SPAM - A Different Kind of Identity Theft?

bmooney28 asks: "After maintaining a single permanent email address through 8 years and five ISPs (via a forwarding service), I lost it all in a day. My first sign of trouble came when I found a "message undeliverable" email in my inbox containing hundreds of failed email addresses. Apparently, my email address had been pasted as the return address in a mass mailing similar to this one sent to hundreds of random recipients. This process repeated a few times over the next day or so, effectively blacklisting my email address on various master lists and adding my address to thousands of random address books (virus magnets). In the past, I have had a great deal of luck fighting off SPAM and other unwanted email via throwaway email addresses and preemptive email filtering. Now, the email address that I use to communicate with friends, former students, and coworkers around the world is useless. Have any of you ever found yourself in a similar situation? Are there any legal steps that I could take against this company?"
This discussion has been archived. No new comments can be posted.

  • that stinks (Score:4, Interesting)

    by gaminRey ( 569220 ) on Tuesday January 21, 2003 @01:07AM (#5124514)
    Wow, that really stinks. I have personally used similar solutions to the spam problem. In the future I would suggest using different aliases for friends, business contacts, web forms, etc.; and then keep the main POP account secret, that way the SPAM people shouldn't ever get the real address, and if something like this happens again to one of the front addresses, you can just drop it without losing all of them.
    • That's my strategy too. I would take it one further however. Pick apart the email headers that you get bounced back to you and alert the ISPs. Many ISPs (not all) have policies against mass emails. If the email links to a website, find the domain admin and technical contacts and let their ISP know. When I got my e-dentity stolen, the email contained a garbaged URL that led to nowhere so tracking down those responsible was all but impossible. However, the email header had more than enough relaying info for me to let every ISP they used to send email know what had happened.
      • That's my strategy too. I would take it one further however. Pick apart the email headers that you get bounced back to you and alert the ISPs. Many ISPs (not all) have policies against mass emails. If the email links to a website, find the domain admin and technical contacts and let their ISP know.

        I've found that in my experience, ISPs aren't as responsive to SPAM-type abuse issues as are webmasters.

        My homepage (vanity domain) has a "Webserver Stats" section that logs, among other things, referrers to my site. Some unscrupulous types found this out and decided to take advantage of this public advertising medium. What resulted were literally hundreds of requests per night for each of about 30 domains (almost all of them pornographic in nature) for non-existent files (I suppose they figured my 404 page was the smallest thing on my site). With their URLs in the referrer field, Webalizer [mrunix.net] dutifully added them up and created a referrers graph that, not surprisingly, was filled with the top ten of these porn sites.

        These attacks (which also flooded my ADSL line's bandwidth, I might add) were carried out from two major U.S. ISPs. E-mail to the ISPs got me little more than automated "Thanks for the heads-up" responses, so I decided to go after the websites themselves. A little whois work on the domains and I found that they were all hosted at the same hosting company [mach10hosting.com] who responded immediately requesting more information, and who then acted on the complaint in short order and the problem went away.

        A little bit of diligence and these people can be nailed down. Many of them don't seem to host their own websites, so use their webhosting companies against them. Track them down and have them ousted. The transition time to a new company will be a real bite in the keester and should make their job a little less worthwhile. At the very worst, they'll give up on third party hosting companies and have to shoulder the cost of hosting the sites themselves.

  • by j.e.hahn ( 1014 ) on Tuesday January 21, 2003 @01:08AM (#5124525)
    1) The litigious young American will call his lawyer and look into suing this company for fraud and slander/libel. Reap massive multi-million dollar judgment 5 years later.
    2) The sane human being will get a new email address and tell all of his friends, family and other contacts that he's changed addresses.

    Pick one. Do you maybe have legal recourse? IANAL, but yeah maybe. Think about what would happen if someone fraudulently used your home address or phone number.
    On the other hand, how much is that email address really worth to you?

    (note that if the answer to that last question actually has a real substantial dollar value attached to it, then you shouldn't be talking to slashdot, but a real attorney.)

    • by jhunsake ( 81920 ) on Tuesday January 21, 2003 @02:34AM (#5124922) Journal
      I don't see 1) and 2) as mutually exclusive actions.
      • Au contraire:

        Being forced to take on another e-mail address only adds to your damages.

        You would have a lesser case if you didn't have to change email addresses.
    • unfortunately, the lawyers in this culture have pushed all our hands to the point where we HAVE to deal with litigation to get companies to act decently.

      while it's easy to look down your nose at litigious behavior, it is typically the only way to keep companies from acting like greedy, spoiled schoolyard bullies.
    • 1) The litigious young American will call his lawyer and look into suing this company for fraud and slander/libel. Reap massive multi-million dollar judgment 5 years later. 2) The sane human being will get a new email address and tell all of his friends, family and other contacts that he's changed addresses.

      The problem with (1) is that you may lose important stuff in the meantime. I know people can always send again when they know your address, but it is a pain in the arse to tell everyone that it has changed. If it were simply a case of mailing all your contacts to let them know, that wouldn't be so bad but it's when you have to change your address on all kinds of things like contact details for banks, for clubs, for prospective employers. That is when it really sucks.

    • Your second "solution" is not a solution. If your car was stolen, you would not be pleased to have everyone tell you to get another car or learn to walk and stop whining.

      If you came home and found a stranger in your house, you would not just get another apartment and call it a day.

      This is identity theft. It is no different than someone going out and using your name and credit history to get a credit card in your name... and making it impossible for you to refinance your house to lock in low rates, or get a new car loan, or get an increased credit line on your cards before a long trip.

      Actually, I take that back - at least identity theft is now beginning to be considered a serious crime, although it's still unnecessarily hard on the victims. (E.g., many credit bureaus won't report fraud alerts without police reports, the local police don't accept these reports since the crime occurred elsewhere, and the remote police don't accept reports over the phone.) But the damage caused when an individual or a small business (when an entire domain is blacklisted) is unable to communicate with others because of the fraudulent traffic sent out by spammers.

  • It's a losing cause (Score:5, Informative)

    by kawika ( 87069 ) on Tuesday January 21, 2003 @01:09AM (#5124526)
    For several years I have been using spam-magnet accounts like hotmail.com and yahoo.com. I feel like Elaine in that episode of Seinfeld when she finds out her favorite form of birth control (The Sponge) is being taken off the market. She hoards all she can find and then has to decide if every guy she meets is "spongeworthy". That's what we are all trying to do with our email accounts, trying to decide who to give the primo ones and who gets the seldom-checked Hotmail address.

    Due to some friends getting Klez, my "good" emails have leaked out and are receiving spam. So no matter what you do the email shell game is not a complete strategy for spam management.

    In your case I think that address is so worthless at this point that you're going to have to give up on it. Put a vacation message on it and move on.
    • by DeadSea ( 69598 ) on Tuesday January 21, 2003 @07:28AM (#5125768) Homepage Journal
      You can no longer expect to use an email address for very long without it getting spammed.
      1. Buy your own domain name so you have an unlimited number of email addresses.
      2. Change your email address every few months when it starts getting spam.
      3. So that friends and family can still contact you, put a form on your website [ostermiller.org] that will always send to your current email address.
      4. For old disabled email addresses, send an autoreply that says "This email address has been disabled because it is getting too much spam. Please contact bob at: http://bobsite.tld/contact.pl"
      • > Buy your own domain name so you have an unlimited
        > number of email addresses.

        And so that you can receive an unlimited amount of spam. About half of my spam is addressed to randomly generated usernames.

        I've said this before: bombarding a domain with identical messages addressed to randomly generated usernames would be deemed an illegal DOS attack if done by a 13-year-old in his mother's basement.
      • You can no longer expect to use an email address for very long without it getting spammed.

        "Expect" is the operative word. I certainly didn't expect this, but my primary email address hasn't received a single piece of spam since I got it in March of last year (my Yahoo! addresses are, of course, worthless).

        • I wish I were so lucky.
          1. My father got me an online-dvd rental for Christmas and gave them my address.
          2. A friend sent me an email greeting card, giving out my address to the greeting card site.
          3. Some "friend" submitted my email address to crushlink.
          I started getting 10 spam a day at that address just from those three leaks and I had to change my address after just a couple of months.
      • Even being a techie, if someone says "the only way you can reliably contact me is by filling out this web form" I'm done. I don't know what you're doing that kills your email addresses (hint: don't post them on /.) so fast, but I've got an *AOL* account I've had for almost 6 years that only gets 5-10 pieces of spam a day. And it's remained constant, the only reason I started getting spam was my girlfriend at the time sent me one of those e-greetings that then sold out my address.

        Even if your girl is dumb as rocks, and is constantly giving out your address, it's really not too hard to put a spam filter on your address (like I do with my non-AOL accounts), particularly for someone who is all smart who owns their own domain and stuff, right? My laziness outweighs yours, especially because all you need to do is configure an app *once*.

        Email's about convenience, get a clue.
      • It's only a lost cause if you're careless with your email address. My primary email has been active for almost 3 years now, and is relatively SPAM free. Almost all of the bulk mail I get is opt-in stuff I signed up for. And if you're curious, yes it is the email above.

        I also have an alternate email address (from a former employer that never bothered to shut it off) that I use whenever I'm signing up for something I think is questionable (online merchants I haven't dealt with before, ebay, paypal, USENET, etc). It's been active for almost 2 years (one month to go) and is still perfectly usable, getting maybe 5 SPAMs a day.

        Note that neither of these are typical "throw away" email addresses. Note also that I'm not going to any great lengths to keep either of them secret. You may be right in that it's a losing battle to try and keep a Hotmail or Yahoo address SPAM free, but for a real email address the only reason you should expect it to be overrun with SPAM is if you are exceptionally careless or stupid with it.

      • I've been ajs@ajs.com since 1994. The spam that I get is an ever-growing mountain, but it's very manageable thanks to SpamAssassin. You should check it out. I use evolution as my MUA, and I have a single virtual folder for "Junk" that includes spam, automatic mail from systems that won't shut up, etc. I delete everything in it from time to time during the day, and never think much about it. Sometimes I go through it a bit to see if anything has gotten stuck due to black hole services and such, but mostly I just let the system do its job.

        I can't imagine changing email addresses every month. People send me mail who have not communicated with me for YEARS. How would they know what to use?
      • If you own your own domain you can make all the email go to one account, and then give different sources a different address. For example amazon@ispooge.com, ebay@ispooge.com, some_merchant_site@ispooge.com... It is really nice to see who is giving your address out, and then you can throw mails with certain To: headers into a folder. Combined with a spam filter it would probably be a pretty good solution.
    • Yes, but, what if your email address is firstname@lastname.com or something similar that's identifiable to you?

      I have received lots of spam on my primary email account since about 1997. I used to just filter the majority of it with my mail client's filters, but, it was just too burdensome ever since I began receiving spam from spoofed email addresses. I eventually had to resort to dropping my personal email address (which I paid for and had an allotted amount of storage space and bandwidth) at my own domain and obtaining a new email address.

      It's not much work, of course, but, it's something we would be best without. Why shall we be forced to have new email addresses? Similarly, why should we be forced to have new phone numbers? We're paying for these services, yet, in regards to email, we accept the abuse?

      Currently my workaround solution is to have separate email accounts for different uses. I use one for spam (signing up for any services/registering for anything), one for friends and family (and now school), and a few others for my other personalities. I NEVER post my personal email address, nor do I EVER use it when posting information on the Internet or with any programs (during installation or configuration). I also include a disclaimer to my emails as part of my signature warning others to not distribute my email address and/or email message and to not include me when sending spam/chain mail.

      I have once had a completely spam free email address until one day a friend of mine sent me some humorous chain mail. It was very funny, but, it was sent to about 20 of his friends or so. Who knows where it went from there, but, after a few weeks in came the spam.
  • legal steps (Score:5, Informative)

    by zarqman ( 64555 ) <tm@zarq[ ].com ['man' in gap]> on Tuesday January 21, 2003 @01:18AM (#5124575) Homepage Journal
    if you can identify who the spammer is and if they are in the same country as you are, then you certainly can sue. whether you can collect of course, is a different matter. but, things that are likely to help: document, document, document. seriously. you can probably approach this two ways: a criminal basis, fraud, and a civil basis, personal loss.

    for fraud, you'll likely need the assistance of a public prosecutor. if they are cool with that, you're in luck. if they aren't, there's not much you can do. you will have to somehow show ill-intent on the basis of committing the fraud. honestly, not too difficult, but given the courts in your jurisdiction, you never know. jurisdiction differences between you and the spammer may make this difficult.

    for personal loss, jurisdiction can be worked with (if, as mentioned above, in the same country), although it could get expensive to pursue. documentation becomes really big here as you'll have to prove loss. document the time you spend contacting people to let them know of your new address. write a journal and document your 'pain and suffering' having to go through this. keep all server logs, measure for bandwidth and storage use (not totally sure what to do with it, but maybe someone else creative here will help), and anything else you can think of. if it requires long distance calls, document that. etc. then find a lawyer who will take it and see what happens. then again, contact a lawyer in your jurisdiction first, as the usual /. rules apply: few here are lawyers (i'm not) and none are _your_ lawyer.

    good luck. i certainly feel for you. this bites.

    • Re:legal steps (Score:4, Insightful)

      by walt-sjc ( 145127 ) on Tuesday January 21, 2003 @09:18AM (#5126041)
      Speaking of legal steps, I find it interesting that the people who are against making spam illegal are unusually quiet in this topic. They hate to admit that spam is truly evil, and should be outlawed.

      The scenario that happened to this guy happens EVERY DAY. There is no socially redeeming value to spam. It has to go. Contact your favorite government official of choice in whatever country you live in. Pressure them into outlawing spam. We must have the strong legal tools to bankrupt spammers.
  • by Xunker ( 6905 ) on Tuesday January 21, 2003 @01:18AM (#5124577) Homepage Journal
    While not an answer to your question, I feel this incident exposes a major problem with the way many MTAs are architected.

    I cannot send mail to AOL users. Why? Because I'm in their spam filter. Why? Because of Klez. As you may know, it extracts addresses from your IE cache and sends mail using one of those addresses it finds. Well, mine was used a bunch of times to send the virus to AOLers.

    AOLs mail server didn't bother to read the headers -- instead, it does what no server should do, trust the "From:" header. Had their MTA parsed the "Received By" logs, it would find that it wasn't sent by me. Instead, whoever wrote it took the easy way out and decided to always believe the From: header and as such I'm now unable to send mail to AOL.

    Not like I mind.
    • Had their MTA parsed the "Received By" logs, it would find that it wasn't sent by me.

      Not really possible. joe@whatever.com can send out mail using smtp.colo-isp.com. Not everyone sets up their relay to be named some-subdomain.whatever.com, but they use some other relay. Or, better example, I send out mail from me@personal-isp.com while I'm at work, so it goes through smtp.my-work.com. I do that all the time (or usually the other way around - sending out work-related mail from my home ISP).

      Can't really figure these things out programmatically. Sucks that they try, because they'll fail.
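
Added example, not from any poster in this thread: one way to do the header reading discussed above on a bounce for mail you never sent. It pulls the original message out of the bounce and reports which IP handed it to the bouncing server; the sample bounce, its hosts and `MY_RELAYS` are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the only hosts that legitimately send mail for your address.
MY_RELAYS = {"192.0.2.10"}

# Constructed bounce in the multipart/report layout; every host is made up.
BOUNCE = """\
Return-Path: <>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by mail.example.org; Tue, 21 Jan 2003 01:00:00 -0000
From: MAILER-DAEMON@mx.recipient.example
To: me@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The following address failed: nobody@recipient.example

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: message/rfc822

Received: from relay.open.example (relay.open.example [203.0.113.25])
    by mx.recipient.example; Tue, 21 Jan 2003 00:59:00 -0000
Received: from unknown (HELO mail.example.org) (203.0.113.99)
    by relay.open.example; Tue, 21 Jan 2003 00:58:00 -0000
From: me@example.org
To: nobody@recipient.example
Message-ID: <constructed-123@relay.open.example>
Subject: constructed sample

body
--BOUND--
"""

# "from <name the sender claimed> ... [ip]" or "(ip)", as written by the receiver.
HOP = re.compile(r"from\s+(\S+).*?[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", re.S)


def embedded_original(bounce):
    """Return the returned message (or just its headers) carried in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None


def received_hops(msg):
    """Return (claimed_name, ip) for each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP.search(str(value))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def analyze_bounce(raw):
    """Summarise who really handed the bounced message to the reporting MTA."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return None
    hops = received_hops(original)
    # Only the newest Received line was written by the server that bounced the
    # mail; older lines (and the From: header) are whatever the sender typed.
    handoff_ip = hops[0][1] if hops else None
    return {
        "claimed_from": parseaddr(str(original.get("From", "")))[1],
        "hops": hops,
        "handoff_ip": handoff_ip,          # the address to name in an abuse report
        "sent_by_us": handoff_ip in MY_RELAYS,
    }


if __name__ == "__main__":
    print(analyze_bounce(BOUNCE))
```

The comparison against `MY_RELAYS` works for your own address because you know which hosts you send through; as the reply above notes, a third party cannot assume that list for arbitrary senders.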

  • Ditto (Score:3, Interesting)

    by themo0c0w ( 594693 ) on Tuesday January 21, 2003 @01:24AM (#5124601)

    This same thing happened to me as well. I had a POP account for some time, but it got used as the return-address for spam. My only recourse was to deactivate the account with my ISP and find another address.

    The real trouble came when I had to transfer my domain to another registrar. Since they have to verify my identity against my email, I was forced to reactivate the account. Thankfully, after several months of rejecting email, the problem of 10,000 undeliverable messages per day had gone away. There still were thousands of messages in my inbox I had to clear (thank God for IMAP), but the account was still usable again.

    As a side note, I tried reporting this to my ISP's abuse department, but that got nowhere. I never seemed to find a real person to listen. However, I didn't try very hard--your mileage may vary.

  • Check out Habeas [habeas.com] for adding headers to your email that certify you're not sending spam. Habeas' license policy restricts spammers from using them, thus spam filters allow emails with Habeas headers through without problems. Let's hope it works! :)
  • The worst part is: (Score:3, Insightful)

    by Ayanami Rei ( 621112 ) <rayanami AT gmail DOT com> on Tuesday January 21, 2003 @01:37AM (#5124655) Journal
    You won't know why things aren't working until way after you can do damage control, and let everyone know what happened. Most of them will think you're ignoring them and become insulted.

    And as long as we focus on a system where a hashed string is an index into a table, and that is the sole identifying feature of some communication (wanted or unwanted), there won't be a solution forthcoming.

    I think a facet of the current problem is there's no easy way to "clear your name" with ISPs. It's easy to harvest and build deny lists, but difficult to deal with those false positives; you know, human interaction. Not a strong point, especially among this crowd (myself included)
  • by waytoomuchcoffee ( 263275 ) on Tuesday January 21, 2003 @01:50AM (#5124713)
    I have worried about this stuff for a long time. First, as so many have stated already, "get a new email address." Really no way around that, your old one is *dead*.

    So what to do about the future? I guess you have to assume that every email address can eventually be nuked, and get used to sending out new email address notifications to everyone. Another reason I see digital signing becoming a necessity in the future -- else what is to stop a trojan hijacking your email address and sending out fake change of address messages?

    More and more it's heading to the point where your *real identity* has nothing to do with your email address, but rather with your PGP key.
    • by JohnFluxx ( 413620 ) on Tuesday January 21, 2003 @02:45AM (#5124972)
      Hmm, now that's an idea..

      Could it be done so that when you hit reply, you contact one of the pgp keyservers and get back the preferred email address?

      That way, when you change your email, all you have to do is change the preferred email address on the keyservers.
      • Could it be done so that when you hit reply, you contact one of the pgp keyservers and get back the preferred email address?
        As a spammer, I would start harvesting email addresses from PGP key servers.
        • You wouldn't be able to do anything you can't do at the moment. The keyservers already contain the email address of all the emails.

          You currently can just search for a name and get back the closest hits. You could drastically slow down email-reapers by only returning exact hits - although this wouldn't be as functional.

      • Fine, but it doesn't scale, and it wouldn't stop spammers from finding your email address. In fact, it would make it easier as all the email addresses are available at one easy-to-use location!

        Technical measures to the spam problem just don't work. Being forced to change email addresses every week is NOT THE ANSWER. Filtering only masks the problem and doesn't solve it (closing the barn door AFTER the cows got out.) More and more people are filtering yet the volume of spam is just increasing. You can't just toss out email standards and create new standards as some people suggest (spammers would probably find a way to spam in a new standard anyway, and any new protocol would take 5-10 years to roll out.)

        What is REALLY needed is GOOD anti-spam laws that would provide for hefty jail terms for spammers that do this kind of thing. Since most spam is US centric (even though spammers frequently use international open relays) US laws would make a huge dent in spam. Other countries would probably quickly follow suit. What is really needed is for congress to work with technical experts to write good laws with teeth. Even the DMA is coming around to the reality that spam is bad and laws are needed

        • What is REALLY needed is GOOD anti-spam laws that would provide for hefty jail terms for spammers that do this kind of thing. Since most spam is US centric (even though spammers frequently use international open relays) US laws would make a huge dent in spam.

          I would tend to disagree with this. How are you going to prove that all those Chinese open relays were exploited in the US? And if you could, spammers would just move to Anguilla and set up shop there.

          Fine, but it doesn't scale, and it wouldn't stop spammers from finding your email address. In fact, it would make it easier as all the email addresses are available at one easy-to-use location!

          As someone said, it isn't stopping them today -- you can go farm lots of addresses on the netservers right now.

          This is why I predict whitelisting becoming more and more common. However, it is really easy to get around a lot of the whitelisting today -- for example, most people include their OWN email address (they had to see if it worked, right?), and this has already been used to get by a whitelist -- just forge the from and to headers BOTH to the address you are spamming.

          I guess the more drastic kind of whitelist would be a "trusted circle" variety that required digital signatures of the person sending you an email.
  • Get a domain instead (Score:3, Informative)

    by npadgett ( 535525 ) on Tuesday January 21, 2003 @02:01AM (#5124762) Homepage
    Do what a friend of mine did. Get a domain. Then generate nice one-off mail addresses to use for all things and purposes. Should help to reduce your exposure to things like this -- lets you spread the risk around. Any address that is compromised can just be blocked out.
    • What is to stop your domain from getting blacklisted? And I hope your friend is running a good whitelisting program on all but the address s/he is using, since spam comes in bundles to various addresses in the domain, which will all end up in his/her default box.
      • Simple.

        When you signup for something, use -@. for example, I could use:

        ksnider-slashdot@flarn.com as an email address. That way, if spam starts coming to this address, I just blackhole *that* address entirely, and either change my address on slashdot (ksnider-slashdot2), or leave it as-is if I don't care about the registration in question.

        There is an issue with spambots trying any address at your domain, since you'll get tons of mail in your mailbox if you just allow, by default, *@your-domain.tld to deliver to your mailbox. But in my experience, they tend to hit the same addresses - sales, info, webmaster, etc.. and once you explicitly blacklist those, you'll find your world blissfully spam-free. :)

        Oh, and as a final note, don't use any combination of your name as your *primary* email address! Instead, use something like me@my-domain.tld or somesuch, to make it more difficult to "guess" your email address.
    • a much easier way is to use spamgourmet.com [spamgourmet.com]. once registered, you can create limited-use email addresses on the fly.
    • A little more work, but if you've got your own domain, create subdomains for email addresses (ie. ph@slashdot.domain.com) and use that email on slashdot. Then if and when slashdot sells my email address (just an example) and I get spam to that address, I know who was responsible. I can also just remove the domain completely and then future spams won't even reach me as DNS won't resolve.

      Doesn't have to be that specific, you could just do ph@sub1.domain.com and once it goes bad, kill it.
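
Added example, not code from any poster: a sketch of the per-sender address scheme discussed in this thread (`user-tag@domain`, blackhole a tag once it leaks, move to a numbered successor, and no catch-all for guessed names). The class name, `example.org`, the user `me` and the tags are assumptions made for illustration.

```python
import re
from collections import Counter


class AliasRouter:
    """Decide what to do with mail addressed to <user>-<tag>@<domain>."""

    def __init__(self, domain, user):
        self.domain = domain.lower()
        self.user = user.lower()
        self.blackholed = set()   # tags that have leaked to spammers

    def _tag(self, rcpt):
        """Return the tag, "" for the bare primary address, None otherwise."""
        local, _, domain = rcpt.strip().lower().rpartition("@")
        if domain != self.domain:
            return None
        if local == self.user:
            return ""
        prefix = self.user + "-"
        if local.startswith(prefix) and len(local) > len(prefix):
            return local[len(prefix):]
        return None

    def route(self, rcpt):
        """Return (action, tag) where action is deliver, discard or reject."""
        tag = self._tag(rcpt)
        if tag is None:
            # Guessed names (sales@, info@, random strings) never reach the
            # mailbox because nothing outside the user-tag pattern is accepted.
            return ("reject", None)
        if tag in self.blackholed:
            return ("discard", tag)
        return ("deliver", tag or None)

    def rotate(self, tag):
        """Blackhole a leaked tag and return its successor (shop -> shop2)."""
        tag = tag.lower()
        self.blackholed.add(tag)
        base, digits = re.fullmatch(r"(.*?)(\d*)", tag).groups()
        return base + str(int(digits) + 1 if digits else 2)

    def leak_report(self, spam_recipients):
        """Count spam per tag to show which registration gave the address away."""
        counts = Counter()
        for rcpt in spam_recipients:
            tag = self._tag(rcpt)
            if tag:
                counts[tag] += 1
        return counts


if __name__ == "__main__":
    router = AliasRouter("example.org", "me")
    # Constructed recipients of messages a filter already marked as spam.
    spam = ["me-shop@example.org", "ME-shop@example.org",
            "me-forum@example.org", "sales@example.org"]
    worst, _ = router.leak_report(spam).most_common(1)[0]
    print("leaked via:", worst, "-> re-register as me-%s" % router.rotate(worst))
    for rcpt in ("me-shop@example.org", "me-shop2@example.org",
                 "webmaster@example.org", "me@example.org"):
        print(rcpt, router.route(rcpt))
```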
  • I was just a tall, goofy looking kid in middle school with buck-teeth and freckles. Each day in the cafeteria, I walked from table to table ...
    Wouldn't you rather learn day-trading from a guy who used to steal kids' lunch money?!
    • The guy thinks he was really smart, and scammed these kids out of their money. But in all reality, most of them knew he was never paying them back after the first week. He probably just got labeled as a deadbeat, because that's what he was. Fritz
  • by faster ( 21765 ) on Tuesday January 21, 2003 @02:58AM (#5125027)
    My 9-year-old address has been forged in spam headers about 6 times. I'm guessing that around 150k spam messages have been sent with my email as the 'From' address. I haven't found my domain or my address to be on any blacklists as a result, and I've only gotten ONE reply from a spammee who couldn't tell that the email didn't really come from me.

    I hate it, it sucks, etc. But it hasn't affected my legitimate use of the address.
  • as a CA resident (Score:4, Interesting)

    by drDugan ( 219551 ) on Tuesday January 21, 2003 @03:06AM (#5125050) Homepage
    once I cross the "you pissed me off, spammer" line...

    I usually send a nastygram back to all the email addresses I can find, their funders & investors, board members, customers, employees, etc. all in the TO: field:

    I say I will never do business with them, will tell my friends not to do business with them, and purposefully seek out their competitors when I next need their product.

    I tell them that this is formal notification to not contact me again commercially, and list the email addresses that they must remove.

    Then I tell them I will sue them under CA law (http://www.spamlaws.com/state/ca1.html) if they don't comply.

    • by Henry V .009 ( 518000 ) on Tuesday January 21, 2003 @09:14AM (#5126027) Journal
      I imagine that this is the kind of thing you get in reply: We here at the Ottawa Penis Enlargement factory are saddened that our business practices have caused you so much grief. We are especially worried that you have promised that you "will tell my friends not to do business with [us]." Ours is a quality establishment built on customer trust and satisfaction. After all, if you can't trust the Ottawa Penis Enlargement company, who can you trust?
    • The problem with this is that you have now validated your email address as a real address, giving them even more incentive to sell your info to more spammers... Doh!

      -G
    • I usually send a nastygram back to all the email addresses I can find, their funders & investors, board members, customers, employees, etc. all in the TO: field:

      I tried this with a company that put me on their listserv without my consent. After complaining for months to their ISP, attempting to use their unsubscribe page with no results and bouncing their emails back, I visited their website and wrote an email to the dozens of "partner" companies listed there. I said that I would no longer purchase any products from companies that "partner" with a spammer.

      The original company then threatened to sue me for causing them to lose "$200,000" in advertising revenue from all the partners who cancelled their contracts.

      Of course, after their lawyer acknowledged they had found all the times I attempted to unsubscribe in their weblogs and couldn't explain why that didn't work, I never heard from them again.

  • by penguinboy ( 35085 ) on Tuesday January 21, 2003 @03:20AM (#5125100)
    Just goes to show why filtering on sender alone is useless, since the From: line isn't authenticated and can contain absolutely anything. A tool like SpamAssassin that checks multiple criteria can be much more effective.
  • by Joel Rowbottom ( 89350 ) on Tuesday January 21, 2003 @03:26AM (#5125126) Homepage
    The technique you're describing is known as 'collateral spam'.

    I'm the Head Geek (ok, CTO) of the company which runs domains such as UK.com, UK.net, US.com, etc. Among our 'portfolio' we have the name NO.com.

    Now, admit it, how many times have you typed 'no@no.com' into a reply-to field, or a web-form? Those bounces come to us, and yes, they're hellish to deal with - it's pretty much rendered the whole domain useless for email, never mind one single address, because we have to bounce or filter the 'bad' addresses. It's a Wile E Coyote Acme-branded magnet for spam.

    You don't say which locale you're in, but the European Commission made this a criminal act - I was at the consultation with members of the ISP industry, and cited the collateral spam problem as a form of DoS - never mind the identity theft.

    If you want to take legal action, this is probably the way forward, but if I were you I'd just let it go - it'll be expensive, and probably greenfield legal territory anyway.

    (IANAL, blah).

  • by geoswan ( 316494 ) on Tuesday January 21, 2003 @05:48AM (#5125515) Journal
    It happened to me too.

    I experienced some real anxiety, when I opened up my mailbox, and saw sixty odd "undeliverable" messages. But it turned out it was all addressed to a userid I hadn't used in almost six years. That ISP kindly agreed to keep forwarding my old email. This was useful for the first year or so. From then on all it got me was the occasional SPAM.

    Then the SPAM grew more frequent. And, more recently, I started getting SPAM addressed to me under the name Joan.

    Then, in late November of last year I got the same flood of undeliverable messages bmooney describes.

    I found it very surprising how many ISPs could not detect that the messages were SPAM. Most ISPs didn't bounce back enough to submit a report to http://spamcop.net [spamcop.net]. But some did. And I reported those. Altogether I got about 600 warnings and error messages.

    At first I was getting about fifty or so a day. But then they slowed to a trickle.

    I can't understand what advantage there is for a SPAM artist to forge a real address as the author of their SPAM.

    I suspect that the arrival of SPAM addressed to "Joan" marked the beginning of SPAM artists using this userid. The forged userid was accompanied by dozens of made up names. I suspect that one SPAM artist mistakenly harvested the forged name Joan from a previous SPAM campaign.

    One of the other respondents to bmooney's article has reported their userid too has been forged into SPAM, and they estimated 150K messages went out. I was curious how many messages went out under my old userid. How would one make a reliable estimate, based on the number of undeliverables?

    My SPAM artist was trying to sell penis enlargement.

    I too only received a single reply from a live human being, who couldn't tell that the message was SPAM, and replying was useless. I got a couple of dozen messages from people who had set up autoresponders, because they were on vacation.

  • I do a mailout to up to 75,000 opt-in recipients.

    Of course it needs a return address.
    Guess who has the delight of that one.

    I don't need bugtraq or Massage Labs to tell me when the newest Email Virus is out. I get at least 20-25 a day.

    I used to try mailing them back and explaining but I stopped wasting my time. The old forged From: problem sorts that one out.

    • Ok, I'll bite. (Score:1, Insightful)

      by Anonymous Coward
      What are you sending to 75,000 opt-in recipients a day? Are they really opt-in? Looking at your email address and your website link, I have a very hard time believing that 75,000 people are actually interested in anything you say or do.

      75,000??? Inquiring minds want to know!!!!!

      J. Preston
  • by phr2 ( 545169 ) on Tuesday January 21, 2003 @06:06AM (#5125558)
    This is much different than the ordinary civil offense that gets committed when you simply get sent a piece of spam.

    Call your state attorney general and describe the situation as identity theft and/or DOS attack, and urge him/her to prosecute the spammer. Say it can be a very visible prosecution that will make the AG enormously popular with computer users.

  • Fraud/Impersonation (Score:3, Informative)

    by TheLink ( 130905 ) on Tuesday January 21, 2003 @06:38AM (#5125631) Journal
    It's fraud/impersonation. Someone says they're you when they're not. Simple as that.

    There are laws against that in most countries. If the spammer is in the same country as you, you've a better chance of success.

    The damages should go up, if they impersonate you and do bad things.
  • I have an account that offers 5 email addresses. One is a trashcan address (i.e. spamfilter@blah.net) and I use that when I get a site that wants your email address. I also put it in my email program (evolution) as a return address and put comments below to use another account. I never bother to check my spam account and let my isp deal with it. Funny they have never contacted me about it(?). One time I had over 100 spam emails in it. I'm sure there are better solutions but this one tends to work well for me. coffee177
  • by Asprin ( 545477 ) <(moc.oohay) (ta) (dlonrasg)> on Tuesday January 21, 2003 @09:47AM (#5126221) Homepage Journal

    Damn right it's identity theft!

    One day a couple of months ago, I got a "Thanks for joining!" message from Netflix [netflix.com]. A few hours later, I got several "Thanks for your order, Your DVD rental is on its way" messages. Apparently, some jerk-ass had used **MY** email account to sign up for the service. Sure enough, when I called their customer service department (who were very helpful once they called the phone number on the account and got a non-residential warehouse in California) and complained that I was the victim of, you know, **FRAUD**, they changed the email address to something invalid to prompt a customer service call from the dude who signed up.

    The problem is who do they go after when this asshead absconds with the DVDs? Me? I didn't do anything except have an email address someone else used fraudulently. Unfortunately, I'm probably the only contact information they have on the account that leads to an actual human being, and that's why I was so vigilant about complaining early and often.

    If anyone was at fault, it was Netflix - mailing lists learned long ago that you cannot assume an email address is valid because someone stuck it in a web form, so they send confirmation messages through an autoreply address validation system.

    BTW, one of the early messages I got also included the password for the account. (Good move, NetFlix!!!) I looked up the account to get info for my records, but I didn't change the password or log on to the account (though I was prepared to do so if Netflix couldn't fix the problem). My concern was that some boneheaded prosecutor somewhere would have interpreted that as acknowledging ownership of the account, and I didn't want to be involved any more than I already was.

    I'm just glad it's over.

    • a) There's no reason to use someone's email address when signing up for Netflix... It essentially gives that someone access to an account paid for with YOUR credit card.

      b) How the hell did this guy order DVDs if he didn't have access to your email (and hence the account password).

      c) You would have had nothing to worry about - Whoever was at that address is a different story though. More importantly, whoever's CC# was used to sign up would've had something to worry about.

      • a) There's no reason to use someone's email address when signing up for Netflix... It essentially gives that someone access to an account paid for with YOUR credit card.

        Like I said, I did not access the account, so I do not know if Netflix provides no-CC options or not, whether the CC used was valid or not, nor whether the card itself was stolen or not. Here's a thought - let's say that it **was** a stolen credit card. Now my email address is on an account that's using a stolen card. Prove that I didn't sign up for the account and fill in a bogus mailing address. There'd be no point you say? Maybe, if I was actually after the movies, but it's still fraud and theft *AND* now carries the added weight of being a FEDERAL crime because the transaction crosses state lines **AND** My email address is listed as a contact on the account. Excuse me for letting paranoia get the best of me, but if I were the FBI, I would AT LEAST send a couple of agents out to investigate the owner of the email account, so I'm going to complain early and often to make sure that my position is understood by everyone with whom I come in contact.

        Plus, now the credit card companies are involved and they have attorneys whose job it is to fight this kind of stuff - ALL DAY LONG. I've heard too many horror stories about innocent people plea-bargaining to make problems like this go away because they cannot afford the battle.

        b) How the hell did this guy order DVDs if he didn't have access to your email (and hence the account password).

        He put my email address on the sign-up form and Netflix didn't verify it was his. I don't know if he ever accessed the account after his initial order, because I didn't stick around long enough to find out.

        c) You would have had nothing to worry about - Whoever was at that address is a different story though. More importantly, whoever's CC# was used to sign up would've had something to worry about.

        I would hope so, but I can't assume that -- not when there isn't some sort of clear legislative or legal precedent to identify this sort of thing as identity theft.

        It's also possible it was an honest mistake like a typo, though I clearly can't assume that either. It's better to avoid the accident if you have the opportunity than let the accident happen and be in the right.

        • First off, the FBI is most definitely not going to come around because of a couple of stolen DVDs. Most importantly though, the DVD's would actually have to get mailed somewhere. So, unless he also used your postal address and hung out by your mailbox until the DVD's got dropped off and then stole them, you don't really have a problem.
    • I was in a cybercafe, and I checked on my amazon account. After doing that and some browsing, the machine crashed. The client then automatically rebuilt itself from a mirror... slowly...

      Amazon had still got me registered as being logged in - and had automagically turned one-click-ordering on for me (I never asked for that!).

      A week later, they still thought I was logged on and some anti-social meanie using the cybercafe used one-click-ordering to send me a dozen rap CDs with parental advisory (warning: artist has no talent) at my expense.

      When I got the email, it was too late to cancel the order via the web site.

      After ringing them internationally (ka-ching!) they said they would cancel, but it still turned up. Naturally I refused delivery, but they kept trying to deliver, even after I rang the delivery company several times telling them I didn't want it. Eventually they gave up, and I was recredited on my credit card. A month or so later the tax inspectors rang me up asking me to pay VAT on the CDs!!! But they accepted me telling them that I refused the delivery, and I didn't order them in the first place.

      So I learned "If you are not X, click here" is amazon's way of saying "Log Out" the hard way. And one-click-ordering is the devil's tool.

  • i got an email from postmaster@bigfoot.com telling me i was over quota because of all the bounced messages flowing to my bigfoot account. i replied to it explaining the situation and it was bounced because the box was full. i am in the process of moving to other email addresses and i will put an autoresponder on my bigfoot account pointing them to a web page where my friends and family can send me a message and i will respond with my new email address.
  • Get your own domain (Score:2, Informative)

    by Tip ( 27957 )
    I have my own domain, and give everyone a different email address on that domain. For example if I signed up with ebay it would be ebay@mydomain.com. This way I know who is giving out my address. I have had almost 0 spam messages since I've been doing this. And if one of the emails become contaminated, I just drop that mail for a while.
  • by waldoj ( 8229 ) <waldo@@@jaquith...org> on Tuesday January 21, 2003 @01:04PM (#5127638) Homepage Journal
    I had this happen to me, too. Some spammer was promoting a pump-and-dump scheme and then moved onto promoting an actual product. It was easy enough to connect the two, and thus get a name and address. A friend and staunch anti-spam advocate actually called the guy up and challenged him. He invented some yarn about an evil business partner taking over his servers or something. I talked to several attorneys, but the cost for taking on the case was thousands of dollars, so that was out. I eventually filed a complaint with the SEC over the pump-and-dump scheme, but I've never heard back.

    Another spammer started sending out mail with my return address about a week ago. This time, I wrote a quick filter to pipe it all into a folder where I could ignore it. I don't know what else I can do.

    -Waldo Jaquith
  • Mine started about a week ago with several bounced messages from yahoo.com. What did I do?

    1. Safely followed the link in the message to the website hosted on a DSL line from Belize (Mortgage Refinance)
    2. Looked for contact info (none, just a phone 900#)
    3. Did a whois on the domain (all bogus info)
    4. Contacted the domain registrar with the bogus info and a quote from their terms of service.
    5. Asked that the domain be suspended until contact info is provided.

    Did it work? Not yet but I have hope.

    SD
  • OK, it's very offtopic, and I expect it to get moderated that way, but believe it or not, forum at aagames dot co dot uk was getting about 20 spam messages a day. For fun, I clicked/e-mailed the unsubscribe instructions. Believe it or not, it now gets no spam. We changed the addy anyway, but amazingly our unsubscribe links _WORKED_. /me checks "No Karma Bonus" ;)
  • I have been a comcast subscriber since before they changed over from comcast@home, over a year ago, with the same email address. Recently, I've begun to get return emails with MY address as the sender. Though numerous emails were sent, they came from only 2 original locations. I've sent emails to Comcast's abuse with no result, but luckily it doesn't appear to have been as widespread as to render the address useless.
  • I get a fair number of these messages (for some reason my yahoo.com address gets joe-jobbed every couple weeks) and found procmail / spamassassin extremely useful. Simple From/To filtering isn't reliable any more but content based filtering has a lot of life left in it - SpamAssassin will block most bounces based on the included spam in common bounce formats and procmail or perl's Mail::Audit are sufficiently flexible to get whatever's left if there's any way to meaningfully filter them, as is usually the case.

    The next step is time-based addresses - perhaps having the Evil Bastard filter on your generic foo@example.com and having a bypass for key@example.com, where the key rotates every few days. Finally, you could have your filter drop bounces which don't contain an email address and subject matching email in your sent mail folder or use a custom keyed return-path and drop bounces which don't use it.

    Unfortunately, most of this is impractical for people who don't run their own mail servers. SpamAssassin is at least available as a plugin for anyone stuck with Outlook, so there's hope that more advanced filtering will sneak in to common use.

    One other note - if you can figure out who was responsible file a case in small claims court. They'll lose by default if they don't show up (which is almost certain if they aren't local) and you give a default judgement to a collection agency for a percentage of the award.
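
The keyed return-path idea from the comment above, as an added example that is not code from the thread: outgoing mail carries an envelope sender tagged with the send day and an HMAC, and a bounce (null envelope sender) is accepted only when it comes back to a valid, recent tag. The secret, the `foo+<day>-<tag>@example.com` layout, the seven-day lifetime and all function names are assumptions.

```python
import hashlib
import hmac
from datetime import date

# Assumptions for this sketch: secret, domain, tag layout and lifetime.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.com"
MAX_AGE_DAYS = 7


def _tag(local, day):
    """Short HMAC over the mailbox name and the day the mail was sent."""
    mac = hmac.new(SECRET, f"{local}:{day}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def make_return_path(local, today):
    """Envelope sender for outgoing mail: local+<day>-<tag>@DOMAIN."""
    day = today.toordinal()
    return f"{local}+{day}-{_tag(local, day)}@{DOMAIN}"


def tag_is_valid(rcpt, today):
    """True if rcpt is a return-path we issued within MAX_AGE_DAYS."""
    try:
        localpart, domain = rcpt.rsplit("@", 1)
        local, key = localpart.rsplit("+", 1)
        day_text, tag = key.split("-", 1)
        day = int(day_text)
    except ValueError:          # no "@", no "+key", or non-numeric day
        return False
    if domain.lower() != DOMAIN:
        return False
    if not 0 <= today.toordinal() - day <= MAX_AGE_DAYS:
        return False            # expired or future-dated tag
    return hmac.compare_digest(tag.encode(), _tag(local, day).encode())


def classify(envelope_from, rcpt, today):
    """Bounces arrive with the null envelope sender (MAIL FROM:<>)."""
    if envelope_from == "":
        return "deliver" if tag_is_valid(rcpt, today) else "drop"
    return "deliver"            # ordinary mail goes on to content filtering
```

Bounces caused by a forged From: come back to the plain address and are dropped, while bounces for mail that really was sent come back to the tagged address. The same idea is known as Bounce Address Tag Validation (BATV).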
  • ...and for some reason I forgot to delete it (it arrived last week). On having another look at the source, it seems it has an attachment called live.scr with screwed up MIME headers, so Mozilla won't display it. Looks to me like a virus is faking bounce messages and claiming "The attachment is the original message" in order to get me to run it. Heh, nice try, that's one of the reasons I don't use Windows any more...
  • In the past week, I've started seeing some scumball who is trying a dictionary attack against a server that I run. It tries about 50 randomly selected names at a time, always from an open SMTP relay or an open proxy server (usually a SOCKS proxy, but apparently HTTP proxies can be abused too).

    It always uses "john@some-randomly-selected-domain" as its From: address.

    Fortunately, the targeted domain is one whose users never pick up mail, so I can use it as a honeypot, and feed systems not found in relays.osirusoft.com [osirusoft.com] into a private DNS blacklist. However, I got tired of chasing this dirtball, and set up MIMEDefang [roaringpenguin.com] to automatically add this cretin to the server's firewall rules when one of its attacks is detected.
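
Detection logic for the pattern described in the comment above, as an added example that is not the poster's MIMEDefang setup: it flags any client that is refused many distinct unknown recipients in a short window. The log format, the threshold, the window and the sample lines are all constructed for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any real MTA's):
# <ISO time> rcpt-reject ip=<client> from=<sender> to=<unknown recipient>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rcpt-reject ip=(?P<ip>\S+) "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$"
)


def find_dictionary_attackers(lines, threshold=20, window=timedelta(minutes=5)):
    """Map client IP -> time it first reached `threshold` distinct unknown
    recipients inside one sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)     # ip -> (time, recipient) inside window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not a recipient rejection
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue                # unparseable timestamp
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > window:
            q.popleft()             # forget rejections older than the window
        if m["ip"] not in flagged and len({r for _, r in q}) >= threshold:
            flagged[m["ip"]] = ts
    return flagged


def constructed_log():
    """Sample input: one guessing run, one user with typos, one slow trickle."""
    t0 = datetime(2003, 1, 20, 10, 0, 0)
    fmt = "{} rcpt-reject ip={} from=<{}> to=<{}>"
    lines = []
    for i in range(50):             # 50 guessed names in under a minute
        lines.append(fmt.format((t0 + timedelta(seconds=i)).isoformat(),
                                "192.0.2.10", "john@random.example",
                                f"name{i}@honeypot.example"))
    for i, name in enumerate(("bbo", "alcie")):   # two honest typos
        lines.append(fmt.format((t0 + timedelta(seconds=60 + i)).isoformat(),
                                "198.51.100.7", "friend@isp.example",
                                f"{name}@honeypot.example"))
    for i in range(25):             # 25 rejections spread over four hours
        lines.append(fmt.format((t0 + timedelta(minutes=10 * i)).isoformat(),
                                "203.0.113.5", "list@bulk.example",
                                f"old{i}@honeypot.example"))
    lines.append("garbage line that does not parse")
    return sorted(lines)            # ISO timestamps sort chronologically
```

The returned addresses are what would be fed to a private blacklist or firewall rule; counting distinct recipients rather than total rejections keeps a retrying legitimate server from being flagged.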
