The FTC gets over 200,000 Spam Messages a Day

Written by Sue Walsh on August 9, 2010

BusinessWeek has a great article about the FTC and how they’ve evolved to become a fixture in the war against spam and online fraud. They have a server that holds over 314 million spam messages and receives over 200,000 more a day. Investigators analyze the messages in their efforts to track down spammers and prosecute them under the CAN-SPAM law. Successful investigations lead to spammers being fined and sometimes jailed. They’ve also begun moving into the areas of social networking and identity theft.

I wonder, though, of all the spam messages they collect, what percentage originates from somewhere other than the U.S. Most hardcore spamming operations are safely overseas on bulletproof hosts in countries that don’t investigate or prosecute cybercrime either due to lack of understanding, lack of resources, or law enforcement corruption. Since these spammers can be convicted and fined without having to actually appear in court, yet can’t be made to pay up unless they enter the U.S., it seems such investigations could all be done in vain. Suing spammers doesn’t work well either – they just declare bankruptcy and move on to a new scam. There have been a few cases lately about spammers who’ve gotten themselves pretty hefty jail sentences but again, it doesn’t really work when the spammer is overseas somewhere.

So yes, the FTC is doing a great thing by investigating spammers and holding them accountable under the CAN-SPAM Act, but fighting spam will only be truly effective when all countries do so together and have similar anti-spam laws.

Feds Say Missouri Spam Operation Netted Over $4 Million

Written by Sue Walsh on July 20, 2010

Federal authorities say two men accused of running a spam campaign in Columbia, Missouri that targeted college students reaped profits to the tune of over $4 million. Investigators say Amir Shah, Osmaan Shah, and Paul Zucker began their spamming activities in 2004. They created programs designed to harvest the email addresses of students at over 2,000 colleges, starting with those at the University of Missouri at Columbia.

The spam messages hawked products such as tooth whiteners and a social networking site called Noog.com and claimed to be from officially authorized campus representatives and alumni-owned businesses. To avoid detection they used a bulletproof hosting company in China that ignored takedown requests, and they bought proxies. They also faked the headers and reply-to addresses in their messages, a blatant violation of CAN-SPAM laws. When a college complained, the addresses of their students were simply taken off the list.

The men made their money both by selling the products they offered in their spam messages and through affiliate marketing, using their spam to inflate their referrals. They tried to hide their profits by buying properties and funneling the money to overseas accounts.

The Shahs and Zucker were indicted on 35 counts of fraud in connection with email, 6 counts of fraud in connection with a computer, and 1 count of conspiracy. All three charges are felonies and they face over 60 years in prison if convicted. Zucker pleaded guilty last week. The Shahs had originally entered a not guilty plea but were expected to change that to a guilty plea last week, but cancelled their hearing after Zucker pled guilty.

Why spammers slip through jaws of legal beagles

Written by John P Mello Jr on June 1, 2010

With so much spam choking email channels on the Internet–some estimates peg spam volumes at as much as 95 percent of all email traffic–you’d think there’d be more lawsuits against the perpetrators of the junk. That’s not the case, however, and there are more than a few reasons why that’s so.

Terry Zink, at his Anti-malware blog, argues that the reason spammers aren’t prosecuted is they locate themselves in jurisdictions that tolerate the junksters for various motivations. “Some of the worst criminals in [the] spamming underworld are located in [E]astern Europe and Russia,” he writes. “Many of them are known to the authorities but they are not pursued by [those] authorities.”

A quick look at the latest Spamhaus list of the world’s Top 10 Worst Spammers shows that Zink’s analysis is right on the money. Seven of the top 10 junko artists are from Russia or one of its former republics.

Among the culprits fingered by Spamhaus were three from the Russian Federation–Leo Kuvayev, of Bad Cow, which deals in pirated software, knock-off pharmaceuticals, porn spam and payments collections, and botnet viruses; Peter Severa/Peter Levashov, a partner with a number of spam gangs; and Ruslan Ibragimov, of send-safe.com, creator of stealth spamware and operator of a spam distribution network from compromised computers and hijacked open proxies.

Spammers based in the Ukraine were Canadian Pharmacy, which operates a botnet spam distribution network and a number of spam websites; Alex Blood/Alexander Mosh/AlekseyB/Alex Polyakov, a massive botnet operator and purveyor of child porn, pharma and mortgage spam; and Yambo Financials, a distributor of child, animal and incest porn, as well as pirated software and pharma spam.

