Unix Technical Forum

CAN-SPAM Update: Have You Complied With the New Rules Yet?

  #1 (permalink)  
Old 07-02-2008, 05:11 AM
Realto Margarino
 
Posts: n/a
Default CAN-SPAM Update: Have You Complied With the New Rules Yet?




CAN-SPAM Update: Have You Complied With the New Rules Yet?

The Federal Trade Commission's latest update on CAN-SPAM
regulations takes effect July 7th, 2008. Is your email compliant?
Not sure?

We have the nitty-gritty on what the new provisions mean to email
marketers. The updates include:

- Good news (what didn't change)

- Five major provisions to review

- Definition of a sender

- How to handle re-subscribes

The Federal Trade Commission's latest updates to the Controlling the
Assault of Non-Solicited Pornography and Marketing Act of 2003
(CAN-SPAM) become enforceable on July 7, 2008. So, it's prime time
for a look at the updates - and at CAN-SPAM in general - to make
sure your email programs remain on the up and up.

Most email marketers didn't know all of the act's requirements two
years ago when the FTC last updated CAN-SPAM, according to a Web
Surveyor survey. No offense, but we doubt that many of you have been
grilling yourselves on the details since then.

"CAN-SPAM is something to keep front of mind for any campaign that you
run," says Ana Lucia Dunkle, Relationship Marketing Manager, A&E
Television Networks. "Obviously, you want to keep your marketing goals
as a top priority. But, in terms of your reputation as a sender, you
have to put [huge] importance on following the rules. When we heard
about the updates, right away we went back over our practices simply
to make sure that we will still be doing what we should be doing."

Dunkle and her team didn't procrastinate to make sure A&E was still
compliant.

The Good News

First, some good news:

- CAN-SPAM terminology is now better defined, giving marketers clearer
standards - that's a baby step in the right direction.

- We know exactly who a "sender" is now.

- The FTC kept the 10-day mandatory opt-out requirement in place after
mulling cutting it to three days.

- Nothing in CAN-SPAM will get you in legal trouble if you are sending
*permission-based* emails. (Note: We aren't attorneys; please check
with your own legal counsel.)

- The FTC will not designate additional "aggravated violations." In
other words, it won't go out of its way to engage in witch hunts.

5 Changes: A Close Look

To be clear, the new provisions are not cataclysmic, but they do touch
on a few points many marketers need to contend with.

The five key provisions from the FTC's 109-page document:


-> Provision #1. Unsubscribe requirements

You cannot require an email recipient to:

o Pay a fee

o Provide information other than their email address and opt-out
preferences

o Take more than these opt-out steps:

- Send a reply email message

- Visit a single Web page

Prohibiting a fee probably won't affect Sherpa's readers. But those of
you who make subscribers visit multiple Web pages to unsubscribe will
need to make some changes. Brands that require log-ins and passwords
to unsubscribe at a preferences center, for instance, need to change
their process, says Jeff Mills, Director of Sales & Strategy, eROI.

Mills offers a prime example: You get the mail for someone who no
longer works at your company. They signed up for a chunk of those
emails with a log-in and password. You can't unsubscribe because you
don't have that information. What do you do?

"Moving forward, for those marketers, making a sweeping change from
the current system to most likely a legacy Web system that doesn't
require a log-in - it's a much more daunting task than people on the
outside realize."

One option we've heard about: Embed individual passwords in the
unsubscribe URL. Then, when they click the unsubscribe button, no
log-in is needed. But such a process might be time-consuming. Check
with your ESP for possible solutions.


-> Provision #2. Definition of `sender'

A `sender' is now defined as the entity whose goods, services,
business, organization, etc., are advertised in a commercial email
message. This clarification makes it simpler to know which of multiple
parties advertising in a single email message is responsible for
complying with CAN-SPAM's opt-out requirements.

Take special note if you mail on behalf of other advertisers. This
modification allows for a `designated sender' - a single party that
will be responsible for complying with CAN-SPAM in those situations
where multiple parties may advertise in the same message.

For the most part, the name in the `From' line of an email becomes the
designated sender. They must comply with all provisions and follow
common best practices (i.e., listing a physical postal address and
presenting an in-message opt-out mechanism).

Note that a designated sender is not *required* in multi-party email
ads. Identifying an entity in the `From' line is mandatory, but the
FTC rule "does not eliminate the possibility that a message may have
more than one sender."

So, does each advertiser *need* to provide an opt-out link and a
postal address in a multi-party email? No, only the designated sender.

If one of your advertising partners is caught violating the rules,
however, having your address and opt-out mechanism in the message may
be the most sure-fire piece of evidence to suggest that you were
trying to comply. Being able to include your info may be something you
should request from the designated sender.


-> Provision #3. P.O. Box address OK

A `sender' can use an "accurately-registered" post office box or
private mailbox. This will meet the rule that a commercial email
present a "valid physical postal address." Prior CAN-SPAM rules did
not make that clear.

Emailers following best practices should already be posting a physical
address in their templates. But the FTC's go-ahead to use postal boxes
gives some relief to those bedroom-and-garage eretail startups and
eBay entrepreneurs who don't want business mail delivered to their
homes.


-> Provision #4. Definition of `person'

Get ready for a bit of legal jargon: A `person' now is not limited to
a human being. An FTC `person' includes groups, institutions,
unincorporated associations, businesses of all sizes and nonprofits,
as well as human beings. This definition leaves no doubt now that
nonprofits must abide by CAN-SPAM.

In short, if an email is perceived as promotional, CAN-SPAM applies to
that sender - nonprofits included.


-> Provision #5. Forward to a Friend

Brands doing `forward-to-a-friend' viral emails - where participants
are rewarded, incentivized or induced - must adhere to CAN-SPAM rules.
They must honor opt-out requests and provide a physical address to
people who receive the forwards.

"Under the new rules, an advertiser is considered the `sender' of the
forwarded email, and thus responsible for scrubbing the friend's name
against its `Do Not Email' list and ensuring that the forwarded
message has a functioning opt-out mechanism - among other
requirements," says Terri Seligman, Partner, Loeb & Loeb, LLP.
"However, in contrast to the FTC's earlier proposed rules, the final
rule acknowledges that simply encouraging consumers to forward a
message, without [incentives or rewards], does not subject the
advertiser to `sender' liability under CAN-SPAM."

A Web page that uses a `click here to forward' feature that lets
recipients forward a message or link to someone else - without
providing any further encouragement to do so - also is exempt.

CAN-SPAM Overview: `Do Not Email' Pain Point

OK, you have the latest on CAN-SPAM updates. Here's a refresher on a
couple of the act's key rules:

First, CAN-SPAM requirements might seem simple to comply with - just
implement your postal address and an opt-out link onto your email
template and abstain from `deceptive' subject lines, etc. But many
marketers overlook DNE (Do Not Email).

The act says, "Recipients of commercial electronic mail have a right
to decline to receive additional commercial electronic mail from the
same source."

This seems easy - just allow for opt-outs. But it's difficult for many
organizations to implement DNE because the opt-out isn't just for the
particular list that sent the mail. The opt-out applies to any
promotional email any list or staffer from your brand might send ever
again.

Example:

Company X sends a 20% off widgets sales alert to its house list. The
recipient, John@ISP.com, decides to opt out. Company X must remove (or
suppress) that email address from every single promotional mailing
that it sends, or is sent on its behalf, from now on.

Sound simple? Consider all the lists and databases that John@ISP.com
might be on. Perhaps an outside sales rep at Company X decides to send
a sales pitch to John@ISP.com. How about a Company X reseller or
distributor? What if Company X has an affiliate program? Perhaps it
has other widget-selling locations, branches, or franchises? Not to
mention a permission opt-in list that Company X's marketing team might
rent in the future.

All of these have to remove (or suppress) John@ISP.com before sending
a commercial message - even if that message complies with CAN-SPAM.
Company X could be sued if they don't.

However, is Company X in real danger if they ignore the suppression
rule and allow commercial email to be sent to John@ISP.com? Most
lawsuits will be filed against the big, obvious targets, such as
emailers that send offensive or deceptive messages to non-permission
lists. Even though you probably won't get caught, you are still
breaking the law.

When dealing with CAN-SPAM issues, it's best to talk to an attorney.
It's always better to err on the side of caution. The damage that can
be done to your reputation because of a single publicized legal bout
with spam could permanently damage your marketing career.

Re-subscribing is another CAN-SPAM gray area. Better-safe-than-sorry
interpretations say that marketers should never, ever send anything to
that address anymore. And any queries from a DNE-list address should
go unanswered.

We at Sherpa believe that you can return a DNE-list address to active
status if they choose to re-subscribe. But take extreme care and log
all contacts showing who contacted whom first. If you get a new
subscription request from a DNE-list address, treat it with kid
gloves. Your email vendor can suggest alternatives based on your
operating system, but here are two possibilities:

- At your Web site, requests coming from DNE-list addresses from a Web
form can trigger a warning page or pop-up alert reminding users that
they had previously opted out of email. It asks them to confirm the
request. If you get an affirmative, first remove the address from your
DNE list and then proceed with the subscription process.

- Email subscription requests can trigger an auto-responder message
with the same warning and confirmation request that would go on a Web
page. You might have to override your DNE protection to send that
email, though.

Requests that come from alternative channels - point-of-purchase
forms, customer-service dealings, etc. - must be handled almost case
by case. Again, your database manager or ESP might suggest a
more-productive method. We can't tell you exactly how to do it. But it
will depend on how your list software works and how you have
configured it to check against your DNE list for matching addresses
and preventing accidental mailings.

Also, it might not be a bad idea to incorporate a sentence or two
pointed at the rejoining subscribers in your welcome message: "And
thank you to those who have come back to our newsletter to learn more
about our products."


http://www.marketingsherpa.com/
http://ftc.gov/opa/2008/05/canspam.shtm
http://www.ftc.gov/bcp/conline/pubs/...s/canspam.shtm
http://www.google.com/search?hl=en&q...=Google+Search


cordially, as always,

rm

  #2 (permalink)  
Old 07-02-2008, 05:11 AM
Realto Margarino
 
Posts: n/a
Default Re: CAN-SPAM Update: Have You Complied With the New Rules Yet?




Obfuscated script code in malicious PDF files

One of the features of the Portable Document Format (PDF) is the
ability to embed JavaScript code within the document. With this
powerful scripting language at hand, the multimedia possibilities of
PDF documents can be enhanced by adding some interactive magic to them.
Of course, it didn't take long for malware authors to abuse this
interface for their evil deeds and they began to include malicious
scripts in PDF documents. In order to avoid detection, they are
already using strong obfuscation techniques and it's getting even
harder to manually decode and analyze these scripts if the origin of
the document is unknown. The reason for this is the key for the
decryption algorithm being outsourced -- it's not included with the
script anymore.

The nasty, unreadable script code is encrypted inside the malicious
PDF document. In order to execute the script -- or for a virus
scanner to detect it -- it first needs to be extracted from the
compressed stream of the PDF that it is stored in. A subsequent
closer look reveals the decoder using the 'location.href' property
-- which returns the current document's location (URL). Without
having the correct URL, attempts to decode the script will fail
and you'll only get rubbish, as the document's location is the
key used to encrypt the script.

But once the correct URL is provided as the script's key, it can
easily be decoded -- to another piece of obfuscated JavaScript code.
After having decoded that one as well, the original plain script code
becomes visible, unravelling exploit code that attempts to install
further malware.

http://www.google.com/search?hl=en&q...=Google+Search


cordially, as always,

rm
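
A triage sketch for the pattern described in the post above, as an added example that is not part of the original post: it inflates the compressed streams of a PDF and flags scripts that read the document's location, which tells an analyst the payload cannot be decoded without the URL the file was served from. The sample bytes are constructed and harmless; the function names and the property names other than `location.href` are assumptions.

```python
import re
import zlib

# Constructed, harmless sample: one FlateDecode stream whose script reads
# location.href, plus an object that references it as a JavaScript action.
SAMPLE_SCRIPT = b"var key = location.href; var out = decode(blob, key);"
SAMPLE_BODY = zlib.compress(SAMPLE_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(SAMPLE_BODY)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_BODY
    + b"\nendstream\nendobj\n"
    + b"2 0 obj\n<< /S /JavaScript /JS 1 0 R >>\nendobj\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
JS_ACTION_RE = re.compile(rb"/(?:JS|JavaScript)\b")
# location.href is the property named in the post; the other two are assumed
# variants that also expose the document's location.
ENV_PROPS = (b"location.href", b"document.URL", b"this.URL")


def inflate_streams(pdf_bytes):
    """Yield (index, inflated_bytes) for each stream zlib can decompress."""
    for index, match in enumerate(STREAM_RE.finditer(pdf_bytes)):
        inflater = zlib.decompressobj()  # tolerates the EOL before 'endstream'
        try:
            data = inflater.decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded, or damaged
        yield index, data


def triage(pdf_bytes):
    """Report JavaScript actions and streams keyed to the document location."""
    keyed = []
    for index, data in inflate_streams(pdf_bytes):
        refs = [p.decode() for p in ENV_PROPS if p in data]
        if refs:
            keyed.append({"stream": index, "env_refs": refs})
    return {
        "has_js_action": bool(JS_ACTION_RE.search(pdf_bytes)),
        "needs_origin_url": bool(keyed),
        "env_keyed_streams": keyed,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

When `needs_origin_url` is true, recover the URL the file was fetched from (for example from proxy or mail gateway logs) before attempting to decode the script.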

  #3 (permalink)  
Old 07-02-2008, 05:11 AM
Res
 
Posts: n/a
Default Re: CAN-SPAM Update: Have You Complied With the New Rules Yet?

On Tue, 1 Jul 2008, Realto Margarino wrote:

> CAN-SPAM Update: Have You Complied With the New Rules Yet?


> - The FTC kept the 10-day mandatory opt-out requirement in place after
> mulling cutting it to three days.


LOL, it should be an OPT-IN in the frickin first place, doesn't go far
enough, but that's of no concern to me really, since my daily spam reports
still show SA nukes only about 1% from the U.S and Europe with 95% still
from Asia (TW in particular), interestingly though, the earlier reports of
China getting tough appear true, they have dropped right off and are well
behind (TW,PH,IN,VN,ML,PK,HK,CN,TH) so well done to Chinese Govt for doing
something about it.


--
Cheers
Res
--- Usenet policy, and why I might ignore you ---
1/ GoogleGroups are UDP'd on my nntp server. If you use them, don't
waste your time or energy replying to me.

2/ If only cleanfeed filtered out trolls as well as spam, usenet would be
a nicer place.
  #4 (permalink)  
Old 07-03-2008, 04:58 AM
s. keeling
 
Posts: n/a
Default Re: CAN-SPAM Update: Have You Complied With the New Rules Yet?

Res <res@ausics.net>:
>
> from Asia (TW in particular), interestingly though, the earlier reports of
> China getting tough appear true, they have dropped right off and are well
> behind (TW,PH,IN,VN,ML,PK,HK,CN,TH) so well done to Chinese Govt for doing
> something about it.


Ah, they're just trying to pee off the US based bot masters, the
world's most prolific spammers.


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
All times are GMT. The time now is 01:41 AM.