Spam Arrest: I Think I’ll Stay as Far Away as Possible
Today a client received an e-mail bounce-back from Spam Arrest, which provides a challenge-response system to stop automated junk mail. The first time a sender sends e-mail to a protected recipient, the sender must follow a link in the bounce-back message to a web page where, following user entry of a one-time verification code, the sender is identified as a legitimate e-mail sender.
During the past several years I have gone through the Spam Arrest verification process a few times and never thought much of it. But when I followed the link in the client’s e-mail, I saw something that, to the best of my knowledge, I had never seen before: the Sender Agreement reproduced toward the end of this post.
I was pretty shocked. In effect, the agreement requires that the sender send commercial e-mail only if the recipient has opted-in. Furthermore, the sender agrees to pay the recipient and Spam Arrest $2,000 for each violation of the agreement!
I’m not a spammer, but I do send a monthly e-mail to hundreds of recipients on an opt-out, rather than opt-in, basis in accordance with the CAN-SPAM Act of 2003. Nevertheless, if I were to agree to the terms of the Sender Agreement, I would subject myself to liability for liquidated damages of $2,000 per month. As a result, the next time I receive a Spam Arrest bounce-back, I probably will be forced to cease e-mail communication with the intended recipient.
Here are my thoughts about how Spam Arrest should be approached:
- Recipients / prospective Spam Arrest customers – Be sure that you want to impose an agreement that may be impossible for some legitimate senders to satisfy.
- Senders – Stay as far away from Spam Arrest as possible.
SENDER AGREEMENT – By clicking the “VERIFY” button above, and in consideration for Spam Arrest, LLC forwarding your e-mail (and any e-mails you may send in the future) to the intended recipient (the “Recipient”), you agree to be bound by the following Sender Agreement:
You represent and warrant to Spam Arrest and the Recipient that any e-mail you desire to send to the Recipient is not “unsolicited commercial e-mail” i.e., the e-mail does not primarily contain an advertisement or promotion of a commercial product, service or Web site; unless the Recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the Recipient’s own initiative. Further, you represent and warrant that your transmission of any e-mail does not violate any local, state or federal law governing the transmission of unsolicited commercial e-mail, including, but not limited to, RCW 19.190.020 or the CAN-SPAM Act of 2003. You understand and acknowledge that it is fair and reasonable that you agree to abide by the restrictions set forth in this agreement. You acknowledge and agree that this agreement is central to Spam Arrest’s decision to forward your e-mails to the Recipient. Accordingly, if you violate this agreement, Spam Arrest and the Recipient shall be entitled to (1) temporary and/or permanent injunctive relief to restrain any further breaches or violations of this agreement; and (2) damages in the amount of two thousand dollars ($2,000.00) for each violation of this agreement. You acknowledge that such remedies are appropriate and reasonable in light of the costs and expenses Spam Arrest incurs as a result of eradicating and filtering unsolicited commercial e-mail. You acknowledge that the $2000.00 remedy is a reasonable estimate of Spam Arrest’s and the Recipient’s actual damages. This agreement is governed by the laws of the State of Washington and the exclusive venue for any action related to this agreement shall be held in the state and federal courts located in Washington. You hereby waive any right to object to venue or jurisdiction based on inconvenient forum, lack of personal jurisdiction or for any other reason.
This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.
Skip
6/17/2009 | 1:42 pm Permalink
So if I put on a funny hat and fake mustache, go to a Starbucks, forward these emails to a random guy with a laptop (who’s using Starbucks’ Wi-Fi and IP address), offer him a cup of coffee for completing the verification process, and he does from his email address, what happens?
Dana
6/17/2009 | 2:28 pm Permalink
@Skip
You’re out $4 and your face itches?
The random guy peppers the recipient with endless spam – implicating you and making it appear that Spam Arrest has failed? (I gather this is your point.)
Perhaps I should ask Spam Arrest to comment.
Michael
6/17/2009 | 3:12 pm Permalink
@Dana
The agreement is there to protect our users. The challenge response system is the most effective anti-spam system out there, but we still include other safeguards and this agreement is one of them. While we’re not concerned with a single person authorizing a spam email or two, we do want to cover the possibility that sometime in the either near or distant future, the world will change such that human labor is so cheap that spammers will opt to use real email addresses and simply hire armies of workers to complete these challenges.
Again, we don’t see this happening anytime soon but it could and we want to be able to protect our customers.
Dana
6/18/2009 | 6:03 pm Permalink
I sent Spam Arrest an e-mail that (a) recommended a way to alter the terms of the Sender Agreement that would be more reasonable to senders, while still protecting Spam Arrest’s interests, and (b) asked for a reply to Skip’s scenario in Comment #1.
Spam Arrest did not reply to my proposed change to the terms, but did respond to the scenario, suggesting that if a third party has access to the sender’s bounce-back from Spam Arrest, then the sender is fortunate if all that happens is the third party submits a Spam Arrest verification.
