Lawsuits Against Spammers

apc writes "Pretty good overview of the state of the law regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention." It talks about several different states and several different people who have won cases. I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

Technical / Social solution please

[Tom7]

Instead of encouraging litigation, why don't we develop (easy) and attempt to gain acceptance (harder) of an authenticated e-mail format?

I would much rather see technical (or social) solutions to the spam problem... laws have a funny way of not going in our favor, don't they?

Re:Technical / Social solution please

[hogsback]

Is there a technical solution?

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

If the spam is sent from within your own country, this makes using the law against the perpetrator easier, it doesn't remove the need for the law.

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.
Spam is behaviour that we can't stop, therefore we need laws to discourage it.

Re:Technical / Social solution please

[Deagol]

Just because we won't use the law, it doesn't mean they won't. I suspect that any truly effective technical solution will meet the same fate as ORBS and MAPS with lawsuits.

Re:Technical / Social solution please

[garett_spencley]

I completely agree. I relate SMTP to TCP/IP. It's very simple which is why it caught on but it just doesn't live up to today's standards.

All of this litigation, while a worthwhile cause, is like security through obscurity. While it may be a deterrent for some people, lots will do it anyway.

So what we need is a new e-mail protocol that will make forgeing at least non-trivial but attempt to make it 100% impossible.

Ideally it would even be backwards compatible with SMTP so that older e-mail clients would work with newer servers.

--
Garett

Re:Technical / Social solution please

[garett_spencley]

You're right but it would take away spammer's anonimity.

To further this the new protocol would also have to be better at authenticating as the parent poster said. But this can already be implemented to an extent with our current protocol by denying access to SMTP services from anyone who's host does not belong to certain domains.

That still won't elliminate spam all together since many companies spam using their own servers. But at least if you force spammers to do it in the open then at least you can prove that they were the ones who spammed you and can charge them with fraud, false advertising, sexual harrasment (if the add contains sexual material) etc.

It will reduce spam considerably and probably make it a lot less "annoying" since the adds will be more up to par with junk mail. It will still be a problem but it won't be nearly as big of one and then we can use the litigation to regulate it and if there is a God elliminate it :O)

--
Garett

Re:Technical / Social solution please

[Jay+L]

I thought a lot about stamped e-mail in a previous life as a mail systems developer. Our VP of development was really hot on the idea, since it would solve both the authentication problem and the no-incentive-for-targeting problem. You wouldn't even have to make it backwards-compatible; just create a new tier of "first-class" e-mail. Two big problems though:

1. Technical: It would be very, very expensive to process e-mail stamped with some form of digital cash. You're adding lots of crypto calculations, database lookups, and some sort of synchronization scheme that scales up to whole-Internet level. Large sites would likely have to have crypto plug-in hardware to do this at all efficiently.

2. Political: You'd have to get a significant number of ISPs on board, and these days most spam is NOT sent directly through the big ISP mail servers anyway.

It's a neat concept but there are too many problems. It ended up not being worth it.

Re:Technical / Social solution please

[BitterOak]

You're right but it would take away spammer's anonimity.

It would also take away everyone else's anonymity. Given the number of people who get sued by corporations for telling truthful but disparaging things, and given the number of "whistle blowers" who end up out of a job, or worse, do you really think that we should give up the ability to send anonymous e-mail just to avoid the inconvenience of junk mail? I sure don't.

Business opportunity

[yggdrazil]

Let's hope some people see this as a business opportunity, and start a business or organization to sue on behalf of all of us who don't bother now, and collect a percentage. So that more of us can use our lawful right to make the spammers pay for their nuisance.

We could donate proceedings of successful spam litigation to open source projects or to the EFF.

What we need

[CaptainSuperBoy]

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

The article makes a good point about laws that require spam to be labeled. This isn't a solution, and there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT". This is a perfect example of laws being too specific - legislation has no business dictating changes to the SMTP protocol. This isn't useful either: shouldn't spam laws apply to more than SMTP? Say, ICQ spam? Internal AOL spam?

This is why we need a national spam law. No conflicts, no SMTP requirements, no opt-out. Make spam illegal, period. Spam is harassment, theft of service, and usually fraudulent. It costs ISPs millions of dollars that are passed on to YOU. Companies lose productivity because of workers receiving spam.

If you think this is any different from junk fax laws, you're kidding yourself. Spam and junk faxes both hurt the recipient. Spam is not free speech. Spam is not a constitutional right. Banning spam IS the right answer.

Check out my latest piece of spam !

[J.D.+Hogg]

DEAR FRIEND !

Tired of not making enough MONEY ? HOW ABOUT $3000 PER WEEK OR MORE !
No, this is not a joke, YOU TOO CAN QUIT YOUR JOB AND MAKE THE MONEY YOU DESERVE !

HOW ?

Very recently, I have discovered that anybody on the internet receives "SPAM" emails, and that it is usuall possible to sue those "SPAMMERS". Most often, "SPAM" originates from VERY LARGE COMPANIES who have a LOT OF MONEY MOST OFTEN, and these companies don't want to lose their reputation in the "SPAM" industry, therefore they are usually willing to give plaintiffs A LOT OF MONEY to settle their claims.

