When Spammers Use YOUR E-Mail Address?

AlphaOne asks: "Is there any legal recourse (in California or otherwise) for a spammer sending mail out with MY e-mail address as the forged 'from'? I have received an (only one for now, thankfully) 'undeliverable' message for an e-mail I never sent. Upon closer investigation, it looks like a bounce from a much larger mailing for a porn site. To make matters worse, the message is JavaScript encoded and I had to spend about 30 minutes decoding the message just to figure out who the spammer could potentially be. I'm confident I know at least who was paying for the spamming, but I may not be able to directly track down the spammer him/herself (as is so often the case). Does anyone know of a precident in a case like this? Is it worth litigating if I get bombarded with bounces, hate-mail, removal requests, or anything else?" SPAM is one thing, but cowardly spammers who have to use someone else's address for their crap advertisements is something else. What can one do in this situation?

yes, there is a case

[Anonymous Coward]

http://www.localhost.com contains a link to a lawsuit in which spammers used nobody@ localhost.com

the case is well documented.

Sadly not worth pursuing

[Anonymous Coward]

The same thing happened to me last year. I got about a thousand messages, including bounces, flames, and worst of all, subscriptions to opt-in junk mail lists. Apparently some of the addresses spammed were other spammers' auto-subscribe mailing lists. I know how you feel; I was extremely angry when this happened.

I read about the flowers.com case and several others, and brought them to the attention of a lawyer, who explained that I'd have a hard time proving actual monetary damages. After going through the details, it became clear that it would cost me time and money to go after someone who I probably would never collect anything from.

Some states do have laws that specifically make using someone else's e-mail address a crime - that could make it easier. In the end, it's probably not worth it for you either. But you're posting a request for legal advice on slashdot, so who knows.

Recourse, and precedent...

[Caradoc]

The infamous "flowers.com" case from Texas provides clear precedent for damages resulting from the use of someone else's e-mail address (or domain.)

Here's a good URL to print out and hand to your lawyer:

http://www.isoc.org/whatsnew/parkerjudgement.htm l

Other commentary from ZDNet:

http://www.zdnet.com/eweek/opinion/1201/01isigh. ht ml

"The judgment is interesting not just for the monetary damages (which seem small to me), but for the reasoning used by the judge: "The defendant's unauthorized use of that address constitutes a common-law nuisance and trespass," wrote Travis County District Judge Suzanne Covington. She also found that the reputation of flowers.com would be permanently damaged if "the hated practice" wasn't stopped immediately."

Contact a Lawyer, and The Police

[scotpurl]

This is a plain theft-of-identity case. They used your name, engaged in public activity that made you look bad, and it's going to cost you time and money to clean it up. (Start keeping a diary of when you work on something, and how long.) Also start contacting ISP's. Yours is a great first stop. Have them pull logs and such, and archive them. That's part of the proof that you did nothing.

Civil suit is fastest, as the Police in some parts of the country are either "duh" or "we're understaffed." Jourisdiction is another one. Civil suits have a wonderful way of cutting across boundaries.

Yeah, you'll spend a coupla grand on a lawyer, but I'll pledge $100 for your lawyer fund, right now.

Two Rumplestilskins for the price of one?

[AtariDatacenter]

In a way, it sounds like an interesting way to do a Rumplestiltskin type attack. You send the email to one (guessed) address. You send the email from another (guessed) address. If the name your sending it to is bogus, then it bounces back to the other name you guessed.

I hate the idea already.

Re:Actually there are several tools you can use

[jfunk]

Your fake email address is indeed fake. You might want to change it though.

nowhere.com is a real address. I'm not sure if they'd be happy with you using their domain in such a manner.

I recommend using a fake TLD instead of .com so that there would be no chance of you causing them problems. Use nowhere.fake instead.

Re:yes, there is a case

[Zurk]

yeah..localhost.com sued. but they didnt win. they just lost on lawyers fees and the spammers lost on their court costs and lawyers fees. the judge threw out the suit.

Go after their business license

[coyote-san]

IANAL, but this happened to me last year. Their return address required a broken MSIE browser to parse, but my ISP was able to track them down. A polite note, ISP-to-ISP, about facilitating criminal fraud through impersonation since they were accepting messages sent with bogus headers got quick results. My position, which my ISP may have forwarded, is that I'm a reasonable person. I'm not looking for damages, I'm looking for LICENSING FEES. Specifically, the licensing fee required for retroactive permission to use my domain name in commercial solications by any entity other than my own business. (That business, technically, owns my domain, not me.) Since I'm oh-so-reasonable, this retroactive permission costs $500 per message, $2k per bounce message. Unless documentation of all messages sent is provided, our contract assumes one bounce message out of every 100 messages, plus a 50% surcharge for failure to maintain adequate documentation. So, for 250 messages please remit: TABLE DELETED BY SLASHDOT CENSORS The spammer had no reasonable expectation of any company being indifferent to the misuse of its corporate property, so they either committed a criminal offense or agreed to be bound by the terms of a contract. Since they didn't bother to contact me prior to this use, they implicitly agreed to its terms.Of course, I never expected to collect $20 million. But any ISP with a grain of salt would realize that small charges, multiplied by thousands of acts, would be enough that a contigency based lawyer could decide it was worth it to file a suit naming that ISP as co-defendant. In this case, since I didn't have an active web site at the time, it might have been marginal. But now that I'm bringing a web site online it will definitely include a legal notice that sending forged message without prior written approval constitutes acceptance of a binding contract, arbitrated in *my* state, to pay licensing fees. Minimum $5 million retainer, in cash, non-negotiable. Heck, for $5 million, I'll sell them my domain name. :-) It might hold up in court, it might not, but it should scare the pants off of their attorneys because it clearly prior notification of a contract. Contracts don't require signatures, they only require an overt act indicating consent. Such as sending a forged email header, something explicitly covered in that contract as an indication of acceptance - and something which a reasonable person would never do by accident. Especially hundreds of times with different bogus users and message content.

