Suing Spammers: What works?

jdedman4 writes "According to Junkbusters, various civil lawsuits against Spammers have used a number of theories, including the analogizing of junk email to junk faxes. As there have been a number of "IANAL, but . . ." discussions of late, I was curious as to which legal theories, if any, you all thought might work against spammers. Does the fact that a spammer deluges us all with automated commercial email subject him and his enterprise to personal jurisdiction in the courts of the fifty states? What torts do the spammers commit (intentional affliction of emotional distress, invasion of privacy, false light, nuisance, et cetera?) Might an unfair trade practices lawsuit be brought? Is state or federal law a better weapon? Why haven't the legislatures been more active in this area? It seems like this is a pure public relations winner for a media-conscious political figure - everyone hates spammers. If this is such a widespread and pernicious menace(which of course it is), why hasn't some enterprising young plaintiff's attorney filed a class action suit? Is it that the spammers are essentially judgment proof, or that they are difficult to find, or all of the law is analagous but not directly helpful?"

Perhaps...

Most spammers are probably overseas in countries where they cannot be sued.

Of course IAJAIAC. (I Am Just Another Ignorant AC.

First post?

Re:Perhaps...

[fishnuts]

On the contrary. From the analyses I've read in news.admin.net-abuse.email, and my own observations, it seems at least half the major spammers - the ones with easily recognized patterns, styles, and quirks - are based in the US, but use foreign resources for their campaigns. 90% of the spam I'm getting now is originating from foreign open proxy servers, mostly in APNIC and RIPE ip space, which shows that spammers are now getting more cunning about covering their email tracks. They're also using foreign "free webhosting" services for their web content, but as you go through it all, it's evident that a lot of them are American, by their vocabulary, their pitches, addresses (er, PO boxes) and phone/fax numbers, etc.

Such practices of using open proxies and free anonymous web hosting may be advocated by the free-speech party, but I don't feel it's free speech anymore when the sole purpose of hiding their identity is to avoid punishment for NON-free-speech related crimes, as well as having a purely commercial, rather than political or editorial, purpose.

Luckily, all this effort goes to prove that they KNOW what they're doing is wrong, and jumping through hoops to avoid being caught. It makes it that much easier to prosecute them once they're identified and caught. Unfortunately, finding them is the hard part.

In the meantime, the best we can do is help the government in THEIR fight against spam and scams, by forwarding all your spam - WITH HEADERS - to utc@ftc.gov
They've found and prosecuted several high-profile scammers and originators of pyramid schemes, and they notify the SEC about stock price manipulation schemes done in large spam campaigns.

Theft of Services

[routerwhore]

Outright theft has always been my favorite course of thought. They are stealing my bandwidth, my cpu cycles, my disk space. Not a big deal for one message, but when it comprises 30% of mail traffic, then that means my operating expense is 30% hire. This is real money they are stealing from me. If they paid me, or anyone (post office) to accept it, fine, thats different. The main reason spam needs to be made illegal is because it is outright theft.

Re:Theft of Services

[pete-classic]

my operating expense is 30% hire.

I thought they're would be alot of web sights about how much hire expenses are out their, but there nowhere too be found.

Weird.

-Peter

Re:Theft of Services

[jdedman4]

Outright theft has always been my favorite course of thought.

I wonder if there is any precedent for that? Courts usually have a tough time making such a leap from penal statutes which don't directly address a specific electronic infraction. Remember, too, that we would be dealing with 51 sets of criminal theft statutes, as well. Take Texas, for example. Compare statutory theft to statutory theft of services. Now, I think we all know that when these statutes were drafted that the authors did not envision spam as it didn't exist at the time of the drafting. There's just no way. The defense attorney would be able to convincingly argue that legislators did not envision these types of offenses and thus they are not covered under the statute. That is why this enterprise is so perilous when we attempt to argue by analogy (i.e. pursuing spammers under junk fax laws) or couch electronic offenses into the statutory language of pre-Internet penal statutes.

Remember, that some courts are still struggling with initial hurdles of authentication and admissibility [PDF] of electronic email and web data. My favorite such quip from a federal judge (from my own state of Texas):

"While some look to the Internet as an innovative vehicle for communication, the Court continues to warily and wearily view it largely as one large catalyst for rumor, innuendo, and misinformation.... Anyone can put anything on the Internet. No web-site is monitored for accuracy and nothing contained therein is under oath or even subject to independent verification absent underlying documentation. Moreover, the Court holds no illusions that hackers can adulterate the content on any web-site from any location at any time. For these reasons, any evidence procured off the Internet is adequate for almost nothing, even under the most liberal interpretations of the hearsay exception rules found in FED. R. EVID. 807". See St. Clair v. Johnny's Oyster & Shrimp, Inc., 76 F.Supp.2d 773, 774-75 (S.D. Tex. 1999)

The PDF link is to an article I wrote earlier this year on that very subject. See also the Siddiqqui case for the application of the rules of evidence to e-mail. The point: How can such a jurist be convinced to apply pre-digital laws to spammers? That is the question.

jd

Any Australians out there?

[judd]

Got one today with an actual address and phone number in it. This crowd:

The Maverick Partnership
A division of The Which Company Pty Ltd
ABN: 90 091 728 620
Postal: P.O. Box 159, Northbridge W.A. 6865
Phone: +618 6210 1348 Fax: +618 6210 1445

are advertising some book or other.

Any Aussie state or federal laws worth mentioning when I ring them?

Spam is also used to attack people

[FireWhenRady]

I recently suffered from a spammers "joejob" where a spammer used my email address as a reply address for a spam.

This meant that I received all the bounces, irate messages etc. to the tune of over 7000 bounces in the last week and a half. From the email headers of the bounced messages, I was able to trace the sender to Miami Florida using Ameritech ADSL, but that provides little proof.

My real anger is over the people running open relays that aided and abetted this attack. Spam is not just junk email so they are not innocent bystanders. They are similar to someone who helps a bank robber escape from a crime scene. In this case it prevented me from receiving email for several days (my incoming mailbox was full) and created an immense amount of work sorting the bounces out from legitimate traffic (bounces for messages I wanted to know about).

Has there been any precedent for suing owners of open relays or providers of abusive users?

Re:Spam is also used to attack people

[jdedman4]

I recently suffered from a spammers "joejob" where a spammer used my email address as a reply address for a spam.

This, I think, is the actionable. I wonder why some enterprising young federal prosecutor does not chase this villain under the wire fraud statutes. The spammer, after all, committed a fraud and sent it across state boundaries, didn't he? If the feds can pursue college coaches who fax faked test scores from cheating athletes, can't they get these guys?

You might also have a claim against him for false light, a tort at common law which I don't think is recognized here in Texas but is elsewhere. The example my law prof gave me was the following: Let's say you work at Company A, which provides you with a public mailbox from which to retrieve your memos, letters, magazines, brochures, et cetera. A colleague of yours, as a joke, signs you up for various pornographic magazines. Anyone who visits the mailbox area sees your mailbox stuffed with the porn, and reasonably believes that it is yours. Your colleague has put you in "false light," just as this spammer might have.

Defamation seems analagous, but dubious under these facts.

Re:Spam is also used to attack people

[jdedman4]

I would have difficulty prosecuting because I am in Canada and the spammer in the U.S. But since the same spam was also sent out in the name of an web designer in Tennessee and spamcop.net someone else may be able to prosecute.

I wonder if part of the problem is a lack of complainants. Do the people to whom this happens take the time to file an official complaint with the district attorney or federal prosecutors? Does it occur to them to contact a plaintiffs attorney to suggest a possible suit? This might make a spectacular class action lawsuit, provided that a suitably wealthy corporation could be found to sue. Stealing one's identity to send offensive pornographic or automated commercial email simply has to be tortious or illegal or negligent per se or something, you know?

Re:Please Explain

[dacarr]

As always, IANAL. One typically provides a URL when they spam, which can typically be traced somehow to a physical address. How this is done is left as an exercise, but in the end it'll probably involve a subpoena. The message can be traced by IP (the modern MTA's will implant them in the headers), the provider can take their own action. As for subpoena, if you want to take action, you need one against the ISP providing the account to the user. One way or another, you *can* find them.`

sue your ISP - have them pass it up the line

[cdn-programmer]

A comment was made a while back that worldcom had no interest in blocking span because they made money from it. You see - they got paid by the people who created it and furthermore they got paid by the telcos that paid them for access to the POP's.

Its all about money. When the Telco's find the pain from the wrath of people like you and me costs them more than they make from the bandwidth the ISP's pay for - then they will stop it.

This is also true of overseas connections.

Consider the position of a large company like AT&T. If they have 5 million angry customers phoning each day to bitch about spam from say Korea how will they react? One solution is for them to tell say their Korean counterparts to clean it up or they will be disconnected. Yup - most of us can live without Korea for instance being part of the net. But Koreans cannot.

So it is simply a matter of upping the anti so to speak.

When the cost of accomodating the shit exceeds the money they get from it then they will take action - not before. It is well within the control of the Telecommunications industry to eliminate the spam.

The simplest way is to require each adn every customer to sign an agreement that prohibts UCE and require them to agree to a penalty of say several $1000 bux is the create UCE. This can be on the visa cards of those who pay via Visa ot it can be by way of a deposit or a pledge of assets. Get the deposit in place - then when they send it out pinch the deposit. End of problem.

ISP's will catch on really quickly. Terms of service agreements already prohibit UCE. These just need to be enforced.

It is a simple problem to solve but again - why would any company take this problem on when people just bitch among themsleves?

--------------

This is true of Hacked servers too. The ISP I use to go through is Cadvision and those idjots were so bad that they didn't even bother to pull the plug on customers hacked with Code Red. They didn't even tell them. In fact when I phoned up Cadvision they blamed me for complaining. I told them I'd sic the cops on them for a denile of service attack. You see - the idjot factor is really high.

Possibly fishing for real e-mail addresses?

[smcv]

You get annoyed and click the unsubscribe link (if you're stupid enough), they know your e-mail address is actually read by a real person, they sell your e-mail address on one of those CDs a fair proportion of spam advertises, profit!!!.

If it's HTML mail with images in, and your mail client knows too much HTML (::coughOutlookcough::), downloading the image will confirm that your e-mail address is real, if the spam mail's set up right.

Here's the problem I found.

[Mustang+Matt]

I tried to sue a spammer once. I talked to a lawyer for a while but the problem is that I couldn't prove much as damages.

Yes, they abused my resources and my bandwidth that I pay for but even if they sent 100 duplicate messages, that's such a small fraction of the bill that it's not worth trying to sue them.

I get a lot of spammers that send between 5-20 duplicate emails to @mydomain.com and I have a catchall setup, it pisses me off to no end that spammers can't go through their lists and clear off all 'root' and 'webmaster' and 'info', 'billing', 'support', etc. accounts off their lists.

Now I'm using SpamPal but that doesn't solve the problem, it just keeps it from being as annoying for me.

Re:Here's the problem I found.

[jdedman4]

I tried to sue a spammer once. I talked to a lawyer for a while but the problem is that I couldn't prove much as damages.

Was it that you yourself couldn't prove actual damages at all, or that you could not prove enough damages so that he could recover a large enough fee to cover his own expenses/cost?

Yes, they abused my resources and my bandwidth that I pay for but even if they sent 100 duplicate messages, that's such a small fraction of the bill that it's not worth trying to sue them.

This, I think, is why any suit against spammers would have to be a class action suit. Recall that class actions are typically used when a large number of individuals' rights have been violated by defendant's course of conduct but the cost of vindicating those rights is too great, as no one is going to file a lawsuit to recover a mere pittance in damages. However, if you agglomerate all of those claims, it becomes worth the attorneys time and the threat of an enormous verdict frightens the defendants. This is why most class action lawsuits settle if the plaintiffs attorney successfully certifies the class. Of course, the converse of that is that the class action joinder rule can take a relatively frivolous individual claim that an attorney would not pursue and convert it into a lucrative and dangerous claim with a potential for high recovery. But that really isn't a concern in this context, as these claims would not be frivolous, especially if we are dealing with a spammer who has misappropriated one's identity.

public nuisance

[coyote-san]

A theory I would like to see developed is that operating an open relay poses a public nuisance and that it you have your access yanked at will. More importantly, a complantant can compel your access to be yanked. That wouldn't kill spam, but it may have a significant impact on the joe jobs.

One way to do this is to set up an easily accessed test for being an open relay - you could use any of the existing ones, or create a new one. If you're a sysadmin, you're expected to test your own site after every configuration change, software update, etc. If you don't and somebody else does, you get a record of every failure... as does a public record. You then have some reasonable time to close the relay, say 10 business days, and then each and every person who receives spam through your open relay can get statutory damages of, oh, $250. Enough to make it worthwhile to pursue the matter in small claims court.

The Free Speechers will point out that there are, rare, valid reasons for running an open relay. Fine... but if you do that then you need to take some effective steps to ensure that spam doesn't get through the relay, only that rare legitimate OR material.