ROKSO Home  |  ROKSO FAQs & Policies  |  About Spamhaus  |  FAQs
The Register of Known Spam Operations
Brian Kramer / Expedite Media Group

Evidence Menu:

Brian Kramer / Expedite Media Group Index

Country: United States
State: Illinois
Massive spamhaus. Kicked off of MCI, Anet, Mzima, Uninet, SingTel, Yipes, Servercentral, WilTel, Triara in Mexico, Broadwing, a Panamanian host, Schlund and lastly Speakeasy - just between Jul-Oct 2005!

Brian Kramer / Expedite Media Group SBL Listings History
Current SBL Listings
Archived SBL Listings

Media: Candidates, Known Spammers, and CAN-SPAM

Candidates, Known Spammers, and CAN-SPAM, Part 1
   E-Mail Marketing

BY Jeanne Jennings | March 27, 2006

What would you do if you learned your e-mail was sent from an IP address listed by Spamhaus as "being assigned to, under the control of, or providing service to a known professional spam operation"? How about if you found out the server it was sent from was blacklisted on a regular basis? Or that someone who bore no resemblance to the "target audience" in your third-party list rental agreement received your e-mail? And what if you suspected at least some of the e-mail addresses on the list were harvested, which is listed as an "aggregated violation" under the CAN-SPAM Act of 2003?

Think it can't happen to you? You would be surprised. This is exactly what happened -- all at one time -- to a political organization that sent a just-before-the-election e-mail missive in support of its candidates. In this column, I'll present the case study and discuss a loophole in CAN-SPAM you might want to weigh in on as a commercial e-mail marketer.

In two weeks, I'll cover the business issues of the case. They go beyond the "spam tarnishes your image" arguments into real-world questions about whether these campaign got what they paid for. I'll also provide tips for protecting your commercial, political, or nonprofit organization against similar situations.

The Case Study

People I spoke with at the political campaign told me they contracted with a political consultancy to procure the e-mail addresses and handle the send. Their target audience consisted of those who met all the follow criteria:

* They were registered voters affiliated with their political party.

* They live in their voting district.

* They voted in one or both of the most recent primaries in their district.

The organization developed an e-mail and sent it to the addresses on the list.

I was one of the people who received it. Just to be clear:

* I'm a registered voter, but I'm not affiliated with their political party.

* I don't live in their voting district, which is over 500 miles from my home, nor have I ever lived there.

* I didn't vote in either of these primaries in their voting district (obviously).

The e-mail came to an address I never use to opt in; the only place it's appeared is within my ClickZ columns as a feedback device, before ClickZ migrated to e-mail forms a few years back. Apparently, the e-mail address was harvested off ClickZ's Web site and added to this list, without permission and, seemingly, without the demographic information that was supposed to be used to segment the list.

I was intrigued, so I dug further. When I typed the IP address of the server the e-mail was sent from into SpamCop, I learned the server was currently blacklisted and would continue to be for another 23 hours. To date, it's been blacklisted for a total of 19.3 days. I later learned from SenderBase the server had sent its first e-mail barely a month before, so it's been blacklisted for two-thirds of its short life.

SpamCop also told me why it had blacklisted the server:

* The system has sent mail to SpamCop spam traps in the past week.

* SpamCop users reported system as a source of spam about 40 times in the past week.

Spam traps are e-mail addresses placed on the Web as bait. If they receive e-mail, it's because they've been harvested. That confirmed how they probably obtained my e-mail address.

When I checked out the IP address at Spamhaus, I learned it was listed on the Register of Known Spam Operations (ROKSO) and was "assigned to, under the control of, or providing services to a known professional spam operation."

The ROKSO profile provided a U.S. postal address for the spam organization, although this particular server was listed as being in Hanoi, Vietnam. The profile said it had been kicked off of numerous Web-hosting services in the States and a number of other countries -- and that's just from July to October 2005. It also said the company had been known to work with other companies and individuals listed on the ROKSO in the past, including the former "Spam King" Scott Richter.

