Sponsor:
Just received not one, but two of these…
Never, never open documents or attachments of any kind from bogus looking email, no matter how alluring or interesting it may seem.
The mouse study isn’t that interesting to me, but the faked kidnapping sounds kinda funny…
Open these up and your computer will no doubt be enslaved as a “bot” in a “botnet” used to send spam.
I regularly receive sales pitch email from people I don’t know - like this one.
This happens, as expected, at my business email address at Return Path. About half the time I find, appropriately, an opt out link at the bottom, and I use it. The other half of the time I respond to the mail asking the sender to “unsubscribe” me.
For the most part I never hear from folks directly. In some cases I may get future messages - though I’m not sure since I don’t do any discrete tracking. In other cases I suspect I’m added to an opt out file. In rare cases I get a response - as I did last week. Here’s the thread:
Me: “Your commercial email to me requires you to provide an opt-out option (under Federal law – The Can-Spam Act of 2003). Please remove my email address from your list and confirm.”
Them: “Tom thanks for your email but since I personally emailed you it doesn’t. This was not a commercial email. However I will remove you from my database as you must not be in need of our services unlike many of the top players in your industry. Best of luck and please let me know if I can be of assistance in the future.”
Me: “The CAN-SPAM Act defines commercial messages as those for which ‘the primary purpose is to advertise or promote a commercial product or service.’ Just because your message to me was one-to-one doesn’t change its’ purpose.”
Them: No reponse.
So, it seems to me that the US Federal Can Spam Act is widely mis-understood when it comes to sales prospecting. The FTC recently issues some final rules last year, which I blogged about for Return Path, which went into effect in July 2008. In summary, the FTC made a few explicit provisions in their final rules for things like having an easy unsubscribe process, what constitues a valid “postal address”, etc… they did not materially change the law with regard to unsolicited sales prospecting messages, but they did provide guidance on it. I didn’t cover it in my blog post, but Morrison Foerster did in theirs - as did another presumably competent law firm Sonnenschein, Nath & Rosenthal.
Here are the relevant bytes from the PDF file of the Final Rule issued by the FTC:
Messages Sent to Effectuate or Complete a Negotiation - In the NPRM, the Commission asked under what circumstances an email sent to effectuate or complete a negotiation should be considered a “transactional or relationship message” under section 7702(17)(A)(i). Twelve of the 13 commenters addressing this issue 127 agreed that such messages should be deemed transactional or relationship messages or should fall outside the scope of the Act. 128 The Commission declines to alter the definition of “transactional or relationship message” to address communications for the purpose of effectuating or completing a negotiation because of the lack of any evidence in the record that such a modification would be necessary to accommodate changes in email technology or practices and to further the purposes of the Act. However, even without such a modification, the Commission continues to believe that, as it stated in the NPRM, to the extent that negotiation may be considered a “commercial transaction” that a recipient has previously agreed to enter into, such messages likely would be considered transactional or relationship under section 7702(17)(A)(i) if they were sent to facilitate or complete the negotiation.
Whoa, that’s a lot of legal mumbo jumbo - what’s all that mean? Well, the key takeaways in the above has to do with an email recipients expectation of the email they receive. In this case, I believe the FTC is saying, email sent to facilitate or complete a business negotiation where “the recipient has previously agreed to do so” is not a commercial message covered by Can Spam - it is a transactional relationship message covered by Can Spam. So that covers a mailer, or the ones sending me email, if they otherwise have my permission and I’m expecting mail from them in this regard.
In these cases, the messages I receive are completely unsolicited, and on that the FTC comments:
The Commission, however, does not interpret the term “transactional or relationship message” to include an initial unsolicited message that proposes a transaction and attempts to launch a negotiation by offering goods or services. Likewise, after a party has terminated a negotiation, an email from the other party seeking to restart the negotiations would not be a “transactional or relationship message.”
