Internet and e-mail policy and practice
including Notes on Internet E-mail


2013
Months
Jun

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email


11 Jun 2013

CAN SPAM issues in Zoobuh v. Better Broadcasting Email

Last week a Utah court issued a default judgement under CAN SPAM in Zoobuh vs. Better Broadcasting et al. I think the court's opinion is pretty good, even though some observers such as very perceptive Venkat Balasubramani have reservations.

The main issues were whether Zoobuh had standing to sue, whether the defendants domain names were obtained fraudulently, and whether the opt-out notice in the spam was adequate.

Standing

The standing issue was easy. Zoobuh is a small ISP with 35,000 paying customers who spends a lot of time and money doing spam filtering, using their own equipment. That easily met the standard of being adversely affected by spam, since none of the filtering would be needed if it weren't for all the spam.

Domain names

CAN SPAM prohibits "header information that is materially false or materially misleading." The spammer used proxy registrations at eNom and Moniker. The first subquestion was whether using proxies is materially false. Under the California state anti-spam law, courts have held that they are, and this court found that the California law is similar enough to CAN SPAM that proxies are materially false under CAN SPAM, too.

Venkat has reservations, since in principle one can contact the domain owner through the proxy service, but I'm with the court here. For one thing, even the best of proxies take a while to respond, and many are in fact black holes, so the proxy does not give you useful information about the mail at the time you get or read the mail. More importantly, businesses that advertise are by nature dealing with the public, and there in no plausible reason for a legitimate business to hide from its customers. (Yes, if they put real info in their WHOIS they'll get more spam. Deal with it.)

CAN SPAM also forbids using a "domain name, ... the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations." Both eNom and Moniker's terms of service forbid spamming, so the court found that the senders obtained the addresses fraudulently, hence another violation. Venkat finds this to be circular reasoning, arguing that the court found the spam to be illegal because the spam was illegal, but in this case, he's just wrong.

Despite what some bulk mailers might wish, CAN SPAM does not define what spam is, and mail that is entirely legal under CAN SPAM can still be spam. eNom's registration agreement forbids "if your use of the Services involves us in a violation of any third party's rights or acceptable use policies, including but not limited to the transmission of unsolicited email". Moniker's registration agreement prohibits "the uploading, posting or other transmittal of any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes," or any other form of solicitation, as determined by Moniker in its sole discretion." There is no question that the defendants sent "unsolicited email" or "unsolicited advertising" and there's nothing circular about the court finding that the defendants did what they had agreed they wouldn't.

Opt out notice

The third issue is whether the spam contained the CAN SPAM required opt out notices. There were no notices in the messages themselves, but only links to remote images that presumably were supposed to contain the required text. As the court said:

The question presented to the Court in this case is whether Required Content provided in the emails through a remotely hosted image is clearly and conspicuously displayed. This Court determines that it is not.

One issue is that many mail programs do not display external images for security reasons or (as in my favorite program Alpine) because they don't display images at all. The court cites multiple security recommendations against rendering remote images, and concludes that there's nothing clear or conspicuous about a remote image. Even worse, the plaintiffs said that the remote images weren't even there if they tried to fetch them,

The real point here is that the senders are playing games. There is no valid reason to put the opt-out notice anywhere other than text in the body of the message, which is where every legitimate sender puts it.

Summary

Overall, I am pleased at this decision. The court understood the issues, was careful not to rely on any of the plaintiff's claims that couldn't be verified (remember that the defendant defaulted, so there was no counter argument) and the conclusions about proxy registrations and remote images will be useful precedents in the next case against spammers who use the same silly tricks.


posted at: 11:46 :: permanent link to this entry :: 2 comments
posted at: 11:46 :: permanent link to this entry :: 2 comments

comments...        (Jump to the end to add your own comment)


The Goldman blog post was actually authored by Venkat Balasubramani, you should update the reference. Venkat more-or-less idled his own Spam Notes blog a while ago and occasionally posts on Eric's blog instead.

And oh man, I love both the DbP and opt-out findings here. Good to see.

(by Al Iverson 11 Jun 2013 10:46)



Oops, you're right. Post updated.

(by John Levine 11 Jun 2013 11:45)


Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
It turns out you don’t need a license to hunt for spam.
4 days ago

A keen grasp of the obvious
Italian Apple Cake
563 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.