An article at Government Technology comments on the recent rise of Mother's Day spam, referring to spammers trying to sell flowers, chocolates, and even baskets of fruit. They don't say who they have in mind, but from the list of products I'm guessing that they've been seeing the same spams that I have (and yes, The Fruit Company, we're looking at you).

Holidays are often an excuse for spammers to pull out the stops. No Christmas season is complete, for example, without a wave of spam promoting whatever unsaleable toy the spammers think they can unload (remember those little radio-controlled cars, anyone?). And Valentine's Day brings the flower shops out in force every year.

What the GovTech article doesn't mention is that many holiday-related spams aren't coming from the real 'outlaw' spammers, the hard-core don't-care-about-the-law botnet artists in the pillz'n'stocks sector. While some mothers might be thrilled to receive a pint of penis enlargement pills or three hundred shares in a dodgy smallcap stock, most prefer more traditional gifts. Traditional gifts require real product and a delivery infrastructure that the trash spammers aren't set up to provide.

Instead, holiday spam promotes companies that appear to be moderately reputable (or were seen as such, until spam started going out with their name on it). Instead of being sent via botnets, it's mostly posted through the various bulkmail operations that feed off syndicated and affiliate marketing companies. So, for example, spam pushing Grower Flowers and Gourmet Gift Baskets is being sent out by a bulkmailer that gets a lot of business from affiliate marketer Hydra Network. Spams advertising The Fruit Company are sent by what appears to be a different bulkmailer, but also redirect via Hydra Network's lynxtrack.com servers. Spam promoting Florist One is sent by a third bulkmailer, who mostly sends spam for clients of affiliate marketer AdKnowledge. And so on.

The bulkmailers serving the holiday spam market are mostly the bouncing bulkers that I've discussed before. They make their money by selling clicks and ad impressions to affiliate/syndicated marketing companies, who make their money by selling clicks and ad impressions to mainstream clients. Because of the separation between the client and the spammer, it's quite possible that the client is entirely unaware that their advertisements are being sent out as spam (it's also quite possible that they're not, or that they choose to turn a blind eye to the possibility). It's even possible that the affiliate marketers are unaware that some of their partners are wholly rogue, although the consistent correlation between particular spammers and particular marketers leaves some room for doubt on this issue. Has Hydra Network, for example, never received even a single letter of complaint about the bulkers who've been churning out ads for them month after month? That seems hard to believe, somehow.

So here's a question: what can be done about this pseudo-respectable spam? At the risk of sounding like a broken record, this was the kind of thing that we feared CAN-SPAM would make possible. Most of the bulkmailers in this sector take care to jump through the requisite hoops, providing addresses (real or invented) and 'opt-out' mechanisms that may or may not work. The messages are still unsolicited, of course, still sent to addresses scraped from websites and Usenet and traded around as 'verified opt-in mailing lists'. But if backed against a wall and asked to justify their actions, the marketers — and their clients — can always repeat the usual mantra: all our partners are fully CAN-SPAM compliant, all you have to do is unsubscribe.

That may be. But I'm still going to get my flowers and chocolate from someone else this year.

Update [19.05.2007] I've received a polite and helpful message from the Compliance Officer at Hydra Network, asking me to make clear that they do not tolerate or condone spam, and that they aggressively work to eliminate spammers from their affiliate network.