The thing is, how do you even prosecute it? Where the company is based? Where the web servers are based? Where the email servers are based? Where it was served? The email client's server location?

As long as the company does business in the US, you have enough of an argument to drag them into court over it. Whether or not that is worth your time (or will ultimately net you anything) is anyone's guess.

Can you actually drag a company into court over CANSPAM? I was under the impression it was FTC fines only.

Consumers can't really take any action on their own, but ISPs can. Microsoft has been pretty active in this regard. My understanding is they use this to file charges against John Doe spammers so that they can use court procedures to track down their actual identity. IANAL.

There are a lot of things wrong with the CAN SPAM Act, but this is not one of them. It applies to any company where the US can claim jurisdiction which, at the very least, includes every US based company. It does not matter how or where the emails are sent.

the company can in the U.S. at least get hit with an FTC fine.