Retailers Testing CAN-SPAM By Making Unsubscriptions More Difficult

Written by Sue Walsh on April 20, 2010

A new study has revealed that many businesses have been pushing the envelope as far as the CAN-SPAM Act goes. It found that 39% of major online retailers force users to go through 3 or more clicks to unsubscribe from a mailing list, up from 7% in 2008, and 30% send 2 or more emails after the unsubscribe request has been received. This is not a good trend; in fact, it can get a business in hot water.

“When you’re competing against the ruthless efficiency and trustworthiness of the ‘report spam’ button, your email opt-out process needs to be friction-free and provide options ISPs can’t give their users,” said Chad White, Research Director at Responsys and author of the study. “But an examination of the unsubscribe processes of the largest online retailers shows plenty of room for improvement on both those points.”

The study also found that 4% of the top 100 online retailers refuse to honor opt-outs, a blatant violation of the CAN-SPAM Act. Passed in 2003, the CAN-SPAM Act makes it unlawful for retailers to ignore opt-out requests and mandates that they make the process as clear and easy as possible. It specifically says a user who wishes to unsubscribe must not have to do anything more than send a reply email or visit a single webpage.

It’s crucial to make sure your company is in compliance with CAN-SPAM. Not only could failing to do so land you in legal hot water, but making unsubscribing from your mailings a hassle could lead to frustrated customers flagging your messages as spam. If their ISP gets enough such reports you could find your mailings blacklisted altogether, and that will keep untold numbers of customers who actually want your info from seeing it!

FTC Declines to Prosecute Bidz.com for CAN-SPAM Violations

Written by Sue Walsh on April 13, 2010

Online jewelry retailer Bidz.com has announced that the FTC has decided not to pursue charges related to its investigation of the company’s email practices. The investigation, which was in response to numerous consumer complaints regarding the company’s alleged refusal to honor opt-out requests, began in 2009. The CAN-SPAM Act mandates that businesses must include clear and easy to follow unsubscribe instructions on all commercial email and honor all opt-out requests or face stiff fines.

“We are pleased with the decision of the FTC staff, as we have cooperated fully throughout the investigation,” said David Zinberg, the Company’s Chief Executive Officer. “We take very seriously our, and our marketing partners’, obligations relating to email marketing. This favorable result will allow us to concentrate on our core business.”

The company settled a lawsuit related to the spam complaints last month shortly after a U.S. District Court judge denied the plaintiff’s request for class action status, a move that may have helped contribute to the FTC’s decision.

Bidz.com, an auction site similar to eBay but offering jewelry, gifts, and fine art only, has a long history of troubles. Last year the SEC opened an investigation into its inventory accounting practices and it also found itself the target of several lawsuits accusing the site of shill bidding. A separate class action lawsuit was also filed against them, accusing them of securities fraud.

While the company insists there has been no wrongdoing and the SEC is still investigating, it’s clear they have some serious PR messes to clean up.

Who Gets to Decide if it’s Spam? Not you, Mr Marketer

Written by Paul Cunningham on April 8, 2010

There is a growing sentiment in some business circles that spam can be clearly defined by what is and isn’t allowed under the typical anti-spam legislation enacted by governments these days.

In the US the CAN-SPAM Act of 2003 (the acronym drawn from the bill’s full name “Controlling the Assault of Non-Solicited Pornography And Marketing”) effectively legalized spam by applying three basic requirements to commercial emails:

  • Visible and operable unsubscribe mechanism, with requests honored within 10 days
  • Accurate content such as From: fields and subject lines, and a legitimate physical address of the advertiser
  • Not sent via open relay, does not contain false headers, and is not sent to harvested email addresses

Some organizations have taken this legal standard and run with it, sending commercial email to addresses obtained through bought lists, co-registration, incentive offers, and other innocuous means such as when filling out forms or dropping business cards into prize draws at conferences.

And to comply with the unsubscribe requirements they use onerous mechanisms for unsubscribe requests instead of simple one-click methods.

And while doing all of this they insist that it’s not spam.  After all, the law says so.  It’s just perfectly legitimate email marketing.

You Don’t Get to Decide

I’m sorry, but you don’t get to decide that.  And by “you” I mean businesses.  Businesses and their marketing departments who look at email as a fast, convenient way to reach a lot of people with their very important messages.