Aha, so there you go, plain as day. You can send me at least one unsolicited commercial email - under Can Spam. Yeah, that alone kinda stinks. However, in sending that message you ahve to comply with the base requirements of the law -which include:
- No False or Misleading Header Information - basically don’t fake who you are
- No Deceptive Subject Line - basically, no lying or word trickery to get me to open the message
- Give Recipients an Opt Out Method - and it must be easy to use, no logins allowed, single web page, no extra questions
- Identify as Commercial Message and include a Valid Physical Postal Address
Not too much to ask! Sheesh.
To be fair, it is somewhat understandable that folks don’t understand Can Spam. Just read the excerpts above - I have to read it at least twice and really think about it to make sure I’m interpreting correctly - and even then, I’ll talk it through with someone to be sure. However, if you send commercial email as part of your business, you have a responsibility to figure out if you are compliant or not. When I consult or advise folks, and when I reply to them as above, I always make clear that “I Am Not A Lawyer” and that they should consult theirs to determine their actual standing.
Doing the right thing always takes some effort - but at the end of the day, you’ll feel better right? And, the FTC and state Attorney Generals won’t have a reason to talk to (or prosecute) you. Finally, you’ll be more respected. The folks that send me solicitations that I can opt out from, they don’t earn a spot in my “banned for life” bucket - I’ll still consider business from them someday. The ones that don’t - don’t bother coming back. How do you want your prospective customers thinking of you?
Do the right thing and they will think better of you.
Tags: can spam, compliance, Email, FTC, legal, permission email
Caught this post by Silicon Valley Insider on the Numa Numa guy jammin’ out to the Geico remix of Rockwell’s “Somebody’s Watchin Me”. The Geico lizard is back there, but doesn’t do much. Numa Numa dude is a lip synching stud. Me, I just dig the tune. Enjoy!
As discussed in my last most, Sneaky Email Sucks, spammers are driven to find clever ways to represent (or mis-represent I guess) text or words in their messages.
Since text can be easily analyzed and through bayesian processes deemed “spammy” or “not spammy” rather easily, spammers try to do things like use images to print their text on instead. When anti-spammers countered that by hash analysis/fingerprinting the images for comparison, spammers added random noise to their images. The text obfuscation battle continues.
In this case, the spammer cleverly uses basic HTML table, coloring various cells in the rows and columns to spell out “V I A G R A”. It reminds me of when occupants of tall buildings in a city somewhere, for a special event like the Superbowl, or maybe just a stunt for a TV comercial, turns on lights only in particular windows of the skyscraper for the same effect.
It’s the first time I’ve seen this HTML table approach to slipping spam in (and it got into my inbox in Outlook) - so while I can’t say that it is a new technique for sure, it seems to have worked. No doubt the filtering companies will pick up on this one. Gosh it’s easy to break systems - Captain Obvious here I know - it is much easier to be a bad guy than a good guy with email. That blows.
This is a simple example of text obfuscation - if you want to really geek out on the subject, check out the paper: Fighting Unicode-Obfuscated Spam.
Having just hastily pulled together my last post on “Phishing” - I’ve been keeping a keen eye on my inbox for more interesting examples of evil email. A new message caught my eye - a good example of bad email - possibly evil, but sneaky at best.
Here are some key elements worth calling out:
[1] Once again, listed in my inbox the message looks innocuous enough. I recognize Reunion as Reunion.com - I’m not a member but occasionally see these types of invites, similar to other social space sites like Facebook, Linkedin, Plaxo, etc…
[2] Mozilla has protected me again - like with Mozilla Firefox screening links I click to known bad websites, Mozilla Thunderbird blocks any images from rendering - particularly from senders that are not in my address book. They give me the option of allowing this if I choose - presumably for senders I know. This is a common feature in email tools.
[3] Ah, here we see a bit more than we did in the Inbox listing [1]. Now I see a bit of trickery - Reunion Request is plain enough but now I see the local/user part of the sending email address is reun-ion.request@ and the domain portion is mutebrmodern.net. Why would anyone have to jack up the user portion of their email that way? It’d be like me being to-mba.rtel@somedomain.com. And that domain, if this is from Reunion - who the heck is mutebrmodern.net? It’s not out of the ordinary to have other domains send on your behalf, particularly if as a business you contract it, but as a user/recipient, your radar should be up at this point.
[4] Now this is really sneaky - back in the early days of email, there was only plain text formatting. Eventually HTML formatting made it to email providing a richer aesthetic appearance for content, similar to web pages. It can be useful, but some email programs can struggle with display of HTML code. At first blush it appears that something has gone wrong with my email program, Thunderbird, trying to render the message. Gosh, I am having trouble reading this message so I guess I better click the link right? More on that in a moment…
[5] Quick mention to take note of my email address in he URL/link in the message - shows me that the message is “personalized” but also a flag that I’m being tracked - when I click, someone, somewhere will know it was me.
[6] You have virus protection on your computer, right? I do. Make sure your anti-virus software scans your email, inbound and outbound. I’ve used AVG by Grisoft for several years. It is a fantastic program, and is free for individual, non-business purposes.
So back to point [4] - I’m not necessarily buying this - the error message “Having trouble viewing this message?” looks odd - not like what I’ve seen before in my email program. Now, I’m an email guy and have regularly scrutinized email as part of my job for years, so I don’t expect others to know this, but you can look at the raw source of an email to get even more insight. In Thunderbird a handy shortcut, Ctrl-U, does this. Here are some notable and telling things about this message from analyzing the raw message:
[7] Looking at the transmission details of the email recorded in the message headers, I see that the mail was delivered to my email server from yet another unknown domain, lsrree217.closerdried.net. As I said, it is not uncommon for legitimate companies to outsource delivery of email, but there is usually clear accountability and transparency in the domain names of those legitimate email service providers. I’m getting the feeling here that someone is purposely trying to not be known here.
[8] Further down in the message I see the plain text portion of the source message and my suspicions are confirmed - my email program Thunderbird didn’t have a problem showing the message and prompt me with “Having trouble view this message?” - that’s what the email author typed in - that is the message! Further review of the message source shows that this is the case in the HTML portion of the message as well. Okay, now I’m certain the sneakiness here is intentional.
[9] Here is more sneakiness/evilness - something those in the anti-spam space refer to as “hashbusting”. Sophos has a good example of it on their blog in which they describe it as “Hash busters are the seemingly random words or sentences located at the bottom of a spam message, used to try and bypass a variety of anti-spam techniques“. In the Sophos example the spammer puts the words where they are visible to he end recipient. In my case, the rendered message didn’t show this because the sender hid the random words in some HTML tags that aren’t visible.
Okay, so I’m convinced this isn’t even quasi-legit at best at this point, but I’ll bite - let’s click the link.
[10] mylife… what is that? Isn’t this supposed to be Reunion? In this case I happen to know that Reunion recently re-branded as mylife. Looking at the web address I see it starts with http://affiliates.mylife.com which is the bonafide mylife (formerly Reunion) website. Apparently Reunion has an affiliate member who advertises on their behalf, who not only uses sneaky and evil tactics, but hasn’t adjusted for the new brand!
[11] What the heck does this say? One of the things we encourage emailers and web site operators to do is to be openly transparent and accountable. Notices and disclosure in teeny type with low contrast is simply untrustworthy on the face of it. Bad job here mylife.
[12] This web page comes with a third-party seal of trust from Truste. These can be easily faked as well, but clicking on it shows it is legitimate.
[13] Again, check the website URL and validate that it makes sense and meets your expectation. In this case the Truste logo goes to a truste.org site and appears to make sense referencing the [14] mylife.com page we clicked from.
So, that’s a lot of analysis from one email. If anything, it exemplifies how easy it is for mailers to be sneaky in their email and how hard it is for consumes to understand what’s legit and what isn’t. In this case, Reunion appears to operate an affiliate program. That’s not uncommon for businesses on the Internet - but it take s policing - I’m betting (and hoping) that they aren’t aware of this particular affiliates behavior. I’ll pass this information along to them - in the hope that they will terminate this bad actor from their affiliate membership.
If you’ve got a good product, you shouldn’t have to trick people to come to find out more about it.
