Each CA has its own CPS. How do you the CA conduct its CPS accordingly?
Fortunately, as far as the spam issue is concerned, this question is moot: unlike a breach of confidentiality, a breach of spamfreeness is readily detectable. CAs that do a bad job here will be out of (this) business fast.
