In 2003, Congress had the chance to do the right thing about "spam"... and mostly failed. Instead of legislation with teeth, they left the FTC with armament amounting to a wet noodle. What consumers and ISPs really, really wanted was prohibition of unsolicited commercial email (UCE). What we got instead was legislation that overturned more restrictive local law, and removed individual right of recourse against spammers.

The CAN-SPAM Act is often derided as the "Yes you can spam" Act, because worst of all, instead of prohibiting UCE, it gave spammers carte blanche to start and continue sending spam until you tell them to stop. Hence the phrase "opt out", because the burden falls on the recipient to tell each spammer to stop. CAN-SPAM places a trivial requirement on the spammer to include a physical address, and in theory, a not-so-trivial requirement to include an opt-out mechanism. I say theoretically, because in fact it's commonplace for opt-out mechanisms to be broken or ignored, and enforcement is lax.

At least the law does not mandate that ISPs must accept and relay all email received for their users. This concession gives ISPs leeway to use spam detection tools like SpamAssassin, real-time block lists (RBLs), and Sender Policy Framework (SPF) to flag or reject suspicious email.

Because spam has proven such a pernicious drain on resources, the ISP industry as a bloc has adopted anti-spam standards that are stricter than the law. Simply put, accomodating spammers is bad for business - spammers get co-tenant domains and neighboring IP address blocks blacklisted by other ISPs. Undeliverable email and service interruptions drive away customers who need their own non-spam email deliverable.