Slashdot Mirror


UCE Fallout - Newsletter/Mailing List Confirmations are SPAM?

battlemage asks: "According to this Article [heise.de; Google translation - pretty unreadable], a German court decided on 9/19/02 that the common confirmation E-Mails sent to new subscribers of newsletters could be considered unsolicited e-mail, aka SPAM, if they are sent to somebody who did not actually subscribe. According to German laws, this could actually mean fines for the site running the newsletter. They said it was the site owner's obligation to prove that somebody actually requested such e-mail. The question is, how would that be possible without e-mail and without cost-intensive Passport/ID/CreditCard-Checks? I do work on a website in my free-time, and we would probably like to offer newsletters in the future, but I'm now unsure how we could do that." Mailing list and newsletter admins in other countries might do well to keep an eye on this in case such laws migrate to their area.

36 comments

  1. Do it like the list servers. by Anonymous Coward · · Score: 0

    Only send your newsletter to subscribers who sent you a "SUBSCRIBE" mail.

    1. Re:Do it like the list servers. by Mr+Z · · Score: 2, Insightful

      It sounds like the problem list operators face is that Person A may forge a subscription request from Person B (say, as a prank). The confirmation letter that Person B receives but did not request is considered actionable spam. This places the list operator in a pickle.

      The irony is that the confirmation letter is the primary mechanism to prevent pranksters from signing up their targets en masse to a series of mailing lists.

      I think the intention is to punish those who send confirmation messages for which there is no outside subscription request as spam. That is, remove prankster Person A from the above sequence, and insert the list operator in their place. Such a scenario is similar to the "you've been preapproved to receive this blah blah; call 900-xxx-xxxx with confirmation number" type of snail-mail spam we receive.

      I would think the list operator could probably shed liability in the prankster case by claiming that the subscribe request was made under false pretenses, and so the list operator himself was defrauded. Thus, the spam is the liability of the person sending the forged subscription request and not the list operator or the recipient.

      --Joe
  2. Re:oh my god!! by Anonymous Coward · · Score: 0

    Hey, where do trolls hang out nowadays?

  3. Just an idea... by Xner · · Score: 3, Insightful
    My knowledge of the German language is sketchy, my knowledge of German law is absolutely non-existent. I would like though to try and propose a possible work-around.

    What about going full-disclosure about it?
    What about providing all the details of the request in the confirmation email, including timestamp, IP address, browser ID, referrer, etc?

    In that way, the recipient can see who was responsible for signing up and can take out their issues on them.

    Of course, the operator of the mailing list should be ready and willing to provide the same information under oath to a court of law.

    --
    Pathman, Free (as in GPL) 3D Pac Man
  4. TOU by Trane+Francks · · Score: 3, Interesting

    Write it into the terms of usage agreement for joining the newsletter that the user agrees to accept a confirmation e-mail to a user-specified e-mail address. To protect the user, create a server-side database that monitors sign-ups and disallows multiple-signups within a 24-hour period. Additionally, accounts for which no confirmation is received in, say, a 72-hour period would then be moved to an "unconfirmed" database. A user would get a second chance to join and ask for confirmation on this address and, if still unconfirmed, the account would be marked void.

    These are just some ideas on how to take care of it. Unfortunately, there's no real way to do this on the client side....at least none of which I can think.

    --
    ...a FreeDOS contributor: http://www.freedos.org/
    1. Re:TOU by Anonymous Coward · · Score: 0

      The problem is that the user never visited the webpage. Thus he wouldn't see or accept your terms of usage. The first confirmation email is already spam, technically speaking.

    2. Re:TOU by Anonymous Coward · · Score: 0
      > The problem is that the user never visited the webpage. Thus he wouldn't see or accept your terms of usage. The first confirmation email is already spam, technically speaking.

      Or just refuse to sign up anybody whose address ends in .de. People from Germany wanting to join can still contact the list administrator to be signed up manually... Anybody knows how to implement such a restriction on the subscriber address in mailman or majordomo?

  5. email the newsletter first by NevermindPhreak · · Score: 1

    you could have the newsletter subscribers email the newsletter maker first, with something like "subscribe" in the subject line. of course, there's always the possibility of forged email headers, making it seem like the email is coming from someone else, but i imagine that would be easier to defend in court

    1. Re:email the newsletter first by Anonymous Coward · · Score: 0

      Exactly. Of course web based list subscription is preferred, because it makes selecting the desired list easier for the user. But the situation is that I get fake "newsletter confirmation notices" which are only sent to confirm my email address for a spammer database. I'm sure I'll see spam itself disguised as newsletter description in a fake confirmation mail very soon. This is a problem which needs to be solved. We wouldn't want the judge to create a permanent loophole.

  6. Re:oh my god!! by Anonymous Coward · · Score: 0

    You youngsters don't know what it is to troll. Why, back in the day, before WIPO committed suicide, I remember when trolls would get 50 responses or more. Your puny first poster will be lucky to get 3 responses.

  7. Subscribe via mail by Bazzargh · · Score: 2

    It's incredibly easy to implement; when they submit their details, give them a link to an email whose subject or address contains a confirmation key.

    This might be a Good Thing for another reason. Whitelist antispam solutions can auto-subscribe you to mailing lists, if the list works by sending out a 'reply to join' message after you fill in a web page. If that practice was banned, implementing white lists would be safer.

    -Baz

  8. Human translation by soegoe · · Score: 5, Informative
    Court forbids sending unsolicited newsletter activation mails

    After companies offering e-cards, now senders of online newsletter could face extinction. In the opinion of the Berlin regional court, the unsolicited sending of a newsletter subscription by e-mail is an illegal advertisement.

    The applicant for the decision from September 19th, 2002, had received an e-mail, in which he was asked to click an activation link in order to be added to a newsletter mailing list. If he did not wish to be added, he should just delete the mail. The applicant considered this UCE and requested a cease & desist against the operator of the information service.

    The court confirmed in its decision again the current public opinion that the unsolicited sending of an e-mail with commercial contents constitutes an illegal interference with the business of companies receiving them. Private persons also have a right to be spared from such mails as stated in 1004, 823 sect. 1 of German Civil Law.

    The newsletter operator's objection that the applicant had signed in for the mailing list himself was not accepted by the court. In its opinion, the operator must prove that the applicant signed in personally. This couldn't be proved by the provider. The decision is seen controversially among jurists. The opt-in method for newsletters the decision is based on is used widely throughout the internet and was considered legally unobjectionable up to now.

  9. Just to put this clear... by soegoe · · Score: 4, Informative
    Okay, some people don't seem to "get" the problem stated in the article, so just for clarification:

    The newsletter operator used the standard procedure: Subscribe on the website, get a confirmation mail, reply to the mail. In the court's opinion, the problem is: Someone signs up for you, you get a confirmation mail you didn't ask for, so this is spam, so this is illegal. The only way to circumvent this would probably be digital signatures used during subscription.

    By the way: Yes, this decision is also considered crazy among German geeks.

    1. Re:Just to put this clear... by Anonymous Coward · · Score: 0

      Not so fast. I think the judge did the right thing. I do get fake confirmation messages and it's only a matter of time before this loophole is exploited on a large scale. If there were a standard email header to identify mail as coming from a mailing list, one could easily filter out all mails with that header which don't include a token that was given to the list server during subscription.

    2. Re:Just to put this clear... by n.wegner · · Score: 1

      That's not the only way. The list operator could just move the opt-in procedure to an email system (to:list, subject:subscribe) instead of the webpage, which makes more sense than that other option you mentioned.

    3. Re:Just to put this clear... by soegoe · · Score: 1
      > The list operator could just move the opt-in procedure to an email system

      As was already mentioned in another thread, e-mail headers can be faked ad libitum, so none the better...

    4. Re:Just to put this clear... by soegoe · · Score: 2, Interesting
      > I do get fake confirmation messages

      So do I. I consider them "the usual spam", nothing more, nothing less. I also get fake "Reply to your question" spam. Does that mean we have to outlaw all Reply buttons in e-mail clients?

      I agree with you in that the system - like so many others - can be exploited. The problem is that forbidding it does (in my opinion) more harm than good. What we have to do is go against spam and the spammers, not shut down the channels they (might) abuse.

      Don't mix up the medium with the message. Don't shoot the messenger.

    5. Re:Just to put this clear... by Anonymous Coward · · Score: 0

      If someone sends me a fake "Re:", that is spam, too, and would I take him to court for it, he'd better have a way to prove that I sent a mail to which he replied. With the current state of email, to prove of course means to make plausible. But while I would accept plausible email headers, an http-log wouldn't be enough in my opinion.

      I think going after spammers by dragging them to court is an exercise in futility. We have to shut down the channels which they abuse, but we have to do it by providing better channels which are not as easily abused.

    6. Re:Just to put this clear... by n.wegner · · Score: 1

      Some verification is probably a better legal defense than no verification.

    7. Re:Just to put this clear... by beebware · · Score: 4, Interesting

      But surely the site operator had the subscriber's IP address as well? I know a few times when I've joined mailing lists via the web, I've received an email along the lines "A request was made at xx-xxx-xx xx:xx:xx from IP address xx.xx.xx.xx to subscribe you to this mailing list. To confirm your subscription, please reply to this mail or click this link. If this subscription is in error, you do not need to do anything".

      This way both parties have knowledge of who attempted the sign up: if the email account owner claims the message is spam, then at least the mail-admin has got a third-party to blame.

    8. Re:Just to put this clear... by John+Hasler · · Score: 2

      > But surely the site operator had the subscriber's IP address as well?

      I get a different IP address every time I dial up my ISP. And then there's proxies...

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:Just to put this clear... by Neon+Spiral+Injector · · Score: 2

      ISPs log what user/phone number logged on at what time and was assigned which IP.

      Some proxies (like the ones provided by ISPs) also log the IP making the request along with a time stamp.

    10. Re:Just to put this clear... by WalterSobchak · · Score: 1

      I am a German Geek, and thought this was crazy...

      Until I recalled this email "Thanks for subscribing to the SuperPorn eMail Newsletter. To confirm blah blah blah". This clearly was Spam disguised as a confirmation eMail. My tip (and what I and a lot of people do) is to log the IP of the initial submitter. I want to know more about this specific case until I cry "idiot judges". It could have been someone sending spam disguised as confirmations.

      Just a thought -- Alex

      --
      Absinthe makes the heart grow fonder
  10. subscribing as other person.. by gl4ss · · Score: 2

    ..is fraud, yeah?

    like, it's not legal to order pr0n to your teacher.. with teacher as the paying recipient..

    --
    world was created 5 seconds before this post as it is.
  11. Apologies from those who don't sprecche.... by iq+in+binary · · Score: 2, Informative

    But aside from that, this company actually did not send this e-mail solicited.

    In other words, it wasn't a confirmation letter, it was an invitation. As well, if the e-mail had stated specifically that it was a confirmation and that the user had to have given them reason to send the e-mail, this case wouldn't have gotten as far as the court steps.

    --
    Of all the Universal Constants, here's one I know: Nice guys finish last ;)
  12. a possibility: pgp by Khopesh · · Score: 2

    most sites still need to confirm that an email address exists, but many of them deliver plain-text passwords.

    pgp keys could solve this, if tied to a certified third-party the way they are supposed to be. they could (should) eventually replace passwords altogether, with or without a period of secondary usage (secondary password, instead of maiden name).

    problem is most people (even a large number of /. readers) don't have keys, and many who do (like myself) have not bothered to register them with big validation groups.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  13. Re:a possibility: smarter courts? by MacAndrew · · Score: 2

    This could be the fault of dumb laws or confused judges, it is unclear here. But unless you agree in principle with the court's ruling, the absolute best thing would be to deal with the source of the problem --- and it's not the newsletters! Authentication and signatures and so on are a long way from practical use, and surely they're unnecessary here. A responsible mailer requires confirmation from the user (authentication) and does nothing further if none is forthcoming. Sounds pretty good.

    See how quickly a good idea (outlaw spam) can become a dumb idea (impede desirable mail)?

  14. Email this a friend by tdemark · · Score: 2, Insightful

    Wouldn't this ruling make all "Email this to a friend" links illegal?

    If I understand the ruling, if Person A causes site B to send an email to Person C, then Site B spammed Person C.

    How is this any different than the Email a friend feature of many sites?

  15. Interesting But a quick fix is there by pauldy · · Score: 3, Insightful

    if the last 3 digits of the email are .de then redirect the user to a page that says something to the effect.

    Due to the stringent confusing laws in Germany this site cannot afford the potential of being held liable for spam in Germany therefore you must use another e-mail account like those you can get for free at yahoo.com or yada yada.

    Seems you would at least be doing your part to make sure no one is using your site to flood someone else's mailbox.

  16. A definition of spam by Russ+Nelson · · Score: 3, Informative

    Here's a definition of email spam. A confirmation isn't bulk, so it's not spam. Did anybody make that point to the judge? That spam is not just any old unwanted email?
    -russ

    --
    Don't piss off The Angry Economist
  17. How can you ever reply to an email by Chacham · · Score: 2, Insightful

    How can you ever reply to an email? If the FROM header is forged (or even the REPLY-TO) a reply of any sort would be unsolicited. Otherwise, I'd say, let people subscribe by email (instead of through the web) then the reply would be solicited.

    It makes one wonder. The purpose of the confirmation is *specifically* to keep the addressee from getting unsolicited emails. Making that UCE is just plain silly.

  18. Interesting Idea by finity · · Score: 2, Interesting

    People who run news servers or list servers or whatever could, instead of sending out emails, run their own, kinda, pop server. People wouldn't send emails to it, but when you wanted to check the latest update or whatever, your email client would check the server for email and if there was an update, well it'd be there waiting for you.
    Has anyone thought of this before?

    1. Re:Interesting Idea by Anonymous Coward · · Score: 0

      It's called "the web" - message board, to be precise.

    2. Re:Interesting Idea by vegetablespork · · Score: 1
      Funny, but it's really not the same thing. Someone who wanted to keep up with a list could simply add another pop account to their email client, and the messages would then appear in their inbox. There would be no need to manually check web sites or other proprietary message boards.

      If you had said "it's called 'Usenet'," I might have been able to partially agree.

      --

      Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  19. Well it really is spam... by phr2 · · Score: 2

    but the perpetrator is the person who signed up for you, not the newsletter operator. Correct remedy is make the request forger liable.
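
An added example, not part of the original thread or any poster's code: the server-side bookkeeping proposed in the "TOU" comment above (24-hour sign-up throttle, 72-hour confirmation window, one second chance, then void), recording the request time and source IP that several commenters suggest putting in the confirmation mail. The class and field names, the HMAC-derived confirmation key, and the rule that an address never receives more than two confirmation mails are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
THROTTLE = 24 * 3600              # no repeat sign-up for an address within 24 h
CONFIRM_WINDOW = 72 * 3600        # confirmation must arrive within 72 h
MAX_ATTEMPTS = 2                  # first request plus one second chance

@dataclass
class Signup:
    requested_at: float
    source_ip: str
    attempts: int = 1
    state: str = "pending"        # pending | unconfirmed | confirmed | void

class SignupRegistry:             # hypothetical name, not a mailman/majordomo API
    def __init__(self):
        self.db = {}

    def _key(self, addr, rec):
        msg = f"{addr}|{rec.requested_at}|{rec.attempts}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def expire(self, now):
        """Move stale pending entries to 'unconfirmed', or 'void' after the second chance."""
        for rec in self.db.values():
            if rec.state == "pending" and now - rec.requested_at > CONFIRM_WINDOW:
                rec.state = "void" if rec.attempts >= MAX_ATTEMPTS else "unconfirmed"

    def request(self, addr, source_ip, now):
        """Return (confirmation_key, audit_line) if a mail may be sent, else None."""
        addr = addr.strip().lower()
        self.expire(now)
        old = self.db.get(addr)
        attempts = 1
        if old is not None:
            if old.state in ("confirmed", "void") or old.attempts >= MAX_ATTEMPTS:
                return None
            if now - old.requested_at < THROTTLE:
                return None
            attempts = old.attempts + 1
        rec = self.db[addr] = Signup(now, source_ip, attempts)
        return self._key(addr, rec), f"requested_at={now} from_ip={source_ip}"

    def confirm(self, addr, key, now):
        """Accept only the key issued for the current pending request."""
        addr = addr.strip().lower()
        self.expire(now)
        rec = self.db.get(addr)
        if rec is None or rec.state != "pending":
            return False
        if not hmac.compare_digest(key.encode(), self._key(addr, rec).encode()):
            return False
        rec.state = "confirmed"
        return True
```

The audit line returned by `request` is what would be quoted in the confirmation mail and kept in the operator's log; a forged sign-up can trigger at most two mails to the same address before the entry goes void.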