I CAN ALREADY HEAR YOU SAY "HOW CAN I SUE SPAMMERS TOO AND RECEIVE A LOT OF SETTLEMENT MONEY ?" !

IF YOU SEND ME A RESPONSE AT THE EMAIL ADDRESS AT THE BOTTOM OF THIS MESSAGE, I'LL INTRODUCE YOU TO MY NEW BOOK CALLED "HOW TO SUCCESSFULLY SUE SPAMMERS AND RECEIVE A LOT OF SETTLEMENT MONEY". MY BOOK NORMALLY COSTS IN EXCESS OF $85 FROM NORMAL RETAIL CHANNELS, BUT ONLY FOR YOU, I OFFER YOU THIS INCREDIBLE MONEY-MAKING TOOL FOR ONLY $19.99 !!

DON'T PASS UP YOUR CHANCE TO MAKE THE MONEY YOU DESERVE. SEND ME A RESPONSE RIGHT NOW, OR CALL ME AT THE NUMBER BELOW.

THANK YOU DEAR FRIEND !

email: SUCKER_RESPONSE@HOTMAIL.COM
phone: 1-800-YOU-SUCK

**********

THIS IS A ONE-TIME EMAIL, YOU DO NOT NEED TO DO ANYTHING IF YOU DO NOT WISH TO RECEIVE ANYMORE INFORMATION ABOUT THIS INCREDIBLE OFFER.

Re:Check out my latest piece of spam !

[InterruptDescriptorT]

I didn't believe it for a minute. The grammar and spelling are too good for it to be legitimate. :-)

---
Some say Netware is just like a wheel/ When you abend it, you can't mend it

The solution to spam.

[Restil]

The only reason spam is so prevalant is because there are still enough suckers out there who respond to it and buy into the schemes. We need to do one of two things. Either successfully educate the suckers so the spam becomes uneconomical, or compile a real list of suckers and find a way to convince the spammers to ONLY spam them, and not the rest of the world.

Neither of these things will happen, unfortunately.

-Restil

Re:The solution to spam.

[clark625]

Since there's a sucker born every minute, that gives plenty of "new" customers for the spammers. That's 1,440 potential suckers every single day--or 525,600 per year. And if you can get the typical $19.99 out of each of them, you can get a whopping $10,506,744 of revenue. When you look at numbers like that, you can easily see how spammers (and TV commercials) can continue to annoy the rest of the population.

The problem with having a "sucker list" is that no one ever thinks he/she is one; and would do everything possible to stay off it. It's very similar to how most people believe they have an above average IQ. Nevermind the fact that most people can't be above average. A lot of people simply don't think of themselves as suckers.

Anyways, I need to go buy that new Igia ElectoSage 8. Have you seen it? It looks absolutely amazing! I'm gonna lose lots of weight with this thing--all without getting off my butt. Schweet!

Re:Double standard

[CaptainSuperBoy]

Well, AOL had a trademark complaint about GAIM. This has absolutely nothing to do with spam - what are you saying? If you're against one lawsuit, you shouldn't support any laws whatsoever? I guess you disagree with some trademark laws, so you believe that we should live in anarchy because SOME laws are bad.

www.xns.org

This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

Re:www.xns.org

[johnburton]

I like this.

But I can't see any reasable hope of pursuading people to replace DNS. But I suppose people won't care what kind of name lookup their email software is doing.... Hmm...

Or what about something like ICQ where you can say who you want to be able to receive communciations from. Anyone else you have to authorize before they can send you an actual message. I doubt spammers could be bothered to do this, they'd go find some other way to annoy people.

How about doing this?

Your email program looks at the headers of emails being received. If the message is from someone in your address book, or is from someone you sent an email to *recently*, or is from a recognised mailing list then you get the email.

If it does not fit any of those conditions, it must first validate the sender. To do this it sends back a message to the senders From address with instructions saying under what terms you are prepared to accept the email, and a code to send back saying that you accept those terms. Your client would then accept one, and only one message from that address to be delivered to you. If you want to accept more in future you can add them yo your local address book.
The fact that the "spammer" must explicitly accept your terms for accepting your email would give a lot more legal protection to filtering and blacklists of known spammers.

Hmm. Must think about this some, and implement something!

Ooh, a slashdot story on spam

[Paul+Wright]

Let me summarise:

Spam is Free Speaaech (A Troll)

No it isn't (Baittaker543)

Yes it is (Anonymous Spammer) 30 post thread snipped

No more government regulation (aynrand666) All problems have a technical solution. Just hit delete.

My webserver got RBL'd (warfire) So I've come here to cry instead of ditching my low-file ISP. Your technical solutions are no good.

I know more than you do (karmawhore23) I am cleverer than you.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Put the ball in the court of the ISP

[smack_attack]

The simplest reasons that spammers "get away with it":

1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.

A lot of people have already commented on #1 so I'm going to skip that one.

