JUNKBUSTERS on Spam at the FTC



2003 Workshop


The FTC held a major public workshop on Spam April 30-May 2, 2003. For details see our news page.

April 2003 Letter on junk email from consumer groups

[This letter was published April 28 for delivery to the FTC April 30.]

We, the undersigned groups, representing consumer interests, urge Congress to pass legislation to empower individuals to act against senders of Unsolicited Commercial Email (UCE). The leading bill currently before Congress, S.877 (CAN-SPAM Act of 2003) does not meet two requirements that we consider essential: an opt-in policy, and a private right of action.

Because spammers impose costs on recipients, the correct policy is to prohibit it, just as Congress prohibited junk faxes in the Telephone Consumer Protection Act of 1991 (TCPA). An acceptable alternative would be to enable network owners such as ISPs to post an electronic "No Spamming" sign, as was done in the 106th Congress's H.R. 3113, which passed the House. An opt-out policy, which is taken in S. 877, will not significantly reduce the widespread damage to consumers' interests and confidence.

The second essential requirement is that recipients of UCE have a private right of action. Liquidated damages of $500, as in the TCPA, are appropriate. ISPs should also have a right of action, but leaving enforcement solely to them, or state or federal regulators would leave far too many spammers breaking the law.

Beyond these fundamental requirements are numerous details, including a narrow exemption for existing business relationships such as the one that the Federal Trade Commission (FTC) arrived at in their Telemarketing Sales Rule this year.

The definition of a solicitation should be carefully limited to avoid any impact on non-commercial speech, such as speech about religion or politics. Measures against typical spammer tactics such as the falsification of return addresses and other headers are desirable but not sufficient.

We urge members of Congress to pass anti-spam legislation with an opt-in policy and a private right of action. We also ask the FTC to recommend and support such legislation.

Respectfully

Jason Catlett, President, Junkbusters Corp.
Jeff Chester, Executive Director, Center for Digital Democracy
Tom Geller, Secretary, SpamCon Foundation
Beth Givens, Director, Privacy Rights Clearing House
Ken McEldowney, Executive Director, Consumer Action
Scott Hazen Mueller, Chairman, CAUCE.org (Coalition Against Unsolicited Commercial Email)
Chris Murray, Legislative Counsel, Consumers Union
Gary Ruskin, Executive Director, Commercial Alert



1997: Unsolicited Commercial E-mail: Overview


The Federal Trade Commission's hearing was attended by perhaps 100 people and was covered by the Wall Street Journal, USA Today, CNN and many other major media organizations. Wired News dubbed it a Spam Roast. AP and CNN promptly ran a story titled Feds to crack down on junk e-mail fraud.

This panel began at approximately 9am on Thursday 12 June, 1997.

This transcript has not been checked against the official one provided by the court reporter, so it should be treated as provisional.

The participants in order of speaking were:

Medine: Federal Trade Commission Attorney David Medine (Chair)
Catlett: Junkbusters Corp. CEO Jason Catlett
Varney: Federal Trade Commissioner Christine Varney
Wallace: Sanford Wallace, President of Cyber Promotions, Inc.

Profiles of the speakers and other background information are available from democracy.net, including a RealAudio file.

Medine: Good morning and welcome to the third day of FTC's privacy week and the last session on consumers' online privacy. This afternoon we'll turn to the very important topic of children's online privacy. I want to mention that this morning's session on unsolicited commercial email is being cybercast on democracy.net, and listeners on democracy.net who wish to submit comments for the public record may do so at www.democracy.net. And so we have an interactive session going on as we speak.

Again, this morning we're going to be focusing on the subject of unsolicited email, and we're going to do that in three panels. The first will focus on really what the practice is all about, how it takes place. The second panel will discuss what are the economic benefits and costs to the practice, and the third will discuss what controls, if any, are appropriate in addressing the practice.

Jason Catlett, who is the CEO and founder of Junkbusters, who was with us yesterday has agreed to come back again and give us a bit of education about unsolicited email. So I'll turn it over to Jason.

Catlett: Thank you David. I'm honored that the commission staff have asked Junkbusters to present some examples of spam and to say a little bit about how spam factories work.

Junk email probably causes more anger than any other issue on the Internet. However I think it's worth trying to at least start with a dispassionate and rational examination of what spam is. We should maybe even allow ourselves a little humor while discussing this serious and important topic, because even spam can have its funny side, in small quantities. In bulk of course it can cause substantial injury.

First, I'd like to ask how many people here have received at least one piece of junk email in their lives? [maybe 70%] How many have received at least 10? [maybe 60%] At least 100? [maybe 40%] So there's still a substantial number. 1000? [maybe 15%] Still a few hands. Anyone more than 10,000 pieces of junk email? Still one. 100,000? [no hands remained up] Well, we have something to be grateful for.

People who never received junk email before are often kind of disappointed by their first piece: they've heard all these terrible things about junk email, and when they actually see some, it strikes them as pathetic and mundane. It's kind of like reading about Moses and the plague of locusts in the book of Exodus and then seeing a single dead grasshopper. Well, there's a big difference between one insect and a swarm of millions of them descending on your backyard.

Now Junkbusters has a sizeable collection of junk email in its forensic lab, but I was reluctant to present real examples before the Commission because we don't like to single out any individual for doing what has become a common practice. So what I've done here is to put together a composite of parts taken from dozens of different pieces of real spam, rather like an Identikit portrait or an idealized botanical drawing. The result might look to novices like a parody, but really everything I'll show today is fairly ordinary and representative of the kind of spam flying around the Internet as we speak. Not all junk email looks like this, but much of it does.

Something you learn after reading a few hundred pieces of spam is that they come in various types: the amateur's junk is a very different species from what a spam factory produces, as different as a grasshopper and a cicada. The amateur's spam is much easier to exterminate than the professional's, so I've put together idealized specimens of each. Let's dissect them.

For those of you listening on the Web broadcast, you can find these specimens at http://www.junkbusters.com/spams.html [spelled].

Return-Path: POPmail
Received: from dub-img-4.compuserve.com (dub-img-4.compuserve.com [149.174.254.134]) by mail.junkbusters.com (8.7.4/8.7.3) with SMTP id RAA29711 for <service@junkbusters.com>; Wed, 30 Apr 1997 17:15:59 -0400 (EDT)
Received: by dub-img-4.compuserve.com (8.6.10/5.950515)
id RAA22677; Wed, 30 Apr 1997 17:00:47 -0400
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <199704301636_MC2-15C7-7A19@compuserve.com>
From: 104593.912@compuserve.com
Subject: YOUR OWN BUSINESS FOR UNDER $30!!!!
Date: Tue, 27 May 1997 00:58:16 +0000
To: service@junkbusters.com

Dear Friend...

Forgive the intrusion, but I am compeled to tell you how to make a lot
of money.  Haven't you ever thought "I wish I could find a way to make
money with my computer and my internet connection"?  Well you can! It's
very easy, costs peanuts to participate in, and you can make $50,000 or
more in less than 90 days within the comfort of your own home.

MULTI-LEVEL MARKETING (MLM) has reached respectability.  It is being
taught in Harvard Business Schools, and both Stanford Research and the
Wall Street Journal have stated that between 50% and 60% of all goods and
services will be sold through multi-level methods by the mid to late 1990's.

[Pitch abridged. Most spam is a few hundred words, sometimes several thousand.]

Send checks (US funds only) to

NOTASCAM INC., P.O.BOX 534, Nottingham MD 20753
Ph:289-555-8477 fax:289-555-8535

For more information hit Reply and put "MLM" in the subject -
put you phone/fax/name in the body of the email - and we will contact you
with all the details ASAP!!

This is a special offer.  You are not on any mailing
list, so there is no need to reply to be removed.

GOD BLESS !!!

This spam basically says, "Forgive the intrusion, but I am compelled to tell you how to make a lot of money" and goes on with some multilevel marketing scheme.

The first thing that we notice about it is its truly awful sales pitch. It's marginally literate, it's riddled with spelling errors, it's made up of patently false claims that are thrown together in an incoherent presentation that nobody able to read would seem likely to fall for.

Second, contrary to the end where the spammer tells us "you are not on any mailing list so there's no need to ask to be deleted" the recipient obviously is on a mailing list because he's received the spam. The spammer simply hasn't bothered to come up with an address where requests to remove from the list can be sent.

The body text of the email already suggests that the spammer is a novice, but what confirms this is the header information, most of which isn't displayed by email readers unless specifically requested.

The "From", "Received" and "Message-ID" headers are consistently indicating here that the spammer is sending email from a Compuserve account, and is asking for responses back to that Compuserve address. These amateurs are easy to deal with: you simply send email to postmaster or sometimes an account called "abuse" at the company (in this case, Compuserve) and they take care of it. Almost all the major online service companies have strict policies against spamming, and are pretty vigilant in terminating accounts that violate their terms of service. An angry recipient could also reply to the spammer directly, and many do.

