Archive for CAN SPAM

Thinning out the Inbox

On April 30 I posted an article Make May Day “Unwanted Email Unsubscribe Day” with tips on clearing your Inbox of unwanted email — not spam, but subscriptions you signed up for, but no longer had an interest in. The article was well received and it received a few comments, too.  (Surprisingly I received a lot of email about it).

One great comment came from David Bondelevitch at dB’s Blog, who said:

Not just the inbox; every once in a while I will run a search in my trash for the word UNSUBSCRIBE and click on most of them.

Be careful though, some e-mails use that link to phish, and all you are doing is confirming to them that it is a functional e-mail address.

Today, I am still thinning out the Inbox and unsubscribing to several emails.

I am also updating my subscriptions, too. Some of the email addresses I subscribed with are addresses I’m not interested in using as much as I used to. So in some cases I am going back the original signup web site and updating my subscription details.

Some of the companies I receive mail from have taken this into consideration, and they’ve included a “Update your Preferences” link at the bottom of the email. Some other haven’t prepared for this possibility. In extreme cases, I have had to unsubscribe one address and resubscribe with another.

So keeping the Inbox thin is just like keeping yourself thin. The work never ends, it’s an ongoing process.

Make May Day “Unwanted Email Unsubscribe Day”

I get way too much email. The bulk of my email isn’t even personal messages, but mostly bulk email messages from newsletter subscriptions, web site and online shopping offers, fan site updates, business networking updates, social networking updates, Twitter alerts, Facebook notices, etc.

I’ve been getting so many of these that the personal and direct business emails have been getting lost under it all in my Inbox. On top of that, my mail files has become so large that the file became corrupted, and I wasn’t able to delete some messages.

Usually I spend a little bit of time one or two days a week just going through my mail sorting and deleting. It gets hard to keep up with it all, and I am still missing important messages.

I finally concluded: “the best thing to do is to reduce the amount of email I receive”.

So the first of May is tomorrow. Often referred to as May Day, which reminds me of the distress call “Mayday!”. I have made this the day, starting today, that I sit down with my email, take a good look at these bulk mail messages, and I UNSUBSCRIBE to them.

Here’s what I did:

  1. In my Inbox I clicked the top of the column where it says “From”. This sorts all my mail into groups of people and organizations.
  2. Then I scroll through the list looking for the biggest groups. These probably send to me every single day of the week.
  3. If I don’t want to see their emails again, I open one and scroll down to the bottom to find the UNSUBSCRIBE link. Bulk mailers are supposed to include an unsubscribe link.
  4. I click the link, which takes me to their web site where I am clearly offered an option to UNSUBSCRIBE, or they notify me that I will no longer receive their emails. (They have 10 days to comply according to the FTC).
  5. After I’ve unsubscribed I close the email message, and then I delete all the other messages in that group.

So save yourself, your Inbox, and your sanity, and make today your Email Unsubscribe Day!

Spam Fighting Update

My blog post titled “I’m Fighting Acai Berry Spam Today” from August 14, 2008 is the 4th most read post on Skylarking. It has received a fair amount of commentary since April of this year. The comments have lead me to add an update to the post to clarify the intent and purpose of the article:

This post is about spam in general, using Acai Berry spam as an example. I aim to (1) illustrate that sometimes email addresses and web site addresses don’t match; and that when WHOIS is used, one may often find that they might not belong to the same person or organization. That should be a warning as to the legitimacy of the email message (or the site). Some readers have focused more on the email aspect of spam, but (2) much spam directs you to a web site. As some commenters have pointed out: email addresses can be spoofed, and tracking an email can be very difficult, BUT it is my opinion that web sites can be easier to track.

So my point is that spam is often associated with a web site, and discrepancies between a web site and an email message can often help determine the validity of the email and/or the site.

You can read the updated post and comments here.

Thanks to everyone who has commented, and added their thoughts, ideas, and knowledge concerning the subject. And thank you for leading me to elaborate further. I look forward to hearing more comments and thoughts on the subject.

33 percent of all spam ended yesterday

Sort of….

