Interpretation of the dictionary attack portion of the CAN-SPAM laws?
April 29, 2007 11:28 AM

I have a question about the interpretation of the CAN-SPAM laws. Specifically about the interpretation of: "(ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations."

Let's assume I have a record for a person containing 30+ fields relating to his place of work, phone number, address, title, company's revenues, employees, the SIC for his job, etc. I also have his first name, last name, his company's domain name, and the email address naming convention for his company:

First Name: John
Last Name: Doe
Convention: First Name DOT Last Name

Is it then prohibited to "obtain/generate":

To add to his current record?
To use for newsletter/marketing purposes?

This seems contrary to the above, which specifies generating numerous permutations. The quote from above was found here:


This also seems contrary to using "dictionary attacks" which are random, while this method of generation is not random, although it is true that sometimes it may not be a correct/working/usable address that is created.

I'm asking this question mostly with respect to subscribers to trade publications for business professionals, but it could also be for anyone who meets the above criteria.
posted by anonymous to Law & Government (12 answers total)
I'm not a lawyer, but I would read the text you quoted as applying to dictionary attacks. I don't think I would say that applies here (although it could be argued that this is just a very specific kind of dictionary attack constructed from a pretty good educated guess).

Still, if you are determining the recipient's mail address based on their name and their company conventions, then it seems pretty clear the person didn't give you permission to send, so I'd recommend against going down this route even if you decide it doesn't violate the law.
posted by willnot at 11:47 AM on April 29, 2007

IANAL but I did work in the marketing department of a law firm. We were told not to do exactly what you describe, for legal reasons.
posted by desjardins at 12:05 PM on April 29, 2007

It seems that what you're proposing does run afoul of the plain text of the law, at least if you're planning on doing it on an entire database of people.

You'll have employed an "automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations," to obtain the email address of the recipient.
posted by Mr. President Dr. Steve Elvis America at 12:27 PM on April 29, 2007

To clarify, the law doesn't appear to say that your automated process must produce numerous emails for each recipient. It says that the automated process must produce numerous emails, and the recipient's email must be derived from that automated process.
posted by Mr. President Dr. Steve Elvis America at 12:29 PM on April 29, 2007

You say you "have a record for a person." Did this person give you his information and ask you to send him your email newsletter? If he did not, you shouldn't subscribe him to anything.

Where I work, we frequently get lists from outside sources of contact emails for people we think might be interested in subscribing to our newsletter. What we do with those emails is send them each one personal message that tells them how we got their email address, why we think they might be interested in hearing from us, and what we do. We tell them that this is a one-time message and that they will never hear from us again unless they choose to. We then give them instructions for signing up for future communications from us. If they sign up, they receive our newsletter from then on. If they do not, they never hear from us again. I can't vouch for the legality of this method, but we've done it hundreds of thousands of times and don't receive many complaints about it, and we've never had legal action taken against us.
posted by decathecting at 12:51 PM on April 29, 2007

I don't think you are outright violating the language that you cited. There really needs to be a little more information here; for example, if you purchased the subscriber list and are planning an email campaign (when you bought the mailing addresses for a direct mail campaign), you are violating the agreement with the list vendor AND spamming because you do not have a prior relationship with the recipients and they didn't opt-in to receive email communications from you. If you are the publisher of that trade magazine and it is your subscriber database, you may have a little more leeway, but IANAL. Overall, the crux is that none of these people have opted-in to receive email communications from you. By "creating" email addresses from naming conventions and sending communications, you are essentially violating the spirit of the CAN-SPAM act, though maybe not the laws themselves.

If you are the owner of the list, you may want to consider sending an introductory email that makes your relationship clear, and then asks if they would like to opt-in to your newsletter or other marketing communications. Do not just add them without their knowledge to a list and start sending communications.

i.e. "XYZ Publications has just launched a weekly newsletter with additional insider content like that of our informative trade publications. As a valued subscriber of XYZ Monthly, we are offering you the opportunity to receive the newsletter packed full of news and information on ABC and 123. You may opt-in by visiting our site at ____ (include a hyperlink)." You need to also give them an opt-out button on that email if you send it.

On preview, decathecting.
posted by ml98tu at 12:55 PM on April 29, 2007

if you know the specific existing guy's name is john doe and you deduce on the basis of your knowledge of addressing conventions that his personal email is, it's a little farfetched to call this an automated process, no? it's a process of logical deduction such as one might use innumerable times in daily life. furthermore: you have indeed used your knowledge of the addressing system to generate john doe's email address, which might arguably be called an automated process, although i wouldn't say so; but you certainly haven't combined "names, letters, or numbers into numerous permutations." indeed, even if you deduced the addresses of the entire million-strong staff of, would that amount to combination into "numerous permutations" or just one systemic permutation? IANAL.
posted by londongeezer at 12:56 PM on April 29, 2007

londongeezer, if a person were to review each record in the database, and, using the information in the record, guess the person's email address, this might not be an automated process. If the computer performs this task itself, though, that's clearly an automated process.

As for the rest, the Asker is clearly suggesting combining "names" and "letters" into "numerous" permutations. In your hypothetical example, one million is surely "numerous" and each email address is a "permutation" of the "names" and "letters" in the database.

The law doesn't just forbid generating all possible permutations from a list of names. It forbids generating numerous such permutations.
posted by Mr. President Dr. Steve Elvis America at 1:24 PM on April 29, 2007

not a lawyer, but it would seem that any method of "guessing" an address for the purpose of adding someone to a newsletter list is still spamming no matter how well informed or educated the guessing procedure

you are aware of the penalties? it's thousands per incident and one email to one address is considered one incident

again, not a lawyer, but my understanding is there's no legal way to build these lists by starting with an email, people need to provide consent in advance by opting in, specifically to receive emails, via some other medium such as a web site before the first email arrives in their inbox or that first email is a surprise and spam
posted by scheptech at 1:24 PM on April 29, 2007

If you're going to "add it to his current record" but not send email to the address, then what's the point? Obviously, if you want to obtain this address, you're doing so in order to send him email (or to give/sell the address to someone else who will send him email).

So maybe the answer to this question depends on the nature of the email you're planning to send, and how that stacks up against the other parts of the law, and in what context you obtained the information you already have.
posted by staggernation at 2:36 PM on April 29, 2007

I find it annoying as hell when I get messages this way at my work address. I intentionally wouldn't patronize a business which does it.
posted by loiseau at 3:47 PM on April 29, 2007

Seconding loiseau.
posted by flabdablet at 6:38 PM on April 29, 2007
