3 new CAN SPAM cases

Xmission, a Utah ISP, has filed suit against 3 companies alleging violations of CAN SPAM. The cases were filed in the Utah District Court in April and June. I’ve downloaded some of the documents and complaints and they are now in RECAP. I’ve also included the complaints here (and the links from here on out are almost all .pdfs of the court documents).
Xmission v. Adknowledge (Case 2:15-cv-00277).
Xmission v. Clickbooth (Case 2:15-cv-00420).
Xmission v. Thompson and Company (Case 2:15-cv-00385).
In all the cases Xmission is alleging similar violations of CAN SPAM.
Falsified header information: part 1
Xmission asserts that the domains in the headers were spoofed, unregistered or belonged to an unrelated 3rd party. One of the complaints listed subject lines of the emails sent, so I dug through my spam folder for similar emails. I found a few examples of what I suspect are the spams mentioned in the suit.

Received: from lijiboyulecheng7.com (unknown [114.98.67.145])
    by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
    for <lxxxxx@xxxxxx.xxx>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)

lijiboyulecheng7.com doesn’t exist in DNS and is an unregistered domain. That same spam had a from address of: Awards <RewardsDepartment@lijiboyulecheng7.com>.
While I don’t know for sure that these are the specific emails in question, there is a lot of spam being sent from unregistered or invalid domains. It’s not hard to argue this is a CAN SPAM violation.
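
The header check described above, as an added example that is not part of the original post: it pulls the HELO name, reverse-DNS field and connecting IP out of the top Received line, takes the domain from the From address, and tests whether those domains resolve. The function names and the injectable `resolves` callable are assumptions of this example, and a failed lookup is a DNS result only, so registration status still needs a WHOIS or registry check.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr

# Sample built from the headers quoted in the post; the Subject line and
# body are constructed so the message parses as a complete email.
SAMPLE = """\
Received: from lijiboyulecheng7.com (unknown [114.98.67.145])
    by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
    for <lxxxxx@xxxxxx.xxx>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)
From: Awards <RewardsDepartment@lijiboyulecheng7.com>
Subject: constructed sample

body
"""

# Postfix format: "from <HELO name> (<reverse DNS name> [<connecting IP>])"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def dns_exists(domain):
    """Default lookup: True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_headers(raw, resolves=dns_exists):
    """Report on the domains claimed in the top Received line and in From."""
    msg = message_from_string(raw)
    findings = {}
    received = msg.get_all("Received") or []
    if received:
        # Unfold the header before matching; only the top hop was written
        # by our own server and can be trusted.
        m = RECEIVED_RE.search(" ".join(received[0].split()))
        if m:
            helo, rdns, ip = m.groups()
            findings.update(helo=helo, ip=ip)
            # Postfix writes "unknown" when it has no verified PTR name.
            findings["rdns_missing"] = rdns == "unknown"
            findings["helo_resolves"] = resolves(helo)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings["from_domain"] = from_domain
    findings["from_resolves"] = bool(from_domain) and resolves(from_domain)
    return findings
```

Calling `audit_headers(SAMPLE)` with the default resolver performs live lookups; pass a stub as `resolves` to run it offline against archived mail.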
Falsified header information: part 2
Xmission asserts that the domains were acquired under false pretenses. They go so far as to say that the domains that were registered were done so for the sole purpose of sending spam and in violation of the registrar agreements.
Registering lots of domains, only to use them for a short period of time, is a common tactic among spammers. I don’t know if I’d go so far as to say it’s a CAN SPAM violation, but the Xmission reading of the law may persuade the judge.

“Header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” 15 U.S.C. § 7704(a)(1)(A).

Using automated means to create addresses
Xmission alleges that the defendants used scripts to create both the recipient and the sender addresses. CAN SPAM doesn’t mention anything about scripts to create sender addresses, or domains, so I think this is a bit of a stretch for Xmission. And I haven’t seen any evidence these spammers are creating addresses. Overall, I think the aggravated damages are going to be a very hard sell for Xmission. Did the authors of CAN SPAM intend for the automated address provision to be used against the sender address? I’m pretty sure they didn’t.
But it’s hard to argue that the domains that Xmission did mention were somehow not automatically created:

Defendants transmitted e-mails to XMission customers through the following domains: 00261.net; 00374.net; 00596.net; 00689.net; 001268.net; 048588.com; 0959.org; 17000666666.com; 1700099999.com; 323333.net; 366666666.com; 466666666.com; 888338.net.

The founder of XMission, Pete Ashdown, did submit a declaration in the Clickbooth case. This declaration provides some extra details about spam coming into Xmission. The data points I found most interesting were:

  • Xmission has 13 servers just to handle incoming spam.
  • Xmission has 2 full time staffers to manage incoming mail, deal with complaints and adjust filters.
  • Xmission spends between 100K and 200K dollars per year on anti-spam technology.
  • Xmission uses both URIBL and Spamhaus as part of their filtering.
  • Even with these two blocklists, between 40 and 85% of mail coming into Xmission is spam.
  • Xmission clicked unsubscribe on links in emails and saw no effect.

Of all the cases, only Adknowledge has responded to the complaint, and they deny everything and ask for summary judgement as “they don’t own the sending domains in question.” The judges in the Adknowledge and Clickbooth cases have ordered that both companies are to accept a list of domains from Xmission and cease mailing to them.
Xmission has put a lot of energy into this case, and they have actually avoided a lot of the problems I’ve seen in other CAN SPAM cases brought by ISPs. It seems to me that this is a case on principle for them as much as it is about recovering damages. They’re also the first group I’ve seen go after the advertiser (URL owner) as well as the sender. This is a provision in CAN SPAM that I don’t think the FTC has even enforced. We’ll see what happens.