Now for the purposes of this discussion I’ll make some definitions clear.  I’m not talking about the kind of spam that botnets send out to try and trick people into buying fake pharmaceutical goods or a counterfeit watch.

U.S. Based Spammers Using Loophole to Get Around CAN-SPAM

Written by Sue Walsh on February 1, 2010

The CAN-SPAM Act is supposed to protect us from unwanted commercial email but some U.S. based spammers, who usually call themselves direct marketers, have found a loophole to get around the requirements placed on them by the law.

CAN-SPAM says commercial emailers must provide a clear and easy way for recipients to opt out of receiving further messages and they must promptly honor those requests. What some sleazy marketers have found, however, is that they can get around having to do so by changing their name. They send a blast of spam as XYZCompany at XYZ.com. They get a flurry of opt-out requests and instead of honoring them, they change their name to XYZCompany1 at XYZ1.com. More spam sent, more requests received, and they change their name again, this time to XYZCompany2 and XYZ2.com.

What can be done? It’s up to the U.S. to change the law to say that direct marketers and commercial emailers must get permission from consumers BEFORE sending any of their spam. In doing so the U.S. will fall into line with spam laws in most other countries.

Will this happen? That’s anyone’s guess. The Supreme Court’s decision to allow businesses to spend as much as they want on political campaigns may have a less than pleasant effect on the law. In the meantime, if your company is using this practice, stop. It’s not legal and it’s not good business.

Australian Financial Firm Fined 55K For Spamming

Written by Sue Walsh on January 31, 2010

Australian financial services firm CommSec was fined $55,000 (roughly $48K US) for violating that country’s Spam Act. The Australian Communications and Media Authority (ACMA) levied the fine after it launched an investigation into the company’s mail campaigns and found they were in violation of the Spam Act. That Act, like the CAN-SPAM Act, requires that all commercial email include a way to unsubscribe and that emailers honor those requests. The ACMA’s investigation, prompted by numerous consumer complaints, found that the company’s emails had no unsubscribe directions and that they ignored requests from consumers who asked to be taken off their mailing list.

“ACMA expects that Australian businesses take note of this outcome,” ACMA chairman Chris Chapman said. “Under the Spam Act, every person has the right to unsubscribe from receiving commercial electronic messages and to have that request acted on effectively and quickly. The failure to act on a request can result in significant penalties if a business is found to have breached the Act.”

CommSec sent over 6 million advertising emails in 2009. The company says it has agreed to have an independent consultant review its compliance systems and to provide additional training to its staff.

Private registration no defense for spammers

Written by John P Mello Jr on November 18, 2009
A CAN-SPAM court decision may hurt the private domain registration business.

Spammers hiding behind private registration of domain names to spread junk email received a slap in the face recently from a federal district court in California. In their attempt to nullify the U.S. CAN-SPAM Act, the garbage pedlars argued, among other things, that the law was unconstitutionally vague because anyone trafficking in private domain registrations could be held liable for materially falsifying an identity under the statute.

Ironically, private domain registrations were created to protect domain owners from spammers, scammers, telemarketers and other unsavory types. Under the process, domain owners who want to keep their personal information private enlist another company, a proxy registrar, to register their domain for them. The domain owner retains control of the domain, but for public purposes, such as listing in the WHOIS directory, the proxy’s contact information is listed as the owner of the domain. The rub to the process, though, is that anyone can use it–even spammers seeking to hide ownership of their domains. It’s a pair of such spammers that found themselves appealing their prosecution before the Ninth Circuit Court of Appeals.

The case, U.S. v. Kilbride, involved a pair of porn spammers operating through a company based in the small African nation of Mauritius. Their spam, which generated 662,000 complaints with the U.S. Federal Trade Commission, violated CAN-SPAM in a number of ways including forged headers, fake email addresses and phony contact information. A jury, after a three week trial, convicted the defendants of criminal CAN-SPAM violations and other charges. One smut circulator received a 6.5 year prison term; the other, five years in the Big House.

In their arguments before the court, the skin merchants asserted that CAN-SPAM is too vague in its definition of material falsification to meet constitutional standards because it criminalizes private registration of domain names. The court, however, wasn’t buying that contention. “We fail to perceive any vagueness on this point,” the judges opined.

Passed in 2003, CAN-SPAM provides penalties for anyone, among other things, who “materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages” or “registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names…”

Facebook Wins Suit Against Spammer

Written by Sue Walsh on October 30, 2009

Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect their judgement.