The FTC (Federal trade Commission) won a preliminary legal victory against the world’s largest spam gang  by persuading a Chicago Federal court to freeze the gangs assets and to order their spam network shutdown.

The spam gang, known by spamfighting agencies as HerbalKIng, had a networks of 35,000 computers which which could send out 10 billion spam messages a day.  Many of these computers were owned by people who didn’t know their computers had been remotely commandeered to send email on behalf of the spammers.  The network had ties in the United States, China, India, New Zealand, and Australia. The network was referred to as the “Mega-D Botnet”.

If you’re unfamiliar with the term “botnet, here’s an explanationation from SearchSecurity.com:

A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets — not spam, viruses, or worms — currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.

The network was purportedly responsible for a third of all spam at one point, and had been collecting $400,000 in Visa charges in one month.

The spammers had been sending messages hawking various pharmaceuticals and male-enhancement drugs. The charges brought against them are more than just spamming counts, but the charges also include making false claims about their product, selling pharmaceuticals without a prescriptions or doctor’s intructions, and selling drugs from countries such as Indie which aren’t regulated or approved for sale in the US.  Many of the drugs being sold had harmful side effects.

The FTC’s investigation aginst this organization had been ongoing for over 2 years.

Here’s a bio about HerbalKing from Spamhous spamfighting organization:

HerbalKing is a massive affiliate style spam program for snakeoil Body Part Enhancement scams (penis enlargement). It has also done spam campaigns for replica luxury goods, pharma (counterfeit pills) and porn. Spam arrives via botnets with spamvertised sites on “bulletproof” hosting offshore, particularly in China. The group also uses fast-flux hosting, running sites on hacked botnet PCs.

HerbalKing, with connections to India (possibly due to pharmaceutical supplies), rivals the traditional Eastern European spam gangs for volume and criminal botnet methods of its spam. “Tulip Labs” appears to be the source of HerbalKing’s herbal remedy products. The main operation may be run out of New Zealand or Australia by long-time spamming brothers Lance & Shane Atkinson. (see: http://www.geekzone.co.nz/juha/2237 )

There are hundreds of SBL listings related to HerbalKing but some may not be linked to this ROKSO due to the tremendous number of identities and domains used by the program. Lists of domains should be considered examples of that abuse of domain name space, not comprehensive lists of their registrations.

Read more at the FTC‘s web site; the NY Times; and the ars technica web site.

Post Comments or Questions with the link below. Keep up-to-date with Skylarking: By Email or RSS Newsfeed or on Twitter. You can also send questions with my email form.

Apple’s MobileMe: A New Spammer Resource

Users of, that is, subscribers to, Apple’s MobileMe service have found themselves getting more spam than usual, as well as some “phishing” scams aimed directly at them.  And spammers are getting fewer bouncebacks.

The problem lies in the iDisk online file storage service every subscriber is provided with. The service comes with a “public” folder which cannot be hidden or deleted. Every public folder starts with the address http://idisk.mac.com/ and then it’s followed by their username and “-Public”. A programmer can write code to automatically generate random user names using words and names straight out of a digital dictionary.

“Why do this with iDisk’s public folder space?”, you ask.

iDisk: A Sample Public Folder

iDisk: A Sample Public Folder

The username associated with a public iDisk folder is also the first half of their email address assigned to them with the MobileMe service.  The second half of their address is either @me.com or @mac.com.  This hack allows a spammer to determine the validity of email address. Any http://idisk.mac.com/username-Public address that doesn’t result in a “Account Error: Inactive” message — as the link above probably will — means that they’ve found a legitimate account. A legitimate account would come up with a page as shown in the picture at right.

Furthermore, if the public folder shows that there are files stored in that location, as the sample picture shows, a spammer could tailor a message referring to that file in an effort to get the user to reply and reveal personal information.

Imagine if you used this service: You upload some of your files or photos to it, and then, a few days or weeks later you get an email mentioning one or more of your files by name. If you hadn’t thought about your “public folder” being “public”, you might take the message very seriously. Even more so if the sender claimed to represent Apple. (Of course that spammer would be breaking the law by falsely identifying themselves. See my article “Spammers Get CANned”.)

Anyone Can See The Files?

