Lawsuits Against Spammers
apc writes "Pretty good overview of the state of the law
regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention."
It talks about several different states and several different people who
have won cases. I still think it's fairly hopeless, but I also believe forging
SMTP headers should be legally punishable by castration.
Instead of encouraging litigation, why don't we develop (easy) and attempt to gain acceptance (harder) of an authenticated e-mail format?
I would much rather see technical (or social) solutions to the spam problem... laws have a funny way of not going in our favor, don't they?
Personally, I'd prefer no laws -- even for spammers.
Let's hope some people see this as a business opportunity, and start a business or organization to sue on behalf of all of us who don't bother now, and collect a percentage. So that more of us can use our lawful right to make the spammers pay for their nuisance.
We could donate proceedings of successful spam litigation to open source projects or to the EFF.
What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.
The article makes a good point about laws that require spam to be labeled. This isn't a solution, and there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT". This is a perfect example of laws being too specific - legislation has no business dictating changes to the SMTP protocol. This isn't useful either: shouldn't spam laws apply to more than SMTP? Say, ICQ spam? Internal AOL spam?
This is why we need a national spam law. No conflicts, no SMTP requirements, no opt-out. Make spam illegal, period. Spam is harassment, theft of service, and usually fraudulent. It costs ISPs millions of dollars that are passed on to YOU. Companies lose productivity because of workers receiving spam.
If you think this is any different from junk fax laws, you're kidding yourself. Spam and junk faxes both hurt the recipient. Spam is not free speech. Spam is not a constitutional right. Banning spam IS the right answer.
U.S. businesses generally oppose restrictions, equating advertising with free speech.
"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.
God DAMN IT, for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.
If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Example protocol:
220 foo.bar.com CASHMAIL System
...
HELO
250 foo.bar.com Hello
MAIL FROM: spammer@mail.com
250 spammer@mail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 20 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 20 cents
DATA
I think some work in the IETF has been done on spam prevention, but no one has even tried to standardize it.
The problem isn't going to be solved by suing spammers. Why? Well,
Because spammers are spread out around the globe
Because spammers hijack networks to send out their bulk mail
Because a lot of spammers aren't even legit cies
Because it is too easy to spam from a bogus account, or for that matter from pretty much any email account using a bot that anybody can write.
All in all, spamming is as controllable as peer-to-peer; as long as people really want to spam, there's not much you can do against it. As long as there's money to make, people that don't have money will be tempted, and unfortunately a lot of those people are in countries in which there is little or no legislation (not that it's better in more developed countries)...
Imperium et libertas
Autocracy and freedom
Many of these spammers send from hotmail.com or from email addresses that are not in the US. So how would I go about suing them? Even assuming that I could sue them, how could I manage to go about collecting my settlement from them?
I'm afraid suing is not the answer to ending all spam, just a small class of spam.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.
Signup at http://www.oNumber.net, and exchange oNumbers with friends. Avoid putting e-mail address on business cards etc and use oNumber instead. By using the guest list system, only authorized people get to see your actual contact info. It's not free, but it's free of advertising and O'WONDER (who own oNumber) will not sell or release your info to anyone. Slashdot reader feedback encouraged.
O'WONDER
We're working on it.
YES! Most times that I get spam, I trace down the headers to find the source and report the spam to the ISP hosting the address, and the spam stops.
MOST times. It took a while to get through to hinet.net about their 'tom lee designs' spammer, but even then, when I finally got through to somebody the spam was stopped.
For the last three months, I've been dealing with wads of spam from what I believe to be the same spammer due to the headers:
The ISP in question is AT&T Global. (mail to abuse@prserv.net ends up at postmaster@attglobal). For the last three months or so, I've been diligently forwarding the messages, with headers, to abuse@prserv.net (or postmaster@attglobal.net). Until recently, they've been universally coming back with form-letters saying 'this problem has already been reported'. Sometimes the spam stops for a day or two, sometimes it doesn't.
I even looked up their contact number on whois and called THAT a few times (the only human beings there seem to be overworked and underpaid tech support people). The last few days, I've been getting my reports returned in a form letter stamped 'not our domain', as if whoever's getting my messages at AT&T Global is either 'in on it' or just doesn't want to deal with it any more (or perhaps it's just a 'new guy' who's not used to dealing with the headers, or thinks that only AT&T Global users' complaints about spam from their network should be dealt with)....
Point is, with roughly 80 spam messages from the same spammer forwarded, the spam has continued unabated, and I honestly wonder if some salesdrone at AT&T Global's Austin, Texas area POP has an 'understanding' with the spammer and has been willing to re-sign him every time he gets kicked off. Unfortunately, none of the emails I've sent to 'postmaster@attglobal.net' requesting more information about the spammer (including requests on the order of 'who do I contact to find out the proper legal procedure for obtaining the spammer's identity so that I can look into taking action myself') simply come back with more form-letters, or are unanswered...
I called them again today (after last night's two spams came back from them stamped 'not our domain') and for the first time, actually got to speak to someone in the postmaster department. She actually seemed helpful and polite, so hopefully something might finally be DONE about this spammer...
So, anyway, to get back to the point - the ISP's are the ones who have the power to do something about spammers on their network, and if they choose not to, there ought to be some sort of recourse. Small ISP's, you can complain to their upstream provider, but when you're dealing with AT&T Global?....
'scuze the verbosity of this post - this particular spammer/ISP issue has me pretty irritated at the moment...
Hacker Public Radio is our Friend
I must have received 200 e-mails on "farm action" and "hot family sex." I've never visited any such site nor have I ever responded to their e-mails... what makes them think that I'm suddenly gonna be interested in these deviant sexual activities... they should offer uhm... I dunno... NORMAL sexual behavior? I mean, hot playmates and stuff. They've gotta get their act together and stop catering to this select audience of sickos -- rather, they should attempt to appeal to the masses.
Sorry. Venting. Thank you.
I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Every time someone forges an e-mail address using their domain name, and someone forwards it to abuse@something.com then it costs them money to research it. It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.
Don't they care about their PR? I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them?? I'll just keep assuming that till proven otherwise.
Unsolicited bulk email is used with such frequency because it is so incredibly cheap. This convinces those who use it, that it has a positive return on investment. In order to reduce the amount of spam, it is necessary to increase the cost of sending it. Digital postage is the only way to reduce spam.
This would be analogous to the stamps used on snail mail, now. If nobody else steps up to the plate, some corporations will try to do this for a profit, or national governments will try to do it for control. The better solution, however, is some sort of standards-based decentralized digital postage, where everyone can issue their own estamps. It is then up to each individual to decide how much a spammer has to pay to get to their inbox.
Of course to be widely adopted, this has to be well integrated into email clients. It also has to be completely painless to ensure that your friends always have enough of your stamps on-hand.
Once in place, the benefits include:
- less spam
- no need for email size limits, because there would be an obvious mechanism to allow billing for arbitrarily large emails
- automatic payment method for email based customer support
Well, not exactly. You're right in that that's all it technically does for us. However, this leads us to two potential advantages:
- When the spammer is identifiable, they don't tend to last long because the volume of incoming complaints tends to overload the ISP.
- It makes it easier to create a groupware blocking system - for example, 10,000 people subscribe, and the system requires three subscribers to complain about an address before it's blocked. A spammer sends spam and it hits 8237 of the subscribers. The first three to see it click the "this is spam" button, and the system automatically removes the mail from the inboxes of the other 8234 subscribers who got it and blocks all future email from the sender.
You're right, but again, the volume of incoming complaints (and denial of service attacks) tends to make the ISPs balk at hosting spammers. Once they're traceable, the attacks begin, and the ISPs dump the spammers.
The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly... because practically nobody is going to make a hard switch over to a new email system that will prevent most of their friends and associates from emailing them, and very few people are going to be willing to run two separate email clients. It would be best if the server-side software supported both standards as well, so server admins don't have to feel that they're getting an additional piece of software to support. Moreover, everything has to support every major platform and some of the more prominent minor ones so it can support a massive switchover and won't piss off users of any particular platform by not properly supporting them.
Java, anyone?
The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.
Similarly, a solution that causes you to spend time implementing more technical solutions is costing you time, and probably money.
Bottom line: Make the spammer pay.
In my original example, the SMTP could also be set to have several levels of trust, with corresponding levels of computational feedback for the sender.
"It is a greater offense to steal men's labor, than their clothes"
Hmm? You hash the message so you can't just store them on a CD.
The idea is not to stop people from SENDING spam, it's to stop you from having to SEE the spam.
For a message to be valid you must first make up a bignumber
K = random || hash(message) || time
Then you send to the user K^(2^T) mod N.
Your "attack" won't work since each user has their own N. So if you want to build up a huge table of valid numbers you can, but they will only work for one user.
I'd suggest you actually read the posting before attacking it.
Someday, I'll have a real sig.
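The stamp scheme from the comment above, as an added example that is not part of the original thread: the sender computes K^(2^T) mod N by T sequential squarings, and the recipient checks it cheaply. It assumes the recipient knows the prime factors of their own N (the comment does not say so), and the key values, T, MAX_AGE and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy keys: each recipient's N = p*q from well-known Mersenne primes.
# Assumption: real recipients would use large random primes and keep them secret.
ALICE = (2**61 - 1, 2**89 - 1)
BOB = (2**107 - 1, 2**127 - 1)
T = 20000        # sequential squarings demanded per message (hypothetical setting)
MAX_AGE = 3600   # seconds a stamp stays valid (hypothetical setting)


def make_k(nonce: int, message: bytes, timestamp: int, n: int) -> int:
    """K = random || hash(message) || time, read as an integer and reduced mod N."""
    raw = (nonce.to_bytes(16, "big") + hashlib.sha256(message).digest()
           + timestamp.to_bytes(8, "big"))
    return int.from_bytes(raw, "big") % n


def mint_stamp(nonce, message, timestamp, n, t=T):
    """Sender: knows only N, so must square T times, one after another."""
    x = make_k(nonce, message, timestamp, n)
    for _ in range(t):
        x = x * x % n
    return x


def verify_stamp(nonce, message, timestamp, stamp, key, now, t=T):
    """Recipient: knows p and q, so reduces the exponent 2^T mod phi(N) first."""
    p, q = key
    n, phi = p * q, (p - 1) * (q - 1)
    if not 0 <= now - timestamp <= MAX_AGE:
        return False                      # stale or post-dated stamp
    # Adding phi keeps the shortcut valid even if K shares a factor with N.
    e = pow(2, t, phi) + phi
    return pow(make_k(nonce, message, timestamp, n), e, n) == stamp


def demo():
    n_alice = ALICE[0] * ALICE[1]
    msg, nonce, ts = b"Lunch on Friday?", 0x1234ABCD, 1_000_000_000
    stamp = mint_stamp(nonce, msg, ts, n_alice)
    return {
        "valid": verify_stamp(nonce, msg, ts, stamp, ALICE, now=ts + 60),
        "other_message": verify_stamp(nonce, b"BUY NOW", ts, stamp, ALICE, now=ts + 60),
        "other_recipient": verify_stamp(nonce, msg, ts, stamp, BOB, now=ts + 60),
        "expired": verify_stamp(nonce, msg, ts, stamp, ALICE, now=ts + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The stamp is bound to one message, one recipient modulus and one time window, so a precomputed table is useless against any other recipient or any other message.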
Nice idea, but only for normal people. I'm sure you don't send thousands of emails a day, so this doesn't bother you, but the Linux Kernel mailing list does...
Tomstdenis - if you want to not see it, use spamassassin - works great -
Oh, I forgot, you're a MS Bigot, so it will probably be a real bugger to get this to run properly on NT - what an advantage huh - unless MS provides it/thought of it, you can't get it...
I virtually NEVER have to see mail from spammers using spam assassin. (I do get a few false positives...)
The point is not to prevent me from seeing spam, but from having to pay to get spam. I _DO_ pay for bandwidth - I'm not a flat rate for bandwidth user, so I do care what I have to pay for...
Lastly, the only way to really make a dent in spamming is the following, which I have already mentioned here before...
===== Quote ====
Most of the spam I get now, is from companies that are using "contractors" to spam, or spam from offshore (i.e. China) ISP's. The advertised product is from the US often, but the advertisee is not. Therefore, shutting down the "spammer" isn't going to do anything.
Now I don't know how to practically implement this, as there are some pitfalls, but with some decent legislation, we could make it possible to target the beneficiary of the spam. That makes it possible to attack the real reason for the spam - where we can use our laws etc to attack it.
Sure, there will be spam that also has you send your money to China/Afghanistan etc, but that will make the spam much less profitable, as most people won't do so. Lastly, most people will use credit cards, and I assume that most SPAM scams are frauds too, so the chargebacks will be hell for the spam beneficiary.
Anyway, it just seems that we can't just attack the spammer, we really need to attack the beneficiary. Then the spammers will go away, as they can't find anyone to demand their services.
=======
Until we make it too costly to benefit from SPAM, we won't solve the problem. The costs must outweigh the revenue.
Finally, as per your proposal. Are you planning to rewrite and distribute and implement all the patches to sendmail, qmail etc for the SMTP daemons? Not to mention all the other SMTP RFT servers out there? That's a massive task, and one that isn't likely to get done any time soon. A better approach is to attack this with the law.
I shouldn't have to put up a taller fence to prevent you from littering in my yard. That's the approach here. It may work, but it smells.
I'm sure that ISP's who process LOTS of mail (hundreds of thousands or millions of mails) a day would be glad for the 5-10 second delay for each mail...
That's a huge computational cost, and doesn't have a prayer of making it...
My solution attacks the profitability - a market solution if you wish - it might not be the only solution, but it could work to make SPAM unprofitable, and thus once unprofitable, kill it.