3 new CAN SPAM cases

Xmission, a Utah ISP, has filed suit against 3 companies alleging violations of CAN SPAM. The cases were filed in the Utah District Court in April and June. I’ve downloaded some of the documents and complaints and they are now in RECAP. I’ve also included the complaints here (and the links from here on out are almost all .pdfs of the court documents).
Xmission v. Adknowledge (Case 2:15-cv-00277).
Xmission v. Clickbooth (Case 2:15-cv-00420).
Xmission v. Thompson and Company (Case 2:15-cv-00385).
In all the cases Xmission is alleging similar violations of CAN SPAM.
Falsified header information: part 1
Xmission asserts that the domains in the headers were spoofed, unregistered or belonged to an unrelated 3rd party. One of the complaints listed subject lines of the emails sent, so I dug through my spam folder for similar emails. I found a few examples of what I suspect are the spams mentioned in the suit.

Received: from lijiboyulecheng7.com (unknown [114.98.67.145])
    by mx.wordtothewise.com (Postfix) with ESMTP id C5BAB17EC50
    for <lxxxxx@xxxxxx.xxx>; Mon, 22 Sep 2014 16:46:00 -0700 (PDT)

lijiboyulecheng7.com doesn’t exist in DNS and is an unregistered domain. That same spam had a from address of: Awards <RewardsDepartment@lijiboyulecheng7.com>.
While I don’t know for sure that these are the specific emails in question, there is a lot of spam being sent from unregistered or invalid domains. It’s not hard to argue this is a CAN SPAM violation.
Falsified header information: part 2
Xmission asserts that the domains were acquired under false pretenses. They go so far as to say that the domains that were registered were done so for the sole purpose of sending spam and in violation of the registrar agreements.
Registering lots of domains, only to use them for a short period of time, is a common tactic among spammers. I don’t know if I’d go so far as to say it’s a CAN SPAM violation, but the Xmission reading of the law may persuade the judge.

“Header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” 15 U.S.C. § 7704(a)(1)(A).

Using automated means to create addresses
Xmission alleges that the defendants used scripts to create both the recipient and the sender addresses. CAN SPAM doesn’t mention anything about scripts to create sender addresses, or domains, so I think this is a bit of a stretch for Xmission. And I haven’t seen any evidence these spammers are creating addresses. Overall, I think the aggravated damages is going to be a very hard sell for Xmission. Did the authors of CAN SPAM intend for the automated address provision to be used against the sender address. I’m pretty sure they didn’t.
But it’s hard to argue that the domains that Xmission did mention were somehow not automatically created:

Defendants transmitted e-mails to XMission customers through the following domains: 00261.net; 00374.net; 00596.net; 00689.net; 001268.net; 048588.com; 0959.org; 17000666666.com; 1700099999.com; 323333.net; 366666666.com; 466666666.com; 888338.net.

The founder of XMission, Pete Ashdown, did submit a declaration in the Clickbooth case. This declaration provides some extra details about spam coming into Xmission. The data points I found most interesting were:

  • Xmission has 13 servers just to handle incoming spam.
  • Xmission has 2 full time staffers to manage incoming mail, deal with complaints and adjust filters.
  • Xmission spends between 100K and 200K dollars per year on anti-spam technology.
  • Xmission uses both URIBL and Spamhaus as part of their filtering.
  • Even with these two blocklists, between 40 and 85% of mail coming into Xmisison is spam.
  • Xmission clicked unsubscribe on links in emails and saw no effect.

Of all the cases, only Adknowlege has responded to the complaint, and they deny everything and ask for summary judgement as “they don’t own the sending domains in question.” The judges in the Adknowledge and Clickbooth cases have ordered that both companies are to accept a list of domains from Xmission and cease mailing to them.
Xmission has put a lot of energy into this case, and they have actually avoided a lot of the problems I’ve seen in other CAN SPAM cases brought by ISPs. It seems to me that this is a case on principle for them as much as it is about recovering damages. They’re also the first group I’ve seen go after the advertiser (URL owner) as well as the sender. This is a provision in CAN SPAM that I don’t think the FTC has even enforced. We’ll see what happens.

Whois privacy protection
When to include a physical address

Related Posts

Legal analysis of Hypertouch v. Valueclick

Venkat has an analysis of the Hypertouch v. Valueclick case and recent appeals court ruling.

Read More

Don't like opt-outs? Target your program better.

I get a LOT of spam here. Most of it is marked and trivial to get rid of. Some of it is what I would call semi-legitimate. It’s a real product, but I never asked to receive any information from this company and am not actually part of their demographic. For one time things I just hit delete and move on. Life is too short to complain or opt out of every spam I get. (Tried that, got more mail)
But sometimes if the same sender keeps bothering me, I will send back an email asking them to cease contact. I recently had an occasion where someone sent an initial email trying to sell me bulk SMS, online video and other services. I ignored it because we’re not in the market for any of these services. A week later I get a followup asking why I hadn’t provided feedback to them and if there was a better person to talk to at the company. I looked for a way to opt-out of this message stream, but there wasn’t one. I send a reply telling them we were not interested in speaking to them and to please cease all communication. (“You didn’t receive feedback because I have no interest in talking to you. Please cease all future contact.” Admittedly that was terse, but it was polite.)
My request to cease communication was not well received, nor was it honored. Mind you, they first contacted me trying to sell me services that are totally off what we offer. When I asked them not to contact me, they turned it around that we’d lost business.

Read More

Spam disclaimer of the day

Things are extremely busy here so blogging is not getting quite the attention it should. I hope to return to more extensive posts soon. Meanwhile, you’ll have to put up with short posts.
Today is a disclaimer I received in a spam. This is one of my addresses that has, somehow, ended up on UK-specific lists.

Read More