In short, the accountability should come to the ISP, because they are the ones you inevitably allow this to happen. @Home or similar could implement a per day limit on outbound emails, same for the fre services, Yahoo! and Hotmail. There needs to be a clearinghouse for spam notification, someone who tracks spam and spammers, period. Fines should be imposed on ISPs who allow bulk email to originate from their service. Their choice should be simple: don't let spam originate from your system or face the penalty (steep fines, this could be used to fund the clearinghouse). Leniency could be worked into this, an ISP may have X number of reports per day based on the number of IPs they have. X should shrink every year.

The clearinghouse should also be audited on a yearly basis and the results made public (what ISPs spam the most/least, amount of fines paid, etc)

Re:Put the ball in the court of the ISP

[Dr.Dubious+DDQ]

2) ISPs turn a blind eye or aren't as responsive as they should be.

YES! Most times that I get spam, I trace down the headers to find the source and report the spam to the ISP hosting the address, and the spam stops.

MOST times. It took a while to get through to hinet.net about their 'tom lee designs' spammer, but even then, when I finally got through to somebody the spam was stopped.

For the last three months, I've been dealing with wads of spam from what I believe to be the same spammer due to the headers:

• They all have the same style of random-fake-hotmail.com addresses
• They all bounce through hijacked foreign servers
• They all have the same 'X-Mailer' header ('X-Mailer: Microsoft Outlook Express 5.50.4133.2400')
• They are repetitions of the same 5-8 advertisements (most for dubious semi-medical supplements e.g. 'increase your ejaculation 581%','stop hair loss', etc. on www.poxteam2001.com)
• And, of course, they ALL come from the same bank of apparently Texan addresses on prserv.net (slip.12.64.*.mis.prserv.net).

The ISP in question is AT&T Global. (mail to abuse@prserv.net ends up at postmaster@attglobal). For the last three months or so, I've diligently forwarding the messages, with headers, to abuse@prserv.net (or postmaster@attglobal.net). Until recently, they've been universally coming back with form-letters saying 'this problem has already been reported'. Sometimes the spam stops for a day or two, sometimes it doesn't.

I even looked up their contact number on whois and called THAT a few times (the only human beings there seem to be overworked and underpaid tech support people). The last few days, I've been getting my reports returned in a form letter stamped 'not our domain', as if whoever's getting my messages at AT&T Global is either 'in on it' or just doesn't want to deal with it any more (or perhaps is's just a 'new guy' who's not used to dealing with the headers, or thinks that only AT&T Global user's complaints about spam from their network should be dealt with)....

Point is, with roughly 80 spam messages from the same spammer forwarded, the spam has continued unabated, and I honestly wonder if some salesdrone at AT&T Global's Austin, Texas area POP has an 'understanding' with the spammer and has been willing to re-sign him every time he gets kicked off. Unfortunately, none of the emails I've sent to 'postmaster@attglobal.net' requesting more information about the spammer (including requests on the order of 'who do I contact to find out the proper legal procedure for obtaining the spammer's identity so that I can look into taking action myself') simply come back with more form-letters, or are unanswered...

I called them again today (after last night's two spams came back from them stamped 'not our domain') and for the first time, actually got to speak to someone in the postmaster department. She actually seemed helpful and polite, so hopefully something might finally be DONE about this spammer...

So, anyway, to get back to the point - the ISP's are the ones who have the power to do something about spammers on their network, and if they choose not to, there ought to be some sort of recourse. Small ISP's, you can complain to their upstream provider, but when you're dealing with AT&T Global?....

'scuze the verbosity of this post - this particular spammer/ISP issue has me pretty irritated at the moment...

Jerry Cerasale can kiss my ass.

[jcr]

U.S. businesses generally oppose restrictions, equating advertising with free speech.

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

God DAMN IT, for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.

If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.

-jcr

Re:Jerry Cerasale can kiss my ass.

[damiam]

The analogy I like to use is:

You have the right to sell your product, but you do not have the right to break my window during dinner hour, climb in, come to me and interrupt my dinner to scream in my face that "MY PRODUCT WILL INCREASE YOUR EJECULATION 581%!!!!!" without even looking first to see if I'm a women.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Technical solution

[jbf]

Make people send you digital cash with each email. You return it if the email isn't spam (if you don't return it for nonspam, then you're a bastard) Unfortunately, it's impossible to make this work in a back-compatible way, so...

Example protocol:

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: spammer@mail.com
250 spammer@mail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 20 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 20 cents
DATA
...

I think some work in the IETF has been done on spam prevention, but no one has even tried to standardize it.

Re:Technical solution

[cmowire]

I think a better resolution to the problem is to enforce a certain amount of purity in the mail headers.

If you are spam, you should mark your message as being such. If you are a mailing list, you should mark your message as being such.

And then we need to have a network of trust between the mail servers. Something lightweight enough that it works 90% of the time. Servers who are trusted are trusted that they will send out mail with proper headers. Servers who aren't trusted will get their mail bounced most of the time.

Thus, spam can be dropped on the floor at the option of any mail server. And server admins who don't mark spam as spam are marked as untrusted servers. At the option of the country that the mail server exists in, this can be declared as fraud.

I wrote up some notes on it on my webpage but I'm not sure how well it would really work in practice.