Anyone can see or read the names of your public files, assuming they find your public folder, but they won’t be able to access, open, or download them unless they take a guess at your login information, too; so make sure you use a good password and not your birthday or pet’s name.  They can’t upload anything to your folder either, unless they figure out your login info.

Simply said, Apple’s MobileMe iDisk service gives spammers a handy way to determine valid email addresses, so they get fewer, if any, bouncebacks and undeliverable messages. The names of files stored on iDisk could be used to make the spammer or phishers message appear legitimate.

Phishing. For those unfamiliar with this term, simply stated, it is an email message designed to get the recipient to reveal personal information such as account numbers or login information. The sender poses as well-known service or someone offering an enticement to respond. Popular targets have been eBay, PayPal, and online banking users.

In the iDisk problem discussed here, the phisher can determine if a username and email address exists. Furthermore, If the account owner stores files publicly on the service, the names of files can be referred to in a phishers email message to shore up their credibility.

Post Comments or Questions with the link below. Keep up-to-date with Skylarking: By Email or RSS Newsfeed or on Twitter. You can also send questions with my email form. I’m looking forward to hearing from you.


I’m Fighting Acai Berry Spam Today

Clarifying the
Meaning of Spam

The term spam refers to email that has the purpose of promoting and selling a product or service. Furthermore, the email message has to be from an organization or individual that you didn’t request information from, nor did you tell them that it was okay to contact you. The FTC defines spam as “unsolicited commercial email” or “UCE” for short. If you tell a company it’s okay to send you email, then that applies to all email from that company unless otherwise specified.

FTC Law, Commercial Email:
CAN SPAM ACT 2003

  • Bans false or misleading ‘Header’ information. The “From” and “To” info must be accurate.
  • Prohibits deceptive “Subject” lines. The subject must match the content of the message.
  • Message must have an “opt out” or “unsubscribe” method. The link must
    be good for 30 days, and must be honored in 3 business days. (Previously 10 days
    was the allowance, but this changed in July 2008)
  • Message must list a legitimate physical address. The sender cannot register the address under an assumed name either.
  • Message must clearly state that it is an advertisement.

Update and Clarification (May 6, 2009):  This post is about spam in general, using Acai Berry spam as an example. I aim to (1)  illustrate that sometimes email addresses and web site addresses don’t match; and that when WHOIS is used, one may often find that they might not belong to the same person or organization. That should be a warning as to the legitimacy of the email message (or the site). Some readers have focused more on the email aspect of spam, but (2) much spam directs you to a web site. As some commenters have pointed out: email addresses can be spoofed, and tracking an email can be very difficult, BUT it is my opinion that web sites can be easier to track. (Read my “Spam Fighting Update”).

The original article begins here:

I hate spam.

I mean I really hate spam.  I don’t just delete it, I report it. I send it to the FTC’s spam@uce.gov email address so they can record it. If I get really bothered about it, I contact the company that registered the name for the owner of the email address and let them know that someone is using their service for spamming.  A lot of decent companies don’t like to hear about that.  It can hurt their law abiding users. How’d you like to learn that your emails don’t go through because someone on the same service as you was spamming, and getting everyone else blocked because of it?

For about two weeks now I’ve been receiving emails claiming to be from the “American Health Association” telling me how to lose weight with various products made from Acai Berries. After clicking unsubscribe links (when available) and deleting, I began to “get testy” when they continued rolling in. So I started fighting back.

The Law Is On Our Side

Let’s see what laws and such are on my side and yours here.

  1. Web and email addresses have to be registered to an owner or registrant. It is illegal to do so under an assumed name.
  2. Commercial messages (they wanted me to buy these berry products) must by law contain truthful addressing info both in email and in the physical world. And, once more, no assumed names are allowed. A physical address must be included.
  3. Many other nations have teamed up with the US to fight spam, so even if these spammers aren’t in the US, the country they live in may work with the US to fight spam.
  4. Many reputable internet and email services will not allow their clients to use their systems for the delivery of spam.

How did I fight back?

The Registrant / Owner of the Email Address. If the message was from the “American Health Association” then its email address — according to my Google search — would be either “@ahahealth.com” or “@americanhealthfoundation.com”.

