Lawsuits Against Spammers

apc writes "Pretty good overview of the state of the law regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention." It talks about several different states and several different people who have won cases. I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

Technical / Social solution please

[Tom7]

Instead of encouraging litigation, why don't we develop (easy) and attempt to gain acceptance (harder) of an authenticated e-mail format?

I would much rather see technical (or social) solutions to the spam problem... laws have a funny way of not going in our favor, don't they?

Re:Technical / Social solution please

[hogsback]

Is there a technical solution?

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

If the spam is sent from within your own country, this makes using the law against the perpetrator easier, it doesn't remove the need for the law.

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.
Spam is behaviour that we can't stop, therefore we need laws to discourage it.

Re:Technical / Social solution please

[Deagol]

Just because we won't use the law, it doesn't mean they won't. I suspect that any truly effective technical solution will meet the same fate as ORBS and MAPS with lawsuits.

Re:Technical / Social solution please

[garett_spencley]

I completely agree. I relate SMTP to TCP/IP. It's very simple which is why it caught on but it just doesn't live up to today's standards.

All of this litigation, while a worthwhile cause, is like security through obscurity. While it may be a deterrent for some people, lots will do it anyway.

So what we need is a new e-mail protocol that will make forgeing at least non-trivial but attempt to make it 100% impossible.

Ideally it would even be backwards compatible with SMTP so that older e-mail clients would work with newer servers.

--
Garett

Re:Technical / Social solution please

[weave]

laws have a funny way of not going in our favor, don't they?

Agreed, but on the flip side, I'd certainly like to see a law that says any ISP, employer, or individual has a right to block any e-mails that they do not wish to receive. Spammers sometimes throw out empty threats like "I'm going to sue you for blocking interstate commerce" or some crap. Look at what happend to the various voluntary black hole lists. At a lot of companies, if anyone even mentions a lawsuit, whether serious or not, the sys admin must stop all communications and immediately notify corporate legal. Then they start asking lots of questions and start poking around in the operation.

Basically, affirm my right (as provider or customer) to block unwanted e-mail, and then technical solutions are possible...

Re:Technical / Social solution please

[garett_spencley]

You're right but it would take away spammer's anonimity.

To further this the new protocol would also have to be better at authenticating as the parent poster said. But this can already be implemented to an extent with our current protocol by denying access to SMTP services from anyone who's host does not belong to certain domains.

That still won't elliminate spam all together since many companies spam using their own servers. But at least if you force spammers to do it in the open then at least you can prove that they were the ones who spammed you and can charge them with fraud, false advertising, sexual harrasment (if the add contains sexual material) etc.

It will reduce spam considerably and probably make it a lot less "annoying" since the adds will be more up to par with junk mail. It will still be a problem but it won't be nearly as big of one and then we can use the litigation to regulate it and if there is a God elliminate it :O)

--
Garett

Re:Technical / Social solution please

[jcr]

You're right but it would take away spammer's anonimity.

I've seen proposals for adding "postage" to e-mail, which in the normal course of things would be refunded.

So, if someone I don't know sends me a message, it would come with a dime or so of digital coinage attached, which my mail client would authenticate and cash in *before* I ever saw the message. If the message was spam, I'd keep the money. If it wasn't spam, I'd automatically refund the dime to the sender.

Of course, I could also set up a white list of addresses from which I'd accept messages without payment. (Zero payment, actually)

-jcr

Re:Technical / Social solution please

[Jay+L]

I thought a lot about stamped e-mail in a previous life as a mail systems developer. Our VP of development was really hot on the idea, since it would solve both the authentication problem and the no-incentive-for-targeting problem. You wouldn't even have to make it backwards-compatible; just create a new tier of "first-class" e-mail. Two big problems though:

1. Technical: It would be very, very expensive to process e-mail stamped with some form of digital cash. You're adding lots of crypto calculations, database lookups, and some sort of synchronization scheme that scales up to whole-Internet level. Large sites would likely have to have crypto plug-in hardware to do this at all efficiently.

2. Political: You'd have to get a significant number of ISPs on board, and these days most spam is NOT sent directly through the big ISP mail servers anyway.

It's a neat concept but there are too many problems. It ended up not being worth it.

Re:Technical / Social solution please

[BitterOak]

You're right but it would take away spammer's anonimity.

It would also take away everyone else's anonymity. Given the number of people who get sued by corporations for telling truthful but disparaging things, and given the number of "whistle blowers" who end up out of a job, or worse, do you really think that we should give up the ability to send anonymous e-mail just to avoid the inconvenience of junk mail? I sure don't.

Re:Technical / Social solution please

I use Authd :) Authd

Re:Technical / Social solution please

[zerocool^]

You can change your sendmail.cf to disalow sending of messages that have the from field indicated with the -f tag (i.e. a manually specified "from"), and you can set up your spam filters to disalow any mail that has a from field set with a -f tag.

Also, you can stop bounces from happening by editing your deliminators in the Scheck_rcpt section of sendmail.cf so that R$* @ $* @ $* returns an error code. Anything that is "someone colon at someplace at someplace.com" bounces thru your sendmail and gets sent, looking like it came from you.

I was gonna post a good clip of my sendmail.cf file here, but the lameness filter got it first - so here's a link: sendmail.txt. Just don't pound the server too hard, the load balencing's a little off.

~z

Re:Technical / Social solution please

[Electrum]

Is there a technical solution?

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.

D. J. Bernstein has an excellent solution to spam and many of the other problems of email: Internet Mail 2000

Essentially, with IM2000, mail is stored on the sender's machine, rather than on the recipient's, much like with HTTP. Spam is still possible, but it makes it much easier to identify the sender and to block it.

Re:Technical / Social solution please

[zerocool^]

no, but it's a start. if the spammers are the ones running the sendmail, then it won't do any good, because they'll just not enable that, but if someone on your network is sending spam, you can note it and stop it.

And no, not everyone sets the from with the -f flag. however, it is one of the ear marks of a spam message - the fact that the from address doesn't exist or is just wrong

~z

Re:Technical / Social solution please

[mpe]

Is there a technical solution?

A technical solution which would make spamming far more expsnsive to the spammer would be the complete elimination of third party relaying. (Including ISP provided third party relays.)
This also makes the source of any spam which is still around a lot easier to identify.(especially if use of dynamically assigned IP addresses is minimised.)
IMHO methods such as forcing the use of third party relays perpetuates many problems. Especially where ISPs have no way of verifying the identity of their customers...

Re:Technical / Social solution please

[Sodium+Attack]

A legal solution is nothing more than a formalized social solution. Why the animosity towards a legal solution? True, laws can be abused, but so can unwritten, informal social solutions.

A technical solution simply encourages a "[technical] might makes right" attitude. Which may be fine for many /.ers, but hardly suits your average user.

Double standard

Why are lawsuits against spammers (and castration!!) fantastic but against open source guys -- like the GAIM author sued by AIM-owner AOL -- terrible. You can't have it both ways. Either the law applies on the net or it doesn't.

Personally, I'd prefer no laws -- even for spammers.

Re:Double standard

[CaptainSuperBoy]

Well, AOL had a trademark complaint about GAIM. This has absolutely nothing to do with spam - what are you saying? If you're against one lawsuit, you shouldn't support any laws whatsoever? I guess you disagree with some trademark laws, so you believe that we should live in anarchy because SOME laws are bad.

Re:Double standard

[fotoLilith]

Personally I favor taking the spammers out to the woods and beating them with socks filled with 8balls, then sticking the fleas of a thousand bloody camels in their arses. But I suppose that is just too "Home-grown George W. Justice" for some. ;-) But yeah, spammers spend a few pennies (if that) per email address, so if they send out thousands (yeah, that's a foreign concept. ;-) ), and a few test-tube babies fall for the ploy, they profit. But, as for lawsuits: how many LEGAL businesses truly utilize this method to reach the public?

Business opportunity

[yggdrazil]

Let's hope some people see this as a business opportunity, and start a business or organization to sue on behalf of all of us who don't bother now, and collect a percentage. So that more of us can use our lawful right to make the spammers pay for their nuisance.

We could donate proceedings of successful spam litigation to open source projects or to the EFF.

What we need

[CaptainSuperBoy]

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

The article makes a good point about laws that require spam to be labeled. This isn't a solution, and there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT". This is a perfect example of laws being too specific - legislation has no business dictating changes to the SMTP protocol. This isn't useful either: shouldn't spam laws apply to more than SMTP? Say, ICQ spam? Internal AOL spam?

This is why we need a national spam law. No conflicts, no SMTP requirements, no opt-out. Make spam illegal, period. Spam is harassment, theft of service, and usually fraudulent. It costs ISPs millions of dollars that are passed on to YOU. Companies lose productivity because of workers receiving spam.

If you think this is any different from junk fax laws, you're kidding yourself. Spam and junk faxes both hurt the recipient. Spam is not free speech. Spam is not a constitutional right. Banning spam IS the right answer.

Re:What we need

[edstromp]

A national law will get you no where. Over 90% of the spam I receive doesn't originate in the United States. International law *might* get you a little somewhere, but it will never pass, and even if by some act of god did pass, it would never be enforced.

