3 new CAN SPAM cases

Xmission, a Utah ISP, has filed suit against 3 companies alleging violations of CAN SPAM. The cases were filed in the Utah District Court in April and June. I’ve downloaded some of the documents and complaints and they are now in RECAP. I’ve also included the complaints here (and the links from here on out are almost all .pdfs of the court documents).
Xmission v. Adknowledge (Case 2:15-cv-00277).
Xmission v. Clickbooth (Case 2:15-cv-00420).
Xmission v. Thompson and Company (Case 2:15-cv-00385).
In all the cases Xmission is alleging similar violations of CAN SPAM.
Falsified header information: part 1
Xmission asserts that the domains in the headers were spoofed, unregistered or belonged to an unrelated 3rd party. One of the complaints listed subject lines of the emails sent, so I dug through my spam folder for similar emails. I found a few examples of what I suspect are the spams mentioned in the suit.

Received: from lijiboyulecheng7.com (unknown [114.98.67.145])
    by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
    for <lxxxxx@xxxxxx.xxx>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)

lijiboyulecheng7.com doesn’t exist in DNS and is an unregistered domain. That same spam had a from address of: Awards <RewardsDepartment@lijiboyulecheng7.com>.
While I don’t know for sure that these are the specific emails in question, there is a lot of spam being sent from unregistered or invalid domains. It’s not hard to argue this is a CAN SPAM violation.
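The header check described above can be automated on the receiving side. The following is an added example, not code from the original post or the court filings: it parses the topmost Received header (Postfix format, as quoted above) and the From address, and reports names that do not resolve. The function names, the sample Subject and body, and the injectable `resolves` callback are assumptions made for illustration.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received line and From address are the ones quoted
# in the post; the Subject and body are placeholders.
SAMPLE = """\
Received: from lijiboyulecheng7.com (unknown [114.98.67.145])
    by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
    for <lxxxxx@xxxxxx.xxx>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)
From: Awards <RewardsDepartment@lijiboyulecheng7.com>
Subject: constructed subject

constructed body
"""

# Postfix writes "from HELO (RDNS [IP])"; RDNS is "unknown" when the
# connecting IP has no verified reverse DNS name.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def dns_resolves(domain):
    """Default resolver: True if the name has an address record.
    A mail-only domain (MX but no A/AAAA) needs an MX lookup instead, and a
    temporary DNS failure also lands in the except branch."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit_headers(raw, resolves=dns_resolves):
    """Return findings for the topmost Received hop and the From domain."""
    msg = message_from_string(raw)
    findings = []
    received = msg.get_all("Received") or []
    if received:
        # Only the top hop was written by our own MTA; unfold it first.
        m = RECEIVED_RE.search(" ".join(received[0].split()))
        if m:
            helo, rdns, ip = m.groups()
            if rdns == "unknown":
                findings.append(f"no verified reverse DNS for {ip}")
            if not resolves(helo):
                findings.append(f"HELO name {helo} does not resolve")
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and not resolves(domain):
        findings.append(f"From domain {domain} does not resolve")
    return findings
```

A name that fails to resolve is a signal to investigate, not proof that the domain is unregistered; confirming registration status requires a WHOIS or registry lookup.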
Falsified header information: part 2
Xmission asserts that the domains were acquired under false pretenses. They go so far as to say that the domains were registered for the sole purpose of sending spam, in violation of the registrar agreements.
Registering lots of domains, only to use them for a short period of time, is a common tactic among spammers. I don’t know if I’d go so far as to say it’s a CAN SPAM violation, but the Xmission reading of the law may persuade the judge.

“Header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” 15 U.S.C. § 7704(a)(1)(A).

Using automated means to create addresses
Xmission alleges that the defendants used scripts to create both the recipient and the sender addresses. CAN SPAM doesn’t mention anything about scripts to create sender addresses, or domains, so I think this is a bit of a stretch for Xmission. And I haven’t seen any evidence these spammers are creating addresses. Overall, I think the aggravated damages are going to be a very hard sell for Xmission. Did the authors of CAN SPAM intend for the automated address provision to be used against the sender address? I’m pretty sure they didn’t.
But it’s hard to argue that the domains that Xmission did mention were somehow not automatically created:

Defendants transmitted e-mails to XMission customers through the following domains: 00261.net; 00374.net; 00596.net; 00689.net; 001268.net; 048588.com; 0959.org; 17000666666.com; 1700099999.com; 323333.net; 366666666.com; 466666666.com; 888338.net.

The founder of XMission, Pete Ashdown, did submit a declaration in the Clickbooth case. This declaration provides some extra details about spam coming into Xmission. The data points I found most interesting were:

  • Xmission has 13 servers just to handle incoming spam.
  • Xmission has 2 full time staffers to manage incoming mail, deal with complaints and adjust filters.
  • Xmission spends between 100K and 200K dollars per year on anti-spam technology.
  • Xmission uses both URIBL and Spamhaus as part of their filtering.
  • Even with these two blocklists, between 40 and 85% of mail coming into Xmission is spam.
  • Xmission clicked unsubscribe on links in emails and saw no effect.

Of all the cases, only Adknowledge has responded to the complaint, and they deny everything and ask for summary judgement as “they don’t own the sending domains in question.” The judges in the Adknowledge and Clickbooth cases have ordered that both companies are to accept a list of domains from Xmission and cease mailing to them.
Xmission has put a lot of energy into this case, and they have actually avoided a lot of the problems I’ve seen in other CAN SPAM cases brought by ISPs. It seems to me that this is a case on principle for them as much as it is about recovering damages. They’re also the first group I’ve seen go after the advertiser (URL owner) as well as the sender. This is a provision in CAN SPAM that I don’t think the FTC has even enforced. We’ll see what happens.
