SpamArrest Loses in Court

Internet law expert Eric Goldman points out that winning anti-spam lawsuits is hard. SpamArrest just learned that the hard way, he explains. If you weren’t aware, SpamArrest (whose website proclaims “SPAM ARREST WORKS!”) is a vendor of a Challenge/Response-based anti-spam filtering system. The way that works is, if you’re using a C/R-based system, any time somebody sends you an email, the system sends the person back a “challenge” email that the sender must now respond to, usually by clicking on a link. By engaging in this “response,” the sender is proving that they’re not a robot. The theory being that by doing so, the sender must not be a spammer. It’s a flawed system, for multiple reasons. First, the internet is global, and it’s possible for bad guys to very cheaply hire people from a far away land to click these links all day long, every day. Even worse, legitimate senders aren’t going to take the time to bother to click through these links; they’re going to write it off as too time intensive. Do you really think Amazon is going to bother responding to challenge requests, to push through your shipping notification? For years, I’ve been telling senders to ignore C/R challenge emails, because it’s a self resolving problem, those people don’t want to receive emails, so let those people not get their emails. Even worse than that, those of us who actually care about the email ecosystem find C/R abhorrent because of its inherent backscatter problem. Spammers forge sending addresses. C/R systems send challenge emails back to those forged sending addresses. Thus, unrelated people often receive C/R challenge emails, when they didn’t even initiate the original message. It doesn’t solve the spam problem; it just exchanges spam mail for misdirected junk mail. I’m not a fan of SpamArrest, but I’m also not a fan of anything that makes it hard to use legal means to go after people sending unsolicited email. So my emotions are mixed on this one. Regardless, I wouldn’t be happy if I were one of the 600 SpamArrest users who received the alleged spam message in question. And with regard to the rest of their users, I worry that bad guys will now interpret the court’s ruling as making it acceptable to set up “C/R approval farms” and respond to every challenge message received. This would seriously undermine both SpamArrest’s business strategy and anti-spam strategy. And to the rest of the anti-spam community, allow me to echo something Eric says in his article: Anti-spammers don’t win in court just by showing up.