What is spam and why is it bad?

Dave Lugo 10/28/2000


Introduction
Pitfalls of some common practices
Definitions
Resources for more information



What is spam?

Spam is unsolicited bulk e-mail.
 

Why is spam bad?

Spam is bad because it shifts the cost of advertising to the recipients. It is similar to unsolicited junk faxes. It can also be compared to an unwanted collect call to your telephone.

Spam is against the acceptable use policy/terms of service of every reputable ISP, is illegal in several US states, and can result in large portions of the Internet "shunning" your company at the network level, e.g. by blocking packets or not accepting your e-mail.

There are various marketing organizations that claim to have a "solution to the spam problem" or a "code of conduct" that addresses the issue, but most fail to take into account several important facts:


What your organization needs to remember is this:

If your organization fails to respect the rights of private networks to set the conditions under which they will accept e-mail, you will most likely be less than successful on the Internet.

If your organization originates UBE, or contracts for UBE to be sent on its behalf, you expose yourself to one or more of the following very real risks:



"Great!" you say, "We don't send unsolicited bulk email."

That's good to hear. Your organization still needs to be aware of some ways that it might be unknowingly exposing itself to charges of spamming. The list below is not all-inclusive; the examples just serve to illustrate how some practices that may seem to be trouble-free aren't.
 

Scenario #1 - Purchasing lists of addresses

"Our company never sends unsolicited bulk e-mail, we buy or rent lists of opt-in addresses."

Well, unless the address owners on that newly purchased list can reasonably assume that your e-mail to them is solicited, it's not. They never gave you their informed consent.

If you are using such a list you should insist that the provider show you evidence that the addresses were collected in a manner that leaves no doubt as to their confirmed opt-in nature, as it applies to your mailing. If there is any doubt, you should not send e-mail to the addresses on that list.
 

Scenario #2 - Merging with or purchasing another company, and e-mailing to a list that came as part of the merger or purchase.

"Our company, UpAndComing Inc. bought AlmostOutOfCash Inc., and their customer list was part of the deal."

If Company A buys Company B, Company A should not summarily incorporate Company B's mailing lists into its own. A notification to Company B's mailing list, informing the subscribers of the purchase/merger and that they may subscribe to a new list, is acceptable.

Company A automatically adding Company B's list to their own without the prior, expressed consent of the address owners is not acceptable.
 

Scenario #3 - Accepting unconfirmed subscriptions.

 "We don't know how you were placed on our list."

Accepting unconfirmed subscriptions is extremely risky. It has become all too common on the Internet for unscrupulous individuals, both outside a company (as a means of harassment), and inside a company (a salesman that has to make quota), to add addresses to lists without using a closed-loop method of confirming that the address owner has agreed to be added to a list.

You also should keep records of all subscription requests, as well as records of the confirmations of those subscriptions, as you may be asked to produce such evidence when someone has: a) forgotten they knowingly subscribed to a list; b) had their address submitted for subscription without their knowledge and consent.
 

Scenario #4 - Not providing an easy method of unsubscribing.

"If someone wants to be removed, they can call or fax a removal request."

All solicited bulk e-mail you send should provide an easy way for the recipient to unsubscribe from a list. Either an unsubscribe e-mail address or link to a web page should be provided. If you make it difficult to be removed from a list, you can expect to receive complaints.
 

Scenario #5 - Not processing unsubscribes in a timely manner

"We process unsubscribes every two weeks."

All unsubscribe requests should be promptly processed.

You should also seriously consider using non-delivery notifications (NDN) you receive as a way to assist your organization in pruning dead addresses from your mailing lists. While a single NDN for someuser@example.com may be a false indication (misconfigured email server or similar), if you receive more than one NDN for the same address it is probably dead, and should be removed.

If you ignore the non-delivery notifications you receive, you risk being blocked by remote networks that perceive you as not responsibly managing your mailing lists.
 

Scenario #6 - A broken or ineffective remove mechanism

"Just use the remove link or address we provide"

You may need to provide an alternate method of processing removes. Automated processes occasionally fail, or an address owner may want to provide feedback to you as part of their remove request. The remove mechanism should not require a password or other information unless that information is contained in the mailing itself. You can provide a phone number in your mailings, or a "fail safe" e-mail address for problems related to removal. These are just some of the ways you can put in place a method to alert your organization to potential problems with your "remove mechanism".

You should also ensure that any removal requests sent to your whois/Internic listing are also properly handled. Technical people commonly use whois listings to derive contact information for alerting a domain to problems.


Definitions

Let's define some terms using the definitions generally accepted by the private networks that comprise the Internet community.
 

Unsolicited Bulk E-mail (aka "spam")

Let's define the individual words first:
 
unsolicited: Sent without the recipient's prior, informed consent.

bulk: The same or substantially the same message sent to multiple recipients. This can be either as a single e-mail addressed to many recipients, as many e-mails each addressed to one or more recipients, or as a mail-merge.

e-mail: A message sent via computer, using commonly accepted communication protocols between the source and destination e-mail servers.

Confirmed Opt-in / Closed-loop Subscription / Double Opt-in

The above terms are interchangeable. What they mean is that after an initial request to add an address to a list, the address owner confirms the subscription request.

This is usually accomplished by means of an e-mail message sent to the subscriber to which he or she must reply, or containing a unique URL which he or she must visit, in order to complete the subscription.

This is extremely important because if an address has been improperly submitted for addition to a list, it is the responsibility of the list maintainer to ensure that the subscription request not be fulfilled.

A list maintainer must not add an address that has been submitted for addition to a list until the address owner knowingly confirms the validity of the initial request.

A confirmation request that states, "You have been added to our list, please reply to be removed" does not meet the criteria for confirmed opt-in.

However it is implemented, a fundamental requirement of all lists is for confirmation of all new subscriptions. You should also keep records of all subscription requests and confirmations.
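
The closed-loop flow defined above, sketched as an added example (not code from the original article): an address stays pending until the unique token mailed to it comes back, and every request and confirmation is recorded. The class name, the seven-day expiry window and the sample addresses are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed confirmation window (not from the article)


class ConfirmedOptInList:
    """Closed-loop subscription: an address joins only after its owner confirms."""

    def __init__(self):
        self.pending = {}        # address -> (token, issued_at); NOT yet subscribed
        self.subscribers = set()
        self.records = []        # evidence of every request and confirmation

    def request(self, address, source, now=None):
        """Record a request and return the unique token to e-mail to `address`."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        token = secrets.token_urlsafe(32)   # unguessable, one per request
        self.pending[address] = (token, now)
        self.records.append(("request", address, source, now))
        return token

    def confirm(self, address, token, source, now=None):
        """Subscribe only if the token mailed to this address comes back in time."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        entry = self.pending.get(address)
        if entry is None:
            return False
        expected, issued = entry
        if now - issued > TOKEN_TTL:
            del self.pending[address]       # expired: request is dropped, never fulfilled
            return False
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        del self.pending[address]           # single use
        self.subscribers.add(address)
        self.records.append(("confirm", address, source, now))
        return True


def demo():
    # Constructed scenario: a third party submits someone else's address.
    lst = ConfirmedOptInList()
    lst.request("victim@example.com", source="203.0.113.9", now=1000)
    forged = lst.confirm("victim@example.com", "guessed-token", "203.0.113.9", now=1001)
    # A genuine subscriber follows the link from the mail they received.
    tok = lst.request("alice@example.com", source="198.51.100.7", now=1000)
    genuine = lst.confirm("alice@example.com", tok, "198.51.100.7", now=1060)
    return forged, genuine, sorted(lst.subscribers), len(lst.records)
```

The improperly submitted address never reaches the subscriber set, while the records list still holds the request that tried to add it.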
 

Address Owner

The person who originates and receives e-mail for a particular address. The owner or compiler of a list the address happens to be on is not the address owner.


Where can I find more information regarding the generally accepted standards the Internet community uses, and related issues?

Below are some starting points for more information.

Basic Mailing List Management Principles for Preventing Abuse
http://www.mail-abuse.org/manage.html
 

RFC-2635 - Don't Spew, A Set of Guidelines for Mass Unsolicited Mailings and Postings (spam*)
http://www.faqs.org/rfcs/rfc2635.html
 

The E-mail Abuse FAQ
http://members.aol.com/emailfaq/emailfaq.html
 

Frequently Asked Questions About Spam
http://spam.abuse.net/faq.html
 

Coalition Against Unsolicited Commercial Email
http://www.cauce.org/
 

The Forum for Responsible and Ethical E-mail
http://www.spamfree.org/
 

Suespammers.org - A Legal Resource
http://www.suespammers.org/
 

Network Abuse Clearinghouse
http://www.abuse.net/
 

Limiting Unsolicited Bulk Email
http://www.imc.org/imc-spam/
 

Final comments to the FTC on UBE
http://www.vtw.org/uce/report/
 

In Other Languages:

French
http://perso.magic.fr/roumazeilles/spamantf.htm
 

Japanese
http://www.ayamura.org/interop98/
 

Spanish
http://www.fcaglp.unlp.edu.ar/~esuarez/spam/index.shtml
 

Danish
http://www.fabel.dk/