
Spam Kings


by McWilliams, Brian S


  "We send out ten-million-plus emails a day, and you on average send me two complaints per day. I think one complaint per three million is real good," said Richter, apparently unconcerned that the bogus headers in the messages made it extremely difficult for average Internet users to determine to whom they should complain.[23]

  New York's exhibits also included hundreds of spam samples. The scores of sample spams from Delta Seven included the characters "wsb," a special tracking code OptInRealBig had assigned to Delta Seven. But none of the message headers contained IP addresses assigned to networks directly operated by OptInRealBig.

  After news outlets published an array of articles quoting Spitzer and Smith, Richter belatedly responded with a press release about the lawsuits. The argumentative statement bore little of the polish customarily found in corporate press releases on legal matters. It described the lawsuit as "one of the worst orchestrated smear campaigns against legitimate Internet business interests of recent times," and said prosecutors hadn't produced any evidence linking OptInRealBig to the illegal spams.

  "If there were 10,000 false and fraudulent emails sent by Optin, it would be good legal practice if the Attorney General would see fit to attach at least one," read the statement. It also criticized Spitzer's "reliance on Spamhaus" as "a fatal error, because Spamhaus is an offshore, anonymous organization which has no legitimate connection with Internet businesses in the United States." Richter's press release concluded by saying OptInRealBig would vigorously defend itself in court and "prevail as one of the most legitimate Internet marketing institutions in the United States."

  Spam fighters reveled in the moment. The man they considered one of the most frustrating spammers in the world had finally met his comeuppance. But nearly everyone, including Shiksaa, was secretly worried about whether the charges against Richter would stick.

  * * *

  [18] Based on the December 11, 2003, affidavit of Scott Richter in OptInRealBig.com LLC v. Jeff Perreault et al.

  [19] Ibid.

  [20] Author interview with Susan Gunn, April 7, 2003.

  [21] Case docket on file with Denver County Court.

  [22] Shiksaa published the AOL Instant Messenger log of her December 17, 2003, conversation with Richter at her AOL Hometown web page.

  [23] While not illegal at the time, none of the messages contained instructions on how to opt out of future mailings. Recipients were forced to click a link labeled "Privacy Policy," which would take them to a web page that contained, among other things, information on how to unsubscribe.

  Chapter 11.

  CAN-SPAM

  "Welcome to the death of email, ladies and gentlemen. Would the last person to leave email please turn out the lights?"

  That's how a spam fighter greeted the Nanae crowd on the evening of November 22, 2003. Earlier that day, the U.S. House of Representatives had overwhelmingly approved the "Controlling the Assault of Non-Solicited Pornography and Marketing Act," otherwise known as CAN-SPAM. The measure was expected to sail through the Senate and be signed into law by President George W. Bush. After six years of failure, Washington was about to enact its first federal anti-spam legislation.

  So why the dire prediction on Nanae? Many anti-spammers felt the proposed law was in fact legalizing junk email—and, in the process, opening the floodgates to spam.

  "I said years ago that government would only screw it up," wrote one spam fighter on Nanae. "Will those who have been calling for Congress to do something, please stand up and slap yourselves up side the head?"

  CAN-SPAM had been hatched in April 2003 by Republican Senator Conrad Burns of Montana and Oregon Democrat Ron Wyden. Their Senate bill, S.R. 877, embraced an opt-out policy that put the burden on Internet users to unsubscribe from spammers' lists. That was philosophically backward, according to the Coalition Against Unsolicited Commercial Email. CAUCE and other consumer groups believed that U.S. spam law should be based on an opt-in framework, with advertisers obligated to obtain permission from consumers before sending email solicitations.

  But the Senate unanimously passed S.R. 877 in October 2003, thanks in large part to support from the Direct Marketing Association and several large ISPs, including America Online and Microsoft. (Many anti-spammers speculated that the ISPs hoped CAN-SPAM would enable them to more easily sell access to their subscribers by mainstream marketers, otherwise known to spam opponents as "mainsleaze.") After being sent to the House of Representatives, the measure gained a few amendments and was approved by the House 392–5 that November, leading one Nanae participant, only half in jest, to call for the blacklisting of Congress's networks.

