If it spams like a duck...
"Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer. e360 sends e-mail solicitations and advertisements, for a fee, to millions of e-mail users. More than a few of those users are subscribers to Comcast, an Internet service provider. Many e-mail users do not want to see (or delete unread) the messages sent by e360. Even if every user wanted these e-mails, Comcast might well have its network overloaded by the mailings."
-- Judge James B. Zagel, e360Insight, LLC vs. Comcast Corporation,
Memorandum Opinion and Order filed April 10, 2008
We've been wondering what e360 hoped to gain with their recent lawsuits against Spamhaus and others. If they were trying to clarify the right of ISPs to protect their users from spam, then they've certainly done a good job -- especially in this particular case.
If it wasn't clear before, Judge Zagel's explanation should satisfy even the most pedantic of filtering opponents:
- ISPs acting in good faith to protect their customers are not liable for blocking messages that some spammer claims are not spam
- "...compliance with CAN-SPAM...does not evict the right of the provider to make its own good faith judgement to block mailings."
- an ISP rejecting messages, during the SMTP session, that a spammer knowingly sent to them, does not constitute a "denial of service" attack against the spammer
- saying "hey, you let those other spams through, why not me?" is just dumb (that's my interpretation, of course; the judge used more polite language)
It's statement #2 above -- the one about CAN-SPAM -- which will have the most direct and immediate effect on companies who try to walk the edge between spam and legitimacy. Complying with CAN-SPAM is the bare minimum required by law; as the courts have stated before, any sender has to do a lot more to get their mail delivered into other people's inboxes.
Unfortunately, this case won't affect most spam. The near-unbelievable volume of messages sent every day is sent by individuals who don't even pretend to comply with any law, and who know that if they ever tried to file suit against Spamhaus or Comcast or anyone else they'd be laughed out of court -- and most likely arrested.
Even so, CAUCE thanks e360, Comcast, and Judge Zagel for providing us with a good laugh and a small ray of hope in the fight against spam.
Stay tuned for the results of Comcast's counter-suit against e360.
Trust in Email Begins with Authentication
As most CAUCE supporters already know, forging From: or other commonly seen email headers is trivially easy. It's one of the most frustrating oversights in the creation of Internet email technology -- though of course that's only obvious in hindsight; it was just fine for the pre-Internet networks of the late 1970s and early-mid 1980s.
Since then, things have changed -- and the most interesting recent technological advancements in email have been in the realm of sender authentication, which encompasses ways to verify that the apparent sender of a message actually is the entity which sent it. Before you can answer the question "can I trust this message," you have to ask "who sent it?" -- but before authentication, there was often no way to know for sure.
The first authentication technology to catch the interest of the industry was Meng Wong's SPF, which also formed the basis for Microsoft's SenderID. In parallel, Yahoo! developed DomainKeys, which has now evolved into DKIM. All of these are free to use, though some have licensing requirements or patents which may prevent derivative works.
Having what looks like four entirely different technologies may seem confusing, and marketing tactics from some of the organizations involved certainly haven't helped. Luckily, our friends at the Messaging Anti-Abuse Working Group have published a new white paper, Trust in Email Begins with Authentication, which should help to clarify things. It provides a much-needed substantive overview of the authentication methods and practices currently in use, without inappropriate bias or attempts at coercion.
CAUCE hopes that this effort will raise the level of debate within the email industry, and lead to faster adoption of authentication technologies. Sender authentication will not, obviously, solve spam -- it has very little to do with spam, in fact -- but curtailing the bad guys' ability to send messages that look like they're from your bank or other trusted institution will certainly help.
[Some CAUCE Board members -- including the author of this article -- contributed to the MAAWG document, and are regular attendees of MAAWG events.]
Friday, January 4. 2008
Ralsky indictment is good news for all email users
I've always maintained that spam does not make one great, but Al Ralsky kept a relatively high profile for long enough that his unwelcome intrusions into our inboxes – and our friends' inboxes, and our parents' inboxes, and our children's inboxes – will be long remembered.
Today the entire email industry is cheering the arrest and indictment of Ralsky and his gang, which was reported in the Detroit Free Press this morning. It’s obviously good news for anti-spammers, who have been clamoring for prosecutions of illegal spamming activity for more than a decade. But it’s also wonderful news for the email marketing industry, which has been trying to show the world that they aren’t spammers. Now, the marketers can point to Ralsky’s illegal activities and state with one voice: “we do not do these awful things.”
But I think the marketers have to ask themselves: is there anything Ralsky was doing which isn’t illegal per se, but might still be considered spam-like in the eyes of your subscribers? Perhaps a subject line which is only slightly misleading – not enough to violate CAN-SPAM, but enough to violate the trust your subscribers have in your brand. Perhaps treating opt-in as a license to blast them over and over, until your message falls on deaf ears. If a sender acts like a spammer, even if they aren’t bad enough to get arrested, how different are they from Al Ralsky and his ilk?
And likewise, I think the anti-spammers have to consider whether following “big name” spammers is worth the effort. It seems certain that for every high-profile blowhard like Ralsky, there’s another dozen who are just as prolific – but, like most other criminals, never seek attention.
This is a great triumph for all who want to preserve email as a viable communications medium. We congratulate the United States Department of Justice and the FBI for their impressive work, and the Spamhaus Project for keeping a close eye on Ralsky’s activities for so long. But this is not the end of spam; far from it.
This article was also published by Return Path.
Tuesday, June 5. 2007
Spam has changed, and so must CAUCE
We were shocked, not so very many years ago, when AOL reported that spam was 30% of their incoming mail. Now, some of the world's largest ISPs report that it's well beyond 80% -- in some cases higher -- and increasing.
Back then we knew who the spammers were; they stayed in one place and thought of themselves as "high volume" email marketers -- but now, the leaders of the email marketing industry know they must respect permission, and can't engage in the spammy behavior of their predecessors. We predicted that a private right of action in civil court would be sufficient to keep those same marketers in line, and now we know that's correct -- but today, much of the spam volume is sent by career criminals and malicious hackers who won't stop until they're all rounded up and put in jail.

