
Preventing False Spam Reports


WisTex


I am glad that SpamCop has a policy against people reporting e-mail as spam when it isn't.

http://www.spamcop.net/fom-serve/cache/167.html

You may want to also mention that it is illegal as well. Filing a false report with SpamCop is not only counterproductive to SpamCop's efforts and against SpamCop's policies, it is also against the law. Filing a false report is considered libel and carries a possible fine and imprisonment if convicted.

Let's put spammers away and prevent spammers from using SpamCop against legitimate mailers.


I am glad that SpamCop has a policy against people reporting e-mail as spam when it isn't.

http://www.spamcop.net/fom-serve/cache/167.html

You may want to also mention that it is illegal as well.  Filing a false report with SpamCop is not only counterproductive to SpamCop's efforts and against SpamCop's policies, it is also against the law.  Filing a false report is considered libel and carries a possible fine and imprisonment if convicted. 

Let's put spammers away and prevent spammers from using SpamCop against legitimate mailers.

Where did you come up with the notion that libel is a criminal offense punishable by fine and/or imprisonment? Maybe it is in "foreign" countries, but not in the U.S. and (AFAIK) not in the UK. It is a civil tort, not a crime.


Where did you come up with the notion that libel is a criminal offense punishable by fine and/or imprisonment? Maybe it is in "foreign" countries, but not in the U.S. and (AFAIK) not in the UK. It is a civil tort, not a crime.


Because in some circumstances it is. I looked it up to make sure of the law. In Texas, for example, it is a criminal offense to libel a state trust company or bank or to blacklist or cause to be blacklisted a terminated employee with the intention of preventing them from engaging in or securing employment. Libeling a bank or trust company is a state jail felony, actually, while blacklisting carries a fine and/or imprisonment. In Texas, it would be a tort in all other cases, however.

http://www.capitol.state.tx.us/statutes/index.htm

Remember, it depends on the state. Libel and slander are actually against state law, and laws differ from state to state. Whether civil or criminal, you could still sue and it is still against state law in the United States and against most other countries' laws as well.

Maybe it would be better to simply state that it is against the law (which it is) instead of stating that there is a fine or imprisonment, as that would depend on the jurisdiction.

Another thing to consider is that even if it is not a criminal offense under libel law in most states, it may be a criminal offense under other state laws.

For example, Georgia's computer abuse statute makes illegal the use of a computer with the intention of "obstructing, interrupting, or in any way interfering with the use of a computer program or data; or altering, damaging, or in any way causing the malfunction of a computer, computer network or computer program" regardless of how long the alteration, damage or malfunction persists.
http://www.gigalaw.com/articles/2003-all/h...003-07-all.html

Submitting a false report to SpamCop.net would definitely be a criminal offense under Georgia law as it "obstructs, interrupts, and interferes with the use of a computer program or data" by preventing the innocent victim from sending e-mail.

Many other states have passed similar laws. That means that it IS a crime to submit a false report in many states and countries, and since you wish to deter false reports yourself, you may want to mention that it is illegal in some jurisdictions. That would do two (2) things for you.

  1. It would deter false reports which are counterproductive to the purpose of SpamCop.net and are against SpamCop.net rules.
  2. By informing people who make reports that in some jurisdictions it is illegal to submit a false report, you are transferring the legal liability to the person submitting the report. If you were ever sued yourself under one of these laws (such as the Georgia law), you could use that in your defense.

It would probably be worth mentioning it just to protect yourself from lawsuits concerning illegally "obstructing, interrupting, or in any way interfering with the use of a computer program or data." You provide a much needed service and it would be best to protect yourself legally by deterring false reports as much as you can.

Maybe you could say something like this:

"Submitting a false report is illegal in many jurisdictions, and you may be subject to criminal or civil liability by doing so."

Or something similar.


Submitting a false report to SpamCop.net would definitely be a criminal offense under Georgia law as it "obstructs, interrupts, and interferes with the use of a computer program or data" by preventing the innocent victim from sending e-mail.

You've totally mangled the whole scenario, sorry. Ignoring even the "false" word (just a red herring at this point) ... what you describe is not how the SpamCop reporting system or the BL work. There is no "contact" with an e-mail sending user's computer, there isn't even the possibility of "preventing ... sending e-mail" (which first of all is not guaranteed by any ISP that I know of) ... e-mail sent may be blocked by the receiving ISP for any reason at all .. even the lousy CAN-spam Act allows this to happen.


"Obstructing, interrupting, or in any way interfering with the use of a computer program or data" means in any way. That would include submitting false reports that would result in them being blacklisted that would result in ISPs blocking them if the person's intent was to get the ISPs to block an innocent party.


IMHO, this is not a very productive argument. It is not very easy to deliberately send false reports about a particular person and get them on the blocklist. It would have to be a deliberate attempt to blacklist a particular IP address - and not many people want to do that. It would only be effective if the IP address was a whitehat. In that case, they would probably catch the first reports and the reporter would be stopped. If it were a blackhat ISP, there would be enough legitimate reports that it would not be an issue.

Anything is possible in this litigious society. Have you read some of the ridiculous warnings on products? Like the windshield sunscreen that warns not to drive with it installed?

IANAL, but apparently, 'my server, my rules' is upheld which means that there can be frivolous reasons to block email. If the law you quoted applied to the receiving end, all content filters (which are the primary defense against spam) would be illegal since they are even more susceptible to 'false positives' and thus 'interrupt' legitimate use.

Miss Betsy


True, but I am not talking about suing the ISPs, but suing the person who maliciously filed false complaints. Big difference.

You say it is not easy to deliberately send false reports, but I would think it would be very easy. Simply paste the real header from an e-mail you received from the victim, and paste spam as the body. Voilà, instant fake spam with real headers. Or worse, sending out thousands of spam with forged headers that point to the victim, using real headers they pasted from a real e-mail. The victim gets thousands of spam complaints for spam they didn't send, in addition they get blacklisted for forged spam they didn't send, all the while everyone assumes they are guilty until proven innocent, and even then.... The lost sales, lost reputation, overloaded servers....

I have read about it happening many times. And typically people are so filled with hate for spammers that they can't even see the facts for what they are and don't even want to find out the facts.

As a result the innocent get stepped on.


Or worse, sending out thousands of spam with forged headers that point to the victim, using real headers they pasted from a real e-mail. The victim gets thousands of spam complaints for spam they didn't send, in addition they get blacklisted for forged spam they didn't send, all the while everyone assumes they are guilty until proven innocent,

I know that spammers do use forged headers, but I thought that the originating header could not be forged. Nobody (except totally clueless people) pays any attention to forged return paths. As I said, I am not technically fluent, but IIUC the process even using a real email header pasted into another email would not disguise where the email really came from to anyone who was running a blocklist and they would recognize that the pasted headers were not real.

Miss Betsy


You say it is not easy to deliberately send false reports, but I would think it would be very easy.  Simply paste the real header from an e-mail you received from the victim, and paste spam as the body.  Voilà, instant fake spam with real headers.


Which could easily be refuted by the ISP's logs unless the size of the spam happens to match the size of the original message. Spamcop also reprimands, fines or revokes privileges for people found to be doing this (and much less).

Or worse, sending out thousands of spam with forged headers that point to the victim, using real headers they pasted from a real e-mail.  The victim gets thousands of spam complaints for spam they didn't send, in addition they get blacklisted for forged spam they didn't send, all the while everyone assumes they are guilty until proven innocent, and even then....  The lost sales, lost reputation, overloaded servers....


Spamcop and any knowledgeable tracker would report the real source because the chain would be broken. Unless you controlled the server which is the MX for the receiving accounts, anything beyond that would be questionable (why did this server accept this message?).

I have read about it happening many times.  And typically people are so filled with hate for spammers that they can't even see the facts for what they are and don't even want to find out the facts.


I think you have misunderstood what you read or the source was incorrect as to what was really happening. Mistakes are made, but spamcop is continuously updating the code to deal with new attempts at circumventing the system.

Many times in here we see someone spout off about something, and if they stick around long enough to listen and work through the issues, the real reason is found.
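The chain-of-custody reasoning in the reply above (trust only the Received lines your own servers wrote, and treat everything beneath the first outside handoff as unverifiable), as an added Python illustration that is not part of the original thread and is not SpamCop's code. The host names, IP addresses and both sample messages are constructed, using documentation address ranges.

```python
import re
from email import message_from_string

# Assumption: the mail hosts the receiver operates. Only Received lines
# written by these hosts are trusted.
TRUSTED_HOSTS = {"mx.example.net", "inbound-relay.example.net"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.11"}

# "from <helo> (<rdns> [<ip>]) by <host> ..." once folding whitespace is collapsed.
HOP_RE = re.compile(
    r"from (?P<helo>\S+) \([^)]*\[(?P<ip>[0-9A-Fa-f.:]+)\][^)]*\) by (?P<by>\S+)"
)

# Constructed sample: the bottom Received line is pasted from a genuine mail of
# the victim; the two above it were written by the receiver's own servers.
JOE_JOB = """\
Received: from inbound-relay.example.net (inbound-relay.example.net [192.0.2.11])
    by mx.example.net with ESMTP id A1; Sat, 1 Jan 2005 10:00:02 +0000
Received: from mail.victim.example (unknown [198.51.100.77])
    by inbound-relay.example.net with SMTP id A0; Sat, 1 Jan 2005 10:00:01 +0000
Received: from workstation (dsl-pool.victim.example [203.0.113.5])
    by mail.victim.example with ESMTP id FAKE; Sat, 1 Jan 2005 09:59:00 +0000
From: sales@victim.example
Subject: constructed sample

body
"""

# Constructed sample: pasted headers only, with no line written by a trusted host.
PASTED_ONLY = """\
Received: from workstation (dsl-pool.victim.example [203.0.113.5])
    by mail.victim.example with ESMTP id FAKE; Sat, 1 Jan 2005 09:59:00 +0000
From: sales@victim.example
Subject: constructed sample

body
"""


def parse_received(value):
    """Return helo, ip and by-host of one Received header, or None if unparsable."""
    match = HOP_RE.search(" ".join(value.split()))
    return match.groupdict() if match else None


def trace_source(raw_message):
    """Walk Received lines newest-first and stop at the first outside handoff."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        # A line we cannot parse, or one not written by our own hosts, breaks
        # the chain: nothing from here down can be attributed to anyone.
        if hop is None or hop["by"].lower() not in TRUSTED_HOSTS:
            return {"source_ip": None, "claimed_helo": None, "unverified": hops[i:]}
        # Internal relay between our own servers: keep walking down.
        if hop["ip"] in TRUSTED_IPS:
            continue
        # Our server recorded the connecting IP itself. The HELO name and every
        # line below were supplied by the sender and are only claims.
        return {
            "source_ip": hop["ip"],
            "claimed_helo": hop["helo"],
            "unverified": hops[i + 1:],
        }
    return {"source_ip": None, "claimed_helo": None, "unverified": []}


if __name__ == "__main__":
    result = trace_source(JOE_JOB)
    print("attributable source:", result["source_ip"])
    print("HELO claimed by that source:", result["claimed_helo"])
    for hop in result["unverified"]:
        print("unverified claim:", hop["ip"], "->", hop["by"])
    print("pasted headers only:", trace_source(PASTED_ONLY)["source_ip"])
```
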


It sounds to me like a totally paranoid scenario. People that contribute to this forum are serious about tracking and reporting spam. This is confirmed every time we report spam that is already on the block list.

Most of us get such an overwhelming amount of real spam to report, that scenario is highly unlikely and would be self defeating to any paying member here.


It may sound like a paranoid scenario to you, but with other anti-spam organizations that do not verify or check complaints thoroughly, it is very easy to get someone banned who doesn't deserve to be banned. I have seen it happen and have read about it many times. In fact, the sort of attack I described is common enough to have a name, which I can't recall at the moment. I think it's called a "Joe Job" or something like that. Often the attack is done by a spammer or con-artist who is upset with a company or ISP for enforcing their anti-spam policy or for enforcing the company's code-of-conduct or other rules. Since the spammer was banned by the company or ISP, they in turn try to get the company or ISP banned and overwhelmed by complaints.

It sounds like you are more responsible than some of the anti-spam organizations out there. Some of them ban IPs without the slightest reason (e.g. they are in the same IP range as a spammer, but spam has never been sent from that IP address ever), and you have to pay to get off, even if you are innocent and have proof that you didn't send any spam, and they admit that spam was never sent from your IP, and third parties document that spam was never sent from that IP.

We had to change ISPs once because our IP address was blacklisted simply because it was within a certain range of IP addresses belonging to the ISP we used. One entity blacklisting us even admitted they had no proof we sent any spam and had zero (0) complaints against us or our IP address but refused to unblacklist us anyway. Another entity demanded money from us to be unblacklisted, even though we sent no spam. It cost us thousands of dollars and a ton of man-hours to move everything over to another ISP. It's organizations like those who make enemies of legitimate businesses who don't spam.

I don't mind targeting the spammers. I hate spam. It just pisses me off when innocent people are harmed by overzealous people. I've seen it happen many times, and it has personally cost me thousands of dollars, punished for a crime I did not commit.

Some anti-spam organizations' tactics amount to the equivalent of: there are gang members in the ghetto, so let's arrest everyone in the ghetto. It sounds like your organization actually cares about justice, which is rare, unfortunately.


I don't mind targeting the spammers. I hate spam. It just pisses me off when innocent people are harmed by overzealous people. I've seen it happen many times, and it has personally cost me thousands of dollars, punished for a crime I did not commit.

I am not defending SPEWS tactics of including non-spammers in their blocklists. However, my contention is that, at this point on the internet, there are no 'innocent' people - only ignorant people. In the real world, if a businessman doesn't pay attention to the zoning board requests, he can get into trouble if he is running a family business and a strip joint opens up next door. It can cost him thousands of dollars to relocate or his business drops off. Another scenario is the opening or closing of a Walmart in a small town. Innocent business owners have no control over the problems arising from that situation, but may have to relocate or spend money in order to survive. And, for the record, my sympathies are with the small business owner and those who have suffered because of the lack of netiquette on the internet.

In general, unfair tactics such as "Joe Jobs" and DOS attacks are problems that are recognized by on-the-ball ISPs who will work with victims to stop the problem or to alleviate it.

The only way to control spam is to control the sending end. In order to control the sending end, all the users of an ISP need to know that the ISP is not acting in a responsible or competent way about spam and so cannot provide reliable service. All users of the internet are responsible for using an ISP who does not allow spammers to operate or they are part of the spam problem.

As consumers, if there were enough consumer education, end users could demand competent service from their ISP - and the spam problem would be solved (you could have joined with other innocent customers and demanded that the present ISP provided you with 'clean' IP addresses, for instance, rather than moving - just as tenants will demand that landlords provide essential services).

And what about the innocent domain owners who no longer can use their domains because of the onslaught of spam? Who should suffer from spam? Those who can control it by their selection of ISP? Or those who have no control because they are on the receiving end?

Miss Betsy


You are implying that we did something wrong by not having proper netiquette. Not true. We were blocked simply because the whole range of IP addresses were blocked. We had nothing to do with it other than finding out months later when customers complained they were not getting our e-mails. We never sent out an improper e-mail and never had any complaints against us.

And with all the information out there, how is every single business supposed to know there are hundreds of blackhole lists out there and whether or not they are on one? And most of them are not responsive and don't care that their lists have false information in them, as we found out.

They had the same problem with Credit Bureaus not being responsive to consumers who had incorrect information on their credit reports, which caused people to be denied credit, denied jobs and denied housing without just cause. So the government passed laws that require Credit Bureaus to fix any incorrect information about an individual or business or face stiff fines. They also passed a law stating that all consumers have a right to a free credit report. The reason why they did this was to protect innocent people from false information on their credit reports.

Using your logic, it is okay for credit bureaus to maintain false information on someone just because it protects people and businesses from people who have bad credit. Furthermore you are saying that it's excusable to deny someone credit because their social security number happens to be similar to someone who has bad credit or because they happen to live in the same neighborhood as someone with bad credit or happen to be the same race. The courts have found this to be unfair.

Let's get real. Credit Bureaus and organizations like SpamCop.net provide much needed services, but they also must be accountable for their actions as well and should avoid including innocent people in their blacklists. Excusing blacklisting innocent people is like excusing credit bureaus from correcting errors on credit reports.


I am not defending SPEWS tactics of including non-spammers in their blocklists.  However, my contention is that, at this point on the internet, there are no 'innocent' people - only ignorant people [emphasis by Steve T].
You are implying that we did something wrong by not having proper netiquette.<snip>


...You seem to me to have misread Miss Betsy's post. Please note the text I bolded -- I believe that is what she is saying, not that you did something wrong (since you, in fact, left the irresponsible ISP).

You are implying that we did something wrong by not having proper netiquette.<snip>


...You seem to me to have misread Miss Betsy's post. Please note the text I bolded -- I believe that is what she is saying, not that you did something wrong (since you, in fact, left the irresponsible ISP).


We shouldn't have to. That's like asking someone to move out of a neighborhood because their neighbors are bad. We chose to move and it cost us thousands of dollars to do so. Is that fair? No. What about the people who don't have the time or money to make a major move like we did? You are assuming that changing ISPs is that simple, but it is not when you have your own server and dedicated IP addresses and programs and multiple websites, etc.

I personally hope that Congress passes a law regulating spam Blacklists as they do Credit Bureaus, requiring them to be responsive to the people they serve, and requiring them to remove false information in their files and requiring that IP addresses have complaints against them before blacklisting them. We had a dedicated IP address with no complaints. It wasn't like we were sharing IPs with someone who was spamming. Our IP was banned since the entire ISP was banned. Not fair at all. Who is going to pay us the thousands of dollars it cost us? Who?


<snip>

Who is going to pay us the thousands of dollars it cost us? Who?


...Whose action or failure to act is the most direct cause of the damage to you? IMHO, it is the ISP you had to flee -- they did not provide you the service you contracted with them to provide because they (apparently) failed to take the actions required to keep your IP address off the list.

You are implying that we did something wrong by not having proper netiquette.  Not true.  We were blocked simply because the whole range of IP addresses were blocked.  We had nothing to do with it other than finding out months later when customers complained they were not getting our e-mails.  We never sent out an improper e-mail and never had any complaints against us. 

In the case of your apparent listing, your IP address was in a bad neighborhood where the provider likes taking the criminals' money more than cleaning up the neighborhood. Think of the provider as a slumlord. Would you place your business in a poorly maintained location with criminals living next door? Would you expect the same level of service from the city in that part of town? You can always move your business to a better neighborhood.

And with all the information out there, how is every single business supposed to know there are hundreds of blackhole lists out there and whether or not they are on one?  And most of them are not responsive and don't care that their lists have false information in them, as we found out.

Every single business that is using as its business model email, which is in no way guaranteed of delivery, had better have investigated this possibility or is destined to fail. There are MANY web sites out there (http://moensted.dk/spam/) to determine if you are on any blocklists. There are also many private blocklists not documented anywhere. Many of the blocklists are insignificant because of how little they are used. Since it is up to the receiving end to determine what they want to receive, it is their right to use any or all blocklists for whatever purpose they desire. I could block all of the .net domains if I so desired.

They had the same problem with Credit Bureaus not being responsive to consumers who had incorrect information on their credit reports, which caused people to be denied credit, denied jobs and denied housing without just cause.  So the government passed laws that require Credit Bureaus to fix any incorrect information about an individual or business or face stiff fines.  They also passed a law stating that all consumers have a right to a free credit report.  The reason why they did this was to protect innocent people from false information on their credit reports.

Using your logic, it is okay for credit bureaus to maintain false information on someone just because it protects people and businesses from people who have bad credit.  Furthermore you are saying that it's excusable to deny someone credit because their social security number happens to be similar to someone who has bad credit or because they happen to live in the same neighborhood as someone with bad credit or happen to be the same race.  The courts have found this to be unfair.

Blocklists are created for different reasons with different criteria to be added and removed. Blocklists that do not adhere to their own rules, become useless and little used. Spamcop is designed to stop a spamrun in progress. It adds quickly an IP address sending reported spam but also removes IP addresses that have stopped sending messages reported as spam. It has been found (by many administrators) to be effective at blocking spam while having minimal impact on real messages. Often it is used in conjunction with other lists.

Let's get real.  Credit Bureaus and organizations like SpamCop.net provide much needed services, but they also must be accountable for their actions as well and should avoid including innocent people in their blacklists.  Excusing blacklisting innocent people is like excusing credit bureaus from correcting errors on credit reports.


You have stated "We were blocked simply because the whole range of IP addresses were blocked". In this case, the blocklist was saying NOTHING about you. It was stating that this IP is owned by a provider that supports spammers. Its goal is to get the customers of providers that like spammers' money to complain to that provider to clean up their neighborhood. You were not innocent of that.

Any responsible administrator knows and understands that is what that list does and makes the decision on using the list for his own reasons. Again, an administrator could block all the .com domains, if he wished. It is his decision.


That's like asking someone to move out of a neighborhood because their neighbors are bad. We chose to move and it cost us thousands of dollars to do so. Is that fair? No. What about the people who don't have the time or money to make a major move like we did?


No, it's not fair. But whose fault is it that you're in the bad neighborhood? The people who call your neighborhood bad? Or the ones who make it bad? Or you for moving in? And when's the last time you remember 'good businesses' getting money to relocate from a bad neighborhood? They either: (a) made the bad business decision to move in, or (b) things were nice before, but stayed too long when things started going downhill.

In either case, they, as responsible business owners, must now take whatever action they need to in order to correct their situation. This may involve moving, at their own expense, but wouldn't justifiably involve suing the company that publishes crime statistics for the area.

Now, if that information was KNOWINGLY incorrect and deliberately intended to harm... maybe that could create liability (IANAL), but since the blocking action is not direct on SC's part, it wouldn't seem to be covered by those laws you mentioned. Any blocking action (strongly recommended against by SC) is taken by the ISPs. Maybe they could be liable under negligent use of potentially invalid information to block email. But then you get into the fact that the ISP is allowed to reject any email that it is not contractually obligated to accept. Any libel would be on the part of any deliberately false reporter, and would be an issue between those two parties, SC out of the mix. And I believe libel would require deliberate intent to defame. If SC needs any disclaimer, it's that SC denies liability in the use of its list. Oh, wait, that's right here: http://www.spamcop.net/fom-serve/cache/298.html

Think of the provider as a slumlord.  Would you place your business in a poorly maintained location with criminals living next door?  Would you expect the same level of service from the city in that part of town?


As before, no you wouldn't, but you could take the slumlord (ISP) to court for contractual breach, depending on the contract terms, assuming a rental or lease agreement (as would be the case with IP).

As a business owner, choice of real estate is your responsibility. If you build in the slums, you get what you deserve. If you failed to conduct diligent research on site location, and wind up in slums, or with hidden defects in the property, you get what you deserve. Lack of diligence up front incurs costs later on. Pay, or close up shop.


Other posters have pretty well covered all the bases in responding to your objections to my post.

There is nothing fair about it, you are correct. However, IP addresses are not the same as credit records. Credit records are tied to a specific person. One cannot buy or sell credit records as they can IP addresses. And credit records are not shared by many people as are many IP addresses. The landlord example is much closer to the reality. Or an offline carrier - would you hire a package carrier that brought 'free' packages crawling with bugs when they delivered your package? You are buying a service, not exercising a right, when you connect to the internet.

And it is particularly unfair to those who had the bad luck to choose a 'neighborhood' before spam became the big problem it is. However, probably, if you look at history, that sort of thing happens a lot to businesses. And, the solution is usually in the formation of tenant groups, guilds, unions, and other groups who work to counteract, or adapt to, the forces that are changing the rules. Rarely are those who want to go back to the 'old' way successful.

Miss Betsy


Now, if that information was KNOWINGLY incorrect and deliberately intended to harm... maybe that could create liability (IANAL), but since the blocking action is not direct on SC's part, it wouldn't seem to be covered by those laws you mentioned.  Any blocking action (strongly recommended against by SC) is taken by the ISPs.  Maybe they could be liable under negligent use of potentially invalid information to block email.  But then you get into the fact that the ISP is allowed to reject any email that it is not contractually obligated to accept.  Any libel would be on the part of any deliberately false reporter, and would be an issue between those two parties, SC out of the mix.  And I believe libel would require deliberate intent to defame.  If SC needs any disclaimer, it's that SC denies liability in the use of its list. Oh, wait, that's right here: http://www.spamcop.net/fom-serve/cache/298.html


My point exactly. The person knowingly and maliciously submitting a false report could be held liable. I never said SC should be held liable. I never said the ISP or company doesn't have a right to control what goes in and out of its network. I said knowingly and maliciously submitting a false report is illegal and could be prosecuted under libel laws as well as computer abuse laws.

I am not sure if I was clear about the malicious and knowing part when I explained it before. That is the part that would make the person reporting it liable, not the incorrect report itself.


Archived

This topic is now archived and is closed to further replies.