  "I say, add SBL/Spews listings for the U.S. House and Senate servers, for 'spam support,'" wrote the frustrated anti-spammer.

  The passage of CAN-SPAM caught many anti-spammers by surprise, but not Spamhaus leader Steve Linford. He'd been monitoring the bill's progress for months and considered it abysmal compared to spam laws recently passed by Australia and some European countries. (In December 2003, a new opt-in spam law in the United Kingdom would go into effect, prohibiting marketers from sending email ads to consumers who hadn't requested to receive them.)[1]

  But when Linford jumped into the Nanae discussion of CAN-SPAM, he noted the bright spots in the proposed U.S. law. For one thing, he said, law enforcement officials would appreciate CAN-SPAM's criminal provisions. Linford pointed out that CAN-SPAM would outlaw the use of spam "zombies" and proxy servers.

  "Obviously it's not going to happen overnight, but fairly quickly in 2004 I would expect that ... spammers will either emigrate to China, or do jail time for proxy spamming," said Linford. Without legal access to proxies, he argued, spammers would be flushed out into the open and forced to send their emails from their own networks. That would make them susceptible to blacklists such as the SBL.

  Other strong points in CAN-SPAM included a ban on collecting email addresses online using automated harvesting tools. It also prohibited forging message headers, and it required spammers to include a valid "From" address. The proposed law further specified that spammers list a valid physical mailing address in their messages, as well as include a working opt-out mechanism, such as a link to a web page for easy unsubscribing.

  But opponents of CAN-SPAM found other aspects of the legislation troubling. Language in the bill empowered the Federal Trade Commission to create a Do Not Email list, patterned after the recently implemented federal Do Not Call list. But Congress had not required the FTC to create such an email registry. Without it, the onus would be on consumers to unsubscribe individually from potentially hundreds of spammers' mailing lists—even though many Internet users had been taught that opt-out links were usually a fraud designed to harvest verified email addresses. (There had even been recent reports on Nanae that some spammers were using fake opt-out links in an attempt to install Trojan horse software on the computers of unprotected Internet users.)

  Also objectionable to many spam fighters was CAN-SPAM's lack of a "private right of action" clause. The law would give the FTC, state attorneys general, and ISPs the ability to sue spammers who violated CAN-SPAM. But individual spam victims would be denied such recourse. As a result, CAUCE predicted that enforcement of CAN-SPAM would be rare and infrequent. The anti-spam group said regulators and attorneys for ISPs lacked the time and resources to pursue more than a few symbolic legal actions against spammers.

  "Unless the FTC is given a massive appropriation to pay for more prosecutors and investigators, giving consumers a right to sue is the only way to get enforcement at a frequency to make spammers think twice," said CAUCE in an October 2003 statement at its web site.

  Particularly aggravating for many spam opponents was language in CAN-SPAM dictating that the new federal law trumped several states' stronger junk email laws. Among the state spam laws preempted by CAN-SPAM was a strict opt-in spam law in California that would have taken effect on January 1, 2004. The measure would have allowed individuals to sue spammers for up to $1,000 per unwanted email message. Not surprisingly, many bulk emailers were relieved to see the California law gutted by CAN-SPAM.

  "We are very excited," OptInRealBig.com CEO Scott Richter told the New York Times on the day the U.S. House passed CAN-SPAM. "All of our clients had been worried about the California law. In the last two hours we have been booking a lot of orders for January."[2]

  Despite CAN-SPAM's critics, Congress and the White House moved ahead quickly to make it the law of the land. On December 16, 2003, Bush signed the landmark bill. The President had no official comment on the Act, but cosponsor Wyden released a statement, saying that the new law created harsh consequences for "kingpin" spammers.

  "Swift and aggressive enforcement will be essential," said Wyden. "I will continue to push the Federal Trade Commission and others to use the tools this law gives them to fight against spam."

