Let's talk CAN SPAM

CheckboxEarlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.

What is CAN SPAM?

CAN SPAM is the US law regulating commercial email. It was passed and signed into law in 2003. It took effect Jan 1, 2004.
CAN SPAM is primarily enforced by the FTC, with the FCC having responsibility for email to certain domains. In 2005 FTC published clarifying rules to help businesses comply with the law.

What does it regulate?

CAN SPAM regulates commercial email. The act defines commercial email as:
The term “commercial electronic mail message” means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).
Commercial electronic mail messages do not include “transactional” or “relationship” messages. These messages are defined as messages related to a specific transaction (such as receipts and warranty information) or related to a membership (such as a statement or renewal notice).

What are the requirements?

CAN SPAM is pretty simple in what it regulates.

  • Commercial mail cannot have any forgeries.
  • Every email must have physical address for the sender.
  • Every email must provide a way for the recipient to unsubscribe. There are a number of requirements around the unsubscribe process.
    • Users must be able to unsubscribe over the internet, either by replying to the mail or clicking on a link.
    • The reply address or link must be active and functional for at least 30 days after the email is sent.
    • Senders must not require payment for unsubscribes.
    • Recipients only have to provide their email address. They cannot be forced to supply any additional information.
    • Recipients cannot be required to send more than one email or visit more than one webpage to unsubscribe.
  • Unsubscribes must be effective within 10 days of receiving a request.
  • Unsolicited email is prohibited to wireless domains as defined by the FCC.
  • Advertising email must be clearly marked as advertising.
  • Sexually explicit email must be labeled with SEXUALLY EXPLICIT in the subject line.

These are pretty simple requirements. Note, that most of these apply to any commercial email, not just bulk or unsolicited email.

What are the penalties?

The law provides for fines and jail time. Fines can reach $16,000 per violation. Enhanced penalties, including treble damages and jail time, take effect if certain conditions are met. Some of these conditions include harvesting addresses, using false whois information, or making up email addresses.

Who enforces CAN SPAM?

CAN SPAM doesn’t have a private right of action. Enforcement is by federal or state agencies or commercial email providers. Some of the webmail providers have sued spammers for CAN SPAM violations. Mailbox owners, such as businesses, may have standing to sue for CAN SPAM. A series of cases brought by individuals has really killed the ability of individuals to sue under the act.

Is there more?

There is, and you can read the FTC summary if you’re interested. The FTC talks about primary purpose and what’s transactional and what happens when there is more than one sender for a message.

How can you comply?

Compliance is pretty simple. I recommend clients just follow the rules for every email they send out. The rules are so basic, that there is no harm in applying them to emails that might not be covered. I tell clients to do the following for all their commercial email:

  • Include your physical address in every email.
  • Provide a simple unsubscribe link in every email, even transactional ones.
  • Use a valid address in whois, and avoid privacy protection services for email domains.

That’s really CAN SPAM compliance in a nutshell.
For many of my B2B spammers these days, compliance seems overly difficult and complicated. Most of them don’t have unsubscribes. Almost none of them have a physical address in the mail. For the senders who harvested my address off LinkedIn, enhanced penalties apply. As a business owner I could probably successfully file suit against some of these spammers. But that seems time consuming and ineffective.
I’ve been trying to work out new ways to deal with this. I’m considering supplying links to some blog posts here. I may also include a proposal for them to hire me so I can help them send mail that complies with CAN SPAM.
 

Related Posts

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Read More

Are botnets really the spam problem?

Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for endusers and filters.

Read More

Don't like opt-outs? Target your program better.

I get a LOT of spam here. Most of it is marked and trivial to get rid of. Some of it is what I would call semi-legitimate. It’s a real product, but I never asked to receive any information from this company and am not actually part of their demographic. For one time things I just hit delete and move on. Life is too short to complain or opt out of every spam I get. (Tried that, got more mail)
But sometimes if the same sender keeps bothering me, I will send back an email asking them to cease contact. I recently had an occasion where someone sent an initial email trying to sell me bulk SMS, online video and other services. I ignored it because we’re not in the market for any of these services. A week later I get a followup asking why I hadn’t provided feedback to them and if there was a better person to talk to at the company. I looked for a way to opt-out of this message stream, but there wasn’t one. I send a reply telling them we were not interested in speaking to them and to please cease all communication. (“You didn’t receive feedback because I have no interest in talking to you. Please cease all future contact.” Admittedly that was terse, but it was polite.)
My request to cease communication was not well received, nor was it honored. Mind you, they first contacted me trying to sell me services that are totally off what we offer. When I asked them not to contact me, they turned it around that we’d lost business.

Read More