Compliance with the Can-Spam Act has fallen to a new low, according to recent data collected by MX Logic. In July, compliance fell for the first time to less than 1%--dropping to a measly 0.54% of all unsolicited commercial mail the company sampled during the month.

MX Logic has been tracking compliance with Can-Spam since the federal law went into effect in January. Through April, MX Logic's numbers remained stable, with about 3% of spam messages complying with the law's requirements, which range from verifiable return addresses to measures consumers and businesses can use to opt out of mailing lists. In May and June, however, the number slipped to 1%.

"Now it's been halved," said Steve Ruskin, a senior analyst at MX Logic. "No one's really sure what's going on, but it's clear that Can-Spam isn't a threat to spammers. They're just ignoring it."

Although hard-core spammers--the relatively small number who account for the bulk of the world's spam--were never likely to toe the line, said Ruskin, it's possible that some spammers who were complying have stopped.

The blame, he said, could be laid on law enforcement, which hasn't been successful in tracking down on spammers. Some individuals have been stymied--most recently a Boca Raton, Fla., resident whose assets were frozen by the courts--but enforcement is the exception rather than the rule.

A contributor to the poor showing could be due to the ever-expanding numbers of spammers. "It's possible that the same number are complying now as in January," said Ruskin, "but that as the number of spammers continues to grow, that percentage gets watered down."

One of the tools businesses and users are hoping to put into play against spam is a sender authentication standard that would prevent spammers from spoofing, or forging, addresses.

This week, the standards-setting Internet Engineering Task Force is holding meetings to decide, among a raft of other issues, Sender ID, a scheme that combines Microsoft's proprietary Caller ID for Email idea and Sender Policy Framework, an extension of the SMTP protocol.

Sender ID and its rivals, such as Yahoo's DomainKeys, aim to slow down spam by verifying sender addresses, which would prevent spammers from hiding behind bogus addresses. If they have to use legitimate domains--and buy their own--spammers would be easier to track.

"We'd like to see some sort of authentication standard go forward," said Ruskin. "Like everything else, it's not a silver bullet but it could go a long way toward defeating spam."

The ITEF working group responsible for evaluating Sender ID is expected to nominate it as an Internet standard this week.

"We're giving it a pretty good chance of passing," said Ruskin, who has a company representative at the IETF meetings. "The word on the street is that everyone wants to support [Sender ID], but that some are concerned about the proprietary licensing that Microsoft wants to put in it. If someone has to fax Microsoft each time a change is proposed to the standard, that doesn't go down well with a certain group of people."

Sender ID, or at least a critical mass of some sort of authentication standard, can't come too soon for Ruskin.

During July, MX Logic's monitoring found that 84% of all E-mail outside corporate networks was spam, another new record.

With the spam-to-not-spam ratio just 50% only a year ago, Ruskin wonders where spam will stop. "Sometime next year, spam will hit the 90s," he said. "You'd like to think that there's some natural equilibrium, but unless there's a fundamental change to the framework of E-mail, we run the risk that virtually all mail will be spam."