Instead the email addresses pointed to “@brightbat.com” and “@prodemosite.com” among others. So there’s an FTC violation for false or misleading header information.

Want to know the registrant/owner of an “@whatever.com” address? Just go to Google and search for “whois whatever.com”. There’s no space in whois, and don’t include the quotation marks either. So I did a search for whois brightbat.com and whois prodemosite.com. Both came up with private or anonymous listings, they were both registered through the same service and one was registered just yesterday (a one day old address) and the other was registered in mid July.  Go to Google and try searching for them yourself. Oh, heck, here’s the direct link to brightbat’s listing and here’s prodemosite.

Also, the addresses were registered through a company in the UK, and the UK works with the US to fight spammers.

I contacted the private registration service, PrivacyProtect.org, and reported the owners of these two addresses. Privacy Protect will reveal the registry information if they deem it appropriate. I let them know the owners of these addresses were sending spam messages in violation of the provisions of the FTC’s CAN SPAM Act. I also forwarded copies of the emails to them at abuse @ privacyprotect.org.

What Other Violations Were In Those Emails?

You can follow along with the violations by taking a look at the legal requirements for commercial email messages listed in the yellow box at right. Several people have received up to three or more years in jail for violating these laws.

Back to the Acai berry violations:

  1. Along with the misleading email names (claiming to be the AHA when they weren’t), they also
  2. failed to mention the messages were advertising
  3. failed to include a postal address
  4. In several cases they failed to include an unsubscribe link, and in some cases the link didn’t work. All violations.

What Else Did I Learn?

The people at PowerSupplements, a manufacturer of Acai berry products wasn’t to thrilled to hear about the Acai berry spam. That was according to a report at SpamFighter.com, a provider of spam filtering software at www.spamfighter.com.

So if you decide you’d like to join the fight against spam you can follow my lead.

  1. Look for the same violations I looked out for.
  2. Forward spam to the FTC at spam@uce.gov.  (UCE stands for unsolicited commercial email).
  3. Want to go the extra mile? Go to Google, and do a whois search on the email address it came from.  Just use the part of the address that comes after the @ symbol, don’t use the whole address. Then find out where the reistered the address. For example, whois brightbat.com. Then find out who the registrar is and let them know a user of their service is sending out spam.

If anyone has a question, please email them to me using the Contact link, or, if it relates to today’s message, please use the Comment and Question link below. Follow me on Twitter. I’m looking forward to hearing from you.


More Spammer News

A few more spammer related news items have popped up in the past few days.

  • Tues., July 22: Seattle spammer, Robert Soloway, age 29, was sentenced to 40 years in prison for mail fraud, spam, and tax evasion charges. He also sold spamming software and services. His sentencing also included three years of supervised release, and 200 hours of community service. A later hearing will determine the total amount of restitution Soloway owes to the victims of his spamming. (AP, DOJ, NetworkWorld)
  • Sun., July 20: Edward “Eddie” Davidson, age 35, walked away from a federal prison camp in Florence, CO. Davidson, who was serving 21 months in federal prison, is now officially in “escape” status. He was last seen in Lakewood. U.S. Marshals are leading the search for Davidson. The FBI, IRS, and the Rocky Mountain Safe Streets Task Force are aiding in the search. (AP, FBI, NetworkWorld)

One More Way to Deal with Spam — Unsubscribe

Another way to deal with spam or “Unsolicited Commercial Email (UCE)” is to use the required Unsubscribe link all the way at the bottom of the message.

“I Don’t See an Unsubscribe link?”

Then the “spammer” has violated the CAN SPAM Act which also requires an “Unsubscribe Mechanism” in every commercial email message. Forward the message to the Federal Trade Commission (FTC) at spam@uce.gov. You’ll find the “Forward” button on the same row as your “Reply” button.

“I Clicked Unsubscribe, But I Got an Error Message”

That’s another violation for the spammer. There must have an electronic Internet based method of unsubscribing, and it must be functional. Forward the message to spam@uce.gov.