The correct technical solution is to filter your e-mail. No laws to sneak up and get us later, and we can improve the filter to our likeing at any point. I find www.spamcop.net to work wonders for my inbox. Not only does it block the unwanted mail very accuratly, but it simplifies the complain-to-the-system-admin's process.

Re:What we need

[schon]

there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT".

Maybe it's just be, but I don't see a conflict here.

If the recipient is in California, you use the first one, if they're in Wisconsin, you use the second one. (The recipient can't reside in more than one state at a time.)

The way I see it, this "conflict" is a GOOD thing - as it slows the rate of spam (spammers have to take "care", instead of blasting hundreds of thousands of identical emails.) Once they get bitten a couple of times, they're likely to say "screw it, I'll go back to working at the 7-11"

Re:What we need

[q-soe]

Actually i can tell you from the spam i have followed up and complained about 90% of our spam (my company) - comes from the US and the overwhleming majority comes from 3 ISP's

AT&T
Worldcom
@ home (used to be but replaced now by)
earthlink

oh and of course there are a lot from yahoo, hotmail etc.

Now that might just mean it's routed thru the US so im not neccesarily attacking that country

Re:What we need

[mpe]

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

Actually you need a treaty, since spammers enguage in their behaviour worldwide. Though it is surprising that the US federal government hasn't passed any relevent legislation. Maybe because it would require actually following the US constitution rather than attempting to subvert/rewrite it :)

Re:What we need

[budgenator]

The most effective way to avoid spam, whether through junk mail or e-mail, is to simply ignore and/or delete it,
I would like a client that deletes the spam without having to download it;Maybe just down load the header's, does the POP3 protocal allow this?
As far as confirming the address something like this;
<img src=evilspam.nul/image/onebit.gif?spamvictem@examp le.com >
makes an entry in the server logs confirming the Email address if html is enabled in the client.

My brother's employer out-sourced their Email to an other company, that company considered have Email's funneled through their NT box by a solaris box running 30 instances of sendmail over a T1 line a deinal-of-service attack.

Check out my latest piece of spam !

[J.D.+Hogg]

DEAR FRIEND !

Tired of not making enough MONEY ? HOW ABOUT $3000 PER WEEK OR MORE !
No, this is not a joke, YOU TOO CAN QUIT YOUR JOB AND MAKE THE MONEY YOU DESERVE !

HOW ?

Very recently, I have discovered that anybody on the internet receives "SPAM" emails, and that it is usuall possible to sue those "SPAMMERS". Most often, "SPAM" originates from VERY LARGE COMPANIES who have a LOT OF MONEY MOST OFTEN, and these companies don't want to lose their reputation in the "SPAM" industry, therefore they are usually willing to give plaintiffs A LOT OF MONEY to settle their claims.

I CAN ALREADY HEAR YOU SAY "HOW CAN I SUE SPAMMERS TOO AND RECEIVE A LOT OF SETTLEMENT MONEY ?" !

IF YOU SEND ME A RESPONSE AT THE EMAIL ADDRESS AT THE BOTTOM OF THIS MESSAGE, I'LL INTRODUCE YOU TO MY NEW BOOK CALLED "HOW TO SUCCESSFULLY SUE SPAMMERS AND RECEIVE A LOT OF SETTLEMENT MONEY". MY BOOK NORMALLY COSTS IN EXCESS OF $85 FROM NORMAL RETAIL CHANNELS, BUT ONLY FOR YOU, I OFFER YOU THIS INCREDIBLE MONEY-MAKING TOOL FOR ONLY $19.99 !!

DON'T PASS UP YOUR CHANCE TO MAKE THE MONEY YOU DESERVE. SEND ME A RESPONSE RIGHT NOW, OR CALL ME AT THE NUMBER BELOW.

THANK YOU DEAR FRIEND !

email: SUCKER_RESPONSE@HOTMAIL.COM
phone: 1-800-YOU-SUCK

**********

THIS IS A ONE-TIME EMAIL, YOU DO NOT NEED TO DO ANYTHING IF YOU DO NOT WISH TO RECEIVE ANYMORE INFORMATION ABOUT THIS INCREDIBLE OFFER.

Re:Check out my latest piece of spam !

[InterruptDescriptorT]

I didn't believe it for a minute. The grammar and spelling are too good for it to be legitimate. :-)

---
Some say Netware is just like a wheel/ When you abend it, you can't mend it

The solution to spam.

[Restil]

The only reason spam is so prevalant is because there are still enough suckers out there who respond to it and buy into the schemes. We need to do one of two things. Either successfully educate the suckers so the spam becomes uneconomical, or compile a real list of suckers and find a way to convince the spammers to ONLY spam them, and not the rest of the world.

Neither of these things will happen, unfortunately.

-Restil

Re:The solution to spam.

[clark625]

Since there's a sucker born every minute, that gives plenty of "new" customers for the spammers. That's 1,440 potential suckers every single day--or 525,600 per year. And if you can get the typical $19.99 out of each of them, you can get a whopping $10,506,744 of revenue. When you look at numbers like that, you can easily see how spammers (and TV commercials) can continue to annoy the rest of the population.

The problem with having a "sucker list" is that no one ever thinks he/she is one; and would do everything possible to stay off it. It's very similar to how most people believe they have an above average IQ. Nevermind the fact that most people can't be above average. A lot of people simply don't think of themselves as suckers.

Anyways, I need to go buy that new Igia ElectoSage 8. Have you seen it? It looks absolutely amazing! I'm gonna lose lots of weight with this thing--all without getting off my butt. Schweet!

Re:The solution to spam.

[Swaffs]

Ten million... That's just amazing! I had no idea one could make so much money spamming... Boy, spam sure makes sense now that you think about it. Thanks for all the info, I'm going to go and start spamming right now!

Re:The solution to spam.

[pmc]

Do you have an above average IQ? You seem to have confused "average" with "median"...

Since by definition IQ follows a normal distribution (with m=100 and s=15 usually - s can vary), then mode=median=mean.

So the original post was correct.

When will help arrive?

[Methuseus]

Most of us hate spam, but there are always those stupid users that click on every email promising another money-making opportunity. If you make an authenticated-mail protocol, that means everyone needs to use it, but those people targeted by spammers are the late adopters of new tech, so I don't think it would work too well.

www.xns.org

This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

Re:www.xns.org

[johnburton]

I like this.

But I can't see any reasable hope of pursuading people to replace DNS. But I suppose people won't care what kind of name lookup their email software is doing.... Hmm...

Or what about something like ICQ where you can say who you want to be able to receive communciations from. Anyone else you have to authorize before they can send you an actual message. I doubt spammers could be bothered to do this, they'd go find some other way to annoy people.

How about doing this?

Your email program looks at the headers of emails being received. If the message is from someone in your address book, or is from someone you sent an email to *recently*, or is from a recognised mailing list then you get the email.

If it does not fit any of those conditions, it must first validate the sender. To do this it sends back a message to the senders From address with instructions saying under what terms you are prepared to accept the email, and a code to send back saying that you accept those terms. Your client would then accept one, and only one message from that address to be delivered to you. If you want to accept more in future you can add them yo your local address book.
The fact that the "spammer" must explicitly accept your terms for accepting your email would give a lot more legal protection to filtering and blacklists of known spammers.

Hmm. Must think about this some, and implement something!

Ooh, a slashdot story on spam

[Paul+Wright]

Let me summarise:

Spam is Free Speaaech (A Troll)

No it isn't (Baittaker543)

Yes it is (Anonymous Spammer) 30 post thread snipped

No more government regulation (aynrand666) All problems have a technical solution. Just hit delete.

My webserver got RBL'd (warfire) So I've come here to cry instead of ditching my low-file ISP. Your technical solutions are no good.

I know more than you do (karmawhore23) I am cleverer than you.

Re:Castration?

Main Entry: cas.trate
Pronunciation: 'kas-"trAt
Function: transitive verb
Etymology: Latin castratus, past participle of castrare; akin to Greek keazein to split, Sanskrit sasati he slaughters
Date: 1609
Inflected Form(s): cas.trat.ed; cas.trat.ing
1 a : to deprive of the testes : GELD b : to deprive of the ovaries : SPAY

Re:Castration?

[mESSDan]

Hmm, considering that this is a website about Linux, and that most of the editors use ONLY Linux, how would they go about testing this? Under Wine? And if it gave an error, would that have been a Wine error, or an XBox emulation error?

The story was interesting, not because it was a hoax, but because it might NOT have been a hoax.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Put the ball in the court of the ISP

[smack_attack]

The simplest reasons that spammers "get away with it":

1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.

A lot of people have already commented on #1 so I'm going to skip that one.

In short, the accountability should come to the ISP, because they are the ones you inevitably allow this to happen. @Home or similar could implement a per day limit on outbound emails, same for the fre services, Yahoo! and Hotmail. There needs to be a clearinghouse for spam notification, someone who tracks spam and spammers, period. Fines should be imposed on ISPs who allow bulk email to originate from their service. Their choice should be simple: don't let spam originate from your system or face the penalty (steep fines, this could be used to fund the clearinghouse). Leniency could be worked into this, an ISP may have X number of reports per day based on the number of IPs they have. X should shrink every year.

The clearinghouse should also be audited on a yearly basis and the results made public (what ISPs spam the most/least, amount of fines paid, etc)

Re:Put the ball in the court of the ISP

[Dr.Dubious+DDQ]

2) ISPs turn a blind eye or aren't as responsive as they should be.

YES! Most times that I get spam, I trace down the headers to find the source and report the spam to the ISP hosting the address, and the spam stops.

MOST times. It took a while to get through to hinet.net about their 'tom lee designs' spammer, but even then, when I finally got through to somebody the spam was stopped.

For the last three months, I've been dealing with wads of spam from what I believe to be the same spammer due to the headers:

• They all have the same style of random-fake-hotmail.com addresses
• They all bounce through hijacked foreign servers
• They all have the same 'X-Mailer' header ('X-Mailer: Microsoft Outlook Express 5.50.4133.2400')
• They are repetitions of the same 5-8 advertisements (most for dubious semi-medical supplements e.g. 'increase your ejaculation 581%','stop hair loss', etc. on www.poxteam2001.com)
• And, of course, they ALL come from the same bank of apparently Texan addresses on prserv.net (slip.12.64.*.mis.prserv.net).

The ISP in question is AT&T Global. (mail to abuse@prserv.net ends up at postmaster@attglobal). For the last three months or so, I've diligently forwarding the messages, with headers, to abuse@prserv.net (or postmaster@attglobal.net). Until recently, they've been universally coming back with form-letters saying 'this problem has already been reported'. Sometimes the spam stops for a day or two, sometimes it doesn't.

I even looked up their contact number on whois and called THAT a few times (the only human beings there seem to be overworked and underpaid tech support people). The last few days, I've been getting my reports returned in a form letter stamped 'not our domain', as if whoever's getting my messages at AT&T Global is either 'in on it' or just doesn't want to deal with it any more (or perhaps is's just a 'new guy' who's not used to dealing with the headers, or thinks that only AT&T Global user's complaints about spam from their network should be dealt with)....

Point is, with roughly 80 spam messages from the same spammer forwarded, the spam has continued unabated, and I honestly wonder if some salesdrone at AT&T Global's Austin, Texas area POP has an 'understanding' with the spammer and has been willing to re-sign him every time he gets kicked off. Unfortunately, none of the emails I've sent to 'postmaster@attglobal.net' requesting more information about the spammer (including requests on the order of 'who do I contact to find out the proper legal procedure for obtaining the spammer's identity so that I can look into taking action myself') simply come back with more form-letters, or are unanswered...

I called them again today (after last night's two spams came back from them stamped 'not our domain') and for the first time, actually got to speak to someone in the postmaster department. She actually seemed helpful and polite, so hopefully something might finally be DONE about this spammer...

So, anyway, to get back to the point - the ISP's are the ones who have the power to do something about spammers on their network, and if they choose not to, there ought to be some sort of recourse. Small ISP's, you can complain to their upstream provider, but when you're dealing with AT&T Global?....

'scuze the verbosity of this post - this particular spammer/ISP issue has me pretty irritated at the moment...

Re:Put the ball in the court of the ISP

[camusflage]

www.poxteam2001.com

Congratulations. You've met Alan Ralsky. Not one of the most prolific spammers, but definitely one of the most annoying ones.

His typical MO lately is to use asymmetrical routing, with his sites hosted on dialup connections. Through his own DNS servers which seemingly cannot be removed from the net, combined with joker.com not particularly caring that domain registration information is totally fraudulent, he's not going to be going anywhere anytime soon. The Registry of Known Spam Operators has more and more detailed info on him, including his various criminal convictions and civil judgements. This guy is a crook, flat-out.

The Solution: email protocol that stops spoofing i

[Tuxinatorium]

Block quoth the poster:
I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

There is a realistic protocol change that would make it impossible to spam without getting caught.

When the message arrives at the destination server, a confirmation packet is sent back to the alleged source with a checksum of the content of the message and a confirmation code. If the source has sent an email to the server that matches the checksum, it sends the confirmation code back to the server. If the server never recieves a reply with the confirmation code it sent out (in other words, if the alleged sender doesn't exist), it automatically deletes the email after 30 seconds. The whole cycle would last less than a second, depending on lag, so you wouldn't have to worry about losing email that you have sent unless you turn off your computer very quickly. This protocol would make it impossible to spoof IP/email addresses, etc, when sending email. Then the spammers could be tracked down easily and thrown in jail.

Jerry Cerasale can kiss my ass.

[jcr]

U.S. businesses generally oppose restrictions, equating advertising with free speech.

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

God DAMN IT, for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.

If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.

-jcr

Re:Jerry Cerasale can kiss my ass.

[damiam]

The analogy I like to use is:

You have the right to sell your product, but you do not have the right to break my window during dinner hour, climb in, come to me and interrupt my dinner to scream in my face that "MY PRODUCT WILL INCREASE YOUR EJECULATION 581%!!!!!" without even looking first to see if I'm a women.

Re:Jerry Cerasale can kiss my ass.

[MillionthMonkey]

The 581% figure is from an authentic spam. Haven't you gotten it before?
I remember seeing that, and commenting to a friend of mine how that was an example of a statistic with high precision and low accuracy.
My favorite spam is the one about how Fortune 500 companies are looking for losers to work from home using their computers. That and the one offering diplomas from "prestigious, non-accredited" universities. Although it stops being funny the 200th time you see it.
Also, you should stop smoking. If you need help there are many people out there selling quality stop-smoking products. Just post your email address in any public forum and they'll be in touch with you.

Re:Jerry Cerasale can kiss my ass.

[Cramer]

AMEN!

"free speech" That's funny. Advertising is neither "free speech" nor "free". One must pay for radio and tv spots, magazine and newspaper ads, newspaper inserts, billboards, sky writers, and all that junk that collects in your US Postal mailbox. Advertising has never been fucking free.

As for "free speech"... that's laugh-in-your-face stupid! Perhaps they should begin lobying to allow cig. and booze ads on TV. I'd love to see p0rn on interstate billboards as well while their at it :-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Technical solution

[jbf]

Make people send you digital cash with each email. You return it if the email isn't spam (if you don't return it for nonspam, then you're a bastard) Unfortunately, it's impossible to make this work in a back-compatible way, so...

Example protocol:

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: spammer@mail.com
250 spammer@mail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 20 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 20 cents
DATA
...

I think some work in the IETF has been done on spam prevention, but no one has even tried to standardize it.

Re:Technical solution

[cmowire]

I think a better resolution to the problem is to enforce a certain amount of purity in the mail headers.

If you are spam, you should mark your message as being such. If you are a mailing list, you should mark your message as being such.

And then we need to have a network of trust between the mail servers. Something lightweight enough that it works 90% of the time. Servers who are trusted are trusted that they will send out mail with proper headers. Servers who aren't trusted will get their mail bounced most of the time.

Thus, spam can be dropped on the floor at the option of any mail server. And server admins who don't mark spam as spam are marked as untrusted servers. At the option of the country that the mail server exists in, this can be declared as fraud.

I wrote up some notes on it on my webpage but I'm not sure how well it would really work in practice.

Re:Technical solution

[jbf]

You should take a look at http://www.ietf.org/ID-nits.html: you're still going to need some sort of authentication to prevent spoofing, and to provide nonrepudiation so you can blacklist spammers later.

In practice, the social aspects of trust would be a pain to implement. I personally would need to get my mail server trusted by everyone else in the net? Sounds like an inverse RBL, with the same sorts of problems (maybe worse because of scalability issues)

Re:Technical solution

[cmowire]

I think that an advagato styled trust metric might work out. Your mail server would be trusted by your upstream ISP's mail server, who would create trust relationships with a selection of other ISPs, enough that the large whole of the 'net would trust them.

I think getting a signifigant percentage of the mail servers in a trust system would be much less troublesome than trying to get every mail address on the 'net in a trust system.

Re:Technical solution

[cmowire]

This is true.

However, if you maintained your list of trust properly, it could be managed.

An RBL-like group could mistrust known spammers. You could decide that you will mistrust everybody they mistrust and get rid of a chunk of spammers. A TRUSTe group could trust a large group of ISPs that manage to keep their noses clean.

Trust relationships are difficult yes, but there are successes. Most employees don't steal from their employers, for example. Most marrages don't fail because of cheating, they arrise from personality differences. And creating a trust system between mail server admins would be much easier than creating a trust system between individual people on the 'net.

I suspect the downfall of my idea is that people don't like getting a "Your mail server isn't trusted" message, so all of the mail servers will be far too trusting.

The root of the problem

[SevenTowers]

The problem isn't going to be solved by suing spammers. why? Well,
because spammers are spread out around the globe
Because spammers highjack networks to send out their bulk mail
Because a lot of spammers aren't even legit cies
Because it is too easy to spam from a bogus account, or for that matter from pretty much any email account using a bot that anybody can write.

All in all, spamming is as controllable as peer-to-peer, as long as people really want to spam, there's not much you can do against it. As long as there's money to make, people that don't have money will be tempted, and unfortunatly a lot of those people are in countries in which there is little or no legislation (not that's it's better in more developped countries)...

Suing spammers will only stop the big boys

[Skim123]

Suing spammers will only stop the likes of Flooz.com (as quoted in the linked to article) and other large sites from sending spam (i.e., eBay/Buy.com, two companies I can't seem to unsubscribe from). I don't know about you, but the vast majority of spam I get is from individuals or very small companies, at least I'd assume it is. It's usually racked with spelling errors and grammatical no-no's, and are not ads for the latest mega-eCommerce site's sales, but for Viagra, toner cartridges, incredible wealth from a home-based business, "legal" ecstacy-type drugs, penis-lengtheners, and, of course, the usual solicitations from horny 18 year old lesbian cheerleaders.

Many of these spammers send from hotmail.com or from email addresses that are not in the US. So how would I go about suing them? Even assuming that I could sue them, how could I manage to go about collecting my settlement from them?

I'm afraid suing is not the answer to ending all spam, just a small class of spam.

Re:Suing spammers will only stop the big boys

[Skim123]

If you subscribed then it isn't spam, is it?

If I buy something there and am unbeknowingstly signed up to some mail list, that, IMHO, is annoying, but not spam. If, upon receiving the mailing list, I click on the little link at the bottom to unsubscribe, and am told that I have unsubscribed, but still keep getting emails, then that is spam (IMHO).

Re:Suing spammers will only stop the big boys

[Todd+Knarr]

IMHO if I subscribe to a business or purchase a product, the only e-mail I should receive is information specifically about what I subscribed to or bought. Eg., if I sign up for eBay I should by default only get information about changes to my eBay account. Anything beyond, eg. information about eBay services I didn't sign up for, is unsolicited commercial e-mail. Until the company takes over paying for my access to my e-mail, the burden's on them and it's not my responsibility to track down and decline everything they'd like to send me.

Re:Castration?

[Gannoc]

But what if you're a female spammer/editor?

Yeah, its not like Tammy and her "barely 18" horny friends are going to be intimidated by potential castration.

Once again, ./ hasn't thought the problem through.

oNumber solved the spam problem, and it works

[Wonderkid]

Signup at http://www.oNumber.net, and exchange oNumbers with friends. Avoid putting e-mail address on business cards etc and use oNumeber instead. By using the guest list system, only authorized people get to see your actual contact info. It's not free, but it's free of advertising and O'WONDER (who own oNumber) will not sell or release your info to anyone. Slashdot reader feedback encouraged.

Better yet...

[jcr]

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: mom@aol.com
667 foo.bar.com accepts payment of 0 cents
DATA
..
MAIL FROM: unknown_spammer@hotmail.com
250 unknown_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 200 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 200 cents
DATA
...
MAIL FROM: known_spammer@hotmail.com
250 known_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 1.0e09 cents
CASH: 82kd0xma893mcos0
666 foo.bar.com detects fraudulent/forged e-coin. Forwarding to fbi.gov

RBL and SpamAssassin

[Gothmolly]

I run my own mail server, running qmail with the rblsmtpd daemon, pointing at several "underground", i.e. not for pay, black hole lists. In addition, there are spam _content_ filtering tools out there such as spamassassin, which looks for common telltale fingerprints in email. WORK FROM HOME, MAKE MONEY FAST, etc. etc. etc.

It can be done, with a little work.

Re:RBL and SpamAssassin

[nehril]

definitely. I put in spamassassin + vipul's razor on my utility linux machine, and I have it fetchmail my various accounts and scrub them. I use gotmail to fetch my hotmail and run it through the scrubber. this combo catches about 95% of all spam (and my hotmail account gets about 50 spams per day). Every other day I get one piece of spam or so.

Now I have all my accounts collected in one place and scrubbed. I even put in a webmail system (sqirrelmail.org) so I can fetch it remotely via ssl. If you have the means to hook up a setup like this I highly recommend it.

Don't the porn spammers realize?

[cliffy2000]

I must have recieved 200 e-mails on "farm action" and "hot family sex." I've never visited any such site nor have I ever responded to their e-mails... what makes them think that I'm suddenly gonna be interested in these deviant sexual activities... they should offer uhm... I dunno... NORMAL sexual behavior? I mean, hot playmates and stuff. They've gotta get their act together and stop catering to this select audience of sickos -- rather, they should attempt to appeal to the masses.
Sorry. Venting. Thank you.

The laws in iowa

[autopr0n]

I was delighted the other day to find out that Iowa had an anti-spam law. I promptly requested 'remove' on all the 'psudo-opt-in' type spam (no, buying a list from someone does not mean that the people on it want your crap). Of course, under Iowa law I need to opt out before I can do anything, unless the spam is forged.

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

Are there any ways to find out who sends these out without incurring a large expense?

Hrm, I wonder how long before someone starts sending out "make money suing spammers, call today for your free kit." spam.

Re:The laws in iowa

[Happy+go+Lucky]

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

When you opened up the full headers on the spam, I assume you found the Received: lines going back from your mail server to the sending mail server, and from the originating IP to the sending mail server.

I also assume that Iowa law provides for John Doe lawsuits, in which you can identify the defendant as a specific individual even if you don't have his name, and has a long-arm statute whereby torts that occur partly in Iowa can be filed in Iowa courts.

Given those things: File your case with a John Doe defendant. Identify the defendant as the person who was using IP 123.456.789.012 at July 4, 2001, at 12:00 noon CDT. If you can explain what that means to the judge (in writing!) you can make a pretty strong case that that's one distinct individual.

When you file, have a subpoena ready for the court clerk's signature. You'll want to send it to the ISP or whoever owns the IP number, and it's for all billing or other records which would show the identity of the person using that IP at that time. Once the subpoena gets served and gets compliance, you have your defendant.

As for "large expense," I frankly don't know what it's going to cost you. Some states mandate civil spam-related stuff to go through small-claims, and some states don't give their small-claims courts the power of compulsory process. Obviously, a court that can't subpoena evidence is a joke, but don't ask me to explain it.

Re:The laws in iowa

[Happy+go+Lucky]

As much as I hate to reply to my own posts...

If the spam included a fax number, then find out which telco supports that number. For instance, a 303 or 720 area code would be metro Denver and therefore Qworst.

When you file against your John Doe defendant, you can subpoena that number's owner from the phone company.

Frankly, I'd use both of these avenues. A judge would probably be more receptive to the phone company angle, since he might not understand your header-reading tutorial completely. Tracing through the IP could then be used as confirmation.

Also, the mail could have been relayed. Probably 75% of my spam is English-language with a payload site connected through a US provider, or a US phone/fax number. Easily a third of that 25% is relayed through an overseas mail server (usually a badly-misconfigured and ancient sendmail on some APNIC IP=read as China) which doesn't accurately report the originating IP. In theory, you could try to subpoena the info from the relay's owner. In practice, a Chinese sysadmin would wipe his ass with your subpoena even if he could read it.

In other words, the headers may or may not have the information that you need.

Also, spams may carry a PO box or another box number. The USPS will give out POB boxholder information to the public on any box used to do business with the public.

I don't know if that applies to the private pack-and-ship businesses like MBE. It's worth asking them, though.

Re:Castration?

[damiam]

Taco has at least one Windows box, as evidenced by his occasional mentions of the Windows games he likes.

Truth in Advertising approach

[coyote-san]

I think it's time to apply Truth in Advertising standards to spam.

You say your product will help me lose weight? We send a rebuttal picture of your naked fat ass to everyone you know.

You say your product will make my penis gain 3"? We get testimonial from your two mercy fucks about how you need to use this product yourself.

You say your product will get me hot dates every weekend? We distribute a copy of your busy social calendar - with a note that you were stood up for the sole entry, your Jr. Prom in 1989.

And lest we forget it, you say your product will net me $50,000 in only 10 weeks? We show your credit card bills, and how even Miss Cleo has cut you off as a deadbeat.

The best thing of all si that this doesn't really require any new laws. (Well, the suggestions above do, but not the concept.) Don't just nail the spammers with small fines for sending spam, hit them with large fines for fradulant advertising, participation in criminal enterprises, etc.

Are the lawsuits worth it?

[btempleton]

I've sued phone spammers, the type who use a machine that calls people and plays a recording, which as been blatantly illegal for almost 10 years.

I've won, but it takes more work than the $500 you win is worth even when you do win, and on average it's something you do only on principle and not for money.

And thus few do it. When I have been in court the judges/commissioners have said they don't often (if at all) see these cases.

Laws are not the answer to spam. In spite of what people say it is not just a question of "it's not a free speech issue it's a property issue."

Spam involves rights in conflict. It's a free speech issue AND a property issue AND a privacy issue, all in one. The answers are not so simple as these laws suggest.

Help: Spammers with Fax-Numbers to reply

[Lord+Azrael]

i would be very happy if anybody could tell me a solution what to do with spammers, who only use Fax-Numbers to respond. I have a massive problem with a guy who is using my domainname as sender adress. He always sends via open relays in taiwan, korea and all these countries and he always includes to fax numbers in the US. I do get an average of 500 bounces per day from mails this guy sent, because the recipient does not exist. Since he uses my domain i get these bounces every day. I am now collecting every day IPs of the open relays this guy uses and submitting them to ordb.org Open Relay DataBase, but obviously this is not the way to stop this.

I read alot on pages dealing with spam, many of them were pointing to ftc.gov which one should contact if a company of the US is doing spammings. But besides reporting that guy what can one do. i cannot phone up the telco and ask them to shut down these well known numbers (i saw procmail recipies of other people who in their spamfilters had these fax numbers included)

any hints or help would be greatly aprreciated

Re:Help: Spammers with Fax-Numbers to reply

[Happy+go+Lucky]

The flower shop was called flowers.com. A spamming piece of shit (like Bernie Shiftman) named Craig Nowak forged them into the From: lines of his spam. They got hammered with the bounces and bitches from people who couldn't read headers.

They identified Nowak (who is a spamming piece of shit like Bernie Shiftman) and sued him. And won.

I can't find the actual cite from the case. However, it was from 1997 in the District Court for Travis County, Texas. Tracy Parker, Zilker Internet Park, and others vs. Craig Nowak and C.N. Enterprises or something like that.

Stupid

[autopr0n]

Yeh, spam is annoying, so we should replace the entire domain name system. It is true that email information is integrated into the DNS system (MX records and stuff), but not to that level.

Secondly, it wouldn't really stop any spam anyway. Just because you 'claim' that they should owe you money for spamming doesn't that they actually will. And a huge number of spammers right now are committing crimes by hacking open relays/AOL accounts and the like right now. What's to prevent them from doing the same under XNS? I mean, even if the 'privacy policy' is enforceable by law, it doesn't mean that all spammers are going to start following it. And 'legit' spammers already have opt-outs.

Spam prevention (especially retarded crap that you outlined) does not belong in the DNS system. I'm not saying that the DNS system doesn't need to be replaced, but spam prevention doesn't belong it it.

Companies should be doing the suing!

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Everytime someone forges an e-mail address using their domain name, and someone forwards it to abuse@something.com then it costs them money to research it. It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.

Don't they care about their PR? I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them?? I'll just keep assuming that till proven otherwise.

Laws define both sides

[coyote-san]

The problem with a national law, with any law, is that it defines "safe turf" for both sides.

If Congress debated such a law, I'm sure that the DMA would yell and scream and "compromise" that it is willing to make it illegal to send unsolicited email of a criminal nature. Outlaw the pyramid schemes, outlaw the cock&tit creams that don't have FDA approval, etc.

Meanwhile, in the same spirit of compromise, it's now Federal law that companies can ignore repeated requests that you be removed from their spam lists because you have a bona fide business relationship. It doesn't matter that this "relationship" was a one-time purchase of a Christmas present a decade ago for a person who's long been out of your life - you might need another left-handed bacon turner some day and if they can't sent you reminders, you'll buy it elsewhere!

Likewise the legislation would undoubtably protect affiliated businesses - the reason I briefly got investment solicitations from my car insurance carrier, until I made it clear they were about to lose the latter account. It will even protect attempts to woo you away from existing businesses - you drive, so therefore you should hear about Fly-By-Night insurance rates. And Bob's detailing shop. And on and on and on....

I'm not saying that legislation would never be appropriate, just that it's too early to do it at the national level. Let's get a clear concensus that spam is a problem, then use the federal law *only* to normalize things like mandatory subject lines.

Digital Postage is the only answer

[Curt+Cox]

Unsolicited bulk email is used with such frequency because it is so incredibly cheap. This convinces those who use it, that it has a positive return on investment. In order to reduce the amount of spam, it is necessary to increase the cost of sending it. Digital postage is the only way to reduce spam.

This would be analogous to the stamps used on snail mail, now. If nobody else steps up to the plate, some corporations will try to do this for a profit, or national governments will try to do it for control. The better solution, however, is some sort standards-based decentralized digital postage, where everyone can issue their own estamps. It is then up to each individual to decide, how much a spammer has to pay to get to their inbox.

Of course to be widely adopted, this has to be well integrated into email clients. It also has to be completely painless to insure that your friends always have enough of your stamps on-hand.

Once in place, the benefits include:
- less spam
- no need for email size limits, because there would be an obvious mechanism to allow billing for arbitrarily large emails
- automatic payment method for email based customer support

Re:The Solution: email protocol that stops spoofin

[Tuxinatorium]

Block quoth the poster:
That would just force spammers to use their own servers to spam, and there is enough of that going on already...

No, I mean the destination server. When you send an email to "user@domain.com", the email goes to the "domain.com" server and is stored there until the user downloads it. The spammers would have to either control your ISP, or somehow intercept the packet with the conformation code to be able to spam without revealing their IP address. A bit of cryptography would make it prohibitively difficult to send mass spam the latter way.

Hrm

[autopr0n]

Well, I belive the reason that 'sicko' sites spam whereas 'normal' sites do not is that the main-stream porn industry simply does not spam at all. The practice has been banned by the industry association. Any pornographic spam you get is for cheap companies and individuals who are not really a part of the industry.

Btw, if you do want some normal porn, I know a great website you might want to check out...

Sexist Punishment...

[toupsie]

but I also believe forging SMTP headers should be legally punishable by castration.

So what you are saying is that only men can be punished for SPAMMING in your mind? I am sure there are women SPAMMING out there too! What part of their anatomy are you going to cut off? The National Organization for Women would like to know...

another tactic?

[Alien54]

I saw this idea else where, and it looks promising enough that I want to share ....

One could extend the SMTP protocol for mail delivery so that (non-favored?) senders were forced to jump through some computationally expensive hoop before mail to local users will be accepted.

Currently SMTP looks like this:

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender ok
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

We could add something like (not real numbers):

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender untrusted, please give prime factor of 34576184516935692342934759132 to continue
>>> FCTR 345837413 250 Ok, you bothered...
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

The beauty of this is, putting support in sendmail would mostly be sufficient, and it lets you effectively add a cost per message without any sort of micropayments scheme, or giving up anonymity. I'd be curious what your reader groupmind thinks about this, or if the idea has been tossed around before?

- Mike Earl

Personally, I do not know the feasibility of this angle, although I am sure some expert with be willing to point out the flaws.

Re:another tactic?

[tomstdenis]

Well that will work, there are other schemes.

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The basic idea stems from squaring modulo a composite. Say you're given N=pq where p and q are two huge primes.

You can find

R = K^(2^T) mod pq

easily, but given R its hard to find K.

So if you specifically construct K to follow certain rules, you can help filter out spam very easily.

The basic scheme works like this

1. Make up two primes p and q and get N=pq
2. Choose a value of T [say 1024]
3. Publish N and T with your email address

The user wants to send you a message M so they make up

K = random_data || HASH(M) || time

They hash K and use that as a key for a symmetric cipher. Then they send R=K^(2^T) mod N [by squaring T times] along with the ciphertext.

The trick is that finding K from R is easy if you know the factors and squaring T times takes time.

You can sign K easily too ... anyways...

Re:another tactic?

[Dwonis]

This is broken. People will simply start selling CD-ROMS with pre-calculated hashes.

Re:another tactic?

[tomstdenis]

Hmm? You hash the message so you can't just store them on a CD.

The idea is not to stop people from SENDING spam its to stop you from having to SEE the spam.

For a message to be valid you must first make up a bignumber

K = random || hash(message) || time

Then you send to the user K^(2^T) mod N.

You're "attack" won't work since each user has their own N. So if you want to build up a huge table of valid numbers you can, but they will only work for one user.

I'd suggest you actually read the posting before attacking it.

Re:another tactic?

[vadim_t]

Nice idea, but only for normal people. I'm sure you don't send thousands of emails a day, so this doesn't bother you, but the Linux Kernel mailing list does...

Re:another tactic?

[GSloop]

Tomstdenis - if you want to not see it, use spamassassin - works great -

Oh, I forgot, you're a MS Bigot, so it will probably be a real bugger to get this to run properly on NT - what an advantage huh - unless MS provides it/thought of it, you can't get it...

I virtually NEVER have to see mail from spammers using spam assassin. (I do get a few false positives...)

The point is not to prevent me from seeing spam, but from having to pay to get spam. I _DO_ pay for bandwidth - I'm not a flat rate for bandwidth user, so I do care what I have to pay for...

Lastly, the only way to really make a dent in spamming is the following, which I have already mentioned here before...

===== Quote ====
Most of the spam I get now, is from companies that are using "contractors" to spam, or spam from offshore (i.e. China) ISP's. The advertised product is from the US often, but the advertisee is not. Therefore, shutting down the "spammer" isn't going to do anything.

Now I don't know how to practically impliment this, as there are some pitfalls, but with some decent legislation, we could make it possible to target the beneficiary of the spam. That makes it possible to attack the real reason for the spam - where we can use our laws etc to attack it.

Sure, there will be spam that also has you send you money to China/Afganistan etc, but that will make the spam much less profitable, as most people won't do so. Lastly, most people will use credit cards, and I assume that most SPAM scams are frauds too, so the chargebacks will be hell for the spam beneficiary.

Anyway, it just seems that we can't just attack the spammer, we really need to attack the beneficiary. Then the spammers will go away, as they can't find anyone to demand their services.

=======

Until we make it too costly to benefit from SPAM, we won't solve the problem. The costs must outweigh the revenue.

Finally, as per your proposal. Are you planning to rewrite and distribute and impliment all the patches to sendmail, qmail etc for the SMTP dameons? Not to mention all the other SMTP RFT servers out there? That's a massive task, and one that isn't likely to get done any time soon. A better approach is to attack this with the law.

