Slashdot Mirror
SPAM - A Different Kind of Identity Theft?
bmooney28 asks: "After maintaining a single permanent email address through 8
years and five ISP's (via a forwarding service), I lost it all in a day. My first sign of trouble came when I found a message undeliverable email in my inbox containing hundreds of failed email addresses. Apparently, my email address had been pasted as the return address in a mass mailing similar to this
one sent to hundreds of random recipients. This process repeated a few times over the next day or so, effectively blacklisting my email address on various master lists and adding my address to thousands of random address books
(virus magnets). In the past, I have had a great deal of luck fighting off SPAM and other unwanted email via throwaway
email addresses and preemptive email filtering.
Now, the email address that I use to communicate with friends, former students,
and coworkers around the world is useless. Have any of you ever found yourself in a similar situation? Are there any legal steps that I could
take against this company?"
Wow, that really stinks. I have personally used similar solutions to the spam problem. In the future I would suggest using different aliases for friends, business contacts, web forms, etcs; and then keep the main POP account secret, that way the SPAM people shouldn't ever get the real address, and if something like this happens again to one of the front addresses, you can just drop it without losing all of them.
j.goforth
1) The litigious young american will call his lawyer and look into suing this company for fraud and slander/libel. Reap massive multi-million dollar judgment 5 years later.
2) The sane human being will get a new email address and tell all of his friends, family and other contacts that he's changed addresses.
Pick one. Do you maybe have legal recourse? IANAL, but yeah maybe. Think about what would happen if someone fraudulently used your home address or phone number.
On the other hand, how much is that email address really worth to you?
(note that if the answer to that last question actually has a real substantial dollar value attached to it, then you shouldn't be talking to slashdot, but a real attorney.)
For several years I have been using spam-magnet accounts like hotmail.com and yahoo.com. I feel like Elaine in that episode of Seinfeld when she finds out her favorite form of birth control (The Sponge) is being taken off the market. She hoards all she can find and then has to decide if every guy she meets is "spongeworthy". That's what we are all trying to do with our email accounts, trying to decide who to give the primo ones and who gets the seldom-checked Hotmail address.
Due to some friends getting Klez, my "good" emails have leaked out and are receiving spam. So no matter what you do the email shell game is not a complete strategy for spam management.
In your case I think that address is so worthless at this point that you're going to have to give up on it. Put a vacation message on it and move on.
for fraud, you'll likely need the assistance of a public prosecutor. if they are cool with that, you're in luck. if they aren't, there's not much you can do. you will have to somehow show ill-intent on the basis of committing the fraud. honestly, not too difficult, but given the courts in your jurisdiction, you never know. jurisdiction differences between you and the spammer may make this difficult.
for personal loss, jurisdiction can be worked with (if, as mentioned above, in the same country), although it could get expensive to pursue. documentation becomes really big here as you'll have to prove loss. document the time you spend contacting people to let them know of your new address. write a journal and document your 'pain and suffering' having to go through this. keep all server logs, measure for bandwidth and storage use (not totally sure what to do with it, but maybe someone else creative here will help), and anything else you can think of. if it requires long distance calls, document that. etc. then find a lawyer who will take it and see what happens. then again, contact a lawyer in your jurisdiction first, as the usual /. rules apply: few here are lawyers (i'm not) and none are _your_ lawyer.
good luck. i certainly feel for you. this bites.
geek friendly VPS's and free API enabled DNS : zerigo.com
While not and answer to your question, I feel this incident exposes a major problem with the way many MTAs are architected.
I cannot send mail to AOL users. Why? Because I'm in their spam filter. Why? Because of Kleez. AS you may know, it extracts address from your IE cache and sends mail using one of those addresses it find. Well, mine was used a bunch of times to send the virus to AOLers.
AOLs mail server didn't bother to read the headers -- instead, it does wqhat no server should do, trust the "From:" header. Had their MTA parsed the "Received By" logs, it would find that it wasn't sent by me. Instead, whoever wrote it took the easy way out and decided to always believe the From: header and as such I'm now unable to send mail to AOL.
Not like I mind.
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
This same thing happened to me as well. I had a POP account for some time, but it got used as the return-address for spam. My only recourse was to deactivate the account with my ISP and find another address.
The real trouble came when I had to transfer my domain to another registrar. Since they have to verify my identity against my email, I was forced to reactivate the account. Thankfully, after several months of rejecting email, the problem of 10,000 undeliverable messages per day had gone away. There still were thousands of messages in my inbox I had to clear (thank God for IMAP), but the account was still usable again.
As a side note, I tried reporting this to my ISP's abuse department, but that got nowhere. I never seemed to find a real person to listen. However, I didn't try very hard--your milage may vary.
ph34r teh p0w3r 0f th3 c0w
Check out Habeas for adding headers to your email that certify you're not sending spam. Habeas' license policy restrict spammers from using them, thus spam filters allow emails Habeas headers through without problems. Let's hope it works! :)
You won't know why things aren't working until way after you can do damage control, and let everyone know what happened. Most of them will think you're ignoring them and become insulted.
And as long as we focus on a system where a hashed string is an index into a table, and that is the sole identifying feature of some communication (wanted or unwanted), there won't be a solution forthcoming.
I think a facet the current problem is there's no easy way to "clear your name" with ISPs. It's easy to harvest and build deny lists, but difficult to deal with those false positives; you know, human interaction. Not a strong point, especially among this crowd (myself included)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I have worried about this stuff for a long time. First, as so many have stated already, "get a new email address." Really no way around that, your old one is *dead*.
So what to do about the future? I guess you have to assume that every email address can eventually be nuked, and get used to sending out new email address notifications to everyone. Another reason I see digital signing becoming a necessity in the future -- else what is to stop a trojan hijacking your email address and sending out fake change of address messages?
More and more it's heading to the point where your *real identity* has nothing to do with your email address, but rather with your PGP key.
Do what a friend of mine did. Get a domain. Then generate nice one-of mail addresses to use for all things and purposes. Should help to reduce your exposure to things like this -- lets you spread the risk around. Any address that is compromised can just be blocked out.
Hmm, now that's an idea..
Could it be done so that when you hit reply, you contact one of the pgp keyservers and get back the prefered email address.
That way, when you change your email, all you have to do is change the prefered email address on the keyservers.
My 9-year-old address has been forged in spam headers about 6 times. I'm guessing that around 150k spam messages have been sent with my email as the 'From' address. I haven't found my domain or my address to be on any blacklists as a result, and I've only gotten ONE reply from a spammee who couldn't tell that the email didn't really come from me.
I hate it, it sucks, etc. But it hasn't affected my legitimate use of the address.
once I cross the "you pissed me off, spammer" line...
I usually send a nastygram back to all the email addresses I can find, their funders & investors, board members, customers, employees, etc. all in the TO: field:
I say I will never do business with them, will tell my friends not to do business with them, and purposefully seek out their competitors when I next need their product.
I tell them that this is formal notification to not contact me again commercially, and list the email addresses that they must remove.
Then I tell them I will sue them under CA law (http://www.spamlaws.com/state/ca1.html) if they don't comply.
Just goes to show why filtering on sender alone is useless, since the From: line isn't authenticated and can contain absolutely anything. A tool like SpamAssassin that checks multiple criteria can be much more effective.
I'm the Head Geek (ok, CTO) of the company which runs domains such as UK.com, UK.net, US.com, etc. Among our 'portfolio' we have the name NO.com.
Now, admit it, how many times have you typed 'no@no.com' into a reply-to field, or a web-form? Those bounces come to us, and yes, they're hellish to deal with - it's pretty much rendered the whole domain useless for email, never mind one single address, because we have to bounce or filter the 'bad' addresses. It's a Wile E Coyote Acme-branded magnet for spam.
You don't say which locale you're in, but the European Commission made this a criminal act - I was at the consultation with members of the ISP industry, and cited the collateral spam problem as a form of DoS - never mind the identity theft.
If you want to take legal action, this is probably the way forward, but if I were you I'd just let it go - it'll be expensive, and probably greenfield legal territory anyway.
(IANAL, blah).
Smegma.
I experienced some real anxiety, when I opened up my mailbox, and saw sixty odd "undeliverable" messages. But it turned out it was all addressed to a userid I hadn't used in almost six years. That ISP kindly agreed to keep forwarding my old email. This was useful for the first year or so. From then on all it got me was the occasional SPAM.
Then the SPAM grew more frequent. And, more recently, I started getting SPAM addressed to me under the name Joan.
Then, in late November of last year I got the same flood of undeliverable messages bmooney describes.
I found it very surprising how many ISPs could not detect that the messages were SPAM. Most ISPs didn't bounce back enough to submit a report to http://spamcop.net. But some did. And I reported those. Altogether I got about 600 warnings and error messages.
At first I was getting about fifty or so a day. But then they slowed to a trickle.
I can't understand what advantage there is for a SPAM artist to forge a real address as the author of their SPAM.
I suspect that the arrival of SPAM addressed to "Joan" marked the beginning of SPAM artists using this userid. The forged userid was accompanied by dozens of made up names. I suspect that one SPAM artist mistakenly harvested the forged name Joan from a previous SPAM campaign.
One of the other respondents to bmooney's article has reported their userid too has been forged into SPAM, and they estimated 150K messages went out. I was curious how many messages went out under my old userid. How would one make a reliable estimate, based on the number of undeliverables?
My SPAM artist was trying to sell penis enlargement.
I too only received a single reply from a live human being, who couldn't tell that the message was SPAM, and replying was useless. I got a couple of dozen messages from people who had set up autoresponders, because they were on vacation.
Call your state attorney general and describe the situation as identity theft and/or DOS attack, and urge him/her to prosecute the spammer. Say it can be a very visible prosecution that will make the AG enormously popular with computer users.
It's fraud/impersonation. Someone says they're you when they're not. Simple as that.
There are laws against that in most countries. If the spammer is in the same country as you, you've a better chance of success.
The damages should go up, if they impersonate you and do bad things.
Damn right it's identity theft!
One day a couple of months ago, I got a "Thanks for joining!" message from Netflix. A few hours later, I got several "Thanks for your order, Your DVD rental is on its way" messages. Apparently, some jerk-ass had used **MY** email account to sign up for the service. Sure enough, when I called their customer service department (who were very helpful once they called the phone number on the account and got a non-residential warehouse in California) and complained that I was the victim of, you know, **FRAUD**, they changed the email address to something invalid to prompt a customer service call from the dude who signed up.
The problem is who do they go after when this asshead absconds with the DVDs? Me? I didn't do anything except have an email address someone else used fraudulently. Unfortunately, I'm probably the only contact information they have on the account that leads to an actual human being, and that's why I was so vigilant about complaining early and often.
If anyone was at fault, it was Netflix - mailing lists learned long ago that you cannot assume an email address is valid because someone stuck it in a web form, so they send confirmation messages through an autoreply address validation system.
BTW, one of the early messages I got also included the password for the account. (Good move, NetFlix!!!) I looked up the account to get info for my records, but I didn't change the password or log on to the account (though I was prepared to do so if Netflix couldn't fix the problem). My concern was that some boneheaded prosecutor somewhere would have interpreted that as acknowledging ownership of the account, and I didn't want to be involved any more than I already was.
I'm just glad it's over.
"Lawyers are for sucks."
- Doug McKenzie
It's a good thing that spammers are ethical!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I have my own domain, and give everyone a different email address on that domain. For example if I signed up with ebay it would be ebay@mydomain.com. This way I know who is giving out my address. I have had almost 0 spam messages since I've been doing this. And if one of the emails become contaminated, I just drop that mail for a while.
a) There's no reason to use someone's email address when signing up for Netflix... It essentially gives that someone access to an account paid for with YOUR credit card.
Like I said, I did not access the account, so I do not know if Netflix provides no-CC options or not, whether the CC used was valid or not, nor whether the card itself was stolen or not. Here's a thought - let's say that it **was** a stolen credit card. Now my email address is on an account that's using a stolen card. Prove that I didn't sign up for the account and fill in a bogus mailing address. There'd be no point you say? Maybe, if I was actually after the movies, but it's still fraud and theft *AND* now carries the added weight of being a FEDERAL crime because the transaction crosses state lines **AND** My email address is listed as a contact on the account. Excuse me for letting paranoia get the best of me, but if I were the FBI, I would AT LEAST sent a couple of agents out to investigate the owner of the email account, so I'm going to complain early and often to make sure that my position is understood by everyone with whom I come in contact.
Plus, now the credit card companies are involved and they have attorneys who's job it is to fight this kind of stuff - ALL DAY LONG. I've heard too many horror stories about innocent people plea-bargaining to make problems like this go away because they cannot afford the battle.
b) How the hell did this guy order DVDs if he didn't have access to your email (and hence the account password).
He put my email address on the sign-up form and Netflix didn't verify it was his. I don't know if he ever accessed the account after his initial order, because I didn't stick around long enough to find out.
c) You would have had nothing to worry about - Whoever was at that address is a different story though. More importantly, whoever's CC# was used to sign up would've had something to worry about.
I would hope so, but I can't assume that -- not when there isn't some sort of clear legislative or legal precedent to identify this sort of thing as identity theft.
It's also possible it was an honest mistake like a typo, though I clearly can't assume that either. It's better to avoid the accident if you have the opportunity than let the accident happen and be in the right.
"Lawyers are for sucks."
- Doug McKenzie
Fine, but it doesn't scale, and it wouldn't stop spammers from finding your email address. In fact, it would make it easier as all the email addresses are available at one easy-to-use location!
Technical measures to the spam problem just don't work. Being forced to change email addresses every week is NOT THE ANSWER. Filtering only masks the problem and doesn't solve it (closing the barn door AFTER the cows got out.) More and more people are filtering yet the volume of spam is just increasing. You can't just toss out email standards and create new standards as some people suggest (spammers would probably find a way to spam in a new standard anyway, and any new protocol would take 5-10 years to roll out.)
What is REALLY needed is GOOD anti-spam laws that would provide for hefty jail terms for spammers that do this kind of thing. Since most spam is US centric (even though spammers frequently use international open relays) US laws would make a huge dent in spam. Other countries would probably quickly follow suit. What is really needed is for congress to work with technical experts to write good laws with teeth. Even the DMA is comming around to the reality that spam is bad and laws are needed
I had this happen to me, too. Some spammer was promoting a pump-and-dump scheme and then moved onto promoting an actual product. It was easy enough to connect the two, and thus get a name and address. A friend and staunch anti-spam advocate actually called the guy up and challenged him. He invented some yarn about an evil business partner taking over his servers or something. I talked to several attorneys, but the cost for taking on the case was thousands of dollars, so that was out. I eventually filed a complaint with the SEC over the pump-and-dump scheme, but I've never heard back.
Another spammer started sending out mail with my return address about a week ago. This time, I wrote a quick filter to pipe it all into a folder where I could ignore it. I don't know what else I can do.
-Waldo Jaquith