“All This Forwarding, It’s Too Much For Me”

Fair enough. Some email services have a “Spam” button. If you are currently reading the spam message, just look for a button labeled “Spam” or “Junk” and click it. The email address for that message will be added to a spam filter and blocked. Just be sure you don’t want to hear from that person again.

“I Tried All This, and I Got Another Message From The Same Sender”

If you used the Unsubscribe option, then the sender was required to remove your email address within three business days. They’re just looking for trouble, aren’t they? You can now take a few minutes to file a complaint with the FTC using the “FTC Complaint Assistant”. It’s also available in Spanish. Plus they have a special service, Military Sentinel, designed for complaints from members of the Armed Forces and their families. Your tip might just be the one that helps send another spammer to jail.

Read more about the FTC Complaint Assistant.

Related Articles

Please post a Comment or Question with the link below. You can also keep up-to-date with Skylarking by Subscribing by Email or by RSS Newsfeed. You can also respond by email at info @ skylarknetworks.com. I’ll do my best to answer your question either here on Skylarking or by email.


Best Tactics for Dealing with Spam

Commercial email” is any email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site, an order confirmation, or a periodical subscription. “Spam” is “unwanted” or “unsolicited commercial email” (UCE).

The CAN SPAM Act outlined proper business practices for commercial email senders. Last week in my article, Spammers Get Canned, I listed these requirements, but today I would like to discuss them from a recipients viewpoint. To illustrate this point I will use an email message that I received just last week. You may have received the same message I did.

My Name is Shaye, and I am located in the State of New York.

I am an online Travel Agent, and would like to share my weekly news letters with you. Please feel free to check out my website and see all the different things we offer, other then just the basics of travel.

[web site address removed]

Somehow I received your email, and thought I would ask your permission to add you to my Email List. If you wish to be added to this List, just hit reply and tell me your name, and email address that you want it sent to.

If you don’t want to be added to this List, just hit reply and tell me no thanks. No hard feelings.

If you know of anyone who might be interested in this website and or this news letter, please email me and let me know.

My advertising is word of mouth, so the more the merrier.

If you have any questions, please feel free to drop me a line via email [address removed].

Shaye

Regardless of whether or not I know Shaye or his company, this message is commercial because he is promoting his travel agency and web site, and he has violated several provisions of the CAN SPAM Act: he fails to fully identify himself or his company, and he doesn’t provide a postal address. All violations of the CAN SPAM Act. Additionally, most companies would state how they acquired my email address, but Shaye only says, “Somehow I received your email”.

Sorry, Shaye, not good enough. You’ve become eligible for an $11,000 fine from the FTC.

What Should I Do?

Should I delete Shaye’s message? Many people would just grumble and delete the email message, but that doesn’t mean Shaye won’t try to contact me or someone else again, and I don’t want to hear from Shaye again.

Shaye clearly violated the CAN SPAM Act, and there’s no telling how many others he has sent this message to. Some of those people might even be friends of mine. Shaye could get a fine of $250 for each email he sends out, but only if he is reported, charged, and convicted.

Where can I report Shay? There are a variety of places I could report Shaye to simply by clicking Forward on his message instead of delete:

  1. The Federal Trade Commission: The FTC keeps a database of unsolicited emails that can be used by law enforcement (State and Federal Agencies, etc.) to pursue action against spammers. To add Shaye’s email, I just click “Forward” on his message, and address it to spam@uce.gov.
  2. Shaye’s Internet Provider: Shaye had an email account, as his email ended with @aol.com. I can forward his message to abuse@aol.com, and let them know what one of their members is up to.
  3. My Internet Provider: I can also Forward a copy to abuse@ whoever my email provider may be. If I use Yahoo, it would be abuse@yahoo.com. If I use Optimum Online, it would be abuse@optonline.net. If I use Verizon, it would be abuse@verizon.net.

Should I take Shaye up on his offer to reply and say “No Thanks”? I could do that. According to the CAN SPAM Act, Shaye would then have 10 business days to remove me from his list. If my email reply comes back as undeliverable, then Shaye has violated CAN SPAM again. That’s another $11,000 fine from the FTC, Shaye. If my reply doesn’t come back, and after 3 business days I get another email from Shaye; that’s another $11,000 fine. (Note: The original law gave senders 10 business days to remove an email address from their mailing list, as of July 7, 2008, the law requires an address be removed within 3 business days.)

