Virginia Anti-Spam Law; FTC Forum on Spam

kiwimate writes "According to this press release, the state of Virginia has just passed a statute making 'the worst, most egregious and fraudulent kinds of spam' legally actionable. And yes, this includes header forging. The article reads like a big AOL PR piece in some places -- the VA governor led the signing at the AOL HQ in Dulles. The story also states this comes on the eve of the first-ever FTC forum on spam in Washington D.C." The FTC also made the insightful discovery that most spam is fraudulent in some fashion.

Going after header forgers?

[Corvaith]

This is the one that's always gotten me. It's obviously one of the worst possible things in spam. But how do you then track down who happens to be sending it and punish them for it?

Re:Going after header forgers?

[AlphaSys]

And better yet, do I have to live in Va. to benefit, or does my inconvenient mail just need to make a hop there?

Re:Going after header forgers?

[The+Turd+Report]

Go after the site advertised in the spam. The spammer (or who paid the spammer) has to get replies about their ads somehow.

Re:Going after header forgers?

[k-0s]

This is the one that's always gotten me. It's obviously one of the worst possible things in spam. But how do you then track down who happens to be sending it and punish them for it?

I don't know how you track them down personally but when you find out let me know and I can take care of the punishment part.

Re:Going after header forgers?

[Fished]

Most likely, either you or the sender would need to live in Virginia. Generally speaking, the rule is (and this is very approximate, as IANAL) that the person sued must have done *something* that they could reasonably have expected to have placed them under the laws of a given state. Marketing to someone in that state would qualify, connecting directly to a mailserver in that state would probably qualify, bouncing off a mailserver in that state would probably *not* qualify.

Sadlly of shore spam would not be stopped

[fozzy(pro)]

This may be good for Spam originating in the US, for the residents of VA, however Spamers from other countries could still fill our inboxes.

Re:Sadlly of shore spam would not be stopped

[David_W]

Why the fuck are you you cable/DSL-providing assclowns so unwilling to control your customers?

I find the idea that the providers are supposed to be in a controlling role offensive. I am the customer, I am paying for the service, I should be resonably free to do what I want with the connection. The attitude you present will lead us down the road of everything being blocked or filtered except for what our provider approves for us.

I agree that something needs to be done about spam, and that the providers should help, but please don't advocate them "controlling" us.

Re:Sadlly of shore spam would not be stopped

[angst_ridden_hipster]

Hey, some of us run legit servers on our DSL lines.

That's why we pay for DSL.

Arbitrarily blocking the ports leads to bad things.

Wouldn't it be better to have ISPs scan for open relays, and port filter SMTP for IP addresses failing the test?

Sure, there will be wrinkles for the DHCP crowd (e.g., Cable Modems), but most of them forbid the running of servers in their User Agreements. Oh, it would be good if they enforced those consistently, too. Those old MediaOne agreements that ban "the running of servers" really need to be enforced against the standard Windows servers (NetBIOS/NetBUIE, IIS, etc) as well, not just Apache.

Sic Semper Tyrannis

[sulli]

Will they drive a spear through the heart of the spammer? I would move back to Virginia just to be part of that.

Either it's all illegal or the law is wrong

[ObviousGuy]

So apparently we can use our 'common sense' to figure out what's 'the worst, most egregious and fraudulent kinds of spam'. I'm not sure I feel safe in a system where such a statute can be passed. The definition is too open for interpretation. Today it's porn spam with forged headers, tomorrow it's legitimate advertising getting outlawed.

If the state representatives don't have the balls to outlaw all spam outright, perhaps the residents of Virginia could grow some balls and vote these jokers out of office.

Re:Either it's all illegal or the law is wrong

[bgeiger]

I don't mind legitimate advertising. Spam that clearly shows itself as such isn't a problem; I can just delete it without a second thought, like tossing out the fliers in my mailbox.

It's the bullshit that these scumbags pull that bothers me. Header forging is fraud. Making invalid claims is fraud. Sending spam and making it look like legitimate mail is fraud. Spammers should be prosecuted under existing anti-fraud laws.

(And by the way, at least the VA representatives have the balls to address the problem, unlike most states.)

Re:Either it's all illegal or the law is wrong

[ad0gg]

From the article

To qualify for the felony provisions the sender must:

consciously (with intent) alter either e-mail header or other routing information (a technical characteristics common to most unsolicited bulk mail, but not present in normal e-mail messages); and

attempt to send either 10,000 messages within a 24/hr period or 100,000 in a 30-day period OR the sender must generate $1,000 in revenue from a specific transmission, or $50,000 from total transmissions.

Its a clear definition. Alter the headers and send over 10,000 emails in day and its illegal.

Re:Either it's all illegal or the law is wrong

[smashr]

I am a voting resident of Virginia. I am quite happy with this law. You know, the people on /. spend so much of their time whining about how we must stop the spammers, and someone finnally comes along and passes a law that will help curb the worst types of spam, and suddenly it is a horrible trangretion.

You cannot have both sides of this argument. Any restriction the government places on things like this can be interpreted by some people as too broad. Either you take your government in small doses and shy away from government regulation, or you allow the government to regulate. You cannot be wishy-washy and take whichever side of the argument you feel like supporting that day.

Spam with forged headers is bad. I dont pretend to think that this will elimnate the mass amount of email i recieve, but I can only hope.

-Dan

Re:Either it's all illegal or the law is wrong

[MrLint]

"legitimate advertising" wont be using forged headers. Try reading the article and look at the criteria for actually being a felony.

A legitimate business should stop bothering you if you tell them to.

A legitimate business with legitimate advertising should be oneou have done business with that you haved opted into.

Spam is none of these things.

Re:Either it's all illegal or the law is wrong

[gmack]

9999 isn't enough to generate revenue for them. Alan Ralsky once told me he sends a million emails per day per product.

And even that only generated about $20 000 USD per month per porn site.

Re:Either it's all illegal or the law is wrong

[danoatvulaw]

So apparently we can use our 'common sense' to figure out what's 'the worst, most egregious and fraudulent kinds of spam'. I'm not sure I feel safe in a system where such a statute can be passed. The definition is too open for interpretation.

Today it's porn spam with forged headers, tomorrow it's legitimate advertising getting outlawed. If the state representatives don't have the balls to outlaw all spam outright, perhaps the residents of Virginia could grow some balls and vote these jokers out of office.

You raise an interesting point about the lack of standards. A law based on community standards as to what is egregious may just prove Constitutionally facially invalid. That remains to be seen. At very least, it presents an issue to be dealt with, and most likely (note - i have not read the actual text of the bill) will be challenged in court. The prospect of changing standards based on conduct does not sit well with me either.

Please dont construe what I am about to say next as supporting spammers, cause I hate 'em just like everyone else, but you cannot just ban spam outright... not without tossing the 1st Amendment in the process. Both commercial and noncommercial speech is protected (like it or not), and here, a prior restraint banning spam will likewise not pass consitutional muster. Forcing truth in advertising, true header information, true return addresses == fine, but not banning spam entirely.

Suitable Remedy

[ferret70]

The convicted spammers should be forced to use AOL the rest of their lives! :)

And in further news...

[0WaitState]

And in further news, a minimum of two-thirds of all types of intrusive advertising contain false claims--telephone cold-calls, loud tv commercials, the crap that hides the funnies in the sunday newspaper, the daily pound of paper cluttering your mailbox, you name it. The more intrusive the advertising, the more fraudulent the content.

Re:And in further news...

[Bendy+Chief]

Tell me, do you see ads for "Doctor Approved!" penis enlargment in any of the media listed? Those media all advertise for identifiable, accountable corporate entities; scammers can't afford a huge publication of fliers in the Daily Rag, nor could they avoid a law-enforcement backlash after their scam is exposed.

It's due to the anonymous nature of electronic communication that these types are able to sell anything. Regulatory agencies would come down, BLAMMO, on a telemarketer phoning you and screaming pornographic lines at you. Spammers don't ask questions when taking jobs. Newspaper editors and TV commercial producers do.

Is their sample size really valid?

[psychosis]

The FTC studied a random sample of 1,000 unsolicited e-mails taken from a pool of more than 11 million pieces of spam it has collected.

OK, so were they planning to sample more than 3 typical e-mail accounts worth of daily spam?

Oh boy

I hope there can be a war on spam that is as effective as the war on drugs or the war on terrorism or the war on poverty.

Write to the Spam King

Alan M. Ralsky
6747 Minnow Pond Drive
West Bloomfield, MI 48322

If you think this will help � you�re right.

[insecuritiez]

This wont put even a tiny dent in spam. In Virginia or any where else. What it will do is set a precedent. This is one huge step in the right direction. Now you can write your local representative with "If Virginia can do it, why can't State X?" Lets take this spam victory and run with it.

I live in Virginia!

[Tuzy2k]

I hate to say it, but if AOL can throw their weight around to rid me of spam then I'll stop bitching every time I get an AOL cd in the mail :)

I wonder though- is there a place that we could report spam to the virginia prosecutors? Perhaps our state attorney general could setup a spam email and state residents could forward their spam there for the prosecutors to go after :)

This isn't new

[RJ11]

Virginia has had an anti-spam law since 1997, which is part of the Virginia Computer Crimes Act (VA Code 18.2-152). It makes spam with forged headers illegal: http://www.spamlaws.com/state/va.html

AOL, Verizon, and other large ISPs based in VA have been suing under this law for years (though they almost always go to federal court, pursuant to U.S.C. 85 1332). I have burninated a few spammers in small claims court under this law as well (I was actually in court today suing etracks.com). The law allows the recipient to seek civil relief for the lesser of $10/message or $25,000/day. For ISPs, it's the greater of the two.

Re:This isn't new

[nolife]

Verizon is one of the SOURCES of spam.

Meaning Verizon itself or a customer using Verizon services for the initial internet connectivity? Very big difference. Claiming the provider responsible for the actions of specific users is a very sharp double edge sword that has far more reaching effects then spam.

They don't act on complaints, and willing let scumbags and thieves operate on their network.

Your perception of what they do behind the scenes may not be exactly what is going on. If that is the common practice of theirs, then it is a problem.

AOL HQ

[Red+Warrior]

they signed the anti-spam law at the AOL HQ?
Isn't that one of the seven signs, or something?
Or

Just for Ralsky

[amber_lux]

B: A person is guilty of a Class 6 felony if he commits a violation of subsection A and:
1. The volume of UBE transmitted exceeded 10,000 attempted recipients in any 24-hour period, 100,000 attempted recipients in any 30-day time period, or one million attempted recipients in any one-year time period;

I think Ralsky would get that many bounces in an hour, if he did not forge headers, and hijack mail servers.

Penalty is only $10.00 per email or $25K, whichever is less.

Not enough financial damage to spammers, but it is a start. If the statutory damages were higher, it might have a legitimate claim to being the toughest in the country.

Wind under Thy Wings

Amber

Re:Just for Ralsky

[amber_lux]

That's a lot of viagra emails to send to get to 25k

2 500 emails at $10.00 is $25 000 dollars. AOL claims to block up to one billion spam messages per day.

Ralsky claims to be able to send 650 000 messages per hour on each of his 190 email servers.

If AOL sues Ralsky, the maximum they can get from him, per day, is $25 000. Meanwhile, he can throw 2 964 000 000 emails per day at AOL, if he so chooses.

Statutory damages should be $500.00 per email. ISPs could claim $500 multiplied by the number of undelivered emails in damages, with no maximum. That would change Ralsky's $25K per day habit with AOL, to a $250 000 000+ per day habit --- assuming that Ralsky is responsible for 10% of the spam at AOL.

Wind under Thy Wings

Amber

At last, a fair use for slashdotting websites

[Pieroxy]

You don't need to find who is behind the scene. Here are the steps to punish spammers without knowing them:

1. Write a small program that every user can run at home, on the seti model. Let's call it spammerSucker.
2. Identify an email as spam (this part is easy)
3. Find the website of the spammer (The email is generally full of http links)
4. Add the URL in the centralized DB of spammerSucker.
5. In minutes, millons of DSL/Cable users running spammerSucker are downloading every byte out of their server, initiating millions of sockets per second.
6. Their server is "slashdotted", and no one can access it.

Such a campaign would just result in destroying your website when you send a spam and so would make it a lot more dangerous for a company to send spam.

The danger is actually in step 2, because you don't want to blinbly suck any website...

Re:At last, a fair use for slashdotting websites

[amuro98]

There's also "joe jobs" where a spammer intentionally advertises a website of an enemy or competitor in an attempt to get the site yanked by the ISP.

I've also gotten "newsletter spam" where there are dozens of websites with different owners, none of whom are related to the spammer, nor given permission to have their website advertised in such a manner. I got one for a bunch of casinos - none of whom were thrilled at the attention. Since my complaint was CC'd to all of them, they had a handy mailing list to band together and take the spammer to court for defamation of character in a class action suit...

Re:At last, a fair use for slashdotting websites

[berzerke]

5. In minutes, millons of DSL/Cable users running spammerSucker are downloading every byte out of their server, initiating millions of sockets per second.

Step 5 is probably easier than you would think. I worked briefly with a company that spammed intentially (don't flame until you read paragraph 2!). Their servers were located in Tunisa and China, and I've got more bandwidth than those servers did (I'm on DSL). I was told they had to move them off shore due to the anti-spam people. (You ARE making a difference; I heard more than one impolite comment about you!) The people that set up the servers (i.e. physical access) did a very poor job. One server was rooted before I first SSH'd in. No updates applied at all either. They are easy targets for some wanting to knock them off-line.

BTW, I didn't work there long because there were always problems with the systems. One delay after another under me. They couldn't launch any "marketing" campaigns. All accidental of course ;^) Since they never actually paid me anything (I don't believe they would have anyway, but it was interesting to a see a spam operation from the inside), I don't feel too bad about it professionally.

how to stop AOL cds

[SHEENmaster]

1. Beat the crap out of the disc and package. Stab it, crush it, bend it, shatter it, etc.
2. Either send the original package, or the package in a sandwich bag back by writing "Unsolicited, return to sender!" on it and placing it back in the mailbox.

I haven't recieved a CD in several months, down from once a week or so.

fraudulant?!?!?!

[edrugtrader]

spam is in no way fraud. i make $50,000 a day posting to slashdot from home. you can too, email me back at ahk235hk2@yahoo.com. if that doesn't work, try my work email at 235hlj235hl2@hotmail.com.

Whoring to Capitalists is The Problem

[SubtleNuance]

The article reads like a big AOL PR piece in some places -- the VA governor led the signing at the AOL HQ in Dulles.

Hm, thats what I want, my Legislators delivering law directly from the BoardRoom. The same people who send you "buy this penis pump" emails will, next month, be sitting next to this Virginian Politician at a $5000-a-plate fundraiser... and the viscious cycle begins again.

Most Spam is Fraudulent?

[X_Bones]

Next thing you know, someone's gonna say the Pope wears a funny hat.

FTC recruits rocket scientists

[SuperBanana]

The FTC also made the insightful discovery that most spam is fraudulent in some fashion.

Duuuh. That's because nobody selling something legitimate wants the negative side effects of spam- mainly, the disgust it causes. Hell hath no fury like a consumer who's just been spammed for a product; they'll probably, even out of spite, go for your competition, if they just so happen to be in the market for your item. Remember those stupid little remote control cars? They learned the hard way that spam didn't work; retailers reported a backlash from the spam, people coming up to them and chewing out -the store employees- for the spam other resellers were sending.

Wow, shocks this Virginian

[mao+che+minh]

As a lifelong Virginian, I never saw this coming. This state's government is usually so in bed with the money hounds, nothing (and I mean nothing) gets done "legistlative-wise" until some big company lobbies for it.

I forgot that AOL has a huge datacenter up North from here. Hmm.....

Re:Wow, shocks this Virginian

[OpieTaylor]

Ironically, I once wrote to the Delegate who introduced this bill (my local representative), asking her to support a state-wide "do not call" list for phone-spam.

She wrote back, basically saying the bill was bad for business.

Maybe I should send campaign contributions to AOL, since they seem to get the job done.

Tasty!

[pcwhalen]

Mmmm. Virginia Spam! The best kind. They cure it different there, Smithfield I think.

"And after a while, you can work on points for style.
Like the club tie, and the firm handshake,
A certain look in the eye and an easy smile." Rodger Waters

Re:FTC & FDA

[ackthpt]

They were forced to by Congress, which under pressure from the dietary supplement ("health food") industry banned the FDA from regulating such as drugs. It's a real scandal.

Unfortunately you're probably closer to the truth than they would have us believe. While the manufacturers, at least a chunk of them, could claim these do no harm (unless taken in absurd quantities, which nobody really knows how much as they aren't regulated or adequately tested), it's hard to disprove whether or not they do no good. So, it's like selling sugar pills, which can be very profitable, hence so much spam regarding all these great meds and supplements.

Spammers, of course, have used far from ethical tactics so they don't go to capitals very well armed to defend themselves, even if they could tote in some 'campaign contributions.'

Virginia and the Law

[The+Ape+With+No+Name]

As a gennilman raised in Vehjenya, I can tell you this, they do not fuck around. Illegal gun: 5 years. Use a firearm in commission of a felony: 5 years on top of 20 years for whatever you did. Simple pot possession: 12 months. Radar detector: fat fine, car searched and mucho points on the license. It goes on and on. The old joke is that Virginia has a law against everything and two laws against most things, and never get busted in a state where the flag has a woman standing on a man's chest wielding a spear.

If any spammers are reading this, let me tell you about the Virginia correctional system. If you are lucky you will go to the big house. If they put you on the farm you are fucked. Most penal farms in Va grow their own food and cut their own fire wood, etc. You will come out tan and fit, my friend. I taught literacy in Wise County at the facility there. No slack for misdemeanors and light felonies. They also operate road gangs (no chains. Work is time off from your sentence with good behavior) with the Boss standing over you with a 12-gauge full of rocksalt if you decide to make like Cool Hand Luke. Also, the Virginia State Police are ruthlessly efficient and will get you. This was the best state to implement anti-spam legislation if we want spammers to hurt.

PS. It is "The Commonwealth of Virginia" not the "State of Virginia." I didn't get my hands whacked with a ruler by Mrs. Underwood to have y'all malign my beloved home with the lowly name of "state."

Permission and trespass

[NewtonsLaw]

An interesting debate arose from a story I wrote earlier this week in which I published screenshots from a spammer's mailboxes.

One reader complained that this was "hacking" and that it was an unjustifiable action.

In response to that complaint I asked my readers (part-way down the page) whether there was any difference between a spammer trespassing on someone's mailbox with their crap and someone trespassing on the spammer's mailbox to expose their mis-deeds.

Gathering by the responses it appears that the rule of "do unto others" can reasonably applied to spammers and their mailboxes.

"send", not "send or cause to send".

[Animats]

This bill, unlike California law, only penalizes sending spam, not causing it to be sent. So it doesn't let you go after firms that hire spammers. California law lets you go after people who hire spammers.

The FTC has recently gone even further. They take the position that a beneficiary of the spam is responsible for it unless they took steps to stop it. This covers spamming by "affiliates".

The FTC's position is consistent with decades of false advertising law. The FTC has often prosecuted companies that let their "dealers" lie for them. The FTC has the authority to crack down on spam, and it looks like they're starting to do so.

Don't encourage them

[billd]

If nobody ever replied to spam, there'd be no point to it, so maybe it would dry up eventually. People who react to spam are providing the feedback that encourages the spammers to spam on.

Where do I turn myself in?

[ajs]

From the article, here are the criteria:

consciously (with intent) alter either e-mail header or other routing information (a technical characteristics common to most unsolicited bulk mail, but not present in normal e-mail messages); and

Have you ever seen such hogwash?! What, pray are, "a technical characteristics"?! Since when are headers and routing information common to "unsolicited bulk mail", but not "normal e-mail messages"?!

attempt to send either 10,000 messages within a 24/hr period or 100,000 in a 30-day period OR the sender must generate $1,000 in revenue from a specific transmission, or $50,000 from total transmissions.

Ok, so where do I trun myself in? I've certainly generated $1,000 from a specific transmission (we in the spammer game call it an "invoice") and I (just like tens of thousands of other evil spammers like me) forge headers and alter routing information. For example, I have mailing list managers that alter headers and routing information and then take that single modified message and send it to DOZENS of users! I also send mail from my laptop at home and claim to be me at work and visa versa!

Before tonight I didn't know I was a spammer, but if Virginia says I'm a spammer, I must be one! Is there a reward for turning my evil spammer ass in?

I'd add a smily, but this is just creepy!

Re:Where do I turn myself in?

[ajs]

Exactly, so for example, when I've written such invoices, the fact that I claimed to be "ajs@ajs.com", but was in fact sending the mail from work (or visa versa) means that I was committing a crime by Virginia's standards.

Worse, I'm interpreting what I think is the *intent* here, but technically the fabrication (e.g. creation) of any headerer information (you know, header information, that thing "normal" mail doesn't have...) would seem to meet the criteria, so any message I've ever sent that generated $1000 in revenue would be criminal spam.

Hi, my name is Aaron and I'm a spammer. [insert reply posts here with, "Hi, Aaron!"] My career as a spammer started out like most people's. I thought it was ok to send business email, but then I got hooked on adding "headers"... that's when my dog left me and my beer all went flat! But I've admitted that I'm powerless in the face of my addiction, and I've asked my higher power (ISP) for help. Since I've been blocking outbound port 25 I've only had one relapse at an Internet cafe. I've been a recovering spammer for 2 years now, and I'd like to thank you all for this lovely medallion! ;-)