Re:Contact a Lawyer, and The Police

[selectspec]

If it is a personal email address, you could get them on theft of identity. If they are using your domain, then you can go after them on trademark and copyright issues too.

Congratulations, you've been Joe'd

[frankie]

Welcome to the club. This type of attack is called a Joe Job [google.com] in geek speak. It's pretty common, especially if you've ever succeeded at getting a spammer booted off his provider. You should visit the SpamCop newsgroups [spamcop.net]; they are old hands at this and helped me with the same situation in mid-April.

My Joe was also a Javascript encoded porn ad -- it might have been the exact same spammer. Here's a clipping for comparison:

Received: from [195.6.76.211] (195.6.76.211) by amyris.wanadoo.fr; 20 Apr 2001 16:05:27 +0200
Message-ID: 00000b300739$00002642$00001399@62.168.16.146
To: Undisclosed Recipients
From: fuy1@umbc.edu
Subject: Just For You
[...headers abridged...]
html head title HardCore /title
meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-88= 59-1"
/head
body bgcolor=3D"#FFFFFF"
script
function Merlin( s ) { var sRet=3D""; for(j=3D0; j=3D8364) {n =3D 128;} sRet +=3D String.fromChar= Code( n - 3 ); } return( sRet ); }

The decoder tool at NetDemon [netdemon.net] revealed that the spam was for lolital.com and visit-x.net. I contacted their hosting providers as well as wanadoo.fr (the open relay) but I don't think anything came of it.

On the bright side, not a single angry recipient wrote back to me to complain. I guess everyone really does delete spam on sight ... or maybe they happily clicked to see HardCore Teens. ;-(

Used to happen to somewhere.com all the time

[nazgul@somewhere.com]

We'd have our server brought to its knees by AOL bouncing messages to us. Court fights are too expensive, about all you can do is do your best to go after the spammers as hard as you can and try and shut them down. Now most of Somewhere.Com's problems are idiots who subscribe to sites using somewhere.com as an address. Not to mention the 1000 or so somewhere.com postings to Usenet made every day. I just got 200+ email messages in a few hours, all due to some idiot using webmaster@somewhere.com at an FFA site. Not pleasant. But on the bright side, he won't have an ISP account or a web site for much longer. Nonetheless, I see forged somewhere.com addresses in spam messages about once a month.
The SpamCop newsgroups are good resources for this kind of thing. They also provide pointers for decoding JavaScript encoded HTML. My own site, SpamWatcher, will have a builtin JavaScript interpreter in its spam decoder shortly.

How about Libel / Slander?

[MadCow42]

Of course, IANAL, but doesn't this smell like Libel and/or Slander? In effect, they have slandered your name by making it look like you're advertising/promoting/advocating porn. This is especially true because of the type of spam they sent.

Libel and Slander cases can have pretty hefty payouts... your "good name" and "reputation" are damaged, and are worth money.

Lawsuits are never something that you want to do, but being slandered by spammers is something that you should NOT let continue. If you DON'T do anything, it's worse.

MadCow.

would you mind posting ...

[onepoint]

Would you mind posting the contract. I would not mind having a copy. I could also pass it on to some lawyers where I could get us some special re-writes. maybe state rules, country rules and reg....

ONEPOINT

Spammer using your e-mail.

[dana_nutter]

File a criminal complaint and get a lawyer for a big lawsuit. Spamming alone is a misdemeanor offense in CA. Forgery is more serious.

There is a lot of information on these types of subjects at: www.suespammers.org. The discussion list is full of shared information on such cases.

Better save your work

[4thAce]

I think the first thing you ought to think about doing is to archive any important emails you have stored in your account, in case some muckety-muck should decide to shut it down. By the time that happens, all the lawyers in the world won't be enough to make up for the grief it will have already cost you.

Actually there are several tools you can use

[Lawyer Geek]

The one I found most effective when I discovered spammers had appropriated my e-mail address was to contact the internet casinos on whose behalf the spam was being sent out. I sent them a very strongly worded cease and desist letter, threatening litigation for both trademark violations and defamation. (The former is a federal issue, the latter, state.) It took a couple of days, and I had to wade through some tiresome denials that the casinos had anything to do with the spam - but as quickly as the offenders had begun, they disappeared. If folks would like to contact me regarding this kind of issue, I'm - of course - available to do so, at my usual ridiculous rates. I'm using a fake mail address above - but you can reach me at david.browde@browdelaw.com Regards!

Re:Actually there are several tools you can use

[Lawyer Geek]

Thank you. You made an excellent point, and, as you can see, I did.