Tag Archives: CAN-SPAM Act

A Better Way To Measure The Spam Flood

Here’s an interesting take on spam which helps illustrate how big a problem it has become.

Florida-based email service ZeroSpam Net (0SpamNet) says (via email, afraid no URL available at time of writing) that current methods of measuring spam, as a percentage of total email traffic, have become meaningless.

Two years ago, seeing Spam grow from 60% to 70% in a month or two had some meaning. Over the last couple of months the impact of Spam growing from 85% to 90% has been lost by being reported as a percentage. That last 5% of growth as a percentage of total traffic represents a 50% growth in the total volume of Spam. Measurement of Spam volume as a percentage of total traffic is a poor indicator of the ever increasing size of the Spam problem.

Instead it proposes an index, which it calls the ZSN Spam Index, which accounts for spam and legitimate email growth against a constant reference value of 100 valid messages. This takes into account the increase in normal email traffic — roughly 12% per year. The index goes back to November 2002, with a value of 66.67 — i.e. about 67 spam messages for every 100 valid emails. Now the index is at 782.12. That’s 800 spam messages for every 100 valid ones. Gasp.

Here’s the chart (PDF).

Why do people never talk about CAN-SPAM anymore, I wonder?

Email Marketers Peer Into Your Inbox

Email marketers can now peer into your inbox to see whether their emails are getting through.

ExactTarget, an Indianapolis-based company that “delivers on-demand email software solutions for permission-based email marketing” to companies like The Home Depot, General Mills, Scotts and Bristol-Myers Squibb, is now offering a service that peers into users’ inboxes at their local ISP to check whether their email marketing newsletters are getting through or getting binned as spam. The product: Inbox Detective.

According to ExactTarget, more than 20 percent of legitimate email never gets through spam filters — numbers, as Chris Baggott, co-founder and chief marketing officer of ExactTarget puts it, that “should be unacceptable to a marketer.”

The ExactTarget Inbox Detective allows marketers “to peer into the Inbox at the top 21 ISPs to get a quick snapshot of their actual delivery rates”. From there marketers can “track what percentage of email is reaching the inbox, which are being redirected to the bulk folder and which are being discarded.” All this can be done “in real-time, so problem areas can be identified and adjustments can be made.”

Another thing the Inbox Detective does is “keep emails away from content filters, which are the most widely used spam prevention technique, and also often erroneously catch legitimate permission email”. This it does by analysing “email content against major spam filters and black lists before sending”, so the marketer can “receive real-time advice on what content changes are needed to maximize email delivery”.

While I can quite understand that there are lots of legitimate email marketing companies out there, and lots of companies trying to run legitimate email newsletters, the Inbox Detective, as described in the ExactTarget press release, raises some troubling questions about the privacy of users’ inboxes at their ISP.

And, if ExactTarget can peer into inboxes of email providers such as Gmail, AOL, Yahoo, Hotmail, MSN, Earthlink, Comcast, AT&T and RoadRunner, who else might be able to?

Are Spam Lawsuits A Waste Of Time?

Not everyone thinks the big boys are on the right track by pursuing spammers in the courts.

Postini, ‘the industry’s leading provider of email security and management for the enterprise’, says spam “cannot be solved by lawsuits and legislation alone”.

America Online, Microsoft, Earthlink and Yahoo announced on Wednesday that they had filed numerous civil lawsuits against spammers, charging them with violating the provisions of the two-month-old CAN-SPAM Act. Steve Kahan, corporate vice president for Postini, says, “We believe these law suits will only succeed against small unsophisticated spammers, while doing little to stop the overwhelming amount of spam clogging corporate America’s email boxes. We hope these lawsuits do not give people running email systems a false sense of security.”

Postini says that since CAN-SPAM it “has seen no reduction in the amount of spam directed at its customers”: 75-80% of all messages are spam, viruses and other malicious email. On March 3, Postini recorded its highest spam day ever, blocking 103,193,573 spam messages.

Of course, Postini would say all this. “We make sure our 2600 enterprise customers and ISP’s don’t have a spam problem,” says Kahan. “There’s no need for them to spend money suing spammers because we keep them totally protected.” But what about the rest of us, who don’t have an ISP willing to pony up for this kind of service?

That said, Postini are probably right about the lawsuits. Spam is processed outside the U.S. and other territories getting tough on spam. The only way to close down spammers, in my view, is to go after the people using their services. Spammers don’t sell the goods, they just market them.

Stopping Spammers and Scammers By Patrolling Their Shopfront

America’s new anti-spam CAN-SPAM Act is a great way to stop spam, so long as the spammer is legit. The problem is, most spammers aren’t.

Mass.-based software company Ipswitch Inc. estimate that more than two-thirds of all spam is deceptive, meaning that spammers disguise the links to their website “behind unrelated graphics and pictures, or by camouflaging their site as a commonly used consumer e-tail site”. Some of this, of course, is real business (however sleazy) but a lot of it is scamming. From Ipswitch’s press release it’s not quite clear whether their software is aiming at the former, the latter or both.

“Over two-thirds of all spam messages include deceptive content intended to trick the recipient into believing the sender represents a legitimate business,” said John Korsak, messaging product marketing manager at Ipswitch. “Because of their legitimate look and feel, recipients do not associate these types of messages as spam when they appear in their email in-box. To protect people from unknowingly sharing private financial details, it is critical email providers employ a URL Domain Blacklist to verify the sender’s true identity.” That kind of sounds like most spam is scam, which can’t be right. It’s bad, but it is not yet that bad.

Anyway, the URL Domain Blacklist is one filter in 20 in Ipswitch’s IMail Server — the others are Bayesian Statistical filtering, Reverse DNS Lookups, SMTP filters, and whathaveyou — which “unmasks illegitimate spam messages by looking at the actual underlying link and comparing it to a growing list of more than 18,000 repeat spammers”.

It’s not a bad idea. Links are the one thing all spams and scams have in common, and they’re relatively easy to identify, unlike text (which can be disguised by clever use of HTML, the language used to create webpages, or by images). But there are still problems, and the press release (and website) are maddeningly imprecise about what, exactly, is being targeted here: Spam or scam?

If it’s the latter, I don’t think URL blacklists are going to be much help. From what we know of phishing scams, the main email-based scam, the website addresses that scammers want us to go to don’t last very long — sometimes only a few hours — meaning that you need to have a very long and rapidly updating list of known scammers. And while Ipswitch is probably right in arguing that they don’t get many false positives — good email mistaken for spam — I don’t think that’s the problem here. The problem is you’re chasing the one element in your average scam email that’s changing most: The scammer’s Internet shopfront. That can be set up and pulled down in a matter of minutes.
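A sketch of the check discussed in this post, as an added example rather than Ipswitch's code: pull the real link target out of each anchor, compare its host against a domain list, and separately flag anchor text that displays a different host than the link, a test that does not depend on the list being current. The list entries, domain names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample list; a production list is a feed that changes constantly.
BLOCKLIST = {"cheap-meds.example", "win-prizes.example"}
# Heuristic: anchor text that itself looks like a host name.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible_text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed IPv6 literal in a hostile link
        return ""

def on_blocklist(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain (not the bare TLD) is listed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def same_site(shown, host):
    """True if the displayed name and the real host are equal or nested."""
    return host == shown or host.endswith("." + shown) or shown.endswith("." + host)

def scan_html(body, blocklist=BLOCKLIST):
    """Return (href, reason) findings for one HTML message body."""
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, relative or malformed links carry no host
        if on_blocklist(host, blocklist):
            findings.append((href, "blocklisted"))
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and not same_site(shown.group(1).lower(), host):
            findings.append((href, "text-mismatch"))
    return findings

# Constructed message body: image-only link, camouflaged link, honest link.
SAMPLE = """<a href="http://www.cheap-meds.example/buy"><img src="cid:banner"></a>
<a href="http://login.fresh-domain.example/verify">www.mybank.example</a>
<a href="https://news.mybank.example/offers">mybank.example</a>"""
```

Running scan_html(SAMPLE) reports the first link as blocklisted and the second as a text mismatch even though its domain is not on the list; the third link passes both checks.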

Marketers Baffled By Spam Laws

This new spam law, so far, is taking us nowhere.

A new survey conducted by email marketing service Blue Sky Factory reckons that nearly half of email marketers aren’t sure whether the stuff they send out is compliant and more than half admit that they do not understand the new U.S. laws (called, catchily but inaccurately, CAN-SPAM). Marketers, needless to say, aren’t happy: almost 40 percent do not believe the new laws will have a positive influence on the online relationship between businesses and their consumers. (A PDF version of the survey is available here.)

This seems to be the prevailing view at a conference in San Francisco, where WIRED reports that a lot of folk are nervous, since the law carries heavy penalties not just against marketers but the folk selling the product they’re peddling. This may be no bad thing, of course: The story quotes someone from dating site Date.com as saying his company now has “a strict policy on privacy and bulk e-mailing” in place. Others complain that the law gives too much leeway to Internet Service Providers to block stuff that looks like spam, so they find that their emails are getting stopped even when they’re complying with CAN-SPAM.

Nowhere, so far, is mentioned the alternative: RSS. To me it seems a logical step. RSS feeds don’t get blocked, control over receiving or not receiving is in the hands of the reader, and it’s cool. Get with the program, email marketers.

A Way Forward For RSS?

Here’s an interesting twist to RSS (Really Simple Syndication, a way to channel material into feeds) that shows the format could have a life beyond blogs.

iUpload, “a net-native content management solution provider”, has just introduced a free service that allows companies to avoid the legal pitfalls and technology filters of the spam world to send content to users who want it. MailbyRSS allows the company to send content out by email, which is then converted to RSS, which the subscriber can then add as a feed to his/her RSS feed reader. Benefits? It bypasses the whole blog thing, it is easy to update, it avoids their usual emailings getting caught in spam filters (or in contravention of the new CAN-SPAM Act).

Not a bad idea. Though a wonderful tool, RSS is still stuck in the slow (read: unexploited commercially) lane, but something like this may help push it out there. The great thing about RSS is that control remains with the user, who doesn’t have to hand over any personal data — even an email address — to get a feed, and can pull the plug any time, simply by deleting the feed. It’s the antidote to spam. Now there needs to be a way to build and manage RSS content, something MailbyRSS may help to achieve.

No Sign Of Letup On Spam So Far

Unsurprisingly, the new U.S. anti-spam law has had no effect whatsoever.

Commtouch, a provider of anti-spam solutions, said it saw no significant change in the number of spam attacks in the first week of 2004, and that less than 1% of all bulk email complied with the new CAN-SPAM regulations.

Although Commtouch notes it is too early to tell, as spammers are still on holiday, I’ve noticed no slowdown at all. This is not unexpected, since most spammers operate outside the law – when was the last time you had a legitimate-looking junk email that was not trying to disguise itself?

But it’s not just the really sleazy guys still doing it. MX Logic, another anti-spam provider, looked at a random sample of over 1,000 unsolicited commercial emails during the course of a seven day period beginning New Year’s Day and found only three of the messages complied with the CAN-SPAM Act. “Calling this a high rate of non-compliance would be a gross understatement,” said Scott Chasin, MX Logic’s chief technology officer. “It is no surprise that rogue spammers would fail to comply, but the non-compliant messages we saw appeared to be from all types of companies.”

This could be just reputable (I use the term loosely) email marketers not getting up to speed on something that was only signed into law on December 16. If you are an email marketer and you do want to comply, here’s a checklist of what you should do, courtesy of Intermark Media, itself an email marketer (the list is somewhat revealing to us normal folk, in that it shows what kind of tricks spammers tend to do to give the impression everything is hunky dory and that, at some point of personal weakness, we actually agreed to receive spam from them):

— Collect this information on every member of your opt-in database: IP address, date and time of opt-in, and source URL of sign-up.
— Be wary of any list managers who do not require this sensitive information from you as it is of crucial importance that all parties involved have it.
— Provide a clear opt-in process for the consumer.
— State your intentions in your privacy policy.
— Make your privacy policy easily accessible to the consumer.
— Upon receiving a customer’s permission to send offers you should notify them of their consent. This also allows the consumer to become double opt-in or unsubscribe from receiving any offers.
— Upon receiving a database to manage always run a permission email to the database in order to notify the consumers that you are the source of the emails they will be receiving and this will allow them to unsubscribe from your mailings or become double or even triple opt-in.
— Never change the headers that you send emails from.
— Use valid and relevant from and subject lines for all campaigns.
— Do not use misleading subject lines for any purposes, including creating new responsive lists from recipients that open or click on a campaign.
— If you receive a subject line you feel is questionable ask the advertiser to provide another one.
— Make sure the email address you are sending campaigns from is valid and working.
— In the footer, provide an explanation of why the consumer is receiving the ad.
— In the footer, provide your company’s valid postal address. If you are managing a client’s list, make sure their address appears as well.
— Make sure every campaign has a valid, working and obvious unsubscribe mechanism that easily removes the consumer from your database.
— Keep a real-time update of unsubscribes and remove them from your database and the databases of all parties involved.
— Do not email to consumers who unsubscribe from your database.
— Do not allow others to email to consumers who have unsubscribed from your database.

Who Are The White Knights In The War On Spam?

I know this is appallingly cynical of me, but I can’t help worrying about the most recent development in the War On Spam. That, in case you hadn’t heard, is the news of a ‘fighting cooperative’ as Jupiter Research’s Microsoft Monitor puts it, between Microsoft and New York State attorney general Eliot Spitzer, who have together filed lawsuits against alleged spammers Synergy6 and Scott Richter, among others. Spitzer was one of the key players in the government’s five-year antitrust case against Microsoft.

Now, don’t get me wrong. It’s good that someone’s going after spammers. And they may well have the right guys. Spamhaus has Richter high up on its list of top spammers, and Spitzer described him as the third largest spammer in the world, delivering 250 million spam e-mails per day. And having Microsoft onside definitely has its rewards: As part of a six-month investigation, Microsoft set up honey traps, capturing 8,000 spam mails in one month containing, according to Spitzer, “40,000 false statements.” New York State will seek $500 in damages for each false statement. Microsoft’s lawsuits, filed in Washington State, seek more than $18 million in damages.

But while Jupiter and others focus on the positive aspects of Microsoft’s improving relations with the government, what exactly is Microsoft doing suing spammers? While they have the technical muscle to help catch the spammer (and this is not the first time they’ve gone after spammers in the courts, as TechDirt points out), my suspicion is that spammers are being pursued not because they’re a nuisance to us users, but because they’re getting in the way of making the web a marketers’ dream playground.

Spam is hell for the inbox and is giving a bad name to all forms of e-marketing. That’s bad for us, but more importantly it’s bad for big business, as Microsoft general counsel Brad Smith explains: “Deceptive and illegal spam, like the kind we’re attacking today, is overwhelming legitimate e-mail and threatening the promise and potential of the Internet for all of us. We appreciate the attorney general’s leadership on what is arguably the biggest technology menace consumers are facing. Together we are stepping up efforts to help consumers take control of their inboxes again.”

Indeed, it’s telling that Microsoft has, according to the anti-spamming community, been instrumental in watering down anti-spamming legislation which might have done a more thorough job of stopping junk mail. Of course, I’m not defending spam. It’s ugly, and getting worse. And Microsoft are improving their spam filtering: Outlook 2003 has it, and they just upgraded it again yesterday.

But in helping get rid of it we may unwittingly be committing ourselves to a regimented future online, of standards — IDs, Digital Rights Management, microtolls — controlled by the big corporates. Or at the very least, leave the ground free for spam from the mainstream — mainsleaze spam, as California State Senator Debra Bowen put it: “Microsoft doesn’t want to ban spam, it wants to decide what’s ‘legitimate’ or ‘acceptable’ unsolicited commercial advertising so it can turn around and license those e-mail messages and charge those advertisers a fee to wheel their spam into your e-mail inbox without your permission.”

Do You Know Anyone Who Buys From Spammers?

There’s another campaign on the road: This time it’s telling you not to buy anything advertised on spam. I don’t know anyone who would do this kind of thing, but there you are. Mike Adams (“President & CEO, Arial Software, LLC, Permission Email Pioneer and founder of the ‘Spam. Don’t Buy It.’ public education campaign”) says: “While Internet users are rightfully raising their voices and urging legislators to outlaw spam, few users examine their own contribution to the problem. It is true that the primary blame for spam falls on spammers, but it is equally true that spam wouldn’t exist at all if Internet users stopped buying products offered by spammers.”

His argument: “Every user’s inbox is a reflection of what Internet users are buying through spam. No spammer sends emails in the interests of the public good: they do it for profit, and that profit is only generated when Internet users open spam, read spam, and buy from spam. To stop spam, we have to stop buying from spam. That’s why I have created the “Spam. Don’t Buy It.” campaign, to help educate Internet users on their role in the ongoing spam problem.”

Actually, the website does have some interesting bits. I’m just not quite sure what a “Permission Email Pioneer” is.

Spam Law Passed, Not Many Impressed

The U.S. Congress has passed the anti-spam bill, after the House voted to approve minor Senate amendments, The Register reports. Not everyone thinks it’s a good idea. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act does more harm than good in the fight against spam, according to critics.

The bill criminalises common spamming tactics, such as using a false return address. But it overrides Californian laws which had allowed spam recipients to sue spammers. The bill requires online marketeers to act on requests to “opt out” of future emails, unlike European Union legislation which requires them to seek the permission of consumers first.

The CAN-SPAM Act is expected to be signed into law by President Bush before the start of next year.