Spammers Sneak Through CAN-SPAM Loopholes

This week on Security Levity, a sneaky trick that some spammers are trying, in an attempt to stay on the right side of the law.

When we think of 'spammers', we usually picture an offshore group of criminals, pushing fake pills from websites that are outside the direct reach of U.S. law. But there's another group of spammers, closer to home: the home-grown, shady direct marketers who have crossed the line from legitimate marketing into spam.

These shady direct marketers play fast and loose with the law, but they don't want to go to jail. So they've developed some interesting tricks, exploiting what they believe are loopholes in the U.S. CAN-SPAM Act.

As you may know, CAN-SPAM permits marketers to send commercial email without first getting the recipient's consent. As I noted in November, this is different from the laws in most of the rest of the world. So it's not illegal to email someone, as long as you give them an easy way to opt out of receiving any more commercial email from you, and you quickly honor such requests.

Some 'enterprising' direct marketers have decided that if they frequently change the name of their company, they don't need to honor opt-out requests at all.

Here's a simplified example: let's imagine a company decided it was going to play dirty marketing tricks. We'll call our fictional company Spammer, LLC.

In the first week of the campaign, the company might call itself Spammer1, sending email from sales@spammer1.com and linking recipients to a website at www.spammer1.com. The spammers would mail everyone they felt like mailing, as long as they didn't harvest the addresses from the web, falsify headers, or do anything else CAN-SPAM forbids.

Of course, people would send opt-out requests, which the company would pretend to honor. Except that in the second week of the campaign, it would be calling itself Spammer2, sending from sales@spammer2.com and spamvertising www.spammer2.com. Because it's now posing as a separate company, it can ignore those pesky opt-outs.

In week three, they're sales@spammer3.com... and so on.

This seems to adhere to the letter of the law. The sender is 'honoring' the opt-outs, in the sense that nobody is emailed more than once by the same name -- because the next time the email goes out, it comes from a separate, brand-new entity. All of the other CAN-SPAM requirements are followed to the letter, of course: a physical postal address in each message, truthful subject lines, and so on.

Now, I'm not a lawyer, but there certainly seem to be a few U.S. based companies who believe this tactic is legal. Sorry, I won't be mentioning any names here!

Of course, I wouldn't recommend anyone actually try this. Quite apart from the fact that it's simply obnoxious, there are other good reasons. Spam filters backed by good reputation services hold back bulk email from new and unknown senders, and each week's sending domain is, by design, brand new with no history. The messages are unlikely to get through.
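The domain rotation above, and the reason it tends to fail against a filter that looks past the sender's name, can be shown in a few lines. The following is an added example written for this column, not code from any filter or marketer it describes; the messages, domains, postal address and IP addresses are constructed for illustration. It compares a suppression list keyed only on the sending domain (which the rotation defeats) with one keyed on the postal address CAN-SPAM obliges every message to carry plus the connecting IP, and lists the domains a reputation filter would treat as never-seen-before.

```python
"""Correlating rotating sender domains so an opt-out survives a name change."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str      # From: address
    postal: str      # physical postal address quoted in the footer (required by CAN-SPAM)
    source_ip: str   # connecting IP taken from the Received: header
    body: str


# Constructed sample set: three "weeks" of the same shop under rotating names,
# plus one unrelated newsletter. None of these addresses or IPs are real.
SAMPLES = [
    Message("sales@spammer1.com", "123 Example St, Springfield", "198.51.100.7",
            "Week 1 deals at http://www.spammer1.com/"),
    Message("sales@spammer2.com", "123 Example St, Springfield", "198.51.100.7",
            "Week 2 deals at http://www.spammer2.com/"),
    Message("sales@spammer3.com", "123 Example St, Springfield", "198.51.100.7",
            "Week 3 deals at http://www.spammer3.com/"),
    Message("news@shop.example", "9 Other Rd, Shelbyville", "203.0.113.5",
            "Monthly newsletter http://shop.example/"),
]


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def normalize_postal(addr: str) -> str:
    """Collapse case, punctuation and whitespace so cosmetic edits don't break the match."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def sender_fingerprint(msg: Message) -> tuple[str, str]:
    """Identity of the real sender, independent of this week's domain name."""
    return (normalize_postal(msg.postal), msg.source_ip)


class DomainSuppression:
    """Naive opt-out list: remembers only the domain the recipient unsubscribed from."""

    def __init__(self) -> None:
        self.domains: set[str] = set()

    def opt_out(self, msg: Message) -> None:
        self.domains.add(domain_of(msg.sender))

    def allows(self, msg: Message) -> bool:
        return domain_of(msg.sender) not in self.domains


class FingerprintSuppression:
    """Correlated opt-out list: remembers who was really behind the message."""

    def __init__(self) -> None:
        self.fingerprints: set[tuple[str, str]] = set()

    def opt_out(self, msg: Message) -> None:
        self.fingerprints.add(sender_fingerprint(msg))

    def allows(self, msg: Message) -> bool:
        return sender_fingerprint(msg) not in self.fingerprints


def simulate(messages: list[Message], suppression, unsubscribe_from: str) -> list[str]:
    """Deliver messages in order; the recipient opts out of the first one from `unsubscribe_from`.

    Returns the From: addresses that reached the inbox.
    """
    delivered = []
    for msg in messages:
        if not suppression.allows(msg):
            continue
        delivered.append(msg.sender)
        if domain_of(msg.sender) == unsubscribe_from:
            suppression.opt_out(msg)
    return delivered


def unknown_senders(messages: list[Message], known_domains: set[str]) -> list[str]:
    """Domains with no sending history: what a reputation-based filter would hold back."""
    return [domain_of(m.sender) for m in messages if domain_of(m.sender) not in known_domains]


if __name__ == "__main__":
    print("domain-only opt-out :", simulate(SAMPLES, DomainSuppression(), "spammer1.com"))
    print("correlated opt-out  :", simulate(SAMPLES, FingerprintSuppression(), "spammer1.com"))
    print("never seen before   :", unknown_senders(SAMPLES, {"shop.example"}))
```

With the domain-only list, the week-1 opt-out blocks nothing, and weeks 2 and 3 land in the inbox; with the fingerprint list, the same opt-out stops both later weeks while the unrelated newsletter is untouched. The fingerprint is only as strong as the fields behind it: a marketer who also rotates the postal address and the sending infrastructure would need to be correlated on something else (shared content templates, landing-page hosting, and so on), which is exactly the kind of history a reputation service accumulates and a brand-new domain lacks.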

Ultimately, this is the downside of spam laws that codify an opt-out regime. As I noted in November, most of the rest of the world requires that marketers first get the user's permission. The gold-standard laws are the ones that also require the permission to be 'informed' -- i.e., the user is not being tricked into giving it and has enough information to make a real choice.