Despite all this, the e-mail itself seemed legitimate and sincere. It included the following assurances:

* We support responsible and ethical e-mail marketing practices.

* We encourage and support best practices in responsible e-mail marketing.

In addition, it had an unsubscribe link and the U.S. postal address of the campaign that sent it. I decided to contact the campaign and ask about the send.

To the campaign's credit, people were very forthcoming and willing to speak with me. They seemed honestly surprised by what I was telling them about their e-mail. They asked for more information on what I'd learned, and I provided it. They gave me information on the send and contact information for the consultancy they'd worked with (which refused to speak with me on the record). One of the candidates even got involved, sending an e-mail with the following:

Thank you for giving us information on the company we used for this e-mail campaign.... You can be sure that I will be asking some questions of the company.... It is not my desire to use, nor will I tolerate, a company that violates the law.

Here's the rub: bad as this all sounds to anyone doing legitimate e-mail marketing, this campaign didn't violate the letter of the law.

Political campaigns are exempt from CAN-SPAM regulations. But did Congress intend to give them permission to harvest e-mail addresses and knowingly send to lists built via harvesting, both of which are "aggregated violations" under CAN-SPAM?

I asked Trevor Hughes, executive director of the Email Sender & Provider Coalition and an attorney specializing in spam issues. He confirmed the harvesting section of the CAN-SPAM act was directed specifically at commercial e-mails and added, "There are strong protections on political speech, which extend to use of e-mail. This doesn't seem like an FTC issue, as they only regulate commercial e-mail. It's more a question of political speech."

What do you think? Should political campaigns be prohibited from harvesting and using harvested e-mail addresses? How about other "aggravated violations," such as dictionary attacks (define)? Or should political parties, elected officials, and candidates adhere to the same CAN-SPAM guidelines commercial e-mailers are obliged to? Write to your congressional representatives and please share your thoughts with us, too.

Until next time,


Candidates, Known Spammers and CAN-SPAM, Part 2
   E-Mail Marketing

BY Jeanne Jennings | April 10, 2006

In my last column I presented a real-life case study about an organization that discovered:

* Its e-mail was being sent from an IP address listed on the Spamhaus Register of Known Spam Organizations (ROKSO) as "being assigned to, under the control of, or providing service to a known professional spam operation."

* The server it was sent from was blacklisted on a regular basis.

* At least one person who bore no resemblance to the "target audience" in its third-party list rental agreement received its e-mail.

* At least one e-mail address on the list was harvested, which is listed as an "aggregated violation" of the CAN-SPAM Act of 2003.

We could talk about the definition of spam, how this type of e-mail hurts the a brand's (in this case, the political candidate's) credibility, and why Seth Godin's mantra of "anticipated, personal, and relevant" is still the best way to conduct e-mail marketing. But I want to go a different direction. Today, I'll examine the business issues raised by situations like this one.

No matter where you fall on spam issues, you have to question whether this e-mail campaign was a good business investment for the organization. Reasonable questions to ask in this case include:

* What percentage of the list met the list criteria specified in the contract? What percentage didn't? How many unqualified names did the organization pay for?

* What percentage of the list was harvested or otherwise gathered in a non-CAN-SPAM compliant fashion? How much of the organization's budget went toward renting these names?

* What percentage of the send was blocked by spam filters (since the server was blacklisted on a regular basis)? How much of the organization's money was spent to send e-mail that didn't make it to the inbox?

* What level of public backlash might have occurred had the organization's dealings with someone on the ROKSO list been featured in local papers before the election? Was the potential upside of the e-mail campaign justified by the potential downside of negative PR?

Want to factor the e-mail's results into your decision about whether this was a sound business investment? Unfortunately, they won't be much help. The e-mail's primary call to action -- go to the polls and vote for our candidates -- isn't one that can be directly measured from the e-mail send. Metrics provided to the organization show a 43 percent open rate and a 2 percent CTR (define), although it's uncertain whether these are based on total or unique opens and clicks.

