Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

06 Jun 2010

Does CAN SPAM cover affiliate spam? Email

Affiliate marketing is a popular way to advertise on the Net. A company signs up affiliates, or more often an intermediary that signs up the affiliates, and pays for each lead or each sale. Web affiliate marketing is fairly respectable (check out my Amazon affiliate store and the links on my airline ticket web site) but mail affiliates, particularly mail affiliates through intermediaries, are a cesspit. While there are doubtless mail affiliates that behave themselves, there are far too many of them that sign up and spam like crazy on the somewhat accurate theory that the more spam they send, the more responses they will get and the more leads they'll have to sell, with the only downside being that they might have a cheap hosting account cancelled.

The marketers and intermediaries invariably make the affiliates promise not to spam, but since they don't know what addresses the affiliates are mailing to, and see only the leads and (maybe) the occasional complaint from recipients of the ads, it's extremely difficult to monitor what the affiliates are doing. Moreover, it is very hard to build a substantial true opt-in mailing list, and if you have a good list, its value for your own business is too great to be worth annoying the people on it by sending third-party ads. Hence affiliates have to use lousy lists, such as purchased lists of dubious provenance, addresses mechanically scraped off web sites. It's an open secret in the business that the business is full of sleazeballs who will cheerfully do things like using a suppression list provided by marketer A as a prospect list for marketer B.

With this in mind, does a marketer bear responsibility under CAN SPAM for mail that affiliates send? The answer, both from the wording of CAN SPAM and from simple logic, should be of course it does, but the sad tale of ASIS vs. Azoogle suggests that judges think it doesn't, at least not in the Ninth Circuit.

ASIS is a small ISP in California which has filed a variety of CAN SPAM suits. In 2005 they sued a group of defendants including Azoogle, a lead generation company, claiming that Azoogle was responsible for thousands of mortgage spams, which were a hot item back during the real estate bubble.

Azoogle, whose mailing practices were bad enough to get into the Spamhaus ROKSO list, although they were out of it by the time the suit was filed, had a well known ad program called Low Rate Advisors and Christian Mortgages USA. The mortgage frenzy was so great that Azoogle couldn't generate enough leads on its own from its affiliates, so they bought leads from third party vendors that generated their own leads. The part of the decision describing this has large sections blacked out, so we don't know what else they were doing.

Since it is often difficult to tell who the ultimate beneficiary of affiliate spam is, ASIS did a little detective work, responding to some of them with a fake name and a phone number that went to an answering machine. They got a bunch of calls and (condensing several years of court record here) many of them traced back to Azoogle. ASIS' experts looked at the spam and found that it was sent from random scattered domains and IP addresses, characteristic of botnet spam, which among other things hides the true origin of the mail, illegal under CAN SPAM. While this wasn't a slam dunk, this should have been a strong case for ASIS and they should have won. But not only did they lose in 2008, with their loss upheld on appeal in December 2009, they lost so badly that last month the judge slapped them with $800,000 in costs and sanctions. What happened?

One thing that happened is that Azoogle out-lawyered and out-experted them. Azoogle's expert was Fred Cohen, whom I have encountered in other cases. Using what I've called the space aliens defense, as in "maybe space aliens did it", he cast doubt on of ASIS' analysis, including absurd claims like saying that maybe it was an onion router rather than a botnet. (This is absurd both because real onion routers like Tor don't allow mail at all, and there aren't enough onions in the world to account for a fraction of the addresses from which botnets send spam.) Azoogle's lawyers also appears to have persuaded the court that since the third party lead companies promised they didn't spam, that they were shocked, shocked, to find otherwise. Again, this is absurd, everyone in the industry knew that if you let people mail at all for mortgage lead generation, it was all spam all the time.

We all seem to agree that it is hard to the point of impossibility to do e-mail lead generation without someone down the chain of affiliates and third party companies sending spam that's illegal under CAN SPAM. I'd think that meant that you can't do lead generation that way, but apparently in California it now means that recipients just have to put up with the spam and have no meaningful recourse.

The court said:

Even assuming Asis might have reasonably believed when it initially named Azoogle as a defendant that it would establish standing - a question that turned on an as-yet unresolved issue of law - there was never any evidence that Azoogle sent or procured the emails on which Asis based its claims.

I think the court is just wrong here; based on what I read, assuming you believe that CAN SPAM means what it says, there was plenty of evidence to link Azoogle to the spam, and proceed to discovery to see if Azoogle's own records about affiliate and ad campaigns match the spam.

This explains why ASIS lost, but why did they get sanctioned?

ASIS clearly annoyed the court by chronic sloppiness. The court's decision is full of notes where ASIS said one thing and later contradicted themselves. Many of them are unimportant, e.g., the URL of a site pointed to by a spam, but they undermine ASIS already shaky credibility. They also made claims about their costs to deal with spam that were just silly, claiming that staff time helping users configure their mail software was 100% due to spam. They clearly had real costs from spam, and it was foolish to pad the numbers.

The evidence in spam cases always involves a mass of details, both because there is a lot of spam, because the details of evidence linking it back to the senders is complex, and because CAN SPAM has complex requirements for plaintiffs. Neatness counts.

But the real problem was the misguided precedents from Gordon vs. Virtumundo. leading the court to conclude that ASIS had no damages and hence no standing to file suit. ASIS uses the popular Postini filtering service to handle its inbound mail. The court seems to have concluded that since they were paying Postini anyway, any spam that Azoogle might have sent caused no incremental cost. ASIS also collected a lot of the spam by redirecting addresses of former customers into a spamtrap, an entirely normal technique that Azoogle and its expert Cohen persuaded the court was "soliciting" the spam.

Again, this idea that there is a miasma of spam from which recipients choose to pluck messages is absurd. The only reason ASIS, or anyone else, needs a service like Postini is that spammers specifically send their junk to addresses in ASIS' domain. If spammers weren't sending the spam to them in the first place, nobody would need Postini, and spam traps wouldn't collect any spam.

I commented on this suit two years ago when the decision was first made, hoping some of the obvious mistakes would be fixed on appeal, but none of them were.

It's hard to know what to make of this, other that it's too dangerous at this point to file a CAN SPAM suit in the Ninth Circuit unless you are a giant ISP who does its own spam filtering and can show detailed spreadsheets identifying the costs attributable to each spam. We've seen some motion in California courts to push back against Gordon; I hope this case, which was decided two years ago, is a throwback and not a trendsetter.

  posted at: 01:08 :: permanent link to this entry :: 0 comments
Stable link is


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

It turns out you don’t need a license to hunt for spam.
62 days ago

A keen grasp of the obvious
Italian Apple Cake
620 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed

© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.