SPAM – The next inflection point in the revolution

“Be careful about what you ask for. You just might get it!” a friend said one day as I was leaving work at a telefunding job in Minneapolis. We were talking about the public outrage at the volume of telemarketing and spam, to the point that jobs are threatened and maybe the openness of the Internet and the ability of entrepreneurs to continue using it in the future is compromised. And when we speak of spam, we are not referring to the luncheon meat in the opening scenes of Sophie’s Choice.

What we “asked for,” of course, was micro-cost communications. Instead of going to the moon and the rest of the solar system, our culture spawned a revolution in inexpensive telecommunications, leading to new opportunities both to make money and to make a name for oneself with very little in the way of credentials or previous financial mass. In a way, though, maybe it is like real estate in past decades.

While I used the web as a way to make my books and writing known and have them read with very little investment, others were using it for get-rich schemes. Email, they noticed, carried no postage stamp. And rapid advances in hardware and software in the 1990s made it possible to generate emails and send them to literally hundreds of millions of potential customers at practically no cost.

The ethical problem with this is the inverse of draft dodging in the 60s. If everybody does it, the system breaks down. Or if only a relatively small percentage of users do it, the whole system can be stressed severely.

Therefore, the recipients and facilitators of the email bear the cost. Individuals and businesses take the time to filter out emails worth reading, often less than half of those sent. Parents are afraid to inspect their email inboxes in front of children, and may have trouble keeping such emails from their kids’ accounts. ISPs and servers spend their bandwidth transmitting them and now filtering them out with a variety of spam filters. Larger ISPs like AOL and Earthlink have implemented relatively effective spam filters and have started suing spammers.  Unsolicited text message spam sent to cell phones and wireless devices has become a bigger problem in Europe and Asia than in the United States, but cell phone users may have to pay for each message received and in some cases have cancelled service because of spam.

Another factor is that the most prolific spam offenders tend to be very small operations, even individuals, with relatively little capital. Generally, legitimate companies have followed reasonable common sense in building their email lists. However, spammers often try to sell products or services (especially pornography, products related to sexual performance, illegitimate debt collection services, or various international money laundering scams [the “Nigerian scam”]). If only a thousand or so out of 100 million addresses purchase when receiving spam, it becomes profitable. This picture tends to harm the idea of entrepreneurialism as a whole, and creates the impression that small Internet businesses or individuals may not be legitimate or authentic. It is also not good for information technology as a profession. What happens when someone has a resume but has worked as a spammer when it was legal?

Some spam, besides inviting people to be scammed (such as the infamous “Nigerian Scam”) might have ties to money laundering that could support terrorist operations.

Gradually states have been passing a variety of anti-spam laws, and Congress is close to passing an anti-spam law at the end of 2003. But at this point it is well to go over a number of the proposals. 

· The common-sense approach in many state laws and bills is to forbid sender disguising or spoofing and to provide a legitimate ability for recipients to opt out. There is more detail about these bills in the August 2003 PCWorld article “Uncle Sam vs. Spam” by Daniel Tynan (“A slew of proposed federal and state bills promise to protect your in-box. But can any law stem the tide of spam?”):

http://www.pcworld.com/reviews/article/0,aid,111112,00.asp

· Some states want to ban all unsolicited email, very much the way some people want to ban all telephone solicitations. In September 2003 California passed a draconian “opt-in” law that would prohibit the sending of even one unsolicited email to (or from) a California email address when the sender does not have a business relationship with the recipient. There is a provision for a fine of $1000 per email ($100 per “mistake”) or $1 million per campaign. Ivan Hoffman has a cogent discussion at

http://www.ivanhoffman.com/antispam.html

· Hans Peter Brondmo, of Digital Impact, proposes Project Lumas, where bulk emailers have to get digital certificates and performance scores similar to Fair Isaac credit scores.

· Microsoft proposes requiring bulk emailers to use an ADV mark, with an exemption for commercial mailers who demonstrate compliance with a seal of good practice (and this could be difficult for small businesses). This is called “Sender ID,” and Pobox.com is a co-sponsor. It would work best in a world with larger ISPs, which would cull lists of approved senders by application. Doaskdotell.com, for example, would have to be an approved sender for Hotmail, with known sender lists. When an email that purported to be from this domain arrived, Hotmail would check the real sending IP against the IP that had been registered for it, and would reject the email if they did not match. Anonymous senders would be stopped by this system. Microsoft wanted to patent this process, which had originally been invented in part by Meng Wong. The Internet Engineering Task Force was trying to implement it as an industry standard, and its political credibility broke down with Microsoft’s patent application.[1] [2]

· Steve Linford, of the Spamhaus Project, develops block lists and ROKSO (the Register of Known Spam Operations).

· Esther Dyson (Edventure Holdings, Release 1.0) proposes letting recipients set an initial price (probably about that of a postage stamp) for receiving unsolicited email, which would be billed to the sender’s account at the sender’s ISP; recipients would be given the opportunity to allow subsequent emails from the same sender to be free.[3] Presumably, spokespersons who appear in the media should be prepared to receive well-intended and constructive comments from the public.

· There has been a lot of discussion of charging for emails, after a certain threshold is reached. This would be accomplished by ISPs. Persons who ran their own servers would somehow have to register their servers. There would have to be some kind of controlling authority like ICANN.  The stamp would be some kind of serial number, a checksum, and the URL of the recipient.[4]  Major ISPs actually do charge for excessive emails, when the emails use over a threshold of disk space and bandwidth, but these allowances are typically very generous for most legitimate use. I am not aware that ISPs have been charging for the receipt of spam, but a “nuisance” customer could inadvertently attract spam. 

· Earthlink is developing an “opt in” only system for its customers.

· A new technique called challenge-response requires the email sender to answer a form before the email can go through. This could slow down mass mailings from legitimate operations (see note (1) above). Peoplepc.com and earthlink.net, for example, have an effective system that requires a sender to answer an automated response and repeat a hand-drawn, non-scannable graphic.[5]

· An AP story by Anick Jesdanun (July 23, 2005) reports that a company called Blue Security sets up honeypots to attract spam, and then uses “Blue Frog” software to flood a spamming site with messages to shut it down with a kind of pseudo “denial of service” attack. Others call this approach vigilantism.

· It is true that good computing habits can reduce the receipt of spam with forged headers. Typically one should be wary of posting a complete email address in multiple locations. It may be better to use web contact forms, rather than posted email addresses, to receive communications from clients. But not all servers support these forms (they seem to be an issue on Windows servers).

At the outset, we favor a similar approach, of a small “per recipient postage charge” per email (1 cent per email destination or 2 cents for a listserver destination), which would be affordable by all individuals and legitimate marketing efforts. The concept would be to make the sender pay for email following the paradigm for physical mail. Money raised would go strictly for improving Internet security. ISPs would be required to collect the fee separately, and persons who run their own mail servers would have to have a license with fees processed through an appropriate NGO. Another idea would be to place a moderately time-consuming calculation in all email send programs to slow down spamming.
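The “moderately time-consuming calculation” idea above, worked through as an added example that is not part of the original essay: the sender must find a counter that makes a hash of a per-recipient “stamp” start with a chosen number of zero bits (the same idea as Hashcash-style proof-of-work), while the recipient checks it with one hash and rejects replays, stale stamps, or stamps minted for someone else. The stamp format, function names and the 2-day validity window are this example’s own assumptions.

```python
"""Proof-of-work email 'stamp': the sender burns CPU time once per recipient,
the recipient verifies with a single hash. Constructed illustration; the stamp
format below is this example's own, not a deployed standard."""
import hashlib
import os
import time
from datetime import datetime

STAMP_VERSION = "1"


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint_stamp(recipient, bits=16, date=None):
    """Sender side: search for a counter so that SHA-256 of the stamp has at
    least `bits` leading zero bits. Expected cost is about 2**bits hashes, so
    raising `bits` raises the per-recipient cost of a mass mailing.
    Returns (stamp, number_of_tries). `recipient` must not contain ':'."""
    date = date or time.strftime("%Y%m%d")
    rand = os.urandom(8).hex()  # makes each stamp unique even for the same day and recipient
    counter = 0
    while True:
        stamp = f"{STAMP_VERSION}:{bits}:{date}:{recipient}:{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp, expected_recipient, min_bits, seen, today=None, max_age_days=2):
    """Recipient side: one hash plus a few cheap checks. `seen` is the
    recipient's store of already-accepted stamps, so one stamp cannot be
    replayed against the same mailbox. Returns (accepted, reason)."""
    today = today or time.strftime("%Y%m%d")
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != STAMP_VERSION or not parts[1].isdigit():
        return False, "malformed stamp"
    bits, date, recipient = int(parts[1]), parts[2], parts[3]
    if recipient != expected_recipient:
        return False, "stamp minted for a different recipient"
    if bits < min_bits:
        return False, "declared work below minimum"
    try:
        age = abs((datetime.strptime(today, "%Y%m%d") - datetime.strptime(date, "%Y%m%d")).days)
    except ValueError:
        return False, "malformed date"
    if age > max_age_days:
        return False, "stamp too old"  # limits how long a precomputed stamp stays usable
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False, "hash does not show the declared work"
    if stamp in seen:
        return False, "stamp already used"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    start = time.perf_counter()
    stamp, tries = mint_stamp("reader@example.net", bits=18)
    print(f"minted after {tries} hashes in {time.perf_counter() - start:.2f}s: {stamp}")
    print(verify_stamp(stamp, "reader@example.net", 18, set()))
```

The asymmetry is the point: minting at 18 bits costs on the order of a quarter-million hashes per recipient, verification costs one.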

These most interesting proposals seem to imply that any commercial user (even an individual like me selling self-published books) would have to establish a unique identification code (something like an EIN with the IRS) with which his or her activities could be accounted for and billed. It is certainly reasonable that the cost of sending a message should be borne by the sender and perhaps be a few cents per recipient (in analogy to mail). But the regulatory mechanisms (even if “privatized” and outside of government) might even affect (through registration costs) small businesses or individuals who (like me) do not use mass mailing but depend on the passive marketing offered by search engines. An identification code could be used to force any commercial domain operator to make financial results and other qualifying information available to the public. Currently, the main control over passive content abuse (by domain owners like me) comes from the fact that ISP’s charge for excess bandwidth use, although academic and text content generally would not exceed any reasonable bandwidth allowance (movies and music could). Even here, what if a disgruntled reader tried to heckle a site by writing a script to generate excessive bandwidth to it (like a DOS attack)?

AOL (America Online) and Yahoo! have both started postage-due systems, billing approved commercial mailers 1/4 cent per item delivered in order to give guaranteed speedier delivery to (AOL and Yahoo!) subscribers who have agreed to receive notification emails from these vending companies. Both ISPs maintain that this is a major voluntary, non-legally-driven and "libertarian" step in fighting spam. There are criticisms that this will interfere with airline and travel confirmations, order confirmations, and similar legitimate uses. Non-paying vendors will have to negotiate spam filters. [5.5]

As a systems design exercise and thought experiment, it is not so hard to see how to implement a “postage” charge for email sent through “conventional” ISPs, because headers could be tracked to IP addresses, domains, and other ISPs through these databases (including WHOIS) for accounting purposes (through rather conventional relational access techniques, in either a conventionally procedural or object-oriented design). But an SMTP engine can be installed (by a worm) on any equipped machine connected to the Internet and run without these hooks. So there would have to be some way to account for (or perhaps “license”) free-standing machines capable of acting as servers, and at an international treaty level that might be an enormous effort, although efforts to modify SMTP or replace it, as noted below, would help, as would tighter control of the accuracy of WHOIS, which with some domain name registration services is clumsily handled.

Implementation of such a systems approach would require an enormous development and testing effort by a number of major companies and providers like IBM, Microsoft, and Sun, as well as the credit card companies. Maybe that’s a good thing, because it would generate some pretty good jobs. And western capitalism is pretty good at designing and implementing complex solutions to problems into operating systems and in doing accounting and billing.

Spammers often forge email headers to make it appear that an “innocent” third party sent the spam, so that the email appears legitimate and escapes filters, although the customer will quickly discover otherwise when visiting the website pointed to in the spam content. Often spammers put random characters into heading lines to try to defeat filters. This practice, of forged headers, is called spoofing.

Therefore, a malicious spammer can substitute a home or small business email address (and email header) as the sender. This can have consequences for the target. The affected party (who is spoofed) may receive complaints and bounce-backs, and in some cases his own mailbox may be overwhelmed (this has been ruinous for some small businesses whose domains became targets). The complaints may be less likely now as more users of email understand how spoofing occurs and that it cannot now be prevented (although it is illegal in many states). However, some ISPs have canceled the account privileges of people who were spoofed by spammers. Why? Of course, careful examination of a spoofed email can show that it did not come from the spoofed individual or his domain. Generally, determining the origin of the email is still a straightforward process (even more so with an email program like Microsoft Outlook), because the sending IP (Internet Protocol) address is present and it can be looked up at http://www.arin.net/whois/index.html.[6] [7] Heinz Tschabitscher provides a good detailed example, “What Email Headers Can Tell You About the Origin of Spam.”[8] I have not found a published example analyzing a return email to the target of the spoofing.

Microsoft proposes letting a web domain owner publish the identification numbers of their mail servers on the “WHOIS” database for the company that manages the domain name. Again, this modification to the DNS system might be a significant project. But this would seem to make it hard to spoof, if ISP’s verified IP’s against such a database as another part of the filtering process. At the same time, spammers seem to be getting more sophisticated in breaking into servers and replicating legitimate matching information in forged headers, even while sending the mails from SMTP engines on their own machines. 
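The sending-IP verification described here and in the Sender ID bullet above, as an added example that is not from the article or from Microsoft: the receiving server takes the IP that actually connected to it (the topmost Received header, the only one it wrote itself), looks up the From domain in a published list of that domain’s mail servers, and rejects a mismatch. The registry, the sample messages and the documentation-range IP addresses are constructed for this example.

```python
"""Sender-IP check of the kind the Sender ID / published-mail-server proposals
describe: the receiving mail server compares the IP that actually connected to it
with the addresses the From domain has published. Constructed illustration; the
registry and sample messages are invented for this example."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Stand-in for the published per-domain list of authorized sending hosts
# (constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges).
REGISTERED_SENDERS = {
    "doaskdotell.com": ["192.0.2.0/28"],
}

# IP literal in brackets as written by the receiving server, e.g. "(host [192.0.2.5])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sending_ip(msg):
    """Client IP from the topmost Received header. Only that header was written
    by our own server; everything below it arrived with the message and may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def check_sender(raw_message, registry=REGISTERED_SENDERS):
    """Returns (verdict, reason): 'pass', 'reject', or 'unknown' when the domain
    has published nothing (the anonymous-sender case the proposal would stop)."""
    msg = message_from_string(raw_message)
    domain, ip = sender_domain(msg), sending_ip(msg)
    if domain is None or ip is None:
        return "reject", "no usable From domain or sending IP"
    networks = registry.get(domain)
    if networks is None:
        return "unknown", f"{domain} has not registered any sending hosts"
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in networks):
        return "pass", f"{ip} is a registered sender for {domain}"
    return "reject", f"{ip} is not a registered sender for {domain}"


# Constructed sample messages. The spoofed one carries a forged inner Received
# line claiming a doaskdotell.com host; the check ignores it and uses the real hop.
LEGIT_MESSAGE = (
    "Received: from mail.doaskdotell.com (mail.doaskdotell.com [192.0.2.5])\n"
    "\tby mx.example.net with ESMTP; Tue, 4 Nov 2003 10:00:00 -0500\n"
    "From: Bill <bill@doaskdotell.com>\n"
    "To: reader@example.net\n"
    "Subject: Reply to your inquiry\n"
    "\n"
    "Thanks for writing.\n"
)

SPOOFED_MESSAGE = (
    "Received: from mail.doaskdotell.com (unknown [198.51.100.77])\n"
    "\tby mx.example.net with ESMTP; Tue, 4 Nov 2003 10:05:00 -0500\n"
    "Received: from mail.doaskdotell.com ([192.0.2.5]) by mail.doaskdotell.com\n"
    "From: Bill <bill@doaskdotell.com>\n"
    "To: reader@example.net\n"
    "Subject: kdj3 Great offer inside\n"
    "\n"
    "Visit our site.\n"
)

UNREGISTERED_MESSAGE = (
    "Received: from smtp.somewhere.example (smtp.somewhere.example [198.51.100.9])\n"
    "\tby mx.example.net with ESMTP; Tue, 4 Nov 2003 10:10:00 -0500\n"
    "From: Anon <anon@somewhere.example>\n"
    "To: reader@example.net\n"
    "Subject: hello\n"
    "\n"
    "No published sender record for this domain.\n"
)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE),
                      ("unregistered", UNREGISTERED_MESSAGE)]:
        print(name, check_sender(raw))
```

Note that the check binds the From domain to a connecting IP only; it says nothing about whether the registered host itself has been broken into, which is the case the next sentences of the essay raise.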

Web publishers should not give out or display email addresses of other parties without permission, because that may make the email address subject to spoofing, and this involuntary exposure could conceivably constitute a tort itself. Furthermore, web publishers might be liable for credit card numbers, social security numbers, phone numbers, and other location or private information if they were stored on a site and then stolen by hackers or spammers. HPPUB does not store such information. But it is possible for a spammer to harvest names from a site used as bibliographic references and then use them to augment the sender line in spam. This might be embarrassing to the person whose name (but not email address) was so misused, but hopefully most recipients of such emails know by now that, again, this is a spoofing process that says nothing about the individual involved. Furthermore, addresses for spam (and spoofing) can be generated by algorithms, harvested from chat rooms and news groups or message boards, and (with certain worms and viruses) even from the cache of a home computer user. This has led to recommendations that people use “disposable” email addresses in public forums.[9]

This site (when it was hppub.com until July 2005) has been the target of spoofing recently, although it has not received any complaints. Again, this site does not send spam or mass marketing (by mail or phone or even legitimate email lists) of any kind. I do respond to specific inquiries or to other publications or websites and individuals that state a willingness to be contacted for legitimate networking.

Spoofing of course raises the question of the basic weakness in SMTP, the Simple Mail Transfer Protocol, which was designed two decades ago for a “trustworthy” environment. Paul Festa provides a detailed discussion in a CNET news article, “End of the Road for SMTP,” Aug. 1, 2003, at http://news.com.com/2100-1038-5058610.html?tag=nl. “The protocol that has defined e-mail for more than two decades may have a fatal flaw: It trusts you.” It was originally intended for a controlled network (Arpanet) of universities and defense sites. "I would suggest they just write a new protocol from the beginning," said Suzanne Sluizer, a co-author of SMTP's immediate predecessor (as well as TCP/IP) and a visiting lecturer at the University of New Mexico. However, Paul Hoffman, director of the Internet Mail Consortium and contributor to the Internet Engineering Task Force, writes that SMTP can now be run on top of SSL/TLS, authenticating senders, although there would still be some issues in authenticating mail servers. Another proposal is the Trusted Email Open Standard (TEOS). Yahoo is now working on a similar anti-spam authentication structure.[10] This concept is called “Domain Keys”; it requires considerable authentication at the domain level, would prevent recipients on other ISPs that haven’t installed the complementary signature verification from getting emails from subscribing Yahoo senders, and to some extent compromises anonymity; but it may be much harder for spammers and worm writers to get around it when forging headers.[11] Microsoft is promoting a sender verification mechanism, and as of late Oct. 2004 it had persuaded AOL to work with it on this.[12]

A new proposal is a special domain name TLD for mailing only, where the protocols would be set up so that the mail is trusted as not spam. For example, doaskdotell.com/content would have a domain doaskdotell.com/content.mail. However, these TLDs would be expensive and reasonable only for companies with a large volume of legitimate transactions justifying legitimate email.[13]

A recent concept (as of Oct. 2005) is “caller ID,” according to Jack M. Germain of newsfactor.com.  The underlying idea is that the ISP or sending facilitator gives the message a “score” and would block failing messages. Germain talks about Yahoo’s Domain Keys method as well as Microsoft’s Sender ID Framework (SIDF).[14] 

Spoofing, however, is a subset of an even bigger problem, which is the generation of fraudulent “commercial” emails by worms and viruses, or the intentional propagation of these worms by some spammers for “distributed spam” attacks, in a mechanism that reminds one of Distributed Denial of Service attacks. A few years ago, almost all viruses were sent as attached files that simply needed not to be opened. (A concept called social engineering refers to wording the subject line, spoofed sender and attachment name so that even a well-informed user will believe that the email is legitimate.) Now, some viruses can be disguised in the body of emails and fool users (although Microsoft is trying to patch the holes that allow this), and some viruses and worms come through an Internet connection alone. Most of these affect Windows based systems (due to the monoculture created by Microsoft’s effective monopoly), but a few have affected Linux or Unix servers, too, corrupting their command bases. Usually, a domain owner who uses a commercial ISP can count on the ISP to provide security from the use of his domain this way, but lapses have occurred. The result is sometimes that a domain will be blacklisted by other ISPs as a “spamming domain.” This happened once where I worked, and it happened once briefly to my domain in the summer of 2001. Here, the potential downstream liability for the domain owner would seem to be greater because in such a scenario his domain is actually sending the spam, even though it may happen because of inadequate security by his ISP. A domain owner who runs his own webserver would seem to be especially exposed to liability. A spam email generated off his server would not necessarily have his own domain name in it; he might not find out about a problem until a visit from a sheriff or process server.[15]

I recall having my first discussion of this downstream liability idea ironically in the Libertarian Party of Minnesota booth at the Gay Pride festival in Minneapolis Loring Park in June of 2000. It was during that period that DOS attacks had become more common. And now, the USA Patriot Act allows domain owners or server operators to be held liable for downstream damage to infrastructure if they are negligent in their security practices. 

The only rationale would be if that person is perceived to be an “attractive nuisance”[16] (attracting spammers, the way an unfenced swimming pool attracts kids) and is not himself operating a legitimate business. On the other hand, some ISPs now tell consumers that they have no way to prevent spoofing of email addresses owned by their customers and imply that they will generally not take action unless spam was actually sent from their own servers. There is more about the legal consequences of spoofing in Harry Valetk’s article “E-mail Spoofing: A Disturbing Spam Tactic” (http://www.gigalaw.com/articles/2003-all/valetk-2003-03-all.html). A party that is the target of spoofing can litigate against the spammer, either under many state laws or general tort law. A good case is RustNet, Inc. v. Benjamin and Randall Bawkon in Michigan, which was settled out of court without comment. In another case, a spammer defended itself by complaining that the target’s email address was generic and intended to extort money from spammers! Recently (at the end of 2003) some ISPs have been suggesting that web domain owners remove email addresses from their content to avoid spammer harvesting (which may markedly increase the chance of spoof-targeting as well as increasing spam received) and instead use forms and cgi-bin scripts to allow visitors to contact them. However, as noted above, domain owners must also be careful about hacker attacks by various means. This would include care with passwords, anonymous FTP, and familiarity with the ISP’s security procedures. For webservers run at home, competence in using firewalls, virus scanners and applying operating system patches is essential to reduce the risk of downstream liability. Domain owners, and probably especially webserver operators, should document their security procedures and log them offline for use as an affirmative defense in the case of experimental litigation.
Fixing SMTP would not protect domain or server owners whose facilities are actually used to physically send the spam or offensive emails (and spammers might simulate use on their own machines).[17]

The upcoming federal legislation and the particularly draconian nature of the “opt-in” California law SB 186 (effective Jan. 1, 2004), which can assess penalties for even a single email, have created controversy and speculation about constitutional First Amendment challenges. There are obvious problems with the inability of the sender to determine whether or not a particular email recipient is a “California” address, and with the vagueness of the notion of “commercial.” Would non-profits be treated differently than companies? What if I send an "unsolicited" email to a California "resident" (or email address) and discuss a matter of substance (like gay marriage or the military gay ban or even my COPA litigation as a member of EFF.org) and then mention the URL where my books can be found? This would seem to violate the letter of the law, although it is hardly spam according to common sense. Also, what is "unsolicited"? Does providing a contact email on a personally-owned domain give permission to email? Would an email without direct commercial or advertising content from a domain that offers commerce (or from an individual that owns a proprietorship) be presumed to be “commercial” according to the statute? Note that a sender not living in California or sending the emails from California could be liable for email sent to California under the Full Faith and Credit Clause. Already there have been a lot of frivolous lawsuits resulting from a less stringent law in Utah. Michigan is apparently enacting a “do not spam” list law that could have similar ambiguities.

The Federal Trade Commission has provided a paper on the possibility that hackers can use unsuspecting home users to send spam.[18]

Other organizations, such as the ACLU, have written position papers criticizing the vagueness and overbreadth of much of this legislation. As I note, the meaning of “commercial” is very open to interpretation, and may ensnare anyone who owns a proprietorship as sending an email that is “indirectly” commercial. The ACLU has criticized some provisions of proposed regulations regarding disguised headers, because anonymous speech is a First Amendment right. One ACLU position paper is http://www.aclu.org/FreeSpeech/FreeSpeech.cfm?ID=13258&c=84

The Senate passed the federal bill, called the “CAN SPAM act” on November 25, 2003. The House passed the bill in December.[19] Apparently it may seem less objectionable, and because it apparently overrides state laws like California, it has some support from legitimate direct marketers. An advertising company called Linkshare published an interpretation of the CAN SPAM Act on Dec 9 as favorable, clarifying and simplifying the responsibilities for merchants and businesses in e-commerce.[20] There are fines and jail terms for the most egregious spammers, an opt-out feature, and penalties for misleading headings and subject lines. Consumers will complain that this does not protect them as well as “opt-in.” The European Union, by early 2004, was trying to apply new pressure on the United States to adopt an “opt-in” feature, and to its credit the Bush administration has argued that this would be harmful to small businesses in comparison to large.[21] However, the FTC is supposed to report on the possibility of a “do not spam” registry within six months of passage, and this proposal could set more traps.[22] Could a small business owner not intending to send high-volume commercial email still be required to purchase it? Would home or small business computer users with operating systems capable of running servers (Windows XP Pro) or of being hijacked be required to purchase access to the lists? Could ISP’s manage access to the lists for customers? How should businesses that engage in legitimate “target marketing” be affected? Ultimately, Cato argues, industry must figure out how to stop sending of unauthenticated emails without charge or bonding.[23] Anti-spam legislation and litigation, if mishandled, is a bit like chemotherapy. The cure can be worse than the disease. It may target legitimate companies and individuals, maybe chilling them out of business, and leave unscathed offshore operators. 
This is a pretty good example of the public policy notion of “unintended consequences.” In some ways, the legislative solutions remind me of the overbreadth problems with COPA, the Child Online Protection Act, against which I am a sub-litigant. However, it is all too easy to find rationalizations for any legislation that would appear to protect consumers in any way possible. As an individual, I am somewhat accountable for the use of my own name and identity as a domain owner, as I am in other areas of the world subject to “identity theft.” A spammer or, ironically, a plaintiff may rationalize that anyone who tries to leverage himself with the unauthenticated mechanisms of the Internet does so at his own risk if his activities increase the risk to others, however indirectly. The spammer, unfortunately, has made enough money to absorb the risk.[24] Still another grim, if speculative, possibility is the idea that spam (with headers forged with some particular pattern) could be used to transmit steganography to terrorists. This brings up issues with the USA Patriot Act.

In April 2004, the Maryland legislature passed a bill (signed by governor Robert L. Ehrlich on May 26) assessing severe criminal and civil penalties for spam sent to Maryland email addresses with fraudulent headers or based on “harvested” email addresses. Besides Virginia, Maryland may have the only law with criminal penalties for out-of-state spam. The Maryland law is apparently enforceable on top of the federal CAN SPAM act because it penalizes only senders of fraudulent email.[25]  It would take effect Oct. 1, 2004. I wonder, however, what if a spammer breaks into an ISP and sends fraudulent email from an unsuspecting domain owner (whether in shared hosting or not), or into an individually owned server for that matter. In theory only the spammer is liable, but the “bystander” might have huge defense legal bills and be subject to wrongful conviction or civil penalties. (The law is supposed to criminalize breaking into a server, but a “framed” defendant would have to show that.) Could this have a chilling effect on small businesses?  Again, what is the obligation of small, asymmetric speakers who own domains if they make attractive targets for hackers? On the other hand, to date all legal actions against spammers (such as those brought by AOL) seem to be well-investigated and involve huge volumes that can be conclusively tracked to specific servers, sometimes offshore, and brought against entities with clearly traceable profits from spam.

Some ISPs have recently (early 2004) blocked access by their subscribers to web sites promoted by spam. AOL started the practice, unannounced, in early 2004, and apparently only tells the customer that a connection to the website cannot be made. Earthlink has a similar policy based on spam that purports to come from Earthlink addresses (although with falsified headers). AOL has also blocked access to phishing sites for about a year. One risk is that a spammer could provide a link to a competitor to get the competitor blocked, or that a heckler might spam a site that he finds “objectionable” to get it blocked. It is unclear right now if AOL and other ISPs are able to determine if linked domain names were provided fraudulently and deliberately for this purpose, but the block does start with complaints from subscribers.[26]

Larry Seltzer of eWeek weighed in with a detailed discussion after passage of the bill,[27] and thought that on balance it was about as much as can be done now without mandatory infrastructural addons for authentications on top of today’s SMTP protocols. Normally only governments or sometimes ISP’s can bring suits under this bill, and most provisions of state laws that put small businesses at possible inadvertent risk seem to be pre-empted. Private action at the state level is possible with respect to intentional fraud in the use of headers or actual attacks on other computers or websites. States can bring suit in federal court. There is a comment in eWeek that spam could so overwhelm home users that they will tend to see email and the web as useless. 

Spamming and virus-writing should be distinguished from spyware, which reports sites visited by home or work computers users (at work, it can be installed by employers for monitoring) or even keystrokes. Earthlink and AOL are announcing features that will soon detect and disable spyware, which is often reported by operating systems as included in the number of programs or processes running and sometimes triggers anti-virus warnings.

If this all was not sobering enough, there is also now a problem of domain name theft, as written up by Larry Seltzer, Enterprise News.[28] And hackers have developed a round-robin Trojan that builds a decentralized network, making it much harder to shut down spamming networks, and they operate in their own world of remote-access networks or “radmins”[29] that they claim are so profitable as to be like a major underground, seriously eroding legitimate business and I.T. employment.

I discussed the sender-spoofing issue above, but another possibility is that a hacker could actually break into the mail server of a domain owner and send spam or other illegal content (child pornography, money laundering, terrorist messages). A domain owner running his own dedicated server would obviously run the risk of downstream liability, but what about the indirect risk to a domain owner on shared hosting? With an established, reputable hosting company with good security this is perhaps a minimal risk, but many ISPs are small, home-based or very minimalist operations in terms of staff, and security problems could occur during business failures, when a small ISP is sold, or particularly when the mail server work is outsourced to another company (now a common practice). Does the domain owner have a due-diligence duty to shut down if he suspects the ISP’s customer support is substandard? In any case, the practice of most ISPs of offering multiple email boxes that may go unused (for customers who prefer to have all their email forwarded to large providers like AOL, Earthlink or MSN) sounds like a gratuitous security and perhaps liability hazard in the post-9/11 world that has gone unaddressed. (Domain owners must be reachable by email, however, at generic addresses like postmaster and webmaster, according to ICANN standards.) This may be another loophole in the growth of the Internet, and one for which I would need to do some fact finding. On the other hand, some ISPs could eventually take the position that they do not want domain owners to forward their email, or to post on websites any email addresses other than ones that contain the same names; this would be motivated by a desire to reduce bogus network traffic and mailer-daemon bounce-backs caused by spoofing (much of it generated by viruses and worms, such as the Sober worm). This could force domain owners to actually use and monitor their mailboxes against misuse by others. Where must the domain owner play the role of “my brother’s keeper”?

Again, although I do not use any direct marketing techniques for any of my domains, I benefit indirectly from the open culture that allows them. Large-scale advertisers and marketers are actually paying for the free exposure I get from Google and other major search engines. So the problem definitely concerns me. Furthermore, to the extent that spammers who do not falsify headers are still sued (or arrested) based only on the volume of their e-mailings,[30] we are setting a precedent that anyone who uses an unregulated technology might be liable if others later decide that his conduct is inherently “unfair.” I have been concerned that this kind of “tainted fruits” thinking could eventually lead to requirements that domain owners post bonds or carry their own liability insurance, even to offer “free” content to gain recognition. One partial solution would be to equate domain names with subdomains on large providers (this is probably “safer” than even shared hosting), as some bloggers do today. A related proposal would be licensing and bonding of ISPs or server owners.

Somewhat related to spam is the problem of spyware.[31] Antivirus companies make spyware detectors available as functions separate from virus scanning and firewalls. Since installing Microsoft Windows XP Service Pack 2, I have had few problems with it, although it is not perfect. Congress is considering legislation (Mary Bono, R-CA) to require companies to notify consumers when they want to install adware. (My own sites do not use adware or spyware!)

The Electronic Frontier Foundation has become very concerned about the effect of anti-spam measures on non-commercial email lists.[32] EFF discusses the concept of the bonded sender program, which some ISPs (IronPort and TRUSTe) have offered; this seems like an ominous move in the direction of someday requiring web self-publishers to be bonded because of the potential downstream liability issues. EFF provides best practices for users and ISPs, but it seems to me that unused email facilities across many domains could present potential targets for hackers to break into a domain and send spam from it.

On Dec. 6, 2006, there were major press reports about the resurgence of spam, especially from outside the US, where spammers have been driven by the CAN-SPAM Act. Brad Stone has a report, "Spam Doubles, Finding New Ways to Deliver Itself," in The New York Times, p. A1, in which he discusses a new spammer technique called "image spam," which outwits existing spam filter technology. Spammers also outwit attempts to prevent delivery of multiple copies of the same message. Corporations are spending more to deal with spam, and the Seattle Mariners (major league baseball) switched from a system managed by Computer Associates to Barracuda Networks, with some success. The Washington Times has an article by Kara Rowland, "Clever spammers stay 'one step ahead' of law: Federal act fails to stem the tide." The article reviews the CAN-SPAM provisions, requiring legitimate headers, a non-misleading subject line, an opt-out method, and proper labeling of the message as an ad. Legitimate companies are harmed by the practice, as they are by phishing, which has become more aggressive (telling Bank of America customers that their electronic access will be terminated). Some spam schemes have promoted illegal "pump and dump" penny-stock trading schemes, even without links to websites. There are suggestions that ISPs quarantine home users whose computers become infected with botnets, which spammers use to send spam from zombie machines. I have been very concerned (as noted above) by email sender spoofing, which email protocols (SMTP) still do not detect, and have suggested that charging for email could be a solution. I am concerned about possible downstream liability for spoofing targets if they are perceived as "attractive nuisances."

There is a more recent story by Brian Krebs in The Washington Post, Dec. 27, 2006, "Cybercrooks Deliver Trouble: With Spam Filters Working Overtime, Security Experts See No Letup in '07" (http://www.washingtonpost.com/wp-dyn/content/article/2006/12/26/AR2006122600922.html). The mention of the Rustock.B worm and its ability to morph around virus scans is particularly troubling.

On May 31, 2007, media sources reported the arrest of spammer Robert Alan Soloway, and reports suggested that his apprehension would reduce the amount of spam people get and reduce denial-of-service attacks (AP story via CNN Tech). The Spamhaus Project praised his arrest. There is a later AP story by Anick Jesdanun in the Daytona Beach News-Journal Online.

© Copyright 2003, 2006 by Bill Boushka, subject to fair use.


http://billboushka.blogspot.com/2006/01/sensible-policies-to-solve-spam.html  or  http://billboushka.blogspot.com

Or http://billboushka.blogspot.com/2006/12/time-to-charge-for-sending-email.html

Email to Jboushka at aol.com.

[1] Ariana Eunjung Cha, “Alliance Raised Hope in Fight Against Spam; Mistrust of Microsoft Ended Effort to Use Single Standard,” The Washington Post, July 3, 2005.

[2] Microsoft’s reference is at http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

[3] An Australian company, CashramSpam, already offers a service like this to e-mail recipients, although apparently senders would have to sign up. Bill Gates and Microsoft are also discussing a (challenge-response) system that would do this worldwide and would take maybe two years to test and implement. Jonathan Krim, “Gates Wants to Give E-Mail Users Anti-Spam Weapons,” The Washington Post, Jan. 27, 2004.

[4] A good writeup is to be found at geek.com, 12/15/2003, at http://www.geek.com/news/geeknews/2003Dec/gee20031215023066.htm

There is another article by the UK’s Forrester Research at http://www.pcpro.co.uk/news/51289/charging-for-email-only-way-to-stop-spam-says-report.html  12/11/2003.

[5] For Earthlink’s system, see http://www.emaillabs.com/article_earthlink.html

[5.5] Saul Hansell, "Postage Due, With Special Delivery, for Companies Sending E-Mail to AOL and Yahoo", The New York Times, Feb. 5, 2006.

[6] Here is a typical example of a spam that bounced back to me. I have replaced the real email names of people and companies with “fictitious” or “madeup” for privacy. The “myname” is spoofed. According to the ISP, the email header was actually forged at the IP address “nnn.ppp.qqq.rrr”, and this is the address that sent the email, even though at first glance it appears that it came from doaskdotell.com/content and was then bounced by the upper Received address. Actually, this email appears to have originated from Microsoft Outlook on an individual “home” server; the second Received line appears to be forged, and apparently the spammer got access to (or hacked) various information about that ISP’s shared hosting mail server to use in the forgery. Reading the header is tricky. In a legal downstream liability claim, the defendant would depend on this kind of header analysis to get a case dismissed quickly. Here, the shared hosting server (Unix) is known not to run Outlook Express.

From:      myname@doaskdotell.com/content
Subject:   E86Bay Secrets
Sent:      Fri, 05 Dec 2003 09:56:04 -0500

The following recipient is unknown: fictitiousname@fictitious.com

<< THIS IS AN AUTO-GENERATED MESSAGE >>
<< EMAIL RESPONSES TO THIS ADDRESS WILL NOT BE READ >>

Received: from c-66-177-109-61.madeup.client2.attbi.com (unverified [66.177.109.61]) by repgpgwpt-mime1.ficititious.com
(Content Technologies SMTPRS 4.3.12) with SMTP id <T66523aaa71c0f697b8b14@repgpgwpt-mime1.ficititious.com> for <ficititiousname@ficititious.com>;
Fri, 5 Dec 2003 09:57:20 -0500
Received: from doaskdotell.com/content (mail-fwd.fiction-fiction.com [nnn.ppp.qqq.rrr])
    by c-66-177-109-61.madeup.client2.attbi.com (Postfix) with ESMTP id A80361170D
    for <ficititiousname@ficititious.com>; Fri, 05 Dec 2003 09:56:04 -0500
Reply-To: ficitiousname2@ificititiousdomain2.com
Message-ID: <101001c3bb3f$0fc39057$44610cac@doaskdotell.com/content>
From: "Marsha K. Peroxide" <jboushka@doaskdotell.com/content>
To: Fictitiousname <fictitionsname@fictitious.com>
Subject: E86Bay Secrets
Date: Fri, 05 Dec 2003 09:56:04 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0015_9E002474.43E0A8E9"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1082

AOL technical support provided me with this example (7/19/2005):

If the Message-ID line is missing or looks like it might be fake, look at the bottom line of the headers, which should read something like:

Received: from mail.example.net (mail.example.net [192.229.169.1]) by emin22.mail.aol.com (8.6.12/8.6.12) with SMTP id TAA00559; Sat, 6 Dec 1999 19:13:39 -0500

This indicates that the mail arrived at AOL from a server called mail.example.net. In this example, you would need to contact postmaster@example.net. If there are multiple Received lines, please also send complaints to all other domains shown.

Many junk spammers know that their recipients will take the actions described above, so they will forge the e-mail to make it look like it has come from somewhere else.

[7] My ISP’s brief explanation is

“The e-mails you sent to us show that these messages are being bounced back to you although you did not send these messages. This is a continuous way spammers operate over the internet (i.e. use any domain name to send illegitimate messages).

To assist with getting rid of some of these messages you can contact your ISP with the IP address for the mail servers that these messages are being sent from.”

AOL said (tech support, 7/19/2005):

People who send this type of mail are often very technically savvy and go to great lengths to hide the location they are sending it from. As a result, the header information, which shows where the message originated from and the route it took to reach your mailbox, may have been forged to implicate people that were not actually involved. Many of these deceptive headers make the e-mail appear to be coming from seemingly legitimate sites.

You may have observed that when you send a reply, the e-mail is returned to you as undeliverable. These forged headers are designed to confuse people who are trying to complain. Unfortunately, they also make it difficult for service providers like AOL to block or otherwise filter out offending e-mail; the spammers can simply change their headers to any address that is not blocked.

AOL is cooperating with system administrators at the sites from which such e-mail originates in order to eventually halt the abuse of their facilities.

[8] http://email.about.com/cs/spamgeneral/a/spam_headers_2.htm

[9] I have personally wondered if ISPs will become more vigorous in discouraging webmasters (in shared hosting) from displaying their email addresses in easily copied form on static pages, or will try to discourage forwarding of email, which can add considerably to the burden of spoofed email to be filtered.

But AOL tech support just writes (7/19/2005):

Anytime you do anything that makes your name open to the public, you may receive unsolicited mailings. What types of online activities can make your e-mail address "open to the public"?

- Chatting online
- Registering on a Website
- Creating a member profile
- Joining mailing lists
- Creating a Web page
- Posting to message boards

[10] “New authentication system tries to block spam,” CNN, Dec 5, 2003, http://www.cnn.com/2003/TECH/internet/12/05/spam.yahoo.reut/index.html

Also here is a story of a suit by Yahoo for forging its addresses http://www.cnn.com/TECH/computing/9904/29/yahoospam.idg/index.html

[11] Larry Seltzer, “Yahoo Proposes Anti-Spam Standard for Internet,” Enterprise Weekly eWeek, Jan 12, 2003, at http://www.eweek.com/article2/0,4149,1430976,00.asp

[12] Jonathan Krim, “Microsoft Regains AOL’s Support for Anti-Spam Technology,” The Washington Post, Oct. 26, 2004, p. E5. But on Nov. 11, 2004, Krim provided another story, “E-Mail Authentication Will Not End Spam, Panelists Say.” The story indicates that zombie (home or office) machines would still send spam that is “authentic,” and that about 30,000 machines worldwide become zombies each day. An interesting question then is whether the owner of such a machine could face legal liability under some forms of anti-spam laws for allowing his machine to become a nuisance or for failing to secure it. Will we some day have to license computer users?

[13] David McGuire, “Dot-Mail Domain Proposed as Spam Solution,” The Washington Post, April 9, 2004.

[14] http://news.yahoo.com/s/nf/38096

There is a detailed example in this story:

X-Apparently-To: JBoushka@yahoo.com via 208.190.38.220; Sat, 08 Oct 2005 08:20:01 -0700
X-YahooFilteredBulk: 70.999.249.130
X-Originating-IP: [70.999.249.130]
Return-Path:
Authentication-Results: mta112.mail.dcn.yahoo.com from=bigbrother.bigoar.net; domainkeys=neutral (no sig)
Received: from 70.103.249.130 (HELO jonathanswift.ip-249-130.writhle.com) (70.103.249.130) by mta112.mail.dcn.yahoo.com with SMTP; Sat, 08 Oct 2005 08:20:00 -0700
From: "Foot Locker"
To: username@yahoo.com,
Subject: Sports Authority - Order Confirmation #504R-XYZC348

Note that the Authentication-Results line, the Received line and the From line each name a different source; the information does not match.

[15] For a related story, see a note about the Matt Bass case at http://www.doaskdotell.com/content/wchap1.htm at the end of the file (http://www.doaskdotell.com/content/wchap1.htm#Bass)

[16] See a similar note in my discussion of the Patriot Act, right now at note 12.

[17] New York State, which does not have a specific anti-spam law, is already going after intermediaries and vendors who financially profit from spammers. See Saul Hansell, “New York and Microsoft Expected to File Civil Suits in Spam Case,” The New York Times, Dec. 18, 2003, p. C1.

[18] AOL provides the web reference: http://www.ftc.gov/bcp/conline/pubs/alerts/whospamalrt.htm

[19] The House passed the new bill on the last day before recessing for Christmas, while passing a budget bill. Here is the reference: http://money.cnn.com/2003/12/08/technology/congress_spam.reut/index.htm

[20] The linkshare letter focuses on the idea that a website that advertises for linkshare clients may do direct marketing by email for them. Hppub does not engage in direct marketing, however; all marketing is “opt-in” or passive. 

[21] Brandon Mitchener, “Europe Blames Weaker U.S. Law for Spam Surge,” The Wall Street Journal, p. B1.

[22] This proposal is not going far yet, judging from David McGuire, “No-Spam Registry Faces Numerous Hurdles, As FTC Prepares Report to Congress, Anti-Spam Groups and Commercial E-mailers Weigh In,” The Washington Post, Apr 16, 2004.

[23] Clyde Wayne Crews, Jr. “Wishful Anti-spam Thinking,” The Washington Times, Dec. 7, 2003. Crews is director of technology studies at the Cato Institute.

[24] Tom Zeller, “Law Barring Junk E-Mail Allows a Flood Instead,” The New York Times, Feb. 1, 2005, recounts a story of a lawsuit and ineffective judgment against Levon Gillespie by Microsoft and others. It is difficult to pursue or close down operators whose servers are off-shore.

[25] Tim Lemke, “Maryland passes stringent antispam bill: Violators could get jail time, fines as complaints skyrocket,” The Washington Times, April 14, 2004, p. C8. Lemke also provided a story, “FTC orders porn spammers to use sexual-content warning,” on the requirement to put “SEXUALLY EXPLICIT” in the headers starting May 19, 2004. Also, Susan Levine, “[Maryland] Assembly Arms Fight Against Junk E-Mail,” The Washington Post, Apr. 14, 2004.

[26] Jonathan Krim, “AOL Blocks Spammers’ Web Sites,” The Washington Post, March 20, 2004. The concern about a website being spammed by others was raised by Cindy Cohn, legal director of the Electronic Frontier Foundation. It is not clear that the “victim” of such a fraudulent heckle would have any recourse other than general and expensive litigation against the spammer; this problem seems to me a bit like the fraudulent header problem. Would an ISP feel pressured to take down a domain that had been used excessively in fraudulent headers, as a “nuisance”? A similar risk exists that a heckler could direct excessive bandwidth at a site. The spam arriving in my own AOL account has gone down about 80% since early 2003. AOL does disable links within embedded emails, and requires the customer to affirm that he or she wants to be able to open the link, but this seems like a different issue.

[27] Larry Seltzer, “Can CAN-SPAM Put a Dent in Spam?” Enterprise Weekly, http://www.eweek.com/article2/0,4149,1406478,00.asp  The text is at http://www.spamlaws.com/federal/108s877nov25.pdf

The full title of the law is “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.”  See the provisions at http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm

[28] Larry Seltzer, “Domain Theft Is Still a Little Too Easy,” eWeek, at http://www.eweek.com/article2/0,4149,1384450,00.asp

[29] John Schwartz, “Hackers Steal from Pirates, to No Good End,” The New York Times, Dec. 8, 2003, p. C2.

[30] To show that ISPs are determined to put away some spammers for good, read the 1/6/2006 AP story about an $11 billion judgment against a spammer, who also must not use the Internet for 3 years: http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060105/NEWS01/601050310/1079

[31] Ariana Eunjung Cha, “Computer Users Face New Scourge: Hidden Adware Programs Hijack Hard Drives,” The Washington Post, Oct. 11, 2004, p. A1.

[32] Cindy Cohn and Annalee Newitz: “Noncommercial Email Lists: Collateral Damage in the Fight Against Spam,” Nov. 2004, at http://www.eff.org/wp/?f=SpamCollateralDamage.html