Legal
Profiting off spam
The FTC filed suit against Match.com for using fake accounts to entice people into signing up for accounts. (WA Post) The FTC also alleges that Match flagged those accounts and prevented them from contacting paying Match users while simultaneously allowing them to contact free Match users.
April 2017: The Month in Email
April was a big travel month for us. I went to Las Vegas for meetings around the Email Innovations Summit and to New Orleans, where Steve spoke on the closing keynote panel for the EEC conference.
I wrote several posts this month about privacy and tracking, both in email and in other online contexts. It’s increasingly a fact of life that our behaviors are tracked, and I wrote about the need for transparency between companies and those they are tracking. More specifically, I talked about the tradeoffs between convenience and security, and how people may not be aware that they are making these tradeoffs when they use popular mailbox tools like unroll.me. The folks over at ReturnPath added a comment on that post about how they handle privacy issues with their mailbox tools.
Steve contributed several posts this month. First up, a due diligence story about how service providers might look more closely at potential customers for their messaging platforms to help curtail spam and other fraudulent activity. He also looked at the history of “/8” IP blocks, and what is happening to them as the internet moves to IPv6. Steve also added a note about his new DMARC Validation tool, which rounds out a suite of free tools we’ve made available on our site. And finally, he showcased a particularly great email subscription experience from Tor.com — have a look!
I highlighted another post about companies doing things right, this one by Len Shneyder over at Marketingland. In other best practices news, I talked about bounce handling again (I mentioned it last month too), and how complicated it can be. Other things that are complicated: responding to abuse complaints. Do you respond? Why or why not?
Our friends at Sendgrid wrote a great post on defining what spammers and other malicious actors do via email, which I think is a must-read for email marketers looking to steer clear of such activity. Speaking of malicious actors, I wrote two posts on the arrest of one of the world’s top email criminals, Peter Levashov, and speculation that he was involved in the Russian hacking activity around the US elections. We’re looking forward to learning more about that story as it unfolds.
August 2015: The month in review
It’s been a busy blogging month and we’ve all written about challenges and best practices. I found myself advocating that any company that does email marketing really must have a well-defined delivery strategy. Email is such a vital part of how most companies communicate with customers and potential customers, and the delivery landscape continues to increase in complexity (see my post on pattern matching for a more abstract look at how people tend to think about filters and getting to the inbox). Successful email marketers are proactive about delivery strategy and are able to respond quickly as issues arise. Stay tuned for more from us on this topic.
I also wrote up some deliverability advice for the DNC, which I think is valuable for anyone looking at how to maintain engagement with a list over time. It’s also worth thinking about in the context of how to re-engage a list that may have been stagnant for a while. A comment on that post inspired a followup discussion about how delivery decisions get made, and whether an individual person in the process could impact something like an election through these delivery decisions. What do you think?
As we frequently point out, “best practices” in delivery evolve over time, and all too often, companies set up mail programs and never go back to check that things continue to run properly. We talked about how to check your tech, as well as what to monitor during and after a send. Josh wrote about utilizing all of your data across multiple mail streams, which is critical for understanding how you’re engaging with your recipients, as well as the importance of continuous testing to see what content and presentation strategies work best for those recipients.
Speaking of recipients, we wrote a bit about online identity and the implications of unverified email addresses in regards to the Ashley Madison hack and cautioned about false data and what might result from the release of that data.
Steve’s in-depth technical series for August was a two-part look at TXT records — what they are and how to use them — and he explains that the ways people use these, properly and improperly, can have a real impact on your sends.
In spam news, the self-proclaimed Spam King Sanford Wallace is still spamming, despite numerous judgments against him and his most recent guilty plea this month. For anyone else still confused about spam, the FTC answered some questions on the topic. It’s a good intro or refresher to share with colleagues. We also wrote about the impact of botnets on the inbox (TL;DR version: not much. The bulk of the problem for end users continues to be people making poor marketing decisions.) In other fraud news, we wrote about a significant spearphishing case and how DMARC may or may not help companies protect themselves.
Still Spamming…
This morning I woke up to news that Sanford Wallace pled guilty to spamming. Again.
Sanford was one of the very early spammers (savetrees.com). He moved to email from junk faxing after Congress banned junk faxing in 1991 with the Telephone Consumer Protection Act. He sued AOL when AOL blocked his mail; he lost, and the courts held that blocking spam was not a violation of the sender’s rights. Sanford then moved on to using open relays to avoid blocks. He was eventually disconnected from his backbone provider (AGIS) for abuse. Sanford sued AGIS for breach of contract and was reconnected for a brief period of time.
After his disconnection from AGIS, Sanford and a few of the other folks proposed a backbone provider that allowed bulk email marketing. That never really went anywhere.
Reading these old articles is a major blast from the past. The legal case between AGIS and Cyberpromotions was the event that led to my involvement in email marketing and spam. I even spent a Saturday afternoon in the late 90s with about a dozen people on a con call with Sanford and Walt talking about his backbone idea. My position was pretty simple: it wasn’t going to work, but as long as there was consent it was his network and he could do what he wanted.
I kinda lost track, just because he moved on to other ways of advertising and I got deeper and deeper into deliverability consulting. He did show up on my radar a few years ago when Facebook sued him for breaking into user accounts and using those accounts to spam. Facebook won a $711 million judgment against him, but since he didn’t have the resources to pay it, the judge in that case recommended criminal charges.
Criminal charges were filed a few years later. Yesterday, Sanford pled guilty to fraud and criminal contempt as well as violating a court order to stay off Facebook’s network.
He now faces $250,000 in fines and up to 16 years in jail. Given his history, I expect he’ll figure out some way to still send spam even if he’s locked up.
Sanford is one of the reasons so many folks have such a low opinion of anyone who describes their business as “legitimate email marketing.” Sanford was using that exact phrase back in the late 90s, and no one, with the possible exception of him, actually believed it. When someone adopts the moniker “legitimate email marketer” today, it’s hard to take them seriously knowing who has been hiding behind it for that long.
This month in email: October 2013
What did we talk about in October? Let’s take a look back over this month.
On Discovery and Email
If you’re involved in any sort of civil legal action in the US Courts – whether that be claims of patent violation, defamation, sexual harassment or anything else – there’s a point in the pre-trial process where the opposing lawyers can request information from you, and also from any third-parties they believe may have useful information. This phase is called Discovery.
US civil discovery has very few limits: you can demand, backed by the power of the court, any material or information that might be reasonably believed to lead to admissible evidence in the case. That’s much, much broader than just relevance, and it allows fairly prolonged fishing expeditions not just for admissible evidence, but also for background information that will allow the opposing legal team to better understand both the case and the people and companies involved in it. Often the discovery phase leads to both sides agreeing on how strong a case it is, and deciding to settle or drop it rather than taking it to trial.
One aspect of discovery is interrogatories and depositions – asking someone a list of questions, and having them reply in writing or in person. While most people will be honest in their replies in that situation, they’re under no obligation to be helpful or cooperative beyond answering, minimally, the questions they are posed. (In a spam case I was involved in as an expert many years ago one of the lawyers was explaining what the opposition’s lawyers might ask and told me “If they ask ‘What do you recall was said about <X>?’ you can tell them that I said he was an asshole.”). The information from these can be vital, but it’s a lot of effort to acquire, and unless you already know enough to ask the right questions you might not discover anything useful.
Asking someone to provide documents is another aspect. That might be a literal paper document, or I’d guess more commonly nowadays, electronic data. “Provide copies of any email your employees sent or received that mentioned <plaintiff’s company>.”, “From what IP addresses at what times did this user log in to your system?” …
As someone who does data analysis I love electronic documents. It’s relatively easy to mechanically grovel through thousands of pages of data and crunch it into summaries that you can use to make decisions, or to focus on a useful subset. Give me someone’s mailbox and I can do the easy stuff, like find any mention of a company, or any link to a company’s website. But I can also find the messages they sent while they weren’t in the office. I can do semantic analysis and find the emails that use angry language. I can find all the attachments that were used, open them up and analyze the contents. I can sometimes find where in the world they were when the email was sent – down to which hotel bar, or which office in a building. I can crunch the routing data of their mailbox (and other people’s) and see who they communicated with – and make recommendations as to whether it would be worthwhile to subpoena those people. I can build relationship graphs. And all this applies not just to their work mailbox, but also their private gmail addresses, if it’s a reasonable assumption that any communication there might lead to any relevant evidence – and, well, it’s always a reasonable assumption. (And that’s just email – I can often pull similarly useful data out of web logs and forum posts and so on too).
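As an added example of the kind of mechanical grovelling described above (illustrative code written for this page, not the author’s own tooling), the block below parses a small constructed mailbox, counts who wrote to whom to give the adjacency list of a relationship graph, flags messages sent outside office hours in the sender’s own timezone as carried by the Date header, and ranks external correspondents by volume as a first cut at who might be worth a subpoena. The messages, addresses, the `example.com` domain and the 09:00 to 18:00 office window are all assumptions.

```python
import email
from collections import Counter
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mailbox (three messages). Not real data.
MAILBOX = [
    """From: alice@example.com
To: bob@example.com, carol@partner.example
Cc: dave@example.com
Date: Tue, 03 Mar 2015 10:15:00 -0500
Message-ID: <m1@example.com>
Subject: Q1 numbers

Draft attached.
""",
    """From: alice@example.com
To: carol@partner.example
Date: Tue, 03 Mar 2015 23:40:00 -0500
Message-ID: <m2@example.com>
Subject: Re: Q1 numbers

Call me.
""",
    """From: bob@example.com
To: alice@example.com
Date: Wed, 04 Mar 2015 09:05:00 -0500
Message-ID: <m3@example.com>
Subject: Re: Q1 numbers

Looks fine.
""",
]

# Assumed office window: 09:00 to 17:59, judged in the sender's own timezone.
OFFICE_HOURS = range(9, 18)


def parse_mailbox(raw_messages):
    """Parse each raw RFC 5322 message into an email.message.Message."""
    return [email.message_from_string(m) for m in raw_messages]


def relationship_edges(msgs):
    """Count (sender, recipient) pairs over To and Cc.

    Addresses are lower-cased so Alice@ and alice@ collapse into one node.
    The resulting Counter is the weighted adjacency list of the relationship graph.
    """
    edges = Counter()
    for msg in msgs:
        _, sender = getaddresses([msg.get("From", "")])[0]
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, rcpt in recipients:
            if rcpt:
                edges[(sender.lower(), rcpt.lower())] += 1
    return edges


def out_of_hours(msgs):
    """Message-IDs of messages sent outside OFFICE_HOURS.

    The hour is taken from the Date header as written, i.e. in the offset the
    sender's client used, rather than normalised to UTC, so 23:40 -0500 is late
    evening for the sender even though it is 04:40 UTC.
    """
    flagged = []
    for msg in msgs:
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparseable Date: skip rather than guess
        if sent.hour not in OFFICE_HOURS:
            flagged.append(msg["Message-ID"])
    return flagged


def subpoena_candidates(edges, internal_domain):
    """External addresses ranked by how many messages they exchanged with the
    internal domain: the people it may be worthwhile to subpoena."""
    external = Counter()
    for (src, dst), n in edges.items():
        for addr in (src, dst):
            if not addr.endswith("@" + internal_domain):
                external[addr] += n
    return external.most_common()


if __name__ == "__main__":
    msgs = parse_mailbox(MAILBOX)
    edges = relationship_edges(msgs)
    for (src, dst), n in sorted(edges.items()):
        print(f"{src} -> {dst}: {n}")
    print("out of hours:", out_of_hours(msgs))
    print("external correspondents:", subpoena_candidates(edges, "example.com"))
```

Real mailboxes add the wrinkles the toy data omits: Received headers carry the path and originating IP (the geolocation hint mentioned above), Date headers are client-supplied and can be wrong or forged, and display names and aliases need canonicalising before the graph means anything.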
The discovery process can be long, and can consume a lot of resources (time, legal fees) and work focus from the people targeted by it. Making analysis easier (and hence cheaper) makes it reasonably possible to expand and extend the discovery process to find additional data. Whether that’s good for you or not depends on the details of the case and whether you are the one doing the discovery.
None of this is intended to be legal advice, nor even a description of the process by someone with any legal training – it’s just some aspects I’ve noticed from my limited experience of the process as an expert working with some very good lawyers.
Finally, another piece of advice a lawyer I was working with gave me some years ago was “Always assume that anything you write anywhere may be made available to opposing counsel. And when it comes to legally sensitive matters, use email just for sending copies of documents that will be provided to opposing counsel and for scheduling phone calls where you’ll discuss other details. Nothing else.”.
RPost – email and patents
Who are Rpost?
Rpost are an email service provider of sorts. You may not have heard of them, as they focus on a fairly niche market – electronic contract and document delivery. Their main services are “Registered Email” – which provides the sender of the message with proof that the recipient has read the message, and proof of the content of the message, and “Electronic Signatures” – which allows users to send documents signed cryptographically, or with a real signature scrawled with a mouse. This is all the sort of thing that would be mildly useful for exchanging contracts via email rather than by fax. Laura and I talked with them some years ago, and decided it was a reasonably useful service, but one that would be difficult to monetize.
They’ve recently started claiming infringement on their patents, so I thought I’d take a look at their actual product to see what it had evolved into.
Their current website has some very visible bugs in its HTML, and while it mostly looks pretty, the workflow isn’t terribly compelling. I signed up for a free account and sent myself an email. I saw the word “patented” and lists of trademarks prominently on many of the pages.
There’s no obvious way to see messages I’ve sent through their web interface, nor is there any inbox or way to see delivery status from the web interface. Rather you’re sent email to your real email account about each message. Rpost were originally focusing on MUA plugins, and that seems to still be their main approach, with the web interface more of an afterthought. They list 22 MUA plugins, in their Apps marketplace. They don’t have one for Mail.app (the MUA shipped with OS X) nor for any other Mac mail client. They do list a client for iPhone, but clicking on it shows that it’s not been released yet. Web interface it is, then.
I’d assumed that the proof of reading would be handled in the same way other “secure” messaging services tend to work – the email sent contains a link to a web page, and opening that link (optionally after entering a password) to see the real message is the “proof” that the mail was read. It turns out that’s not the case. The full message is in the email that’s sent. The “proof” that it was read is our old friend the single pixel tracking gif. It’s standard open-tracking, nothing more, with all the accuracy and reliability issues that implies. I also get mail telling me about the delivery (subject, recipient, timestamp, message-id) and a promise that I’ll get a “RegisteredReceipt™” in two hours.
On the technical side of things, RPost are using SPF correctly. They are not using DKIM to authenticate the message, nor any sort of in-band cryptography such as S/MIME or PGP. They’re including Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To headers, in the hope that the recipient’s MUA will send a notification to one of them. Most MUAs don’t – it’s generally considered a privacy / security violation to do so without asking the user. I wonder if the RPost MUA plugins make your MUA respond to one of those?
Using opaque cookies in the Return-Receipt-To: etc. email addresses makes sense, as you can then use receipt of mail to one of those addresses as “proof” that the recipient opened the email. Unfortunately, the email addresses RPost use in those fields are trivially derived from the Message-ID – you take the local part of the Message-ID and add “read@rpost.net” on the end. And RPost include the Message-ID of the message in the notification they send to the sender. So it would be very easy for an unscrupulous sender to send a fake notification that would make it appear the recipient had opened an email when they hadn’t.
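As an added illustration (example code written for this page, not RPost’s code or data), the block below constructs a message in the shape just described, shows that every receipt address can be reconstructed from nothing more than the Message-ID, and contrasts that with a receipt token derived from the Message-ID under a server-side HMAC key, which a sender holding only the Message-ID cannot forge. The sample message, the `receipts.example.com` domain and the key are assumptions.

```python
import email
import hashlib
import hmac
from email.utils import parseaddr

# Constructed sample, modelled on the page's description: the receipt address
# is the Message-ID local part with "read@rpost.net" appended. Not a real message.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.net
Subject: Registered message
Message-ID: <1a2b3c4d5e@rpost.net>
Return-Receipt-To: 1a2b3c4d5eread@rpost.net
Disposition-Notification-To: 1a2b3c4d5eread@rpost.net
X-Confirm-Reading-To: 1a2b3c4d5eread@rpost.net
Content-Type: text/plain

Please find the contract attached.
"""

RECEIPT_HEADERS = (
    "Return-Receipt-To",
    "Disposition-Notification-To",
    "X-Confirm-Reading-To",
)


def message_id_local_part(msg):
    """'<1a2b3c4d5e@rpost.net>' -> '1a2b3c4d5e'."""
    mid = msg["Message-ID"].strip().strip("<>")
    return mid.split("@", 1)[0]


def derivable_receipt_addresses(raw):
    """Names of the receipt headers whose address anyone could reconstruct from
    the Message-ID alone (local part + 'read@rpost.net').

    The Message-ID is not a secret: it is echoed back to the sender in the
    delivery notification, so whoever holds it can mail the receipt address
    and manufacture a 'read' event.
    """
    msg = email.message_from_string(raw)
    guess = message_id_local_part(msg) + "read@rpost.net"
    hits = []
    for hdr in RECEIPT_HEADERS:
        _, addr = parseaddr(msg.get(hdr, ""))
        if addr == guess:
            hits.append(hdr)
    return hits


def hardened_receipt_address(message_id, secret, domain="receipts.example.com"):
    """Opaque receipt address: HMAC-SHA256 over the Message-ID under a key that
    never leaves the receipt server. Knowing the Message-ID is not enough to
    produce it. Truncated to 128 bits to keep the local part short."""
    tag = hmac.new(secret, message_id.encode(), hashlib.sha256).hexdigest()[:32]
    return "rcpt-" + tag + "@" + domain


def receipt_is_genuine(received_to, message_id, secret, domain="receipts.example.com"):
    """Server-side check on an incoming receipt: recompute the expected address
    for this Message-ID and compare in constant time."""
    expected = hardened_receipt_address(message_id, secret, domain)
    return hmac.compare_digest(received_to.lower(), expected.lower())


if __name__ == "__main__":
    print("forgeable headers:", derivable_receipt_addresses(SAMPLE_MESSAGE))
    key = b"server-side-secret"  # assumed; in practice from a secrets store
    mid = "<1a2b3c4d5e@rpost.net>"
    print("hardened address:", hardened_receipt_address(mid, key))
    print("forged attempt accepted:",
          receipt_is_genuine("1a2b3c4d5eread@rpost.net", mid, key))
```

The keyed token only closes the derivation hole; a receipt to that address still proves no more than that something sent mail to it, so it belongs alongside, not instead of, a genuine signed acknowledgement from the recipient.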
There are several email specification violations in the mail sent – the Resent-Message-ID is truncated, and syntactically invalid, the Resent-Date field is syntactically invalid, the email addresses used in the Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To fields are a little broken – in a way that I’m pretty sure leaves them syntactically invalid. The body of the message is HTML, and it violates basic HTML specifications – it has invalid comments, and it nests entire HTML documents inside paragraphs – “… <p><html><head><meta content type></head><body> … stuff …</body></html></p> …”.
One of the important things to do when sending email that you want to be delivered is to try and look like legitimate email, and not like spam. As well as the syntax issues, the mail uses unusual capitalization of several headers (“to:” is valid, but you’ll always see “To:” in legitimate email) and it sends the message as HTML only, not as multipart mime with a plain text alternative. All those things give the mail sent via RPost a spamassassin score of 4.4, with a squeaky clean subject and body. It wouldn’t take much in the message provided by the user to push that the extra 0.6 to reach a SpamAssassin score of 5.0 and end up in the junk folder.
Fines for not honoring unsubscribes
Virgin Blue has been fined $110,000 by the Australian government for not honoring unsubscribes.
About that spam suit
John Levine has a longer blog post about the Smith vs. Comcast suit. Be sure to read the comment from Terry Zink about the MS related claims.
First amendment and spam
One common argument that spammers use to support their “right” to spam is that they have a first amendment right to free speech. My counter to this argument has always been that most networks are private and not government run and therefore there is no first amendment right involved. I have always hedged my bets with government offices, as these are technically government run and there may be first amendment issues involved if the government office blocks email.
Recently the Third Circuit Court of Appeals ruled on Ferrone v. Onorato, No. 07-4299, 2008 WL 4763257 (3rd Cir. October 31, 2008) addressing this issue specifically. Evan Brown at InternetCases has a post up about the court’s finding. He says:
Yahoo suing lottery spammers
Yahoo filed suit against spammers using the Yahoo trademarks in lottery spam on May 19th.
$234M default judgment against spammers
MySpace has won a $234 million judgment against Walt Rines and Sanford Wallace.
“MySpace has zero tolerance for those who attempt to act illegally on our site,” [MySpace Chief Privacy officer] Nigam said in a statement. “We remain committed to punishing those who violate the law and try to harm our members.”
These are two of the spammers responsible for me learning to read headers and report spam. Both of them have previous judgments against them. Wallace sued AOL to force AOL to accept his mail. Eventually the judge ruled against Cyber Promotions and Wallace.
FTC Rulemaking on CAN SPAM
The FTC announced today they will be publishing clarifications to CAN SPAM in the near future. According to the FTC
Spammers in the news
Eddie Davidson was sentenced yesterday to 21 months in jail for falsifying headers and tax evasion.
Sanford Wallace (the spammer that prompted me to start figuring out how to read headers) lost his suit with MySpace for failure to comply with court orders and failing to turn over documents.
Scott and Steve Richter are in the Washington Post today in an article discussing hijacked IP space. Reading the Post article, though, it appears that Scott legitimately bought a business with a /16 and there is no hijacking going on. Spammers have hijacked IP space illegitimately in the past, but this does not seem to be the case.
Legal filings this week
It has been one of those weeks here and there have been a couple legal things that have come up that I have not had the time to blog about.
One is a post over on Eric Goldman’s blog by Ethan Ackerman discussing the Jeremy Jaynes case. It is quite an info heavy post, but well worth a read.
In addition to not having the time to fully read Ethan’s post and understand the legal subtleties he is discussing, I have not quite had the time to blog about two e360 filings that showed up this week.
The first is a filing by Spamhaus’ lawyers asking for the judge to compel e360 to participate in the discovery process. If you remember e360 won a default judgment against Spamhaus for over $11M. Spamhaus filed an appeal and the Seventh Circuit Court upheld the judgment but vacated damages. Spamhaus and e360 were ordered to conduct discovery on the damages.
I would assume that e360 would be eager to demonstrate the amount of damages Spamhaus caused them, but it appears this is not the case. According to the filing e360 has been missing deadlines and even skipped a planned deposition. The exhibits show numerous email conversations between the lawyers, with e360’s lawyers making repeated promises to deliver, and then failing to follow through.
There are a couple statements in the filing that stood out. First, this paragraph which contains a statement that should have e360’s lawyers shaking in their shoes.
Judge rules in e360 v. Comcast
Yesterday Judge Zagel ruled on Comcast’s motion for judgment on the pleadings. I think the tone of the ruling was clear in the first 3 sentences.
Email related laws
I’ve been working on a document discussing laws relevant to email delivery and have found some useful websites about laws in different countries.
US Laws from the FTC website.
European Union Laws from the European Law site.
Two documents on United Kingdom Law from the Information Commissioner’s Office and the Data Protection Laws.
Canadian Laws from the Industry Canada website.
Australian Laws from the Australian Law website.
e360 v. Comcast: part 4
Today I have a copy of the e360 briefing on Comcast’s motion for judgment on the pleadings.
On a superficial level, the writing of e360’s lawyers is not as clear or concise as that of the Comcast lawyers. When reading Comcast’s writings it is clear to me that the lawyers have a story to tell and it has a beginning, a middle and an end. They take the reader through the setup, then through the evidence and case law, then proceed to the remedies requested. There is a clear narrative and progression and it all makes sense and the reader is never left standing. This briefing meanders hither and yon, prompting one person to ask whether it was written on the back of a placemat in crayon.
I still think e360 is misunderstanding or misstating some crucial facts in this case.
e360 argues that because they comply with CAN SPAM, their mail is therefore not spam. This is not true (see Al’s post, and my post and John’s post). Complying with CAN SPAM does not mean you are not sending spam. I will go even farther and say that sending super-duper-double-confirmed-with-a-cherry-on-top-opt-in email does not mean you will always get through an ISP’s filters. The ISPs have moved away from being in the position of having to decide between a mailer who insists a recipient opted in and a recipient who marks mail as spam. Now, the ISPs look at complaints, and if you annoy your recipients, the ISP is going to filter that mail. It is all about relevancy. It is all about not sending mail that is going to make those users hit the “this is spam” button. And end users have never cared about permission: spam is email they do not want, and if you send it, they will complain about it.
They also seem to have the impression that Comcast is letting all of e360’s competitors send email to Comcast. Again, it is all about relevancy. If e360’s competitors are sending mail that users do not complain about then yes, that mail is going to get through. The problem here is not that Comcast is picking and choosing which ESP gets to mail the users, it is that the recipients are choosing which emails they do not object to. Send emails recipients find useful and relevant, and it does not matter that you scraped their address off a website, they will not report it as spam.
Comcast points out that under the Communications Decency Act (CDA) they are not liable for blocking content. The CDA provides for “Good Samaritan” blocking and screening of content under 2 separate circumstances: 230(c)(1) and 230(c)(2). 230(c)(1) says
e360 v. Comcast: part 3
A couple of weeks ago I posted about e360 suing Comcast. The short version is that e360 filed suit against Comcast to force Comcast to accept e360’s email. Comcast responded with a motion for judgment on the pleadings. This motion asks the judge to rule on e360’s case without going through discovery or depositions or all the normal wrangling associated with a legal case. Comcast appears to be saying to the judge: even if everything e360 alleges is true, we have done nothing wrong.
The judge asked for each party to prepare full briefs on the motion. e360’s response is due tomorrow and the Comcast reply to that is due on March 27.
Comcast does not appear to be content with just having the case dismissed. Today they filed a counterclaim and third-party complaint. The counterclaim is against e360, the third-party complaint incorporates David Linhardt, Maverick Direct Marketing, Bargain Depot Enterprises, Northshore Hosting, Ravina Hosting, Northgate Internet Services and John Does 1-50. Docs are up over on SpamSuite.
Comcast states the nature of the action in 4 short paragraphs.
e360 v. Comcast: part 2
Yesterday, I talked about e360 filing suit against Comcast. Earlier this week, Comcast responded to the original filing with some filings of their own.
e360 v. Comcast: part 1
A few weeks ago I very briefly touched on the recent lawsuits filed by e360 against Comcast and a group of anti-spammers. In the Comcast suit (complaint here) e360 argues that Comcast is unfairly and incorrectly blocking e360’s email and are liable for damages to e360’s business.
They have a number of claims, including
e360… AGAIN
This time e360 is in court suing a number of individuals for calling him a spammer.
Mickey has docs up on SpamSuite.com and Ken Magill has written about it as well.
Dave has also responded to ReturnPath, through Ken, with a public letter explaining why his statement disagrees with ReturnPath’s statement about his acceptance into the SenderScore Certified program.
Rumor has it that Dave is claiming he is out of money. If that’s true, who is funding these cases?
e360 in court again
Today’s edition of Magilla Marketing announced that Dave Linhardt and e360 have sued Comcast. Spamsuite.com has the text of the complaint up.
On the surface this seems quite silly. e360 is alleging a number of things, including that Comcast is committing a denial of service attack against e360 and locking up e360’s servers for more than 5 hours. Additionally, e360 is laying blame at the feet of multiple spam filtering companies, including Spamhaus, Trend Micro and Brightmail.
One of the more absurd claims is that Comcast is fraudulently transmitting ‘user unknown’ messages. At no point do they explain how or why they think this is the case, but simply assert:
Al Ralsky Indicted
Al Ralsky is a very prolific spammer and his name is well known among ISP abuse desks. Along with 10 other people he was indicted today after a 2 year investigation by the Justice Department, according to an article published today by the Detroit Free Press.
7th circuit court ruling in e360 v. Spamhaus
Mickey has some commentary and the full ruling up on Spamsuite. In short the appeals court affirmed the default judgment, vacated the judgment on damages and remanded the case back to the lower court to determine appropriate damages.
There are a couple bits of the ruling that stand out to me and that I think are worthy of comment.
Spamhaus made a very bad tactical decision by initially answering and then withdrawing that answer. The appeals court ruled that action signaled that Spamhaus waived their right to argue jurisdiction and that they submitted to the jurisdiction of the court. Based on this, the appeals court upheld the default judgment against Spamhaus. Not necessarily the outcome any of us wanted, but that doesn’t set any precedent for future cases unless defendants answer and then withdraw the answer. Specifically on page 12 of the ruling the court says: