Series: All About Spam
Article 1 of 12 in series
by Geoff Duncan
If you've been on the Internet for any length of time, the odds are excellent that you've received unsolicited email announcements and advertisements. These messages vary widely: one day you might receive information about a get-rich-quick scheme, the next an ad for an Internet service provider. Some messages are controversial and pernicious, including political harangues and hate-filled diatribes. Others are just odd, such as an ad for hand-knitted kitty-boots, or (I'm not making this up!) an announcement that extraterrestrials from Saturn want to set up a bottle-cap recycling program in New Jersey.
Although the problem isn't new, the recent growth of the Internet has been accompanied by an explosive expansion in "bulk email" or "spam," and followed in recent months by an angry backlash. An entire industry is springing up around bulk email, and now the issues are headed for the courts. Although this article can't discuss every aspect of bulk emailing, it does provide some background, and explains how to respond reasonably to junk email.
Pros -- Since I'm personally inundated and annoyed by bulk email, I cannot claim to represent the viewpoints of those who send it. However, in discussing the topic with several people who condone bulk mailings, some rationales surprised me.
For the most part, bulk emailers believe they are providing a service by distributing information, thereby helping their recipients make informed decisions. In the United States, they believe their activities constitute free speech. Internationally, bulk email seems to be viewed as free enterprise that could only be curtailed by international trade agreements - agreements which, if they existed, would be nearly impossible to enforce. Further, in the U.S., bulk emailers feel the Internet is a public resource (since it was created in part with taxpayer monies), and that an email address is a matter of public record, like a street address. Many bulk emailers argue their activities should be encouraged since they're an "improved" form of postal advertisements: they can be better targeted, take less time to deal with (mail messages can be deleted in a few seconds, and no physical object needs to be transported), and have less environmental impact, since no paper and little fuel is used to deliver them.
Almost universally, bulk emailers believe their activities are justified. Further, some are selective with their mailings, sending only 50 or 100 highly targeted messages. Some also work hard to prune their mailing lists of addresses or whole domains that object to their mailings.
Of course, many are much less conscientious, holding contempt for those who take issue with their activities, or arguing (often effusively) that objecting to bulk email is nothing more than economic, technological, and cultural elitism. There are also a few bulk emailers who are new to the Internet and seem to have no idea their actions might be problematic.
A few bulk emailers also make an interesting point: users who most strenuously object to bulk email tend to have been on the Internet for a few years, whereas new Internet users seem to have far fewer objections to bulk email. And here's another surprise: unless a recipient actively objects to receiving a message, even the most conscientious of bulk emailers usually interpret that message as a success. They choose to believe that while the recipient may not have been interested in the material in that particular message, that recipient did not object to receiving it, and is thus a reasonable target for future mailings.
Cons -- The arguments against bulk email are numerous and well-known; I'll only summarize a few here. First, unlike postal mail, most Internet users pay to receive email at a flat rate, timed, or per-byte basis, so in many cases unwanted email is literally paid for by the recipient. Further, since the cost of bulk email is considerably lower than the cost of sending advertisements via postal mail, bulk email can be more easily abused and arrive in considerably higher volumes. Bulk email is also far more likely than postal advertisements to be inappropriate or personally offensive, not to mention in violation of state or local legislation. An argument can even be made that repeated targeting by bulk emailers constitutes harassment.
The most common objection to bulk email, however, is the annoyance. Most Internet users consider bulk email to be irritating and one of the Internet's largest drawbacks. They may feel that unsolicited mailings violate their privacy or interfere with their effective use of the Internet.
Perhaps the worst-case scenario is a bulk mailing gone bad. It's possible for a poorly-conducted bulk mailing to deliver thousands of copies of a message to a single account. Another troubling case is a mailing (or the backlash from a mailing) which overwhelms an Internet site or forces it to go offline. Events like these are widely considered to be attacks on individuals or entire sites, and usually provoke hostile and resource-consuming responses, potentially impacting untold thousands of Internet users.
The Spam Industry -- During the last two years, businesses and software products built around the bulk emailing concept have sprung into existence. Beginning with commercial endeavors by expert spammers who would sell themselves as hired guns to spread a message as widely as possible, the bulk email arena has lately been dominated by programmers and entrepreneurs looking to make a quick buck. Some write programs that collect email addresses or that can perform bulk mailings to thousands of people in a few hours. Others collect and sell mailing lists, and still others offer complete bulk mailing services, setting up Internet sites as bulk email clearinghouses. Many of these endeavors are visible and public, and at least one is being taken to court.
Bulk emailers get your address using a number of methods:
Usenet trawling: Many bulk emailers use programs that scan all available Usenet newsgroups for email addresses, compile comprehensive lists, then remove duplicates. This is also used to create targeted mailing lists; for instance, a bulk emailer may assume that anyone posting in the comp.* hierarchy must be interested in computers. Similarly, geographically-specific lists can be created from Usenet groups related to cities or regions. Though scanning Usenet is an arduous task, any respectable computer can pull out thousands of addresses an hour. Ironically, services like AltaVista and Deja News make this process even easier for bulk emailers.
Provider-trawling: Although this tactic is most often applied to online services like CompuServe or America Online, bulk emailers use programs to scan member directories and discussion forums to generate lists of users of online services. Bulk emailers wanting to generate a list of users at large Internet providers (like Netcom or EarthLink) may sign on using a trial account, then use directory listings or programs like Finger to generate lists of valid usernames.
Mailing list trawling: Bulk emailers also scan large and popular mailing lists for email addresses. This tactic works best on large lists where lots of email addresses appear in the text of messages.
Collectively, these processes produce thousands of mailing lists, many of which overlap significantly. Removing your address from one doesn't remove it from the others, and your address can easily be re-added. Some bulk emailers do handle list removals responsibly; however, overwhelmingly, these lists merely grow.
What Can I Do? -- Unfortunately, there is no sure-fire way to eliminate bulk email. As the problem gets worse, you can expect services to appear offering spam-free email accounts, and email filtering software will become increasingly sophisticated. In the meantime, the most effective way to stop bulk email is to make your objections known:
Reply to the sender of the email, saying that you do not wish to receive such mailings, and that you object to such activities. If the message offers a way to remove yourself from a list, use it. Many addresses that bulk email appears to be sent from are forged, so be aware these messages may bounce.
Examine the headers of the message to determine the site where the message originated. (This information is usually in the bottommost "Received:" header line.) Although this information can be forged, it's usually more useful than the names of intervening sites. Write a mail message to the username "abuse" or "postmaster" at that site, with a brief, polite note, the full headers of the message you received, and the message itself. Try to leave the subject line intact. This is the text I use to reply to junk email:
"I received the following unsolicited bulk email ("spam"), which apparently originated from your site. Please take appropriate action to ensure this doesn't happen again."
Although you may not receive a response to these messages, Internet providers usually warn a bulk emailer that the activity should stop. If the mailings continue, the provider will usually terminate the account.
Some Internet providers and online services have local email addresses or newsgroups where you can report bulk email messages. With enough information, the provider can then handle the matter for you. Check your provider's or online service's help system or customer service information.
In the event you receive bulk email from an Internet domain specifically set up to send bulk email, these tactics are likely to fail. If you're familiar with utilities like Whois and Traceroute, you might be able to identify that site's upstream providers and complain to them, but that's too detailed to discuss here.
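The header check described above can be scripted. The following is an added example, not part of the original article: it reads the Received: lines of a constructed message, takes the bottommost as the claimed origin, and builds the abuse and postmaster addresses for that site. The sample message, the sendmail-style "from NAME (LOOKED-UP-NAME [IP]) by SERVER" layout and the two-label site guess are assumptions; it also reports the topmost Received: line, which your own provider's server wrote.

```python
import re
from email import message_from_string

# Constructed sample (not real mail): reserved example domains and
# documentation IP ranges. Tabs mark folded header continuation lines.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.25])\n"
    "\tby mail.myisp.example (8.8.5/8.8.5) with SMTP id KAA19936\n"
    "\tfor <me@myisp.example>; Mon, 13 Oct 1997 10:06:19 -0700 (PDT)\n"
    "Received: from bulk.example.org (dialup-7.example.com [198.51.100.7])\n"
    "\tby relay.example.net (8.8.5/8.8.5) with SMTP id JAA00412;\n"
    "\tMon, 13 Oct 1997 10:05:58 -0700 (PDT)\n"
    "From: offers@bulk.example.org\n"
    "To: me@myisp.example\n"
    "Subject: Make Money Fast\n"
    "\n"
    "Body text.\n"
)

# Assumed layout: from HELO-NAME (LOOKED-UP-NAME [IP]) ... by SERVER ...
RECEIVED_RE = re.compile(r"""
    from\s+(?P<helo>\S+)                 # name the sending host claimed
    (?:\s+\(\s*(?P<rdns>[^\s\[\]()]+)?   # name the receiving server looked up
       \s*\[(?P<ip>[0-9.]+)\]\s*\))?     # IP address the receiving server saw
    .*?\bby\s+(?P<by>\S+)                # server that wrote this header
""", re.VERBOSE | re.DOTALL)


def parse_received(value):
    """Parse one Received: value; return a dict of fields or None."""
    match = RECEIVED_RE.match(" ".join(value.split()))  # unfold first
    return match.groupdict() if match else None


def received_chain(raw_message):
    """Parsed Received: headers, topmost (newest) first."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [hop for hop in hops if hop]


def site_domain(host):
    """Naive site guess: the last two labels of the host name.
    Wrong for names such as host.co.uk; treat it as a starting point."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def abuse_report_plan(raw_message):
    """Work out where a complaint about this message should go."""
    chain = received_chain(raw_message)
    if not chain:
        return None
    newest, oldest = chain[0], chain[-1]
    # Prefer the name the receiving server looked up over the name the
    # sender typed, since the typed name is trivially forged.
    origin_host = oldest["rdns"] or oldest["helo"]
    origin_site = site_domain(origin_host)
    return {
        "origin_host": origin_host,
        "origin_ip": oldest["ip"],
        # True when the claimed name and the looked-up name disagree.
        "helo_mismatch": bool(oldest["rdns"])
        and site_domain(oldest["helo"]) != origin_site,
        # Host your own server recorded handing the message over.
        "verified_peer": (newest["rdns"] or newest["helo"], newest["ip"]),
        "recipients": [f"{user}@{origin_site}"
                       for user in ("abuse", "postmaster")],
    }


if __name__ == "__main__":
    for key, value in abuse_report_plan(SAMPLE).items():
        print(f"{key}: {value}")
```

When the two ends of the chain name different sites, as in this sample, the relay recorded in the topmost line may itself have been misused, so a polite copy of the report to its postmaster is reasonable too.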
The Future of Bulk Email -- The current inability to stop bulk emailers has led to calls for regulation, perhaps by modifying existing laws applying to the postal service or fax machines. Although the issues are very complex, here in the United States, communications law experts I spoke with generally agreed existing legislation would adapt poorly to email, particularly in the case of laws designed to prevent junk faxes. Of course, legislation passed here would be difficult to enforce within the country and wouldn't apply elsewhere.
The first court cases regarding bulk email are getting underway now and will be watched closely by the online community. No matter what the outcome of these cases, the success of bulk emailers is likely to spawn services geared to eliminating bulk email. Already, there's talk of building live, authenticated filters into email clients - every time you checked your mail, your mail program would check for a new set of anti-spam filters set up by your provider or perhaps by a subscription-based service anywhere on the Internet. With a small editorial staff and decent connectivity, providing frequently updated bulk email filters isn't a technological challenge.
In the meantime, if you're one of the few who likes bulk email... I know where you can get some great hand-knitted booties for your cat.
Article 2 of 12 in series
Suppose you belong to a simple lakefront beach club, where you and some neighbors jointly contribute dues to maintain the beach and docks. Now suppose that, several times a day, a rapidly moving caravan of several thousand vehicles zoomed across the beach. "Hey!" they might shout as they zoom by. "We're not using your beach; we're just passing through!"
This is what unsolicited commercial email (UCE, or spam) does to the Internet service providers (ISPs) that form our Internet beach clubs. Spam threatens the enjoyment of our pockets (and packets) of serenity by subverting resources paid for by ISP subscribers.
Such subversion comes in two forms: spam sent directly to you, where you waste time and effort downloading and deleting it; and spam that passes through your ISP's mail server on its way to some other poor sucker. (The mail server is technically called a Mail Transfer Agent, or MTA, whether it's Unix sendmail or a QuickMail SMTP gateway.)
This second problem is less discussed. A spammer can send outgoing spam through any mail server they choose - unless the mail server is secured against this, and relatively few are. This hijacking of a mail server clogs it up and invites retribution from people receiving the spam who incorrectly identify the innocent mail server that delivered it as the source of the offending mail.
It's possible for server administrators to prevent relaying and dramatically reduce spam delivery, although they can't close the door entirely.
In NetBITS-003, Adam discussed how individuals can deal with spam, including deleting it, reporting it, and supporting legislation against it. This article instead concentrates on solutions at the mail server side, which can apply equally to small offices or big ISPs. You can suggest these alternatives to your ISP if you're getting too much spam - if they implement any or all of them, expect service to improve and spam to decrease.
What Mail Is All About -- Here's a quick lesson in how email works. When you send mail, a short set of transactions takes place between your mail client (like Eudora or Netscape Communicator) and an SMTP (Simple Mail Transfer Protocol) server, which accepts the mail and later delivers it to the recipient's SMTP server.
The SMTP transaction consists of three basic commands which tell the server who sent the mail and who should receive it, and then the body of the message. The MAIL FROM command has the return address which starts the process; the RCPT TO command has the recipient's address. A DATA command follows, after which the contents of the mail message are sent, ending with a single period on a line by itself. The mail headers you're probably familiar with from reading the tops of your messages - like Received:, Reply To:, and X-Sender: - are actually inserted by the mail server into the body of the email message. They don't have anything to do with the process of sending or receiving mail.
A simple transaction looks like this (the server responses are in square brackets):
    [220 spaghettini.shlomo.com ESMTP Sendmail 1.0/1.0; Mon, 13 Oct 1997 10:06:19 -0700 (PDT)]
    HELO nebula.frogstar.boombox.com
    [250 spaghettini.shlomo.com Hello nebula.frogstar.boombox.com [192.0.0.1], pleased to meet you]
    MAIL FROM:<firstname.lastname@example.org>
    [250 <email@example.com>... Sender ok]
    RCPT TO:<firstname.lastname@example.org>
    [250 <email@example.com>... Recipient ok]
    DATA
    [354 Enter mail, end with "." on a line by itself]
    X-Hello: Hi there!
    Comments: I am not an authenticated user.
    Hope you eat your weight in ice cream today.
    .
    [250 KAA19936 Message accepted for delivery]
    QUIT
The reason it's so easy to spam people is that neither the MAIL FROM nor the RCPT TO addresses are confirmed by a mail server beyond verifying (and even then only rarely) that the domains themselves exist. There's no login procedure for accounts that want to send mail. And, because the mail headers are just text the server inserts, they can be forged just by typing the text in after DATA.
So sending mail from <firstname.lastname@example.org> is a matter of connecting to the mail server, typing MAIL FROM:<email@example.com>, RCPT TO:<firstname.lastname@example.org>, DATA, and then your text. Some mail headers can't be changed, notably the topmost Received: header, but there are ways to make it seem like mail originated from the forged address and then passed through other servers before coming to you.
That's the first part of the problem. The second is that MTAs actually "relay" mail between servers; they don't deliver it unless the address is "local." When you send mail from your local email client, the mail server first analyzes the RCPT TO address and does one of two things. If the address is local - a user who has a mailbox on that server - the MTA uses a Mail Delivery Agent (MDA) to add the mail to a mailbox. The mailbox is generally a file to which the MTA can append more information. This is true for Unix mailboxes (generally accessed via POP, or Post Office Protocol) and also proprietary systems like QuickMail, Microsoft Exchange, and cc:Mail.
If the address in RCPT TO isn't a local mailbox, the MTA acts just like a mail client and connects to another mail server that receives mail for the RCPT TO domain. It then repeats the transaction of MAIL FROM and RCPT TO. This process is relaying - your email client sends the message to your mail server, which in turn relays the message to another mail server that receives the recipient's mail. This usually involves only your mail server and the recipient's mail server. In rare cases, mail can go through several intermediate relays if the servers on either end are in large organizations or aren't connected to the Internet full-time.
Spammers subvert this process by using your mail server without permission. They specify your SMTP server as their outbound server and send mail to it; the SMTP server accepts the mail and then tries to deliver it. So, if a spammer can connect to the Internet at all, he or she can just appropriate time and space on any SMTP server.
Fortunately, users don't have to just sit back and be spammed. Let's take a look at possible solutions that you, your company, or your ISP can try.
Turn Off Relaying for Non-Local Users -- At least a million machines are running some kind of mail server or delivery agent, and sendmail V8 (also called 8.x) is the freeware Unix MTA program of choice. Some simple rules can be added to its configuration to prevent users who don't connect from previously specified addresses or domains from sending mail to users other than those to whom the mail server can deliver locally. In other words, your ISP can prevent anyone but local users from sending mail through its SMTP server.
Point your ISP to, or take a look at, the Web page below, which is a highly technical (but hopefully readable) counterpart to this article that I've aimed at those who implement these kinds of solutions. With an hour of work, any sendmail V8 configuration can be secured. There are also other resources which are referenced on this page.
Systems running MTAs other than sendmail should have options to allow connections only from specific addresses as well. Often, this restriction is turned off by default. If the mail package your company or ISP uses doesn't allow this restriction, the ISP or your company might rethink the choice of MTA or lobby the vendor for this feature. Qualcomm's latest beta of Eudora Internet Mail Server for Macintosh and Eudora WorldMail Server for Windows NT 4 both support filtering, though the Mac server is currently more flexible. The popular commercial Post.Office mailserver from Software.com for Windows NT and Unix offers relay filters starting with version 3.1.
Removing relaying can cause problems, however. A few months ago, the large ISP EarthLink Network turned off relaying for users who weren't dialed into their network in an effort to reduce spam. However, many people use EarthLink for email while at work, and they were cut off from sending email via EarthLink's mail servers. Retrieving email still worked, because it's secure: you must use your password to retrieve your email through a standard POP server. Of course, these users could use their companies' SMTP mail servers, but many companies have policies restricting use.
The benefit of eliminating relaying is enormous, though. Any site that spammers employ to relay mail can suffer twofold: first, from the added and unexpected gush of incoming spam mail that could slow down or crash a mail server; and second, from retaliation - many spam victims look at the last relay as the source of the spam and react by sending, say, 1,000 huge files or other "email bombs" in an attempt to take down the mail server. I don't condone such retaliation, in large part because it's usually misdirected at innocent by-servers.
Netcom, another large ISP, in a recent reply from their Internet abuse department, told me that they were still experimenting with what they called a "spam trap" to stop relaying. When Netcom stopped allowing non-Netcom addresses to use their mail servers, the servers bounced four million messages per week. Netcom then tackled users who bought accounts from them and spammed using other people's servers; three million messages per week were captured through this method.
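The relay restriction described in this section comes down to one decision made at RCPT TO time. The following sketch is an added example, not sendmail's rules or any vendor's implementation; the domain, the address range and the function names are hypothetical. It shows why the decision keys on the connecting IP address rather than on MAIL FROM, and why a genuine customer connecting from an outside network is refused, as happened at EarthLink.

```python
import ipaddress

# Assumed site settings, hypothetical values for illustration only.
LOCAL_DOMAINS = {"myisp.example"}                        # mailboxes live here
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # ISP's own dial-up pool


def rcpt_domain(rcpt_to):
    """Return the lower-cased domain of a RCPT TO argument, or None."""
    addr = rcpt_to.strip().lstrip("<").rstrip(">")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def is_local_client(client_ip):
    """True when the connecting address is inside the site's own networks."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def relay_decision(client_ip, mail_from, rcpt_to):
    """Decide what to do with one recipient.

    mail_from is accepted but deliberately ignored: the server cannot
    verify it, so it must not influence whether relaying is allowed.
    """
    domain = rcpt_domain(rcpt_to)
    if domain is None:
        return "REJECT"          # unparseable recipient
    if domain in LOCAL_DOMAINS:
        return "DELIVER_LOCAL"   # inbound mail is accepted from anywhere
    if is_local_client(client_ip):
        return "RELAY"           # our own user sending to the outside
    return "REJECT"              # outsider asking us to deliver elsewhere


# Constructed cases: (connecting IP, MAIL FROM, RCPT TO, note)
CASES = [
    ("192.0.2.40", "user@myisp.example", "<friend@elsewhere.example>",
     "dial-up customer sending out"),
    ("203.0.113.9", "stranger@elsewhere.example", "<user@MyISP.example>",
     "ordinary inbound mail"),
    ("203.0.113.9", "user@myisp.example", "<someone@third.example>",
     "outside IP with a local-looking MAIL FROM; a real customer "
     "at work looks identical"),
    ("203.0.113.9", "user@myisp.example", "<no-at-sign>",
     "malformed recipient"),
]


def run_cases():
    """Return the decision for each constructed case, in order."""
    return [relay_decision(ip, sender, rcpt) for ip, sender, rcpt, _ in CASES]


if __name__ == "__main__":
    for (ip, sender, rcpt, note), verdict in zip(CASES, run_cases()):
        print(f"{verdict:13} {ip:12} {rcpt:28} {note}")
```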
Build Site-wide Spam Filters -- Spam can be rejected from specific IP numbers, domains, and email addresses. AOL pioneered this technique, although it's hard to tell whether it works. The sendmail filters noted above enable the mail server to bounce mail back to its return address automatically (with or without a custom bounce message, like, "We hate spam") instead of delivering it to local users.
Adam and I disagree over the utility of this kind of filter slightly, as he notes in his article last issue. Spammers are growing more and more clever, and usually forge return addresses uniquely each time. But spam filters can easily exclude "legitimate" spammers, like Cyber Promotions, which doesn't make any attempt at disguise. It's still difficult to identify and delete mail from <email@example.com> because the next time they'll masquerade as someone else, but I believe it's still worth trying.
Filtering on IP numbers works better, because faked addresses are ignored. IP numbers can't be spoofed easily (especially in mail transactions) since they involve low-level protocols. However, spammers often set up slash-and-burn ISP accounts at major providers from which they can send spam before the ISP realizes and cancels the account. If you filter on an IP number range that belonged to a major ISP because of this, you could risk filtering out a vast quantity of legitimate email.
One particular sendmail switch only allows incoming mail from real domain names. However, not all sites on the Internet have domain name resolution set up correctly, and you can wind up losing mail from people without knowing it. If you ban them from sending you email, it becomes a Dilbert cartoon: how do they send you email telling you that?
Make Money Slow -- You can take back your time and energy and put it into other things - like enjoying the sun and surf from your newly quiet patch of Internet sand. Or maybe getting some work done.
[Glenn Fleishman has been using Internet email since 1988. He receives about 40 spams a day and manages to reject 35 of them without ever seeing their subject lines.]
Article 3 of 12 in series
All right, I'm angry. I'm fed up with spam (junk email, sometimes known as unsolicited commercial email), and I'm almost as fed up with the hopelessness of the current methods of stopping it. I assume you're all familiar with spam - if by some stretch of luck you're not, you probably will be before long, especially if you post to Usenet or put your email address on a Web page.
We all saw the rise of spam coming: unlike paper-based bulk mail, spam is essentially free to send, and so purveyors of spam are happy with a response rate far lower than the standard 1 to 2 percent achieved by traditional direct response campaigns. Now, the spam problem is getting ridiculous, with no signs of abatement in sight. In the last two months, I've gotten about 250 individual pieces of spam. Sure, I have a well-known address, but that's a lot of spam, and it's increasing in volume all the time.
In this article, I'll examine the efficacy of some anti-spam tactics and technologies. In an upcoming issue, Glenn Fleishman will cover the upstream part of this problem - how to stop spam at the source and how to keep your own or your ISP's mail servers from being hijacked.
Delete -- The simplest method of dealing with spam is the Delete command in your email program. It probably takes a few seconds for you to recognize that a message is spam, and only a few more to delete the message. Even multiplied by the number of messages I received since I started counting, I would only have spent two or three minutes of those months dealing with spam. This technique also has the advantage of being familiar - we do exactly the same thing with paper junk mail. However - in the United States at least - we don't directly pay to receive paper junk mail, whereas we all pay in some form or fashion to receive spam. More concerning, what happens when the ratio of spam to real email flips, so we're getting 98 percent spam? The Delete command won't work so well then, and believe me, it's only a matter of time before that would be true.
Complaints -- You can also complain about spam. You can return nastygrams to the spammers, ask to be removed from their lists, and complain to the postmasters of the ISPs involved.
At this point, however, replying to spammers has an efficacy of about zero. Sure, you might hit a novice spammer at some point who doesn't realize that no good email ever comes from spamming, but that's an exception. Most spam is forged in such a way that there isn't a valid email address to which you can reply. This makes pointless the idea of replying with a note that tells spammers that the next time you receive spam from them, they'll owe you money.
Using remove features when offered sounds like a nice idea, but why would a spammer want to honor remove requests? After all, getting a remove request means that the recipient has a valid email address and actually read the message. To the scarred and twisted minds of spammers, that must mean that the person sending the remove request is a prime target for more spam. Replying to an email address in spam that actually works virtually always gets you added to more lists.
Of these ideas, complaining to postmasters (nicely) is the only tack that has any hope of succeeding. I wrote and used a KeyQuencer macro that actually did all of these things (it replied to the message with full headers, put the word "remove" in the Subject line, put abuse and postmaster addresses at the domain involved in the CC line, and typed a short and pointed note at the top of the message). In several months of using my macro, I got email from a couple of abuse addresses (most of the big ISPs were pretty good) thanking me for the information and saying that they had kicked the person off. Most of the time, though, there was no recourse, and all my messages either bounced or disappeared. I figure I had at best about a 2 percent success rate.
Filters -- What about using the filtering capabilities built into all good email programs, like Qualcomm's Eudora and Claris Emailer? All you have to do is identify common aspects of spam and then you can filter it all to the Trash, or (until you're confident of your filters) into another mailbox where any real messages caught by your filters can survive. If you don't have the time or energy to create your own filters, others have done so for Eudora and other programs.
Unfortunately, filters are problematic for several reasons, and although you're welcome to use them, in the long term they're simply not the solution.
Most spam email has been forged anyway - how can you possibly hope to keep up with spammers who can just forge another address?
Filtering on the Received lines in the message header fails if the spammer hijacks an SMTP server to force it to deliver the spam. It's far too easy to do.
Filtering requires constant updates and constant vigilance to make sure real mail hasn't been captured accidentally.
To filter email, you must first receive it, which means in essence that you're paying for it, either in money directly (not everyone has flat-rate Internet access) or in time or bandwidth.
Filtering on the domains of network service providers (the most notable one being filtered is a company called Apex Global Information Systems or AGIS) casts far too wide of a net. For instance, it turns out that the first part of the IP address we had some time ago for our mailing list machine, 205.199.*.*, is the same as the first part of the IP address used by arch-spammer Cyber Promotions. People who thought they were being clever by filtering on the start of that IP address effectively filtered TidBITS out as well, causing us major headaches when we got the complaints about missing issues. Also, since it's so easy to hijack an SMTP server, filtering on IP addresses is just as doomed as any other technique. Cyber Promotions recently got kicked off this network by AGIS; they're threatening to build their own network - which would make them much easier to filter out.
ISP Filters -- Perhaps the problem should be pushed upstream, to the Internet service providers? After all, if they filtered the spam out before it hit our mailboxes, we wouldn't have to deal with it all.
Nice idea, but I think it's fatally flawed. After all, who's to say that ISPs can avoid filtering real email any better than you can? And if the ISP was doing the filtering, you'd never even know that email from some friend of yours was being caught by the filter. Besides, even if you're not receiving, and thus paying for, the spam, the ISP is. Why should an ISP want to pay to carry spam any more than you?
Glenn has a slightly different viewpoint on this and will discuss it in his upcoming article about stopping spam at the source.
Voluntary Restraint -- Spammers had talked about forming a voluntary organization, and the Internet Email Marketing Council (IEMMC) was formed under the aegis of AGIS to develop industry guidelines for unsolicited commercial email, establish lists of people who didn't want to receive spam, and monitor compliance. However, according to news accounts (see URL above), the IEMMC was allegedly thrown out of AGIS's headquarters at the same time AGIS discontinued service to three major spam companies. It's unclear what will happen next with the IEMMC. In any case, this idea was flawed from the start. Anyone who believes this kind of a proposal will stop (or even stem) the tide of spam, should look into the purchase of this very nice bridge I have for sale. It's just not logical - anyone can spam, and whether or not the industry group has good intentions, they can't stop others from spamming any more than anyone else can.
Legislation -- The final and, I've come to believe, only effective method of stopping spam is by legislation. If sending spam is illegal, then spammers will be subject to civil penalties, which, of all the methods discussed so far, pushes costs back on the spammers rather than forcing all of us to bear the costs of being spammed. Unfortunately, all the bills currently introduced just allow victims of spam to recover damages; none of them actually turn the spammers into real criminals.
Keep in mind, we're talking about legislation in the United States. But since the U.S. represents the largest consumer market on the Internet, bills that ban spam here should have repercussions elsewhere, especially in places where electronic privacy rights are already more highly protected, such as the European Union. If these bills drive spammers outside the U.S., it will become even easier to filter those sites out completely - cutting them off from the Internet, effectively - until they agree to stop. Most Internet traffic in and out of the United States flows over networks owned by a few U.S. companies; these companies might face fines if they fail to block spam from international sources.
There are four anti-spam bills being introduced before the U.S. Congress. The most direct is by Representative Christopher Smith (R-NJ); the other three are by Senator Frank Murkowski (R-AK), Representative Billy Tauzin (D-LA), and Senator Robert Torricelli (D-NJ). The four bills (others may be on the way) are not equal; three focus on opting out, and Smith's focuses on opting in.
Opting out means you have to ask to be removed from a list, but your request must be honored or the sender will face civil penalties which you can collect from them. However, there could be thousands or tens of thousands of lists you'd have to opt out from. Opting in means that a company can't send you a single piece of email without your request or your setting up a documented business relationship with them.
A small clarification about U.S. civil and criminal law, too, for those of you fortunate enough to never have had to tangle with either: Criminal law covers crimes prosecuted by the government. These may be ridiculous, but the penalties involve fines, jail time, community service, and other court-imposed duties. Civil law governs individuals' and companies' actions against each other, in which the final settlement generally involves either injunctions or consent decrees (in which one side agrees to stop or start doing something) or civil penalties (in which one side wins a monetary judgement against the other). The bills below all involve civil penalties, which mean you personally could file suit against the offender and, if you can prove their violation of the act, get cash money. In the case of spam, thousands or even hundreds of thousands of individuals could file civil claims across the country against single companies. Failure to appear in response to a suit often means a forfeit and having to deal with court-sanctioned liens. Since spammers annoy so many people, their financial risk would be enormous.
Current Bills -- Let's look at the current anti-spam bills. Senator Torricelli's <firstname.lastname@example.org> bill, to start with, makes a civil offense of any attempt to forge email addresses or create fake domains. Further, it requires that if you request to be removed from a list (opt-out), these requests must be honored. The civil penalties are $500 for sending mail to you after you opt out, and $5,000 for various forgeries or misuse of service provider resources. The bill doesn't provide for specifics of how fast you have to be removed from lists. It also doesn't specifically limit coverage to commercial email, so anonymously sent private email could be covered. It's possible that legislating private speech in this manner could be unconstitutional; commercial speech has always had less constitutional protection.
Representative William Tauzin's bill is also an opt-out bill, but is exceptionally vague. It essentially says that spam might be bad, and that spammers should voluntarily join an organization that will create guidelines for the industry. It doesn't specify civil penalties, and only appears to recommend that spammers honor opt-out requests. The bill provides relief to spammers in that if they join the trade organization, they're exempted from most penalties if they follow guidelines the group develops.
Senator Frank Murkowski's <email@example.com> bill is problematic. It would require spammers to label spam and avoid forgeries so ISPs can filter the spam at the server. Murkowski's bill graciously gives large ISPs one year to set up such filters, whereas smaller providers get two years. There are other provisions: users can request to be removed from spam lists, and must be removed within 48 hours; furthermore, ISPs would be forced to terminate service to anyone using their network to send spam without the required labelling and identification information. Penalties would range up to $11,000. These penalties could apply to ISPs if they fail to meet the bill's requirements, too, which has ISPs a bit nervous - it's not quite the Communications Decency Act, but it's potentially a case of "killing the messenger."
Unfortunately, Murkowski's bill forces the ISPs to pay for carrying the spam, not to mention the costs of setting up and maintaining software to do the filtering. The basic problem, though, is that Murkowski's bill is an "opt-out" system (I'm sure there are a few people who like to receive spam, but there are people who enjoy self-mutilation as well). Cyber Promotions, one of the largest of the spam companies, brags about having 9,000 customers. I really don't want to spend my days removing myself from every spam list around, especially when they can just be regenerated from new sources.
Representative Smith's bill is based on an amendment to the Telephone Consumer Protection Act 47 USC 227, the law that makes it illegal to transmit junk faxes and sets a fine of $500 per incident, payable to the recipient, and $1,500 per incident if it can be proven that the originator of the junk fax knowingly violated the law. The amendment resembles suggestions from CAUCE (Coalition Against Unsolicited Commercial Email), and would expand the law and the penalties to apply to junk email as well. The existing law has been tested, both in the real world and in court, and has been found both effective and Constitutional. Junk faxes are essentially unknown now because of it.
I've read through all of CAUCE's material, and I find them to be realistic and level-headed about the entire situation. I strongly encourage you to go to their site and read their explanations of why they feel legislation is the only course of action remaining. Essentially, CAUCE recommends an "opt-in" solution, where the only commercial email you receive is that which you ask for. If you agree with CAUCE's stance, consider joining and helping to spread the word... through non-spam techniques, of course.
There are tons of anti-spam resources available on the Internet these days - here are a few that I've visited. Note that they may have different opinions or propose different courses of action than I have above. Take everything you read here and elsewhere with a grain of salt. No one has a monopoly on the truth or even the one right way.
Article 4 of 12 in series
Washington State Outlaws Spam -- According to a Seattle Times article, Washington State Governor Gary Locke last week signed into law a bill that aims to reduce unsolicited commercial email, better known as spam (see "Damn that Spam!" in NetBITS-003, or search for "spam" in the NetBITS search engine). The new law, which takes effect in 90 days, makes it a violation for spammers to send email messages with forged return addresses, fake header information, or misleading subject lines. The law applies both to spam originating within the state of Washington and spam directed at people who the spammer knows, or has reason to know, are Washington residents. It also places the burden on the spammer to determine whether or not any given individual resides in Washington. People who receive such spam could collect up to $500 per message, and Internet service providers could collect up to $1,000. It remains to be seen how easy it will be to collect damages, but no matter what, the new law should create a possible economic liability to spam where none has previously existed.
In related news, notorious spammer Cyber Promotions has settled the last outstanding lawsuit against it by agreeing to pay ISP EarthLink Network $2 million and to stop sending unsolicited email to EarthLink members. Previously, Cyber Promotions settled spam cases with AOL, CompuServe, and Bigfoot, and had its network connectivity terminated by AGIS. [ACE]
Article 5 of 12 in series
[This article is currently unavailable.]
Article 6 of 12 in series
by Geoff Duncan
Nearly two years ago, I wrote an article in TidBITS-347 called "Those Bulk Email Blues," which outlined issues surrounding unsolicited commercial email ("spam"), and how to respond to those messages.
Although much of that article remains relevant, times have changed. Spam continues to increase: since 01-Jun-98, I've received nearly 800 spams, an average of more than 11 per day. Further, spammers frequently probe my network looking for mail servers to exploit - my servers are locked down, but occasionally I run a dummy server that reports attempted spamming back to the originating network (and laughs gleefully when it does so). I'm also a party in the TidBITS lawsuit to test Washington's anti-spam legislation.
Don't Be Complacent -- During the last two years, I've become convinced that failing to report spam responsibly contributes to the wider spam problem. By failing to report spam, Internet users send an implied message to network providers, and hence to spammers: "This message didn't bother me enough to report; therefore, it is acceptable." If Internet users want spamming to stop, they must send a consistent, explicit message: spamming is unacceptable. Users can send that message by working toward effective legislative and technological solutions, and by reporting spamming incidents.
The problem is how to report spam. Most spammers try to cover their tracks: they use bogus return addresses, insert false headers, and relay messages through unsecured mail servers. Nonetheless, it is possible to figure out where you should report most incidents. Doing so requires time and some knowledge - but, as with all things, the more you do it, the easier it gets.
Identifying the Server -- To report a spamming incident, you must determine what Internet server sent the spam message to you, which means looking through the message's Received headers. Ignore return addresses or From lines: they're easily forged. Received headers are typically grouped near the top of a raw email message and appear in a particular order: the topmost header is the most recent, and (in theory) the bottommost indicates the message's origin. Email messages always have at least one Received header.
The bottommost Received header may not always identify the originating system. Spammers often forge one or more Received headers to throw you off the trail, but they can't forge them all. Forged Received headers appear beneath any legitimate Received headers and are often obviously different.
The only guaranteed way to figure things out is to start from the topmost Received header and work down. Look for the first Received header that claims to have sent the message to the domain where you receive email. If you have an account with EarthLink, for example, look for the first header that mentions an EarthLink system. Here's a fictional header that points to a location on my network:
Received: from Fred (pointless.quibble.com [126.96.36.199]) by smtp100.earthlink.net (8.8.8/8.8.8) with SMTP id MAA17789 for <firstname.lastname@example.org>; Sun, 9 Aug 1998 12:55:13 -0700
You can see the system smtp100.earthlink.net received a message from a machine calling itself "Fred," a name probably supplied by the spammer. However, EarthLink's mail server didn't blindly accept Fred's statement of identity and performed a DNS lookup, discovering that Fred's canonical name is pointless.quibble.com. (All Internet machines have at least one unique IP number; machines don't require any assigned name, but can have many names, only one of which is canonical.) EarthLink's mail server inserted pointless.quibble.com in the Received header along with the machine's IP number to make it easier to track the origin of the message. This is good - these days, mail servers at many responsible Internet providers tag messages in this manner. Now you know the message came to EarthLink from quibble.com, and that's probably where you want to send your spam report. Let's look at a more complex example:
Received: from pointless.quibble.com (pointless.quibble.com [188.8.131.52]) by smtp100.earthlink.net (8.8.8/8.8.8) with SMTP id MAA17789 for <email@example.com>; Sun, 9 Aug 1998 12:55:13 -0700
Received: from Fred by pointless.quibble.com id QQfbjb05104 Sun, 9 Aug 1998 12:54:34 -0700 (PDT)
Here we can see that a machine calling itself Fred connected to a machine calling itself pointless.quibble.com, which didn't do any checking on Fred. Then, pointless.quibble.com connected to EarthLink, which confirmed the machine's name and delivered the message to you.
This second instance is probably a case of "relaying," where a spammer found an exploitable mail server in the quibble.com domain. This particular server would be a spammer's dream because it doesn't identify the machine that sent the message in the first place. The administrators of quibble.com may not be involved with the spammer and may not even be aware their system was used to distribute spam. You still want to report the incident to quibble.com and strongly encourage them to disable relaying on their mail server. Unfortunately, there isn't enough information to track the spammer further; hopefully, quibble.com's mail server keeps logs that would enable its administrators to determine the spam's origin.
If any of your mail is forwarded to you from another address, you may need to ignore one or more topmost Received headers. For instance, all mail to <firstname.lastname@example.org> is forwarded to me at quibble.com. The topmost Received line in spam to <email@example.com> always says that quibble.com received the message from tidbits.com. But the TidBITS server didn't originate the spam; I need to look at subsequent Received headers to see what machine sent the message to the TidBITS server.
IP Numbers & Ranges -- Sometimes even a well-configured email server won't be able to look up a canonical name for the machine giving it an email message. A Received header might look like this:
Received: from 184.108.40.206 ([220.127.116.11]) by smtp100.earthlink.net (8.8.8/8.8.8) with SMTP id MAA17789 for <firstname.lastname@example.org>; Sun, 9 Aug 1998 12:55:13 -0700
To report this incident, you need to figure out who's responsible for the IP number 18.104.22.168. First, try a DNS lookup yourself to see if the number has an assigned name. Many utilities will perform a DNS lookup. For the Mac, I recommend Peter Lewis's $10 Mac TCP Watcher or Peter Sichel's $20 IPNetMonitor, both of which also include traceroute tools.
Looking up 22.214.171.124 should reveal pointless.quibble.com, which indicates that you should report the incident to quibble.com. But let's say no name turned up. Your next best bet is to use a Whois server to determine who's responsible for that IP number. The Whois protocol enables you to ask a network authority for information about domains, systems, and points of contact for Internet sites. Unfortunately, there is no central network authority for the entire Internet. The American Registry for Internet Numbers (ARIN) maintains a good Whois database for domains registered in the U.S.; I always try ARIN first. Other network authorities include the InterNIC, RIPE (for European domains), and APNIC (Asia Pacific). Services like Allwhois.com try to be comprehensive but are more useful for determining if a particular domain is available, rather than figuring out IP number assignments.
You may have to check with several authorities before you find who's responsible for an IP number. You may also have better luck searching for a range of IP numbers using an asterisk ("204.57.207.*") than looking for a single IP number, although you'll need to be careful interpreting the results. Multiple searches are awkward via the Web; you can also use a dedicated Whois client to query the databases directly. On the Mac, try IPNetMonitor or Peter Lewis's $10 Finger, which can query Whois servers.
If you look up 126.96.36.199 or 204.57.207.* via appropriate Whois servers, you find Northwest Nexus, which is my upstream ISP. If you were to report a spam incident from my domain to Northwest Nexus, I'd be taken to task quickly. Not all providers are that responsible, however; if spamming persists from a domain or an IP number after you've reported a few incidents, you can use a Whois server to figure out who's upstream from the responsible party - usually AT&T, Sprint, UUNET, or another large network provider. Most high-level network providers have a low tolerance for spam, but may only be able to forward complaints to their customers, such as regional ISPs. In my experience, reporting spam to upper-level network providers is only moderately effective.
If you can't use Whois to figure out who controls an IP number, your last option is a traceroute utility. Traceroute essentially figures out the path that packets are taking between two Internet machines. This path should show you what sites are "closest" to the IP number that sent the spam. You could send spam reports to the domain indicated as "closest" to the IP number that sent the spam message. However, be aware that Internet routing is dynamic: although the specific path between two machines usually doesn't change from moment to moment, it can change at any moment. Machines near your target IP number may have nothing to do with the spammer or the organization responsible for the IP number. If you report a spam incident using data obtained from traceroute, do so politely.
How to Report Spam -- When reporting a spam incident, include the complete text and headers of the message you received: administrators need this information to verify the incident. A courteous, professional message is always more effective than a vitriolic rant. I begin my reports with this boilerplate text:
I received the following unsolicited commercial email ("spam") that was either sent directly by one of your users, relayed through a mail server on your site or network, or sent from a dialup pool or downstream network administered by your organization. I've enclosed the complete message below with full headers; please ensure this doesn't happen again.
Since I live in Washington State, my messages also point to information about Washington's anti-spam legislation and mention the per-incident damages Washington residents can try to collect.
Send spam reports to the username "postmaster" and, optionally, "abuse" at the domain you've determined is responsible for the spam. The postmaster address is almost universally valid for a domain; the abuse address is less common but is often set up as a reporting address for spamming incidents.
For best results, always report spam to an address at a domain, not to a specific machine. In the examples above, you would use <email@example.com> rather than <firstname.lastname@example.org>. If the spam originated from a site using a two-letter country code (such as .us) rather than a three-letter top-level domain (such as .com or .edu), the domain will contain at least three parts (reno.nv.us) rather than two (quibble.com).
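The header walk from "Identifying the Server" and the address choice from "How to Report Spam", as an added Python example (not code from the article or from TidBITS). It generalizes the forwarding case to a set of trusted domains; `find_handoff`, `report_domain`, the `forwarder.example` host and the sample message are constructed for illustration, and the regular expression assumes the header layout shown in the article's examples.

```python
import re
from email import message_from_string

# Layout of the article's sample headers:
#   from CLAIMED-NAME (verified-name [ip]) by RECEIVING-HOST ...
# The parenthesised part is written by the receiving server; CLAIMED-NAME is
# whatever the sender said. Other mail servers lay this out differently.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample: a relayed message that reached the reader through a
# forwarding address. Host names follow the article's fictional examples;
# forwarder.example and the IP numbers (documentation ranges) are made up.
SAMPLE = """\
Received: from mail.forwarder.example (mail.forwarder.example [198.51.100.7])
    by smtp100.earthlink.net (8.8.8/8.8.8) with SMTP id MAA17790;
    Sun, 9 Aug 1998 12:55:20 -0700
Received: from pointless.quibble.com (pointless.quibble.com [192.0.2.10])
    by mail.forwarder.example (8.8.8/8.8.8) with SMTP id MAA17789;
    Sun, 9 Aug 1998 12:55:13 -0700
Received: from Fred by pointless.quibble.com id QQfbjb05104
    Sun, 9 Aug 1998 12:54:34 -0700 (PDT)
From: "Big Deals" <offers@invalid.example>
Subject: constructed sample

(message body)
"""


def in_domains(host, domains):
    """True if host is one of the domains or a machine inside one of them."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def report_domain(host):
    """Article's rule: keep two labels, or three under a two-letter country code."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels[-1]) == 2 else 2
    return ".".join(labels[-keep:])


def find_handoff(raw_message, trusted_domains):
    """Walk Received headers top-down and return the hop where a host outside
    trusted_domains handed the message to a server inside them, or None."""
    trusted = {d.lower() for d in trusted_domains}
    msg = message_from_string(raw_message)
    for position, value in enumerate(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # undo header folding
        if m is None or not in_domains(m["by"], trusted):
            # Not written by a server we rely on: this header and everything
            # beneath it could have been supplied by the sender.
            return None
        if in_domains(m["rdns"], trusted):
            continue  # forwarding or internal hop, keep walking down
        rdns, helo = m["rdns"], m["helo"]
        # The verified name comes from reverse DNS; when it is absent, the
        # bracketed IP is what goes to a Whois lookup instead.
        domain = report_domain(rdns) if rdns else None
        return {
            "position": position,
            "received_by": m["by"].lower(),
            "claimed_name": helo,
            "verified_name": rdns,
            "ip": m["ip"],
            "name_mismatch": bool(rdns) and helo.lower() != rdns.lower(),
            "report_to": [f"{box}@{domain}" for box in ("postmaster", "abuse")]
            if domain else [],
        }
    return None


if __name__ == "__main__":
    # The reader's provider and the forwarder are both listed as trusted.
    hop = find_handoff(SAMPLE, {"earthlink.net", "forwarder.example"})
    for key, val in hop.items():
        print(f"{key:14} {val}")
```

Leaving the forwarder out of the trusted set makes the walk stop at the topmost header and name the forwarder as the source, which is the mistake the forwarding paragraph warns about.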
Removal Services -- What about removal services listed in spam messages, or sites purporting to be "global remove" lists? Two years ago, I recommended these removal services, figuring that responsible bulk mailers (there are a few) will remove your name from their lists and irresponsible ones have your address anyway, so there's no harm in trying.
Today, I can't recommend any removal services. Although a few are legitimate, far too many are either non-existent or simply address-collection clearing houses. One instance I chased down turned out to be a sophisticated operation used by several spammers: they collected the removal requests, then sold the senders' addresses to other spammers as "fresh addresses."
Don't Just Take My Word for It -- The issues surrounding spam are often the subject of debate. Although this article contains technical information and tips, in the end it's just my opinion. If you're interested in learning more - including other opinions about responding to spam or current legislative and technology initiatives - some of the links Adam has collected regarding TidBITS's anti-spam lawsuit are a good place to start.
Will the techniques outlined here stop the flow of spam into your mailbox? No. Is reporting spam simple? No. But at least reporting spam appropriately is an alternative to complacency, and you'll have the satisfaction of hearing from providers who have shut down spammers thanks to your reports. For that alone, many people will thank you.
Article 7 of 12 in series
by Geoff Duncan
On 14-Mar-2000, King County Superior Court Judge Palmer Robinson ruled Washington State's 1998 anti-spam legislation unconstitutional under the interstate commerce clause of the U.S. Constitution, holding that the law is "unduly restrictive and burdensome" on businesses. Robinson dismissed with prejudice a case brought by Washington State's attorney general against an Oregon man using unsolicited email to promote a get-rich-quick package, and signed an order allowing the defendant to attempt to recover costs and legal fees. The attorney general's office has until 10-Apr-00 to decide whether to file an appeal; it's widely expected to do so.
TidBITS also filed a lawsuit in July of 1998 under the same Washington State anti-spam law. Our suit has progressed far enough that it is not affected by Judge Palmer's ruling; we hope to be able to say more in the near future.
Washington's anti-spam law bans unsolicited commercial email messages sent to a Washington State email address or from a computer in Washington State which use misleading information in the subject line, use an invalid reply address, or attempt to disguise routing information. Spammers are deemed to know if an address is in Washington State if available information indicates a domain is located in Washington, or if the address is included in a registry of Washington State email addresses. Judge Robinson reportedly found the requirement that senders proactively identify Washington State email addresses too restrictive; however, to meet the conditions of the statute, messages must both misrepresent themselves and be sent to a Washington address or from a computer in Washington State. An out-of-state business that sends email to Washington residents is not subject to the anti-spam law so long as it doesn't misrepresent the subject, reply address, or routing information in the email - even if the message is unsolicited.
At this point the case has no significance in terms of precedent, and legal experts and consumer advocates widely disagree with Judge Robinson's dismissal. TidBITS joins them in calling for the state to appeal the decision to the Washington State Supreme Court. In the meantime, HR 3113, a federal anti-spam bill widely known as the Unsolicited Electronic Mail Act of 1999, passed the U.S. House of Representatives Commerce Subcommittee on Telecommunications, Trade, and Consumer Protection on 24-Mar-2000. If enacted as law, it would offer even greater consumer protections than Washington State's anti-spam law.
Article 8 of 12 in series
As the Internet has evolved to provide ever more opportunities to separate fools from their money, the number of people trying to do just that has also increased. It was not always this way. Many years ago when I had my first AOL account, I never received a single piece of unwanted email. When I last tried AOL I received over 20 unwanted solicitations every day, even though I never used the account for email.
What happened? Can we go back to those halcyon days of yore? Can we stop the deluge of unsolicited commercial email, also known as "spam?"
"What happened?" is an easy question to answer. More ordinary people began using the Internet. A few brave souls took the risk of using the new medium to hawk their wares and some appeared to become fabulously successful - though that appearance seldom matched the reality. Others wanted to get in on the action and get rich quick. Junk email was born, grew, and proliferated like a runaway cancer.
Can we go back to the halcyon days of yore? No. You can't go home again, you can't put the genie back in the bottle, and you can't stop folks from trying to sell you things you don't want.
Can we stop the deluge? We can do some things to make spam more tolerable. We can report spam, which requires technical know-how and a bit of work each time you're targeted. We can also look for legislative solutions. Back in NetBITS-005, I pointed out that once we turn to the government to help us deal with the undesirable elements on the Internet, we open the door to (shudder) regulation of the Internet. That is exactly what is happening across the U.S. with spam - it is being regulated by an increasing number of states, and Congress is actively considering enacting federal legislation to address the subject.
We have now entered an era where many believe it is more desirable to have the government tell us what we can and cannot send across the Internet than to deal with the problems caused by unrestricted Internet use.
The Problem -- In 1997 there were no state or federal statutes in the United States that specifically addressed email or Internet advertising. Since that time several states have enacted statutes, and others have established commissions to study the issue and make recommendations to state legislatures. On the federal level, the Federal Trade Commission (FTC) has completed two studies on Internet email and marketing; these studies concluded that a serious problem exists and will increase with Internet use. Congress has considered multiple bills addressing the issue; although none have passed yet, it is likely only a matter of time before Congress presents a bill to the President for signature. The FTC reports are available online; see "Protecting Consumers Online," 21-Dec-99, and "Report to the Federal Trade Commission of the Ad-Hoc Working Group on Unsolicited Commercial Email," 1997.
The problem addressed by the FTC, Congress, and the state legislatures is known colloquially as "spam." It is known more formally as "unsolicited commercial email," or UCE. UCE generally takes the form of an advertisement for a service or product that is sent to Internet users just as flyers, coupons, and other solicitations are sent to regular postal customers. To spammers, email offers a way to target thousands or even millions of potential customers at virtually no cost. The spammer needs only a computer and an email account. With those tools, he can prepare a single solicitation and email it to dozens, hundreds, or thousands of people at a time by using a list of email addresses gathered from a variety of public sources, such as Usenet news and links on Web pages.
As personal use of the Internet increased, so did the number of people using email to advertise their products and services. Many users didn't like receiving these solicitations, particularly since a large number offer things such as pornography, sexual aids, and other items that many people find offensive. The recipients then responded with torrents of complaints directed back to the spammers, who rapidly found their own email accounts filling up not with orders, but with complaints and demands to stop sending solicitations. Most spammers therefore began to conceal their own email address, instead including phone numbers or obfuscated links to Web sites where the user could place an order.
UCE is different from postal "junk mail" in one important way: When a seller sends a flyer, he must pay for the paper, printing, envelope, and postage for each item (a real cost, even considering the significant discounts for bulk postal mail). By contrast, when a spammer sends a thousand email solicitations, he pays virtually nothing. The recipients, however, do pay for their Internet accounts based either on time spent online or amount of data transferred. Even users with flat-rate pricing pay for spam: their fees are based on estimates of the resources users will consume, so although spam may not result in direct additional costs to the user, it could cause flat-rate pricing to increase across the board. Either way, the user pays the cost of the UCE. According to 1998 estimates in the report to the FTC (see above), users were paying up to $2.00 per month just for UCE, in addition to the time spent replying to or deleting unwanted messages, or reporting abuses. Internet service providers (ISPs) were dedicating increasing amounts of resources and time addressing customer complaints. In addition, the UCE was taking up disk space on the ISP servers - sometimes to the point of forcing the server to shut down until the UCE was cleared out.
Stamping Out Spam -- Now that we know the problem, what can be done about it? In the next part of this article, we'll look at the myriad solutions proposed at the state and federal levels, and why government intervention may not be a panacea for the spam problem.
Article 9 of 12 in series
TidBITS has published a variety of articles about how to deal with unsolicited commercial email (UCE), more commonly referred to as "spam" (see "Responding to Spam" in TidBITS-442). As the problem has increased with the widespread popularity of the Internet, lawmakers have begun to pay serious attention to the bulk email that's flooding their constituents' mailboxes. In the first part of this article, I covered the legal definitions of spam and some of the studies done by governmental bodies into the severity of spam. In this installment, I'll talk about how various governments propose to handle this growing problem.
Response by Congress and the States -- Email solicitation has much in common with other forms of commercial bulk marketing such as junk mail and broadcast advertising. Advertising speech is protected by the First Amendment and an outright ban on any type of advertising, including bulk mail solicitations, would be unconstitutional. But commercial speech can be regulated to a greater degree than private speech.
Based on two Federal Trade Commission reports (see the first part of this article), as well as the increasing number of consumer complaints, Congress and several states began considering legislative solutions to the problem. Congress has not yet passed any legislation, but 20 states have considered the issue and 15 have enacted laws on the subject. Others are actively considering legislation to address the problem.
The state and federal statutes - both proposed and enacted - contain many similar provisions. A business that wishes to advertise on the Internet can generally avoid violating the statutes by complying with certain rules such as:
- Include valid headers and particularly include a return address such that the recipient of an email solicitation can reply to a valid email address that is monitored to ensure that it does not become full and begin bouncing email.
- Include instructions in the body of the message providing an email address, a toll-free telephone number, or both, so a recipient can ask to be removed from the mailing list.
- Maintain an "opt out" list of persons who have asked not to receive email solicitations and ensure they are removed from the mailing list. (Statutes are unclear on the sender's responsibility regarding future iterations of the email list.)
- Use accurate and informative subject lines on all solicitations. Any solicitation for adult material should be clearly identified in the subject line with the initial characters being "ADV:ADLT." All other solicitations should begin with "ADV:"
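A recipient-side audit of the rules above that can be checked mechanically, as an added example that is not from the original article or from any statute: the finding names, the regular expressions and both sample messages are constructed for illustration. Whether a reply mailbox is monitored, or whether routing headers are truthful, cannot be decided from the message alone, so the check covers only the subject label, a syntactically valid reply address, a removal channel in the body, and mail from a sender the recipient has already asked to be removed by.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# These patterns are assumptions made for this example, not statutory definitions.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
TOLL_FREE = re.compile(
    r"(?<!\d)(?:1[-. ]?)?\(?8(?:00|88|77|66)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
REMOVAL_WORDS = re.compile(
    r"\b(?:remov(?:e|ed|al)|unsubscribe|opt[- ]?out)\b", re.IGNORECASE)


def subject_label(subject):
    """Return "ADV:ADLT", "ADV:" or None. The label must be the initial
    characters of the subject, written exactly as the article gives them."""
    for label in ("ADV:ADLT", "ADV:"):  # longest label first
        if subject.startswith(label):
            return label
    return None


def reply_address(msg):
    """First syntactically valid address in Reply-To or From, else None."""
    for header in ("Reply-To", "From"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if ADDRESS.fullmatch(addr):
            return addr
    return None


def body_text(msg):
    """Join all text parts, undoing base64 or quoted-printable encoding."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        # The patterns above are ASCII, so a lossy decode is good enough here.
        chunks.append(raw.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def has_opt_out_channel(body):
    """True if the body mentions removal and gives an address or toll-free number."""
    if not REMOVAL_WORDS.search(body):
        return False
    return bool(ADDRESS.search(body) or TOLL_FREE.search(body))


def audit(raw_message, opted_out=frozenset()):
    """Return a list of findings for one received message.

    opted_out holds lower-case sender addresses that this recipient has
    already asked to be removed by (a hypothetical local record)."""
    msg = message_from_string(raw_message)
    findings = []
    if subject_label(str(msg.get("Subject", ""))) is None:
        findings.append("subject-not-labelled")
    if reply_address(msg) is None:
        findings.append("no-reply-address")
    if not has_opt_out_channel(body_text(msg)):
        findings.append("no-opt-out-channel")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender and sender in opted_out:
        findings.append("sent-after-opt-out")
    return findings


# Constructed sample messages (not real mail).
LABELLED = """\
From: Kitty Boots <offers@example.com>
Reply-To: remove@example.com
Subject: ADV: Hand-knitted kitty-boots

To be removed from this list, write to remove@example.com
or call 1-800-555-0100.
"""

UNLABELLED = """\
From: undisclosed
Subject: Re: your account

Earn money fast. Reply now.
"""

if __name__ == "__main__":
    print("labelled:", audit(LABELLED))
    print("labelled, after opt-out:", audit(LABELLED, {"offers@example.com"}))
    print("unlabelled:", audit(UNLABELLED))
```

An empty result means only that the message passes these surface checks; it says nothing about whether the headers are truthful or the removal address is honored.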
State of the States -- Responding to increasing consumer complaints about a variety of scams, a proliferation of unwanted pornographic solicitations, and other abuses, some state legislatures began considering how to regulate Internet email marketing in a manner that would both protect the consumer and allow legitimate businesses to advertise their products. The resulting proposed and enacted statutes are chaotic; although many provide criminal penalties, most create a private right of action for damages, and several empower the state's Attorney General to pursue a civil action for damages and injunction.
Email legislation at both the state and federal levels also shares significant similarities. Although each state has adopted a slightly different definition of spam, there are enough factors in common to present a pattern. Of the 15 states that have passed laws on spam so far, 8 have made violating one or more of the following prohibitions a criminal offense that will subject an individual or corporation to fines and possible incarceration:
- False or misleading routing or transmission information in the headers.
- Misleading or deceptive subject line.
- Use of a third party domain without permission.
- Offering to sell software primarily intended for these purposes.
Other provisions contained in state laws that may create civil liability on an individual or corporation include:
- No means of opting out or getting off of a mailing list.
- Continuing to send email after receipt of an opt out request.
- Violation of primary ISP policies.
- Failing to label UCE as "ADV:" in the subject line.
Ten of the 15 states permit individuals to sue a spammer for violation in addition to other criminal or civil penalties the state may impose. In most of these states, recipients of spam that violates the prohibitions noted above can sue the sender for statutory damages that range from $10 per item in Delaware and other states to $500 per item in Washington state. In addition, a provider of interactive computer services (like an ISP) may sue for higher damages. In Washington state, the amount is $1,000 per item. To illustrate the significance of these provisions, in one pending case in Washington state, an ISP that received 5,800 UCEs is suing a corporation for violations of the state anti-spam law. At $1,000 each, the sender's exposure is $5,800,000.
Most of the state statutes provide that anyone sending email solicitations to residents of their state is subject to the jurisdiction of the state courts. This is a form of law known as a long-arm statute. Anyone who tries to sell a product in a state - even if they are doing so from out of state via catalog or email solicitations - has the protection of the state laws if a buyer refuses to pay, for example, and also has the responsibility to obey state laws such as the consumer protection and anti-spam statutes. Thus, a recipient of UCE may file suit in the courts of his own state. A spammer who sends to recipients in multiple states and violates the law in one or more may find himself responding to multiple suits filed in several different state courts.
An interesting provision contained in four of the state statutes is that the sender of UCE must honor the policies of the ISP they use. For example, if a person were to use AOL to send email across the Internet, and the email violated AOL's written and posted policies, that sender's violation of the AOL policies would also be a violation of law in California, Iowa, Louisiana and North Carolina.
California and Tennessee have passed laws that require all UCE to be labelled as an advertisement. The subject line of email offering goods or services for sale must begin with the letters "ADV:". In California, if the solicitation is for material that can legally be viewed or possessed only by a person over 18, the subject line must begin with the letters "ADV:ADLT."
Under the long-arm provisions that grant jurisdiction over non-compliant UCE sent to state residents, it is possible that a spammer in any state who sends a solicitation to a California resident but omits the "ADV:" label may become subject to penalties in California. At the current time the courts have not shed any light on this jurisdictional question - the issue involves not only long-arm jurisdiction, but also something called "conflict of laws," where an action may fall within the statutes of more than one state. In such cases, the court is required to determine which state law to apply to the case. Conflicts analysis can become very complex.
The states that have enacted anti-spam statutes of one type or another are California, Connecticut, Delaware, Iowa, Illinois, Louisiana, Maryland, North Carolina, Nevada, Oklahoma, Rhode Island, Tennessee, Virginia, Washington State, and West Virginia.
Maine has enacted a statute establishing a commission to study the problem and make recommendations to the legislature for appropriate legislation.
Possible Federal Statutes -- A wide variety of bills addressing email solicitation have been proposed in the House and Senate since 1997. While none have received the concurrence of both houses (and thus none have been presented to the President for signature) it is instructive to examine the types of concerns Congress is attempting to address for two reasons. First, it is highly likely that Congress will pass a bill on this issue, and second, two of the fifteen states that have anti-spam laws have specifically included a provision that says their law will expire if a federal statute is passed.
The federal legislation proposed to date does not contain the more stringent provisions of the state laws. In general, the federal bills do not criminalize violations and nearly all of them permit email solicitation in some form so long as the user has a meaningful way to opt out of the mailing list. Only one proposed federal statute has included a provision that UCE be labelled in the subject line, and only one has contained a provision requiring that senders of UCE honor an ISP's policies.
The most recent submission to Congress is the Unsolicited Electronic Mail Act of 2000. If enacted, the statute would make it illegal for spammers to violate the usage policies of an ISP, would require use of valid return or Reply-to addresses and that spammers maintain and honor an opt-out list. It also requires that email solicitations be clearly marked in some standardized way, to be determined by the FTC. That bill was recently amended in committee in March, and must be introduced to the floor of the House of Representatives, then to the Senate if it passes the House. At either stage it can be sent back to committee for further revision. If it finally passes both the House and the Senate, it will be presented to the President for signature.
At the present time, it is uncertain just what effect a future federal statute would have on existing state legislation. There is some precedent in the so-called junk fax legislation however. The federal Telephone Consumer Protection Act prohibits unsolicited faxes being sent to consumers and imposes a penalty of $500 per fax sent in violation of the statute. Washington and other states have a similar statute providing a nearly identical remedy for unsolicited faxes. It is quite likely that state and federal statutes regarding UCE will coexist in the same way that the anti-fax statutes have.
Unsolved Mysteries -- For the most part, none of the statutes addresses a key issue in the spam wars: most spammers don't want to be found. They conceal their identities and return addresses for a reason. They know that it is just as easy for their victims to send them opt-out email as it is for them to send the spam in the first place. If the spammers let the victims actually have a say, the spammers will be inundated with opt-out requests and will have to do an honest day's work trying to keep their mailing lists clear of those who have opted out.
[This paragraph is currently unavailable.]
Obviously, hiring attorneys and private investigators can be expensive. Washington state's law also provides that the state's Attorney General can bring an action against a spammer. The Attorney General's office has greater resources than the average individual to locate spammers. But the Attorney General's office is inundated with spam complaints and is being selective about the cases they bring. That leaves unsolved the problem of how to deal with scofflaw spammers who will simply ignore federal and state law, falsify their return address and routing headers, and continue spamming.
Another problem is that of the international spammer. A person who sends spam from another country is not subject to the jurisdiction of U.S. courts unless the U.S. and that country have a treaty giving jurisdiction. Enterprises in the Bahamas and other nations without strong regulation of unfair business practices and without jurisdictional treaties with the U.S. have already been the source of problems with offshore Internet gambling sites. As the legal environment for spammers becomes less friendly in the United States, U.S. residents can expect to see more and more spam coming from outside national borders.
The issue has only begun to be discussed internationally. No other nation has the volume of Internet traffic that the U.S. does, and not all cultures encourage unrestricted capitalism as strongly as the U.S. does. So it may be some time before a meaningful international solution develops.
Summing Up -- In the United States, Internet accounts are becoming pervasive. Advertisers prominently display Web URLs, more and more media provide some content on the Web, and small businesses are putting up Web sites in potentially vain attempts to compete with the big boys. Individuals and businesses without Internet access are beginning to feel as out of touch as those without telephones.
With the commercialization of the Internet come the abuses, the hard sells, the unwanted solicitations. And with those abuses come complaints, followed closely by government regulation. That regulation is currently in fast-paced flux with states enacting a sometimes confusing welter of overlapping laws, and the federal government considering whether and how to enact federal regulation of commercial speech on the Internet.
In most respects, regulation of abuses like spam is important, necessary and generally well received. But there is another, more insidious consideration. The more we ask the government to intervene in the Internet, the more regulations we will receive. Not all of those regulations will be to our liking, and some very well may be the exact opposite of what we as consumers would like to see. We would all do well to bear in mind the warning of the sages: Be careful what you wish for.
Article 10 of 12 in series
After my recent two-part article on spam laws (see "Email Spam: The Bandwagon Plays On" beginning in TidBITS-528), many readers wrote privately and to TidBITS Talk with requests for practical information. The survey of how United States law is addressing the problem was all very interesting, they wrote, but what can ordinary Internet users actually do about spam without having to sue someone?
I often find myself telling clients that litigation is usually one of the worst ways to resolve a dispute. It is often slow and tedious, costly both in terms of money and time, follows arcane rules (some of which date back to "I Claudius!") and is inherently risky in the end. If there is any other alternative, using it is often the best course of action.
On the individual spam-fighting level, you can create filters in Eudora, Outlook Express, and other email clients that will catch the more obvious spam. If you're not inclined to do that, services such as Brightmail can do it for you. If you want to take a more active role, you can sign petitions, write your elected representatives, and, of course, boycott companies with inconsistent or nonexistent spam policies.
I have compiled a short list of Web sites that offer those things and more. Many of these were recommended by those who wrote in (thank you!), while others are sites I've found and use myself. There are many more sites than those I mention below. If you run across others that you think are particularly noteworthy, please send a note to TidBITS Talk introducing the resource.
I should add that I am not specifically endorsing any of these sites, and the fact that I may not include a particular site does not mean I think it's no good; I probably just don't know about it. For the benefit of TidBITS readers, I will keep this list posted on the Web and will occasionally update it based on what I find and what I see mentioned on TidBITS Talk, so please do write in with new sites and with any good or bad experiences you may have with the posted sites.
Server Filtering Services -- These anti-spam tools provide an email account with server-based filtering so you don't have to create all the filters yourself in your email program. Even better, they filter out spam before it ever reaches you so you don't waste time or disk space downloading the junk.
Brightmail acts as a mail proxy server for your email and filters suspected spam for you. To use Brightmail, you have to set up a free account and modify your email client program settings to get mail through the Brightmail server. Brightmail does not simply trash suspected spam, but saves it at its site where you can view the messages and decide which to keep and which to delete. Their FAQs list more information, including topics for individuals, corporations, and ISPs.
For a fee, SpamCop offers a service similar to Brightmail where SpamCop acts as a proxy server for your email account and filters out spam before it reaches you. They hold the filtered mail for up to a week so that the user can review it.
The Spam Bouncer requires a Unix shell account, procmail, and the savvy to use both of them. The Spam Bouncer is essentially a series of procmail filters that allow you to block or flag spam as it's received.
Tracking Down Spammers -- This next group of sites provides information on tracking down spammers so they can be reported to ISPs and, if necessary, to law enforcement. Keeping track of spammers is important for another reason: the more data users can provide to lawmakers, the greater the chance that realistic laws will be implemented and enforced. Also see Geoff Duncan's TidBITS article, "Responding to Spam," in TidBITS-442.
Get That Spammer provides information and tools for tracking down spammers. The Tools link provides an array of Web-based tools to help track down systems abused by spammers - although you have to understand a bit about how email and DNS operate to use the tools effectively. The Information link lists the latest legal developments and articles discussing policy and practical approaches to stopping spam. The site also provides instructions to ISPs about crafting better acceptable use policies, advice to users on how to file complaints (complete with a sample complaint letter), and much more information, tips, and tools for dealing with spammers.
The free SpamCop service allows its registered users to send received spam to SpamCop, which will then generate complaint messages to the appropriate ISP administrators and others.
Spam Education -- These educational sites provide information about spam, additional suggestions on how to deal with it, and often links to other anti-spam sites. They also list contact information for reporting spammers, and for encouraging lawmakers to enact appropriate legislation.
F.R.E.E. is the Forum for Responsible and Ethical Email. F.R.E.E. provides a spam primer that educates users about why spam is such a bad thing, and also provides information on reading email headers, building filters to block spam, crafting complaints, and much more.
Spam.abuse.net is an informational site that not only describes the damage done by spammers, but also provides a list of non-spamming, spam.abuse.net-endorsed marketing companies and sites.
The Mail Abuse Prevention System's Anti-DMA info page provides information about the Direct Marketing Association's efforts to protect spam and spammers.
Spam Law in the United States -- The following sites offer information specific to legal efforts to curb unsolicited email in the U.S.
CAUCE, the Coalition Against Unsolicited Commercial Email, is a well-known anti-spam group providing information on current anti-spam efforts, legislative updates and discussion, and other advice on how to combat spam. CAUCE tracks spam issues in the U.S. and abroad, and they even have a cool t-shirt.
The John Marshall Law School Cyberspace Law site provides information and links to statutes, cases, and other legal materials about spam. The site is updated and maintained by Professor David Sorkin.
The Spam Laws site, also maintained by David Sorkin, is a bit more up to date than the John Marshall site but also provides information on U.S. federal and state laws addressing spam.
SueSpammers.org is an excellent resource to track developments in spam law across the U.S.
The Mad About Spam Web site provides a petition users can sign to send a message to their U.S. congressional representatives about neutralizing the Direct Marketing Association's efforts to protect spam and spammers.
International Spam Law -- Finally, although the bulk of Internet usage is still centered in the United States, spam is an international issue and could become increasingly so if U.S. legislation becomes more restrictive. The following sites deal with anti-spam legislation in various global locales.
David Sorkin's Spam Laws site also includes a section on European Union directives, policies, and directions on regulating the Internet and spam as Internet usage increases in Europe. Another section covers spam and Internet regulation elsewhere in the world.
CAUCE has a number of affiliates around the world, including EuroCAUCE, CAUBE.AU (Coalition Against Unsolicited Bulk Email, Australia), and CAUCE India. If you're a resident of one of those areas, check out the appropriate CAUCE affiliate site for links to local legislative issues.
Electronic Commerce and the European Union is a site that provides information about European Union policies regarding the increasing amount of commerce being done on the Internet.
Article 11 of 12 in series
Last week, the Washington State Supreme Court unanimously struck down last year's ruling from King County Superior Court Judge Palmer Robinson that Washington State's anti-spam law was unconstitutional. Judge Robinson held the law violated the interstate commerce clause of the U.S. Constitution because compliance would require spammers to identify specific email addresses as being connected with Washington State residents. Robinson is correct - that requirement is burdensome. But what she failed to consider was the fact that identification is at issue only when the email in question uses misleading information in the subject line, has an invalid reply address, or attempts to disguise routing information. In short, legitimate commercial email, even when unsolicited, doesn't run afoul of the Washington State anti-spam law at all, and thus the concern over identification is moot.
The Washington State Supreme Court also disagreed with Robinson's opinion that inconsistent state laws regulating spam also create a burden on interstate commerce. The Supreme Court found that anti-spam laws in the 17 other states that have enacted such legislation have much overlap and complement each other in some respects, but there's no actual conflict.
Justice Susan Owens expressed it best when she wrote, "the only burden the Act places on spammers is the requirement of truthfulness, a requirement that does not burden commerce at all but actually facilitates it by eliminating fraud and deception."
Will the revitalization of the Washington State anti-spam law eliminate spam? No, though it's still an important decision that ultimately will reduce the amount of spam. The problem is that a large amount of spam is sent by small-time grifters, people who live in the cracks of society by not violating any criminal laws, changing names and addresses regularly, and staying out of the way of large companies with deep pockets. Those sorts of people have always existed, but in the past their small predations have been limited. Thanks to the way the Internet magnifies the effort of an individual, these people can now aim their scams at a huge and ever-increasing audience. The economics of spamming aren't good, but they don't have to be, since that sort of life tends to be a hand-to-mouth existence, so an infinitesimally small success rate is sufficient.
But having anti-spam legislation available as a tool for people and companies to use against spammers adds a level of risk to the act of spamming. It's not a big one, but since the margin of success with spam is so low anyway, the added risk doesn't have to be enormous to be effective. More importantly, by adding some risk to spamming, the legislation can help keep honest companies honest. If it were easier to send unsolicited commercial email with misleading subjects or deceptive routing information, some companies would no doubt take that approach, and hopefully this legislation will help dissuade them.
We did see a drop in the amount of spam in 1999 that might have correlated with the passage of anti-spam legislation, but particularly when the Washington State statute was declared unconstitutional, the volume started to rise again, such that despite increasingly effective filters on our mail servers, both Geoff Duncan and I received more spam per day in 2000 than in 1998 (Geoff had an average of 7.8 spam messages per day get through server-side filters in 2000; my average was 8.2 per day). You can see how we compared to other TidBITS readers in the results of a poll from a year ago.
[This text is currently unavailable.]
One way or another, it's clear to me that we as a society have a long way to go in learning how to live with this Internet genie we've released. But we'll have to take the bad with the good, and I remain hopeful that one day we'll have effective social and technical mechanisms that will eliminate spam from our lives without the need for legislation.
Article 12 of 12 in series
Spam is known to the law as "unsolicited commercial electronic mail," or UCE, and is usually defined as email in which someone is trying to sell someone else a product or service, or otherwise part recipients from their money. Recently, the State of California passed a tough new anti-spam statute that goes into effect on 01-Jan-04. The new California statute departs from others of its kind in a number of respects (something California is becoming increasingly good at doing). One of the more telling departures is that it uses the legally informal term "spam" throughout, although it does use the more legalistic "UCE" where a more specific definition is needed.
I don't need to tell TidBITS readers that spam is a worsening problem afflicting the Internet. According to Brightmail, spam has increased from only 7 percent of total email traffic in April 2001 to a whopping 54 percent in September 2003.
Sending spam carries very little cost to the spammer because the costs are borne by ISPs, which pass them on to consumers in the form of increased access charges. According to a report from San Francisco-based Ferris Research, spam cost companies in the United States over $10 billion last year - just imagine the late Carl Sagan saying "billions and billions" and you'll get the picture - in lost worker productivity, technical solutions, and wasted bandwidth. An abstract of the study is available free. The full study requires a subscription.
Users are mad as hell about spam. A Harris poll taken two and a half years ago showed that 49 percent of users wanted an outright ban on spam. In a followup, titled "Large Majority of Those Online Wants Spamming Banned," Harris found that that number jumped to 80 percent by late 2002, and it's probably even higher now.
The number of complaints received by state Attorneys General and the U.S. Federal Trade Commission has skyrocketed, and consumer pressure to control spam is being felt at all levels of state and federal government. To date, 36 states have passed laws dealing with spam.
The Washington and California statutes are the most aggressive of the batch. Both have been vigorously challenged in the courts on various grounds, and both have ultimately been upheld. Heartened by these judicial affirmations, California has now enacted an even stronger statute that is already generating renewed controversy.
A New Model -- In 1998 California enacted one of the first and strongest anti-spam statutes in the nation (see "California Outlaws Spam" in TidBITS-448). Defining spam as unwanted commercial email intended to sell a product or service, the law required spammers to identify their email by putting "ADV:" in the subject line or "ADV:ADLT" for adult-oriented email. While individuals were not granted the right to sue, ISPs were empowered to sue spammers for violations and to obtain a judgment for significant penalties. The law was promptly challenged. In Ferguson v. FriendFinders, Inc. a lower court found it to be an unconstitutional violation of the U.S. Constitution's interstate commerce clause. The California appellate court disagreed and the law remained in force.
There is no indication that California's law has stemmed the tide of spam or even caused much spam to be labeled. Indeed, the volume of spam flooding the Internet has steadily increased despite such laws. Undaunted by failure, in September 2003 the California legislature enacted an even more sweeping statute.
The new law keeps certain features of the old one. For example, spammers must still include "ADV" or "ADV:ADLT" in the subject line, and must provide an 800 number or valid email address allowing recipients to request removal. But the changes in the new law are very significant.
The new statute completely bans all UCE unless specifically requested or authorized by the recipient. Like the old law, it is still limited to spammers using equipment in California or sending to recipients in California. But individuals now have the right to sue spammers for violating the law and to collect either actual damages or $500 per spam up to a limit of $1 million per "incident." An "incident" is "a single transmission or delivery to a single recipient or to multiple recipients of unsolicited commercial email advertisement containing substantially similar content."
One of the more sweeping provisions of the new statute prohibits anyone from collecting email addresses from the Internet for the purpose of sending spam to Californians or from California. In short, California is targeting address harvesting regardless of where the acts occur if the intent is to use the addresses to spam Californians.
There are a number of legal and practical hurdles this new statute will have to overcome. The following are some examples.
Commerce Clause -- The commerce clause is found in the U.S. Constitution, Article I, Section 8, Clause 3.
On its face, the commerce clause merely gives Congress the authority to "regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes." However, a huge body of law has grown up around this short phrase. The commerce clause issues are fascinating (well, to me anyway). Unfortunately, they are also incredibly complex and far beyond the scope of this article. So I will simply point out that the issue exists, that there is a lot of debate over how the commerce clause should be applied to Internet commerce, and that the issues are far from resolved. Partly because of the commerce clause issues, when Congress enacts legislation on spam it may abrogate state laws either entirely or in part.
Implicit in the commerce clause is the "dormant commerce clause." That doctrine holds that there are certain areas in which states cannot legislate even if Congress has not acted. The principal commerce clause challenges to spam arise under the dormant commerce clause doctrine. The argument runs like this:
State boundaries are irrelevant to the Internet, and thus to spam. All Internet email is necessarily interstate. It travels across interstate lines and is relayed via servers that could be anywhere in the world. Any regulation by any state necessarily affects interstate commerce, and one state's laws will necessarily affect spammers in other states. Thus, argue opponents of spam legislation, no state regulation of spam is possible without violating the commerce clause. Only Congress can legislate over such an inherently interstate activity.
The previous California statute survived a dormant commerce clause challenge because the court found that the statute applied only to (a) spammers using equipment located in California; and (b) spammers sending email to California residents. Because the effect of the law restricted only California-specific conduct, the court found that the commerce clause was not violated.
I anticipate a renewed challenge to the new statute under the commerce clause. I suspect that at least one clause in the new statute will not fare so well under a commerce clause analysis, and will be stricken. The new statute makes it "unlawful for any person or entity to collect electronic mail addresses posted on the Internet if the purpose of the collection is for the electronic mail addresses to be used" to initiate or advertise in an unsolicited commercial email advertisement to or from California. This provision applies to everyone, everywhere, who is collecting email addresses if the purpose is to spam Californians - regardless of whether they actually carry through on it.
First Amendment -- There has been much hoopla recently over a Colorado federal court decision blocking the Federal Trade Commission's (FTC) "Do Not Call" list because it may violate telemarketers' free speech rights. Telemarketing is similar to spam in a number of respects, and the arguments leveled against the "Do Not Call" list can easily be applied to spam laws. Indeed, advocates of spam have consistently argued to state legislatures that anti-spam laws violate the First Amendment. However, to date those arguments have not been a key part of the court decisions upholding the statutes.
The federal court of appeals has now stayed the Colorado federal court's decision and the "Do Not Call" list is moving forward. However, I anticipate that we will see additional First Amendment challenges to spam laws, and the California statute is ripe for challenge.
Jurisdiction -- Most of the complaints about the jurisdiction of a state to go after spammers in another state or abroad are actually enforcement issues. The legal issues of when a state has jurisdiction over out-of-state entities are fairly well established.
I believe that all states have enacted a form of law called a "long arm statute." In essence, long arm jurisdiction extends to any person or entity who takes advantage of the benefits of a state's laws. Even minimum contact with a state confers jurisdiction if the contact is enough to invoke the protections of state law. So, for example, a company that sells products via a catalog and has customers in a particular state can sue a customer under state law for failing to pay. But that company can also be sued by the customer under state law for failure to deliver or other breaches.
There is little question that a spammer soliciting sales in California is subject to California law. But this is a good point to segue from the legal challenges to the practical ones. A big practical question is: how do you find spammers?
In order to start a lawsuit, the plaintiff must physically hand the defendant a copy of the complaint. This is known as "service of process." It is difficult to serve someone unless you can find them. In the 1998 case that I helped Adam and his fellow TidBITS editors bring, the defendant played a shell game with false company offices, at least two fake names, and multiple fictitious addresses. After the litigation started, he actually changed his business address once a month. (See "TidBITS Sues Spammer" in TidBITS-439, and "Spam Damned in Washington State" in TidBITS-583.)
[This paragraph currently unavailable]
The solution to not being able to find someone to serve papers is to use a process called "service by publication," in which the court approves publication of the complaint in the local papers. After a period of time, the complaint is considered to have been served and the case can proceed.
That may solve the legal issue, but it does nothing to solve the practical problem. After all, if you can't find the defendant, how are you going to collect on your judgment? At some point, it becomes necessary to identify and locate the defendant physically.
Enforcement -- Under long-arm statutes, even off-shore merchants doing business in the U.S. are subject to U.S. law, including the laws of the states they sell in. If the spammer is a legitimate business that values its reputation and customers, there is little problem enforcing a judgment. But most spammers are anything but legitimate businesses. They do everything possible to mask their identities and location, including hiding in other countries that don't have or enforce spam laws. If you obtain a judgment in a California court, will you try enforcing it in China? The Bahamas? It is highly unlikely. Even in countries that have reciprocal enforcement of judgments treaties with the U.S., the costs of enforcing a judgment abroad are usually prohibitive for the average spam victim.
Collection -- But let's say that you are one of the fortunate ones who locates, serves and gets a judgment against a spammer. Will you collect your riches? Again we run into the disparity between legitimate businesses who care about their reputation and customers, and the majority of spammers who care nothing for either. It is likely that even having identified the live body of the spammer, a plaintiff will have to pursue execution of the judgment. No, that doesn't mean executing the spammer (popular though that option might be with some people). "Execution" is legalese for the court procedures that include garnishing wages, bank accounts, and the like. Execution can be costly, time-consuming, and often will net the plaintiff only a portion of the judgment. Of course, that will be further reduced by the amount of attorney fees racked up in the course of executing on the judgment.
Conclusion -- The new California statute definitely pushes the envelope. It bans all unsolicited commercial email unless the recipient has agreed to receive it. It creates a private right of action allowing individuals to sue for damages for each item or incident, and it bans harvesting email addresses for the purpose of spamming Californians.
The new statute will inevitably draw court challenges. While some of the statute may be stricken as overbroad or violating federal law or the Constitution, most of it appears to be in line with law that has already survived such challenges. The law is deliberately modular, or in legalese "severable," so that portions can be excised if a challenge is successful, while leaving the rest of the statute intact.
Unfortunately, spam laws won't stop spam, nor will they even stem the tide, if experience so far is any guide. The old California statute did not reduce or even noticeably slow the increase in spam. I hold no great hope that the new statute will do any better. Legitimate businesses have already altered their practices to comply with existing spam law, and will no doubt do their best to comply with the new one. But legitimate business accounts for only a small amount of the spam we receive. Most spammers will simply keep on spamming. The new law will doubtless create a flurry of new court actions against spammers, resulting in more default judgments that can't be collected. And the spammers will keep spamming.
Lest I sound unduly bleak, I am not suggesting that there is no solution to the spam problem. However, I do not believe that the law will stop or reduce spam.
Legal remedies are great for deceptive, misleading and fraudulent marketing practices - but those things have been illegal for a long time. Spam laws should be able to give law enforcement needed tools to go after spammers (focusing on the most egregious ones), and to allow individuals who are so inclined to go after them as well. But the Internet is a global phenomenon. State boundaries are largely irrelevant to the Internet, and state spam laws will do little or nothing to solve the larger problem. On the other hand, passing more laws amounts to more regulation of the Internet, and sets an increasingly popular precedent for further regulation. Be careful what you wish for!
I believe that the solution to the problem of spam is technological. For example, I receive between 100 and 200 spam messages each day, but 98 percent of those are filtered out by Eudora 6.0's Bayesian spam filter. True, I must regularly review the collected mess of Nigerian political refugees looking for a kind stranger to help launder a few million dollars, the offers to enlarge various body parts (some of which I don't have), and the ever popular get-rich-quick schemes so that I can find any false hits and rescue them. But as annoying as this is, it is currently the cost of using a largely unregulated forum such as the Internet in a capitalist society that values free speech and privacy.
[Brady Johnson is a grouchy attorney in Seattle who really, really hates spam.]