Saturday, November 1, 2003

How organizations can develop their rules for identifying spam organization-wide


By Roger Matus

By a 97-0 vote, the U.S. Senate passed the "CAN-SPAM" (Controlling the Assault of Non-Solicited Pornography and Marketing) bill in September. The Senate did its best to define spam for the broad population, without actually using the word spam. The bill refers to a "commercial electronic mail message" that has the primary purpose of "the commercial advertisement or promotion of a commercial product or service."

Last week, the first federal law against unsolicited commercial email moved a step closer to reality after the House of Representatives passed a bill (a different bill, as it turns out) that would punish spammers with fines and jail time. The House voted 392-5 in favor of the bill, which clears it for a vote in the Senate. If the Senate approves the bill, it should reach the White House early next week, according to a House spokesman.

There are dozens of popular definitions of spam. Some people refer to "unsolicited commercial email" or UCE. Others think of spam as "offensive mail." The broadest definition of spam that I have seen is "mail that I do not want and did not ask for." Of course, "mail that I don't want" isn't something suitable for legislation, while mail that has misleading sources or messages may well be.

If you plan to deploy a spam filter, selecting the right definition of spam for your organization will be critical. Only when you can clearly identify which messages are spam will you know if your filter removes the spam messages and leaves all other messages alone.