3 new CAN SPAM cases
Xmission, a Utah ISP, has filed suit against 3 companies alleging violations of CAN SPAM. The cases were filed in the Utah District Court in April and June. I’ve downloaded some of the documents and complaints and they are now in RECAP. I’ve also included the complaints here (and the links from here on out are almost all .pdfs of the court documents).
Xmission v. Adknowledge (Case 2:15-cv-00277).
Xmission v. Clickbooth (Case 2:15-cv-00420).
Xmission v. Thompson and Company (Case 2:15-cv-00385).
In all the cases Xmission is alleging similar violations of CAN SPAM.
Falsified header information: part 1
Xmission asserts that the domains in the headers were spoofed, unregistered or belonged to an unrelated 3rd party. One of the complaints listed subject lines of the emails sent, so I dug through my spam folder for similar emails. I found a few examples of what I suspect are the spams mentioned in the suit.
Received: from lijiboyulecheng7.com (unknown [184.108.40.206])
by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
for <firstname.lastname@example.org>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)
lijiboyulecheng7.com doesn’t exist in DNS and is an unregistered domain. That same spam had a from address of: Awards <RewardsDepartment@lijiboyulecheng7.com>.
While I don’t know for sure that these are the specific emails in question, there is a lot of spam being sent from unregistered or invalid domains. It’s not hard to argue this is a CAN SPAM violation.
Falsified header information: part 2
Xmission asserts that the domains were acquired under false pretenses. They go so far as to say that the domains that were registered were done so for the sole purpose of sending spam and in violation of the registrar agreements.
Registering lots of domains, only to use them for a short period of time, is a common tactic among spammers. I don’t know if I’d go so far as to say it’s a CAN SPAM violation, but the Xmission reading of the law may persuade the judge.
“Header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” 15 U.S.C. § 7704(a)(1)(A).
Using automated means to create addresses
Xmission alleges that the defendants used scripts to create both the recipient and the sender addresses. CAN SPAM doesn’t mention anything about scripts to create sender addresses, or domains, so I think this is a bit of a stretch for Xmission. And I haven’t seen any evidence these spammers are creating addresses. Overall, I think the aggravated damages is going to be a very hard sell for Xmission. Did the authors of CAN SPAM intend for the automated address provision to be used against the sender address. I’m pretty sure they didn’t.
But it’s hard to argue that the domains that Xmission did mention were somehow not automatically created:
Defendants transmitted e-mails to XMission customers through the following domains: 00261.net; 00374.net; 00596.net; 00689.net; 001268.net; 048588.com; 0959.org; 17000666666.com; 1700099999.com; 323333.net; 366666666.com; 466666666.com; 888338.net.
The founder of XMission, Pete Ashdown, did submit a declaration in the Clickbooth case. This declaration provides some extra details about spam coming into Xmission. The data points I found most interesting were:
- Xmission has 13 servers just to handle incoming spam.
- Xmission has 2 full time staffers to manage incoming mail, deal with complaints and adjust filters.
- Xmission spends between 100K and 200K dollars per year on anti-spam technology.
- Xmission uses both URIBL and Spamhaus as part of their filtering.
- Even with these two blocklists, between 40 and 85% of mail coming into Xmisison is spam.
- Xmission clicked unsubscribe on links in emails and saw no effect.
Of all the cases, only Adknowlege has responded to the complaint, and they deny everything and ask for summary judgement as “they don’t own the sending domains in question.” The judges in the Adknowledge and Clickbooth cases have ordered that both companies are to accept a list of domains from Xmission and cease mailing to them.
Xmission has put a lot of energy into this case, and they have actually avoided a lot of the problems I’ve seen in other CAN SPAM cases brought by ISPs. It seems to me that this is a case on principle for them as much as it is about recovering damages. They’re also the first group I’ve seen go after the advertiser (URL owner) as well as the sender. This is a provision in CAN SPAM that I don’t think the FTC has even enforced. We’ll see what happens.