I shouldn't have to put up a taller fence to prevent you from littering in my yard. That's the approach here. It may work, but it smells.

Re:another tactic?

[tomstdenis]

First off, my scheme will work with existing email systems. You can use the same transport protocols you just have to tack on a plugin that will do the math part.

So you can still use pop3/smtp for transporting email.

Second, apply "law" to the problem just doesn't work. I send spam from country X to country Y, etc...

My solution takes work [i.e to implement it] but will work regardless of laws in place. Doesn't matter if you're sending spam from Mars, if you don't apply my coding my program [client] will just filter the message out.

Also, you can *NEVER* stop people from sending spam just by filtering for keywords or something. If I can send you an email in the clear and open, then I can just as easily find a new way to make a spam message that doesn't follow the heuristics of your filter.

With my scheme spammers can still get passed the filter, it just takes them time [which you can roughly control]. That makes it less profitable.

Think about it. Suppose you pick a setting [of T] that makes a fast ghz processor take about 7 seconds or so to make a valid email.

Would a spammer wait 7 seconds per email if they have a list of 10^8 emails to go through [probably 90% of which are fake to begin with!]?

I doubt it.

Also my scheme can be made simpler. Instead of repeated squaring, use repeated cubing.

I.e

Make up

K = random || hash(message) || time

Then cube K, T times...

K = K^3 mod pq
K = K^3 mod pq
...

The end user can compute

K^((1/3)^T mod (p-1)(q-1)) mod pq

Which means they can go directly to the original K value but an attacker [i.e spammer] must perform T cubings.

So no matter what T is the time for the person getting the email is the same.

Tom

Re:another tactic?

[Alien54]

Nice idea, but only for normal people. I'm sure you don't send thousands of emails a day, so this doesn't bother you, but the Linux Kernel mailing list does

so the question is: should the Linux Kernel mailing list be a trusted sender?

Somehow I thing that the people on the mailing list would be able to configure the mail server to see this as coming from a trusted source.

You could probably arrange to have it coordinated with one of the several blacklists, etc. out there, so that most are trusted, and a few are deservedly not.

Re:another tactic?

[reynaert]

How would you decide how difficult the problem should be? Believe it or not, but there are people using email on XT's. Or take Arache, a graphical browser+email+... that works fine on a 386. Those people would in effect unable to send email.

Re:another tactic?

[GSloop]

I'm sure that ISP's who process LOTS of mail (hundreds of thousands or millions of mails) a day would be glad for the 5-10 second delay for each mail...

That's a huge computational cost, and doesn't have a prayer of making it...

My soltution attacks the profitability - a market solution if you wish - it might not be the only solution, but it could work to make SPAM unprofitable, and thus once unprofitable, kill it.

Re:another tactic?

[Dwonis]

Ah. I thought it was a system to waste spammers' CPU cycles.

Re:another tactic?

[subbuk]

>We could add something like (not real numbers):
>>>> MAIL From: 250 ... Sender untrusted, please
>give prime factor of 34576184516935692342934759132
>to continue

>Personally, I do not know the feasibility of this
>angle, although I am sure some expert with be
>willing to point out the flaws.

Flaws like the fact that 2 suffices in the example? Too good to pass up :)

Re:another tactic?

[br0ck]

Maybe this is a crazy idea, but could we have them compute a block for distributed.net or SETI@home? Two birds, one boulder..

Re:another tactic?

[rew]

Nope Won't work:

The spammers find a "open relay" (like they do now) and put the burden on those "other hosts".

Roger.

Re:another tactic?

[Dwonis]

From what I understand of your protocol, the keys can be pre-calculated, which would GREATLY reduce the effectiveness of the scheme.

Issues regarding new technology

[TheMCP]

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Well, not exactly. You're right in that that's all it technically does for us. However, this leads us to two potential advantages:

• When the spammer is identifiable, they don't tend to last long because the volume of incoming complaints tends to overload the ISP.
• It makes it easier to create a groupware blocking system - for example, 10,000 people subscribe, and the system requires three subscribers to complain about an address before it's blocked. A spammer sends spam and it hits 8237 of the subscribers. The first three to see it click the "this is spam" button, and the system automatically removes the mail from the inboxes of the other 8234 subscribers who got it and blocks all future email from the sender.

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

You're right, but again, the volume of incoming complaints (and denial of service attacks) tends to make the ISPs balk at hosting spammers. Once they're tracable, the attacks begin, and the ISPs dump the spammers.

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly... because practically nobody is going to make a hard switch over to a new email system that will prevent most of their friends and associates from emailing them, and very few people are going to be willing to run two separate email clients. It would be best if the server-side software supported both standards as well, so server admins don't have to feel that they're getting an additional piece of software to support. Moreover, everything has to support every major platform and some of the more prominent minor ones so it can support a massive switchover and won't piss off users of any particular platform by not properly supporting them.

Java, anyone?

Re:Issues regarding new technology

[reynaert]

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly...

Not really... All you have to do is modify your mailserver to reject any message that does not include a valid PGP signature. And any descent mail client already supports it.

Re:Issues regarding new technology

[TheMCP]

All you have to do is modify your mailserver to reject any message that does not include a valid PGP signature.

And how am I going to get email from my clients who don't use PGP, and aren't going to? Go back and read what I wrote. Nobody is going to use an email system that cuts them off from almost everyone.

And any descent mail client already supports it.

Funny, but in 12 years on the Internet I don't think I've ever used a mail client that supported it natively.

You can't legislate against stupidity

[cheekymonkey_68]

Read up on Bernard Shifman

I know hes been featured here on slashdot, but Shifman just goes to prove you can't legislate against stupidity

How to find out who sends those

[TheMCP]

Are there any ways to find out who sends these out without incurring a large expense?

Sure. Dial the number, say you're interested, and ask for their address so you "can mail them a check." It won't work every time, but in a lot of cases if they think they've got a sucker on the line they'll tell you where to send money.

Anyway I'm sure the state attorney general's office can make the phone company cough up an address where the bill for that number is sent, if you get them interested.

Remember that if the address is a PO box, the post office has the physical address of the boxholder.

Try the police and the attorney general.

[TheMCP]

Try calling your state's attorney general's office and explaining the situation to them. Sometimes they can be surprisingly helpful, particularly if you can do a good job of explaining yourself (like pointing out repeatedly that they're doing this *incredibly* *loathesome* thing in *your* *name* and that it's just *destroying* the good name of your business) and can come off as genuinely hurt and confused.

If you got any threatening complaints about the spam, you could bring those up too, and claim that you fear for your life because of what this person is doing in your name.

The police might be willing to help, too.

You have public law enforcement resources. Use them. It's not just the RIAA and MPAA that have a right to call in the cops. You do too. Go for it. If THEY catch the spammer, and prosecute them for identity theft, defaming you, or whatever, the spammer will be in for a lot worse than having their relay shut down.

Re:Try the police and the attorney general.

[TheMCP]

Under the circumstances I'd try the US embassy, and the office of the Attorney General of the state that the phone number is in. (You can determine that by the area code as long as it's not a toll-free number.)

Your local police may still be willing to get involved, and may be willing to deal with the US authorities for you.

Making spammers pay

[Alien54]

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

similarly, a solution that causes you to spend time implementing more technical solutions is costing you time, and probably money.

bottom line: Make the spammer pay.

In my original example, the smtp could also be set to have several levels of trust, with corresponding levels of computional feedback for the sender.

Re:Making spammers pay

[mpe]

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

Simple solution a) no third party relaying, simple solution b) if a certain IP is only performing DNS lookups and SMTP connections randomly drop packets.
Both of these are solutions individual ISP's can apply to prevent their usage for sending spam which do not require rewriting existing protocols.

Re:Making spammers pay

[mpe]

Except, of course, that the spammer's computer does next to nothing in the process of sending millions of emails. I'm on a 64k ISDN line and I can send email to 100k people in a matter of minutes. 100% of the work in sending the email is done by some one else's computer. That is what makes spam such a fucking problem. It doesn't cost the sender anything, but cost the rest of the world a great deal.

However if it was less easy to use someone elses computer then it wouldn't be anywhere near so easy. If your ISP didn't provide a third party relay machine then in order to use someone elses machine you'd have to find an open relay machine. But there arn't too many of these and other people are looking for them with the intent of getting their admin to fix them or getting them listed in a firewall, etc..

Re:Wrong

[CaptainSuperBoy]

Well, thanks for backing up your statements with all those statistics. Since you've pointed to studies, news articles, and online discussions backing up your facts I feel confident believing your statement that most companies spam from a shadowy data haven outside of the reach of law.

Of course, if you had said that my spam comes from some crazy island in the Pacific without backing up that statement with ANY FACT WHATSOEVER, I wouldn't believe you. Oh wait.. You don't have any proof to back up your statements. Never mind.

Believe what a SPAMMER says!

[www.sorehands.com]

Oh yes, all SPAMMERs tell the truth.

I like the bit of, "This is not SPAM in accordance with pending bill...

"I am a canadian attorney and this is legal according to US postal laws...".

Full text of Cerasale interview

[TekPolitik]

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

This is revealing, however the real text of the interview is more so:

Interviewer: I'm calling regarding Congressional action on spam.

