(At several places in this document, the string {expletive} appears. When I typed it, I was thinking of various rather nasty words. You know, the kind you hear in hard-core rap songs. I'm sure most of you have your own favorite expletives - when you see this string, substitute one.)
I last wrote this page quite some time ago. As you probably know, nothing - at least nothing effective - has been done about this ongoing theft... In the meantime, these {expletive} thieves have found new ways to force their crap into our mailboxes, and to prevent us from complaining. One spammer recently opened an account on a new ISP, and immediately obtained a restraining order preventing that ISP from shutting down their account. (even before they began spamming) (That {expletive} judge should be sentenced to buy and use every product/service promoted to him by spam for the next year)
Internet users are fed up. And Congress is finally acting. Unfortunately, their action may well be useless, or less. After writing my representatives about the issue, I received a response from Rep. Ed Bryant (R, TN - 7th). He's a co-sponsor of HR718. "This legislation would protect individuals, families, and Internet service providers from unsolicited and unwanted electronic mail." No, it wouldn't. It would require spammers to provide a valid return address and the opportunity to opt out of future mailings. If violated, a victim could sue the spammer for $500 per message, up to a limit of $50,000, or in some cases $150,000.
(Rep. Bryant's office also wrote that a significant amendment was introduced in May which would simply prohibit spammers from forging their return addresses. Doesn't really make much difference.)
Seems reasonable? Well... While it cannot be conclusively proven (unless we can get one of these {expletive}s to admit to it) investigations have shown that, when you ask one of these {expletive}s to be placed on their "remove list", your address is placed on an "active addresses" list. And sold to other spammers at a premium. Nothing in this law would prevent that process. No experienced spam fighter uses a "remove list" address; requiring it to work will accomplish absolutely nothing.
Even if the law did prevent spammers from selling the addresses of those who ask to be removed (and even if that provision was reliably enforced), it would be ineffective. All legitimate Internet service providers prohibit spamming in their terms of service. Email addresses used in connection with spam are routinely and promptly cancelled. (spammers hope to gather one or two valid addresses for resale in the brief period between when their {expletive} goes out and when their return mailbox is killed) The remove-list address that was valid when the spam was sent won't stay valid for long.
That really doesn't matter anyway. There is a fundamental difference between email spam and other types of direct marketing. To wit: the financial barriers to getting into spamming are far, far lower than those for getting into postal or telephone direct marketing.
The (apparent) absence of any criminal penalties for spamming doesn't help. Allowing the victims of spam to sue is not a bad idea. But for most victims, suing is simply not practical. Finding the spammer's physical location, so they can be served with summons, is the first challenge. Next, once they get their judgement, they have to figure out how to collect it. The spammers are {expletive} criminals in the first place, they're unlikely to voluntarily comply with a court order. $500 per message is not enough to cover the lost time and travel involved in suing.
Finally, I don't see any indication here that Americans would be banned from hiring foreigners to spam on their behalf! Doctor Podunk's wants to advertise by spam, but doesn't want to provide a return address. So, he hires a "marketing" firm in the Cayman Islands to do his marketing for him. The firm is actually owned by Americans, but it's legally incorporated offshore and uses computers outside the U.S. to send its {expletive}.
1. We should establish a national no-email list. Anyone who
doesn't want to receive spam should be able to submit their e-mail address
to a list. Internet service providers should be able to submit their entire
domains to the list, as long as they inform their customers that they've
been submitted.
The government should sell copies of this list to marketers. They should
charge enough to pay for the maintenance of the list.
It should be unlawful for any U.S. citizen, resident, or corporation to
e-mail an advertisement to any address on this list. It should also be
unlawful for any U.S. citizen, resident, or corporation to cause any other
person or corporation (U.S. or foreign) to e-mail an advertisement to any
address on this list.
Violations should bear criminal penalties - a fine of at least $10,000, and
prison term of at least 6 months. Levying only fines runs the risk of an
advertiser deciding the extra revenue is worth paying the fine. Sending
people to federal prison should be an adequate deterrent.
2. Internet service providers (ISPs) need to take more effective
action. Spammers rely on being able to make a small number of very
high profit sales very quickly, in the period before their return address
method disappears. Delays in the reporting of spam make that spam more
profitable.
Reputable ISPs maintain an "abuse" account - "abuse@bellsouth.net", etc.
When you note that someone at BellSouth.net appears to be engaged in
spamming, you can forward the spam to that address. BellSouth's technicians
will investigate, and if the complaint is valid, they will suspend or
terminate the offender's account.
Unfortunately, some ISPs don't adhere to this standard. Some think that
because they don't offer email (for example, they only offer Web hosting)
they don't need an abuse account. However, spam is often used to promote
Web sites. Reputable Web hosting companies will kill a site that's been
promoted by spam - but they can't do so if there's no way for spam victims
to tell them about their customers' abuse.
Other companies think that because they don't offer access to the
general public, they don't need an abuse account. But often, misconfigured
computers at these companies are used by spammers to relay their
{expletive}. These companies need to know that their systems have been
comprimised. Every Internet domain needs an "abuse" account.
Maybe the worst are ISPs that decide they want to use non-standard methods
of taking spam reports. One firm which is occasionally used by spammers has
started bouncing all email received at their "abuse" address, and begun
demanding complainants use a Web-based form. With spammers using dozens of
different ISPs, it is NOT POSSIBLE to keep track of the unique
reporting requirements of each ISP. An ISP that demands any
reporting method other than forwarding to "abuse@isp.net" really doesn't
want abuse complaints - and is aiding and abetting these {expletive}
criminals.
Another problem are public-access ISPs that don't take prompt action against
spammers on their systems. If you file a spam complaint with one major
British ISP, you get an auto-response that says their abuse account is only
read during business hours in the U.K.. As you might imagine, much of the
spam sent through this ISP is received a few minutes after the close of
business on Friday; the spammers know no action will be taken against their
sites until Monday morning. Another ISP requires a supervisor's approval to
suspend or kill an account or site; sites have been known to stay up for
several days after numerous valid spam complaints were filed. Public-access
ISPs must have people on duty 24/7 who have the knowledge to judge
the validity of spam complaints, and the authority to immediately suspend
any accounts and websites that are the target of valid complaints.
3. Law enforcement needs to be easier to contact via the Internet.
A significant fraction of spam promotes scams, pornography, illegal chain
letters, and/or tax evasion. Spams with pornographic content are sent to
millions of addresses - thousands of which belong to young children. It's
not particularly difficult to figure out which police force has jurisdiction
over most spammers, and it's usually not particularly difficult to find a
Web site run by that police department.
E-mailing information to these departments, however, is usually much more
difficult. I recently received a pornographic spam from an outfit in Valley
Village, California. It took just a few minutes to find the Web site of the
local police. I had the names and office phone numbers of all the town's
police officers. But there was not a single email address anywhere on the
site!
Likewise with illegal chain letters. The Postal Service's website makes it
clear these are illegal. (despite the claims of the spammers to the
contrary) It fully explains why they're illegal. It even provides a
web-based form to show how to complain. Fill it out - it shows you the
postal address of the nearest Postal Inspection Service office and tells you
to mail them a printout.
The Securities and Exchange Commission has the right idea. A fair number of
spams are "shilling" stocks - trying to artificially inflate their value so
that scammers holding large amounts of cheap stock can make a quick killing.
The SEC has established an address "enforcement@sec.gov" which accepts
complaints about this kind of spam. Other government and police agencies
should follow the SEC's lead. All regulatory and law-enforcement
agencies should have an "enforcement" address to accept Internet complaints
in their jurisdictions.
4. Physical restraint may be necessary against these {expletive} spammers. Local governments should enact laws making aggravated assault legal if the assailant can show that the victim was engaged in spamming.
© D. Smith W9WI 2009
Page created