Suing spammers will only stop the big boys

[Skim123]

Suing spammers will only stop the likes of Flooz.com (as quoted in the linked to article) and other large sites from sending spam (i.e., eBay/Buy.com, two companies I can't seem to unsubscribe from). I don't know about you, but the vast majority of spam I get is from individuals or very small companies, at least I'd assume it is. It's usually racked with spelling errors and grammatical no-no's, and are not ads for the latest mega-eCommerce site's sales, but for Viagra, toner cartridges, incredible wealth from a home-based business, "legal" ecstacy-type drugs, penis-lengtheners, and, of course, the usual solicitations from horny 18 year old lesbian cheerleaders.

Many of these spammers send from hotmail.com or from email addresses that are not in the US. So how would I go about suing them? Even assuming that I could sue them, how could I manage to go about collecting my settlement from them?

I'm afraid suing is not the answer to ending all spam, just a small class of spam.

Re:Suing spammers will only stop the big boys

[Todd+Knarr]

IMHO if I subscribe to a business or purchase a product, the only e-mail I should receive is information specifically about what I subscribed to or bought. Eg., if I sign up for eBay I should by default only get information about changes to my eBay account. Anything beyond, eg. information about eBay services I didn't sign up for, is unsolicited commercial e-mail. Until the company takes over paying for my access to my e-mail, the burden's on them and it's not my responsibility to track down and decline everything they'd like to send me.

oNumber solved the spam problem, and it works

[Wonderkid]

Signup at http://www.oNumber.net, and exchange oNumbers with friends. Avoid putting e-mail address on business cards etc and use oNumeber instead. By using the guest list system, only authorized people get to see your actual contact info. It's not free, but it's free of advertising and O'WONDER (who own oNumber) will not sell or release your info to anyone. Slashdot reader feedback encouraged.

Better yet...

[jcr]

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: mom@aol.com
667 foo.bar.com accepts payment of 0 cents
DATA
..
MAIL FROM: unknown_spammer@hotmail.com
250 unknown_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 200 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 200 cents
DATA
...
MAIL FROM: known_spammer@hotmail.com
250 known_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 1.0e09 cents
CASH: 82kd0xma893mcos0
666 foo.bar.com detects fraudulent/forged e-coin. Forwarding to fbi.gov

RBL and SpamAssassin

[Gothmolly]

I run my own mail server, running qmail with the rblsmtpd daemon, pointing at several "underground", i.e. not for pay, black hole lists. In addition, there are spam _content_ filtering tools out there such as spamassassin, which looks for common telltale fingerprints in email. WORK FROM HOME, MAKE MONEY FAST, etc. etc. etc.

It can be done, with a little work.

Re:RBL and SpamAssassin

[nehril]

definitely. I put in spamassassin + vipul's razor on my utility linux machine, and I have it fetchmail my various accounts and scrub them. I use gotmail to fetch my hotmail and run it through the scrubber. this combo catches about 95% of all spam (and my hotmail account gets about 50 spams per day). Every other day I get one piece of spam or so.

Now I have all my accounts collected in one place and scrubbed. I even put in a webmail system (sqirrelmail.org) so I can fetch it remotely via ssl. If you have the means to hook up a setup like this I highly recommend it.

The laws in iowa

[autopr0n]

I was delighted the other day to find out that Iowa had an anti-spam law. I promptly requested 'remove' on all the 'psudo-opt-in' type spam (no, buying a list from someone does not mean that the people on it want your crap). Of course, under Iowa law I need to opt out before I can do anything, unless the spam is forged.

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

Are there any ways to find out who sends these out without incurring a large expense?

Hrm, I wonder how long before someone starts sending out "make money suing spammers, call today for your free kit." spam.

Re:The laws in iowa

[Happy+go+Lucky]

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

When you opened up the full headers on the spam, I assume you found the Received: lines going back from your mail server to the sending mail server, and from the originating IP to the sending mail server.

I also assume that Iowa law provides for John Doe lawsuits, in which you can identify the defendant as a specific individual even if you don't have his name, and has a long-arm statute whereby torts that occur partly in Iowa can be filed in Iowa courts.

Given those things: File your case with a John Doe defendant. Identify the defendant as the person who was using IP 123.456.789.012 at July 4, 2001, at 12:00 noon CDT. If you can explain what that means to the judge (in writing!) you can make a pretty strong case that that's one distinct individual.

When you file, have a subpoena ready for the court clerk's signature. You'll want to send it to the ISP or whoever owns the IP number, and it's for all billing or other records which would show the identity of the person using that IP at that time. Once the subpoena gets served and gets compliance, you have your defendant.

As for "large expense," I frankly don't know what it's going to cost you. Some states mandate civil spam-related stuff to go through small-claims, and some states don't give their small-claims courts the power of compulsory process. Obviously, a court that can't subpoena evidence is a joke, but don't ask me to explain it.

Truth in Advertising approach

[coyote-san]

I think it's time to apply Truth in Advertising standards to spam.

You say your product will help me lose weight? We send a rebuttal picture of your naked fat ass to everyone you know.

You say your product will make my penis gain 3"? We get testimonial from your two mercy fucks about how you need to use this product yourself.

You say your product will get me hot dates every weekend? We distribute a copy of your busy social calendar - with a note that you were stood up for the sole entry, your Jr. Prom in 1989.

And lest we forget it, you say your product will net me $50,000 in only 10 weeks? We show your credit card bills, and how even Miss Cleo has cut you off as a deadbeat.

The best thing of all si that this doesn't really require any new laws. (Well, the suggestions above do, but not the concept.) Don't just nail the spammers with small fines for sending spam, hit them with large fines for fradulant advertising, participation in criminal enterprises, etc.

Are the lawsuits worth it?

[btempleton]

I've sued phone spammers, the type who use a machine that calls people and plays a recording, which as been blatantly illegal for almost 10 years.

I've won, but it takes more work than the $500 you win is worth even when you do win, and on average it's something you do only on principle and not for money.

And thus few do it. When I have been in court the judges/commissioners have said they don't often (if at all) see these cases.

Laws are not the answer to spam. In spite of what people say it is not just a question of "it's not a free speech issue it's a property issue."

Spam involves rights in conflict. It's a free speech issue AND a property issue AND a privacy issue, all in one. The answers are not so simple as these laws suggest.

Companies should be doing the suing!

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Everytime someone forges an e-mail address using their domain name, and someone forwards it to abuse@something.com then it costs them money to research it. It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.

Don't they care about their PR? I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them?? I'll just keep assuming that till proven otherwise.

Laws define both sides

[coyote-san]

The problem with a national law, with any law, is that it defines "safe turf" for both sides.

If Congress debated such a law, I'm sure that the DMA would yell and scream and "compromise" that it is willing to make it illegal to send unsolicited email of a criminal nature. Outlaw the pyramid schemes, outlaw the cock&tit creams that don't have FDA approval, etc.

Meanwhile, in the same spirit of compromise, it's now Federal law that companies can ignore repeated requests that you be removed from their spam lists because you have a bona fide business relationship. It doesn't matter that this "relationship" was a one-time purchase of a Christmas present a decade ago for a person who's long been out of your life - you might need another left-handed bacon turner some day and if they can't sent you reminders, you'll buy it elsewhere!

Likewise the legislation would undoubtably protect affiliated businesses - the reason I briefly got investment solicitations from my car insurance carrier, until I made it clear they were about to lose the latter account. It will even protect attempts to woo you away from existing businesses - you drive, so therefore you should hear about Fly-By-Night insurance rates. And Bob's detailing shop. And on and on and on....

I'm not saying that legislation would never be appropriate, just that it's too early to do it at the national level. Let's get a clear concensus that spam is a problem, then use the federal law *only* to normalize things like mandatory subject lines.

Digital Postage is the only answer

[Curt+Cox]

Unsolicited bulk email is used with such frequency because it is so incredibly cheap. This convinces those who use it, that it has a positive return on investment. In order to reduce the amount of spam, it is necessary to increase the cost of sending it. Digital postage is the only way to reduce spam.

This would be analogous to the stamps used on snail mail, now. If nobody else steps up to the plate, some corporations will try to do this for a profit, or national governments will try to do it for control. The better solution, however, is some sort standards-based decentralized digital postage, where everyone can issue their own estamps. It is then up to each individual to decide, how much a spammer has to pay to get to their inbox.

Of course to be widely adopted, this has to be well integrated into email clients. It also has to be completely painless to insure that your friends always have enough of your stamps on-hand.

Once in place, the benefits include:
- less spam
- no need for email size limits, because there would be an obvious mechanism to allow billing for arbitrarily large emails
- automatic payment method for email based customer support

another tactic?

[Alien54]

I saw this idea else where, and it looks promising enough that I want to share ....

One could extend the SMTP protocol for mail delivery so that (non-favored?) senders were forced to jump through some computationally expensive hoop before mail to local users will be accepted.

Currently SMTP looks like this:

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender ok
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

We could add something like (not real numbers):

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender untrusted, please give prime factor of 34576184516935692342934759132 to continue
>>> FCTR 345837413 250 Ok, you bothered...
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

The beauty of this is, putting support in sendmail would mostly be sufficient, and it lets you effectively add a cost per message without any sort of micropayments scheme, or giving up anonymity. I'd be curious what your reader groupmind thinks about this, or if the idea has been tossed around before?

- Mike Earl

Personally, I do not know the feasibility of this angle, although I am sure some expert with be willing to point out the flaws.

Re:another tactic?

[tomstdenis]

Well that will work, there are other schemes.

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The basic idea stems from squaring modulo a composite. Say you're given N=pq where p and q are two huge primes.

You can find

R = K^(2^T) mod pq

easily, but given R its hard to find K.

So if you specifically construct K to follow certain rules, you can help filter out spam very easily.

The basic scheme works like this

1. Make up two primes p and q and get N=pq
2. Choose a value of T [say 1024]
3. Publish N and T with your email address

The user wants to send you a message M so they make up

K = random_data || HASH(M) || time

They hash K and use that as a key for a symmetric cipher. Then they send R=K^(2^T) mod N [by squaring T times] along with the ciphertext.

The trick is that finding K from R is easy if you know the factors and squaring T times takes time.

You can sign K easily too ... anyways...

Re:another tactic?

[tomstdenis]

Hmm? You hash the message so you can't just store them on a CD.

The idea is not to stop people from SENDING spam its to stop you from having to SEE the spam.

For a message to be valid you must first make up a bignumber

K = random || hash(message) || time

Then you send to the user K^(2^T) mod N.

You're "attack" won't work since each user has their own N. So if you want to build up a huge table of valid numbers you can, but they will only work for one user.

I'd suggest you actually read the posting before attacking it.

Re:another tactic?

[GSloop]

Tomstdenis - if you want to not see it, use spamassassin - works great -

Oh, I forgot, you're a MS Bigot, so it will probably be a real bugger to get this to run properly on NT - what an advantage huh - unless MS provides it/thought of it, you can't get it...

I virtually NEVER have to see mail from spammers using spam assassin. (I do get a few false positives...)

The point is not to prevent me from seeing spam, but from having to pay to get spam. I _DO_ pay for bandwidth - I'm not a flat rate for bandwidth user, so I do care what I have to pay for...

Lastly, the only way to really make a dent in spamming is the following, which I have already mentioned here before...

===== Quote ====
Most of the spam I get now, is from companies that are using "contractors" to spam, or spam from offshore (i.e. China) ISP's. The advertised product is from the US often, but the advertisee is not. Therefore, shutting down the "spammer" isn't going to do anything.

Now I don't know how to practically impliment this, as there are some pitfalls, but with some decent legislation, we could make it possible to target the beneficiary of the spam. That makes it possible to attack the real reason for the spam - where we can use our laws etc to attack it.

Sure, there will be spam that also has you send you money to China/Afganistan etc, but that will make the spam much less profitable, as most people won't do so. Lastly, most people will use credit cards, and I assume that most SPAM scams are frauds too, so the chargebacks will be hell for the spam beneficiary.

Anyway, it just seems that we can't just attack the spammer, we really need to attack the beneficiary. Then the spammers will go away, as they can't find anyone to demand their services.

=======

Until we make it too costly to benefit from SPAM, we won't solve the problem. The costs must outweigh the revenue.

Finally, as per your proposal. Are you planning to rewrite and distribute and impliment all the patches to sendmail, qmail etc for the SMTP dameons? Not to mention all the other SMTP RFT servers out there? That's a massive task, and one that isn't likely to get done any time soon. A better approach is to attack this with the law.

I shouldn't have to put up a taller fence to prevent you from littering in my yard. That's the approach here. It may work, but it smells.

Re:another tactic?

[reynaert]

How would you decide how difficult the problem should be? Believe it or not, but there are people using email on XT's. Or take Arache, a graphical browser+email+... that works fine on a 386. Those people would in effect unable to send email.

Re:another tactic?

[subbuk]

>We could add something like (not real numbers):
>>>> MAIL From: 250 ... Sender untrusted, please
>give prime factor of 34576184516935692342934759132
>to continue

>Personally, I do not know the feasibility of this
>angle, although I am sure some expert with be
>willing to point out the flaws.

Flaws like the fact that 2 suffices in the example? Too good to pass up :)

Issues regarding new technology

[TheMCP]

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Well, not exactly. You're right in that that's all it technically does for us. However, this leads us to two potential advantages:

• When the spammer is identifiable, they don't tend to last long because the volume of incoming complaints tends to overload the ISP.
• It makes it easier to create a groupware blocking system - for example, 10,000 people subscribe, and the system requires three subscribers to complain about an address before it's blocked. A spammer sends spam and it hits 8237 of the subscribers. The first three to see it click the "this is spam" button, and the system automatically removes the mail from the inboxes of the other 8234 subscribers who got it and blocks all future email from the sender.

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

You're right, but again, the volume of incoming complaints (and denial of service attacks) tends to make the ISPs balk at hosting spammers. Once they're tracable, the attacks begin, and the ISPs dump the spammers.

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly... because practically nobody is going to make a hard switch over to a new email system that will prevent most of their friends and associates from emailing them, and very few people are going to be willing to run two separate email clients. It would be best if the server-side software supported both standards as well, so server admins don't have to feel that they're getting an additional piece of software to support. Moreover, everything has to support every major platform and some of the more prominent minor ones so it can support a massive switchover and won't piss off users of any particular platform by not properly supporting them.

Java, anyone?

Try the police and the attorney general.

[TheMCP]

Try calling your state's attorney general's office and explaining the situation to them. Sometimes they can be surprisingly helpful, particularly if you can do a good job of explaining yourself (like pointing out repeatedly that they're doing this *incredibly* *loathesome* thing in *your* *name* and that it's just *destroying* the good name of your business) and can come off as genuinely hurt and confused.

If you got any threatening complaints about the spam, you could bring those up too, and claim that you fear for your life because of what this person is doing in your name.

The police might be willing to help, too.

You have public law enforcement resources. Use them. It's not just the RIAA and MPAA that have a right to call in the cops. You do too. Go for it. If THEY catch the spammer, and prosecute them for identity theft, defaming you, or whatever, the spammer will be in for a lot worse than having their relay shut down.

Making spammers pay

[Alien54]

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

similarly, a solution that causes you to spend time implementing more technical solutions is costing you time, and probably money.

bottom line: Make the spammer pay.

In my original example, the smtp could also be set to have several levels of trust, with corresponding levels of computional feedback for the sender.

Re:Wrong

[CaptainSuperBoy]

Well, thanks for backing up your statements with all those statistics. Since you've pointed to studies, news articles, and online discussions backing up your facts I feel confident believing your statement that most companies spam from a shadowy data haven outside of the reach of law.

Of course, if you had said that my spam comes from some crazy island in the Pacific without backing up that statement with ANY FACT WHATSOEVER, I wouldn't believe you. Oh wait.. You don't have any proof to back up your statements. Never mind.

Full text of Cerasale interview

[TekPolitik]

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

This is revealing, however the real text of the interview is more so:

Interviewer: I'm calling regarding Congressional action on spam.

Jerry Cerasale: If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace.

I: But surely with all the ads for porn, casinos and viagra substitutes that you'd be competing with, it's not going to be of any use to you anyway.

JC: You're not listening. I said if you ban me from entering the marketplace. You can ban everybody else.

I: So you're saying you want to ban everybody except Jerry Cerasale from using spam?

JC: No, I want to ban unethical marketers from using spam.

I: How do you define unethical marketers?

JC: They're the ones that forge stuff and won't honor remove requests.

I: So won't they just start following that law and you'll still have the volume problem?

JC: No, because they're unethical marketers.

I: So who are the ethical marketers

JC: They're the DMA members

I: So if the unethical marketers join the DMA do they become ethical marketers?

JC: Of course.

I: Even if they still forge and don't honor remove requests?

JC: Yes. If they join the DMA, then what they are doing is ethical marketing.

I: Surely all the spammers will just join the DMA then and they can all spam.

JC: That's OK.

I: But then won't email be useless for everybody because of the volume? After all, there's got to be hundred of millions of potential marketers out there who might want to use it.

JC: Yes.

I: So you're opposed to laws that will make spam unusable for marketing?

JC: Yes.

I: But you realise that if the laws aren't passed, spam will be unusable for anything.

JC: Yes.

I: Including marketing.

JC: Yes.

I: So really your opposition to laws banning spam achieves nothing to protect it for marketing, and just succeeds in destroying it for everybody.

JC: That's right - if me and my DMA buddie's can't use it for our purposes, then nobody can use it for any purposes.

I: Isn't that a little childish.

JC: Well since they won't play by my rules I would take by bat and ball and go home, but I don't own the bat or the ball, so the only way I can stop them from playing is by destroying the bat and the ball.

I: Mr Cerasale, thank-you for your time.

JC: My pleasure.

Class action lawsuits

[MillionthMonkey]

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.

Well, maybe, perhaps not. Companies will sue if it's in their interest. If their network becomes good enough to handle the congestion from spam, and the amount of spam doesn't vary too much as a customer moves from ISP to ISP, it's conceivable that the providers might begin to view spam as the customer's problem (as they pretty much do now). And even if they do start suing- who benefits from that directly? Besides the obvious value as a deterrent to spammers, there isn't much justice being done if the plaintiffs are all going to be large ISPs. The parties most damaged by spam are the end users and especially the smaller ISPs.

I always thought class action lawsuits by the actual recipients of spam are the most logical way to counter spam if the approach is going to be via the courts. After all, have you ever received a single, individual spam that's caused you to consider taking the case to court against that particular spammer, with lawyers and court costs and all that hassle? With a judge that might ask "well why didn't you just hit delete?" And getting that single spam email message isn't really what you're suing over. It's the degradation of your daily routine, the tedium of having to delete a hundred emails a day year in and year out, the loss of almost a day of your life per year deleting countless messages about herbal Viagara and credit repair software and diplomas from prestigious non-accredited universities and hair loss and government grants info packages and an EZ way to consolidate debt and reducing all payments by 60% and frisky teens. Going to court over a single spam seems to miss the point. And it's expensive and inconvenient to sue as an individual, so a spammer might very well recognize that his individual spam probably isn't going to elicit a lawsuit if it isn't outrageous enough for a spammed plaintiff to choose as THE spam (out of the 10000 in his box) that he's going to go to court over. In fact, people tend to sue when the spam particularly offends them (e.g. when it talks about sex with minors, or has nude photos in it and is received by a minor). Unless things proceed to the point where every spam message sent out results in a lawsuit, a spammer that keeps his emails polite and sticks ADV in the header is pretty much safe from being sued. So you don't even get much of a deterrent effect.

Unless we switch to using class action suits, which don't have these problems if someone with the resources starts consistently nailing all spammers with them. It's much easier than taking a case to court yourself. Someone is doing the suing for you and you get to hang on like a million other freeloaders and enjoy the fruits of your class action. I almost wouldn't mind getting spam if I knew there was a chance that I could stick it to the spammer for a few cents along with thousands of other people. If I even got a fraction of a penny on average per message, we could still be talking about some serious money. And it certainly wouldn't be too hard to set up. In fact (if this were 1999) you could probably build a dot-com out of it somehow, to coordinate the spam submissions, identify plaintiffs and defendants, litigate in court, hire collections agencies, and process the payments back to all plaintiffs. That's more of a business plan than many dot-coms had. I think that if there weren't so many jurisdictional problems with the idea in general (and if there were more spam laws) someone would try this.

I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them??

Strictly speaking, even if it turns out the email wasn't from Microsoft, it still doesn't prove that Microsoft has nothing to do with bestiality.

Joke

[Legion303]

Here's the joke:

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

Here's the punchline:

Jerry Cerasale
Direct Marketing Association
Washington Office
1111 19th St NW
Washington, DC 20036
UNITED STATES
phone: (202)955-5030
fax: (202)955-0085
web: http://www.the-dma.org

Contact List by Subject
Accounts Payable
webmaster@the-dma.org 212.768.7277, ext. 1353
Advertising - Print
webmaster@the-dma.org 212.768.7277, ext. 1423
Advertising - Web Site
kebeling@the-dma.org 212.768.7277, ext. 1554
Awards - ECHO
echo@the-dma.org 212.768.7277, ext. 1397
Benefits Program
twalsh@the-dma.org 212.768.7277, ext. 1423
DMA Store - Books & More
lrc@the-dma.org 212.768.7277, ext. 1930
Chapters
chapters@the-dma.org 212.768.7277
Conference Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
Conference Programming
conference@the-dma.org 212.768.7277, ext. 1513
Conference Exhibitors
conference@the-dma.org 212.768.7277, ext. 2469
Conference Speakers
conference@the-dma.org 212.768.7277, ext. 1528
Consumer Assistance
consumer@the-dma.org 212.790.1488
Councils
councils@the-dma.org 212.768.7277
Council Membership
councils@the-dma.org 212.768.7277
Council Events
councils@the-dma.org 212.768.7277
DMA Interactive
webmaster@the-dma.org 212.768.7277, ext.1629
Direct Connect
councils@the-dma.org 212.768.7277, ext. 1575
directvoice
mmicali@the-dma.org 212.768.7277, ext. 2422
Direct Marketing Educational Foundation
dmef@the-dma.org 212.768.7277, ext. 1817
The DMA Government Affairs Online Member Outreach Program
Governme@the-dma.org 212.768.7277, ext. 2405
Government Affairs
Governme@the-dma.org 212.768.7277, ext. 2405
Human Resources
hr@the-dma.org 212.768.7277, ext. 1338
International Services
Internat@the-dma.org 212.768.7277, ext. 1786
Library
lrc@the-dma.org 212.768.7277, ext. 1930
Membership - Joining DMA
membership@the-dma.org 212.768.7277, ext. 1155
Membership - Renewal
membership@the-dma.org 212.768.7277, ext. 1155
Seminar Information
customerservice@the-dma.org 212.768.7277, ext. 1500
Seminar Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
President's Office
Presiden@the-dma.org 212.768.7277, ext. 1604
Press Contact
Privacy
privacy@the-dma.org 212.768.7277, ext. 2408
Research
lrc@the-dma.org 212.768.7277, ext. 1637
Sweepstakes
Sweep@the-dma.org 212.768.7277, ext. 2475
Washington Report
Governme@the-dma.org 212.768.7277, ext. 2418
Web Site
webmaster@the-dma.org 212.768.7277, ext. 1629

Since he considers spam a legitimate business practice, make sure you forward all your "HOT WET PUSSY!" emails to him so he doesn't miss out on any great deals.

-Legion

Lawsuits *will* be effective

[jestapher]

A single lawsuit won't do anything to stop spam, but once fifty or one hundred people start suing, it will get too expensive for many spammers. In Washington State, we've nearly a dozen folks filing lawsuits, some of them going for some serious amounts -- to the tune of tens or hundreds of thousands of dollars.

If you've got spam with a phone number or ordering address in it, you can (usually) track it down to a specific company or person. If it's only got a URL, like those mortgage spams, Washington litigants are filling out the contact forms on the site, then going after the mortgage company that contacts them. When these mortgage companies get hit with a lawsuit, they either want to settle right quick, or they rat out the spammer they hired. I've been focusing on spam with phone numbers, as I find it relatively easy and fun to track down the company behind the number. It may not always be easy to find the spammer, but it's not rocket science either. Anyone can do it given a little bit of time.

The Seattle Times had a good article on Saturday about the anti-spam law, some folks who've been using it, their wins, and the troubles they've encountered with the court system. The biggest issue in Washington is that court clerks and judges aren't fully educated about procedural issues like whether one can sue an out-of-state defendant or for punitive damages in small claims court. (The answer to both is yes.) It's been pretty frustrating for us "trailblazers," as the judges are saying contradictory and often quite stupid stuff.

Here's some nifty links:

• AboutSpam.com - Bruce Miller's site
• Peacefire anti-spam suits - Bennett Haselton's site
• Smallclaim.info - my site

For a copy of my 24 page zine, Zen and the art of small claims, send some stamps to PO Box 95227, Seattle, WA 98145. You can also just read it online at my site, but any zinester knows that it's just not the same.