Last week a Utah court issued a default judgement under CAN SPAM in Zoobuh vs. Better Broadcasting et al. I think the court’s opinion is pretty good, even though some observers such as very perceptive Venkat Balasubramani have reservations.

The main issues were whether Zoobuh had standing to sue, whether the defendants domain names were obtained fraudulently, and whether the opt-out notice in the spam was adequate.

Standing

The standing issue was easy. Zoobuh is a small ISP with 35,000 paying customers who spends a lot of time and money doing spam filtering, using their own equipment. That easily met the standard of being adversely affected by spam, since none of the filtering would be needed if it weren’t for all the spam.

Domain names

CAN SPAM prohibits “header information that is materially false or materially misleading.” The spammer used proxy registrations at eNom and Moniker. The first subquestion was whether using proxies is materially false. Under the California state anti-spam law, courts have held that they are, and this court found that the California law is similar enough to CAN SPAM that proxies are materially false under CAN SPAM, too.

Venkat has reservations, since in principle one can contact the domain owner through the proxy service, but I’m with the court here. For one thing, even the best of proxies take a while to respond, and many are in fact black holes, so the proxy does not give you useful information about the mail at the time you get or read the mail. More importantly, businesses that advertise are by nature dealing with the public, and there in no plausible reason for a legitimate business to hide from its customers. (Yes, if they put real info in their WHOIS they’ll get more spam. Deal with it.)

CAN SPAM also forbids using a “domain name, ... the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations.” Both eNom and Moniker’s terms of service forbid spamming, so the court found that the senders obtained the addresses fraudulently, hence another violation. Venkat finds this to be circular reasoning, arguing that the court found the spam to be illegal because the spam was illegal, but in this case, he’s just wrong.

Despite what some bulk mailers might wish, CAN SPAM does not define what spam is, and mail that is entirely legal under CAN SPAM can still be spam. eNom’s registration agreement forbids “if your use of the Services involves us in a violation of any third party’s rights or acceptable use policies, including but not limited to the transmission of unsolicited email”. Moniker’s registration agreement prohibits “the uploading, posting or other transmittal of any unsolicited or unauthorized advertising, promotional materials, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” or any other form of solicitation, as determined by Moniker in its sole discretion.” There is no question that the defendants sent “unsolicited email” or “unsolicited advertising” and there’s nothing circular about the court finding that the defendants did what they had agreed they wouldn’t.

Opt out notice

The third issue is whether the spam contained the CAN SPAM required opt out notices. There were no notices in the messages themselves, but only links to remote images that presumably were supposed to contain the required text. As the court said:

The question presented to the Court in this case is whether Required Content provided in the emails through a remotely hosted image is clearly and conspicuously displayed. This Court determines that it is not.

One issue is that many mail programs do not display external images for security reasons or (as in my favorite program Alpine) because they don’t display images at all. The court cites multiple security recommendations against rendering remote images, and concludes that there’s nothing clear or conspicuous about a remote image. Even worse, the plaintiffs said that the remote images weren’t even there if they tried to fetch them,

The real point here is that the senders are playing games. There is no valid reason to put the opt-out notice anywhere other than text in the body of the message, which is where every legitimate sender puts it.

Summary

Overall, I am pleased at this decision. The court understood the issues, was careful not to rely on any of the plaintiff’s claims that couldn’t be verified (remember that the defendant defaulted, so there was no counter argument) and the conclusions about proxy registrations and remote images will be useful precedents in the next case against spammers who use the same silly tricks.