What I Did Do

I took another acceptable response toward Shaye’s message. I contacted the company Shaye claimed to represent. I wanted to see if the site he was promoting was legitimate, or if he was trying to send me to some other site instead. If the address in the address bar at the top of my browser differed from the one he sent me, there was another possible $11,000 fine for Shaye for misleading information.

I went to the web site he was promoting, and it appeared to be a legitimate travel web site, but there was no mention of anyone named “Shaye” on the site. Nor was there a mention of a “New York Agent” as Shaye claimed to be. In fact, the address on the site was for a company based in Illinois. They struck me as the type of company that would take a CAN SPAM violation seriously.

Perhaps Shaye wasn’t associated with this company at all? Maybe he didn’t know the CAN SPAM requirements? Maybe he did, but didn’t care?

Next I checked out the company’s “Privacy Policy” link at the bottom of the web page. (Thanks to a California law passed in 2004, commercial web sites are required to post a conspicuous privacy policy link.) The terms of the privacy policy can be legally enforced and challenged. Under their privacy policy I found some useful information:

  • The company does get email addresses from partner companies.
  • They will not sell or share my personal information with third parties, but only with their agents.
  • They provide unsubscribe links in their emails. (Shaye didn’t.)
  • “If you have received unwanted, unsolicited email sent via this system or purporting to be sent via this system, please forward a copy of that email with your comments to us for review”

Bingo! That last point included an “abuse” email address I could write to. I forwarded Shaye’s email to that address.

What Happened Next?

This Monday morning I received an email from the company that Shaye claimed to represent. It came from a representative of the “Legal Support and Compliance Department”. I checked the “From” part of the email message, it clearly showed the email address was from the same .com address as the travel web site I had seen. The email also showed that they had sent a copy “To:” the same aol.com email address Shaye had contacted me through. I could also see that they were courteous enough not to include my email address, so Shaye wouldn’t know who had reported him. They also included a copy of the email message Shaye had sent me.

Here’s what they had to say to Shaye. I have altered portions —enclosed in parentheses— to protect the innocent.

Shaye:

(Our company) has recently received allegations that you are sending Spam email to YTB agents and prospects (Please see email below). (Our company) takes Spam solicitation very seriously and we wanted to contact you to get this matter resolved.

Spam email can be subject to an $11,000 penalty per email according to the Federal Can Spam Act. You can find further information about these penalties by visiting the following site: http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm

In order to send solicitations correctly you first need to review your contact list. This list should contain contact information for those to whom you know or who have requested information from you about (our) opportunities. Also, please included in each email you send an opt-out option so those who receive your email can opt-out at any time if they no longer wish to be contacted. (Our company) understands that this allegation could be a simple mistake on your part or the person you contacted did in fact give you their contact information but has forgotten. The opt-out option should satisfy those who receive your email but no longer wish to be solicited for the (our company’s) opportunity.

I was happy with the results. The company appeared reputable, and they were courteous enough to let me know that they took action, and that they try to keep their agents and representatives informed of proper business practices. It was also clear from their email that I wasn’t the only person who complained to them.

If You Receive Spam: “Don’t Just Delete It, Report It”

Your best response is to forward the message to the FTC at spam@uce.gov and to your Internet email provider at their abuse@ email address. (For Yahoo, it would be abuse@yahoo.com; for Verizon, it would be abuse@verizon.net; etc.)

Related Articles:

Please post a Comment/Question with the link below. You can also keep up-to-date with Skylarking by Subscribing by Email or by RSS Newsfeed. You can also respond by email at info@skylarknetworks.com. I’ll do my best to answer your question either here on Skylarking or by email.


 

Spammers Get Canned

Surprisingly, spammers getting jail time doesn’t get much press, but several major spammers have been put away this past year, and the latest one, a 27 year old Brooklynite, Adam Vitale, was sentenced to 30 months in prison yesterday. 24 to 30 months is the current limit of the Federal CAN SPAM Act of 2003. Yes, that’s the name, CAN SPAM. It stands for “Controlling the Assault of Non-Solicited Pornography and Marketing”.

