SPAM - A Different Kind of Identity Theft?
bmooney28 asks: "After maintaining a single permanent email address through 8 years and five ISPs (via a forwarding service), I lost it all in a day. My first sign of trouble came when I found a message undeliverable email in my inbox containing hundreds of failed email addresses. Apparently, my email address had been pasted as the return address in a mass mailing similar to this one sent to hundreds of random recipients. This process repeated a few times over the next day or so, effectively blacklisting my email address on various master lists and adding my address to thousands of random address books (virus magnets). In the past, I have had a great deal of luck fighting off SPAM and other unwanted email via throwaway email addresses and preemptive email filtering. Now, the email address that I use to communicate with friends, former students, and coworkers around the world is useless. Have any of you ever found yourself in a similar situation? Are there any legal steps that I could take against this company?"
Wow, that really stinks. I have personally used similar solutions to the spam problem. In the future I would suggest using different aliases for friends, business contacts, web forms, etc.; and then keep the main POP account secret, that way the SPAM people shouldn't ever get the real address, and if something like this happens again to one of the front addresses, you can just drop it without losing all of them.
j.goforth
While not an answer to your question, I feel this incident exposes a major problem with the way many MTAs are architected.
I cannot send mail to AOL users. Why? Because I'm in their spam filter. Why? Because of Klez. As you may know, it extracts addresses from your IE cache and sends mail using one of those addresses it finds. Well, mine was used a bunch of times to send the virus to AOLers.
AOL's mail server didn't bother to read the headers -- instead, it does what no server should do, trust the "From:" header. Had their MTA parsed the "Received By" logs, it would find that it wasn't sent by me. Instead, whoever wrote it took the easy way out and decided to always believe the From: header and as such I'm now unable to send mail to AOL.
Not like I mind.
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
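The comparison the comment above describes, between the From: header and the Received trail, as an added example that is not part of the original thread. The sample message, the host names and the `trusted_mx` set are constructed, and the reverse-DNS suffix match is an assumed stand-in for a real sender-policy lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (all hosts and addresses are made up): From: names one
# domain, but the Received trail shows the message entering from another.
SAMPLE = (
    "Received: from mail.isp.example (mail.isp.example [198.51.100.7])\n"
    "\tby mx.receiver.example with ESMTP id A1; Mon, 1 Jul 2002 10:00:02 -0400\n"
    "Received: from infected-pc (dialup-42.isp.example [198.51.100.99])\n"
    "\tby mail.isp.example with SMTP id B2; Mon, 1 Jul 2002 10:00:00 -0400\n"
    "From: Victim <victim@victim-domain.example>\n"
    "To: someone@receiver.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def handoff_hop(msg, trusted_mx):
    """Return the newest hop stamped by one of our own servers, or None.
    Older Received lines are written by the sender's side and can be forged."""
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m and m.group(4).lower() in trusted_mx:
            return {"helo": m.group(1), "rdns": m.group(2).lower(), "ip": m.group(3)}
    return None

def assess(raw, trusted_mx):
    """Compare the From: domain with the host that actually handed us the mail."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = handoff_hop(msg, trusted_mx)
    if hop is None or not from_domain:
        return {"from_domain": from_domain, "handoff_ip": None, "consistent": None}
    rdns = hop["rdns"]
    # Assumption: a suffix match on reverse DNS stands in for a real policy
    # lookup (for example SPF); it only illustrates the comparison.
    consistent = rdns == from_domain or rdns.endswith("." + from_domain)
    return {"from_domain": from_domain, "handoff_ip": hop["ip"], "consistent": consistent}

if __name__ == "__main__":
    print(assess(SAMPLE, {"mx.receiver.example"}))
```

A `consistent` value of `False` means the From: domain should not be penalised for this message; `None` means no trusted hop was found and nothing can be concluded.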
This same thing happened to me as well. I had a POP account for some time, but it got used as the return-address for spam. My only recourse was to deactivate the account with my ISP and find another address.
The real trouble came when I had to transfer my domain to another registrar. Since they have to verify my identity against my email, I was forced to reactivate the account. Thankfully, after several months of rejecting email, the problem of 10,000 undeliverable messages per day had gone away. There still were thousands of messages in my inbox I had to clear (thank God for IMAP), but the account was still usable again.
As a side note, I tried reporting this to my ISP's abuse department, but that got nowhere. I never seemed to find a real person to listen. However, I didn't try very hard--your mileage may vary.
ph34r teh p0w3r 0f th3 c0w
I have worried about this stuff for a long time. First, as so many have stated already, "get a new email address." Really no way around that, your old one is *dead*.
So what to do about the future? I guess you have to assume that every email address can eventually be nuked, and get used to sending out new email address notifications to everyone. Another reason I see digital signing becoming a necessity in the future -- else what is to stop a trojan hijacking your email address and sending out fake change of address messages?
More and more it's heading to the point where your *real identity* has nothing to do with your email address, but rather with your PGP key.
Hmm, now that's an idea..
Could it be done so that when you hit reply, you contact one of the pgp keyservers and get back the preferred email address?
That way, when you change your email, all you have to do is change the preferred email address on the keyservers.
Once I cross the "you pissed me off, spammer" line...
I usually send a nastygram back to all the email addresses I can find, their funders & investors, board members, customers, employees, etc. all in the TO: field:
I say I will never do business with them, will tell my friends not to do business with them, and purposefully seek out their competitors when I next need their product.
I tell them that this is formal notification to not contact me again commercially, and list the email addresses that they must remove.
Then I tell them I will sue them under CA law (http://www.spamlaws.com/state/ca1.html) if they don't comply.
Call your state attorney general and describe the situation as identity theft and/or DOS attack, and urge him/her to prosecute the spammer. Say it can be a very visible prosecution that will make the AG enormously popular with computer users.
a) There's no reason to use someone's email address when signing up for Netflix... It essentially gives that someone access to an account paid for with YOUR credit card.
Like I said, I did not access the account, so I do not know if Netflix provides no-CC options or not, whether the CC used was valid or not, nor whether the card itself was stolen or not. Here's a thought - let's say that it **was** a stolen credit card. Now my email address is on an account that's using a stolen card. Prove that I didn't sign up for the account and fill in a bogus mailing address. There'd be no point you say? Maybe, if I was actually after the movies, but it's still fraud and theft *AND* now carries the added weight of being a FEDERAL crime because the transaction crosses state lines **AND** My email address is listed as a contact on the account. Excuse me for letting paranoia get the best of me, but if I were the FBI, I would AT LEAST send a couple of agents out to investigate the owner of the email account, so I'm going to complain early and often to make sure that my position is understood by everyone with whom I come in contact.
Plus, now the credit card companies are involved and they have attorneys whose job it is to fight this kind of stuff - ALL DAY LONG. I've heard too many horror stories about innocent people plea-bargaining to make problems like this go away because they cannot afford the battle.
b) How the hell did this guy order DVDs if he didn't have access to your email (and hence the account password).
He put my email address on the sign-up form and Netflix didn't verify it was his. I don't know if he ever accessed the account after his initial order, because I didn't stick around long enough to find out.
c) You would have had nothing to worry about - Whoever was at that address is a different story though. More importantly, whoever's CC# was used to sign up would've had something to worry about.
I would hope so, but I can't assume that -- not when there isn't some sort of clear legislative or legal precedent to identify this sort of thing as identity theft.
It's also possible it was an honest mistake like a typo, though I clearly can't assume that either. It's better to avoid the accident if you have the opportunity than let the accident happen and be in the right.
"Lawyers are for sucks."
- Doug McKenzie