One interesting e-mail that recently found its way into my inbox was from an organization calling itself the “National Anti Spam Registry.” The site is filled with American flags and the Statue of Liberty and references to the recently-signed and about to go into effect federal CAN-SPAM act.
As I wrote in my recent analysis of that law, CAN-SPAM calls in Section 9 for a report by the FTC to relevant congressional committees to set forth a plan for “a nationwide marketing Do-Not-E-Mail registry.” This report would include an analysis of potential problems with such a list (and boy, would there be a lot of problems); and also specifically deal with childrens e-mail accounts.
The legislation also specifically mentions that the registry is not to be implemented less than 9 months after the enactment of the act. Its scheduled, I believe, for January 1, 2004, meaning that October 1, 2004 is the earliest that we could see its “nationwide marketing Do-Not-E-Mail registry.”
So now the NASR appears. If its not the registry envisioned by the new law, what is it?
Despite the flag waving, its authenticity is difficult to determine. The site is filled with misspellings and grammatical errors. Some of what the site claims to do is plainly phony, some of it tempting, but suspicious, and some of it is impenetrable gobbledygook.
But who is behind the National Anti Spam Registry? The only contact information on the page, apart from a few e-mail addresses, is a postal box in Hammond, La. Much more interesting is the Whois information for nationalantispamregistry.com. The addresses for all the contacts is in Tonawanda, N.Y., which is on the Niagara river just north of Buffalo.
On closer inspection, the zip code looks wrong (in fact, its not a valid zip code), and there doesnt appear to be a street with that specific name from the record in Tonawanda.
Now, its not illegal to put inaccurate information in Whois records, and its arguably a wise thing to do, but its suspicious from an organization trying to engender trust in the public. The phone contact is a Hammond number.
The FAQ and other descriptions describe a service that sounds vaguely like a centralized opt-out facility. One major criticism of the law is that it doesnt mandate opt-in relationships, but rather mandates that marketers honor opt-out requests. So the idea of the NASR is that you register with them and they handle all the opt-outs.
At the same time, its hardly clear that such a thing is possible; unless you grant the National Anti Spam Registry control over your mail account, it would be difficult indeed to do what they appear to be claiming to do.
Besides, this plan assumes that the opt-out will be honored. The NASR “How to avoid spam” page itself says “If you are receiving junk email NEVER respond to them and NEVER request to be removed, you are just confirming to the spammer that your email is active.” So how will this company opt-out for you without having the same problem?
The site also says “you can register your email address free to be submitted to the F.T.C and be included in the National Do Not Email registry.” Guess what: when there is such a registry you will be able to register your address yourself, almost certainly for free, and in all likelihood third parties wont be able to register you.
This pitch, in particular, reminded me of the first spam on Usenet years ago. It came from a lawyer offering to help people register for the green card lottery, which can be done for free, directly by individuals. As I recall, there was quite a stink that someone had posted off-topic messages on a newsgroup! It seems so quaint now, but eventually Usenet was ruined by such people, just as they are now trying to ruin Internet e-mail. The FTC recently shut down such an operation that posed as a government agency.
The Interview And The
So I called the phone number from the Whois record to ask the Registry what was up. Surprise—an actual human being answered, took a message and said that the NASR would call me back later that day.
Of course, I didnt hear from them again. Looks like the information we get about the NASR will have to come from their site, for what little thats worth.
In any event, youd expect an anti-spam registry to be sensitive about the use of private information, such as, just for example, your e-mail address. Instead, it appears that private information can be passed around to strangers and their friends, as long as they become part of the “National Anti Spam Registry group.”
Heres the text in question:
This doesnt give me a warm fuzzy about registering with the National Anti Spam Registry Corp. It tells me that I will get e-mail from other companies with which I did not register. “Anti Spam Registry” indeed! In addition, I dont take much comfort from the companys assertion that I can opt out later.
So CAN-SPAM is not even up and running and were already seeing entrepreneurs sleazing off of it. Not an uplifting story; perhaps the more they try to fix the problem the worse it will get.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer