Earthlink Wins Another Spam Award: $16 million

linuxwrangler writes "U.S. District Judge Thomas W. Thrash Jr. awarded Earthlink $16 million and an injunction against Howard Carmack for Carmack's use of Earthlink to deliver spam. Given that Earthlink is still awaiting payment of the $25 million it won against Kahn C. Smith last year, it views the injunction as the bigger of the two wins." A few more of these, and maybe the tide of spam will eb. Maybe. Nah.

Legal vs technical vs payperemail

[arete]

I used to believe that legal remedies couldn't stop things like spam, but I think I was wrong.

The very fact that spam is only a problem when it's on a large scale (don't think about recieving on a large scale, think that the list has to be large...) means, I think, that legal solutions can prevail.

arete

Payment in Goods?

Seeing as how these spammers probably DON'T have millions of dollars in the bank, and even Microsoft was able to negotiate for penalties being only in software, is Earthlink likely to get a truck load of $16M of penile enhancement cream and Nigerian banknotes in compensation?

A real jerk

[LittleLebowskiUrbanA]

This guy used his relative's info for setting up accounts. When Earthlink talked to his 58 year old retired uncle, they figured out what was going on when he mentioned a nephew that works at home w/ computers. (I read the Wall Street Journal. Headline news!)

Awards vs. Injunction

[sssmashy]

Last year the company was awarded $25 million in damages in a suit against another big junk e-mailer, Kahn C. Smith of Tennessee. Youngblood said the company hasn't collected that award. But the monetary award, Wellborn said, is less of a victory than the injunction.

Nobody will ever collect civil damages from a spammer, because the vast majority of spam does not come from legitimate companies with assets. Most spammers tend to be individuals: low-rent sleazebags with bad credit and a history of illegal or borderline illegal activities. If they actually had millions of dollars they wouldn't stoop to spamming.

The injunction is a good thing because if one of these lowlifes tries spamming again, they can throw him in jail.

Re:Awards vs. Injunction

[gary+bernhardt]

Generalizations like this do *not* further the anti-spam cause. Spam is most definitely an area where very large financial gain is possible. This obviously precludes spammers being "low-rent" sleezebags.

This reminds me of the thousands of posts over the years on Slashdot asking "Why does anyone spam? Noone buys that stuff." Then about a year ago a story gets posted showing someone who made *millions* spamming, and everyone stopped discussing it as if it had never happened.

Randomly assigning adjectives to someone you view as an opponent will not help your position. All it will do is make you look like someone who blindly slings insults, without giving any thought to the situation.

Re:Awards vs. Injunction

[datavortex]

Sorry, but in this case unfortunately the generalization is correct. That's pretty much how it's played out I'm afraid. There's only a couple spammers like Milette and he's more clever (and able to find scumbag salespeople at desperate bandwith providers) than many would like to admit.

Re:Awards vs. Injunction

[dubl-u]

Spam is most definitely an area where very large financial gain is possible. This obviously precludes spammers being "low-rent" sleezebags.

Even if somebody lives in a high-rent place, they can be a low-rent sleazebag. Hollywood is full of them, for example. And that the gain is possible doesn't mean that all spammers get it; the spammers I've taken the time to track down and talk to have often made very little from it.

Generalizations like this do *not* further the anti-spam cause.

Well, actually, they do, especially when they're true. It makes it much easier from a PR and lobbying perspective to be able to say paint spammers as beyond the pale.

I recently chatted with a fellow who's in the on-line porn industry. Although he doesn't spam, he knows a number of spammers. He seemed quite convinced that they were sleazebags. I've met a few myself, and all of them, excepting the once who were just plain clueless, were all sleazebags.

And all the ones I've seen profiled in the press were pathetic excuses for human beings, too. Like the guy in Minnesota, who previously was a cop. Until he got busted for selling drugs to children, that is.

So if you know some spammers who are smart, upstanding, concerned citizens, hey, share the details with us. I'd be fascinated to find once who is a vegan pacifist buddhist. No, scratch that, I'd be fucking floored.

Re:I wish I could get in on this

[Eric+Damron]

If you live in states with anti-spamming laws you may be able to sue the spammers. Not for millions of dollars however.

In Washington state we are allowed to sue for up to $500.00 per spam. However, the spammer must do something like give a false return address or misleading subject line.

You should check your state laws.

Death of a spammer

[Animats]

As I've mentioned previously, we had a problem with a spammer forging our Downside(tm) return address, resulting in over 16,000 mail bounces. It's been a headache, but all 24 of his "extreme rape" web sites, plus his billing sites, are now off the net.

Originally, he was buying hosting from several US ISPs, including Rackspace. We asked the ISPs to identify the site owner, as required by law (because he accepts credit cards) and when they found they didn't have good info on him, they killed his accounts. He was using about five ISPs at a time, and had his own DNS server so that he could quickly switch from one ISP to another as he was kicked off. The spam itself went out via open Telnet proxies. Whois info is plausible, but fake.

This seemed like a big-time operator, but over time, a different picture emerged. It became clear that this guy's business isn't porno. It's collecting credit card numbers. The porno sites were very shallow. ISP operators told us they were typically $5/month hosting sites with maybe 1MB of content. Some of the web sites were purchased with bad credit card numbers.

This guy kept coming back, typically buying bottom-level hosting through resellers. He tried a hosting service in Mayalasia and got kicked off. He tried one in Brazil and got kicked off. He tried a "bulk friendly" ISP in the US and got kicked off. Finally, he ended up with everything on a server in St. Petersburg, Russia. It took a few days, but he's been kicked off there, too.

We have some hints of who he is. We've spoken to some people he's dealt with. When we get a solid ID, we'll go after him for trademark infringement.

It's possible to win these things. It's time consuming, but persist. Trace where the money goes, not where the spam comes from. Follow up daily. Half an hour a day keeps the spammers away.

Re:Death of a spammer

[Animats]

California Business and Professions Code section 17538.

(d) A vendor conducting business through the Internet or any other electronic means of communication shall do all of the following when the transaction involves a buyer located in this state:

• (1) Before accepting any payment or processing any debit or credit charge or funds transfer, the vendor shall disclose to the buyer in writing or by electronic means of communication, such as e-mail or an on-screen notice, the vendor's return and refund policy, the legal name under which the business is conducted and, except as provided in paragraph (3), the complete street address from which the business is actually conducted.
• (2) If the disclosure of the vendor's legal name and address information required by this subdivision is made by on-screen notice, all of the following shall apply: (A) The disclosure of the legal name and address information shall appear on any of the following: (i) the first screen displayed when the vendor's electronic site is accessed, (ii) on the screen on which goods or services are first offered, (iii) on the screen on which a buyer may place the order for goods or services, (iv) on the screen on which the buyer may enter payment information, such as a credit card account number, or (v) for nonbrowser-based technologies, in a manner that gives the user a reasonable opportunity to review that information. The communication of that disclosure shall not be structured to be smaller or less legible than the text of the offer of the goods or services. (B) The disclosure of the legal name and address information shall be accompanied by an adjacent statement describing how the buyer may receive the information at the buyer's e-mail address. The vendor shall provide the disclosure information to the buyer at the buyer's e-mail address within five days of receiving the buyer's request. (C) Until the vendor complies with subdivision (a) in connection with all buyers of the vendor's goods or services, the vendor shall make available to a buyer and any person or entity who may enforce this section pursuant to Section 17535 on-screen access to the information required to be disclosed under this subdivision.
• (3) The complete street address need not be disclosed as required by paragraph (1) if the vendor utilizes a private mailbox receiving service and all of the following conditions are met: (A) the vendor satisfies the conditions described in paragraph (2) of subdivision (b) of Section 17538.5, (B) the vendor discloses the actual street address of the private mailbox receiving service in the manner prescribed by this subdivision for the disclosure of the vendor's actual street address, and (C) the vendor and the private mailbox receiving service comply with all of the requirements of subdivisions (c) to (f), inclusive, of Section 17538.5.

...
(g) Any violation of the provisions of this section is a misdemeanor punishable by imprisonment in the county jail not exceeding six months, by a fine not exceeding one thousand dollars ($1,000), or by both that imprisonment and fine.

This is very straightforward. No ambiguity here. Accept a credit card number on the Internet from someone in California without first providing real contact info, go to jail.

This is enough to get you talking to an ISP's management levels or their legal department, rather than the abuse department. From there, progress is usually rapid.

This is way too hard

[ChrisWong]

The WSJ article today goes into some detail about the arduous chase with little pay-off. Earthlink must have some really dedicated anti-spam activists to even try this. Think they are getting big bucks? Hardly. From the WSJ:

The lawsuits rarely collect payments because most spammers don't have much money. Last year, EarthLink won one of the industry's biggest settlements -- a $25 million judgment against a Tennessee spammer, but it hasn't yet collected a cent. The Federal Trade Commission has brought 48 actions against spammers who make false claims about products or identities, but it hasn't recovered much money either. "Many times, there is no money left," says Brian Huseman, staff attorney at the FTC.

And it involves a lot of grunt work per spammer. How much is your time worth? It's like "The Cuckoo's Egg" story again. For just this one guy, for example:

The pursuit of the Buffalo spammer became Ms. Youngblood's top priority early last year. She spent about 10 hours a week on the case, and her employees spent another 10 to 20 hours a week, in total, hunting to see where he was hiding on the network.

Unless we start seeing some high-profile jail time, there won't be much of a victory.

Re:This is way too hard

[minas-beede]

And it involves a lot of grunt work per spammer.

Who are the spammers in the Tulsa, OK area? I've got some pretty good evidence against someone there. Wasn't much work at all. I received a relay test message from him, I delivered it, now spam is arriving that (so sorry, Mr. Spammer) isn't getting delivered. Over 5000 recipients so far. The spam comes to my fake open realy through open proxy systems.

He's sending the relay tests from:

adsl-65-70-89-125.dsl.tulsok.swbell.net

He spams:

Subject: FWD: ASSET - BACKGROUND - MISSING PERSON SEARCHES..
Subject: FWD: BACKGROUND & ASSET SEARCHES - SAME DAY!
Subject: Fwd: background & asset reports - same day..
Subject: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE..
Subject: Re: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE!
Subject: Re: BACKGROUND & ASSET REPORTS - SAME DAY"
Subject: Re: background checks - same day service!
Subject: ASSET SEARCHES - SAME DAY SERVICE.
Subject: Re: BACKGROUND & ASSET SEARCHES - NATIONWIDE SEARCHES'

with this phone number for the marks to call: 1-877-269-3892

His relay test message went to timsmith777@connectfree.co.UK

He's been sending tests from that same IP for quite some time so I think it's the spammers IP, not an open proxy.

Why isn't he in jail?

[runchbox]

The WSJ article said he'd used 350 stolen identities and credit cards to set up accounts. We've got the laws we need to put people in jail for credit card fraud -- so why is he at home avoiding phone calls?

Re:I wish I could get in on this

[Jeffv323]

In Washington state we are allowed to sue for up to $500.00 per spam.

Actually, it's not up to $500, but exactly $500, or actual damages - whichever is greater.

See here.

-- Jeff

Re:I wish I could get in on this

[Black+Copter+Control]

If they get more money back than was spent on the process, I will be surprised.
If they don't, then they shouldn't have sued in the first place.

Monetary awards are not the only reason for suing somebody (although going into court without a monetary interest can confuse the best of judges..). Here in BC there are many cases of companies going to court go get injunctions against protestors, etc. Although the injunctions are nominally interlocutory (until the case properly goes to court), they often stop prosecuting the case after the injunction is granted (i.e. the injunction is the only reason why they filed the injunction. I was actually surprised to find that they actually proceeded with one of these cases and got a ($6000) award.

Although they seem to have little hope of collecting on the $16M award, the fact that they can have these people arrested for violating the injunction can probably save them thousands of dollars in human an hardware costs.

Speaking from personal experience

Speaking from a front line position in certain corporations *coughs* phone monkey *coughs* in no way represents any corporations opinion (just what I see at the job)

I'd say besides connection issues...

Spam and pop ups tend to be the most irritating thing about the internet to those unfamiliar with it in general... I'm quite sure it's caused plenty of customers to cancel regardless of quality of service of the connection or the quality of customer service of any company...

Not only the cancelation but the support of the end user with these issues also costs money. Running 24/7 tech support with MSN, Earthlink, AOL or any major ISP...

1800 systems don't come cheap. Money is measured in minutes.

When 50% of your calls are due to spam and pop ups... With the rest as connection issues... If somehow you can kill the reason that the end user has to call in you already saved yourself a ton of money.

Of course I've talked with people who wanted to cancel their internet because they saw a banner ad saying "You are broad casting you IP!!"

Explaining the nature of pop up ads to the user is one thing, but when they are highjacked by Xupiter, Newdotnet, or "insert your spyware of the week" it's hard to understand from their end... Not to mention those same programs will cause IE to DIE! on say Windows computer if the program itself dies. (I'd say Newdotnet is horrible for that if it eats your wsock32.dll in win98... and embedds itself all over the registry... no web pages for you...)

Heck if I know how it gets on their computers.

"Do you have Kazaa on your computer?"

Usually the answer is "yes"

Personally, I'd like to see a few ISP companies go after these Spyware companies... Sure the end user can't sue because they agreed to a EULA but it often costs their ISP large sums money in terms of support costs...

Re:Is it just me or....

[Raven42rac]

Basically, spammers make money because some "John Doe", who does not know any better is buying their stuff. If no one clicked through and bought their stuff, it would just fizzle out. But hopefully these huge settlements will scare the "casual" ass, I mean "mass e-mail marketer" out of the "business" and the rest will be sued into oblivion. IMHO, the crux of this matter will be proving that someone either did or did not "opt-in" on some website somewhere with some "checked tiny ass checkbox" located on many websites. "I did not sign up for that", yes you did, on this date at this time. On the other hand, if you contacted them and they did not stop sending you things, then you should have a legal ground.

Moral is: do not buy their wares, and scrutinize all websites that ask for you e-mail address, read the privacy policies, and make sure you do not inadvertantly sign up for mail from "affiliates".

Hosting my own server

[Nonillion]

This is why I host my own e-mail server. It is FAR easyer to block unwanted spam than to have no control of my ISPs based e-mail account. SPAM has to be rejected at the mail server, accepting the e-mail and then filtering it out with your e-mail client does no good at all. It will be interesting to see if any of these SPAMers ever pay up.

Maybe when hell freezes over SPAMers will finally catch a clue...nahhh, I doubt it..

Re: "Patriot" Legislation...

[nametaken]

Couldn't they bend 'spam' into a legally actionable offense by calling it 'terrorism'?

I know the idea of a site that sells penis enlarging devices and offers college degrees for $19.95, terrorizes me.

Re:SPAM? What's that?

[Spetiam]

It's both a matter of principle and spam does have a financial and quality of service impact on companies and consumers.

In order to dodge spam, companies/consumers have to either spend the time manually deleting spam or put out the money to buy software to filter spam. In both these cases, spam still eats bandwidth.

Companies also have to be careful (i.e., spend time/money) that software filters do not delete legitimate email, as this could potentially have a severe imapact on their business dealings, service record, etc.

Finally, the burden of spam should fall on those responsible for it, not those that are "victimized" by it. So let's still nail the spammers.

Re:SPAM? What's that?

[CodeBuster]

The problem with this argument is that even if we all ran Bayesian Filters and blocked 99.9% of all spam messages from hitting our inboxes there would still be billions of messages going back an forth between mail servers before they are caught by the filters. This is a major drag on Internet bandwidth even if all of us never actually saw another spam in our inboxes ever again. These people who abuse their network privileges and degrade the network for the rest of us should be caught and punished for their behavior. Another thing that would really help is for slashdot people to advocate proper mail server configuration, including disallowing open relays, and education of all of the part-time mail sysadmins out there who perpetuate the problem with their own ineptness. There are groups already trying to do these things and it is helping, but it will take much more work on the part of mail admins and users to shut the spammers down for good.

Treat Spammers like hackers!!!

[pkinetics]

1. Spam is theft of services and or equipment.
2. Spam is often misrepresented, ergo fraud.
3. Spam is often sexual harrassment.

Why not go after these people for real crimes and send them to the slammer, confiscate their equipment, and all that other stuff the FBI loves to do? Also gotta figure if these guys are making any money, their probably violating some IRS law, so send more feds after them.

Bah... until judges and politicans actually grow up around this stuff, or have to answer their own emails, they'll never pursue it.

I bet when Bill Gates kids start getting spam, we'll see some radical solutions.

OK, I have a friend who is a sleazebag^W spammer

[Simon+Brooke]

I went round to see a friend last night. She is a mostly sensible, mostly reasonable, fairly tech literate person. Her values are on the whole mostly in the right place. She runs a small bunsiness and until recently her business has been mostly servicing a government contract. That contract ended and was not renewed. She has laid off most of her staff, but she has no income and still two employees to pay, and she's desperate to find new work.

A couple of months ago she came and talked to me about how to set up a bulk email thing and I thought I'd succeeded in persuading her that it was a seriously bad idea and she shouldn't do it. Apparently I hadn't; last night she told me she'd started sending bulk UCE.

This isn't someone whom I'd describe as sleazy, and it isn't someone who's stupid. It's someone who is desperate. I think you will find a lot of spammers are.

The problem can be tackled, it seems to me, at two levels. Yes, if there's legislation (particularly if it has real teeth) then peopel will get a good clue that this is not a good thing to do. But it also needs there to be a professional ethic among systems and network administrators that we will not allow the infrastructure we control to be used for this sort of thing, and that we will kick offenders off and cancel accounts; and that if our management say different we will refuse to work for them - a sort of hypocratic oath for geeks.