SpamArrest is Spamming

"What SpamArrest is doing is similar to Microsoft spamming everyone who ever sent mail to your hotmail.com account, or AOL spamming everyone who emailed an aol.com account, and so on. But it's even worse because SpamArrest -- as a purported anti-spam service whose website warns users of the 'exponentially increasing problem of spam' -- should know better."

(It's actually worse than this quote suggests, as SpamArrest are spamming lots of people who have not only never sent email to an @spamarrest.com email address but also never sent mail to any customer of SpamArrest. Not that it would be OK or 'not spam' even if they were only sending mail to people who had mailed their customers).

Who?

SpamArrest is a fairly broken challenge-response spam-filtering system.

As part of their spam filtering they harvest the email address of everyone who sends email to one of their users, or who sends email to a mailing list one of their users is subscribed to.

They've recently decided to spam all of those harvested addresses. One example can be found here but I've seen dozens of other reports.

The spam sent violates California state law, and probably some others.

Their take on Spamming

When asked about this, Daryn Nakhuda believes their unashamed spam is a perfectly legitimate marketing approach:

I'm not going to attempt to justify our marketing efforts with you; however
I do want to provide you with the following facts to debunk some of the
rumors I've seen.

1. Every person who got this email from us has either sent an email to one
of our customers, or been added to one of our customer's whitelist
explicitly.  There was no dictionary attack.

2. We complied with both our own privacy policy, as well as
industry-accepted rules for sending email; such as 1. a valid return
address, 2. a functioning opt-out link, and 3. a clear subject line
including the advertising prefix "ADV:", which people who have spam filters
can look for and filter.

3. Our privacy policy is at http://spamarrest.com/privacy.jsp . You can
click the link and read it without any fear (in regards to Bill
Ries-Knight's warning). We do not use any stealthy means of capturing your
email address; you have to type it in, or send an email to one of our
customers.

4. We are a legitimate spam prevention service. Our website is not a false
front for a spamming business. Our customers prefer our sender-based
verification model to other content-filtering methods, and find our service
very successful in stopping the junk from entering their inbox.

5. I know people fear the opt-out link, but I want to reassure you and your
readers that clicking on this link is 1. safe, and 2. the only sure way to
remove your address from receiving future spam arrest promotions.

The number of critical points where this statement diverges wildly from reality is concerning.

Suggestions

To avoid spam from SpamArrest in the future, I would strongly suggest that everyone who doesn't want it:

  1. block all email from @spamarrest.com email addresses
  2. block all email from 66.150.163.128 - 66.150.163.191 (66.150.163.128/26) and 63.251.163.144 - 63.251.163.159 (63.251.163.144/28)
  3. avoid ever sending any email to any @spamarrest.com address (including support@spamarrest.com and abuse@spamarrest.com as they are harvested too)
  4. remove all @spamarrest.com email addresses from all mailing lists
  5. remove all email addresses that cause a spamarrest challenge from all mailing lists

It isn't adequate to just remove any @spamarrest.com email address from a mailing list. Any email address can be subscribed to a mailing list and then forwarded to SpamArrest, which causes challenges and harvests the mailing list participants' email addresses.
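Suggestions 1, 2 and 4 as a small filter, added here as an example and not part of the original page. The function names are hypothetical; the domain and ranges are the ones listed above, and the code also cross-checks that each listed first-last range collapses to the CIDR block given beside it.

```python
import ipaddress
from email.utils import parseaddr

BLOCKED_DOMAIN = "spamarrest.com"
# Ranges exactly as listed in suggestion 2.
BLOCKED_NETS = [ipaddress.ip_network("66.150.163.128/26"),
                ipaddress.ip_network("63.251.163.144/28")]


def range_to_cidrs(first, last):
    """Collapse a first-last range into CIDR blocks (sanity check of the list)."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def domain_blocked(address):
    """True for a mailbox at the blocked domain or any of its subdomains."""
    # parseaddr strips display names such as 'Name <user@host>'.
    domain = parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")
    return domain == BLOCKED_DOMAIN or domain.endswith("." + BLOCKED_DOMAIN)


def ip_blocked(client_ip):
    """True if the connecting client address is inside a blocked range."""
    try:
        ip = ipaddress.ip_address(client_ip.strip("[]"))
    except ValueError:
        return False  # unparseable: leave the decision to other filters
    # Dual-stack listeners can report IPv4 peers as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def should_reject(envelope_from, client_ip):
    """Suggestions 1 and 2: reject on sender domain or on client address."""
    return domain_blocked(envelope_from) or ip_blocked(client_ip)


def scrub_list(subscribers):
    """Suggestion 4: drop subscribers at the blocked domain."""
    return [s for s in subscribers if not domain_blocked(s)]
```

Domain matching cannot find subscriber addresses that merely forward to SpamArrest; those only become visible when a challenge arrives, which is why suggestion 5 is a separate step.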

SpamArrest are unavailable for comment by 'phone (their listed contact number on their website leads to a 'full' voicemail box and their registered contact information appears to be false - the voice number goes to a fax line). Their provider, Internap, are deeply confused as to whether they permit their customers to send spam or not.


Steve Atkins