The Ten Million Dollar Spam Law

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will be), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses that send spam into or within Canada.

Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short), imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires either explicit permission, or implicit permission in the form of an existing business relationship or a conspicuous publication of the recipient e-mail address. If the publication of the address is accompanied by an instruction not to send unsolicited e-mail, it doesn’t count as implicit permission. FISA creates a two-year window from the date an address was collected with implicit permission to try to convert it to explicit permission. If after two years explicit permission is not obtained, the sender must suppress the address. Both CAN SPAM and FISA explicitly preclude sending to addresses that have been automatically “harvested” from web sites.

CAN SPAM grants enforcement powers to the FTC, and gives ISPs the right to bring action against infringing senders themselves. FISA, in contrast, provides no criminal penalties, but allows both ISPs and individual recipients of spam to pursue civil action against senders.

The requirements seem to create significant new hurdles for senders, but authors of the Canadian law insist that the legislation is aimed squarely at only the worst of the worst offenders. FISA includes a “due diligence defense”, in which senders should not be held liable for violations if they can show they were making reasonable efforts to abide by the law when the offense was committed. Honest mistakes won’t count against senders.

Should U.S. senders be worried about the new Canadian law? Obviously, the law doesn’t apply if you’re not sending to recipients in Canada, but senders may not always know where (geopolitically speaking) the owner of a particular address receives their mail. However, if you’re already abiding by CAN SPAM and best common practices, you’re likely already in compliance.

The short answer is that (in theory at least) FISA is enforceable in the US, though the process is neither simple nor cheap. It takes about as much time and money to obtain a judgement in Canada as it does in the U.S., so enforcement action is likely to be as rare, and therefore reserved only for the most egregious of offenders. Canadian plaintiffs would also have to find a U.S. court willing to enforce the judgement, which is by no means a given. However, there is an open pledge between the U.S. and Canadian governments to support law enforcement efforts across borders. Earlier this month, a Canadian court was willing to enforce a judgement obtained by Facebook in a California court against a Canadian spammer who racked up $873-million in fines for CAN SPAM violations. It will be instructive to see whether U.S. courts will be willing to reciprocate once FISA is enacted.

Within the e-mail community, the new law is regarded as further evidence of a trend in which legal requirements and best practices appear to be converging, albeit at a glacial pace. The take-away for senders, then, should sound familiar: adhere to CAN SPAM and best sender practices. Send to those who have granted permission, and try to engage with and obtain permission from any segments for whom you do not have it.

Reply-All: Minty Pheonix Edition

GoDaddy Seeks a Buyer

GoDaddy, the largest registrar of Internet domain names with over 43-million names under management, has hired a firm to shop the company to private equity groups, reported the Wall Street Journal over the weekend.

The news is of interest to deliverability and e-mail marketing professionals because of GoDaddy’s demonstrated willingness to enforce anti-spam rules in their standard terms of service. Those terms permit GoDaddy to suspend the domain names of its customers if it finds the domain is being used in unsolicited bulk e-mail.

Once the registrar decides to act, customers have the option to post a financial bond against future spam reports, or to move the domain to another registrar for a fee several times greater than the original cost of the registration.

It will be interesting to see whether the terms of service – or the willingness to enforce them – change in any way, if a deal is reached.

Reply-All: The Short-Week-Following-the-Long-Weekend-Edition Edition

A blogger for computer and Internet security giant Sophos sounded the red alert Tuesday, announcing that a “primary WHOIS registry” (huh?) had been hacked, and that records of sites belonging to Microsoft and Google had been vandalized. Indeed, a WHOIS search on a UNIX box returned some uninteresting DNS performance art. The author of the blog post didn’t realize he was using, essentially, a modified substring search, so he was seeing a variety of inexact matches containing records from a mess of DNS servers – all unrelated to the companies in question. The original post was replaced with an apology and redaction within a few hours, but not before a standard complement of rotten tomatoes had been tossed in their general direction.

Marketing industry reporter extraordinaire Ken Magill serves up another scoop: after fewer than five days in the saddle, the new CEO of Lyris is reportedly ready to lay off about 15% of its workforce (somewhere between 40 and 45 jobs). The downsizing is apparently part of a shift in corporate strategy away from small business senders in favor of larger companies that send in higher volumes. Some within the company are reportedly wondering (out loud, to Magill) whether the job slashing is part of a move to make the company appear more attractive to a prospective buyer.

Microsoft cut the legs out from under the Waledac spam botnet by seizing 276 domains used for command and control. Microsoft filed a suit against the Waledac operators, in which it sought an award of the C&C domains. The botnet operators have 14 days to appeal the default judgment (thereby revealing their identities), which no one really expects they’ll do. Unlike previous attempts at take-downs, it looks like this one is sticking.

“Houston, we have a problem … it’s called ‘spam’,” tweeted NASA’s Lunar Science Institute, as the “here you have”/VBMania e-mail trojan spread like wildfire across the Intarwebs Thursday, choking and overwhelming e-mail servers and stealing user passwords as it went. Various media outlets reported that the worm has hit NASA, Google, Coca-Cola, Comcast, ABC/Disney, and the Department of Homeland Security.

And to kick your weekend off with a smile, here’s a chuckle from cartoonist Brad Colbow about opting out of retail e-mail campaigns. Remind you of any clients you know?

Spamhaus lists Google

I’m sitting at my desk sipping my first coffee of the day when a colleague floats a message over the transom of an e-mail related listserv with the subject line “Spamhaus now listing Google Outbounds”. Colleague owes me a new keyboard.

It does appear that Spamhaus is listing fifteen different Google hosts. However, Gmail users shouldn’t be reaching for their torches and pitchforks just yet. It does not appear that any machines that actually handle mail for Gmail are listed.

Instead, Spamhaus is listing a basketful of Google Docs machines for their long history of hosting images and redirectors for the associated Canadian Pharmacy ROKSO listing.

Will Google notice? That really depends on whether any Google customers notice. Stay tuned.

Block Lists and the Death of a Thousand Cuts

Author’s Note: Since this writing, block lists operated by SORBS have had a pair of spectacular, catastrophic failures resulting in the inadvertent and wholly spurious characterization of enormous chunks of the Internet as sources of spam, or dynamic IP space, or both. Poor infrastructure planning and operational security precluded a graceful recovery; in fact, it was nearly a week before operations returned to normal. As such, use of GFI/SORBS as a reliable source of data on production mail servers is deprecated. My colleague Steve Atkins at Word to the Wise provides an exhaustive review of the problems leading up to and exacerbating the failures, and summarizes them neatly.

If you’re sending high volumes of e-mail, sooner or later you’ll find yourself on a block list. It doesn’t matter that all of your list segments are quadruple opt-in; like death and taxes, it’s inevitable. The secret to surviving (and correcting) a listing is to be ready before it happens. Here’s what you need to know now, before you find yourself listed.

Stay Cool. No one ever got a listing removed by screaming down a phone line or threatening legal action. Don’t expect (or demand) a good customer service experience from a block list – you are not their customer.

Block Lists Don’t Block Mail. In the initial panic following the discovery of your listing, it’s easy to forget that block lists don’t actually block any mail; it’s your recipients’ mail servers that do all the blocking. The filters used by many ISPs and companies reference data from block lists, reputation scoring firms, and especially feedback from their customers to inform their filtering decisions. If significant numbers of your recipients are reporting your mail as spam, stop worrying about the listing. It’s time to take a hard look at your list hygiene, acquisition and sending practices.

Some Block Lists Matter More Than Others. The vast majority of public block lists don’t matter at all. There are plenty of web sites that offer to look up your sending IP on hundreds of lists all at once, but unless you’re listed on one of only about a half-dozen, you probably have nothing to worry about.

So which are the ones worth worrying about? Any of the lists operated by, the CBL, URIBL, CloudMark CSI, SpamCop, Barracuda Central, and sometimes SURBL and SORBS. The cast of characters changes a little from time to time, but these are usually the heavy lifters.

Different Lists Do Different Things. A listing on the Spamhaus SBL means something very different from a listing on URIBL, which is entirely different again from a listing on Spamhaus PBL. Only one of these (SBL) is a list of suspected spam sources. The URIBL lists domains that appear in spam. The PBL is a list of IP space from which unauthenticated e-mail is not supposed to be sent. Don’t assume you’ve been listed because someone thinks you’re sending spam; make sure you understand the reason for your listing before you waste time fixing a problem you don’t have.

Many Block Lists are Automated. Some block lists operate with as little human input as possible. The URIBL is a good example. It automatically adds the domains it sees in the links contained in spam, so that users of the list can block mail based on presence of those domains. The good news is that delisting is pretty straightforward – just submit a short request on their web site. But expect the listing to be reinstated automatically if it sees more spam that contains links to the offending domain.

Avoid the Death of A Thousand Cuts. The most dangerous block lists are the private, home-grown lists created and maintained by IT professionals at the companies you’re sending to. These lists are unpublished, unqueryable, and controlled by harried mail administrators who don’t have time to check every few weeks to see if it’s okay to delist you.

Once you land in one of these lists, the effect is very localized, but extremely difficult to reverse. Land in enough of these lists, and you’ll notice significant deliverability problems with your target niche – the death of a thousand cuts. Ironically, one of the benefits of the large, centralized block lists for senders is that it takes just one delisting to get mail unblocked across great swathes of the Internet. It’s a lot easier than contacting every domain you send to, one by one.

Block lists seem a lot less scary once you understand how they’re assembled and used. If you find yourself listed, keep calm, find out why, and gather together the data you need to fix it.
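To make the “different lists do different things” point concrete, here is an added example (not code from the original post) of what a receiving mail server actually does with a block list: it turns the sending IP into a DNS query, and the answer’s last octet says which list matched and therefore what kind of problem is being signalled. The zone names and the 127.0.0.x return codes for Spamhaus ZEN and the query form for URIBL are the publicly documented ones; everything else is assumed for illustration: the DNS resolver is a constructed in-memory table so the code runs offline, the 192.0.2.x addresses are documentation space, example.net being “listed” is invented, and the two-label domain reduction is a stand-in for a real public-suffix list.

```python
"""Added example: querying IP and domain block lists the way a mail filter does,
and mapping each answer to the kind of problem it signals.  Not from the post."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# A resolver takes a query name and returns its A-record strings, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

# Spamhaus ZEN folds SBL, XBL and PBL into one zone; the answer's last octet says which
# list matched.  These codes are the ones Spamhaus publishes (re-check the list's own
# documentation before relying on them); anything outside 127.0.0.0/24 is a status code.
ZEN_CODES: Dict[str, Tuple[str, str]] = {
    "127.0.0.2": ("SBL", "verified spam source"),
    "127.0.0.3": ("SBL", "CSS: low-reputation or snowshoe spam source"),
    "127.0.0.4": ("XBL", "compromised host or open proxy (CBL data)"),
    "127.0.0.10": ("PBL", "ISP policy range: end-user space not meant to send mail directly"),
    "127.0.0.11": ("PBL", "Spamhaus-maintained policy range"),
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IP lists are queried with the octets reversed: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup_ip(ip: str, resolver: Resolver, zone: str = "zen.spamhaus.org") -> List[Tuple[str, str]]:
    """Return (list, reason) pairs for ip; an empty list means not listed.
    Status codes (e.g. Spamhaus 127.255.255.x for refused/over-quota queries) are
    reported as ERROR so a filter never blocks mail because its own lookups are failing."""
    answers = resolver(dnsbl_query_name(ip, zone))
    if not answers:
        return []
    hits = []
    for a in answers:
        if not a.startswith("127.0.0."):
            hits.append(("ERROR", f"status code {a} from the list, not a listing; do not block on it"))
        else:
            hits.append(ZEN_CODES.get(a, ("UNKNOWN", f"undocumented code {a}; check the list's docs")))
    return hits


_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def domains_in_body(body: str) -> List[str]:
    """Hostnames found in links, reduced to their last two labels (assumption: a real
    client would use a public-suffix list).  Order of first appearance, no duplicates."""
    seen: List[str] = []
    for host in _URL_HOST.findall(body):
        domain = ".".join(host.lower().split(".")[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


def lookup_domains(domains: List[str], resolver: Resolver, zone: str = "multi.uribl.com") -> Dict[str, bool]:
    """Domain lists are queried as <domain>.<zone>; the name is NOT reversed.
    URIBL answers 127.0.0.1 to refuse a query, so that code is not treated as a listing."""
    result = {}
    for d in domains:
        answers = resolver(f"{d}.{zone}") or []
        result[d] = any(a.startswith("127.0.0.") and a != "127.0.0.1" for a in answers)
    return result


def triage(ip: str, body: str, resolver: Resolver) -> List[str]:
    """Map each hit to the kind of problem it signals, so you fix the problem you have."""
    findings = []
    for lst, reason in lookup_ip(ip, resolver):
        if lst == "PBL":
            findings.append(f"{lst}: {reason}. Policy, not a spam report: relay through an "
                            "authenticated submission host instead of direct port-25 delivery.")
        elif lst == "SBL":
            findings.append(f"{lst}: {reason}. Reputation: audit acquisition and list hygiene, "
                            "then request delisting.")
        elif lst == "XBL":
            findings.append(f"{lst}: {reason}. Clean the host first; delisting recurs until it is clean.")
        else:
            findings.append(f"{lst}: {reason}.")
    for domain, listed in lookup_domains(domains_in_body(body), resolver).items():
        if listed:
            findings.append(f"URIBL: {domain} appears in spam link data; delisting is self-service "
                            "but automatic re-listing follows more spam linking to it.")
    return findings


# Constructed DNS table standing in for the live lists (these entries are invented).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.10"],        # 192.0.2.10: PBL policy range
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2"],         # 192.0.2.20: SBL
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],   # 192.0.2.30: query refused, not listed
    "example.net.multi.uribl.com": ["127.0.0.2"],         # example.net: listed domain (invented)
}


def fake_resolver(name: str) -> Optional[List[str]]:
    return CONSTRUCTED_DNS.get(name)


if __name__ == "__main__":
    for line in triage("192.0.2.10", "Offer: http://www.example.net/deal", fake_resolver):
        print(line)
```

The two checks every filter author should carry away from this: treat NXDOMAIN as “not listed” and any answer outside 127.0.0.0/24 as a lookup problem rather than a listing, and decode the last octet before acting, since a PBL hit on a home connection and an SBL hit on a sending host call for completely different responses.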

Relevance Is The New Permission?

I’ve been meaning to blog more about this article for a while, in which Sherry Chiger examines the pros and cons of single and double opt-in permission for e-mail. Her opening line is a real attention-grabber – I nearly fell out of my chair when I first read it: “Once upon a time—say, 10 years ago or so—double opt-in was the gold standard of permission-based e-mail.”

Maybe what Ms. Chiger is trying to say is that double opt-in is not the only acceptable standard of permission – which is absolutely true. But it sure has a lot going for it: it’s simple to implement; easy to automate; easy for senders to measure; and happens in-band. For these reasons among others, it’s the best kind of permission to have, and that’s why it’s (still!) the gold standard.

But obtaining permission – even the gold standard – has never been a panacea for delivery issues. The problem with any flavor of permission is that, within the e-mail protocol, there is no way for senders to reliably assert what kind of permission they’ve been given. That means ISPs can’t measure permission per se; instead, they must measure spam complaints and other metrics as a proxy for permission. In other words, if a sender’s message is relevant to the recipients, the performance of a message sent without permission is often indistinguishable from that of permission-based messages.

Some in the sending community take this as proof that relevance is more important than permission – and this may be the point that Ms. Chiger is trying to make. I disagree. I think the real conclusion to be drawn is that there is no better indicator of relevance than permission – and that’s why permission is so valuable.

I talk to a lot of frustrated senders who’ve segmented their lists dozens of different ways to try to infer which messages are relevant to which recipients. They burn a lot of time, energy and reputation trying to force relevance. I’ve never understood why this is preferable to just asking the recipient for permission.