Click the comments link on any story to see comments or add your own.
Subscribe to this blog
09 May 2008
ASIS is a small ISP in northern California. Azoogle is an online lead broker with a history of extremely poor e-mail practices, although they have cleaned up their act enough in recent years to get off the Spamhaus blacklists. ASIS sued Azoogle under CAN SPAM, Azoogle moved for summary judgement, which was granted. Although I can't tell whether Azoogle was responsible for the specific spam in the suit, the reasoning the judge used to throw out the suit is just plain wrong, and the suit should have been allowed to continue.
The first issue is standing. Under CAN SPAM, only providers of "Internet Access Service" can sue if they are "adversely affected" by the spam. ASIS is a real ISP, albeit a small one, with real users with real e-mail accounts who need real spam filtering. Nonetheless, the court found that they didn't have standing. Azoogle argued that ASIS uses Postini to filter its spam, so they weren't adversely affected because the spam never arrived at their system, or wouldn't if ASIS hadn't turned some abandoned accounts into spam traps. Relying on the dreadful Gordon vs. Virtumundo decision, the court reasoned that unless ASIS can show that it had specific damages attributable to the exact messages at issue, they have no standing. In the Gordon case, Gordon had no users other than himself, and it was pretty clear that he was running his mail server primarily as a spam trap to gather material for lawsuits, leading the judge to conclude that he had no real adverse affects.
None of that applies here; ASIS pays Postini to keep the mailboxes of their real users usable, and ASIS testified that they spend considerable time dealing with user spam complaints and helping users configure their spam filters. To follow the court's reasoning, if a thousand people are spamming you, the first 999 get out of jail free since you'd have to use a spam filter anyway for the 1000th one. That's just nuts, and I certainly expect that will be reversed on appeal, since if not, it makes CAN SPAM useless unless you happen to be hammered by a particular spammer so hard that you can identify specific efforts you had to make to deal just with that spammer's mail.
The other mistake was to grant judgement on whether Azoogle "procured" the messages. Since, as is often the case, it was very hard to tell who was sending the spam, ASIS responded to a few messages with a fake name and a real phone number and lo and behold, they got calls from mortgage brokers who had bought the lead from Azoogle. It turned out that there was a chain of at least two other businesses through whom they'd bought the lead. Azoogle basically asserted that those two businesses were fine upstanding organizations, and that bad guys had copied their web sites, so it couldn't be their fault, and the judge just bought it. Again, this is just nuts. Without knowing the details (which are hard to tell because most of the discussion of Azoogle's lead acquisition practices is redacted with black ink in the published decision), the undisputed fact that Azoogle bought leads originated by the spammer should be enough to continue the case and find out what their actual relationship with the twisty maze of buyers, sellers, and spammers actually was.
There's other problems, like the defendant's expert asserting, apparently with a straight face, that spam that was obviously sent by a botnet through hijacked user PCs might have been sent through an onion router or an anonymizer, although those weren't as key to the decision.
I gather this decision has been appealed, as it well should be, and I trust that a court which understands the issues better will reinstate it.
Update: Justin asks how you could tell an onion router or anonymizer from a botnet. The short answer is that the only popular onion package, Tor, doesn't pass port 25 connections unless the people operating each node specifically enable it which they don't, Anonymizer is a commercial service that sends its mail from its own servers, and all the other anonymous forwarders I can find are web only. More to the point, although you are right that it's plausible that someone could have forged one message, this case is about upwards of 10,000 of them, and there's no way to send messages in bulk through random IP addresses but a botnet.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.