Smothered by spam: more than half of all e-mail messages are now 'junk.' Recently passed legislation should bring some relief. Until then, you can take steps to keep spam from clogging your computer system and bogging down your practice.
"It is probably unrealistic to expect that the consensus required for such coordination can be achieved. More likely, the technical arms race between spammers and antispammers will escalate, and more and more innocent bystanders will be caught in the crossfire," wrote one law professor and information technology specialist. (1)
Spam is defined variously as unsolicited commercial e-mail (UCE), unsolicited bulk e-mail (UBE), or simply "junk e-mail." It accounted for 54 percent of U.S. e-mail as of September 2003, compared with 8 percent in 2001, according to San Francisco-based antispam firm Brightmail. A Federal Trade Commission (FTC) forum on spam held in May 2003 found that the costs of managing spam--including system overhead, antispam software, personnel, educational materials, and customer support--have risen 500 percent to 700 percent in the past three years.
America Online (AOL) reported that between February and April 2003, the number of spam messages it blocked and deleted tripled to 2.4 billion. A recent Newsweek article mentioned a spammer whose company sends 80 million e-mail ads a day. (2)
Spammers spam to make money. Marketers selling products or trying to drive traffic to a Web site pay spammers based on how many people buy or visit. A 2003 survey by the Direct Marketing Association (DMA), which represents approximately 4,700 companies that market directly to consumers, showed that e-mail solicitations drew about 46 million Americans to buy products and services last year ($7.1 billion in sales), 11 million of them in response to an advertiser previously unknown to the purchaser. (3) The low cost of sending millions of messages, and technology that makes it easy to collect addresses and send untraceable e-mail, make spamming an attractive enterprise.
Some spamming techniques include:
Harvesting--using software that roams the Internet, grabbing e-mail addresses from Web pages, news groups, chat rooms, and other sources without the permission of the Web site or its users.
Dictionary attacks--using software to randomly generate addresses using common letter combinations.
Phishing--sending e-mail to trick users into giving credit card information--for example, by luring them to Web sites that look like those of reputable companies to which they might divulge personal financial data. (4)
Spoofing--forging a return address or domain name to hide an e-mail's actual source.
Spyware--software included with another program, without the user's knowledge, that monitors his or her Internet activity and sends it to someone, usually an advertiser or online marketer; it can also gather e-mail addresses, passwords, and credit card numbers.
Open relays--servers that forward messages to e-mail addresses not listed as users by the server's owner/operator; they are programmed to accept and send e-mail on behalf of any user anywhere, even unrelated third parties. Spammers use software to scan the Internet for open relays, then route their bulk messages through that server, which conceals their identity because the spam seems to come from the server.
Spam zombies--computers that have been turned into open-relay servers by spammers implanting a virus.
Spammers may also
* split words, or add numbers or characters to words, to make them undetectable by dictionary-based scanning software (for example, V1agra)
* insert random words or characters into the subject line or message body (Bwy dis*count drvg$) to skew statistical filtering (which uses keywords to locate new spam)
* send HTML-based spam as a full Web page to avoid detection by content-filtering software.
The scope of the problem is astronomical: "There are roughly 24 million small businesses in the U.S. If one percent of those businesses got your e-mail address, and each of those one percent sent you just one e-mail ad a year, that would average out to 657 e-mail ads in your inbox every day," wrote John Mozena, cofounder of the Coalition Against Unsolicited Commercial E-Mail. (5)
Not surprisingly, in recent years 35 states passed antispam laws. They varied widely in requirements, penalties, and jurisdiction, and state courts in California and Washington found them unconstitutional under the Commerce Clause. (6) Marketers called some state laws "draconian," or claimed they threatened rights of free speech and due process. The DMA favored either self-regulation by the marketing industry or a milder, blanket federal law.
The business and marketing concerns that wanted federal legislation that would preempt "draconian" state antispam bills have gotten their wish.
In December, President George W. Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN SPAM) of 2003, which preempts state law in most instances to set national standards for commercial e-mail. The law, which took effect January 1, allows marketers to send UCE if the messages contain an opt-out provision, a legitimate return address, a valid subject line that indicates it is an advertisement, and the sender's physical address.
Sending UCE with false or misleading header information (which shows where the mail originated) is a criminal misdemeanor punishable by up to a year in jail; the law also provides civil penalties for spammers who hijack computers or open relays to send bulk e-mail, spoof legitimate addresses or domain names, or use harvesting software or dictionary attacks. The law addresses spam sent to cell phones and other wireless devices as well.
The FTC is charged with enforcing the law, which mandates that the commission produce several reports on other spam-reducing solutions, including a plan to pay a bounty for reporting the identity of a mailer using false header information, and the feasibility of creating a national do-not-spam list similar to the do-not-call registry, which bans some telemarketing but not charitable or political calls.
FTC Commissioner Timothy Muris called such a registry unenforceable and said the commission doesn't have the resources to implement one, but agreed to work with Congress to enforce the law. A registry could also face a First Amendment legal challenge similar to the one that is still unresolved over the do-not-call registry.
The new federal law does not allow individual e-mail users to sue spammers. Instead, the FTC, other federal agencies, Internet service providers (ISPs), and state attorneys general can sue on behalf of Internet users.
"The federal bill ... is a turkey," said John Levine, author of Internet for Dummies and coauthor of the new Spam-Fighting for Dummies. "It has a few good provisions; it addresses harvesting, allows some rights of action by attorneys general and Internet service providers, and provides for statutory damages, which is important because proving actual damages from individual pieces of e-mail is hopeless. But it doesn't make spam illegal.
"It's been said before, but the name of this bill says it: Big companies 'can spam' all they want. [The law is] a gift to those companies that were waiting to see the rules clarified so they can bombard us with ads."
Antispam advocates who are disappointed with the law argue that it will overburden state and federal authorities, who must file civil antispam suits because consumers cannot.
"The Center for Democracy and Technology believes that a private right of action would have helped stop spam, but the main parts of this bill--giving FTC, attorneys general, and ISPs better opportunities to sue--should help the situation," said Ari Schwartz, associate director of the nonprofit public policy organization that promotes an open, global Internet. "The FTC is also working on a cross-border fraud provision that will help them take up cases that they can't today.
"We hope that the new law, along with technologies and industry self-regulation, will help to turn the tide so that--within the next few years--we are all receiving less spam than we do today."
While the law may spawn new litigation, numerous suits by individuals and agencies had already been filed before the bill was signed.
Agency actions have been somewhat successful, although the suits are labor-intensive because finding spammers' true locations is difficult: They can set up shop overseas and aren't required to disclose their physical locations. Often those caught spamming don't pay the fines, but just set up another operation and continue.
At press time, the FTC, Securities and Exchange Commission, U.S. Postal Inspection Service, three federal prosecutors, four state attorneys general, and two state regulatory agencies had filed 45 law enforcement actions against bulk e-mailers who used schemes including auction fraud, illegal sale of controlled substances, bogus business opportunities, deceptive money-making scams, illegal advance-fee credit card offers, and identity theft. (7)
State attorneys general, notably Eliot Spitzer of New York, have also gone after spammers for using deceptive practices. Last year, New York received a $10,000 penalty when Spitzer settled with E.B.A. Wholesale Corp. (d/b/a Cyebye.com) for spoofing Amazon.com's domain name in over 10,000 e-mails. The state also won a suit against MonsterHut, which had sent more than half a billion UCEs falsely claiming that consumers had requested the messages. (8)
Spitzer's office also arrested and indicted e-mail marketer Howard Carmack, known as the "Buffalo Spammer." ISP Earthlink sued Carmack in U.S. district court in Atlanta for sending 825 million pieces of unsolicited spam from Earthlink accounts he opened using stolen credit cards. The court ordered Carmack to pay Earthlink $16.4 million in damages.
Private suits are harder to pursue because proving actual damages is difficult, and awards are usually low. Laws that provide for liquidated or statutory damages instead, and/or criminal penalties or government enforcement actions, may be easier to enforce.
"For attorneys to file suits, they'll have to look for plaintiffs with big enough mail systems to use the cumbersome provisions in the [federal] law. Fighting the obvious defense--'we didn't get an opt-out message'--plus proving how much spam the plaintiff got, adding up the statutory damages, and doing all this in federal court makes the overhead so high that unless you've got a client with a lot of e-mail addresses, it isn't worth it," said Levine.
Last year, attorney Michael Worsham of Forest Hill, Maryland, filed two suits under the state antispam law, which provides for a minimum $500 in statutory damages and attorney fees for certain types of deceptive e-mail. (9) One, which the parties settled, was a small-claims suit against a New Jersey mortgage company and a California marketer that spoofed a Hotmail address to send marketing materials for the company. The Maryland law requires marketers to abide by its requirements when sending e-mail to an address it "knew or should have known ... was a state recipient." Worsham's suit argued that his e-mail address is registered to his firm's physical Maryland address, which the mortgage company should have known. He filed the second suit in general circuit court against a Florida company selling inkjet toner cartridges for sending him at least 99 spam messages. (10)
"I'm concerned about the federal law that will preempt all state laws, because it will keep people like me from suing," he said.
One problem with the federal antispam law is that suits must be filed in federal court, said Levine. The law will be useful "for AOL and Earthlink and other big providers [who can afford] rounding up a busload of lawyers and negotiators and sending them to the federal courthouse.... CAN SPAM may be somewhat effective against really criminal spammers, because if AOL goes after them and shuts them down, maybe they'll stop spamming everyone else, too."
Many large companies are, in fact, trying to close down spam operations. United Parcel Service (UPS), for example, filed a federal suit in U.S. district court in Georgia, seeking more than $1 million in damages from spammers for allegedly using the UPS domain name and employee and customer lists to market sexual products. The suit accuses 10 unnamed spammers of violating the RICO statute, federal trademark infringement laws, and Georgia's Computer Systems Act and seeks actual, punitive, and treble damages, plus disgorgement of any spammer profits from the e-mails. (11)
In August 2003, Amazon.com filed federal lawsuits in several U.S. district courts and the Ontario Superior Court of Justice against 11 e-mail marketers for spoofing its domain name. The suits seek injunctions to stop further e-mails, in addition to millions in punitive damages. (12) In the same month, Earthlink filed suit in U.S. District Court in Atlanta, accusing over 100 John Doe defendant-members of spam rings in Atlanta and Vancouver of phishing and using stolen credit cards to set up Earthlink accounts to send spam. Damages could exceed $5 million. (13)
AOL has won at least 25 spam-related lawsuits against more than 100 companies and individuals. (14)
In June 2003, Microsoft filed 15 suits against marketers--13 in the United States and 2 in Britain--for sending millions of misleading, deceptive, and unsolicited commercial e-mails to account holders and for causing the company to process improper e-mails, delaying or adversely affecting the subscribers' receipt of legitimate e-mail. (15)
Most antispam suits rely on similar legal theories, including
* trespass to chattels (using or meddling with another's property--for example, networks and servers--without authorization, depriving the owner of use for a substantial time) (16)
* conversion (claims are based on spammers' unauthorized use of a company's facilities)
* unjust enrichment (spammers circumvent the ISP fees that legitimate advertisers pay)
* misappropriation (of an ISP's infrastructure and computing resources)
* violation of state and federal computer crime laws (17)
* trademark and unfair competition (used when spoofing occurs)
* nuisance, fraud, deceptive practices, negligence, and tortious interference with contractual relations. (18)
Because efforts to identify and block spam have proved ineffective, e-mail companies and ISPs may refocus their technology to identify legitimate mail.
The biggest companies are working on "trusted sender" or "challenge/response" systems, which work like telephone Caller ID: Recipients can see who's sending a message and choose whether to open it. When a message arrives that is not from an address on the receiver's list of "safe" correspondents (usually those addresses stored in a contacts list or address book), the system challenges the sender to identify himself or herself by generating an e-mail that requires human interpretation--for instance, the sender must identify a randomly generated word contained in a graphic image and e-mail the response before the server will deliver the original message. Of course, this system requires recipients to take action just to receive a message, and it increases Internet traffic by requiring a series of e-mail exchanges for unidentified messages.
Secure messaging uses such lists to validate incoming e-mail, but those messages must also come from senders with valid digital signatures, based on a system like public key infrastructure. (19) There is, however, no agreed-upon standard for digital signature technology.
Another system--SPF (senders permitted from)--would check numeric Internet Protocol (IP) addresses, which are assigned to all Internet-connected computers by Internet account providers. Companies would electronically publish the IP addresses of all confirmed machines that send e-mail, so that, for example, when you get a message claiming to be from "atlahq.org," your mail server could check to see whether the Internet location it came from is assigned to ATLA. But some services, like anonymizer.com, will mask IP addresses.
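The check described above, as an added sketch that is not from the article: a receiving server compares the connecting IP address with the list the claimed sender domain publishes. It uses the `v=spf1` TXT-record syntax in which SPF was later standardized, handles only the `ip4`, `ip6` and `all` terms, and replaces the DNS lookup with a constructed table of documentation-range addresses; `example.org` stands in for the article's "atlahq.org," and the `unsupported` result is this sketch's own label.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real server queries DNS).
# All addresses come from ranges reserved for documentation.
PUBLISHED = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    "lenient.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Qualifier in front of a term decides the result when that term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, records=PUBLISHED):
    """Return the SPF-style result for mail claiming `domain`, sent from `client_ip`."""
    record = records.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # the domain publishes no list, so there is nothing to compare
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for every other address
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # Terms such as a, mx or include need further DNS lookups; refuse to guess.
        return "unsupported"
    return "neutral"  # record ended without an "all" term
```

A `fail` result means the domain's owner says the connecting machine is not one of its mail senders; a `none` result says nothing either way, which is why the scheme only helps for domains that publish a list.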
A group of companies that do bulk e-mailing for marketers is working on a system, dubbed Project Lumos, under which bulk mailers would have to add routing information to the other message header information. The project would certify bulk mailers who promised to follow certain rules, like quickly handling opt-out requests, and would develop an electronic rating system to rank mailers based on the number of complaints received about rules violations. This system would, however, require the bulk mailers to voluntarily adopt the technical standards and ISPs to adjust their servers so as to recognize the new information and block bulk mail that doesn't contain it.
Another, more commercial solution is being floated: charging senders a fraction of a cent per message. Proponents say this would cost personal users only a few cents per month, but charges could add up significantly for bulk mailers.
New technologies to deal with spam will take years to develop--and there's no guarantee that they will be effective. If you are responsible for the servers and computer network in your office, or manage those who are, here are some practices to establish.
Install a firewall so spammers can't turn your computers into spam zombies. Run up-to-date antivirus software at all times, and download software patches for your operating system promptly: Check the manufacturer's Web site weekly for new fixes. Configure your servers and proxies to not use open relays. (20) Secure servers have software that checks to make sure outgoing e-mail is from an authorized sender; other software confirms that the recipient of incoming mail is an authorized user, then accepts and delivers the e-mail.
Watch for spyware, which could be used to steal personal information. Whenever you add a program to your computer, use the "custom install" feature to see whether other programs are embedded in it. Consider periodically running a spyware removal program such as AdAware or Spybot Search and Destroy. (21)
Use mail server products, like MS Exchange Server, and e-mail clients, like Eudora and Outlook, that have built-in antispam capabilities. You can also purchase software to help block spam. (22)
Use content-filtering features. These work on "fuzzy logic," setting up rules to look for certain words--assigning positive scores to words such as "adult" and "cheapest," and negative scores to, for example, "nytimes.com." The programs total up a message's score to get its "confidence level." You can set your e-mail program or antispam software to accept messages at a certain level or to flag them as junk.
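A scoring filter of the kind just described, as an added example that is not from the article or from any product it names. The weights and threshold are constructed; "adult," "cheapest" and "nytimes.com" come from the text above, and the normalization step undoes the character substitutions and split words listed earlier (V1agra, dis*count).

```python
import re

# Constructed rule set: positive weights lean toward spam, negative toward legitimate mail.
RULES = {
    "adult": 2.0,
    "cheapest": 2.0,
    "viagra": 3.0,
    "discount": 1.5,
    "nytimes.com": -3.0,
}

# Reverse common look-alike substitutions before matching.
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})
PUNCT = ".,;:!?\"'()<>"


def _tokens(text, normalize):
    words = text.lower().split()
    if not normalize:
        return [w.strip(PUNCT) for w in words]
    merged, run = [], []
    for w in words + [""]:  # empty sentinel flushes the final run
        if len(w) == 1 and w.isalnum():
            run.append(w)  # candidate piece of a split word ("v i a g r a")
            continue
        # Three or more single characters in a row are rejoined into one word.
        merged.extend(["".join(run)] if len(run) >= 3 else run)
        run = []
        if w:
            merged.append(w)
    views = []
    for w in merged:
        views.append(w.strip(PUNCT))  # raw view keeps "nytimes.com" intact
        views.append(re.sub(r"[^a-z]", "", w.translate(LEET)))  # de-obfuscated view
    return views


def score(text, normalize=True):
    """Sum the weight of every rule found in the message; each rule counts once."""
    toks = _tokens(text, normalize)
    return sum(weight for key, weight in RULES.items() if any(key in t for t in toks))


def classify(text, junk_at=4.0):
    # Flag for review instead of deleting: a legitimate message can mention a scored word.
    return "junk-folder" if score(text) >= junk_at else "inbox"
```

With normalization switched off, the constructed message "Cheapest V1agra, bwy dis*count drvg$ now" scores 2.0 and reaches the inbox; with it on, the same message scores 6.5 and is flagged.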
Consider subscribing to "blocklists" maintained by third-party organizations, such as SpamCop, Spam Early Warning Prevention System, and the Spamhaus Project. Most antispam products let you choose which to use. Blocklists may be of limited use, since spammers constantly set up new addresses from which to send mail, and the registries sometimes include legitimate e-mail addresses.
Until legislation, litigation, or technology can provide more effective relief, some attorneys have cut spam from their diets by reverting to old ways. The Pew Internet and American Life Project found that 25 percent of e-mail users complain that because they receive so much unwanted mail, they have reduced their overall use of e-mail. More than half of them said "significantly."
(1.) David E. Sorkin, Technical and Legal Approaches to Unsolicited Electronic Mail, 35 U.S. F.L. REV. 325, 384 (2001).
(2.) Brad Stone, Soaking in Spam, NEWSWEEK, Nov. 24, 2003, at 66.
(3.) Press Release, Direct Marketing Association, DMA Statement Re: Operation Slam Spam (August 22, 2003), available at www.the-dma.org/cgi/disppressrelease?article=484++++++.
(4.) The FTC provides descriptions of many common e-mail scams at www.ftc.gov/bcp/conline/edcams/spam/coninfo.htm.
(5.) John Mozena, Online Chat, Senate Approves 'Can Spam' Bill, washingtonpost.com, Oct. 23, 2003, available at www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A2372-2003Oct22&notFound=true (last visited Dec. 22, 2003).
(6.) Ferguson v. Friendfinders, Inc., 94 Cal. App. 4th 1255 (Cal. App. 1st Dist. 2002); State v. Heckel, 24 P.3d 404 (2001).
(7.) For a list and description of cases, go to www.ftc.gov/os/2003/05/swnetforcepresschart.pdf.
(8.) For more information, go to the New York State Attorney General's Internet Bureau at www.oag.state.ny.us/internet/internet.html.
(9.) Commercial Law Electronic Mail-Unauthorized, False, or Misleading Information, MD. COMM. L. §§ 14-3001-03 (2002).
(10.) Worsham v. Sheeba & Zeus Enterprises, Inc., No. 12-C-03 (Md., Harford County Cir. Ct. filed Nov. 4, 2003).
(11.) United Parcel Serv. v. John Does One Through Ten, No. 103CV1639 (N.D. Ga. filed June 13, 2003).
(12.) See, e.g., Amazon.com, Inc., v. Rockin Time Holdings, No. 1:03CV22270 (S.D. Fla. Aug. 25, 2003).
(13.) Earthlink, Inc. v. John Does, No. 03-CV-2559 (N.D. Ga. filed Aug. 27, 2003).
(14.) For a complete list of cases filed by AOL, go to legal.web.aol.com/decisions/dljunk. Other spam suits are cited at www.spamlaws.com and on the SpamCon Foundation Law Center site at law.spamcon.org.
(15.) See Spam Litigation Case Fact Sheet, at www.microsoft.com/presspass/press/2003/Jun03/0617SpamEnforcementFS.asp.
(16.) See, e.g., Intel v. Hamidi, 71 P.3d 296 (Cal. 2003) (court ruled Intel can't stop e-mail with trespass to chattels law unless the messages cause actual damage to equipment or property, but differentiated between the thousands of e-mails a former employee sent to other workers' company e-mail addresses and the millions of messages spammers send, which it said can overburden a company's computer system).
(17.) See, e.g., Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1994 & Supp. 1999).
(18.) See Sorkin, supra note 1.
(19.) See Rebecca Porter, Do Electronic Signatures Mean an End to the Dotted Line?, TRIAL, Sept. 2003, at 52.
(20.) For FTC suggestions on how to convert your server from an open relay, go to www3.ftc.gov/bcp/conline/pubs/buspubs/openrelay.htm.
(21.) See Jonathan Krim, Web Vipers: Computer Users Must Guard Against Threats Posed by Spam, Viruses, and Hackers--Or Else, WASH. POST, Nov. 2, 2003, at F1.
(22.) For software recommendations, see E-Mail Spam: How to Stop It from Stalking You, CONSUMER REP., Aug. 2003, at 12.
RELATED ARTICLE: Antispam strategies you can use.
If you use a computer, spam is a new fact of daily life, like overpriced boutique coffee and heavier highway traffic.
"You have to accept that you're going to get the stuff, and you have to accept that you're going to have to get rid of it," said attorney Ken Laska of Plainville, Connecticut.
To stanch the flow of unwanted e-mail, you should follow certain habits and practices:
* Don't buy products sold through spam, respond to spam messages, or even open them. Disable your e-mail program's "preview pane," which reports to the sender that you've received a message when you view it this way.
* Don't try to opt out of receiving spam by clicking on a Web address or sending an e-mail to the spammer. This just confirms that your e-mail address is valid and ready to receive more bulk e-mail from the sender.
* Don't forward chain letters, petitions, or virus warnings, which spammers could be using to collect additional e-mail addresses.
* Don't give your e-mail address out, except to trusted parties. Even friends may unwittingly add your address to a list sold to a marketer--for example, by sending you an electronic greeting card.
Joe Morris of Dothan, Alabama, said his firm doesn't print attorney e-mail addresses on business cards or letterhead. "Our Web site has a link to e-mail, so you can send us an e-mail that way." The firm's Web host has filtering software that eliminates some spam, "but it's not perfect," he said.
* Don't add your contact information to ISP member directories.
* Set up more than one e-mail account. You might have a personal address, a business address, and a separate, general address to receive e-mail from the public; for example, general queries to TRIAL go to firstname.lastname@example.org.
* Use a unique e-mail address that includes both letters and numbers. For example, I might use L8deadline@yahoo.com, which is much less vulnerable to dictionary attacks by spammers but still easy for me to remember.
* Use a screen name for online chats that's not associated with your e-mail address. For example, I might log into a chat room as iReditor, rather than using L8deadline as my screen name.
* Choose a disposable address to use on Web sites and for public postings in news groups or online purchases. When spam starts piling in, simply drop that address and select another. Yahoo! will set up disposable addresses through its Mail Plus service ($29.99/year) and relay the messages it receives to your primary account. SpamMotel is another disposable forwarding-address service.
* Disguise your address if you must share it. Write, for example, "rebecca dot porter at atlahq dot org." (Caution: Some news groups and message boards won't allow this, and some harvesting programs can pick out common masks like spelling out "at.") You can "munge" your address by adding an antispam phrase that a human user would catch, such as rebecca.porter@NOSPAMatlahq.org. (When sending e-mail, a person would know to type the address without the phrase.) Or scan your address into a graphic and post the image; harvesting programs read only text.
* Select a big ISP such as AOL that automatically blocks spam and lets you sort messages from known and unknown senders. Earthlink uses challenge/response technology, and MSN lets you choose to block spam automatically.
* Set the filter in your e-mail application to block further e-mails from senders you don't want (in Outlook, highlight the message, click on "Actions" and then on "Junk E-mail" to add a sender to the Junk Senders list). Set rules to move suspicious e-mail into a "Junk" folder that you review often. Don't automatically delete everything with certain words, however, because someone with a potential claim involving, for example, Viagra, might be e-mailing.
* Use an additional spam filter, such as SpamKiller, SpamCatcher, Spam Arrest, or IHateSpam.
* Report spammers to your ISP and to the ISP from which the spam originated, in case the address was spoofed. The address is usually abuse@[ISPname].com or postmaster@[ISPname].com. Include a copy of the message with all of its header information.
To get all header information in Outlook, with the message open, click on View, Options. In the Message Options dialogue box, the last text box, called "Internet headers," contains the information. In Hotmail, click Options, Additional Options, Mail Display Settings, and, in the Message Headers section, click on Advanced, then click OK. In Yahoo!, click on Mail Options, General Preferences, and under Messages, Headers, select "Show all headers on incoming messages," then click Save.
* Report certain kinds of spam to agencies. The Coalition Against Unsolicited Commercial E-Mail (www.cauce.org) recommends reporting fraudulent spam, such as products that don't work or exist, to the FTC at email@example.com (also inform the FTC if a "Remove Me" request isn't honored, at www.ftc.gov. Click "For Consumers," then "File a Complaint"). Report spam promoting stocks to the SEC at firstname.lastname@example.org; spam containing child pornography to the FBI at https://tips.fbi.gov; chain letters that ask for money, even if via e-mail, to your local U.S. Postmaster; and spammers who want to use your bank account to transfer money (a "419" scam) to the U.S. Secret Service (information at www.treas.gov/usss/alert419.shtml).
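Why a report should include the full header information, shown as an added example that is not part of the original article: the From line can be spoofed, but the Received line written by your own mail server records the address of the machine that actually handed the message over. The sample message, host names and addresses below are constructed, and `mx.myfirm.example` is a hypothetical name for the recipient's own server.

```python
import re
from email import message_from_string

# Constructed sample. Only the first Received line was written by a server the
# recipient controls; everything below it was supplied by the sending side.
RAW = """\
Received: from unknown (HELO mail.shop.example) [203.0.113.77]
\tby mx.myfirm.example with SMTP; Mon, 12 Jan 2004 09:14:02 -0500
Received: from relay.forged.example [198.51.100.9]
\tby mail.shop.example; Mon, 12 Jan 2004 09:13:40 -0500
From: "Customer Service" <orders@shop.example>
To: partner@myfirm.example
Subject: Your order

Body text.
"""


def reportable_origin(raw, trusted_hosts):
    """Return the connecting IP recorded by the first Received line from a trusted server."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        if by and by.group(1).rstrip(";").lower() in trusted_hosts:
            # The bracketed address before "by" is what our server saw on the wire.
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat.split(" by ")[0])
            return ip.group(1) if ip else None
    return None  # no line from a trusted server: nothing in the headers is reliable


def claimed_sender(raw):
    """The address shown to the reader, which the sender is free to forge."""
    return message_from_string(raw)["From"]
```

For the sample, `reportable_origin(RAW, {"mx.myfirm.example"})` returns 203.0.113.77, the address whose ISP should receive the abuse report, whatever domain the From line claims.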
REBECCA PORTER is an associate editor of TRIAL. The views expressed in this article are the author's and do not constitute an endorsement of any product by TRIAL or ATLA.
|Date:||Feb 1, 2004|