Lawsuits Against Spammers
apc writes "Pretty good overview of the state of the law regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention." It talks about several different states and several different people who have won cases. I still think it's fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.
This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)
The simplest reasons that spammers "get away with it":
1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.
A lot of people have already commented on #1 so I'm going to skip that one.
In short, the accountability should come to the ISP, because they are the ones who inevitably allow this to happen. @Home or similar could implement a per day limit on outbound emails, same for the free services, Yahoo! and Hotmail. There needs to be a clearinghouse for spam notification, someone who tracks spam and spammers, period. Fines should be imposed on ISPs who allow bulk email to originate from their service. Their choice should be simple: don't let spam originate from your system or face the penalty (steep fines, this could be used to fund the clearinghouse). Leniency could be worked into this, an ISP may have X number of reports per day based on the number of IPs they have. X should shrink every year.
The clearinghouse should also be audited on a yearly basis and the results made public (what ISPs spam the most/least, amount of fines paid, etc).
Hammer of Truth
Block quoth the poster:
I still think it's fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.
There is a realistic protocol change that would make it impossible to spam without getting caught.
When the message arrives at the destination server, a confirmation packet is sent back to the alleged source with a checksum of the content of the message and a confirmation code. If the source has sent an email to the server that matches the checksum, it sends the confirmation code back to the server. If the server never receives a reply with the confirmation code it sent out (in other words, if the alleged sender doesn't exist), it automatically deletes the email after 30 seconds. The whole cycle would last less than a second, depending on lag, so you wouldn't have to worry about losing email that you have sent unless you turn off your computer very quickly. This protocol would make it impossible to spoof IP/email addresses, etc, when sending email. Then the spammers could be tracked down easily and thrown in jail.
Repeal the DMCA!
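The confirmation exchange proposed in the comment above, simulated in-process as an added example (not code from the thread). The class names, the use of SHA-256 as the checksum, the `directory` lookup standing in for DNS, and the addresses are assumptions made for illustration.

```python
import hashlib
import secrets

HOLD_SECONDS = 30  # deadline from the comment: unconfirmed mail is deleted


def checksum(body: bytes) -> str:
    # Assumption: SHA-256 stands in for the unspecified "checksum".
    return hashlib.sha256(body).hexdigest()


class SendingServer:
    """Origin mail server: remembers a checksum of every message it sent."""

    def __init__(self):
        self.sent = set()

    def send(self, receiver, mail_from, rcpt, body, now):
        self.sent.add(checksum(body))
        return receiver.accept(mail_from, rcpt, body, now)

    def confirm(self, digest, code):
        # Echo the code back only for a message this server really sent.
        return code if digest in self.sent else None


class ReceivingServer:
    """Destination server: holds mail until the alleged source confirms it."""

    def __init__(self, directory):
        self.directory = directory  # domain -> SendingServer (hypothetical DNS)
        self.pending = {}           # code -> (deadline, rcpt, body)
        self.inbox = []

    def accept(self, mail_from, rcpt, body, now):
        code = secrets.token_hex(16)
        self.pending[code] = (now + HOLD_SECONDS, rcpt, body)
        # The challenge goes to the server for the *claimed* sender domain.
        origin = self.directory.get(mail_from.rsplit("@", 1)[-1])
        reply = origin.confirm(checksum(body), code) if origin else None
        if reply is not None:
            self.on_reply(reply, now)
        return code

    def on_reply(self, code, now):
        entry = self.pending.get(code)
        if entry is None or now > entry[0]:
            return False
        del self.pending[code]
        self.inbox.append((entry[1], entry[2]))
        return True

    def purge(self, now):
        expired = [c for c, e in self.pending.items() if now > e[0]]
        for code in expired:
            del self.pending[code]
        return len(expired)


def run_demo():
    honest = SendingServer()
    rx = ReceivingServer({"example.org": honest})
    # Constructed messages: one genuine, two with forged envelope senders.
    honest.send(rx, "alice@example.org", "bob@example.net", b"lunch at noon?", 0)
    rx.accept("alice@example.org", "bob@example.net", b"MAKE MONEY FAST", 1)
    rx.accept("x@no-such-domain.invalid", "bob@example.net", b"WORK FROM HOME", 2)
    held = len(rx.pending)
    return rx.inbox, held, rx.purge(now=40)
```

The check ties a message to the server responsible for the claimed sender domain; a message sent through a server its sender controls is confirmed like any other.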
Speaking as someone who's done data entry grunt work for one of these companies, I say with some small amount of authority that none of the money my company made came from any of the zany borderline pyramid scheme advertisements we mailed out on a daily basis to thousands of unsuspecting people.
All of the real money came from selling the rather impressive mailing list databases the company built up using the names of people who had responded to their mail in the past, whether to express interest, or request removal from the list. Technically, they were being removed from our list of mailouts, but they were only added to a database of names that were sold to various other companies on a regular basis.
The only real purpose of mailing out the ripoff advertisements was to see exactly which people would respond, and thus be more susceptible to other advertisements. Even the people who responded to request removal only verified that their own name/address was correct, and thus, their names only become that much more valuable for others to purchase.
The most effective way to avoid spam, whether through junk mail or e-mail, is to simply ignore and/or delete it, and hope that eventually your name's entry will be part of a list that's too old and outdated for other companies to be interested in purchasing.
It makes me very glad I stopped working for that company over a year ago, with my integrity still intact.
I run my own mail server, running qmail with the rblsmtpd daemon, pointing at several "underground", i.e. not for pay, black hole lists. In addition, there are spam _content_ filtering tools out there such as spamassassin, which looks for common telltale fingerprints in email. WORK FROM HOME, MAKE MONEY FAST, etc. etc. etc.
It can be done, with a little work.
I want to delete my account but Slashdot doesn't allow it.
I think a better resolution to the problem is to enforce a certain amount of purity in the mail headers.
If you are spam, you should mark your message as being such. If you are a mailing list, you should mark your message as being such.
And then we need to have a network of trust between the mail servers. Something lightweight enough that it works 90% of the time. Servers who are trusted are trusted that they will send out mail with proper headers. Servers who aren't trusted will get their mail bounced most of the time.
Thus, spam can be dropped on the floor at the option of any mail server. And server admins who don't mark spam as spam are marked as untrusted servers. At the option of the country that the mail server exists in, this can be declared as fraud.
I wrote up some notes on it on my webpage but I'm not sure how well it would really work in practice.
Gentoo Sucks
I was delighted the other day to find out that Iowa had an anti-spam law. I promptly requested 'remove' on all the 'pseudo-opt-in' type spam (no, buying a list from someone does not mean that the people on it want your crap). Of course, under Iowa law I need to opt out before I can do anything, unless the spam is forged.
One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.
Are there any ways to find out who sends these out without incurring a large expense?
Hrm, I wonder how long before someone starts sending out "make money suing spammers, call today for your free kit." spam.
autopr0n is like, down and stuff.
I've sued phone spammers, the type who use a machine that calls people and plays a recording, which has been blatantly illegal for almost 10 years.
I've won, but it takes more work than the $500 you win is worth even when you do win, and on average it's something you do only on principle and not for money.
And thus few do it. When I have been in court the judges/commissioners have said they don't often (if at all) see these cases.
Laws are not the answer to spam. In spite of what people say it is not just a question of "it's not a free speech issue it's a property issue."
Spam involves rights in conflict. It's a free speech issue AND a property issue AND a privacy issue, all in one. The answers are not so simple as these laws suggest.
Has it been over a year since you last donated to the Electronic Frontier Foundation?
I would be very happy if anybody could tell me a solution what to do with spammers, who only use Fax-Numbers to respond. I have a massive problem with a guy who is using my domain name as sender address. He always sends via open relays in Taiwan, Korea and all these countries and he always includes two fax numbers in the US. I do get an average of 500 bounces per day from mails this guy sent, because the recipient does not exist. Since he uses my domain I get these bounces every day. I am now collecting every day IPs of the open relays this guy uses and submitting them to ordb.org Open Relay DataBase, but obviously this is not the way to stop this.
I read a lot on pages dealing with spam, many of them were pointing to ftc.gov which one should contact if a company of the US is doing spammings. But besides reporting that guy what can one do? I cannot phone up the telco and ask them to shut down these well known numbers (I saw procmail recipes of other people who in their spamfilters had these fax numbers included).
Any hints or help would be greatly appreciated.
Lord "not Gargamel's Cat!" Azrael
The problem with a national law, with any law, is that it defines "safe turf" for both sides.
If Congress debated such a law, I'm sure that the DMA would yell and scream and "compromise" that it is willing to make it illegal to send unsolicited email of a criminal nature. Outlaw the pyramid schemes, outlaw the cock&tit creams that don't have FDA approval, etc.
Meanwhile, in the same spirit of compromise, it's now Federal law that companies can ignore repeated requests that you be removed from their spam lists because you have a bona fide business relationship. It doesn't matter that this "relationship" was a one-time purchase of a Christmas present a decade ago for a person who's long been out of your life - you might need another left-handed bacon turner some day and if they can't send you reminders, you'll buy it elsewhere!
Likewise the legislation would undoubtedly protect affiliated businesses - the reason I briefly got investment solicitations from my car insurance carrier, until I made it clear they were about to lose the latter account. It will even protect attempts to woo you away from existing businesses - you drive, so therefore you should hear about Fly-By-Night insurance rates. And Bob's detailing shop. And on and on and on....
I'm not saying that legislation would never be appropriate, just that it's too early to do it at the national level. Let's get a clear consensus that spam is a problem, then use the federal law *only* to normalize things like mandatory subject lines.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is an easy social solution for end users. In my experience, spammers screen out possible users by username. So the key is to choose a name most spammers won't screen.
:-) )
Examples of bad usernames follow. Scroll down for summary.
________________________________
Here are some bad usernames, and the reasons why.
Username: morgan@mail.com
Spammer's reaction: Morgan's a guy's name! I'll send him pr0n! (Never mind that I'm a heterosexual female.)
Username: blahblah1969@mail.com
Spammer's reaction: 69! I'll send this guy pr0n!
Username: nerd@mail.com
Spammer's reaction: This guy's a nerd that never got laid! I'll send him pr0n AND computer products!
Username: princess@mail.com
Spammer's reaction: Princess, eh? I'll send her all my products!
Username: ironknuckle@mail.com
Spammer's reaction: He must lift weights. I'll send him stuff to build his body!
Username: hasaki@mail.com
Spammer's reaction: My Japanese friend will like this guy. (Sends Japanese spam.)
Username: nurdchik8@mail.com
Spammer's reaction: Well, it's possibly nerd, maybe a female, and what does that 8 mean? I don't have pr0n, would he or she like computer stuff? What does 8 mean again? (Skips name.)
___________________________________
End of examples. Summary follows.
If you're an end user, avoid the following:
*Obvious gender references
*Numbers that could be construed as sexual references, or birthday years
*Names that may be perceived as a potential marketing group (princess, superstrongWWF)
*Names that may indicate you are a certain nationality or ethnic group
This doesn't prevent you getting spam completely. At least you'll start off spam free with the right username, like I have.
Block quoth the poster:
That would just force spammers to use their own servers to spam, and there is enough of that going on already...
No, I mean the destination server. When you send an email to "user@domain.com", the email goes to the "domain.com" server and is stored there until the user downloads it. The spammers would have to either control your ISP, or somehow intercept the packet with the confirmation code to be able to spam without revealing their IP address. A bit of cryptography would make it prohibitively difficult to send mass spam the latter way.
Repeal the DMCA!
"It is a greater offense to steal men's labor, than their clothes"
Read up on Bernard Shifman
I know he's been featured here on Slashdot, but Shifman just goes to prove you can't legislate against stupidity.
Try calling your state's attorney general's office and explaining the situation to them. Sometimes they can be surprisingly helpful, particularly if you can do a good job of explaining yourself (like pointing out repeatedly that they're doing this *incredibly* *loathsome* thing in *your* *name* and that it's just *destroying* the good name of your business) and can come off as genuinely hurt and confused.
If you got any threatening complaints about the spam, you could bring those up too, and claim that you fear for your life because of what this person is doing in your name.
The police might be willing to help, too.
You have public law enforcement resources. Use them. It's not just the RIAA and MPAA that have a right to call in the cops. You do too. Go for it. If THEY catch the spammer, and prosecute them for identity theft, defaming you, or whatever, the spammer will be in for a lot worse than having their relay shut down.
It originates from a spammer in Poland. You probably opened the email as HTML. If you look at the source, you will see all the graphics have your email address in them eg http://www.incestsex.con/?from=you@work-email.con
Once he has your address, it's like herpes, you'll never get rid of him. Enjoy all the spam you will be getting from him in the future.
HOWEVER, if there is someone you hate, (for instance, a spammer), type his name instead of yours after the URL to one of these sites. Come to think of it, DON'T -- a spammer probably would like HOT LOLITA SEX.COM
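A check a mail filter could run for the address-tagged graphics described in the comment above, as an added example (not code from the thread). It goes beyond the plain `?from=` case mentioned there and also matches percent-encoded, base64 and MD5 forms of the recipient address; the hostnames and sample HTML are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that cause a mail client to fetch or follow a URL.
URL_ATTRS = {"src", "href", "background"}


class _UrlCollector(HTMLParser):
    """Collects (tag, url) pairs from every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value))


def address_tokens(address):
    """Forms in which a sender may embed the recipient address in a URL."""
    raw = address.lower().encode()
    return {
        "plain": address.lower(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
    }


def find_tagged_urls(html, recipient):
    """Return (tag, url, encoding) for each URL that identifies the recipient."""
    collector = _UrlCollector()
    collector.feed(html)
    tokens = address_tokens(recipient)
    hits = []
    for tag, url in collector.urls:
        decoded = unquote(url)  # undo %40 and similar escapes
        for kind, token in tokens.items():
            # base64 is case-sensitive; the other forms are compared lowercased
            haystack = decoded if kind == "base64" else decoded.lower()
            if token in haystack:
                hits.append((tag, url, kind))
                break
    return hits


# Constructed sample message body, modelled on the URL quoted in the comment.
SAMPLE_HTML = """
<html><body>
<img src="http://tracker.example/a.gif?from=you%40work-email.con" width="1" height="1">
<img src="http://tracker.example/b.gif?id=eW91QHdvcmstZW1haWwuY29u">
<a href="http://shop.example/offers">offers</a>
<img src="http://cdn.example/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_tagged_urls(SAMPLE_HTML, "you@work-email.con"):
        print(hit)
```

A message with any hit can be displayed with remote content blocked, so that opening it does not confirm the address to the sender.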
First, legislation is a good step, but it will not stop spam. Because the net is really world-wide. No US law is going to stop spam from Korea or Moldova.
Second, about 25% of spam I get is from first-time spammers. Every day some idiot salesman invents this new cool way of advertising. He might quite sincerely not understand the difference between direct mail and spam. He will learn eventually, but we would get spam anyways.
The real solution is to charge sender for sending mail. E-money won't work in the near future - there is no infrastructure for it. Instead, the mail recipient should bill his own ISP for every piece of mail. The per piece price cannot exceed a certain amount (let's say $1 or $5 or even $0.15). The ISP charges the sender's ISP for the cost and processing fee. The sender ISP passes the cost to the sender.
The infrastructure could be built the same way as HTTPS. If an ISP wants to participate, it gets a certificate from a root authority, sets a server for "SMTPS" and for billing. The SMTPS session is signed. There could be some price negotiation between SMTPS servers too. SMTPS would have to be properly amended.
This would be very similar to peering agreements between ISPs. The system could get started if 3-4 large digital carriers agreed on the standard. Others could join later.
I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Well, maybe, perhaps not. Companies will sue if it's in their interest. If their network becomes good enough to handle the congestion from spam, and the amount of spam doesn't vary too much as a customer moves from ISP to ISP, it's conceivable that the providers might begin to view spam as the customer's problem (as they pretty much do now). And even if they do start suing- who benefits from that directly? Besides the obvious value as a deterrent to spammers, there isn't much justice being done if the plaintiffs are all going to be large ISPs. The parties most damaged by spam are the end users and especially the smaller ISPs.
I always thought class action lawsuits by the actual recipients of spam are the most logical way to counter spam if the approach is going to be via the courts. After all, have you ever received a single, individual spam that's caused you to consider taking the case to court against that particular spammer, with lawyers and court costs and all that hassle? With a judge that might ask "well why didn't you just hit delete?" And getting that single spam email message isn't really what you're suing over. It's the degradation of your daily routine, the tedium of having to delete a hundred emails a day year in and year out, the loss of almost a day of your life per year deleting countless messages about herbal Viagra and credit repair software and diplomas from prestigious non-accredited universities and hair loss and government grants info packages and an EZ way to consolidate debt and reducing all payments by 60% and frisky teens. Going to court over a single spam seems to miss the point. And it's expensive and inconvenient to sue as an individual, so a spammer might very well recognize that his individual spam probably isn't going to elicit a lawsuit if it isn't outrageous enough for a spammed plaintiff to choose as THE spam (out of the 10000 in his box) that he's going to go to court over. In fact, people tend to sue when the spam particularly offends them (e.g. when it talks about sex with minors, or has nude photos in it and is received by a minor). Unless things proceed to the point where every spam message sent out results in a lawsuit, a spammer that keeps his emails polite and sticks ADV in the header is pretty much safe from being sued. So you don't even get much of a deterrent effect.
Unless we switch to using class action suits, which don't have these problems if someone with the resources starts consistently nailing all spammers with them. It's much easier than taking a case to court yourself. Someone is doing the suing for you and you get to hang on like a million other freeloaders and enjoy the fruits of your class action. I almost wouldn't mind getting spam if I knew there was a chance that I could stick it to the spammer for a few cents along with thousands of other people. If I even got a fraction of a penny on average per message, we could still be talking about some serious money. And it certainly wouldn't be too hard to set up. In fact (if this were 1999) you could probably build a dot-com out of it somehow, to coordinate the spam submissions, identify plaintiffs and defendants, litigate in court, hire collections agencies, and process the payments back to all plaintiffs. That's more of a business plan than many dot-coms had. I think that if there weren't so many jurisdictional problems with the idea in general (and if there were more spam laws) someone would try this.
I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them??
Strictly speaking, even if it turns out the email wasn't from Microsoft, it still doesn't prove that Microsoft has nothing to do with bestiality.
I had another idea, it's a little extreme, but I think it's an idea that can be built off of.
I'm a member of a forum that talks about a particular interest of mine. Basically, I log in to a site, and my friends that are online (of that particular interest, obviously I won't find my mom on a CG Art board...) show up and I can message them and check out the recent posts. There is a personal messaging system there so I can send private messages to people. If somebody sends me one, I get a notification on the home page.
Basically, I've obscured the method it takes to get a hold of me. A good chunk of my friends are on that forum, a coupla more are on another forum, and the rest including family are on icq. I've basically weaned myself from the need for e-mail. I wouldn't have it at all if sites didn't require it for authorization.
This makes it a lot harder for a spammer to reach me. If every site has a different (and constantly mutating) method of sending messages around, then it's so much harder for spammers to get through.
Whatcha think, sirs?
"Derp de derp."