Jerry Cerasale: If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace.

I: But surely with all the ads for porn, casinos and viagra substitutes that you'd be competing with, it's not going to be of any use to you anyway.

JC: You're not listening. I said if you ban me from entering the marketplace. You can ban everybody else.

I: So you're saying you want to ban everybody except Jerry Cerasale from using spam?

JC: No, I want to ban unethical marketers from using spam.

I: How do you define unethical marketers?

JC: They're the ones that forge stuff and won't honor remove requests.

I: So won't they just start following that law and you'll still have the volume problem?

JC: No, because they're unethical marketers.

I: So who are the ethical marketers

JC: They're the DMA members

I: So if the unethical marketers join the DMA do they become ethical marketers?

JC: Of course.

I: Even if they still forge and don't honor remove requests?

JC: Yes. If they join the DMA, then what they are doing is ethical marketing.

I: Surely all the spammers will just join the DMA then and they can all spam.

JC: That's OK.

I: But then won't email be useless for everybody because of the volume? After all, there's got to be hundred of millions of potential marketers out there who might want to use it.

JC: Yes.

I: So you're opposed to laws that will make spam unusable for marketing?

JC: Yes.

I: But you realise that if the laws aren't passed, spam will be unusable for anything.

JC: Yes.

I: Including marketing.

JC: Yes.

I: So really your opposition to laws banning spam achieves nothing to protect it for marketing, and just succeeds in destroying it for everybody.

JC: That's right - if me and my DMA buddie's can't use it for our purposes, then nobody can use it for any purposes.

I: Isn't that a little childish.

JC: Well since they won't play by my rules I would take by bat and ball and go home, but I don't own the bat or the ball, so the only way I can stop them from playing is by destroying the bat and the ball.

I: Mr Cerasale, thank-you for your time.

JC: My pleasure.

NOT the solution

[Technodummy]

The biggest problem with spam is the increased traffic load.

The spammers are the problem, not the spamees.

Forward SPAM to spammers

[Pedrito]

I get a lot of SPAM, it came all of a sudden and hasn't let up and the jerks won't take me off their list (okay, I was a little optimistic). So, I took the time to find the email addresses of the spammers (from their own web sites, from WHOIS, etc), and I simply add them to my "SPAM" filter which then sends a copy of each piece of SPAM I get to all of these addresses.

Will this fix the problem? No. Am I adding to the bandwidth waste, yeah. Sorry, but it was the best solution I could come up with.

One of the biggest offenders is a company in San Francisco. I live in Virginia and thought I'd try to sue them under VA law. The problem is collecting on an out-of-state spammer is difficult. So, I spoke to my cousin who is a lawyer in San Francisco and asked him if I could sue them under CA. law. For one thing, CA. allows for 5 times the compensation per e-mail than VA, which was very appealing. Unfortunately he said it probably wouldn't apply to an out-of-state recpient of the SPAM.

So, really, the only way to get rid of it in the States is to make a national law that's tough and easy to enforce. Otherwise, do what I do, pester them.

Polish porn sites are useful for revenge

[robogun]

It originates from a spammer in Poland. You probably opened the email as HTML. If you look at the source, you will see all the graphics have your email address in them eg http://www.incestsex.con/?from=you@work-email.con
Once he has your address, its like herpes, you'll never get rid of him. Enjoy all the spam you will be getting from him in the future.
HOWEVER, if there is someone you hate, (for instance, a spammer), type his name instead of yours after the URL to one of these sites. Come to think of, DON'T -- a spammer probably would like HOT LOLITA SEX.COM

Relatively inexpensive technical solution

[jdoeii]

First, legislation is a good step, but it will not stop spam. Because the net is really world-wide. No US law is going to stop spam from Korea or Moldova.

Second, about 25% of spam I get is from first-time spamers. Every day some idiot salesman invents this new cool way of advertising. He might quite sincerely not understand the difference between direct mail and spam. He will learn eventually, but we would get spam anyways.

The real solution is to charge sender for sending mail. E-money won't work in the near future - there is no infrastructure for it. Instead, the mail recepient should bill his own ISP for every piece of mail. The per piece price cannot exceed a certain amount (let's say $1 or $5 or even $0.15). The ISP charges the sender's ISP for the cost and processing fee. The sender ISP passes the cost to the sender.

The infrastructure could be built the same way as HTTPS. If an ISP wants to participate, it gets a certificate from a root authority, sets a server for "SMTPS" and for billing. The SMTPS session is signed. There could be some price negotiation between SMTPS servers too. SMTPS would have to be properly amended.

This would be very similar to peering agreements between ISPs. The system could get started if 3-4 large digital carriers agreed on the standard. Others could join later.

Spam-Label Laws Haven't Worked Yet

[billstewart]

Several states have spam-labeling laws, which requires Subject: line tags like "ADV:" on any spam sent to or by residents of their states, and require spammers to maintain "Don't Send Me More Spam" lists and not send more spam to complainers. Yeah, right, like that's cut down on the spam I've received by 1%.

The only thing that it's accomplished was a brief round of spammers adding tag lines that said "This message isn't spam because I've complied with the labeling laws. The proposed Senate Bill S.1618 was a more popular excuse for that, so it was a useful pattern to feed spam filters in mail messages.

They've also popularized remove-me lists which confirm your address's validity: "We're happy to remove you from our 'Get Rich Starting January 1' mailing list and hope our 'Get Rich Starting January 2' and 'Get Viagra Starting January 3' lists will serve you better!".

"National boundaries are just speedbumps on the information superhighway." US State boundaries are even more so - unlike US telephone numbers, which give a somewhat strong hint about where a recipient's fax or voice phone is, or snail mail addresses, there's usually no way to determine where the recipient lives, so no way to determine whether any anti-spam or anti-birth-control-information or anti-religious-content or anti-political-incorrectness laws apply to the recipient (or their email server), so US senders of spam can argue lack of scienter in any legal cases. But spammers can just move offshore. Or they can pretend to move offshore (either buy service outside the US, or abuse open relays offshore) and be hard to trace, or they can set up corporations in a large number of non-US jurisdictions, and have the corporation be responsible for the spam, or for that matter set up cheap disposable US corporations that are sending the spam that can go bankrupt in case anybody successfully catches and busts them.

They're scum, but we need to find other ways to stop them. (And unfortunately, anti-spam and anti-cracking laws do make it tough to mailbomb the suckers or eliminate them directly....)

Re:Spam-Label Laws Haven't Worked Yet

[mpe]

unlike US telephone numbers, which give a somewhat strong hint about where a recipient's fax or voice phone is, or snail mail addresses, there's usually no way to determine where the recipient lives, so no way to determine whether any anti-spam or anti-birth-control-information or anti-religious-content or anti-political-incorrectness laws apply to the recipient (or their email server), so US senders of spam can argue lack of scienter in any legal cases.

This simply the side effect of operators in the US choosing not to use geographic domain names.

But spammers can just move offshore. Or they can pretend to move offshore (either buy service outside the US, or abuse open relays offshore) and be hard to trace, or they can set up corporations in a large number of non-US jurisdictions,

Courts in the US routinely ignore the concept of the case being outside the jurisdiction of the US. US law enforcement is quite happy to chase over to Norway , because the MPAA is upset. The US has frequently held citizens of other nations (including those it is supposedly "friendly" towards) in violation of a huge number of treaties.
It's probably more a case of since spammers don't upset the "elite" (either corporate or aristocracy) too much the US government has no interest in persuing them. They most definitly have the means.

Re:Spam-Label Laws Haven't Worked Yet

[Steve+B]

unfortunately, anti-spam and anti-cracking laws do make it tough to mailbomb the suckers

The best anti-spam law would be the application of the old-fashioned doctrine of outlawry -- i.e. once someone is proven to be a spammer, then he stands outside the protection of the laws pertaining to computer crime, and may be cracked, DOSsed, etc. with impunity.

Class action lawsuits

[MillionthMonkey]

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.

Well, maybe, perhaps not. Companies will sue if it's in their interest. If their network becomes good enough to handle the congestion from spam, and the amount of spam doesn't vary too much as a customer moves from ISP to ISP, it's conceivable that the providers might begin to view spam as the customer's problem (as they pretty much do now). And even if they do start suing- who benefits from that directly? Besides the obvious value as a deterrent to spammers, there isn't much justice being done if the plaintiffs are all going to be large ISPs. The parties most damaged by spam are the end users and especially the smaller ISPs.

I always thought class action lawsuits by the actual recipients of spam are the most logical way to counter spam if the approach is going to be via the courts. After all, have you ever received a single, individual spam that's caused you to consider taking the case to court against that particular spammer, with lawyers and court costs and all that hassle? With a judge that might ask "well why didn't you just hit delete?" And getting that single spam email message isn't really what you're suing over. It's the degradation of your daily routine, the tedium of having to delete a hundred emails a day year in and year out, the loss of almost a day of your life per year deleting countless messages about herbal Viagara and credit repair software and diplomas from prestigious non-accredited universities and hair loss and government grants info packages and an EZ way to consolidate debt and reducing all payments by 60% and frisky teens. Going to court over a single spam seems to miss the point. And it's expensive and inconvenient to sue as an individual, so a spammer might very well recognize that his individual spam probably isn't going to elicit a lawsuit if it isn't outrageous enough for a spammed plaintiff to choose as THE spam (out of the 10000 in his box) that he's going to go to court over. In fact, people tend to sue when the spam particularly offends them (e.g. when it talks about sex with minors, or has nude photos in it and is received by a minor). Unless things proceed to the point where every spam message sent out results in a lawsuit, a spammer that keeps his emails polite and sticks ADV in the header is pretty much safe from being sued. So you don't even get much of a deterrent effect.