  With little time to prepare before CAN-SPAM went into effect January 1, 2004, email marketers of all sorts struggled to come to grips with the complex law's requirements. Some in the junk email business worried that federal and state authorities would begin aggressively pursuing spammers in the new year. Attendance at an early-January 2004 Las Vegas trade show for email marketers was reportedly down, because many spammers feared law enforcement officials would use the event to make CAN-SPAM arrests. (They didn't.) Meanwhile, some law firms created new practices dedicated to advising e-marketers on how to comply with the federal anti-spam law.

  Shiksaa was delighted to see spammers fretting over CAN-SPAM. One evening in late December, she teased Nevada bulk emailer Bill Waggoner over AIM.

  "Getting nervous? Are you worried you're going to jail or to court?" she asked.

  "No, of course not," replied Waggoner. "Jesus loves me."

  "Keep spamming, and maybe you will get sued too. One can hope," she said.

  Shiksaa was especially pleased to learn that CAN-SPAM preserved Internet service providers' right to block any messages they deemed unwelcome—even if the spam was in full compliance with the new law.

  "There is nothing you can do to force them to accept it," she called out to spammers in a message on Nanae. "Want to sue? Go ahead and waste your money, boys. It's becoming very expensive to run a spam shop."

  Online support groups for spammers were abuzz with discussions of how to avoid trouble under the new law. After members of the Send-Safe forum held a December conference call with an attorney to discuss CAN-SPAM compliance, some junk emailers contemplated pulling out of the business.

  "I am sure many of you are as worried as I am. I am really unsure what to do. I am considering shutting down my offices and/or scaling way back," wrote one Send-Safe customer, who said she primarily sent spams on behalf of insurance companies.

  But other veteran spammers vowed that CAN-SPAM wouldn't mean the end of spamming.

  "Sure, it is tougher and the cards are stacked against us, but WE ALWAYS PULL THROUGH. This time will be no different. WE WILL GET COMPLIANT AND continue to mail for sure. That is our way," said a Send-Safe employee. Indeed, Send-Safe soon released a new "CAN-SPAM compliant" version of its program that used rented email servers in China, rather than proxies, to anonymously send messages. Other spamware vendors released similar products.

  Meanwhile, entrepreneurs began developing other offerings aimed at spammers worried about the law. New services sprang up selling "valid froms"—batches of working email addresses that could be used in the "From" line of spams, as required under the law. Operators of the services manually created accounts at free email providers all over the world and resold those accounts to spammers.

  "You could easily spend more time signing up valid froms than you spend mailing. You will also drive yourself nuts doing this tedious and boring job," stated one ad for a valid-from service that charged spammers twenty-five dollars per month for fifty valid from addresses.

  Several U.S. companies also launched services offering to set up offshore incorporations and merchant accounts for spammers. The web site of one such service promised that incorporating in the Bahamas could shield businesses from the "litigation explosion" in the U.S. and could "protect their savings, investments and other accumulated assets that may be attractive targets for hungry trial lawyers."[3]

  But many spammers seemed unperturbed by the new U.S. spam law. In the SpecialHam.com forum, a spammer using the alias "nukeananti" said CAN-SPAM wouldn't change his business practices.

  "Honestly, I don't think this law will be easy to enforce, and it will only result in a small reduction in spam. Already many states have laws against spam, and many of them are more restrictive. They don't have the resources to police email, and I doubt taxpayers would want the FTC spending millions of dollars on this," wrote the spammer.

  Bottom line, said Nukeananti, "I am going to keep on mailing."

  * * *

  [1] The new UK spam law was created in response to the European Commission's Directive on Privacy and Electronic Communications. That directive obliged EC member states to introduce anti-spam laws by October 31, 2003. In addition to the UK, Austria, Denmark, Ireland, Italy, and Spain had already adopted the European Union law. But the other nine member states of the EU, including France and Germany, had yet to adopt anti-spam regulation.

  [2] "Congress Set to Pass Bill That Restrains Unsolicited E-Mail," New York Times, November 22, 2003; Section A, Page 1.

  [3] Text from service description at AssetProtection.com.

  Shiksaa Hangs Up Her LART

  Buried within the dense language of the CAN-SPAM Act was an unusual enforcement provision overlooked by many people. Under the new law, the FTC was required to consider a bounty system for those who tracked down illegal spammers. The authors of CAN-SPAM proposed rewards of "not less than 20 percent of the total civil penalty collected" by the FTC. Lawmakers gave the agency until September 2004 to report back on the plan's feasibility.

  The idea of paying monetary rewards to anti-spammers was spawned in September 2002 by Lawrence Lessig, an Internet visionary and professor at Stanford Law School. In an op-ed piece, Lessig suggested that spam would abate if the government required spammers to tag their messages as such and forced spammers who don't label their junk email to pay $10,000 to the first recipient who finds them.

  "If we deputized the tens of thousands of qualified people out there who are able to hunt offenders, then a large number of offenders would be identified and caught," he wrote.

  Lessig believed so strongly in the concept that he staked his job on it. In January 2003, he publicly stated that he would resign his position at Stanford if a spam-bounty system became federal law and did not substantially reduce the level of spam.

  Lessig's stunt worked. Lawmakers slipped the bounty provision into CAN-SPAM at the eleventh hour. With the passage of the bill, capturing a spammer's hide had become a potentially lucrative pastime. Yet few anti-spammers rejoiced at the opportunity. Steve Linford pointed out to journalists that Spamhaus and other organizations already had plenty of information about spammers. The problem, he said, was getting prosecutors to act on it.

  Shiksaa didn't give much thought to the prospect of a career as a spam bounty hunter. She had never been driven by financial motives. Instead, she believed that her online activism would be its own reward. Yet as Shiksaa entered her fifth year of spam fighting in 2004, she resolved it would be her last.

  Shiksaa would never admit it to the spammers, but the events of the past nine months made it clear she was locked in a losing battle. For all her efforts, the spam problem was getting worse, and it was messing up her life in the process. Back when she was getting started, Shiksaa had thought spammers were simply misguided people who would respond to reason. Put a few on the right path, and the tide of spam would ebb. She knew better now. Spam had become organized online crime. The spammers operated in little cartels, with their private spammer forums and closed mailing lists. They knew what they were doing was unethical, but they were too arrogant and antisocial to care.

  And some, like Richter, were also savvy enough to give CAN-SPAM—and maybe even the New York and Microsoft lawsuits—the slip. In essence, CAN-SPAM was a truth-in-sending law; it removed spammers' ability to lie about who sent their email. As such, it would create few problems for Richter, who relied much less on anonymity than other spam kings. As Shiksaa saw it, Richter's business was built around a simple premise. Millions of people on his lists were too busy or too computer illiterate to unsubscribe from—let alone complain about—spam. Richter had built his wealth on the small percentage of people gullible enough to buy whatever junk he was offering.

  Shiksaa certainly didn't owe Scott Richter any favors. But in January 2004, Richter's dad asked her whether she'd sign an affidavit regarding Dustin Parker, the young computer expert who had deserted OptInRealBig.com LLC. Steve Richter wanted her to testify in writing that Parker had provided her with proprietary company information. He said it was necessary to his son's lawsuit against the former employees.

  Shiksaa replied that Parker had merely given her instant-message logs. But she agreed to sign an affidavit to that effect.

  "I'm not doing this for him or for you," she told Steve Richter. "I'm doing it because it's the right thing to do."[4]

  As the year 2004 unfolded, Shiksaa kept a much lower profile. She avoided heated confrontations with Richter and other spammers over AIM. She couldn't give up on Nanae altogether, but she went long stretches in "lurk-only" mode, reading but not contributing to the discussion. She continued to hang out on #Lart, the Internet relay chat channel popular with her close anti-spam associates. But spam was no longer a crusade. She had certainly lost the desire to poke spammers with a sharp stick just to see how they'd react.

 
