CRTC Fines Canadian Business CDN $1.1-Million for CASL Violations

And the other shoe has dropped.

In the first publicized application of penalties under Canada’s new anti-spam law, the CRTC announced earlier today that it has imposed penalties of $1.1-million Canadian (about $880K USD) against a firm for four separate violations. The violations include sending email without the consent of its recipients, and sending mail without a functioning unsubscribe mechanism.

In the announcement, the CRTC identifies the target of the enforcement action as a Canadian company named Compu-Finder, whose mail promotes training courses to other businesses.

There are a couple of other interesting aspects to the action, aside from its novelty, and I wonder whether the CRTC will be able or willing to share additional details later on:

Avoiding Spamtrap Disasters

Nothing can derail an e-mail marketing program so quickly and completely as sending mail to spamtraps. Businesses that are new to e-mail marketing are often unschooled in the hazards of spamtraps, so today we’ll take a crack at explaining what they are and how they work, and what senders can do to avoid spamtrap disasters.

Spamtraps are e-mail addresses that, by design, look and behave in most ways like ordinary, deliverable addresses. Once they’ve been added to a list of recipients, there’s really no way for senders to tell them apart.

The difference between spamtrap addresses and ordinary recipient addresses is that spamtrap addresses are never used to opt in to mail, or to send any mail at all. Owners of spamtraps use them to collect mail from, and generate data on, senders who are harvesting, e-pending, or guessing addresses (or who are purchasing lists comprised of same) and who are sending to them without any kind of permission.


The Long and Short of URL Shorteners in E-mail

If you’ve spent any time at all with Twitter, you can’t have failed to notice the popularity of URL shortening services. Shorteners take long URLs and shorten them to just a few characters to help users keep URL length under the 30-character limit imposed on them by the microblogging service (not to mention the overall 140-character limit on tweets).

Senders who use social marketing alongside their e-mail campaigns are often tempted to use URL shorteners in their e-mail creative, for a variety of reasons. Many of the most popular free services (bit.ly, owl.ly, and others) offer very slick-looking link tracking metrics dashboards. Senders like the idea (with good reason) of using a single interface to track link activity across all of their electronic marketing channels.

In addition, long URLs look ugly in the text version of their creative, which is displayed on old-school feature phones and some of the older (but still widely-deployed) versions of Blackberry smart phones. Links in the creative can wrap three or four times on a small phone screen, but a five-character link means that much more of the actual marketing message can be displayed without scrolling.

But there are a couple of compelling reasons why senders should think twice about using free link shortening services in their marketing e-mail.


Assessing ESP Liability Under The Canadian Spam Law

Much analysis and guidance has been written about the new requirements (and significant penalties) imposed on senders of unsolicited e-mail by the Canadian Anti-Spam Law set to go into effect in the fall. What seems less thoroughly addressed, to my non-lawyerly eyes, is what specific liability a violation of CASL creates for the ESP that a client used to transmit the infringing commercial electronic message (CEM).

I put the question to Neil Schwartzman, a long-time colleague and Executive Director of CAUCE North America, one of the very earliest anti-spam advocacy groups and the primary driver of CASL through its storied journey across the Canadian legislative landscape. Neil recently left ReturnPath to start CASLconsulting.com, a firm offering expertise on CASL compliance. He and consulting legal counsel Shaun Brown of nNovation LLP respond:


More Spammer Performance Art

Freshly plucked from the +1 Bag O’ Fail comes another spammer web screed, whose author apparently hopes to become the locus of an organized movement to save Capitalism from the looming apocalypse that is Spamhaus, MAAWG, ReturnPath, and the ESPC.

When I first saw stopthehaus.org, I assumed it was another web site authored by longtime spammer Bill Waggoner. He created the ridiculous yourinternetbodyguard.com site, a rant about Spamhaus and SpamCop – but some cursory poking around in whois and ROKSO shows that it’s actually a different spammer.

Stop the Haus appears to be the brainchild of Andrew Stephens/bulkemaildirectory.com, who are listed on Spamhaus ROKSO for harvesting e-mail addresses and reselling them to bulk mailers (and possibly for sending to the harvested lists themselves).

It contains the same flavor of frothing, aluminum foil-capped lunacy on offer at Waggoner’s site, albeit with somewhat fewer migraine-inducing grammatical errors. The new twist here, though, is the development of a set of their own “blocklists” (his incorrect usage, not mine), including a list of “spam complainers who’s [sic] complaints are invalid due to can-spam compliance”.

Because, as we all know, if it complies with CAN SPAM, it can’t possibly be spam.

When Blacklists Die

Update: It appears that the Fiveten DNSBL was resurrected from the dead on or about November 22nd (thanks, Al Iverson).

Blacklists have been popular targets for complaints and criticism for years. Senders complain they are too stringent and lack transparency. The anti-spam community howls with outrage when they’re not as aggressive as they think they should be.

One blacklist in particular, called the five-ten-sg.com block list, has been a thorn in the side of ESPs since 2001 – but not because lots of ISPs use the list to block mail. In fact, they don’t; the list generates too many false positives, and as my colleague Al Iverson so memorably demonstrated a few years ago, you’d get significantly better results by randomly blocking any mail from an IP address in which the number 7 appears.

