Classic spam: Is CAN-SPAM spam not spam?
The bottom line: Spammers continue to claim compliance with CAN SPAM as a rationalization for their unsolicited mailings. However, as in this case, the perps are usually not in full compliance with CAN SPAM (typically due to header forgery). Even if they were sticking to the letter of the law, however, this doesn’t mean that they aren’t sending spam, or that I can’t report such behavior to the providers involved.
Since the CAN SPAM act was passed into law at the end of 2003, we’ve begun to see a lot of unsolicited mail that claims to be compliant with the provisions of this new law (and therefore not spam). Indeed, it’s a good idea to be compliant with this law, otherwise you could get convicted, pay a fine, and go to federal pokey for as much as five years.
One question that some of us may have, however, is whether we should consider these new “legal” messages to be spam, and report them accordingly. Must we put up with them just because they’re “legal” (if in fact they are legal)? I will give you my own answer to this later on, but for now let’s look at a typical example of such a post-CAN SPAM message:
First, here’s the header:
Return-Path: hidden
Received: from ip3.com (217.65.26.222) by sc011pub.verizon.net
(MailPass SMTP server v1.1.1 - 121803235448JY)
with SMTP id <3-5213-125-5213-246034-1-1080587142>
for mta018.verizon.net; Mon, 29 Mar 2004 13:05:46 -0600
Return-Path: hidden
From: hidden
To: hidden
Subject: peacockt, just a small email list = BIG Residuals
X-Priority: 3
Content-Type: text/html
Message-Id: <20040329190544.WXIE1414.mta018.verizon.net@ip3.com>
Date: Mon, 29 Mar 2004 13:05:48 -0600
<< stupid business sales pitch snipped >>
Now, here’s the tail end of the mail, with the CAN SPAM disclaimer, doctored to reveal links, and taken from a browser window (for readability):
Note that the foot of this message gives the sender’s own gloss of the requirements of CAN SPAM, but it is not completely consistent with the actual text of the law. For example, it leaves out the provisions regarding header tampering, and claims that the message must include the actual name of the sender (I can’t find this literal requirement anywhere in the CAN SPAM law).
In fact, this footer appears to be a case of protesting too much: by insisting over and over that the message isn’t spam, the senders are really making you suspect that it is. You will note the Freudian question mark in the following: “This message is in compliance with the new CAN-SPAM Bill 2003?”
OK, so let’s get out our CAN SPAM checklist and look for ourselves.
What follows are my own interpretations based on my understanding of CAN SPAM and my analysis of this particular message. I ain’t a lawyer, so judge my remarks accordingly.
CAN SPAM says that you are sending forbidden “predatory and abusive commercial e-mail” if you do any of the following:
Make unauthorized use of a protected computer to send your mail. “Protected computer” here means a network server or host belonging to an ISP or an online business or institution (but probably not a home computer acting as an open proxy) (see 18 USC 1030(e)(2)(B)).
The originating mail host (217.65.26.222) is part of a block controlled by RIPE (Europe) and assigned to a German ISP; the machine at this address, or at any rate the network router that controls it, probably fits the definition of a “protected” machine, and its use was quite probably “unauthorized” if the ISP had an anti-spam policy. Furthermore, the case may be made that this foreign machine is being “used in a manner that affects ... communication of the United States.” One could argue the latter point, but I’m going to take it as a hit. RESULT: VIOLATES CAN-SPAM
“Materially” falsify header information contained in that mail (specifically, to make it look as though the mail comes from, or was sent on behalf of, a party that had nothing to do with it).
The sender here used an SMTP “HELO” host name of “ip3.com,” but as we have already seen, the actual originating address of the mail is 217.65.26.222; a DNS lookup of “ip3.com” yielded two addresses, neither of which was even close to this one.
To my mind, the HELO represents the sending mail host’s declaration of its identity to the receiving host; while SMTP does not require this HELO hostname to be truthful, common sense suggests that if you knowingly falsify the HELO, you are in effect lying about who you are (this is still the case even though we can use the actual IP address to verify the HELO).
Furthermore, the fact that the mailers of this message were able to falsify the HELO suggests that they were operating their own mail host (or going “direct-to-MX”), rather than using one operated by their ISP; this isn’t itself criminal or even particularly unethical, but is certainly suspicious. This seems then, on its face, to be a “material falsification.” RESULT: VIOLATES CAN-SPAM
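The HELO-versus-connecting-IP comparison made above can be automated. The following script is an added example for this post, not the author's own tooling: it parses the Received: line shown earlier (folded continuation lines joined), pulls out the HELO name and the address the receiving MTA actually saw, and asks a resolver whether the HELO name resolves to that address. The names `SAMPLE_RECEIVED`, `FAKE_DNS`, `parse_received`, `check_helo`, `table_resolver` and `live_resolver` are all this example's own, and the DNS answers in `FAKE_DNS` are constructed for the demonstration (RFC 5737 documentation addresses, not ip3.com's real records).

```python
"""Compare a Received: header's HELO name with the IP the MTA actually saw.

Added example for this post (not the author's tooling). It automates the
check described above: the sender said HELO as "ip3.com", the receiving
host recorded the connection as coming from 217.65.26.222, and a lookup of
ip3.com did not return that address. The DNS answers below are constructed
for the example (RFC 5737 documentation addresses, not ip3.com's real
records); swap in live_resolver to query real DNS.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# The Received: line from the message above, with its folded continuation
# lines joined into one header.
SAMPLE_RECEIVED = (
    "Received: from ip3.com (217.65.26.222) by sc011pub.verizon.net "
    "(MailPass SMTP server v1.1.1 - 121803235448JY) "
    "with SMTP id <3-5213-125-5213-246034-1-1080587142> "
    "for mta018.verizon.net; Mon, 29 Mar 2004 13:05:46 -0600"
)

# Constructed stand-in for DNS: what a lookup of the HELO name "returns".
FAKE_DNS: Dict[str, List[str]] = {"ip3.com": ["192.0.2.10", "192.0.2.11"]}

# Matches the three common ways an MTA records the peer:
#   from helo (1.2.3.4)   from helo ([1.2.3.4])   from helo (rdns.name [1.2.3.4])
_FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*\((?:[^()\[\]]*\[)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.IGNORECASE,
)

Resolver = Callable[[str], List[str]]


def parse_received(header: str) -> Optional[Dict[str, str]]:
    """Return {'helo': name, 'ip': addr} from a Received: line, or None when
    the receiving MTA did not record both (e.g. a local delivery hop)."""
    m = _FROM_RE.search(header)
    if m is None:
        return None
    return {"helo": m.group("helo").lower(), "ip": m.group("ip")}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed name->addresses table."""
    return lambda name: table.get(name.lower(), [])


def live_resolver(name: str) -> List[str]:
    """Real A-record lookup via the system resolver (network required)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror, UnicodeError):
        return []


def check_helo(header: str, resolve: Resolver) -> Dict[str, object]:
    """Classify the HELO/IP relationship recorded in one Received: line.

    verdict is one of:
      'unparsed'     - no HELO + IP pair found
      'consistent'   - the HELO name resolves to the connecting IP
      'mismatch'     - it resolves, but to other addresses only
      'unresolvable' - the HELO name has no A records at all
    """
    parsed = parse_received(header)
    if parsed is None:
        return {"verdict": "unparsed"}
    addrs = resolve(parsed["helo"])
    if not addrs:
        verdict = "unresolvable"
    elif parsed["ip"] in addrs:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "helo": parsed["helo"],
            "ip": parsed["ip"], "resolved": addrs}


if __name__ == "__main__":
    result = check_helo(SAMPLE_RECEIVED, table_resolver(FAKE_DNS))
    print(result)  # constructed table -> verdict 'mismatch'
```

Only the topmost Received: line added by your own provider's MTA is trustworthy for this purpose; anything below it was written by the sender and can say whatever it likes. A 'mismatch' or 'unresolvable' verdict is a signal rather than proof, for the reason the post itself gives: SMTP does not require the HELO name to be truthful, and some legitimate hosts behind NAT or outbound pools announce a name that does not resolve to the connecting address.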
Falsify the information you provide to an ISP in order to get the mail accounts or web domains you use in conjunction with the mail.
Several website links are included in this mail. Leaving aside those that just appear to be image drops or remove links, we are left with the site that the mail is pitching, at “capturingedge.biz.” This domain is registered in France at GANDI (http://www.gandi.net/whois), and the registration contains a pair of apparently valid postal addresses for a company named “HDTI, Inc.” in Henderson, Nevada and Bellevue, Nebraska. At this point, I can’t say that these mailers have falsified this information. RESULT: INCONCLUSIVE.
Pretend to be the legitimate “owner” of IP addresses you use in conjunction with the mailing.
My analysis of the message and the header doesn’t reveal anything that might run afoul of this portion of the law; the spammer appears to have made legitimate contracts to use the website IP addresses, and the same is probably true of the address from which the mail came. In any case, we can’t really tell here without possibly serving subpoenas on the operators involved. We’ve already nailed him for the forged HELO, so I won’t double-dip. RESULT: MEETS CAN-SPAM.
Furthermore, CAN-SPAM requires all commercial electronic mail messages (or CEMMs, as it calls them) to have
Clear notification that they are advertisements.
You can’t be in any doubt but that this message is an advertisement. RESULT: MEETS CAN-SPAM
A subject line that is not calculated to deceive the recipient as to the nature of the mail.
Gotta give ’em this one too: the subject line here (unlike those of many spams) does have a spamvertising flavor to it. RESULT: MEETS CAN-SPAM
A working removal mechanism (a return e-mail address or web link) that is actually honored.
As we see in the picture above, the mail does provide a removal link. As I write, the link is still available, hosted by a machine on Chinanet. The frogcapture.net domain for this link was registered at GANDI by the same parties as the capturingedge.biz domain. Of course, we have no idea whether this link actually does anything other than drop your e-mail address into a “laundered” list to get more spam. RESULT: INCONCLUSIVE
The valid postal mail address of the sender of the mail.
Yes, the message gives a postal address, except that it’s in London (as is, presumably, the telephone number; I don’t have access to a reverse lookup to confirm this). Still, the address appears to exist, being a few blocks from Wembley Stadium. I found one reference to a UK firm named “Vitesse Security” (referring to them as a security alarm installation service), but none to “Vitesse Comms.” The e-mail address points to a free hosting service called “ukadvisors.com;” there is no index page at www.vitessesecurity.ukadvisors.com (although the mail does fetch a couple of images from this “subdomain”). One might well ask why an outfit based in Nevada (or is it Nebraska?) declares a postal address thousands of miles away in London. RESULT: INCONCLUSIVE.
Finally CAN-SPAM lists a number of technical violations that are of less interest to us at present (such as a prohibition on “dictionary attacks” and address harvesting). We have no way to know whether HDTI, or Vitesse (or whoever sent the mail) did any of these things, so we’ll just pass over this section of the law.
So, as far as I can tell, this message flunks the CAN-SPAM test (due to header falsification, and to possibly unauthorized use of a “protected computer” to send the spam), and may contain other violations of the law that I am unable to verify from where I sit. Also, why should this operator whine about being compliant with CAN-SPAM when he’s (apparently) in the UK and beyond the reach of U.S. federal law enforcement? So much for this guy; go ahead and file him under “spammer.” Just because a pig wears a sign around his neck saying “I’m not a pig” doesn’t mean that he isn’t one.
But what if this message were squeaky-clean insofar as CAN-SPAM is concerned? Does this mean we couldn’t do anything about it? Here’s the way I look at it:
You have a perfect right to complain about unsolicited bulk e-mail you don’t want to receive. What is done by others with your complaint is another matter, bound up in contract and commercial law, as well as (now, with CAN-SPAM) criminal law. Nevertheless, you are still quite entitled to complain as the recipient of untargeted, unsolicited mail.
Spam was quite legal in the U.S. (at least on the federal level, and in all but a few states) before CAN-SPAM, but you could still complain about it as a violation of an ISP’s acceptable-use policy.
Spam is less legal now, and most ISPs still retain their anti-spam AUPs (which are almost always more stringent than CAN-SPAM), and you still retain your right to complain about messages you don’t want to get.
So, there you have it: it all comes down to my rule #2. Rule #2 rules!
The results are only just beginning to trickle in as I write, and there are a couple of CAN-SPAM prosecutions in the works, but so far the consensus within the anti-spam community seems to be that CAN-SPAM is not the “silver bullet” that will end spam as we know it. At best, the threat of federal prosecution may be deterring some mainline businesses from deciding to use spam, but our regular cohort of serial “whack-a-mole” spammers seem to be continuing their mailings with no particular hindrance.