Home / Blogs

Oklahoma Spammer Fighter Loses Even Worse

Last December I wrote about Mark Mumma, who runs a small web hosting company in Oklahoma City and his battle with Omega World Travel a/k/a cruise.com. Mumma lost his CAN SPAM suit agains them in December, but Omega’s countersuit for defamation went to trial last week, and I hear that the jury awarded Omega $2.5 million in damages, which Mumma is not likely to be able to pay.

This may be painted in some circles as a huge defeat for anti-spam activists, but it’s not. Mumma has been what one might call an intemperate litigant, as most impressively documented in an interview with Ken Magill. Press reports say that Omega would have settled with Mumma for an apology and no money, which considering Mumma’s string of losses was a pretty good offer. But he didn’t.

There are plenty of real anti-spam lawsuits going on, with real charges of behavior that is actually prohibited by law. A good example is the case that Project Honeypot filed last week against spammers who’d scraped addresses off their honeypot web pages. I look forward to following its progress.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By John Levine, Author, Consultant & Speaker

Filed Under

Comments

Matthew Elvey  –  Jun 12, 2007 5:49 AM

Sure, Mark Mumma was intemperate, but, well, in terms of right and wrong, I see things pretty clearly: Cruise.com sent Mumma UBE (i.e. spam).  Mumma unsubscribed.  Cruise.com refused to heed his unsubscribe request, and instead spammed him.  They did this because they didn’t like his optoutbydomain.com - based method of unsubscribing, because heeding it would make their ‘marketing’ difficult.  It seems to me that Magill writes for the mainsleaze market - the folks that buy off officials to keep their ‘marketing’ from being blanket illegal. 

Oh, and John - Time Magazine says the UBE contained bogus header information.  CAN SPAM bans false/deceptive headers, so it seems like Cruise.com’s behaviour quite clearly WAS prohibited by law.  I guess we’ll have a better idea of the judges’ rationale when their decisions get posted.

John Levine  –  Jun 12, 2007 11:48 AM

Except that’s not what happened.  Mumma didn’t unsubscribe, he called them up and ranted at them, refusing to tell them what address he wanted them to stop mailing.  CAN SPAM is quite clear that a mailer can provide any reasonable opt-out procedure, and as far as anyone can tell, Cruise.com’s worst sin is that they don’t confirm signups.  They don’t have the most fabulous list management practices in the world, but it’s pretty clear that someone, perhaps Mumma himself, specifically forged a subscription in order to stir up trouble.  They don’t buy lists, they don’t try to hide.

Re the forged headers, the court dealt with that argument last December. Read my previous message which has a link to the decision. Again, their practices aren’t the absolute best, but if they were the worst we had to deal with, there wouldn’t be a spam problem.

Matthew Elvey  –  Jun 12, 2007 5:57 PM

Except that he did file and unsubscribe request.  He pointed them to optoutbydomain.com.  Seems pretty obvious to me.

From a technical standpoint, unsubscribing by doing this is an unsubscribe request for his email address that wouldn’t be a problem for Cruise.com to heed.  Surely you don’t dispute that.

BTW, is it established IF (and if they did, when) cruise.com went through the process described at optoutbydomain.com or not?

When you say “except that’s not what happened,” are you saying he didn’t do that, or that in terms of Right and Wrong, that method of unsubscription is Wrong, or that in terms of the law, it’s not required that cruise.com accept that form of unsubscription?  My point was explicitly about the ethics.

As for the headers:  I re-read the decision.

A header indicated the mail was from fl-broadcast.net, when that domain had no relationship to the senders.  In terms of avoiding spam filters, lying about where the mail from is a common trick.  So the judge was wrong to rule that this deception did not meet the “header information that is materially false or materially misleading” standard.  I dont’ know if Mumma attempted to make the judge aware that it was material because mail from known bad actors is routinely blocked (which reminds me of the DDoS uribl.com is currently undergoing.)

If every biz in the US did what Cruise.com did, we’d all die of a thousand^4 cuts.

Matthew Elvey  –  Jun 12, 2007 6:11 PM

Sorry, I misspoke when I said “If every biz in the US did what Cruise.com did, we’d all die of a thousand^4 cuts”; please strike that.

I’d search my logs for spam from cruise.com, but I’m not sure what to look for (Cruise.com? cruise? omega?) or how to identify what I found as coming from them.

