The Spamhaus Project


French government provides spam lists

by The Spamhaus Team · May 30, 2017 · 5 minutes reading time


Introduction

The government of France provides lists of email addresses to French political candidates for them to use when sending campaign emails. Unfortunately these lists have many spamtrap addresses on them. Our spamtrap email addresses cannot have been legitimately subscribed to this list, and most assuredly do not belong to French voters. The presence of spamtraps is evidence that other addresses on the list did not "opt in" to that list.

Possibly worse, it appears that these lists might have been provided directly to the candidates. Email addresses are generally considered to be private information, and address owners do not expect their private information to be distributed beyond the permission which they grant. Distributing lists to third parties places recipient email addresses "in the wild," causing the owners of those email addresses to lose control of their use. A centralized "unsubscribe" mechanism is not possible with such distribution. The email addresses on widely distributed lists become vulnerable to data theft because lists are kept in many different locations with untested security provisions.

We learned of this issue recently when two different French candidates became entangled in two of our automated spam detection systems, the DBL and the CSS. The candidates whose IPs and domains were listed by us, when contacting us to resolve the listings, independently told us that the lists they were sending to were provided by the French government:

"I am a candidate for the French election next week and need to send as soon as possible an email to the 100000 people eligible to vote to explain my program and motivations. Emails has been given by french authorities."

"Our lists are opt-in and have been provided by the French Government."

Politicians around the world are often entirely too willing to ignore the "rules of the road" on the Internet. We frequently hear the age-old excuse, "but my unsolicited bulk email isn't spam" from those who contact us. That excuse has been used by spammers since before Spamhaus existed. The problem with this excuse is that "unsolicited bulk email" is the very definition of spam.

The US CAN-SPAM law carves out specific exemptions for political spam, and so do laws in other jurisdictions, but these laws only define which spam is allowed by law and which is not in a specific legal jurisdiction. Those laws do not define what spam is, nor do they recognize the international nature of email and email addresses. While some political spam may be legal, it is still spam.

To the recipient who never asked to receive incoming bulk email, your important political message is just another piece of junk that got past their spam filters and landed in their inbox. To mail administrators who manage the mail servers that must process these unsolicited and unwanted messages, it's just more resources wasted coping with junk that nobody asked for or wants.

The law might not be of much use in stopping spam from lawmakers who refuse to classify their unwanted bulk email with that sent by non-politicians, but users are not helpless. They can, for example, refuse to do business with companies that spam, or decline to vote for politicians who spam. The Boulder Pledge "never to purchase anything offered through the result of an unsolicited email message" is still followed by many people, at Spamhaus and elsewhere.

A government could maintain, at least in theory, a legitimate mailing list of interested citizens who want to receive campaign mailings. It would require that proper expectations be set. The topic and general content of the emails should be established. The government would also need to explain how the list will be managed, who will send email to it, and where users can subscribe, manage their subscriptions, and remove themselves from it. In addition, users should be given some idea of the volume and/or frequency of emails.

Email address collection must use confirmed opt-in (COI) for all sign-ups, and in addition implement a CAPTCHA on any web forms to prevent "subscription bombing". The email addresses would need to be stored securely, encrypted, with limited access to the key.

Subscribers' email addresses would not be distributed to the candidates. Instead, the candidates would submit their content to the list operator, who would do the mail-merge and actual sending. That model is known in the bulk emailing trade as "list rental." It is legitimate because subscribers' email addresses remain under the control of the same organization that solicited the subscriptions. (Permission to send bulk email to a particular email address or list is not transferable.)

The list owner or manager of any bulk email list is responsible for the integrity of the list data. Bounces and unsubscribes must be removed promptly, and non-responding email addresses must be weeded out after a reasonable period of time (three to six months). Finally, the list must be mailed frequently enough to detect abandoned mailboxes before they churn to other owners and other uses.
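The confirmed opt-in and list-hygiene rules described above can be expressed in a few functions. This is an added example, not code from Spamhaus or any list operator; the record fields, the 48-hour token lifetime, the demo key and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: real key comes from a secrets store
TOKEN_TTL = 48 * 3600             # assumption: confirmation link valid for 48 hours
INACTIVE_AFTER = 180 * 86400      # six months, upper end of the article's range


def make_token(email, issued_at):
    """Token mailed to the address; only someone reading that mailbox can return it."""
    msg = f"{email.lower()}|{issued_at}".encode()
    return f"{issued_at}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def confirm(email, token, now):
    """True only for an unexpired token that was issued for this exact address."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    expected = make_token(email, issued_at).split(".", 1)[1]
    fresh = 0 <= now - issued_at <= TOKEN_TTL
    return fresh and hmac.compare_digest(sig.encode(), expected.encode())


def sendable(subscribers, now):
    """Addresses that are confirmed, not bounced or unsubscribed, and recently active."""
    keep = []
    for s in subscribers:
        if not s["confirmed"] or s["bounced"] or s["unsubscribed"]:
            continue
        if now - s["last_activity"] > INACTIVE_AFTER:
            continue
        keep.append(s["email"])
    return keep


NOW = 1_700_000_000  # constructed timestamp


def row(email, confirmed=True, bounced=False, unsubscribed=False, idle_days=1):
    return {"email": email, "confirmed": confirmed, "bounced": bounced,
            "unsubscribed": unsubscribed, "last_activity": NOW - idle_days * 86400}


SAMPLE = [  # constructed records, not from the article
    row("voter@example.org"),
    row("trap@example.net", confirmed=False),  # never confirmed, as a spamtrap would be
    row("gone@example.org", bounced=True),
    row("left@example.org", unsubscribed=True),
    row("silent@example.org", idle_days=400),
]
```

An address that never returns its token stays unconfirmed and is never mailed, which is why a spamtrap cannot end up on a list built this way.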

It is not always easy to maintain a good, clean bulk emailing list, but legitimate bulk senders do it routinely. Anybody can do it if they learn how and follow best practice.

France might be attempting to use such a "list rental" model. Both the examples we encountered were sent from SendinBlue's network. SendinBlue is an established ESP in France. It has the capability to properly manage a list rental service.

France and SendinBlue, please take this hint that the list you are providing to your political candidates is dirty, full of spam traps, and desperately in need of a thorough cleaning and a permission pass as described in our Marketing FAQ.

We removed the IPs and domains used by the two political candidates who contacted us from our lists, and pointed the candidates to the following information.