The Bouncing Bulkers

When people think of spam, they most often think of the flood of ads for penis enlargements, cheap Viagra, pornography, so-called 'OEM' software, fake diplomas, stock spam and 419's, and all the other trash that fills our mailboxes. Typically sent through networks of hijacked PCs, this kind of spam doesn't even pretend to be legal or respectable. But alongside this 'outlaw spam', there's a second type. A relatively small number of operations are systematically sending large quantities of mail that — at least superficially — complies with the rather lax requirements of the CAN-SPAM Act. Using servers of their own to send and direct traffic, the 'bouncing bulkers' funnel recipients through a web of click-counters and 'affiliate marketing' hosts to a final destination website that may often belong not to some backroom pill salesman or software pirate, but to a nationally- or internationally-known company.

The typical characteristics of these operations can be briefly summed up.

  • They all send unsolicited mail, but they use their own servers to do so.
  • Their messages contain several URLs that point to 'throwaway' redirection domains with nonsense names.
  • The redirection domains mentioned in the messages change from week to week or even day to day.
  • If you click one of the URLs, you will be bounced through five or six redirectors before eventually landing on the target site.
  • One or more of the redirectors will usually belong to an 'affiliate marketing' company like commissionparadise.com, clicksmartaffiliates.com or lynxtrack.com.
  • The registration information for the redirector domains is usually false or hidden by a private registration.
  • The redirector domains contain little or no information to identify the real domain owner; at most, there may be an 'unsubscribe' form.
  • Messages are sent to addresses 'scraped' from the web or WHOIS data, or purchased as part of a 'spam list'.
  • The messages conform at least superficially to the requirements of the CAN-SPAM Act, including a reasonably informative subject line, a physical address, and a 'removal method'.
  • The messages contain web bugs and coded URLs to identify the email recipient.

The chain of bounces can be quite elaborate. To give an example, if you access one spam-advertised URL that points to 'solarshine.net', the server issues a '302 Found' response that sends you to 'mzvpwtb.com'. This host issues a second '302 Found', routing the request on to 'nbjmp.com', which replies with '301 Moved Permanently', sending you to a second URL on the same host. That URL loads a page that contains a META refresh tag that causes the user's browser to load the final target page at 'web-detective.com'. Other variants use Javascript or META refresh tags to steer the user to the next site. The process is transparent to the user — most users will not even notice that they have been bounced from server to server — but at each stage, the various redirectors get a chance to log whatever information is contained in the URL or cookies sent by the user's browser.
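As an added illustration (not code from the original post), the Python script below traces a chain like the one just described hop by hop, following 3xx Location headers and META refresh tags against a constructed stand-in for the spammer's servers, so an analyst can see every host that gets a look at the tracking token before the browser reaches the final page. The hostnames are the ones named above; the paths, the token and the fake fetch function are assumptions.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the redirector servers: maps a URL to the
# (status, headers, body) an HTTP client would get back. Hostnames are the
# ones from the article; paths and the 'abc123' token are made up.
FAKE_WEB = {
    "http://solarshine.net/r/abc123": (302, {"Location": "http://mzvpwtb.com/t?u=abc123"}, ""),
    "http://mzvpwtb.com/t?u=abc123": (302, {"Location": "http://nbjmp.com/go/abc123"}, ""),
    "http://nbjmp.com/go/abc123": (301, {"Location": "/land/abc123"}, ""),  # relative Location
    "http://nbjmp.com/land/abc123": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=http://web-detective.com/?ref=abc123">'
        '</head><body>Loading...</body></html>'),
    "http://web-detective.com/?ref=abc123": (200, {"Content-Type": "text/html"}, "<html>final</html>"),
}

# Matches <meta http-equiv="refresh" content="N; url=TARGET"> and captures TARGET.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)

def fake_fetch(url):
    """Stand-in for an HTTP GET (no network): look the URL up in FAKE_WEB."""
    return FAKE_WEB.get(url, (404, {}, ""))

def trace_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers and META refresh tags from start_url (JavaScript
    redirects are not executed). Returns hops as (url, status, how) tuples,
    where how is 'location', 'meta-refresh', 'final' or 'loop'. Stops on a
    loop, a dead link, or after max_hops so a misbehaving chain can't spin forever."""
    hops, seen, url = [], set(), start_url
    while url and len(hops) < max_hops:
        if url in seen:                       # same URL twice: redirect loop
            hops.append((url, None, "loop"))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            nxt = urljoin(url, headers["Location"])   # resolves relative Locations
            hops.append((url, status, "location"))
        elif status == 200 and (m := META_REFRESH.search(body)):
            nxt = urljoin(url, m.group(1))
            hops.append((url, status, "meta-refresh"))
        else:
            hops.append((url, status, "final"))
            nxt = None
        url = nxt
    return hops

def redirector_hosts(hops):
    """Distinct hostnames in chain order: every one of them saw the token in the URL."""
    return list(dict.fromkeys(urlparse(u).hostname for u, _, _ in hops))
```

Run against a real message only from an isolated analysis host, since every hop in a live chain is logged by the redirector and ties the token back to the recipient.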

You should be careful about clicking these links, incidentally, because the email address of the recipient is encoded in the link. Following the link confirms to the spammer that you've read their mail. In some cases, the address is encoded directly using a trivial substitution cipher. In other cases, the encoding may be more complex or the spammer may use a reference number instead of an address. The messages are also 'web-bugged' using the same encoding scheme, so even opening the message may be enough to ring the spammer's doorbell if you're not careful.

As mentioned above, the original messages are at least superficially CAN-SPAM compliant. Of course, the messages are sent to addresses that have been scraped from websites and WHOIS records or sold on by spam-list vendors, but CAN-SPAM only punishes that when the spammer has violated one of the other conditions — which is just one of the reasons why CAN-SPAM is really a spammer's charter.

It's not easy to work out who the real senders are. Some of them use private registrations to conceal their WHOIS contact data, while others register domains to dropboxes whose real owners can't be identified. In some cases, the contact data may be forged. The redirector sites themselves don't usually contain any identifying information: if you play around with the URLs a bit, you may eventually land up on a page with an unsubscribe form which might or might not mention the name of a (possibly fictitious) company.

The 'client' lists for these spammers run the whole gamut from the most dubious get-rich-quick and work-at-home schemes through small web-only businesses (which might also be termed 'spam-only' businesses, as they don't seem to advertise any other way) right up to some well-known national or multi-national corporations. Some of them even send stock spam (usually just a few messages, rather than the deluge we get from the botnet spammers). Because the penultimate redirector is usually a site belonging to a 'reputable' marketer, the owner of the final destination site has plausible deniability. They can always claim that they hired an affiliate marketing company to promote their products and that they are shocked, just shocked to learn that their good name ended up on a spam. The affiliate marketers, if pressed, can disclaim all responsibility and say that the spams were sent by persons unknown who are exploiting the affiliate system.

The real relationship between the spammers and the affiliate marketers — and their clients — is unknown. If the spammers are exploiting the affiliate system, they're doing so on a large scale, and I don't see any sign that the affiliate marketers are doing much to prevent this abuse. It's hard not to assume that there's some kind of complicity. In any case, 'affiliate' marketing schemes are pretty much an incentive to send spam, something that the marketers seem to tacitly accept. Those who have a reputation to protect officially disapprove of spam, but in practice most seem to be happy to accept clicks from anywhere.

Some of these operations are shown on my bulkmailers list as 'Unknown Bulkmailer'. Although the list currently contains eight distinct 'unknowns', there's reason to believe that some may be the same operation in different forms: in many cases, they appear to share customer lists and have other common features.

The bulkers are careful not only to change the names of their redirectors continuously, but also to scatter them around. For example, take a look at the redirector 'angelwingisbreaking.com' and you'll find that it's hosted in a netblock owned by Nine Star Advertising LLC. Nine Star has a California address, but their netblock is in Turkish IP space. A sister redirector site, 'magneticrecharge.net', is in TimeWarner Telecom netspace. A third, 'pullingoxygen.org', is located in an IP block belonging to Wholesale Internet of Missouri. All of this makes it harder for DNS-based blocklists to block them reliably.

These operations are perfect examples of what the ill-conceived CAN-SPAM Act has created. Their owners are well aware that their practices are abusive: senders of legitimate, solicited mail don't need to use redirectors that change their names and locations every week to avoid spam filtering. (Of course senders of legitimate email also don't send to 'scraped' or invented addresses and then put messages on their sites saying "You requested to receive this mailing by subscribing to one or more of our offers"). But it's relatively easy for them to comply — or give the appearance of compliance — with the CAN-SPAM Act, and to set up a structure that creates a separation between the spammer and their 'customers'.

Without being a fly on the boardroom wall, it's hard to tell how far the big-name 'clients' of these spam networks are actually complicit. Some, at least, must be aware of spam being sent in their name. A legal action brought by Hypertouch against coffee-maker Gevalia was settled out of court, but the flood of Gevalia-related spam sent by up to five bulkmail operations still goes on. Is someone 'gaming' an affiliate program set up on Gevalia's behalf, or are the spams bought and paid for by someone at Gevalia?

The "smoke and mirrors" approach used by the bulkmailers makes it almost impossible to say who's pulling the strings and signing the checks. And that, presumably, is the whole point.