Unless we switch to using class action suits, which don't have these problems if someone with the resources starts consistently nailing all spammers with them. It's much easier than taking a case to court yourself. Someone is doing the suing for you and you get to hang on like a million other freeloaders and enjoy the fruits of your class action. I almost wouldn't mind getting spam if I knew there was a chance that I could stick it to the spammer for a few cents along with thousands of other people. If I even got a fraction of a penny on average per message, we could still be talking about some serious money. And it certainly wouldn't be too hard to set up. In fact (if this were 1999) you could probably build a dot-com out of it somehow, to coordinate the spam submissions, identify plaintiffs and defendants, litigate in court, hire collections agencies, and process the payments back to all plaintiffs. That's more of a business plan than many dot-coms had. I think that if there weren't so many jurisdictional problems with the idea in general (and if there were more spam laws) someone would try this.

I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them??

Strictly speaking, even if it turns out the email wasn't from Microsoft, it still doesn't prove that Microsoft has nothing to do with bestiality.

Joke

[Legion303]

Here's the joke:

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

Here's the punchline:

Jerry Cerasale
Direct Marketing Association
Washington Office
1111 19th St NW
Washington, DC 20036
UNITED STATES
phone: (202)955-5030
fax: (202)955-0085
web: http://www.the-dma.org

Contact List by Subject
Accounts Payable
webmaster@the-dma.org 212.768.7277, ext. 1353
Advertising - Print
webmaster@the-dma.org 212.768.7277, ext. 1423
Advertising - Web Site
kebeling@the-dma.org 212.768.7277, ext. 1554
Awards - ECHO
echo@the-dma.org 212.768.7277, ext. 1397
Benefits Program
twalsh@the-dma.org 212.768.7277, ext. 1423
DMA Store - Books & More
lrc@the-dma.org 212.768.7277, ext. 1930
Chapters
chapters@the-dma.org 212.768.7277
Conference Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
Conference Programming
conference@the-dma.org 212.768.7277, ext. 1513
Conference Exhibitors
conference@the-dma.org 212.768.7277, ext. 2469
Conference Speakers
conference@the-dma.org 212.768.7277, ext. 1528
Consumer Assistance
consumer@the-dma.org 212.790.1488
Councils
councils@the-dma.org 212.768.7277
Council Membership
councils@the-dma.org 212.768.7277
Council Events
councils@the-dma.org 212.768.7277
DMA Interactive
webmaster@the-dma.org 212.768.7277, ext.1629
Direct Connect
councils@the-dma.org 212.768.7277, ext. 1575
directvoice
mmicali@the-dma.org 212.768.7277, ext. 2422
Direct Marketing Educational Foundation
dmef@the-dma.org 212.768.7277, ext. 1817
The DMA Government Affairs Online Member Outreach Program
Governme@the-dma.org 212.768.7277, ext. 2405
Government Affairs
Governme@the-dma.org 212.768.7277, ext. 2405
Human Resources
hr@the-dma.org 212.768.7277, ext. 1338
International Services
Internat@the-dma.org 212.768.7277, ext. 1786
Library
lrc@the-dma.org 212.768.7277, ext. 1930
Membership - Joining DMA
membership@the-dma.org 212.768.7277, ext. 1155
Membership - Renewal
membership@the-dma.org 212.768.7277, ext. 1155
Seminar Information
customerservice@the-dma.org 212.768.7277, ext. 1500
Seminar Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
President's Office
Presiden@the-dma.org 212.768.7277, ext. 1604
Press Contact
Privacy
privacy@the-dma.org 212.768.7277, ext. 2408
Research
lrc@the-dma.org 212.768.7277, ext. 1637
Sweepstakes
Sweep@the-dma.org 212.768.7277, ext. 2475
Washington Report
Governme@the-dma.org 212.768.7277, ext. 2418
Web Site
webmaster@the-dma.org 212.768.7277, ext. 1629

Since he considers spam a legitimate business practice, make sure you forward all your "HOT WET PUSSY!" emails to him so he doesn't miss out on any great deals.

-Legion

Lawsuits *will* be effective

[jestapher]

A single lawsuit won't do anything to stop spam, but once fifty or one hundred people start suing, it will get too expensive for many spammers. In Washington State, we've nearly a dozen folks filing lawsuits, some of them going for some serious amounts -- to the tune of tens or hundreds of thousands of dollars.

If you've got spam with a phone number or ordering address in it, you can (usually) track it down to a specific company or person. If it's only got a URL, like those mortgage spams, Washington litigants are filling out the contact forms on the site, then going after the mortgage company that contacts them. When these mortgage companies get hit with a lawsuit, they either want to settle right quick, or they rat out the spammer they hired. I've been focusing on spam with phone numbers, as I find it relatively easy and fun to track down the company behind the number. It may not always be easy to find the spammer, but it's not rocket science either. Anyone can do it given a little bit of time.

The Seattle Times had a good article on Saturday about the anti-spam law, some folks who've been using it, their wins, and the troubles they've encountered with the court system. The biggest issue in Washington is that court clerks and judges aren't fully educated about procedural issues like whether one can sue an out-of-state defendant or for punitive damages in small claims court. (The answer to both is yes.) It's been pretty frustrating for us "trailblazers," as the judges are saying contradictory and often quite stupid stuff.

Here's some nifty links:

• AboutSpam.com - Bruce Miller's site
• Peacefire anti-spam suits - Bennett Haselton's site
• Smallclaim.info - my site

For a copy of my 24 page zine, Zen and the art of small claims, send some stamps to PO Box 95227, Seattle, WA 98145. You can also just read it online at my site, but any zinester knows that it's just not the same.

What do they eat?

[jabapi]

Do those spammers eat SPAM while in prison?

Just wondering...

What are you, nuts?

[jcr]

I hate spam as much as the next guy, but this is just complete bullcrap. You are choosing to run sendmail/qmail/exim/postfix on a publically routable IP address (or you are choosing to buy service from someone who does).

Excuse me, but by that logic, there's nothing wrong with me sending you a few hundred gigs an hour on your port 25 until you crash or shut down your mail server.

I have a mailbox outside my house, too: that's not a license for someone to fill it with dog shit or toss a firecracker in it.

-jcr

Why doesn't Cauce.org have any solutions posted?

[Mustang+Matt]

I submitted this to askSlashdot and it's also in my journal entries, but shouldn't cauce.org have some proposed solutions to ending the spam problem? As in, laws that they think would actually work to benefit consumers, or mail server specs that would actually work to stop spam?

Re:Wrong

[mpe]

Most companies that spam are ghost corporations, legally residing in a small island in the Pacific.A US law cannot touch these people. It won't work any more than regulating porn or gambling online.

It's more a case of so long as US corporate interests are not upset the US government won't do much about it. If they were to do so then expect these small islands to very quickly either gain an autocratic government very friendly to the US or possibly to wind up as a US state.

Re:Wrong

[CaptainSuperBoy]

Well, there aren't going to be studies and articles about companies that virtually nobody knows about. I happen to know people who do it, and that's how it's done.

There simply aren't companies spamming that slip under the radar of anti-spam groups. Read news.admin.net-abuse.email some time - you'll be amazed by the dedication (and thoroughness) of the regulars there. I did a quick google search for 'pacific island' and it came up with nothing. Believe me, the people in nanae are smarter than your spammer friends, and they would have found them by now.

I'm sure that all of the spam you're getting are from legitimate S-Corporations with nice large offices in Silicon Valley that have PR people with who you can register complaints.

That's a pretty big assumption you're making about spam, and it's not correct. Check out spamhaus.org for a more accurate picture of where spam comes from - Beaverhome / Monsterhut is a good example of a downright evil company. Fact is, a lot of spam comes from unscrupulous companies and people right here in the US, who could be shut down with the right laws. Even this slashdot story, is about Kozmo.com getting sued for spam.

Websites a good way to avoid spam?

[NanoGator]

I had another idea, it's a little extreme, but I think it's an idea that can be built off of.

I'm a member of a forum that talks about a particular interest of mine. Basically, I log in to a site, and my friends that are online (of that particular interest, obviously I won't find my mom on a CG Art board...) show up and I can message them and check out the recent posts. There is a personal messaging system there so I can send private messages to people. If somebody sends me one, I get a notification on the home page.

Basically, I've obscured the method it takes to get a hold of me. A good chunk of my friends are on that forum, a coupla more are on another forum, and the rest including family are on icq. I've basically weined myself from the need for e-mail. I wouldn't have it at all if sites didn't require it for authorization.

This makes it a lot harder for a spammer to reach me. If every site has a different (and constantly mutating) method of sending messages around, then it's so much harder for spammers to get through.

Whatcha think, sirs?