The list operator is a guy named Carl Byington, and I’ve been reading what he has to say about spam and e-mail for years. He’s a smart, reasonable guy who’s always been honest about the nature of his list. He lists sources of bulk e-mail for a broad range of reasons, and he’s quick to agree with anyone who points out that his listing criteria are not useful for filtering decisions in a high inbound e-mail volume production environment. But it’s his list, and he can do with it what he pleases – and ISPs and other network operators are similarly free to ignore it.

ESPs, on the other hand, have been getting an earful from their customers about Fiveten for a long time.

When a sender runs into deliverability problems, they’ll often turn to web sites that offer to look up an IP address on a bazillion block lists all at once. In altogether too many instances, they discover they’re listed by Carl. They’ll fire off a few angry e-mail messages or phone calls to their poor, harried deliverability guy. It always seems to take a few days to explain why the listing is almost certainly not the root cause of their deliverability issue, and to redirect time and energy back to the real issues.

This weekend, Fiveten went dark. On Friday, any lookup at the site yielded a response reading “blackholes.five-ten-sg.com has been retired.” As of this writing, the domain doesn’t answer at all. Carl hasn’t provided any public explanation for his decision to decommission his list, and he really doesn’t have to. No one has to pay money to use his list, and maintaining a list takes more time, energy and resources than most folks realize. I suspect Carl simply ran out of one or more.

Senders have a love-hate relationship with blacklists; they do a good job of keeping the deluge of pill spam, virus and malware messages at bay, and are an important reason why e-mail remains a viable channel for marketing and commerce. But when senders find themselves at the pointy end of a listing, it’s easy to understand why they may find themselves unable to muster much sympathy. They often feel as though the listing must be capricious, or even malicious.

The demise of Fiveten demonstrates that, contrary to all the complaints over the years, block lists as a category generally are not capricious. It turns out that market forces are as immutable for block lists as for any business, and block list operators are just as answerable. Over-aggressive listings are not useful to ISPs, because they tend to generate false positives by blocking wanted mail. When a list isn’t useful anymore, ISPs stop using it, and it goes away.

Blacklists will continue to exist and operate much as they always have, and I predict that both senders and anti-spammers will continue to complain about them just as loudly. If either side were to stop – well, that’s when I’d start to worry whether blacklists are still doing a good job.

Reply-All: Lumber Cartel (TINLC) Edition

Back in the day, a spammer who found himself on the wrong side of an e-mail block list publicly asserted in all seriousness that anti-spam activities are funded in secret by a shadowy cartel of lumber producers who were seeing their margins from paper production erode as marketers made the shift from postal junk mail to e-mail. It became a sort of running joke in the Usenet newsgroup news.admin.net-abuse.email. One of the straw arguments frequently mounted by spammers to justify their business model was the environmental friendliness of e-mail. We now have a credible estimate of the carbon footprint of e-mail: about 135kg per user, annually – or the equivalent of a 200-mile drive in a car. Turns out e-mail isn’t all that green.

Facebook this week announced three more spam-related lawsuits, and among the defendants they’ve named is a guy named Steven Richter. A bunch of blogs and media outlets assumed this is the same Steve Richter, who is the father of spammer Scott Richter and president of his son’s company Media Breakaway, LLC. The company was quick to respond with a press release, pointing out that the named defendant is actually a different Steve Richter.

ISPs who use SORBS blocklist data for e-mail filtering woke up one morning two weeks ago to discover that they were unintentionally blocking mail from great swathes of the Intarwebs, including Yahoo!, Apple, and Google Groups. SORBS operator Michelle Sullivan at first claimed they were the target of a massive DDOS attack, but later disclosed that they had inadvertently placed a bunch of historical block list entries in their current listings database during a server migration. Oy.

Just in time for Halloween, notorious spammer (and unintentional comedian) Bill Waggoner has risen from the grave with the launch of yourinternetbodyguard.com (you may want to mute audio before you click through). His new site solicits contributions to be used (somehow) against Steve Linford of Spamhaus and SpamCop founder Julian Haight (never mind that Haight hasn’t had a thing to do with SpamCop for years).

The Ten Million Dollar Spam Law

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.

Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short), imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission. FISA creates a two-year window from the date an address was collected with implicit permission to try and convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.

CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.

The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.

Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.

The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders. Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this month, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.

Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.

Reply-All: Minty Phoenix Edition

GoDaddy Seeks a Buyer

GoDaddy, the largest registrar of Internet domain names with over 43-million names under management, has hired a firm to shop the company to private equity groups, reported the Wall Street Journal over the weekend.

The news is of interest to deliverability and e-mail marketing professionals because of GoDaddy’s demonstrated willingness to enforce anti-spam rules in their standard terms of service. Those terms permit GoDaddy to suspend the domain names of its customers if it finds the domain is being used in unsolicited bulk e-mail.

Once the registrar decides to act, customers have the option to post a financial bond against future spam reports, or to move the domain to another registrar for a fee several times greater than the original cost of the registration.

It will be interesting to see whether the terms of service – or the willingness to enforce them – change in any way, if a deal is reached.