John Levine  –  Jun 12, 2007 6:27 PM

Except that he did file and unsubscribe request.  He pointed them to optoutbydomain.com.  Seems pretty obvious to me.

Aw, come on.  Imagine for a moment that you are an ESP. Some guy calls you on the phone and rants at you in loonytoon fashion, calling you a spammer, demanding you stop sending him mail, but he won’t tell you his address.  On the umpteenth phone call, he points at some web site that has a list of domains and demands that you remove every address in all of those domains. You have no idea where the list came from, and no reason to believe that he speaks for the domains’ owners or users.  What would you do? I wouldn’t use Mumma’s list, either.

I’d search my logs for spam from cruise.com, but I’m not sure what to look for (Cruise.com? cruise? omega?) or how to identify what I found as coming from them.

As the decision said, cruise.com’s name and contact info are all over the mail they send.  If you can’t figure out what’s from them, you need better logs.

As I have said many times before, they’re not perfect, but if they were the worst we had to deal with, there wouldn’t be a spam problem.

Matthew Elvey  –  Jun 12, 2007 7:32 PM

The best way I can answer that is to mention the mortgage spammer who insisted I’d opted into their spew and went so far as to provide me and their ISP with a piece of paper claiming I’d been to some event in San Diego and showing an email address that looked vaguely like mine on a piece of paper, in handwriting that was nothing like mine.

I’m not sure if you or anyone else who’s credible is saying that what you say I should imagine happening actually happened. You say there’s “no reason to believe that he speaks for the domains’ owners or users.” However, if I try and opt out a domain I don’t own, at optoutbydomain.com, I find that it’s not possible.

This exactly matches what the site says:

You must be the owner of the domain

Only domain owners can join the OptOutByDomain.com database. More specifically, you must be listed in your domain’s registrar record as one of the domain contacts, either Owner, Admin, Technical or Billing contact. Domains that utilize a privacy feature known as a Proxy registration are not eligible to join OptOutByDomain.com.

I conclude from my testing that I can trust Mumma to run OptOutByDomain.com as it is documented to run more than I would trust someone who thinks that bulk mailers shouldn’t have to verify the email addresses to which they send bulk mail. I am aware of a concerted effort (coordinated spin) to make unverified opt-in respectable, e.g. see http://groups.google.com/group/...

So what would I do? I’d use the list.

So it seems you concede he did indeed unsubscribe, but his method is Wrong because his verifiably verified-opt-in list is somehow less trustworthy than an UNverified opt-in list. Well, I disagree.

John Levine  –  Jun 13, 2007 5:58 PM

I would think this would be obvious, but in the U.S., courts are charged with enforcing actual laws, rather than imaginary laws that we might wish had been passed instead.

The highly imperfect CAN SPAM act says that mailers have to provide a working opt-out process.  It does not say that recipients can invent an opt-out process and demand that mailers use it. Mumma, for whatever reason, refused to do what the law said and instead did all sorts of other stuff.  He has only himself to blame for losing this silly lawsuit.

Incidentally, it is so 1999 to insist that signup confirmation would solve the world’s spam problems.  There are plenty of ways to end up with a dirty list even with every address legitimately confirmed, and there are plenty of unconfirmed lists with vanishingly low error rates, as low or lower than COI lists.  (Do you know anyone else who gets mail from cruise.com without signing up for it?  The only person I know in that position is Ken Magill, and him only when someone on a cable modem in Oklahoma City signed him up a few hours after his infamous interview with Mumma.)

As I keep saying, if our goal is to get rid of spam, we need to work on that, and not to get distracted with non-problems.

Matthew Elvey  –  Jun 15, 2007 8:56 AM

Yes, CAN SPAM act says that mailers have to provide a working opt-out process.  CAN SPAM does not say that recipients can’t invent an opt-out process and demand that mailers use it.  It is silent on that topic.  IMO, Mummas opt-out process is quite reasonable and legal, but cruise.com didn’t follow it, AFAIK.  You think it’s unreasonable.  Does the law provide statutory penalties if it’s not followed?  This case says no.

But there’s a lot we agree on:  Irrespective of Right and Wrong, the law in part of the US is now clear: Only quite blatant spam is considered illegal by the court.  The good news is that still only a small fraction of spam is now not blatantly illegal.  The bad news is more of it will morph to be legal.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix