Slashdot Mirror
First CAN-SPAM Lawsuit Filed in California
rocketjam writes "Foster City, California-based ISP Hypertouch, Inc. has filed the first lawsuit alleging violations of the new Federal CAN-SPAM Act of 2003. The lawsuit was filed against BobVila.com and the spammer they hired, Bluestream Media, for sending Hypertouch customers unwanted, unsolicited email advertisements for Vila's "Home Again Newsletter." The suit alleges the defendents sent spam email ads with fraudulent headers and no physical address. It also alleges the emails were sent to randomly generated and harvested addresses as well as addresses that had replied to opt-out links in other spams. Hypertouch's attorney, John L. Fallat, said the CAN-SPAM Act offers little protection to the public, but they would use the few protections it offers to punish spammers." Reader Clemence links to Wired's coverage of the suit.
IANAL so I'll ask this question.
Faking an email header, return address, etc. is supposedly illegal under CAN-SPAM. If this is fraud, then wasn't this illegal before CAN-SPAM?
M
At first I was kind of worried that the first target gone after was someone "respectable"-- bob vila-- and not like the people selling penis pumps or something.
But then I thought about it. How much of the problem is caused by ignorant businesses who just happen to hire the wrong marketing firm, and just say "we want you to increase our exposure on the internet" and don't realize this means millions of spam mails sent illegally through hijacked SMTP?
Perhaps to some degree education is the answer. If other legitimate businesses see bob vila getting smacked for spam mail, maybe they'll panic and make absolutely certain the people they're hiring aren't sending fraudulently-sent spam.
If this case gets a lot of press coverage, it might help show people how utterly useless the CAN-SPAM act really is.
If a lawyer says its near useless, you know it must be bad. Hopefully the NY Times covers this in depth.
At least for once they are suing the company who uses the spammer and not just the spammer.
Buy Steampunk Clothing Online!
Bob Vila sending spam?!?! Next you'll be telling me Norm Abrams wants me to have a longer penis.
General article on Bob Vila's ebiz
One line blog. I hear that they're called Twitters now.
So for any spam that has a forged header or a misleading subject, California's new law, with the $1000 per spam penalty, will still apply. California allows private suits in small claims court by any party. So you can haul the bozos into court. Maybe even across state lines.
A year or two from now, we'll be rid of the chickenboners, but we'll be getting even more spam from "legitimate businesses".
So I'm a pervert. Welcome to the Internet.
"Fraudulent" refers not to the compliance of the headers with the e-mail protocol, but means that the headers contained information which was false.
Sounds like there could be money in setting up as an ISP, and sueing any spammers who use you for $100 per message. Given the millions of messages an individual spammer can send, even one victory against them would result in a cash windfall for the ISP concerned.
"If you think nobody cares if you're alive, try missing a couple of car payments." Earl Wilson
Until they start punishing the companies that benefit from the ads this is never going to stop. It should be handled like the drug war. If your company is benefitting from ads spammed to millions of people, you go down unless you reveal who you hired to do it.
Authority questions you. Return the favor.
It's going to be very difficult to prove this. I could send spam and make it look like Slashdot sent it, routing it through some foreign country.
The physical address of a spammer is more difficult to change cheaply and, if trained properly, will find it's way into bayean databases.
I guess we will see over time.
Incidentally, my mailserver (and my company's mailservers) reject any emails with "bluestreammedia.com" in the body and have done so for some time.
The real "Libtards" are the Libertarians!
Firstly CAN-SPAM is nothing more than a political tool used by a tool this election year nothing more. For the US to claim to have made a law in places where laws mean nothing - e.g. about those pesky APNIC/LACNIC domains. Now, considering a huge portion of spam gets sent by users whose machines are infected with annoying ass viruses, what is the government going to do aside from possibly bringing in innocent victims - users whose machines were infected or rooted - to court and make them stand trial for something they didn't even know they did.
Secondly, with every Joe Blow dot com stepping on the scene, how many companies with misconfigured mail servers fall victim to going to court?
MoFscker
Ok, what if I send some US-based companies/people spam. Since I'm from the Netherlands they can't really do anything about it, right??
This is the sig that says NI (again)
regardless of if they win or how much (little) money they get in return, this is great publicity and it also keeps in the public limelight somewhat the issue of spam and needing better legislation. I'd assume other ISPs would sue, but I wonder which ones are making money off of the spammers...
In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
Couldn't huge email centers (yahoo, msn, etc.) in real time compare source IP's from all emails moving into their systems, identify SPAM as massive amounts of identical email coming from identical IP addresses, load that data into a filter and then block? Some would always get through, say 100,000 but the rest of the 1.4 million get blocked? Isn't anything like this possible?
Authority questions you. Return the favor.
Misunderestimated is a perfectly valid word. It means to incorrectly minimize.
So how do I find a good anti-spammer lawyer to initiate some lawsuits and cash in on the 30 spamm I receive a day from forged address? I try to bounce as many as possible, but most are fake email. I even got a UCE from one of my OWN email address, so I know they are harvesting as fast as possible.
I can see the Warden welcoming Bob Villa to the big house: "Welcome to this old Penitentiary"
Remember: If the U.S. can get to the point that all spam is coming into the U.S. from the outside, that is a major win.
The idea here is to increase the accuracy of filter-based spam fighting techniques. If we can assume-- because the CAN-SPAM act requires it-- that e-mails sent within the U.S. have accurate header information, we can set up much stronger e-mail filters based on that assumption.
We can't assume email from the netherlands has this assumption, but this just means that these filters are going to increase in higher false positive rates on the spam filters.
The hope and assumption is that NLian businesses will start complaining to the netherlandese government that they want something like the CAN-SPAM act too, so that email from the Netherlands to the U.S. can be "trusted" and thus less likely to be labelled spam.
...than Bob Vila isn't personally involved. Ever watch "This Old House"? The guy never does ANY projects himself. He always passes it off to that other guy! "Hi, I am Bob Vila for Sears Bulk Mail Services. For just $19.95...."
Why don't you embrace your slashbotness instead of living in a dreamworld?
Now, considering a huge portion of spam gets sent by users whose machines are infected with annoying ass viruses, what is the government going to do aside from possibly bringing in innocent victims - users whose machines were infected or rooted - to court and make them stand trial for something they didn't even know they did.
They can sue the person the spam mail was sent on behalf of, and subpeona the names of the actual spammers, then charge them with hacking the computers used to send the spam.
For it to be spam, someone has to be selling something. If someone is selling something logically they can be tracked down, because how else are they supposed to get the money?
...Bob Vila's or Martha Stewart?
At the end of the day, we can only continue to hope that as more and more of these cases are highlighted, that the people that are supposed to represent us in government decide to pull their fingers out and put in some proper laws with proper penalties. If all companies that used spammers to advertise their company were fined and repeat offenders given jail sentences, how long before these unscrupulous companies stopped using spammers. And of course as mentioned above, very heavy penalties for hiding the actual identities of spammers
If at first you DON'T succeed, Skydiving is NOT for YOU!!
and subpeona the names of the actual spammers, then charge them with hacking the computers used to send the spam Did you miss something I posted? Again if someone has their machine broken into, how the hell are they supposed to find out who it was that broke into it if they didn't know how to protect it from the jump? As for your subpoena point, makes little sense, again what are you going to do if Shaka Zulu from Niger broke into your machine, go searching for him? Sure waste 2million tax dollars as opposed to just chalking up what a $ .0002 spam sent. Instead of attacking the endusers, they should be going after the companies who are selling the products being offered. That would definitely stop it, going after an end user does nothing, besides the gov is liable to falsely prosecute some innocent joe shmoe. If you think it won't happen look at what the RIAA did to 80 year olds who never even heard of an MP3. Same players different issue
MoFscker
One of the biggest problems with CAN-SPAM Act that we are hoping to educate the press so they can inform the public is that the Act says end users _must_ contact each spammer and opt-out. This is of course exactly the opposite of what ISPs have been tell their customers to do. "Opting out" merely gives the spammer have a live address. Some of the email addresses defendants sent spam to were unique addresses submitted to a "virus software 90 % off" spam. In no uncertain terms, "opting out" of spam signs you up for more spam.
We were surprised when even after we told BobVila.com about the quality of the lists their hired spammer was using, they still refused even just to promise they'd never use BlueStream Media again... Right before we filed the action, one of our users received a new BobVila spam, this time sent through a Florida based spammer.
Yeah, he does exist and that is his real name. However, his association with home improvement is purely a creation of television.
He was a nobody until a PBS series called This Old House came along in 1979. He was hired as the host of that show. His job duties there were to read the opening and closing sequence lines, and to interview the experts who really did know what they were doing. He was not one of those experts, he was just asked questions to the experts.
In 1989, when he left This Old House, he created his own TV production company, and used his association with home improvement to get endorcement deals. His primary sponsor is Sears, and his Home Again series can more or less be seen as a Sears infomerical at times. (Sears has always been a title sponsor, and controls a large chunk of the ad space within the program. The content portion of the show might not hit you over the head as an ad, but notice the clear bias when it comes time to select which company's products to work with.)
His primary line of work these days isn't as a home improvement expert, it's in being the pitch man for Craftsman tools and other Sears brands. He'll endorse other products too, but that's really the only skill people pay him for. You never see him doing any of the work on his TV shows, and that's for good reason...
In many states, there were laws that made using false headers a violation of that state's laws. In addition many states have advertising laws which require the advertiser to be identified.
Fight Spammers!
Fraud isn't something new to Bob Vila. He pretends to be a carpenter all the time.
Seriously, ever notice that he does nothing but talk to the people doing the work, and the few times he actually picks up a tool he even makes me seem coordinated?
A while ago some friends and I caught an old episode of This Old House when Vila was still on it, and in this particular episode he was talking to Norm Abram as he was putting on some wooden shingles. Bob decided to show show his ineptness by putting up a few himself. Comparing the two would have been sad if it hadn't been so damned funny...
For the most trivial example which you have cited, if you try to admit spam as evidence in court, and it's labelled as coming from slashdot.org, but the Recieved: smtp routing headers show that it came from somewhere outside the U.S., it should be pretty obvious that slashdot.org did not send that letter, and someone just forged the slashdot.org return address, since slashdot.org is located, well, inside the U.S..
It's nice to see someone at least trying to get something from this Law, since it did such a good job of crippling the stricter state level laws. While I agree that a single national level law is a good idea, they took it in the shorts with this one. CAN-SPAM was a waste of paper.
The sad thing is during a recent review of my spam trap account (11800+ email in 3 months) a grand total of 30 of them were from "legitimate" business. The rest were for your usual run of penis pills, bad mortgages, "Stop spam now" software, and herbal vi@gra.
Now, if I could collect on each and every one of them, I'd be a wealthy man. But the vast majority are coming in through open proxies or trojaned Windows boxen, and are annoyingly difficult to track back to their source - which is often off-shore and out of reach of the CAN-SPAM act in any case.
Going after a legitimate" company like this is may put a slight damper on SPAM sent by "real" companies, but it does little or nothing to stem the flood tide of crap we get from the low lifes who are at the root of the problem.
Never attribute to malice what can as easily be the result of incompetence...
about time Foster City (my hometown) made the news, even if it is just slashdot!
feel free to mod me into oblivion now
I think running Windows is already legally aiding and abetting spamming. I wonder whether this is punishable...
who it was that broke into it
I am suggesting that they would subpeona the end person who hired the people to break into it. I.E. the person selling the product or service advertised in the spam.
Obviously this isn't going to do much good if this person is some kind of crime organization running a scam out of nigeria or something. However, it's not like 100% of spam is sent by organizations performing scams in countries which are unwilling to cooperate with a fraud investigation in the U.S.. I would say we could take a serious bite out of spam just by preventing those persons selling products or services within those countries with relative degree of law-enforcement cooperation with the U.S. from sending spam within the U.S. using spammers who operate under illegitimate practices.
Imagine the sweet livin on the cell block with Bob and Martha!
Wow. The mind boggles.
Prolly never would have happened if Norm were still on board.
Only yesterday I got some UCE from a local company... a nice large PDF file containing details of a promo they were doing for photocopiers. This company clearly think its OK to send out such junk... whilst they included in the message their email address to request to get off their list, the replyto address was a placebo... so for that alone they're breaking the acceptable use policy of the ISP that they sent from... who got a suitable complaint from me (and I hope they yank their account!). Now, this company were using some software to bulk send these messages (pdfmail)... and they harvested my email address from somewhere. You would have thought that by now comapnies would know better than to send out SPAM/UCE.. in my case the company sent crap themselves, so they can't even blame some unscrupulous marketing company.
There is no way to prove that the company being advertised has anything connection to the SPAM: same reason illegal fly posting still happens.
What I never understood is instead of going after the spammers, can't we go after the companies hiring the spammers? They would be far easier to track down. They must have websites to solicite their garbage, with credit card payments and lots of contact info.
I can see the potential for people to 'fake-spam' and get a company into trouble, but is this the only problem?
Corporations: your universal scapegoat for all society's ills.
Overrated - clever moderator
I hate spam as much as anyone but this is true. We are talking about somebody put some 1's and 0's where they shouldn't. Is this really a crime? I'm not even sure its a violation of an RFC.
/.ers feel about how copyright violation doesn't really hurt the artist very much, aren't we being just a bit hypocritcal when we say we should sue people who just bug us?
No attempt was made to destroy or steal anything. Even the theft of bandwidth is comical. Compared to how most
Let's jump off this litigation wagon for such trivial problems and start working on a way to make something like digital signatures work.
One caviat. People who send obscene unrequested emails are in a different catagory. With them you can actually show they are violating peoples rights as much as any flasher in the park.
Ya, pretty surprising! Who was the genius who decided to call it CAN-SPAM.
obviously you are too ugly/geeky/annoying for said girls, and if you force them to give you their phone numbers they are just going to ignore you anyways. leave these women alone, no matter how much you need to get laid.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
I don't like the CAN-SPAM act at all.
BUT... it is somewhat satisfying to use it against them, ridding the Internet of another vaccous marketing firm, regardless of the circumstances.
In an ideal world, my upstream mail relay would reject all email that wasn't signed, and I'd have all my friends keys on my keyring.
But I will have to settle for this...
I mean, does anyone cry if a slashdot troll dies? I know I wouldn't.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
He was a nobody until a PBS series called This Old House came along in 1979. He was hired as the host of that show. His job duties there were to read the opening and closing sequence lines, and to interview the experts who really did know what they were doing. He was not one of those experts, he was just asked questions to the experts.
Oh my god! You mean something on television isn't what it seemed?!?!?!
We have to let people know this. Shout it from the rooftops people! Make sure everybody you see knows that TV isn't real.
Information contained inside headers can only be "false" if they were meant to be taken seriously in the first place. But they were not.
Indeed, I might be willing to discriminatorily greylist all mail from any remote Windows system. (Greylisting: Sending a 4xx temporary failure the first time a host tries to send mail to a particular recipient. This causes a normal MTA to retry in a few minutes, but fire-and-forget spamware and worms generally abort.)
How to apply this to Windows only? OpenBSD's passive OS fingerprinting would be a start. It allows one to selectively redirect traffic based on the detected OS, and thus to offer different quality of service based on the quality of the client system. Since there is a much greater likelihood that a given Windows host's connection to my MTA is delivering spam and worms than that a given Solaris or Red Hat host is delivering spam and worms, there is a good reason to deteriorate service (as by greylisting) for Windows hosts -- as long as it can be done in a way which retains (eventual) delivery of real mail.
If Unix mail server admins all chose to greylist remote Windows hosts -- including Windows MTAs as well as client hosts -- then Windows servers would eat the cost of keeping messages in queue during the greylisting period. This would, effectively, be the cost of proving you're a real Windows MTA, not a worm or spamware. This lays part of the burden of the Windows system's susceptibility to malware back upon those responsible for it (deployers of Windows) whereas currently they are able to offload it upon the rest of us in the form of junk mail from worms.
(Incidentally, yes, the majority of mail exchangers run some form of Unix. Less than half, however, run Sendmail.)
Distributed legal actions could be carried out by masses of ISPs all with the their own records against one spammer ALL AT THE SAME TIME. 10 bucks per spam does not sound like a bad penalty when divided over thousands of ISPs and court cases.
Of course, if all of us in North America didn't have to listen to jokes about this from Jay Leno and Dave Letterman for 4 straight years, it may have still been worth a chuckle or two.
What I'm saying here, is I had hoped that Clinton Sex Jokes had finally died out.
One way to find out the identity of the spammers is to follow the money. Someone with the power to issue subpoenas should be able to find out where the money is going. An old trick is to write a check to the person under investigation and see where it goes.
Mea navis aericumbens anguillis abundat
What companies? Most of the spam is affilliate crap. Which further emphasizes the fact that 99% of spamming isn't profitable when you send out millions of messages on the premise that maybe it might bring you a commission.
After noticing all the spam sent from machines using uppercase non qualified HELO names I hacked our SMTP listener to trap all the mail sent from them.
I did this in November and so far its trapped tens of thousands of spam mails and less than ten valid mailers. Of these valid mailers, two said they had no idea they were using these names and promptly changed them to FQDNs, one was not happy, and the others didn't respond to my messages so their mail is still trapped/refused - my users didn't want the mail from them anyway so its really no loss.
I'd recommend blocking HELO NETBIOS-NAME for incoming mail as it stops heaps of spam with very little impact on valid mail.
The Bob vila is suddenly ignorant defence
That's why the Direct Marketing Association lobbied so hard for the CAN-SPAM act. A California law that did just that was going into effect on January 1, 2004. That had the spam industry really scared.
Well, IIRC, on the very first This Old House show, he personally began demolition without goggles or turning off the power. On the second show, he had to take lumps from a viewer letter that pointed this out. I've been similarly unimpressed with many of his techniques since. His current Home Again show is filled with explicit product name references and long verbal lists of marketing feature/benefit bullets associated with them. It's crossed way over the line to an infomercial, and thus is worthless to me. Add to these his leaving This Old House after conflicting himself by signing up to sell for Sears.
So to me, he has a long history of wreckless overpromotion. So if his company's chosen a spammer to promote itself, intentionally or not, I'd certainly be disgusted but I wouldn't be too surprised.
No attempt was made to destroy or steal anything. ... Compared to how most /.ers feel about how copyright violation doesn't really hurt the artist very much, aren't we being just a bit hypocritcal when we say we should sue people who just bug us?
They were trying to sell something. Once you begin committing acts of commerce, you are operating under a different set of rules. This is logical both from a legal and moral standpoint.
If you send someone a letter in the U.S. mail claiming to be someone other than whom you are and offering to sell them something, you are committing mail fraud under the law. This is just ink on paper. Do you think this should really a crime?
Even the theft of bandwidth is comical.
Look at the statistics sometime for exactly how much bandwidth is used up, how much time is spent cleaning up bounced mails from, and how much time is spent dealing with, tracing, attempting to block, and dealing with hack attempts related to, spam. You will no longer make statements like that.
Why don't you give an example of how "trivial" finding out where the forged headers actually come from is. The headers might show it being rxed at some external mail server but in fact will not be a reliable indication of where it actually originated (which I bet is in the good old USoA)
castration isn't good enough for spammers
.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
is like an offtopic troll from an AC without a reply.
You are arguing that sending spam with forged headers is OK, and still believe that you hate spam as much as anyone? You aren't paying attention. I guarantee that I hate it more than you do - that's why I'm not arguing that spam is OK. (Much less spam with forged headers.)
Twist not my words. I am arguing that it does not appear to be a crime, not that it is OK. Many people do things that I do not find to be OK but that does not mean they do not have the right to do them.
This is the difference between a police state and a free country.
To outlaw something, you usually need to show that someone is violating someone elses rights, not simply excersizing their own. A mail system by nature invites all comers. Unless someone was obscene, offering a false product, or threatening (all of which are already addressed by other laws), there is no crime in sending an email saying "come check out my sight" even if done anonymously or with a false identity.
[nt]
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Yes, if it's done with the intent of gaining unauthorized access to other people's property (e.g. computer cracking, evasion of spam filtering, fraudulent electronic bank transactions, etc).
/. If the government wants us to respect the law, it should set a better example.
My computer and ISP are my private property. You are not authorized to use them for spamming. QED.
A mail system by nature invites all comers.
Nope, any more than a front door by nature invites all comers. It is long overdue for the law to treat circumvention of spam filtering as severely as it treats the meatspace version of breaking and entering.
/. If the government wants us to respect the law, it should set a better example.
Against my better judgement I will continue this thread
/. karma for things that are important as well. I am through defending this one.
My computer and ISP are my private property.
Damn, won't your ISP be surprised to learn they are your property. As far as your computer, don't hit the get mail button unless you want to actually get mail. If you are not accepting all comers then you have a white list and therefore won't need to worry about spam.
Nope, any more than a front door by nature invites all comers.
A better analogy would be a mail slot on your front door, or your door knob where people can hang a flyer, or your mailbox were you get all hard copy spam that is little different than its electronic cousin. Lets not pretend someone sending you an unwanted email somehow violates your privacy to any greater extent.
Again, I am not defending obscene, virus laden, or scamming emails.
I find spam very annoying. I have setup a number of spam filters to combat the situation. I have talked my conpany out of using it for marketing. But I cannot hold that sending an unwanted email is illegal, even if it has masked the headers. Let's save our laws for things that are important.
Now that I say that, maybe I should save my
That's an interesting deviation from the normal point of view. Perhaps we /should/ be thinking of the internet as just another part of life, but I would find your claim that "we" /do/ to be quite wrong. Rather than exclusively following logic, the /. crowd, on this point, seems to follow whatever suits them best in the particular case, whether it aligns with logic or not.
/internet/; I shouldn't be held to the same consequences as in real world," might go another response to such an issue (taxing, perhaps?). On any other day, when one of the crowd's freedoms from responsibility aren't being revoked, the crowd would be insightful enough to realize that just about anything could be generalized as "just bits over a pipe", including the less-as-obvious-since-it's-not-a-multipurpose-comp uter landline telephones they use or that the internet /is/ the real world and thusly should bare upon it's users the same responsibilities.
:]
On this point crowds might rally behind the idea that the internet is just like any other part of life; sure, since that would make forged spam mail headers fraud. That suits them. But when the discussion turns to bringing regulations existent in the non-internet world to their internet counterparts in ways that just might cost the aforementioned crowd more than the free ride they're enjoying now, the point of view seems to change. "What's that? The FCC wants to treat VoIP like landline networks?! Absurd! It's just bits over a pipe! It's the freedom from such regulations that allowed the internet to grow to what it is now...," would go a typical response-- or something like that. "What? But I'm doing _____ on the
I'm not telling you (/.) which point of view you should hold, but I still have a point to make: stop fucking contradicting yourselves already! Please?
excersising futility in responding to a two-day old post,
yours truly,
Corey
Wrong. A spam filter is a refusal to accept email from all comers. The evasion of a spam filter is deliberate (because the use of any filter evasion technique is prima facie proof that the mailer knew that his message had been prohibited by at least some recipients) trespass.
A better analogy would be....
Nope; my analogy is the correct one. You either believe in private property rights or you don't; I do, therefore I understand that spammers are trespassers deserving of the usual punishment for that offense.
But I cannot hold that sending an unwanted email is illegal, even if it has masked the headers.
Sure you can. All you have to do is think it through rationally.
The use of filter-evasion techniques to get spam into a mailbox is equivalent to the use of a disguise to enter private property after being told to stay off. It is obvious that the latter is, and should be, illegal. QED.
/. If the government wants us to respect the law, it should set a better example.