addresses (firstname@company.com)
❌ Relay through open mail servers or compromised computers
❌ Spoof headers (From, Reply-To, routing information)
❌ Register domains with false WHOIS data for email campaigns
❌ Hack mail servers to send unauthorized bulk email
Legitimate Alternatives
✅ Opt-in forms — Users explicitly provide email addresses
✅ Purchased lists — From reputable brokers with consent documentation
✅ Business cards — Collected at trade shows with consent
✅ Customer databases — Existing business relationships (transactional emails exempt)
✅ Referrals — User-provided friend emails (with transparency about source)
Red Flags Indicating Criminal Conduct
⚠️ Anonymizing services (VPNs, proxies) to hide sender identity
⚠️ Bulk account creation (hundreds of email accounts)
⚠️ Throwaway domains registered with fake names
⚠️ Sending volume exceeds 100/day without legitimate business justification
⚠️ Routing through foreign servers to evade detection
⚠️ Using “snowshoe” technique (small volumes from many IPs to avoid blocks)
Comparison: Civil (§ 7704) vs. Criminal (§ 1037)
| Aspect | Civil (§ 7704) | Criminal (§ 1037) |
|---|---|---|
| Conduct | Deceptive headers, no opt-out, missing address | Hacking, harvesting, dictionary attacks, relay hijacking |
| Intent | Knowledge or recklessness | Knowingly (higher standard) |
| Enforcer | FTC, State AGs, ISPs | Department of Justice only |
| Penalty | Fines up to $51,744 per violation | Imprisonment up to 5 years + fines |
| Threshold | Any volume | "Multiple" (100/day, 1,000/month, 10,000/year) |
| Typical defendants | Marketers, businesses | Hackers, spammers, cybercriminals |
Case Studies
United States v. Jeffrey Kilbride (2008)
Facts: Defendants sent millions of pornographic spam emails using:
- Hijacked computers (botnets)
- False header information
- Randomly generated email addresses (dictionary attacks)
Charges: 18 USC § 1037 (multiple counts)
Outcome: Kilbride sentenced to 6 years in federal prison
Lesson: Criminal prosecution for large-scale spam operations using prohibited techniques.
United States v. Robert Soloway (2007)
Facts: “Spam King” sent over 90 million spam emails using:
- Botnets of compromised computers
- False header information
- Identity theft to register domains
Charges: 18 USC § 1037, identity theft, money laundering
Outcome: Plea agreement, 47 months imprisonment
Lesson: Even if emails promote legitimate products, the methods (hacking, spoofing) trigger criminal liability.
Compliance Checklist
To avoid prohibited conduct under CAN-SPAM:
- Never harvest email addresses from websites without explicit permission
- Never use dictionary attacks to generate recipient addresses
- Never send email through unauthorized computers or open relays
- Never falsify header information (From, Reply-To, routing)
- Never register domains or accounts with false information for email campaigns
- Verify all email addresses obtained through legitimate opt-in or business relationship
- Document consent for every recipient on your list
- Authenticate outgoing email (SPF, DKIM, DMARC) to prove legitimacy
- Monitor sending volume to stay below thresholds if any doubt about compliance
- Train staff on prohibited practices and criminal consequences
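The "multiple messages" thresholds above and the checklist item on monitoring sending volume can be turned into a simple compliance check. The following is an added example, not part of the original outline: it treats each statutory period as a sliding window over sorted send timestamps and reports every window whose "more than N" limit is exceeded, so any one hit is enough (the OR condition). The sample timestamps are constructed; the half-open window semantics are an assumption, not a legal reading of the statute.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds from 18 USC § 1037(d)(3): liability attaches at "more than" N
# messages in the period. Any single period exceeded is enough (OR conditions).
THRESHOLDS = {
    "24 hours": (timedelta(hours=24), 100),
    "30 days": (timedelta(days=30), 1000),
    "1 year": (timedelta(days=365), 10000),
}


def windows_exceeded(send_times: List[datetime]) -> Dict[str, int]:
    """Return {period_name: peak_count} for every period whose limit is exceeded.

    Two-pointer sliding window over sorted timestamps: for each send at index
    `end`, `start` is advanced until every send in [start, end] falls strictly
    inside one `span` of time (half-open window, an assumption of this example).
    """
    times = sorted(send_times)
    result: Dict[str, int] = {}
    for name, (span, limit) in THRESHOLDS.items():
        peak = 0
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= span:  # drop sends outside the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            result[name] = peak
    return result


def synthetic_log(start_iso: str, count: int, gap_minutes: int) -> List[datetime]:
    """Constructed sample data: `count` sends from start_iso, gap_minutes apart."""
    start = datetime.fromisoformat(start_iso)
    return [start + timedelta(minutes=gap_minutes * i) for i in range(count)]


if __name__ == "__main__":
    # 101 sends one minute apart trips the 24-hour threshold only.
    print(windows_exceeded(synthetic_log("2024-01-01T00:00:00", 101, 1)))
    # 1,001 sends 40 minutes apart never exceed 100 in a day but do exceed
    # 1,000 in 30 days (total span is about 27.8 days).
    print(windows_exceeded(synthetic_log("2024-01-01T00:00:00", 1001, 40)))
```

Feed it the timestamps from your outbound mail logs instead of the constructed sample to see which period, if any, a campaign would cross.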