Affiliates: what is a company's responsibility

Many of my clients come to me when they end up with delivery problems due to the actions of affiliates. These can either be listings in some of the URL blocklists (either public or private) or escalations of IP-based listings. In many of the cases I have dealt with, the affiliates have sloppy mailing practices or are out and out spammers.
Recently the FTC settled with Cyberheat over their liability for the behaviour of their affiliates. In this settlement Cyberheat is required to monitor their affiliates as follows:

  • Contractually requiring the affiliate to identify any subaffiliates it intends to use
  • Providing each affiliate a copy of the Order
  • Obtaining from each affiliate an express agreement to comply with the Order and the CAN SPAM Act
  • Contractually requiring each affiliate that intends to use email marketing to provide Cyberheat, at least 7 days before the campaign, the email address from which the email will be sent, the subject line, the proposed dates the email will be sent, the email addresses to which the email will be sent, and a certification regarding how the addresses were obtained
  • At least 3 days prior to an email campaign being conducted, Cyberheat must review the campaign for compliance with the CAN SPAM Act and provide written acknowledgement that it has reviewed the campaign and that it complies with the CAN SPAM Act, and
  • Requiring each consumer that signs up for Cyberheat service to identify the manner through which they heard of the service. If they heard of the service via email, Cyberheat must monitor the affiliate that sent the email for continued compliance with the CAN SPAM Act.

These conditions are very similar to the conditions I helped some clients establish when they ended up on the SBL due to the behaviour of their affiliates. We did set contractual limits on what the affiliates could do, and require they comply with an AUP. We also set out a vetting process to verify that the affiliate would not send spam. Questions all affiliates had to answer included:

  1. Company name, address, domain, opt-in policies
  2. Main website
  3. Outgoing mail IP(s)
  4. Domains used in email
  5. Where do they get their email addresses?

Each candidate must pass, at a minimum, these checks:

  • Check the opt-in policies as listed on the website.
  • Check mail IPs on Spamhaus and other blacklists
  • Check rDNS on IPs
    • Is their reverse DNS set up?
    • Is it reasonable?
    • What is the rDNS of nearby space?
  • Check whois record
    • How new is the record?
    • Is there valid contact information in the record?

Additionally, a unique address will be signed up at every affiliate.
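The blacklist and reverse DNS checks from the list above can be scripted per mail IP. The following is an added example, not code from the original post; it does not cover the whois checks. The `GENERIC` pattern is an assumed heuristic for "is it reasonable", and the resolvers are injectable so the logic can be exercised with constructed data.

```python
import ipaddress, re, socket

# Heuristic (assumed) for rDNS that looks like dynamic or unassigned space.
GENERIC = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|dsl|dhcp|dyn|pool|cable", re.I)

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_a(name):
    """A lookup through the system resolver; an empty list means no record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def live_ptr(ip):
    """PTR lookup through the system resolver; None means no reverse DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def vet_ip(ip, zones, resolve_a=live_a, resolve_ptr=live_ptr, span=1):
    """Return (problems, neighbours) for one outgoing mail IP."""
    problems = []
    for zone in zones:
        answers = resolve_a(dnsbl_name(ip, zone))
        if any(a.startswith("127.255.255.") for a in answers):
            # Spamhaus error range, e.g. the query went through a public resolver.
            problems.append(f"{zone}: query refused, listing status unknown")
        elif answers:
            problems.append(f"{zone}: listed ({', '.join(sorted(answers))})")
    ptr = resolve_ptr(ip)
    if ptr is None:
        problems.append("no reverse DNS")
    else:
        if ip not in resolve_a(ptr):
            problems.append(f"rDNS {ptr} does not resolve back to {ip}")
        if GENERIC.search(ptr):
            problems.append(f"rDNS {ptr} looks generic")
    # rDNS of adjacent addresses, for a human to judge the surrounding space.
    base = int(ipaddress.IPv4Address(ip))
    near = [str(ipaddress.IPv4Address(base + d)) for d in range(-span, span + 1) if d]
    return problems, {addr: resolve_ptr(addr) for addr in near}
```

Calling `vet_ip(ip, ["zen.spamhaus.org"])` with the default resolvers performs live lookups; the neighbour map is returned unjudged because whether nearby space is acceptable is a human call.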

One of the difficulties my client and I discovered while vetting affiliates is that many affiliate programs hide their mailing IPs and will refuse to reveal any information about where the mail comes from. This makes it difficult, if not impossible, to determine if they are associated with any reports of spam.
I have yet to find the silver bullet for determining the cleanliness of an affiliate program. I think it is clear, though, that the FTC expects companies to know who their affiliate mailers are and to not patronize affiliates who are sending spam.
Hat tip: Venkat

Related Posts

Do you know where your addresses go?

Being a deliverability consultant, I end up signing up for a lot of lists and providing email addresses to a lot of different websites I may not normally trust with my email address. The only way to manage the resulting volume of email is using a disposable address system. There are a number of commercial versions, but we built our own system.
Any time I need to sign up with a client, I create a new email address. Part of the address creation process involves making notes about where and when the address was used. When mail is received at any of the email addresses I have used, that email is appended with the data I provided at the time I signed up and forwarded to a mailbox on my main system. If an address ends up compromised or sold and getting too much mail, I can just turn it off. This system allows me to freely hand out addresses, without a large amount of mail ending up in my primary mail box.
Disposable addresses are a great way to monitor what my clients are doing with my email address. I have found, in at least 2 cases, that my clients are doing nothing wrong, but there are leaks in their process that let email addresses get out to spammers. My reports of data leaking were the first they knew about any problems with their vendors or customers.
I strongly recommend that any marketer who shares any data include test or seed accounts in that data. Sign up for your own lists, using unique addresses, so that you can see what kind of mail your subscribers are receiving once they sign up at your site. If you are providing data to customers or vendors, include unique test data in each list. If you start getting unexpected mail to those addresses, you can track back to the specific vendor with the data problem.
Your email address list is one of the biggest assets your company has. Protect that asset by monitoring what others are doing with it.
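One way to implement the per-affiliate unique address and the per-vendor seed data described above, as an added example that is not the author's own system. The key, the `seeds.example` domain and the partner names are constructed; deriving the address with an HMAC is an assumption chosen so that each seed is unguessable yet reproducible.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed; keep a real key private
DOMAIN = "seeds.example"           # hypothetical domain that receives seed mail

def seed_address(partner):
    """Derive one unguessable seed address per partner."""
    tag = hmac.new(SECRET, partner.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"s-{tag}@{DOMAIN}"

def build_registry(partners):
    """partners maps a partner name to the sender domains expected to mail its seed."""
    return {seed_address(name): (name, {d.lower() for d in domains})
            for name, domains in partners.items()}

def domain_allowed(from_domain, allowed):
    """Match the domain itself or a subdomain, on a dot boundary only."""
    d = from_domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowed)

def classify(registry, rcpt_to, from_domain):
    """Return (verdict, partner): 'expected', 'leak', or 'unknown' for non-seed mail."""
    entry = registry.get(rcpt_to.lower())
    if entry is None:
        return ("unknown", None)
    partner, allowed = entry
    if domain_allowed(from_domain, allowed):
        return ("expected", partner)
    # Mail to a seed from anyone else means the address left that partner's hands.
    return ("leak", partner)
```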


Blacklisted on FiveTen: no big deal

Al posted an analysis on DNSBL Resource about the effectiveness of the FiveTen blacklist.
He says:


Greylisting: that which Yahoo does not do

Over the last couple days multiple people have asserted to me that Yahoo is greylisting mail. The fact that Yahoo itself asserts it is not using greylisting as a technique to control mail seems to have no effect on the number of people who believe that Yahoo is greylisting.
Deeply held beliefs by many senders aside, Yahoo is not greylisting. Yahoo is using temporary failures (4xx) as a way to defer and control mail coming into their servers and their users.
I think much of the problem is that the definition of greylisting is not well understood by the people using the term. Greylisting generally refers to a process of refusing email with a 4xx response the first time delivery is attempted and accepting the email at the second delivery attempt. There are a number of ways to greylist: per message, per IP or per from address. The defining feature of greylisting is that the receiving MTA keeps track of the messages (IP or address) that it has rejected and allows the mail through the second time the mail is sent.
This technique for handling email is a direct response to some spamming software, particularly software that uses infected Windows machines to send email. The spam software will drop any email in response to a 4xx or 5xx response. Well designed software will retry any email receiving a 4xx response. By rejecting anything on the first attempt with a 4xx, the receiving ISPs can trivially block mail from spambots.
Where does this fit in with what Yahoo is doing? Yahoo is not keeping track of the mail it rejects and is not reliably allowing email through on the second attempt. There are a couple reasons why Yahoo is deferring mail.
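The difference between greylisting and plain 4xx deferral, as an added example that is not from the original post. `StatelessDeferral` is a hypothetical receiver driven by a constructed schedule of "busy" flags and does not model Yahoo's actual logic; the reply codes are reduced to 250 and 451.

```python
class Greylister:
    """Remembers what it deferred and accepts the same key on the next attempt."""

    def __init__(self, mode="ip"):
        if mode not in ("ip", "from", "message"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.seen = set()

    def reply(self, ip, mail_from, message_id):
        key = {"ip": ip, "from": mail_from.lower(), "message": message_id}[self.mode]
        if key in self.seen:
            return 250          # second attempt for this key: accept
        self.seen.add(key)      # first attempt: record it and defer
        return 451

class StatelessDeferral:
    """Keeps no record of senders; the reply depends only on current conditions."""

    def __init__(self, busy):
        self.busy = iter(busy)  # constructed schedule: True means defer right now

    def reply(self, ip, mail_from, message_id):
        return 451 if next(self.busy, False) else 250

def send(receiver, ip, mail_from, message_id, max_tries):
    """Return the attempt number on which the mail was accepted, or None."""
    for attempt in range(1, max_tries + 1):
        if receiver.reply(ip, mail_from, message_id) == 250:
            return attempt
    return None
```

A sender that gives up after one try (`max_tries=1`) never gets through the greylister, while a retrying MTA is accepted on attempt 2; against the stateless receiver a retry carries no such guarantee.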