My e-mail exchange with Spam Arrest follows, slightly condensed and reordered so you can read from top to bottom:
====================
From: Dana Shultz
Sent: Jun 17, 2009 2:37:11 PM
Subject: Spam Arrest Q on My Blog – -CF
The following contact form was submitted by “Dana Shultz”:
Contact Phone Number: 510-547-0545
———————————-
Please see my blog post, and comments, at
https://danashultz.com/2009/06/17/spam-arrest-i-think-ill-stay-as-far-aw
ay-as-possible/
Can you provide an answer to what would happen if the hypothetical raised in the first comment occurred?
====================
From: Spam Arrest Support [mailto:[email protected]]
Sent: Wednesday, June 17, 2009 3:41 PM
To: Dana Shultz
Subject: RE: Spam Arrest Q on My Blog – -CF (#8624-137105871-0224)
Hi Dana,
We posted a comment, but we just wanted to clarify the answer again. The purpose of the agreement is not to charge individuals who send an email that their friend happens to flag as spam nor is it even there to stop a small company who decides to authorize a few promotional emails. The agreement is put there to protect against a situation that has not happened yet, and that is one where a spammer somehow gets the resources to authorize millions of emails.
Right now, the inherent labor cost of authorizing replies from a huge spam campaign already proves to be too large for any spammer to absorb but we don’t exclude the possibility that this might change in the future.
Anyway, thanks for taking the time to write us. If you have any questions, just ask. Also, if
you’re still squeamish about clicking that link and authorizing your email, just send the link to support and we’ll authorize it for you.
Michael
Spam Arrest
====================
From: Dana H. Shultz
Sent: Jun 17, 2009 11:05:04 PM
Subject: RE: Spam Arrest Q on My Blog – -CF (#8624-137105871-0224)
Michael –
Thank you for the prompt reply. There are two issues that I hope you can address.
First, given the protection Spam Arrest is seeking, the language of the Sender Agreement is broader than it need be. Specifically, I have to agree that I will send commercial e-mail only to a recipient who has opted in. I use an opt-out approach, but what I send is not spam – it is commercial e-mail to people with whom I already have a relationship. I believe everyone (including Spam Arrest) would be better served by language that allowed e-mail that based on opt-in or to a recipient with whom the sender already has a business or personal relationship. (Your statement that mass-spammers are the intended target provides little comfort, because that limitation is not included in the Sender Agreement.)
Second, the first user comment posed a hypothetical situation where someone other than the actual sender of the bounced e-mail gains access to the bounce-back and does the verification. What would be the negative consequences for anyone involved in this type of situation?
Regards,
Dana
====================
From: Spam Arrest Support [mailto:[email protected]]
Sent: Thursday, June 18, 2009 4:33 AM
To: Dana H. Shultz
Subject: RE: Spam Arrest Q on My Blog – -CF (#8624-137105871-0224)
Hi Dana,
We appreciate your reply.
With regards to your scenario where someone gets the verification email, I suppose that the only way that would happen is if the individual had access to someone else’s mail. If all they’re doing is replying to verifications, then I’d say that person with the compromised email was very lucky. Again, the purpose of the agreement is not to get $2,000 where ever we can. To this date, no spammer has yet to defeat the challenge/response process and thus we’ve never had to pursue the agreement. We’d have no interest in pursuing anything smaller than an entity that found a way to mass authorize emails to a large section of our user base.
Thanks again for writing.
Michael
Spam Arrest
Rita Risser
6/25/2009 | 12:46 pm Permalink
Michael from Spam Arrest says “We?d have no interest in pursuing anything smaller than an entity that found a way to mass authorize emails to a large section of our user base.” – Well then, they can write the agreement that way!
Personally, I have never liked spam arrest because I know they are collecting my email address. Why should I give it to them? It particularly ticks me off when someone who I don’t know but who is legitimate, say a colleague in a professional association, sends me an email and when I reply I have to go to spam arrest. The least they could do is put me on a white list of something when they send me the email. Next time I get a spam arrest verification I will either just not reply to the person or call them on the phone.
Dana, you should put this out on PRWire, examiner.com, etc. People need to know!
Dana
6/25/2009 | 1:06 pm Permalink
@Rita Risser
Thanks for the suggestion (and your support). I just started trying to get this out to the press.
Gary Katz
6/25/2009 | 5:03 pm Permalink
Dana happened to come across a Spam Arrest verification request from me today, ironically. I have been testing Spam Arrest because I have so much junk in my e-mail box I can’t even conceive the set of rules to filter it out.
I’m still trying to figure out how Spam Arrest works and I hope I’ve managed to authorize everyone appropriate so they don’t need to go through the verification challenge process. Obviously, in this case I missed Dana. But fear not Dana, I have authorized your e-mail. If you get another verification challenge, something is wrong on the technology end.