Lawsuits Against Spammers

apc writes "Pretty good overview of the state of the law regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention." It talks about several different states and several different people who have won cases. I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

Technical / Social solution please

Instead of encouraging litigation, why don't we develop (easy) and attempt to gain acceptance (harder) of an authenticated e-mail format?

I would much rather see technical (or social) solutions to the spam problem... laws have a funny way of not going in our favor, don't they?

Re:Technical / Social solution please

Is there a technical solution?

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

If the spam is sent from within your own country, this makes using the law against the perpetrator easier, it doesn't remove the need for the law.

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.
Spam is behaviour that we can't stop, therefore we need laws to discourage it.

another tactic?

I saw this idea else where, and it looks promising enough that I want to share ....

One could extend the SMTP protocol for mail delivery so that (non-favored?) senders were forced to jump through some computationally expensive hoop before mail to local users will be accepted.

Currently SMTP looks like this:

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender ok
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

We could add something like (not real numbers):

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender untrusted, please give prime factor of 34576184516935692342934759132 to continue
>>> FCTR 345837413 250 Ok, you bothered...
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

The beauty of this is, putting support in sendmail would mostly be sufficient, and it lets you effectively add a cost per message without any sort of micropayments scheme, or giving up anonymity. I'd be curious what your reader groupmind thinks about this, or if the idea has been tossed around before?

- Mike Earl

Personally, I do not know the feasibility of this angle, although I am sure some expert with be willing to point out the flaws.

Making spammers pay

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

similarly, a solution that causes you to spend time implementing more technical solutions is costing you time, and probably money.

bottom line: Make the spammer pay.

In my original example, the smtp could also be set to have several levels of trust, with corresponding levels of computional feedback for the sender.

Issues regarding new technology

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Well, not exactly. You're right in that that's all it technically does for us. However, this leads us to two potential advantages:

• When the spammer is identifiable, they don't tend to last long because the volume of incoming complaints tends to overload the ISP.
• It makes it easier to create a groupware blocking system - for example, 10,000 people subscribe, and the system requires three subscribers to complain about an address before it's blocked. A spammer sends spam and it hits 8237 of the subscribers. The first three to see it click the "this is spam" button, and the system automatically removes the mail from the inboxes of the other 8234 subscribers who got it and blocks all future email from the sender.

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

You're right, but again, the volume of incoming complaints (and denial of service attacks) tends to make the ISPs balk at hosting spammers. Once they're tracable, the attacks begin, and the ISPs dump the spammers.

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly... because practically nobody is going to make a hard switch over to a new email system that will prevent most of their friends and associates from emailing them, and very few people are going to be willing to run two separate email clients. It would be best if the server-side software supported both standards as well, so server admins don't have to feel that they're getting an additional piece of software to support. Moreover, everything has to support every major platform and some of the more prominent minor ones so it can support a massive switchover and won't piss off users of any particular platform by not properly supporting them.

Java, anyone?

Re:Technical / Social solution please

Just because we won't use the law, it doesn't mean they won't. I suspect that any truly effective technical solution will meet the same fate as ORBS and MAPS with lawsuits.

Re:Technical / Social solution please

You're right but it would take away spammer's anonimity.

It would also take away everyone else's anonymity. Given the number of people who get sued by corporations for telling truthful but disparaging things, and given the number of "whistle blowers" who end up out of a job, or worse, do you really think that we should give up the ability to send anonymous e-mail just to avoid the inconvenience of junk mail? I sure don't.

Better yet...

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: mom@aol.com
667 foo.bar.com accepts payment of 0 cents
DATA
..
MAIL FROM: unknown_spammer@hotmail.com
250 unknown_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 200 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 200 cents
DATA
...
MAIL FROM: known_spammer@hotmail.com
250 known_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 1.0e09 cents
CASH: 82kd0xma893mcos0
666 foo.bar.com detects fraudulent/forged e-coin. Forwarding to fbi.gov

Re:Technical solution

I think a better resolution to the problem is to enforce a certain amount of purity in the mail headers.

If you are spam, you should mark your message as being such. If you are a mailing list, you should mark your message as being such.

And then we need to have a network of trust between the mail servers. Something lightweight enough that it works 90% of the time. Servers who are trusted are trusted that they will send out mail with proper headers. Servers who aren't trusted will get their mail bounced most of the time.

Thus, spam can be dropped on the floor at the option of any mail server. And server admins who don't mark spam as spam are marked as untrusted servers. At the option of the country that the mail server exists in, this can be declared as fraud.

I wrote up some notes on it on my webpage [wirewd.com] but I'm not sure how well it would really work in practice.

Cool site

Reminds me of that cool site where U can set the SMTP headers and send anonymous mail to freak ppl out, mischiefmail.com methinks..

Double standard

Why are lawsuits against spammers (and castration!!) fantastic but against open source guys -- like the GAIM author sued by AIM-owner AOL -- terrible. You can't have it both ways. Either the law applies on the net or it doesn't.

Personally, I'd prefer no laws -- even for spammers.

Business opportunity

Let's hope some people see this as a business opportunity, and start a business or organization to sue on behalf of all of us who don't bother now, and collect a percentage. So that more of us can use our lawful right to make the spammers pay for their nuisance.

We could donate proceedings of successful spam litigation to open source projects or to the EFF.

What we need

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

The article makes a good point about laws that require spam to be labeled. This isn't a solution, and there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT". This is a perfect example of laws being too specific - legislation has no business dictating changes to the SMTP protocol. This isn't useful either: shouldn't spam laws apply to more than SMTP? Say, ICQ spam? Internal AOL spam?

This is why we need a national spam law. No conflicts, no SMTP requirements, no opt-out. Make spam illegal, period. Spam is harassment, theft of service, and usually fraudulent. It costs ISPs millions of dollars that are passed on to YOU. Companies lose productivity because of workers receiving spam.

If you think this is any different from junk fax laws, you're kidding yourself. Spam and junk faxes both hurt the recipient. Spam is not free speech. Spam is not a constitutional right. Banning spam IS the right answer.

Laws define both sides

The problem with a national law, with any law, is that it defines "safe turf" for both sides.

If Congress debated such a law, I'm sure that the DMA would yell and scream and "compromise" that it is willing to make it illegal to send unsolicited email of a criminal nature. Outlaw the pyramid schemes, outlaw the cock&tit creams that don't have FDA approval, etc.

Meanwhile, in the same spirit of compromise, it's now Federal law that companies can ignore repeated requests that you be removed from their spam lists because you have a bona fide business relationship. It doesn't matter that this "relationship" was a one-time purchase of a Christmas present a decade ago for a person who's long been out of your life - you might need another left-handed bacon turner some day and if they can't sent you reminders, you'll buy it elsewhere!

Likewise the legislation would undoubtably protect affiliated businesses - the reason I briefly got investment solicitations from my car insurance carrier, until I made it clear they were about to lose the latter account. It will even protect attempts to woo you away from existing businesses - you drive, so therefore you should hear about Fly-By-Night insurance rates. And Bob's detailing shop. And on and on and on....

I'm not saying that legislation would never be appropriate, just that it's too early to do it at the national level. Let's get a clear concensus that spam is a problem, then use the federal law *only* to normalize things like mandatory subject lines.

Check out my latest piece of spam !

DEAR FRIEND !

Tired of not making enough MONEY ? HOW ABOUT $3000 PER WEEK OR MORE !
No, this is not a joke, YOU TOO CAN QUIT YOUR JOB AND MAKE THE MONEY YOU DESERVE !

HOW ?

Very recently, I have discovered that anybody on the internet receives "SPAM" emails, and that it is usuall possible to sue those "SPAMMERS". Most often, "SPAM" originates from VERY LARGE COMPANIES who have a LOT OF MONEY MOST OFTEN, and these companies don't want to lose their reputation in the "SPAM" industry, therefore they are usually willing to give plaintiffs A LOT OF MONEY to settle their claims.

I CAN ALREADY HEAR YOU SAY "HOW CAN I SUE SPAMMERS TOO AND RECEIVE A LOT OF SETTLEMENT MONEY ?" !

IF YOU SEND ME A RESPONSE AT THE EMAIL ADDRESS AT THE BOTTOM OF THIS MESSAGE, I'LL INTRODUCE YOU TO MY NEW BOOK CALLED "HOW TO SUCCESSFULLY SUE SPAMMERS AND RECEIVE A LOT OF SETTLEMENT MONEY". MY BOOK NORMALLY COSTS IN EXCESS OF $85 FROM NORMAL RETAIL CHANNELS, BUT ONLY FOR YOU, I OFFER YOU THIS INCREDIBLE MONEY-MAKING TOOL FOR ONLY $19.99 !!

DON'T PASS UP YOUR CHANCE TO MAKE THE MONEY YOU DESERVE. SEND ME A RESPONSE RIGHT NOW, OR CALL ME AT THE NUMBER BELOW.

THANK YOU DEAR FRIEND !

email: SUCKER_RESPONSE@HOTMAIL.COM
phone: 1-800-YOU-SUCK

**********

THIS IS A ONE-TIME EMAIL, YOU DO NOT NEED TO DO ANYTHING IF YOU DO NOT WISH TO RECEIVE ANYMORE INFORMATION ABOUT THIS INCREDIBLE OFFER.

The solution to spam.

The only reason spam is so prevalant is because there are still enough suckers out there who respond to it and buy into the schemes. We need to do one of two things. Either successfully educate the suckers so the spam becomes uneconomical, or compile a real list of suckers and find a way to convince the spammers to ONLY spam them, and not the rest of the world.

Neither of these things will happen, unfortunately.

-Restil

When will help arrive?

Most of us hate spam, but there are always those stupid users that click on every email promising another money-making opportunity. If you make an authenticated-mail protocol, that means everyone needs to use it, but those people targeted by spammers are the late adopters of new tech, so I don't think it would work too well.

www.xns.org

This is why XNS [xns.org] (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper [xns.org] on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

Re:www.xns.org

I like this.

But I can't see any reasable hope of pursuading people to replace DNS. But I suppose people won't care what kind of name lookup their email software is doing.... Hmm...

Or what about something like ICQ where you can say who you want to be able to receive communciations from. Anyone else you have to authorize before they can send you an actual message. I doubt spammers could be bothered to do this, they'd go find some other way to annoy people.

How about doing this?

Your email program looks at the headers of emails being received. If the message is from someone in your address book, or is from someone you sent an email to *recently*, or is from a recognised mailing list then you get the email.

If it does not fit any of those conditions, it must first validate the sender. To do this it sends back a message to the senders From address with instructions saying under what terms you are prepared to accept the email, and a code to send back saying that you accept those terms. Your client would then accept one, and only one message from that address to be delivered to you. If you want to accept more in future you can add them yo your local address book.
The fact that the "spammer" must explicitly accept your terms for accepting your email would give a lot more legal protection to filtering and blacklists of known spammers.

Hmm. Must think about this some, and implement something!

Re:www.xns.org

What makes you think that spammers who abuse and break various rules, regulations, and often laws will suddenly fall into line but until automatically agreeing to a meaningless unenforcable click-through license?

Sorry, doesn't sound like it will help stop "dickwads". Its just making new rules that they will break.

Ooh, a slashdot story on spam

Let me summarise:

Spam is Free Speaaech (A Troll)

No it isn't (Baittaker543)

Yes it is (Anonymous Spammer) 30 post thread snipped

No more government regulation (aynrand666) All problems have a technical solution. Just hit delete.

My webserver got RBL'd (warfire) So I've come here to cry instead of ditching my low-file ISP. Your technical solutions are no good.

I know more than you do (karmawhore23) I [spews.org] am [ordb.org] cleverer [sf.net] than you [slashdot.org].

Put the ball in the court of the ISP

The simplest reasons that spammers "get away with it":

1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.

A lot of people have already commented on #1 so I'm going to skip that one.

In short, the accountability should come to the ISP, because they are the ones you inevitably allow this to happen. @Home or similar could implement a per day limit on outbound emails, same for the fre services, Yahoo! and Hotmail. There needs to be a clearinghouse for spam notification, someone who tracks spam and spammers, period. Fines should be imposed on ISPs who allow bulk email to originate from their service. Their choice should be simple: don't let spam originate from your system or face the penalty (steep fines, this could be used to fund the clearinghouse). Leniency could be worked into this, an ISP may have X number of reports per day based on the number of IPs they have. X should shrink every year.

The clearinghouse should also be audited on a yearly basis and the results made public (what ISPs spam the most/least, amount of fines paid, etc)

Re:Put the ball in the court of the ISP

2) ISPs turn a blind eye or aren't as responsive as they should be.

YES! Most times that I get spam, I trace down the headers to find the source and report the spam to the ISP hosting the address, and the spam stops.

MOST times. It took a while to get through to hinet.net about their 'tom lee designs' spammer, but even then, when I finally got through to somebody the spam was stopped.

For the last three months, I've been dealing with wads of spam from what I believe to be the same spammer due to the headers:

• They all have the same style of random-fake-hotmail.com addresses
• They all bounce through hijacked foreign servers
• They all have the same 'X-Mailer' header ('X-Mailer: Microsoft Outlook Express 5.50.4133.2400')
• They are repetitions of the same 5-8 advertisements (most for dubious semi-medical supplements e.g. 'increase your ejaculation 581%','stop hair loss', etc. on www.poxteam2001.com)
• And, of course, they ALL come from the same bank of apparently Texan addresses on prserv.net (slip.12.64.*.mis.prserv.net).

The ISP in question is AT&T Global. (mail to abuse@prserv.net ends up at postmaster@attglobal). For the last three months or so, I've diligently forwarding the messages, with headers, to abuse@prserv.net (or postmaster@attglobal.net). Until recently, they've been universally coming back with form-letters saying 'this problem has already been reported'. Sometimes the spam stops for a day or two, sometimes it doesn't.

I even looked up their contact number on whois and called THAT a few times (the only human beings there seem to be overworked and underpaid tech support people). The last few days, I've been getting my reports returned in a form letter stamped 'not our domain', as if whoever's getting my messages at AT&T Global is either 'in on it' or just doesn't want to deal with it any more (or perhaps is's just a 'new guy' who's not used to dealing with the headers, or thinks that only AT&T Global user's complaints about spam from their network should be dealt with)....

Point is, with roughly 80 spam messages from the same spammer forwarded, the spam has continued unabated, and I honestly wonder if some salesdrone at AT&T Global's Austin, Texas area POP has an 'understanding' with the spammer and has been willing to re-sign him every time he gets kicked off. Unfortunately, none of the emails I've sent to 'postmaster@attglobal.net' requesting more information about the spammer (including requests on the order of 'who do I contact to find out the proper legal procedure for obtaining the spammer's identity so that I can look into taking action myself') simply come back with more form-letters, or are unanswered...

I called them again today (after last night's two spams came back from them stamped 'not our domain') and for the first time, actually got to speak to someone in the postmaster department. She actually seemed helpful and polite, so hopefully something might finally be DONE about this spammer...

So, anyway, to get back to the point - the ISP's are the ones who have the power to do something about spammers on their network, and if they choose not to, there ought to be some sort of recourse. Small ISP's, you can complain to their upstream provider, but when you're dealing with AT&T Global?....

'scuze the verbosity of this post - this particular spammer/ISP issue has me pretty irritated at the moment...

The Solution: email protocol that stops spoofing i

Block quoth the poster:
I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

There is a realistic protocol change that would make it impossible to spam without getting caught.

When the message arrives at the destination server, a confirmation packet is sent back to the alleged source with a checksum of the content of the message and a confirmation code. If the source has sent an email to the server that matches the checksum, it sends the confirmation code back to the server. If the server never recieves a reply with the confirmation code it sent out (in other words, if the alleged sender doesn't exist), it automatically deletes the email after 30 seconds. The whole cycle would last less than a second, depending on lag, so you wouldn't have to worry about losing email that you have sent unless you turn off your computer very quickly. This protocol would make it impossible to spoof IP/email addresses, etc, when sending email. Then the spammers could be tracked down easily and thrown in jail.

Jerry Cerasale can kiss my ass.

U.S. businesses generally oppose restrictions, equating advertising with free speech.

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

God DAMN IT, for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.

If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.

-jcr

Re:Jerry Cerasale can kiss my ass.

The analogy I like to use is:

You have the right to sell your product, but you do not have the right to break my window during dinner hour, climb in, come to me and interrupt my dinner to scream in my face that "MY PRODUCT WILL INCREASE YOUR EJECULATION 581%!!!!!" without even looking first to see if I'm a women.

Full text of Cerasale interview

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

This is revealing, however the real text of the interview is more so:

Interviewer: I'm calling regarding Congressional action on spam.

Jerry Cerasale: If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace.

I: But surely with all the ads for porn, casinos and viagra substitutes that you'd be competing with, it's not going to be of any use to you anyway.

JC: You're not listening. I said if you ban me from entering the marketplace. You can ban everybody else.

I: So you're saying you want to ban everybody except Jerry Cerasale from using spam?

JC: No, I want to ban unethical marketers from using spam.

I: How do you define unethical marketers?

JC: They're the ones that forge stuff and won't honor remove requests.

I: So won't they just start following that law and you'll still have the volume problem?

JC: No, because they're unethical marketers.

I: So who are the ethical marketers

JC: They're the DMA members

I: So if the unethical marketers join the DMA do they become ethical marketers?

JC: Of course.

I: Even if they still forge and don't honor remove requests?

JC: Yes. If they join the DMA, then what they are doing is ethical marketing.

I: Surely all the spammers will just join the DMA then and they can all spam.

JC: That's OK.

I: But then won't email be useless for everybody because of the volume? After all, there's got to be hundred of millions of potential marketers out there who might want to use it.

JC: Yes.

I: So you're opposed to laws that will make spam unusable for marketing?

JC: Yes.

I: But you realise that if the laws aren't passed, spam will be unusable for anything.

JC: Yes.

I: Including marketing.

JC: Yes.

I: So really your opposition to laws banning spam achieves nothing to protect it for marketing, and just succeeds in destroying it for everybody.

JC: That's right - if me and my DMA buddie's can't use it for our purposes, then nobody can use it for any purposes.

I: Isn't that a little childish.

JC: Well since they won't play by my rules I would take by bat and ball and go home, but I don't own the bat or the ball, so the only way I can stop them from playing is by destroying the bat and the ball.

I: Mr Cerasale, thank-you for your time.

JC: My pleasure.

The root of the problem

The problem isn't going to be solved by suing spammers. why? Well,
because spammers are spread out around the globe
Because spammers highjack networks to send out their bulk mail
Because a lot of spammers aren't even legit cies
Because it is too easy to spam from a bogus account, or for that matter from pretty much any email account using a bot that anybody can write.

All in all, spamming is as controllable as peer-to-peer, as long as people really want to spam, there's not much you can do against it. As long as there's money to make, people that don't have money will be tempted, and unfortunatly a lot of those people are in countries in which there is little or no legislation (not that's it's better in more developped countries)...

Suing spammers will only stop the big boys

Suing spammers will only stop the likes of Flooz.com (as quoted in the linked to article) and other large sites from sending spam (i.e., eBay/Buy.com, two companies I can't seem to unsubscribe from). I don't know about you, but the vast majority of spam I get is from individuals or very small companies, at least I'd assume it is. It's usually racked with spelling errors and grammatical no-no's, and are not ads for the latest mega-eCommerce site's sales, but for Viagra, toner cartridges, incredible wealth from a home-based business, "legal" ecstacy-type drugs, penis-lengtheners, and, of course, the usual solicitations from horny 18 year old lesbian cheerleaders.

Many of these spammers send from hotmail.com or from email addresses that are not in the US. So how would I go about suing them? Even assuming that I could sue them, how could I manage to go about collecting my settlement from them?

I'm afraid suing is not the answer to ending all spam, just a small class of spam.

At least this spam story is better than the last

When Spammers try to sue you (posted last week) [slashdot.org]

I have a feeling that should changes be made, the spammer (who shall remain nameless) mentioned in the story will be living in a cardboard box in the streets of Chicago. And for lunch every day, he will only be able to afford cans of SPAM Luncheon Meat

(I wish /. would allow me to post ASCII art of a can of SPAM Luncheon Meat). Oh well, guess I'm lame.

No female spammers

castration ? Does that mean all spammers are males ?

oNumber solved the spam problem, and it works

Signup at http://www.oNumber.net, and exchange oNumbers with friends. Avoid putting e-mail address on business cards etc and use oNumeber instead. By using the guest list system, only authorized people get to see your actual contact info. It's not free, but it's free of advertising and O'WONDER (who own oNumber) will not sell or release your info to anyone. Slashdot reader feedback encouraged.

RBL and SpamAssassin

I run my own mail server, running qmail with the rblsmtpd daemon, pointing at several "underground", i.e. not for pay, black hole lists. In addition, there are spam _content_ filtering tools out there such as spamassassin, which looks for common telltale fingerprints in email. WORK FROM HOME, MAKE MONEY FAST, etc. etc. etc.

It can be done, with a little work.

Bernard Schifman

Bernard Schifman may then sue you for trying to sue him for sending spam.

Don't the porn spammers realize?

I must have recieved 200 e-mails on "farm action" and "hot family sex." I've never visited any such site nor have I ever responded to their e-mails... what makes them think that I'm suddenly gonna be interested in these deviant sexual activities... they should offer uhm... I dunno... NORMAL sexual behavior? I mean, hot playmates and stuff. They've gotta get their act together and stop catering to this select audience of sickos -- rather, they should attempt to appeal to the masses.
Sorry. Venting. Thank you.

The laws in iowa

I was delighted the other day to find out that Iowa had an anti-spam law. I promptly requested 'remove' on all the 'psudo-opt-in' type spam (no, buying a list from someone does not mean that the people on it want your crap). Of course, under Iowa law I need to opt out before I can do anything, unless the spam is forged.

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

Are there any ways to find out who sends these out without incurring a large expense?

Hrm, I wonder how long before someone starts sending out "make money suing spammers, call today for your free kit." spam.

Truth in Advertising approach

I think it's time to apply Truth in Advertising standards to spam.

You say your product will help me lose weight? We send a rebuttal picture of your naked fat ass to everyone you know.

You say your product will make my penis gain 3"? We get testimonial from your two mercy fucks about how you need to use this product yourself.

You say your product will get me hot dates every weekend? We distribute a copy of your busy social calendar - with a note that you were stood up for the sole entry, your Jr. Prom in 1989.

And lest we forget it, you say your product will net me $50,000 in only 10 weeks? We show your credit card bills, and how even Miss Cleo has cut you off as a deadbeat.

The best thing of all si that this doesn't really require any new laws. (Well, the suggestions above do, but not the concept.) Don't just nail the spammers with small fines for sending spam, hit them with large fines for fradulant advertising, participation in criminal enterprises, etc.

Are the lawsuits worth it?

I've sued phone spammers, the type who use a machine that calls people and plays a recording, which as been blatantly illegal for almost 10 years.

I've won, but it takes more work than the $500 you win is worth even when you do win, and on average it's something you do only on principle and not for money.

And thus few do it. When I have been in court the judges/commissioners have said they don't often (if at all) see these cases.

Laws are not the answer to spam. In spite of what people say it is not just a question of "it's not a free speech issue it's a property issue."

Spam involves rights in conflict. It's a free speech issue AND a property issue AND a privacy issue, all in one. The answers are not so simple as these laws suggest.

Help: Spammers with Fax-Numbers to reply

i would be very happy if anybody could tell me a solution what to do with spammers, who only use Fax-Numbers to respond. I have a massive problem with a guy who is using my domainname as sender adress. He always sends via open relays in taiwan, korea and all these countries and he always includes to fax numbers in the US. I do get an average of 500 bounces per day from mails this guy sent, because the recipient does not exist. Since he uses my domain i get these bounces every day. I am now collecting every day IPs of the open relays this guy uses and submitting them to ordb.org Open Relay DataBase, but obviously this is not the way to stop this.

I read alot on pages dealing with spam, many of them were pointing to ftc.gov which one should contact if a company of the US is doing spammings. But besides reporting that guy what can one do. i cannot phone up the telco and ask them to shut down these well known numbers (i saw procmail recipies of other people who in their spamfilters had these fax numbers included)

any hints or help would be greatly aprreciated

What about....

What about spamming on instant messaging systems such as ICQ? I know that I can (and have) blocked people who are not friends, but are there any laws against spamming of that sort? Or do we just have to wait until it becomes a larger industry?

Companies should be doing the suing!

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Everytime someone forges an e-mail address using their domain name, and someone forwards it to abuse@something.com then it costs them money to research it. It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.

Don't they care about their PR? I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them?? I'll just keep assuming that till proven otherwise.

Class action lawsuits

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.

Well, maybe, perhaps not. Companies will sue if it's in their interest. If their network becomes good enough to handle the congestion from spam, and the amount of spam doesn't vary too much as a customer moves from ISP to ISP, it's conceivable that the providers might begin to view spam as the customer's problem (as they pretty much do now). And even if they do start suing- who benefits from that directly? Besides the obvious value as a deterrent to spammers, there isn't much justice being done if the plaintiffs are all going to be large ISPs. The parties most damaged by spam are the end users and especially the smaller ISPs.

I always thought class action lawsuits by the actual recipients of spam are the most logical way to counter spam if the approach is going to be via the courts. After all, have you ever received a single, individual spam that's caused you to consider taking the case to court against that particular spammer, with lawyers and court costs and all that hassle? With a judge that might ask "well why didn't you just hit delete?" And getting that single spam email message isn't really what you're suing over. It's the degradation of your daily routine, the tedium of having to delete a hundred emails a day year in and year out, the loss of almost a day of your life per year deleting countless messages about herbal Viagara and credit repair software and diplomas from prestigious non-accredited universities and hair loss and government grants info packages and an EZ way to consolidate debt and reducing all payments by 60% and frisky teens. Going to court over a single spam seems to miss the point. And it's expensive and inconvenient to sue as an individual, so a spammer might very well recognize that his individual spam probably isn't going to elicit a lawsuit if it isn't outrageous enough for a spammed plaintiff to choose as THE spam (out of the 10000 in his box) that he's going to go to court over. In fact, people tend to sue when the spam particularly offends them (e.g. when it talks about sex with minors, or has nude photos in it and is received by a minor). Unless things proceed to the point where every spam message sent out results in a lawsuit, a spammer that keeps his emails polite and sticks ADV in the header is pretty much safe from being sued. So you don't even get much of a deterrent effect.

Unless we switch to using class action suits, which don't have these problems if someone with the resources starts consistently nailing all spammers with them. It's much easier than taking a case to court yourself. Someone is doing the suing for you and you get to hang on like a million other freeloaders and enjoy the fruits of your class action. I almost wouldn't mind getting spam if I knew there was a chance that I could stick it to the spammer for a few cents along with thousands of other people. If I even got a fraction of a penny on average per message, we could still be talking about some serious money. And it certainly wouldn't be too hard to set up. In fact (if this were 1999) you could probably build a dot-com out of it somehow, to coordinate the spam submissions, identify plaintiffs and defendants, litigate in court, hire collections agencies, and process the payments back to all plaintiffs. That's more of a business plan than many dot-coms had. I think that if there weren't so many jurisdictional problems with the idea in general (and if there were more spam laws) someone would try this.

I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them??

Strictly speaking, even if it turns out the email wasn't from Microsoft, it still doesn't prove that Microsoft has nothing to do with bestiality.

Hash Cash

Here's an interesting method of reducing spam called HashCash [cypherspace.org]:

"Hash cash is an electronic payment system based on spent CPU cycles computing partial hash collisions. It finds particular use as a system for reducing unsolicited mail by requiring senders to include a small "payment" with each message.

Basically, you have to spend a certain amount of CPU time to send each message so sending large amounts of spam requires much more work. The reason n-bit partial hash collisions are used "is that they can be made arbitrarily expensive to compute (by choosing the desired number of bits of collision), and yet can be verified instantly." Sounds like an interesting idea, no? They've even produced a high rate of inflation for HashCash [cypherspace.org] because of Moore's Law. Plus it has a funky name

--jobby

Digital Postage is the only answer

Unsolicited bulk email is used with such frequency because it is so incredibly cheap. This convinces those who use it, that it has a positive return on investment. In order to reduce the amount of spam, it is necessary to increase the cost of sending it. Digital postage is the only way to reduce spam.

This would be analogous to the stamps used on snail mail, now. If nobody else steps up to the plate, some corporations will try to do this for a profit, or national governments will try to do it for control. The better solution, however, is some sort standards-based decentralized digital postage, where everyone can issue their own estamps. It is then up to each individual to decide, how much a spammer has to pay to get to their inbox.

Of course to be widely adopted, this has to be well integrated into email clients. It also has to be completely painless to insure that your friends always have enough of your stamps on-hand.

Once in place, the benefits include:
- less spam
- no need for email size limits, because there would be an obvious mechanism to allow billing for arbitrarily large emails
- automatic payment method for email based customer support

Sexist Punishment...

but I also believe forging SMTP headers should be legally punishable by castration.

So what you are saying is that only men can be punished for SPAMMING in your mind? I am sure there are women SPAMMING out there too! What part of their anatomy are you going to cut off? The National Organization for Women would like to know...

You can't legislate against stupidity

Read up on Bernard Shifman [petemoss.com]

I know hes been featured here on slashdot [slashdot.org], but Shifman just goes to prove you can't legislate against stupidity

Since congress likes free speech so much...

Start forwarding all the spam to Congress.

Non-domestic cases

What about countries without governments? What if someone spams from overseas? Or from a country with other problems on it's hands like Somalia, or Iraq? There isn't a way to punish them legally.

That's not the hacker spirit!

Legal enforcing laws instead of finding a technical solution that makes spoofing SMTP impossible in the first case? You should know better than that!

Long way to go, eunuchs!

legally punishable by castration

Long way to go, eunuchs!

It has to be said.. sorry...

That'll make them think twice before they pull another /Bernie/ /Shifman/ !

taiwan

i just want to know how to get rid of taiwanese spam that crashes my computer when it tries to download.

i'm using spamcop but it just keeps mutating and multiplying.

Forward SPAM to spammers

I get a lot of SPAM, it came all of a sudden and hasn't let up and the jerks won't take me off their list (okay, I was a little optimistic). So, I took the time to find the email addresses of the spammers (from their own web sites, from WHOIS, etc), and I simply add them to my "SPAM" filter which then sends a copy of each piece of SPAM I get to all of these addresses.

Will this fix the problem? No. Am I adding to the bandwidth waste, yeah. Sorry, but it was the best solution I could come up with.

One of the biggest offenders is a company in San Francisco. I live in Virginia and thought I'd try to sue them under VA law. The problem is collecting on an out-of-state spammer is difficult. So, I spoke to my cousin who is a lawyer in San Francisco and asked him if I could sue them under CA. law. For one thing, CA. allows for 5 times the compensation per e-mail than VA, which was very appealing. Unfortunately he said it probably wouldn't apply to an out-of-state recpient of the SPAM.

So, really, the only way to get rid of it in the States is to make a national law that's tough and easy to enforce. Otherwise, do what I do, pester them.

Relatively inexpensive technical solution

First, legislation is a good step, but it will not stop spam. Because the net is really world-wide. No US law is going to stop spam from Korea or Moldova.

Second, about 25% of spam I get is from first-time spamers. Every day some idiot salesman invents this new cool way of advertising. He might quite sincerely not understand the difference between direct mail and spam. He will learn eventually, but we would get spam anyways.

The real solution is to charge sender for sending mail. E-money won't work in the near future - there is no infrastructure for it. Instead, the mail recepient should bill his own ISP for every piece of mail. The per piece price cannot exceed a certain amount (let's say $1 or $5 or even $0.15). The ISP charges the sender's ISP for the cost and processing fee. The sender ISP passes the cost to the sender.

The infrastructure could be built the same way as HTTPS. If an ISP wants to participate, it gets a certificate from a root authority, sets a server for "SMTPS" and for billing. The SMTPS session is signed. There could be some price negotiation between SMTPS servers too. SMTPS would have to be properly amended.

This would be very similar to peering agreements between ISPs. The system could get started if 3-4 large digital carriers agreed on the standard. Others could join later.

Joke

Here's the joke:

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

Here's the punchline:

Jerry Cerasale
Direct Marketing Association
Washington Office
1111 19th St NW
Washington, DC 20036
UNITED STATES
phone: (202)955-5030
fax: (202)955-0085
web: http://www.the-dma.org

Contact List by Subject
Accounts Payable
webmaster@the-dma.org 212.768.7277, ext. 1353
Advertising - Print
webmaster@the-dma.org 212.768.7277, ext. 1423
Advertising - Web Site
kebeling@the-dma.org 212.768.7277, ext. 1554
Awards - ECHO
echo@the-dma.org 212.768.7277, ext. 1397
Benefits Program
twalsh@the-dma.org 212.768.7277, ext. 1423
DMA Store - Books & More
lrc@the-dma.org 212.768.7277, ext. 1930
Chapters
chapters@the-dma.org 212.768.7277
Conference Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
Conference Programming
conference@the-dma.org 212.768.7277, ext. 1513
Conference Exhibitors
conference@the-dma.org 212.768.7277, ext. 2469
Conference Speakers
conference@the-dma.org 212.768.7277, ext. 1528
Consumer Assistance
consumer@the-dma.org 212.790.1488
Councils
councils@the-dma.org 212.768.7277
Council Membership
councils@the-dma.org 212.768.7277
Council Events
councils@the-dma.org 212.768.7277
DMA Interactive
webmaster@the-dma.org 212.768.7277, ext.1629
Direct Connect
councils@the-dma.org 212.768.7277, ext. 1575
directvoice
mmicali@the-dma.org 212.768.7277, ext. 2422
Direct Marketing Educational Foundation
dmef@the-dma.org 212.768.7277, ext. 1817
The DMA Government Affairs Online Member Outreach Program
Governme@the-dma.org 212.768.7277, ext. 2405
Government Affairs
Governme@the-dma.org 212.768.7277, ext. 2405
Human Resources
hr@the-dma.org 212.768.7277, ext. 1338
International Services
Internat@the-dma.org 212.768.7277, ext. 1786
Library
lrc@the-dma.org 212.768.7277, ext. 1930
Membership - Joining DMA
membership@the-dma.org 212.768.7277, ext. 1155
Membership - Renewal
membership@the-dma.org 212.768.7277, ext. 1155
Seminar Information
customerservice@the-dma.org 212.768.7277, ext. 1500
Seminar Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
President's Office
Presiden@the-dma.org 212.768.7277, ext. 1604
Press Contact
Privacy
privacy@the-dma.org 212.768.7277, ext. 2408
Research
lrc@the-dma.org 212.768.7277, ext. 1637
Sweepstakes
Sweep@the-dma.org 212.768.7277, ext. 2475
Washington Report
Governme@the-dma.org 212.768.7277, ext. 2418
Web Site
webmaster@the-dma.org 212.768.7277, ext. 1629

Since he considers spam a legitimate business practice, make sure you forward all your "HOT WET PUSSY!" emails to him so he doesn't miss out on any great deals.

-Legion

Lawsuits *will* be effective

A single lawsuit won't do anything to stop spam, but once fifty or one hundred people start suing, it will get too expensive for many spammers. In Washington State, we've nearly a dozen folks filing lawsuits, some of them going for some serious amounts -- to the tune of tens or hundreds of thousands of dollars.

If you've got spam with a phone number or ordering address in it, you can (usually) track it down to a specific company or person. If it's only got a URL, like those mortgage spams, Washington litigants are filling out the contact forms on the site, then going after the mortgage company that contacts them. When these mortgage companies get hit with a lawsuit, they either want to settle right quick, or they rat out the spammer they hired. I've been focusing on spam with phone numbers, as I find it relatively easy and fun to track down the company behind the number. It may not always be easy to find the spammer, but it's not rocket science either. Anyone can do it given a little bit of time.

The Seattle Times had a good article [nwsource.com] on Saturday about the anti-spam law, some folks who've been using it, their wins, and the troubles they've encountered with the court system. The biggest issue in Washington is that court clerks and judges aren't fully educated about procedural issues like whether one can sue an out-of-state defendant or for punitive damages in small claims court. (The answer to both is yes.) It's been pretty frustrating for us "trailblazers," as the judges are saying contradictory and often quite stupid stuff.

Here's some nifty links:

• AboutSpam.com [aboutspam.com] - Bruce Miller's site
• Peacefire anti-spam suits [peacefire.org] - Bennett Haselton's site
• Smallclaim.info [smallclaim.info] - my site

For a copy of my 24 page zine, Zen and the art of small claims, send some stamps to PO Box 95227, Seattle, WA 98145. You can also just read it online at my site, but any zinester knows that it's just not the same.

What do they eat?

Do those spammers eat SPAM [mbnet.fi] while in prison?

Just wondering...

Why doesn't Cauce.org have any solutions posted?

I submitted this to askSlashdot and it's also in my journal entries, but shouldn't cauce.org have some proposed solutions to ending the spam problem? As in, laws that they think would actually work to benefit consumers, or mail server specs that would actually work to stop spam?

Technical solution

Authentication is perfectly acceptable - it would require a secure protocol and/or some sort of ISP resposbility. Anonymous Mail is simply a mad idea, and unnecessary, and after all, standard SMTP would still be in use anyway.

My personal solution to unsolicited mail...

This is an idea that has been bouncing around my head for a while, I hope to implement it some day.

I'm having problems with getting too much unsolicited mail too. The idea I had borrows from something I saw at http://www.godaddy.com when I went to do a whois on my records. Here's the idea:

First, I need a mailserver that will *only* accept incoming emails from a certain domain, the domain of my website. Then I set up my website with a form used to send me email. Then, and this is where I borrow from www.godaddy.com, throw up a random number on the screen using .gif or .jpg images (not text!!!), the user must manually type in that number for the message to be accepted. Then the webserver sends the message to my mailserver. If sombody attempts to send an email to my mailserver and it is from the wrong domain, or it doesn't have the right number, then *flush*.

Is this the perfect solution? Well, no. It kind of puts a block to forwarded mail. (Although if I blocked forwarded mail alltogether I think my mailbox would be a lot less messy...)

It's possible that some day somebody'd come up with a spider that can read the numbers and fake it, but my feeling was that if everybody customized their websites with their own fonts etc, it'd be hard to make a general purpose spider that can spam everybody.

If I ever get a static IP, it's something I intend to try. :)

Websites a good way to avoid spam?

I had another idea, it's a little extreme, but I think it's an idea that can be built off of.

I'm a member of a forum that talks about a particular interest of mine. Basically, I log in to a site, and my friends that are online (of that particular interest, obviously I won't find my mom on a CG Art board...) show up and I can message them and check out the recent posts. There is a personal messaging system there so I can send private messages to people. If somebody sends me one, I get a notification on the home page.

Basically, I've obscured the method it takes to get a hold of me. A good chunk of my friends are on that forum, a coupla more are on another forum, and the rest including family are on icq. I've basically weined myself from the need for e-mail. I wouldn't have it at all if sites didn't require it for authorization.

This makes it a lot harder for a spammer to reach me. If every site has a different (and constantly mutating) method of sending messages around, then it's so much harder for spammers to get through.

Whatcha think, sirs?

so many solutions, so much bullshit

Just keep heaping it on...

Laws won't work. Not now, not ever. There's no way in hell you're going to get all 300+ countries in the world to agree - and enforce - anti-spam laws. Many of these countries don't give a rat's ass if you've got a hardon about spam and will tell you to go fuck yourselves if you try to impose foreign law upon them. As is their right.

Your politicians will never use extreme measures to try to get anti-spam laws. No one will ever go to war over spam, or enforce an embargo of any kind. Spam just isn't that important.

Authentication of email, for those who haven't thought it through, allows dictatorial governments to more easily track dissidents. Especially in harsh regimes that tend to put a bullet in a dissident's head. Yeah, real bright solution, authentication is. Of course, those of us in the First World, excepting the U.S. which continues to rocket towards hell in a handbasket, generally don't have to worry about being shot by pissed off government types, so fuck the rest of the world, eh?

Deal with it, like we always have. Complain. Block spammers. Subscribe to blacklists. Find something more important to get your panties in a wad about.

Max

Make spammers pay

Go to www.overture.com, enter "bulk email" and click on some of the links.

Re:Castration?

But what if you're a female spammer/editor?

Re:Castration?

Hmm, considering that this is a website about Linux, and that most of the editors use ONLY Linux, how would they go about testing this? Under Wine? And if it gave an error, would that have been a Wine error, or an XBox emulation error?

The story was interesting, not because it was a hoax, but because it might NOT have been a hoax.

Re:"should be punishable by castration"

...or perhaps you aren't funny.

Re:Forging headers?

ISPs should agree to pull the plug on those who do not close their open relays, just like @home did with people not able to patch their bloody IIS.