What is the CAN SPAM Act of 2003?

According to the FTC, the CAN SPAM Act sets the following requirements for commercial (ie sales or promotional) email:

  1. It bans false or misleading header information. The email’s “From,” “To,” and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.
  2. It prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
  3. It requires that an email give recipients an opt-out method. The sender must provide a return email address or another Internet-based response mechanism, in the message, that allows a recipient to ask the sender not to send future email messages to that email address. (Recipients have 30 days to opt-out, and senders have 10 business days to comply). (Revision: A revision activated in July 2008 requires the sender complies within 3 business days.)
  4. It requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address. Messages must contain clear and conspicuous notice that the message is an advertisement or solicitation and that the recipient can opt out of receiving more commercial email. It also must include a valid physical postal address.

Furthermore, the CAN SPAM Act allows:

  1. Each violation of the above is subject to fines of up to $11,000.
  2. Deceptive commercial email is subject to laws banning false or misleading advertising.
  3. Additional fines are provided for violators who:
    1. “harvest” email addresses from web sites or services that have published a notice prohibiting such activity
    2. generate random email addresses (a dictionary attack) with the intent of “stumbling” across a few genuine email addresses
    3. use software to register for multiple email accounts to send commercial email
    4. relay emails through a computer or network without permission
  4. The law allows the Dept. of Justice to seek criminal penalties, including imprisonment, for commercial emailers who do – or conspire to:
    1. Use another computer without authorization to send commercial email from or through it
    2. Use a computer to relay multiple commercial email messages to deceive or mislead recipients or an Internet service about the message’s origin
    3. Falsify header information (see no. 1 up top) in multiple email messages and initiate the transmission of such messages
    4. Register for multiple email accounts or domain names using information that falsifies the identity of the actual registrant
    5. Falsely represent themselves as owners of multiple Internet Protocol addresses that are used to send commercial email messages.

More about Yesterday’s Sentencing

Starting in 2005, the US Secret Service had a confidential informant communicate with Vitale and his partner, Todd Moeller, via instant messaging chats. One of the two young men had already been profiting from spamming stock market scams.

The informant hired the men to promote computer software through their spam activities. This resulted in around 250,000 email messages being sent to 1.2 million AOL subscribers. The emails contained falsified header information, and they were relayed through other computers and internet services without permission.

In June 2006, Vitale and Moeller pled guilty to charges of sending emails in a scheme to bypass spam filters. Moeller was sentenced in Dec. 2007, to 27 months in prison. Both also received 3 years of supervised release, and must each forfeit over $183,000 in illegal gains. Vitale was sentenced on July 15, 2008.

Other Recent Spammer Sentencings and Indictments

  • 3/18/2008: Daniel Mascia, 24, of West Haven, CT, pleaded guilty in Hartford to one count of conspiracy to commit fraud in connection with access devices and one count of fraud in connection with electronic mail. The charges relate to a “phishing” and “spamming” scheme that targeted AOL subscribers.
  • 3/14/2008: Robert Alan Soloway, 29, pleaded guilty in Seattle to Mail Fraud, Fraud in Connection with Electronic Mail, and Willful Failure to File a Tax Return. Soloway, indicted in May 2007, has been dubbed the “Spam King” by investigators. The most serious charge, mail fraud, is punishable by up to 25 years in prison.
  • 1/03/2008: Alan Ralsky, age 52, and ten others, indicted in international illegal spamming and stock fraud scheme.
  • 12/04/2007: Min Kim, 24, of Denver, CO was sentenced to 30 to 37 months, instead of 24 to 30, because he kept books tracking his $250,000 in profits. This is the first time that profits were a considerable factor in sentencing and it opens the way for longer sentences in the future.
  • 9/17/2007: Joshua Eveloff, 27, receives 6 months, 5 years supervised release, and $9,100 in penalties in San Diego for 3 months of spamming in 2004.

Related Links:

Post Comments or Questions with the link below. Keep up-to-date with Skylarking: By Email or RSS Newsfeed or on Twitter. You can also send questions with my email form. I’m looking forward to hearing from you.