When Spammers Use YOUR E-Mail Address?

AlphaOne asks: "Is there any legal recourse (in California or otherwise) for a spammer sending mail out with MY e-mail address as the forged 'from'? I have received an (only one for now, thankfully) 'undeliverable' message for an e-mail I never sent. Upon closer investigation, it looks like a bounce from a much larger mailing for a porn site. To make matters worse, the message is JavaScript encoded and I had to spend about 30 minutes decoding the message just to figure out who the spammer could potentially be. I'm confident I know at least who was paying for the spamming, but I may not be able to directly track down the spammer him/herself (as is so often the case). Does anyone know of a precident in a case like this? Is it worth litigating if I get bombarded with bounces, hate-mail, removal requests, or anything else?" SPAM is one thing, but cowardly spammers who have to use someone else's address for their crap advertisements is something else. What can one do in this situation?

Recourse, and precedent...

[Caradoc]

The infamous "flowers.com" case from Texas provides clear precedent for damages resulting from the use of someone else's e-mail address (or domain.)

Here's a good URL to print out and hand to your lawyer:

http://www.isoc.org/whatsnew/parkerjudgement.htm l

Other commentary from ZDNet:

http://www.zdnet.com/eweek/opinion/1201/01isigh. ht ml

"The judgment is interesting not just for the monetary damages (which seem small to me), but for the reasoning used by the judge: "The defendant's unauthorized use of that address constitutes a common-law nuisance and trespass," wrote Travis County District Judge Suzanne Covington. She also found that the reputation of flowers.com would be permanently damaged if "the hated practice" wasn't stopped immediately."

Contact a Lawyer, and The Police

[scotpurl]

This is a plain theft-of-identity case. They used your name, engaged in public activity that made you look bad, and it's going to cost you time and money to clean it up. (Start keeping a diary of when you work on something, and how long.) Also start contacting ISP's. Yours is a great first stop. Have them pull logs and such, and archive them. That's part of the proof that you did nothing.

Civil suit is fastest, as the Police in some parts of the country are either "duh" or "we're understaffed." Jourisdiction is another one. Civil suits have a wonderful way of cutting across boundaries.

Yeah, you'll spend a coupla grand on a lawyer, but I'll pledge $100 for your lawyer fund, right now.

Two Rumplestilskins for the price of one?

[AtariDatacenter]

In a way, it sounds like an interesting way to do a Rumplestiltskin type attack. You send the email to one (guessed) address. You send the email from another (guessed) address. If the name your sending it to is bogus, then it bounces back to the other name you guessed.

I hate the idea already.

Re:Actually there are several tools you can use

[jfunk]

Your fake email address is indeed fake. You might want to change it though.

nowhere.com is a real address. I'm not sure if they'd be happy with you using their domain in such a manner.

I recommend using a fake TLD instead of .com so that there would be no chance of you causing them problems. Use nowhere.fake instead.

Go after their business license

[coyote-san]

IANAL, but this happened to me last year. Their return address required a broken MSIE browser to parse, but my ISP was able to track them down. A polite note, ISP-to-ISP, about facilitating criminal fraud through impersonation since they were accepting messages sent with bogus headers got quick results. My position, which my ISP may have forwarded, is that I'm a reasonable person. I'm not looking for damages, I'm looking for LICENSING FEES. Specifically, the licensing fee required for retroactive permission to use my domain name in commercial solications by any entity other than my own business. (That business, technically, owns my domain, not me.) Since I'm oh-so-reasonable, this retroactive permission costs $500 per message, $2k per bounce message. Unless documentation of all messages sent is provided, our contract assumes one bounce message out of every 100 messages, plus a 50% surcharge for failure to maintain adequate documentation. So, for 250 messages please remit: TABLE DELETED BY SLASHDOT CENSORS The spammer had no reasonable expectation of any company being indifferent to the misuse of its corporate property, so they either committed a criminal offense or agreed to be bound by the terms of a contract. Since they didn't bother to contact me prior to this use, they implicitly agreed to its terms.Of course, I never expected to collect $20 million. But any ISP with a grain of salt would realize that small charges, multiplied by thousands of acts, would be enough that a contigency based lawyer could decide it was worth it to file a suit naming that ISP as co-defendant. In this case, since I didn't have an active web site at the time, it might have been marginal. But now that I'm bringing a web site online it will definitely include a legal notice that sending forged message without prior written approval constitutes acceptance of a binding contract, arbitrated in *my* state, to pay licensing fees. Minimum $5 million retainer, in cash, non-negotiable. Heck, for $5 million, I'll sell them my domain name. :-) It might hold up in court, it might not, but it should scare the pants off of their attorneys because it clearly prior notification of a contract. Contracts don't require signatures, they only require an overt act indicating consent. Such as sending a forged email header, something explicitly covered in that contract as an indication of acceptance - and something which a reasonable person would never do by accident. Especially hundreds of times with different bogus users and message content.

Congratulations, you've been Joe'd

[frankie]

Welcome to the club. This type of attack is called a Joe Job in geek speak. It's pretty common, especially if you've ever succeeded at getting a spammer booted off his provider. You should visit the SpamCop newsgroups; they are old hands at this and helped me with the same situation in mid-April.

My Joe was also a Javascript encoded porn ad -- it might have been the exact same spammer. Here's a clipping for comparison:

Received: from [195.6.76.211] (195.6.76.211) by amyris.wanadoo.fr; 20 Apr 2001 16:05:27 +0200
Message-ID: 00000b300739$00002642$00001399@62.168.16.146
To: Undisclosed Recipients
From: fuy1@umbc.edu
Subject: Just For You
[...headers abridged...]
html head title HardCore /title
meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-88= 59-1"
/head
body bgcolor=3D"#FFFFFF"
script
function Merlin( s ) { var sRet=3D""; for(j=3D0; j=3D8364) {n =3D 128;} sRet +=3D String.fromChar= Code( n - 3 ); } return( sRet ); }

The decoder tool at NetDemon revealed that the spam was for lolital.com and visit-x.net. I contacted their hosting providers as well as wanadoo.fr (the open relay) but I don't think anything came of it.

On the bright side, not a single angry recipient wrote back to me to complain. I guess everyone really does delete spam on sight ... or maybe they happily clicked to see HardCore Teens. ;-(

How about Libel / Slander?

[MadCow42]

Of course, IANAL, but doesn't this smell like Libel and/or Slander? In effect, they have slandered your name by making it look like you're advertising/promoting/advocating porn. This is especially true because of the type of spam they sent.

Libel and Slander cases can have pretty hefty payouts... your "good name" and "reputation" are damaged, and are worth money.

Lawsuits are never something that you want to do, but being slandered by spammers is something that you should NOT let continue. If you DON'T do anything, it's worse.

MadCow.

Spammer using your e-mail.

[dana_nutter]

File a criminal complaint and get a lawyer for a big lawsuit. Spamming alone is a misdemeanor offense in CA. Forgery is more serious.

There is a lot of information on these types of subjects at: www.suespammers.org. The discussion list is full of shared information on such cases.