So was this e-mail campaign good campaign business? How would you feel if you found yourself in this position? It's probably not something you'd want to experience firsthand. Here are some tips you can use, whether you're a political campaign, an association, or a regular for-profit enterprise, to keep yourself and your organization out of these types of situations.

Protecting Yourself

The e-mail list rental market, especially in the business-to-consumer (B2C) space, can be a minefield. You can't work on faith and hope the people you're dealing with are being straight with you. "Trust, with verification" is definitely the approach to take. Some best practices:

* Be skeptical of below market rate rental fees. According to Worldata's Fall 2005 index, opt-in B2C e-mail addresses rent for $167 per thousand on average; business-to-business (B2B) lists are setting companies back an average $281 per thousand. Special selections, such as political affiliation, physical location, or past activity (in this case, voting), usually add $10 per thousand or more each to a list rental fee.

When I spoke with political campaign staffers, they couldn't tell me how much they'd spent on the list rental for this send. When I did a quick calculation based on a mere $100 CPM (define), they stated it was unlikely their budget would have accommodated an expenditure of that size.

You get what you pay for. The lower the price, the more likely there's something not quite right with the list. Buyer beware.

* Be completely comfortable with how the list is built. Confirm there was an explicit, knowing opt-in by registrants. Don't just take someone's word for it. Ask to see the Web page or the offline form that was used to obtain the opt-in.

If you're asking for very specific criteria, things like political affiliation, physical location or past activity, find out how this data was collected. Be sure the list source had a reasonable likelihood of being able to obtain the information. If you ask for something very specific, be skeptical if the vendor has "exactly that," particularly if they have it in a large quantity.

* Be completely comfortable with who handles the send. Ask for the company's name as well as the IP addresses of all the servers it sends from. Check them out. I like SenderBase because it aggregates information from a number of anti-spam sources. Look for recent issues; a spam complaint last week or last month is much more worrisome than one five years ago. It goes without saying that anyone who's profiled on the ROKSO list is probably not someone you want to do business with.

* Know whom you're dealing with. Research everyone involved with your e-mail initiative, including consultants, contractors, and vendors you deal with directly as well as their subcontractors, affiliates, and partners. A Google search is good; a SenderBase search (which you can do by IP address or domain) is better. Find out if they're active players in the e-mail community via their involvement with respected industry associations, online or print publications, or conferences.

You can delegate tasks, but not responsibility. In the end, it's your brand name that's front and center on the e-mail message, not your vendors' or their subcontractors'. Be comfortable about putting your name out there with their work behind you.

* Build remedies into the contract. If something goes bad, what are your options? If the e-mail addresses don't match your target audience criteria, do you still pay for them? If the e-mail addresses were harvested, do you still pay? If the server was blacklisted during the send, do you still pay?

You can add clauses addressing these types of concerns into the e-mail list rental agreement, but this isn't done very often. Some list rental companies push back on putting these types of things in the contract; they may not be comfortable "vouching" for the legitimacy of their e-mail addresses or the ability of the server to avoid spam filters. If this is the case, think twice about working with them.

* Don't be so set on doing e-mail marketing that you shoot yourself in the foot. A lot of organizations stumble into questionable e-mail practices that end up tarnishing their brands (or candidates). Many say they didn't know any better. That doesn't erase the damage.

Educate yourself. Reading ClickZ on a regular basis is a good start. Take advantage of the many free e-mail newsletters out there about e-mail marketing. If you can, attend a few paid Webinars or conferences. The more you know, the better you can protect yourself.

Your Turn

Are there other steps your organization is taking to safeguard against these types of situations? See the "send feedback" link below? You can use it to start a dialogue with me and other readers. I encourage you to do so!

Until next time,


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is:

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2018 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy