June 4th, 2009
Just received not one, but two of these…
Never, never open documents or attachments of any kind from bogus looking email, no matter how alluring or interesting it may seem.
The mouse study isn’t that interesting to me, but the faked kidnapping sounds kinda funny…
Open these up and your computer will no doubt be enslaved as a “bot” in a “botnet” used to send spam.
March 31st, 2009
can spam . compliance . Email . FTC . legal . permission email
I regularly receive sales pitch email from people I don’t know – like this one.
This happens, as expected, at my business email address at Return Path. About half the time I find, appropriately, an opt out link at the bottom, and I use it. The other half of the time I respond to the mail asking the sender to “unsubscribe” me.
For the most part I never hear from folks directly. In some cases I may get future messages – though I’m not sure since I don’t do any discrete tracking. In other cases I suspect I’m added to an opt out file. In rare cases I get a response – as I did last week. Here’s the thread:
Me: “Your commercial email to me requires you to provide an opt-out option (under Federal law – The Can-Spam Act of 2003). Please remove my email address from your list and confirm.”
Them: “Tom thanks for your email but since I personally emailed you it doesn’t. This was not a commercial email. However I will remove you from my database as you must not be in need of our services unlike many of the top players in your industry. Best of luck and please let me know if I can be of assistance in the future.”
Me: “The CAN-SPAM Act defines commercial messages as those for which ‘the primary purpose is to advertise or promote a commercial product or service.’ Just because your message to me was one-to-one doesn’t change its’ purpose.”
Them: No reponse.
So, it seems to me that the US Federal Can Spam Act is widely mis-understood when it comes to sales prospecting. The FTC recently issues some final rules last year, which I blogged about for Return Path, which went into effect in July 2008. In summary, the FTC made a few explicit provisions in their final rules for things like having an easy unsubscribe process, what constitues a valid “postal address”, etc… they did not materially change the law with regard to unsolicited sales prospecting messages, but they did provide guidance on it. I didn’t cover it in my blog post, but Morrison Foerster did in theirs – as did another presumably competent law firm Sonnenschein, Nath & Rosenthal.
Here are the relevant bytes from the PDF file of the Final Rule issued by the FTC:
Messages Sent to Effectuate or Complete a Negotiation – In the NPRM, the Commission asked under what circumstances an email sent to effectuate or complete a negotiation should be considered a “transactional or relationship message” under section 7702(17)(A)(i). Twelve of the 13 commenters addressing this issue 127 agreed that such messages should be deemed transactional or relationship messages or should fall outside the scope of the Act. 128 The Commission declines to alter the definition of “transactional or relationship message” to address communications for the purpose of effectuating or completing a negotiation because of the lack of any evidence in the record that such a modification would be necessary to accommodate changes in email technology or practices and to further the purposes of the Act. However, even without such a modification, the Commission continues to believe that, as it stated in the NPRM, to the extent that negotiation may be considered a “commercial transaction” that a recipient has previously agreed to enter into, such messages likely would be considered transactional or relationship under section 7702(17)(A)(i) if they were sent to facilitate or complete the negotiation.
Whoa, that’s a lot of legal mumbo jumbo – what’s all that mean? Well, the key takeaways in the above has to do with an email recipients expectation of the email they receive. In this case, I believe the FTC is saying, email sent to facilitate or complete a business negotiation where “the recipient has previously agreed to do so” is not a commercial message covered by Can Spam – it is a transactional relationship message covered by Can Spam. So that covers a mailer, or the ones sending me email, if they otherwise have my permission and I’m expecting mail from them in this regard.
In these cases, the messages I receive are completely unsolicited, and on that the FTC comments:
The Commission, however, does not interpret the term “transactional or relationship message” to include an initial unsolicited message that proposes a transaction and attempts to launch a negotiation by offering goods or services. Likewise, after a party has terminated a negotiation, an email from the other party seeking to restart the negotiations would not be a “transactional or relationship message.”
Aha, so there you go, plain as day. You can send me at least one unsolicited commercial email – under Can Spam. Yeah, that alone kinda stinks. However, in sending that message you ahve to comply with the base requirements of the law -which include:
Not too much to ask! Sheesh.
To be fair, it is somewhat understandable that folks don’t understand Can Spam. Just read the excerpts above – I have to read it at least twice and really think about it to make sure I’m interpreting correctly – and even then, I’ll talk it through with someone to be sure. However, if you send commercial email as part of your business, you have a responsibility to figure out if you are compliant or not. When I consult or advise folks, and when I reply to them as above, I always make clear that “I Am Not A Lawyer” and that they should consult theirs to determine their actual standing.
Doing the right thing always takes some effort – but at the end of the day, you’ll feel better right? And, the FTC and state Attorney Generals won’t have a reason to talk to (or prosecute) you. Finally, you’ll be more respected. The folks that send me solicitations that I can opt out from, they don’t earn a spot in my “banned for life” bucket – I’ll still consider business from them someday. The ones that don’t – don’t bother coming back. How do you want your prospective customers thinking of you?
Do the right thing and they will think better of you.
Caught this post by Silicon Valley Insider on the Numa Numa guy jammin’ out to the Geico remix of Rockwell’s “Somebody’s Watchin Me”. The Geico lizard is back there, but doesn’t do much. Numa Numa dude is a lip synching stud. Me, I just dig the tune. Enjoy!
As discussed in my last most, Sneaky Email Sucks, spammers are driven to find clever ways to represent (or mis-represent I guess) text or words in their messages.
Since text can be easily analyzed and through bayesian processes deemed “spammy” or “not spammy” rather easily, spammers try to do things like use images to print their text on instead. When anti-spammers countered that by hash analysis/fingerprinting the images for comparison, spammers added random noise to their images. The text obfuscation battle continues.
In this case, the spammer cleverly uses basic HTML table, coloring various cells in the rows and columns to spell out “V I A G R A”. It reminds me of when occupants of tall buildings in a city somewhere, for a special event like the Superbowl, or maybe just a stunt for a TV comercial, turns on lights only in particular windows of the skyscraper for the same effect.
It’s the first time I’ve seen this HTML table approach to slipping spam in (and it got into my inbox in Outlook) – so while I can’t say that it is a new technique for sure, it seems to have worked. No doubt the filtering companies will pick up on this one. Gosh it’s easy to break systems – Captain Obvious here I know – it is much easier to be a bad guy than a good guy with email. That blows.
This is a simple example of text obfuscation – if you want to really geek out on the subject, check out the paper: Fighting Unicode-Obfuscated Spam.
I took note of a local article this week that referenced phishing as “fishing”. I figure it was a spell checker that caught it, but still it made me wonder if average folks still don’t understand what “phishing” is.
The FTC and other US government agencies sponsor and operate the website OnGuardOnline.gov which “provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.”
On phishing, they provide some great educational information and tips – explaining phishing as:
Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.
For a more comprehensive break down, check Wikipedia.
Better yet, here is Phishing Explained in Three Minutes by CommonCraft:
UPDATE: I learned of one more great tutorial on phishing scams by PayPal through an email they sent today – totally worth checking out!.
Surely you’ve seen these message. I had a great example land in my inbox this week, so I thought I’d quickly demo it here.
First, you can see it in my “Deleted” folder after I did some routine purging of email in my Return Path account. A few things to point out, sorted by “Sender” you can see I have a bunch of legitimate Facebook notices, from the bonafide Facebook corporation.
But, I also have this additional notice from the Facebook Upgrade Center. Looks totally legit along side other messages from Facebook in my inbox. Note the From: address is info@facebook.com. This is called spoofing and it is an inherent problem with email on the Internet. It is the reason that add on protocols for “email authentication” exist, providing legitimate senders, like the bonafide Facebook, a way for ISPs to validate return email addresses that spammers like to forge. Email authentication is its’ own topic and there are tons of resources – but I’ll tackle that in a later post. For the most part just realize that legitimate senders are using it to help ISPs identify them as the good guys and not scammers.
So, the From: line is spoofed, and most studies on consumers and email show that email users make their assessment of spam versue mail they want by assessing the From: line first and the Subject: line second. In this case both are believable as legitimate.
It is always good to be suspicious, and one way to protect yourself is to scrutinize the website links in email. In this message, you can see the URL of the link they included starts out with “http://login.facebook...” – so at a glance, seems fine, but it continues with “...default.videomessageid-vrblqkto9.sessionnewid83.com”
The most important part of web site links, relative to the owner operators, is discerned by looking at the domain and link from right to left. Starting with .com or .net or .org or whatever Top Level Domain is in the link, you can see now in this example that Facebook probably does not operate sessionnewid83.com. This is probably the result of “domain tasting” – a method that identity theives use to register domain names cheap and use the domain for spam and identity theft during a trial “grace period”. So not only do they abuse the domain but they can get their money back afterwards! Registrars are being pushed to fix this problem – friend John Levine has posted details on that here.
Okay, now the thing is, it is best to not click these links at all. It is possible for the landing pages to have rogue code that could infect your computer at that point alone. But if you don’t notice these small details or aren’t paying attention, you do, and that’s why phishing works!
The good news is that, today, major browser providers, Firefox and Internet Explorer all have built in Phishing filters. In my case, with Firefox, I click the link and here is what I get:
Phew! Thanks Firefox! I’ve known about phishing filters in browsers for a while, but this was the first time I’ve seen a phishing filter trigger live for me on a click. You can read more about these browsers phishing filter capabilities here:
Internet Explorer Phishing Filter
Firefox Phishing and Malware Protection
So, always scrutinize your email, pay attention to links, and make sure your are upgraded and protected with the latest browser technology. It is just too easy to be a bad guy these days, but the good guys continue to fight back.
Return Path 10Beyond Monkey Mind Labs Only Once Risdon News DistanceWeb Kevin Menzie :: I Was Just Thinking… Longmont Tigers E-mail, tech policy and more Before & After Feld Thoughts Lifehacker Deliverability.com An unread blog is not worth writing – Socrates Another Not That You Asked Blog