SPAM - A Different Kind of Identity Theft?

bmooney28 asks: "After maintaining a single permanent email address through 8 years and five ISP's (via a forwarding service), I lost it all in a day. My first sign of trouble came when I found a message undeliverable email in my inbox containing hundreds of failed email addresses. Apparently, my email address had been pasted as the return address in a mass mailing similar to this one sent to hundreds of random recipients. This process repeated a few times over the next day or so, effectively blacklisting my email address on various master lists and adding my address to thousands of random address books (virus magnets). In the past, I have had a great deal of luck fighting off SPAM and other unwanted email via throwaway email addresses and preemptive email filtering. Now, the email address that I use to communicate with friends, former students, and coworkers around the world is useless. Have any of you ever found yourself in a similar situation? Are there any legal steps that I could take against this company?"

It's a losing cause

[kawika]

For several years I have been using spam-magnet accounts like hotmail.com and yahoo.com. I feel like Elaine in that episode of Seinfeld when she finds out her favorite form of birth control (The Sponge) is being taken off the market. She hoards all she can find and then has to decide if every guy she meets is "spongeworthy". That's what we are all trying to do with our email accounts, trying to decide who to give the primo ones and who gets the seldom-checked Hotmail address.

Due to some friends getting Klez, my "good" emails have leaked out and are receiving spam. So no matter what you do the email shell game is not a complete strategy for spam management.

In your case I think that address is so worthless at this point that you're going to have to give up on it. Put a vacation message on it and move on.

Re:It's a losing cause

[DeadSea]

You can no longer expect to use an email address for very long without it getting spammed.

1. Buy your own domain name so you have an unlimited number of email addresses.
2. Change your email address every few months when it starts getting spam.
3. So that friends and family can still contact you, put a form on your website that will always send to your current email address.
4. For old disabled email addresses, send an autoreply that says "This email address has been disabled because it is getting too much spam. Please contact bob at: http://bobsite.tld/contact.pl"

legal steps

[zarqman]

if you can identify who the spammer is and if they are in the same country as you are, then you certainly can sue. whether you can collect of course, is a different matter. but, things that are likely to help: document, document, document. seriously. you can probably approach this two ways: a criminal basis, fraud, and a civil basis, personal loss.

for fraud, you'll likely need the assistance of a public prosecutor. if they are cool with that, you're in luck. if they aren't, there's not much you can do. you will have to somehow show ill-intent on the basis of committing the fraud. honestly, not too difficult, but given the courts in your jurisdiction, you never know. jurisdiction differences between you and the spammer may make this difficult.

for personal loss, jurisdiction can be worked with (if, as mentioned above, in the same country), although it could get expensive to pursue. documentation becomes really big here as you'll have to prove loss. document the time you spend contacting people to let them know of your new address. write a journal and document your 'pain and suffering' having to go through this. keep all server logs, measure for bandwidth and storage use (not totally sure what to do with it, but maybe someone else creative here will help), and anything else you can think of. if it requires long distance calls, document that. etc. then find a lawyer who will take it and see what happens. then again, contact a lawyer in your jurisdiction first, as the usual /. rules apply: few here are lawyers (i'm not) and none are _your_ lawyer.

good luck. i certainly feel for you. this bites.

Habeas.com headers to assert you're not spamming

[manastungare]

Check out Habeas for adding headers to your email that certify you're not sending spam. Habeas' license policy restrict spammers from using them, thus spam filters allow emails Habeas headers through without problems. Let's hope it works! :)

Get a domain instead

[npadgett]

Do what a friend of mine did. Get a domain. Then generate nice one-of mail addresses to use for all things and purposes. Should help to reduce your exposure to things like this -- lets you spread the risk around. Any address that is compromised can just be blocked out.

Re:Get a domain instead

[waytoomuchcoffee]

What is to stop your domain from getting blacklisted? And I hope your friend is running a good whitelisting program on all but the address s/he is using, since spam comes in bundles to various addresses in the domain, which will all end up in his/her default box.

This is 'Collateral Spam'

[Joel+Rowbottom]

The technique you're describing is known as 'collateral spam'.

I'm the Head Geek (ok, CTO) of the company which runs domains such as UK.com, UK.net, US.com, etc. Among our 'portfolio' we have the name NO.com.

Now, admit it, how many times have you typed 'no@no.com' into a reply-to field, or a web-form? Those bounces come to us, and yes, they're hellish to deal with - it's pretty much rendered the whole domain useless for email, never mind one single address, because we have to bounce or filter the 'bad' addresses. It's a Wile E Coyote Acme-branded magnet for spam.

You don't say which locale you're in, but the European Commission made this a criminal act - I was at the consultation with members of the ISP industry, and cited the collateral spam problem as a form of DoS - never mind the identity theft.

If you want to take legal action, this is probably the way forward, but if I were you I'd just let it go - it'll be expensive, and probably greenfield legal territory anyway.

(IANAL, blah).

Re:This is 'Collateral Spam'

[Datoyminaytah]

That doesn't mean it goes nowhere. Try pinging or tracert'ing example.com. Using this in a "fake" email address could still cause a problem, couldn't it?

A better option might be to use a domain ending with .invalid, as also shown in the RFC you linked to. It's also reserved, but it shouldn't resolve to a valid IP address. This is the option that has been recommended to me in the past.

It happened to me too

[geoswan]

It happened to me too.

I experienced some real anxiety, when I opened up my mailbox, and saw sixty odd "undeliverable" messages. But it turned out it was all addressed to a userid I hadn't used in almost six years. That ISP kindly agreed to keep forwarding my old email. This was useful for the first year or so. From then on all it got me was the occasional SPAM.

Then the SPAM grew more frequent. And, more recently, I started getting SPAM addressed to me under the name Joan.

Then, in late November of last year I got the same flood of undeliverable messages bmooney describes.

I found it very surprising how many ISPs could not detect that the messages were SPAM. Most ISPs didn't bounce back enough to submit a report to http://spamcop.net. But some did. And I reported those. Altogether I got about 600 warnings and error messages.

At first I was getting about fifty or so a day. But then they slowed to a trickle.

I can't understand what advantage there is for a SPAM artist to forge a real address as the author of their SPAM.

I suspect that the arrival of SPAM addressed to "Joan" marked the beginning of SPAM artists using this userid. The forged userid was accompanied by dozens of made up names. I suspect that one SPAM artist mistakenly harvested the forged name Joan from a previous SPAM campaign.

One of the other respondents to bmooney's article has reported their userid too has been forged into SPAM, and they estimated 150K messages went out. I was curious how many messages went out under my old userid. How would one make a reliable estimate, based on the number of undeliverables?

My SPAM artist was trying to sell penis enlargement.

I too only received a single reply from a live human being, who couldn't tell that the message was SPAM, and replying was useless. I got a couple of dozen messages from people who had set up autoresponders, because they were on vacation.

Fraud/Impersonation

[TheLink]

It's fraud/impersonation. Someone says they're you when they're not. Simple as that.

There are laws against that in most countries. If the spammer is in the same country as you, you've a better chance of success.

The damages should go up, if they impersonate you and do bad things.

I can do you one better...

[Asprin]

Damn right it's identity theft!

One day a couple of months ago, I got a "Thanks for joining!" message from Netflix. A few hours later, I got several "Thanks for your order, Your DVD rental is on its way" messages. Apparently, some jerk-ass had used **MY** email account to sign up for the service. Sure enough, when I called their customer service department (who were very helpful once they called the phone number on the account and got a non-residential warehouse in California) and complained that I was the victim of, you know, **FRAUD**, they changed the email address to something invalid to prompt a customer service call from the dude who signed up.

The problem is who do they go after when this asshead absconds with the DVDs? Me? I didn't do anything except have an email address someone else used fraudulently. Unfortunately, I'm probably the only contact information they have on the account that leads to an actual human being, and that's why I was so vigilant about complaining early and often.

If anyone was at fault, it was Netflix - mailing lists learned long ago that you cannot assume an email address is valid because someone stuck it in a web form, so they send confirmation messages through an autoreply address validation system.

BTW, one of the early messages I got also included the password for the account. (Good move, NetFlix!!!) I looked up the account to get info for my records, but I didn't change the password or log on to the account (though I was prepared to do so if Netflix couldn't fix the problem). My concern was that some boneheaded prosecutor somewhere would have interpreted that as acknowledging ownership of the account, and I didn't want to be involved any more than I already was.

I'm just glad it's over.

Get your own domain

[Tip]

I have my own domain, and give everyone a different email address on that domain. For example if I signed up with ebay it would be ebay@mydomain.com. This way I know who is giving out my address. I have had almost 0 spam messages since I've been doing this. And if one of the emails become contaminated, I just drop that mail for a while.

Spam for Pump and Dump

[waldoj]

I had this happen to me, too. Some spammer was promoting a pump-and-dump scheme and then moved onto promoting an actual product. It was easy enough to connect the two, and thus get a name and address. A friend and staunch anti-spam advocate actually called the guy up and challenged him. He invented some yarn about an evil business partner taking over his servers or something. I talked to several attorneys, but the cost for taking on the case was thousands of dollars, so that was out. I eventually filed a complaint with the SEC over the pump-and-dump scheme, but I've never heard back.

Another spammer started sending out mail with my return address about a week ago. This time, I wrote a quick filter to pipe it all into a folder where I could ignore it. I don't know what else I can do.

-Waldo Jaquith