SPAM - A Different Kind of Identity Theft?
bmooney28 asks: "After maintaining a single permanent email address through 8 years and five ISPs (via a forwarding service), I lost it all in a day. My first sign of trouble came when I found a message undeliverable email in my inbox containing hundreds of failed email addresses. Apparently, my email address had been pasted as the return address in a mass mailing similar to this one sent to hundreds of random recipients. This process repeated a few times over the next day or so, effectively blacklisting my email address on various master lists and adding my address to thousands of random address books (virus magnets). In the past, I have had a great deal of luck fighting off SPAM and other unwanted email via throwaway email addresses and preemptive email filtering. Now, the email address that I use to communicate with friends, former students, and coworkers around the world is useless. Have any of you ever found yourself in a similar situation? Are there any legal steps that I could take against this company?"
Wow, that really stinks. I have personally used similar solutions to the spam problem. In the future I would suggest using different aliases for friends, business contacts, web forms, etc.; and then keep the main POP account secret, that way the SPAM people shouldn't ever get the real address, and if something like this happens again to one of the front addresses, you can just drop it without losing all of them.
j.goforth
1) The litigious young American will call his lawyer and look into suing this company for fraud and slander/libel. Reap massive multi-million dollar judgment 5 years later.
2) The sane human being will get a new email address and tell all of his friends, family and other contacts that he's changed addresses.
Pick one. Do you maybe have legal recourse? IANAL, but yeah maybe. Think about what would happen if someone fraudulently used your home address or phone number.
On the other hand, how much is that email address really worth to you?
(note that if the answer to that last question actually has a real substantial dollar value attached to it, then you shouldn't be talking to slashdot, but a real attorney.)
For several years I have been using spam-magnet accounts like hotmail.com and yahoo.com. I feel like Elaine in that episode of Seinfeld when she finds out her favorite form of birth control (The Sponge) is being taken off the market. She hoards all she can find and then has to decide if every guy she meets is "spongeworthy". That's what we are all trying to do with our email accounts, trying to decide who to give the primo ones and who gets the seldom-checked Hotmail address.
Due to some friends getting Klez, my "good" emails have leaked out and are receiving spam. So no matter what you do the email shell game is not a complete strategy for spam management.
In your case I think that address is so worthless at this point that you're going to have to give up on it. Put a vacation message on it and move on.
for fraud, you'll likely need the assistance of a public prosecutor. if they are cool with that, you're in luck. if they aren't, there's not much you can do. you will have to somehow show ill-intent on the basis of committing the fraud. honestly, not too difficult, but given the courts in your jurisdiction, you never know. jurisdiction differences between you and the spammer may make this difficult.
for personal loss, jurisdiction can be worked with (if, as mentioned above, in the same country), although it could get expensive to pursue. documentation becomes really big here as you'll have to prove loss. document the time you spend contacting people to let them know of your new address. write a journal and document your 'pain and suffering' having to go through this. keep all server logs, measure for bandwidth and storage use (not totally sure what to do with it, but maybe someone else creative here will help), and anything else you can think of. if it requires long distance calls, document that. etc. then find a lawyer who will take it and see what happens. then again, contact a lawyer in your jurisdiction first, as the usual /. rules apply: few here are lawyers (i'm not) and none are _your_ lawyer.
good luck. i certainly feel for you. this bites.
geek friendly VPS's and free API enabled DNS : zerigo.com
While not an answer to your question, I feel this incident exposes a major problem with the way many MTAs are architected.
I cannot send mail to AOL users. Why? Because I'm in their spam filter. Why? Because of Klez. As you may know, it extracts addresses from your IE cache and sends mail using one of those addresses it finds. Well, mine was used a bunch of times to send the virus to AOLers.
AOLs mail server didn't bother to read the headers -- instead, it does what no server should do, trust the "From:" header. Had their MTA parsed the "Received By" logs, it would find that it wasn't sent by me. Instead, whoever wrote it took the easy way out and decided to always believe the From: header and as such I'm now unable to send mail to AOL.
Not like I mind.
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
This same thing happened to me as well. I had a POP account for some time, but it got used as the return-address for spam. My only recourse was to deactivate the account with my ISP and find another address.
The real trouble came when I had to transfer my domain to another registrar. Since they have to verify my identity against my email, I was forced to reactivate the account. Thankfully, after several months of rejecting email, the problem of 10,000 undeliverable messages per day had gone away. There still were thousands of messages in my inbox I had to clear (thank God for IMAP), but the account was still usable again.
As a side note, I tried reporting this to my ISP's abuse department, but that got nowhere. I never seemed to find a real person to listen. However, I didn't try very hard--your mileage may vary.
ph34r teh p0w3r 0f th3 c0w
Check out Habeas for adding headers to your email that certify you're not sending spam. Habeas' license policy restricts spammers from using them, thus spam filters allow emails with Habeas headers through without problems. Let's hope it works! :)
Meet My Attorney
You won't know why things aren't working until way after you can do damage control, and let everyone know what happened. Most of them will think you're ignoring them and become insulted.
And as long as we focus on a system where a hashed string is an index into a table, and that is the sole identifying feature of some communication (wanted or unwanted), there won't be a solution forthcoming.
I think a facet of the current problem is there's no easy way to "clear your name" with ISPs. It's easy to harvest and build deny lists, but difficult to deal with those false positives; you know, human interaction. Not a strong point, especially among this crowd (myself included)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I have worried about this stuff for a long time. First, as so many have stated already, "get a new email address." Really no way around that, your old one is *dead*.
So what to do about the future? I guess you have to assume that every email address can eventually be nuked, and get used to sending out new email address notifications to everyone. Another reason I see digital signing becoming a necessity in the future -- else what is to stop a trojan hijacking your email address and sending out fake change of address messages?
More and more it's heading to the point where your *real identity* has nothing to do with your email address, but rather with your PGP key.
Do what a friend of mine did. Get a domain. Then generate nice one-off mail addresses to use for all things and purposes. Should help to reduce your exposure to things like this -- lets you spread the risk around. Any address that is compromised can just be blocked out.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
My email address is trashcan at hotmail.com, so yes it has happened to me. Remember that online spam collection? I can beat that any day.
Hmm, now that's an idea..
Could it be done so that when you hit reply, you contact one of the pgp keyservers and get back the preferred email address?
That way, when you change your email, all you have to do is change the preferred email address on the keyservers.
My 9-year-old address has been forged in spam headers about 6 times. I'm guessing that around 150k spam messages have been sent with my email as the 'From' address. I haven't found my domain or my address to be on any blacklists as a result, and I've only gotten ONE reply from a spammee who couldn't tell that the email didn't really come from me.
I hate it, it sucks, etc. But it hasn't affected my legitimate use of the address.
once I cross the "you pissed me off, spammer" line...
I usually send a nastygram back to all the email addresses I can find, their funders & investors, board members, customers, employees, etc. all in the TO: field:
I say I will never do business with them, will tell my friends not to do business with them, and purposefully seek out their competitors when I next need their product.
I tell them that this is formal notification to not contact me again commercially, and list the email addresses that they must remove.
Then I tell them I will sue them under CA law (http://www.spamlaws.com/state/ca1.html) if they don't comply.
Just goes to show why filtering on sender alone is useless, since the From: line isn't authenticated and can contain absolutely anything. A tool like SpamAssassin that checks multiple criteria can be much more effective.
I'm the Head Geek (ok, CTO) of the company which runs domains such as UK.com, UK.net, US.com, etc. Among our 'portfolio' we have the name NO.com.
Now, admit it, how many times have you typed 'no@no.com' into a reply-to field, or a web-form? Those bounces come to us, and yes, they're hellish to deal with - it's pretty much rendered the whole domain useless for email, never mind one single address, because we have to bounce or filter the 'bad' addresses. It's a Wile E Coyote Acme-branded magnet for spam.
You don't say which locale you're in, but the European Commission made this a criminal act - I was at the consultation with members of the ISP industry, and cited the collateral spam problem as a form of DoS - never mind the identity theft.
If you want to take legal action, this is probably the way forward, but if I were you I'd just let it go - it'll be expensive, and probably greenfield legal territory anyway.
(IANAL, blah).
Smegma.
I experienced some real anxiety, when I opened up my mailbox, and saw sixty odd "undeliverable" messages. But it turned out it was all addressed to a userid I hadn't used in almost six years. That ISP kindly agreed to keep forwarding my old email. This was useful for the first year or so. From then on all it got me was the occasional SPAM.
Then the SPAM grew more frequent. And, more recently, I started getting SPAM addressed to me under the name Joan.
Then, in late November of last year I got the same flood of undeliverable messages bmooney describes.
I found it very surprising how many ISPs could not detect that the messages were SPAM. Most ISPs didn't bounce back enough to submit a report to http://spamcop.net. But some did. And I reported those. Altogether I got about 600 warnings and error messages.
At first I was getting about fifty or so a day. But then they slowed to a trickle.
I can't understand what advantage there is for a SPAM artist to forge a real address as the author of their SPAM.
I suspect that the arrival of SPAM addressed to "Joan" marked the beginning of SPAM artists using this userid. The forged userid was accompanied by dozens of made up names. I suspect that one SPAM artist mistakenly harvested the forged name Joan from a previous SPAM campaign.
One of the other respondents to bmooney's article has reported their userid too has been forged into SPAM, and they estimated 150K messages went out. I was curious how many messages went out under my old userid. How would one make a reliable estimate, based on the number of undeliverables?
My SPAM artist was trying to sell penis enlargement.
I too only received a single reply from a live human being, who couldn't tell that the message was SPAM, and replying was useless. I got a couple of dozen messages from people who had set up autoresponders, because they were on vacation.
I do a mailout to up to 75,000 opt-in recipients.
Of course it needs a return address.
Guess who has the delight of that one.
I don't need bugtraq or Massage Labs to tell me when the newest Email Virus is out. I get at least 20-25 a day.
I used to try mailing them back and explaining but I stopped wasting my time. The old forged From: problem sorts that one out.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Call your state attorney general and describe the situation as identity theft and/or DOS attack, and urge him/her to prosecute the spammer. Say it can be a very visible prosecution that will make the AG enormously popular with computer users.
Why would I? I use a legitimate throwaway email address in web forms that I don't trust.
It's fraud/impersonation. Someone says they're you when they're not. Simple as that.
There are laws against that in most countries. If the spammer is in the same country as you, you've a better chance of success.
The damages should go up, if they impersonate you and do bad things.
You wouldn't be able to do anything you can't do at the moment. The keyservers already contain the email address of all the emails.
You currently can just search for a name and get back the closest hits. You could drastically slow down email-reapers by only returning exact hits - although this wouldn't be as functional..
I have an account that offers 5 email addresses. One is a trashcan address (i.e. spamfilter@blah.net) and I use that when I get a site that wants your email address. I also put it in my email program (evolution) as a return address and put comments below to use another account. I never bother to check my spam account and let my isp deal with it. Funny they have never contacted me about it(?). One time I had over 100 spam emails in it. I'm sure there are better solutions but this one tends to work well for me. coffee177
Damn right it's identity theft!
One day a couple of months ago, I got a "Thanks for joining!" message from Netflix. A few hours later, I got several "Thanks for your order, Your DVD rental is on its way" messages. Apparently, some jerk-ass had used **MY** email account to sign up for the service. Sure enough, when I called their customer service department (who were very helpful once they called the phone number on the account and got a non-residential warehouse in California) and complained that I was the victim of, you know, **FRAUD**, they changed the email address to something invalid to prompt a customer service call from the dude who signed up.
The problem is who do they go after when this asshead absconds with the DVDs? Me? I didn't do anything except have an email address someone else used fraudulently. Unfortunately, I'm probably the only contact information they have on the account that leads to an actual human being, and that's why I was so vigilant about complaining early and often.
If anyone was at fault, it was Netflix - mailing lists learned long ago that you cannot assume an email address is valid because someone stuck it in a web form, so they send confirmation messages through an autoreply address validation system.
BTW, one of the early messages I got also included the password for the account. (Good move, NetFlix!!!) I looked up the account to get info for my records, but I didn't change the password or log on to the account (though I was prepared to do so if Netflix couldn't fix the problem). My concern was that some boneheaded prosecutor somewhere would have interpreted that as acknowledging ownership of the account, and I didn't want to be involved any more than I already was.
I'm just glad it's over.
"Lawyers are for sucks."
- Doug McKenzie
It's a good thing that spammers are ethical!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
i got an email from postmaster@bigfoot.com telling me i was over quota because of all the bounced messages flowing to my bigfoot account. i replied to it explaining the situation and it was bounced because the box was full. i am in the process of moving to other email addresses and i will put an autoresponder on my bigfoot account pointing them to a web page where my friends and family can send me a message and i will respond with my new email address.
a) There's no reason to use someone's email address when signing up for Netflix... It essentially gives that someone access to an account paid for with YOUR credit card.
b) How the hell did this guy order DVDs if he didn't have access to your email (and hence the account password).
c) You would have had nothing to worry about - Whoever was at that address is a different story though. More importantly, whoever's CC# was used to sign up would've had something to worry about.
retrorocket.o not found, launch anyway?
What are you sending to 75,000 opt-in recipients a day? Are they really opt-in? Looking at your email address and your website link, I have a very hard time believing that 75,000 people are actually interested in anything you say or do.
75,000??? Inquiring minds want to know!!!!!
J. Preston
I have my own domain, and give everyone a different email address on that domain. For example if I signed up with ebay it would be ebay@mydomain.com. This way I know who is giving out my address. I have had almost 0 spam messages since I've been doing this. And if one of the emails becomes contaminated, I just drop that mail for a while.
It's a good thing that spammers are ethical!
If a spammer uses the Habeas mark, you can sue the spammer for fraud, and Habeas can sue the spammer for trademark infringement.
Will I retire or break 10K?
Fine, but it doesn't scale, and it wouldn't stop spammers from finding your email address. In fact, it would make it easier as all the email addresses are available at one easy-to-use location!
Technical measures to the spam problem just don't work. Being forced to change email addresses every week is NOT THE ANSWER. Filtering only masks the problem and doesn't solve it (closing the barn door AFTER the cows got out.) More and more people are filtering yet the volume of spam is just increasing. You can't just toss out email standards and create new standards as some people suggest (spammers would probably find a way to spam in a new standard anyway, and any new protocol would take 5-10 years to roll out.)
What is REALLY needed is GOOD anti-spam laws that would provide for hefty jail terms for spammers that do this kind of thing. Since most spam is US centric (even though spammers frequently use international open relays) US laws would make a huge dent in spam. Other countries would probably quickly follow suit. What is really needed is for congress to work with technical experts to write good laws with teeth. Even the DMA is coming around to the reality that spam is bad and laws are needed.
Now, admit it, how many times have you typed 'no@no.com' into a reply-to field, or a web-form?
Never. I typically use anonymous_coward@slashdot.org
Will I retire or break 10K?
I had this happen to me, too. Some spammer was promoting a pump-and-dump scheme and then moved onto promoting an actual product. It was easy enough to connect the two, and thus get a name and address. A friend and staunch anti-spam advocate actually called the guy up and challenged him. He invented some yarn about an evil business partner taking over his servers or something. I talked to several attorneys, but the cost for taking on the case was thousands of dollars, so that was out. I eventually filed a complaint with the SEC over the pump-and-dump scheme, but I've never heard back.
Another spammer started sending out mail with my return address about a week ago. This time, I wrote a quick filter to pipe it all into a folder where I could ignore it. I don't know what else I can do.
-Waldo Jaquith
First off, the FBI is most definitely not going to come around because of a couple of stolen DVDs. Most importantly though, the DVDs would actually have to get mailed somewhere. So, unless he also used your postal address and hung out by your mailbox until the DVDs got dropped off and then stole them, you don't really have a problem.
Mine started about a week ago with several bounced messages from yahoo.com. What did I do?
1. Safely followed the link in the message to the website hosted on a DSL line from Belize (Mortgage Refinance)
2. Looked for contact info (none, just a phone 900#)
3. Did a whois on the domain (all bogus info)
4. Contacted the domain registrar with the bogus info and a quote from their terms of service.
5. Asked that the domain be suspended until contact info is provided.
Did it work? Not yet but I have hope.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
What is REALLY needed is GOOD anti-spam laws that would provide for hefty jail terms for spammers that do this kind of thing. Since most spam is US centric (even though spammers frequently use international open relays) US laws would make a huge dent in spam.
I would tend to disagree with this. How are you going to prove that all those Chinese open relays were exploited in the US? And if you could, spammers would just move to Anguilla and set up shop there.
Fine, but it doesn't scale, and it wouldn't stop spammers from finding your email address. In fact, it would make it easier as all the email addresses are available at one easy-to-use location!
As someone said, it isn't stopping them today -- you can go farm lots of addresses on the netservers right now.
This is why I predict whitelisting becoming more and more common. However, it is really easy to get around a lot of the whitelisting today -- for example, most people include their OWN email address (they had to see if it worked, right?), and this has already been used to get by a whitelist -- just forge the from and to headers BOTH to the address you are spamming.
I guess the more drastic kind of whitelist would be a "trusted circle" variety that required digital signatures of the person sending you an email.
If you came home and found a stranger in your house, you would not just get another apartment and call it a day.
This is identity theft. It is no different than someone going out and using your name and credit history to get a credit card in your name... and making it impossible for you to refinance your house to lock in low rates, or get a new car loan, or get an increased credit line on your cards before a long trip.
Actually, I take that back - at least identity theft is now beginning to be considered a serious crime, although it's still unnecessarily hard on the victims. (E.g., many credit bureaus won't report fraud alerts without police reports, the local police don't accept these reports since the crime occurred elsewhere, and the remote police don't accept reports over the phone.) But the damage caused when an individual or a small business (when an entire domain is blacklisted) is unable to communicate with others because of the fraudulent traffic sent out by spammers.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
OK, it's very offtopic, and I expect it to get moderated that way, but believe it or not, forum at aagames dot co dot uk was getting about 20 spam messages a day. For fun, I clicked/e-mailed the unsubscribe instructions. Believe it or not, it now gets no spam. We changed the addy anyway, but amazingly our unsubscribe links _WORKED_. /me checks "No Karma Bonus" ;)
Amazon had still got me registered as being logged in - and had automagically turned one-click-ordering on for me (I never asked for that!).
A week later, they still thought I was logged on and some anti-social meanie using the cybercafe used one-click-ordering to send me a dozen rap CDs with parental advisory (warning: artist has no talent) at my expense.
When I got the email, it was too late to cancel the order via the web site.
After ringing them internationally (ka-ching!) they said they would cancel, but it still turned up. Naturally I refused delivery, but they kept trying to deliver, even after I rang the delivery company several times telling them I didn't want it. Eventually they gave up, and I was recredited on my credit card. A month or so later the tax inspectors rang me up asking me to pay VAT on the CDs!!! But they accepted me telling them that I refused the delivery, and I didn't order them in the first place.
So I learned "If you are not X, click here" is amazon's way of saying "Log Out" the hard way. And one-click-ordering is the devil's tool.
I have been a comcast subscriber since before they changed over from comcast@home, over a year ago, with the same email address. Recently, I've begun to get return emails with MY address as the sender. Though numerous emails were sent, they came from only 2 original locations. I've sent emails to Comcast's abuse with no result, but luckily it doesn't appear to have been as widespread as to render the address useless.
I get a fair number of these messages (for some reason my yahoo.com address gets joe-jobbed every couple weeks) and found procmail / spamassassin extremely useful. Simple From/To filtering isn't reliable any more but content based filtering has a lot of life left in it - SpamAssassin will block most bounces based on the included spam in common bounce formats and procmail or perl's Mail::Audit are sufficiently flexible to get whatever's left if there's any way to meaningfully filter them, as is usually the case.
The next step is time-based addresses - perhaps having the Evil Bastard filter on your generic foo@example.com and having a bypass for key@example.com, where the key rotates every few days. Finally, you could have your filter drop bounces which don't contain an email address and subject matching email in your sent mail folder or use a custom keyed return-path and drop bounces which don't use it.
Unfortunately, most of this is impractical for people who don't run their own mail servers. SpamAssassin is at least available as a plugin for anyone stuck with Outlook, so there's hope that more advanced filtering will sneak in to common use.
One other note - if you can figure out who was responsible file a case in small claims court. They'll lose by default if they don't show up (which is almost certain if they aren't local) and you give a default judgement to a collection agency for a percentage of the award.
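The "custom keyed return-path" with a key that rotates every few days, suggested in the comment above, can be sketched as follows. This is an added example, not code from the thread or from any tool named in it; the secret, the `+day-tag` address layout, the 7-day lifetime and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Assumptions (not from the thread): the secret, the "+day-tag" address layout,
# and the 7-day lifetime are all constructed for this illustration.
SECRET = b"constructed-demo-secret"
MAX_AGE_DAYS = 7


def day_number(now=None):
    """Days since the Unix epoch; used as the rotating part of the key."""
    return int((time.time() if now is None else now) // 86400)


def _tag(local, domain, day):
    """Short HMAC over the issue day and the plain address."""
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def sign_return_path(address, day):
    """Build the envelope sender (Return-Path) to use on outgoing mail."""
    local, domain = address.rsplit("@", 1)
    return f"{local}+{day}-{_tag(local, domain, day)}@{domain}"


def verify_return_path(rcpt, today):
    """True only if rcpt is a keyed address we issued and it has not expired."""
    try:
        local_part, domain = rcpt.rsplit("@", 1)
        local, key = local_part.rsplit("+", 1)
        day_text, tag = key.split("-", 1)
        day = int(day_text)
    except ValueError:
        return False  # not in our keyed format at all
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return False  # key has rotated out (or claims to be from the future)
    expected = _tag(local, domain, day)
    return hmac.compare_digest(tag.encode(), expected.encode())


def classify(envelope_from, envelope_to, today):
    """Decide what to do with an incoming message from its SMTP envelope.

    Bounces (delivery status notifications) arrive with an empty envelope
    sender, so anything else is ordinary mail and is left to other filters.
    """
    if envelope_from != "":
        return "deliver"
    if verify_return_path(envelope_to, today):
        return "accept-bounce"      # answers a message we really sent
    return "drop-forged-bounce"     # backscatter from a forged sender address


if __name__ == "__main__":
    today = day_number()
    keyed = sign_return_path("user@example.com", today)
    # Constructed envelopes: (MAIL FROM, RCPT TO)
    samples = [
        ("", keyed),                              # bounce of our own mail
        ("", "user@example.com"),                 # bounce of a spammer's forgery
        ("", "user+1-0000000000@example.com"),    # guessed or stale key
        ("friend@example.org", "user@example.com"),
    ]
    for mail_from, rcpt_to in samples:
        verdict = classify(mail_from, rcpt_to, today)
        print(f"{mail_from or '<>':20} -> {rcpt_to:42} {verdict}")
```

The scheme depends on controlling the envelope sender of outgoing mail, which is the same limitation the comment notes for people who do not run their own mail servers.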
...and for some reason I forgot to delete it (it arrived last week). On having another look at the source, it seems it has an attachment called live.scr with screwed up MIME headers, so Mozilla won't display it. Looks to me like a virus is faking bounce messages and claiming "The attachment is the original message" in order to get me to run it. Heh, nice try, that's one of the reasons I don't use Windows any more...
Identity Theft is a felony in Arizona, USA.
Thx to TriWest the officials here are getting very familiar with this kind of crime.
don't know if they work on this kind of problem..yet.
It always uses "john@some-randomly-selected-domain" as its From: address.
Fortunately, the targeted domain is one whose users never pick up mail, so I can use it as a honeypot, and feed systems not found in relays.osirusoft.com into a private DNS blacklist. However, I got tired of chasing this dirtball, and set up MIMEDefang to automatically add this cretin to the server's firewall rules when one of its attacks is detected.
Oh, no! You have walked into the slavering fangs of a lurking grue!
I had someone hijack my 10 year old email address as the From: field in a virus attack. They were operating from Energis in the UK on a dial up account. I not only got bounced mails but all the virus intercepting programs bounced me back a copy of the Virus. Plus irate sysadmins accusing me of being a cyberterrorist (you just can't get good sysadmins these days can you?).
Energis were very very unhelpful. I eventually had to get my company lawyer to contact Energis. Only then did they take action to block the account.
Why can't ISPs etc filter on the From: field for unidentified users to make sure the domain is part of their zone? I'm not suggesting stopping mail relaying which can be very useful.