Affiliates: what is a company's responsibility

Many of my clients come to me when they end up with delivery problems due to the actions of affiliates. These can either be listings in some of the URL blocklists (either public or private) or escalations of IP-based listings. In many of the cases I have dealt with, the affiliates have sloppy mailing practices or are out-and-out spammers.
Recently the FTC settled with Cyberheat over their liability for the behaviour of their affiliates. In this settlement Cyberheat is required to monitor their affiliates as follows:

  • Contractually requiring the affiliate to identify any subaffiliates it intends to use
  • Providing each affiliate a copy of the Order
  • Obtaining from each affiliate an express agreement to comply with the Order and the CAN SPAM Act
  • Contractually requiring each affiliate that intends to use email marketing to provide Cyberheat, at least 7 days before the campaign, the email address from which the email will be sent, the subject line, the proposed dates the email will be sent, the email addresses to which the email will be sent, and a certification regarding how the addresses were obtained
  • At least 3 days prior to an email campaign being conducted, Cyberheat must review the campaign for compliance with the CAN SPAM Act and provide written acknowledgment that it has reviewed the campaign and that it complies with the CAN SPAM Act, and
  • Requiring each consumer that signs up for Cyberheat service to identify the manner through which they heard of the service. If they heard of the service via email, Cyberheat must monitor the affiliate that sent the email for continued compliance with the CAN SPAM Act.

These conditions are very similar to the conditions I helped some clients establish when they ended up on the SBL due to the behaviour of their affiliates. We set contractual limits on what the affiliates could do, and required that they comply with an AUP. We also set out a vetting process to verify that the affiliate would not send spam. Questions all affiliates had to answer included:

  1. Company name, address, domain, opt-in policies
  2. Main website
  3. Outgoing mail IP(s)
  4. Domains used in email
  5. Where do they get their email addresses?

Each candidate must, at a minimum, pass these checks:

  • Check the opt-in policies as listed on the website.
  • Check mail IPs on Spamhaus and other blacklists
  • Check rDNS on IPs
    • Is their reverse DNS set up?
    • Is it reasonable?
    • What is the rDNS of nearby space?
  • Check whois record
    • How new is the record
    • Is there valid contact information in the record?

Additionally, a unique address will be signed up at every affiliate.
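The blacklist and rDNS checks from the list above can be scripted; this is an added sketch, not code from the original post, and it covers IPv4 only. The resolver callbacks, the "generic rDNS" pattern and the fixture hosts are assumptions made for illustration.

```python
import ipaddress
import re

DNSBL_ZONE = "zen.spamhaus.org"  # other lists can be substituted
GENERIC_RDNS = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|dynamic|dhcp|pool|dsl", re.I)

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def vet_ip(ip, lookup_a, lookup_ptr):
    """Run the checklist for one mail IP. lookup_a(name) -> list of IPv4
    strings and lookup_ptr(ip) -> hostname or None are caller-supplied
    (assumed interface), so the checks run against live DNS or fixtures."""
    findings = []
    answers = lookup_a(dnsbl_name(ip))
    # A listing is a 127.0.0.x answer; 127.255.255.x are Spamhaus error codes.
    listed = [a for a in answers
              if a.startswith("127.") and not a.startswith("127.255.255.")]
    if listed:
        findings.append("listed on " + DNSBL_ZONE)
    if len(listed) != len(answers):
        findings.append("DNSBL query error, result unreliable")
    ptr = lookup_ptr(ip)
    if ptr is None:
        findings.append("no rDNS")
    else:
        if ip not in lookup_a(ptr):  # PTR name must resolve back to the IP
            findings.append("rDNS not forward-confirmed")
        if GENERIC_RDNS.search(ptr):
            findings.append("generic-looking rDNS")
    return findings

def neighbour_rdns(ip, lookup_ptr, radius=2):
    """rDNS of adjacent addresses, to see who else lives in the range."""
    base = ipaddress.ip_address(ip)
    return {str(base + d): lookup_ptr(str(base + d))
            for d in range(-radius, radius + 1) if d}

# Constructed fixture data (documentation address range, not real hosts).
A = {"mail.affiliate.example": ["192.0.2.10"],
     "25.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}
PTR = {"192.0.2.10": "mail.affiliate.example",
       "192.0.2.25": "host-192-0-2-25.dynamic.isp.example",
       "192.0.2.9": "mail2.other.example"}
def fake_a(name): return A.get(name, [])
def fake_ptr(ip): return PTR.get(ip)
```

For live use, replace `fake_a` and `fake_ptr` with functions backed by your own recursive resolver; Spamhaus returns error codes rather than results to queries arriving through large public resolvers.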

One of the difficulties my client and I discovered while vetting affiliates is that many affiliate programs hide their mailing IPs and will refuse to reveal any information about where the mail comes from. This makes it difficult, if not impossible, to determine if they are associated with any reports of spam.
I have yet to find the silver bullet for determining the cleanliness of an affiliate program. I think it is clear, though, that the FTC expects companies to know who their affiliate mailers are and to not patronize affiliates who are sending spam.
Hat tip: Venkat
