Enforcing Canada’s Anti-Spam Legislation (CASL)
CRTC actions from April 1 to September 30, 2025
CASL turns 10! Check out this snapshot for highlights, key facts and lessons learned over the past decade.
Regulatory highlights
The CRTC continues to take important steps to protect Canadians from online threats. In 2022, the CRTC recognized that Canadian carriers play a key role in reducing botnet activity and developed a national framework to block harmful traffic before it reaches Canadians’ devices. Based on this, the CRTC determined that regulatory action was necessary.
Action to block botnets
In 2025, the CRTC set out terms and conditions for Canadian carriers to block botnets and other harmful activities within their networks. This helps prevent threats from reaching Canadians’ devices. The framework currently allows only the use of blocklists.
Exploring additional blocking methods
The CRTC is consulting on whether to adjust or expand the botnet-blocking framework. The consultation explores additional blocking methods, such as file signatures, traffic anomalies and network fingerprinting.
Enforcement highlights
Investigation into email account compromises
Following an extensive investigation, which included the execution of two search warrants, CRTC staff found that an individual party had acquired usernames and passwords from darknet marketplaces. He used these credentials to access multiple email accounts belonging to unsuspecting individuals. Once inside the accounts, he set up forwarding rules to redirect incoming emails to his own address.
These emails contained sensitive information, such as online banking transactions and utility billing details. This type of data is often used in phishing campaigns and other fraudulent activity.
For these unauthorized email redirections, the CRTC issued a notice of violation which included an administrative monetary penalty of $50,000.
Action against the Ebury Botnet
CRTC staff took action to protect Canadians from the Ebury Botnet, a major cybersecurity threat responsible for more than 35 million spam messages per day. In addition to sending spam, the botnet redirected web traffic, deployed malware and posed a significant risk to online safety.
Working with national and international partners, CRTC staff identified the botnet’s impact in Canada. As part of the response, the CRTC issued warning letters to 80 web hosting companies whose servers had been infected by Ebury. These letters alerted the companies to the compromise and encouraged them to take corrective action.
This initiative aimed to reduce unwanted communications to Canadians and promote good cybersecurity practices. It also supported compliance with section 9 of CASL, which prohibits aiding in the violation of the Act.
Enforcement measures between April 1 and September 30, 2025
- 153 Notices to Produce
- 123 Warning Letters
- 5 Preservation Demands
- 1 Notice of Violation
Complaints to the Spam Reporting Centre (SRC)
Reporting unsolicited commercial electronic messages, including spam, to the SRC is a key part of how the CRTC gathers intelligence on spam and electronic threats.
The CRTC, the Competition Bureau, and the Office of the Privacy Commissioner of Canada—the three enforcement agencies responsible for CASL compliance—use the SRC database to collect information that supports their respective mandates.
Between April 1 and September 30, 2025:
- The SRC received 152,603 complaints, averaging 5,869 per week.
- Approximately 3,121 complaints were submitted using the SRC's online form, which allows users to report spam and other electronic threats in detail.
- The remaining complaints, about 98%, were submitted by email to spam@fightspam.gc.ca.
The best way to report spam is to use the SRC online form and upload your spam message.
Sources of spam reported via the SRC online form
- Email: 68%
- Text message (SMS): 24%
- Unspecified: 7%
- Instant Message (IM): 1%
Types of SMS spam reported via the SRC online form
- Commercial: 29%
- Other/Unknown: 24%
- Phishing: 18%
- Scams: 18%
- Political SMS (CASL-exempt): 11%
Top categories of commercial and affiliate marketing messages reported via the SRC online form
- Retail and Online Shopping
- Health and Wellness
- Finance and Banking
- Software and Technology
- Entertainment and Recreation
The top five categories of phishing and spam complaints reported to the SRC are:
- Government Impersonation
- Extortion Scams
- Private Company Impersonation
- Employment Scams
- Bank Impersonation
Note: Statistics are derived from spam reports filed through the SRC online form.
Outreach
Outreach and engagement activities are essential for educating legitimate businesses about their responsibilities under CASL.
To help industry and Canadians better understand CASL, the CRTC offers a variety of resources on how to contact Canadians for commercial purposes in a compliant manner. These include:
- the Spam and malware webpage
- videos on the CRTC YouTube channel, which provide practical tips on sending commercial electronic messages
In September 2025, staff from the CRTC’s Compliance and Enforcement team, along with representatives from the Canadian Anti-Fraud Centre, delivered a joint presentation to members of a Royal Canadian Legion. The session focused on raising awareness and sharing helpful advice about spam, phishing, malware, and other types of scams—particularly those targeting seniors.
In addition, Steven Harroun, Vice-President, Compliance and Enforcement, participated in a Fireside Chat with the Retail Council of Canada and recorded a podcast with the Canadian Marketing Association to promote industry compliance with CASL.
Collaboration with International Partners
The CRTC works with members from over 26 countries to fulfill its mandate, promote international cooperation and address problems relating to spam and unsolicited communication.
In August, the CRTC entered into a new Memorandum of Understanding with the Commission for Communications Regulation of Ireland to improve information sharing with respect to regulatory policy and best practices.
Canada
Memorandum of Understanding
- Competition Bureau (CB)
- Office of the Privacy Commissioner (OPC)
- Consumer Protection Authority of British Columbia
Enforcement Collaboration:
- Royal Canadian Mounted Police (RCMP)
United States
Memorandum of Understanding
- Federal Trade Commission (FTC)
- Federal Communications Commission (FCC)
Enforcement Collaboration:
- Federal Bureau of Investigation (FBI)
Ireland
Memorandum of Understanding
- Commission for Communications Regulation (ComReg)
United Kingdom
Memorandum of Understanding
- Information Commissioner’s Office (ICO)
Japan
Memorandum of Understanding
- Ministry of Internal Affairs and Communications
Australia
Memorandum of Understanding
- Australian Communications and Media Authority
- Australian Federal Police (AFP)
Enforcement Collaboration:
- Federal Bureau of Investigation (FBI)
New Zealand
Memorandum of Understanding
- Department of Internal Affairs (DIA)
Useful Resources
Check out recent fraudulent activities reported to the Canadian Anti-Fraud Centre.
Looking for cyber safety tips?