The good news is that most of these small-time spammers don't keep it up for long. The bad news is that they are being born in increasing numbers, so as many more people get on the Internet and more people get the impression that what spam promoters euphemistically call "Bulk Commercial Email" is a legitimate marketing tool. These small time spammers are never going to use any "remove list" or "Email Preference Service" from anywhere.

The really bad news is most spammers that do survive do so by learning to cover their tracks. Or, they get software or a spam factory to do this for them. Let's look at a specimen from one of these electronic mills.

Return-Path: <chokeonthis@postmasters.comm>
(Smail3.1.29.1 #3) id m0wKa7j-002ixFC; Thu, 24 Apr 97 21:48 EDT
Received: by kcig1.bogus.com (SMI-8.6/EMS-1.2 sol2)
id UAA00038; Thu, 24 Apr 1997 20:41:19 -0500
Received: from "Virtual-Napalm" - Details at http://www.virtualpollution.com
Message-Id: <199704250106.VAA18213@spamcentral.net>
Comments: Authenticated sender is <would-we-lie@this-point.dom>
X-S1: You received email from this server, but it was not created by
X-S2: Virtual Pollution, Inc.  This server just relays mail from other sources.
X-S3: For abuse, please send email to abuse@virtualpollution.com
X-S4: The most hassle-free way to remove yourself from a mailing list is to
X-S5: hit reply and type "remove" in the subject field or message body.
X-S6: The mail from this server bears no relationship to and is not affiliated
X-S7: with Virtual Pollution Inc.'s send and remove lists.  If you want to
X-S8: filter unsolicited commercial email, check out Pro Tech Shun/Rack-It (TM)
X-S9: for Windows for only $49.95! Details at http://www.virtualpollution.com
X-S10: IF YOU RECEIVE ADULT-ORIENTED MATERIAL THROUGH THIS SERVER
X-S11: PLEASE INFORM VIRTUAL POLLUTION INC. ASAP AT 1-289-555-2430.
Content-Type: text

From: patsy@cyberspacebar.comm
To: patsy@cyberspacebar.comm
Subject: don't ISPs just make you mad?
Date: Thu, 24 Apr 1997 21:06:32 -0400 (EDT)

FED UP WITH ISPS AND SLOW SERVERS BLOCKING YOUR SUPERHIGHWAY TO PROFITS?
WELL START SENDING YOUR BULK E-MAIL AT up to 300,000 + MESSAGES / HOUR

+ONLY "ONE" DIAL-UP ACCOUNT NEEDED.

+NO MORE ACCOUNTS OR DIAL UP CONNECTIONS TERMINATED BY TYRANNICAL ISPS.

+NO MORE WAITING TO SEND HUGE VOLUMES OF EMAIL.

GET OUR ALL NEW "AK-47" BULK EMAIL SOFTWARE - FAST, POWERFUL AND EFFECTIVE

+So easy to use! Just push a few keys and watch the fun!

+Add's a Fake Authenticated Sender to the Header.

+Forges the Header - Message ID - Received From / Received By line
as a "red herring" -  Watch ISP's writhe and suffer, unable to track you!

SPECIAL BONUS!!!!!! 

ORDER TODAY AND WE'LL INCLUDE 300,000 FRESH EMAIL ADDRESSES !!! (a $99 value)
PLUS YOU GET AN E-COUPON FOR OUR *CONSUM'R-HARVEST'R* (TM) SOFTWARE THAT
GRABS EMAIL ADDRESSES FROM WEB PAGES AND USENET DISCUSSION GROUPS!
THEY PUT UP THEIR EMAIL ADDRESSES IN PUBLIC, SO THEY'RE ASKING FOR YOUR UCE!
AND IF THEY DON'T LIKE IT THEY CAN GET OFF THE INTERNET.

Bulk Email works!!

People read their email fast so you get instant responses.
Email stays in their mailboxes until it is read!

Don't be fooled by those who advertise "Targeted Addresses".  The truth is,
its a numbers game.  The more you mail out, The bigger the response will be.
The average response we've experience is 1%.  From a 25,000 mail out
thats 250 responses.

[pitch abridged]

Send your check today!

To remove your email address from lists, send an e-mail to:
displacement@sham.com and type "remove" in the subject.

As a general rule you can believe exactly nothing that you read in spam, but some of the statements in this one are true, such as the claim that spamming is a numbers game. Most spammers don't bother to try to remove even undeliverable addresses from their lists, because the cost to them of sending an additional piece of email is such a minute fraction of a cent that it doesn't justify the slightest effort.

Another practice that's referred to in the slide coming up now, number two, is the practice of what's euphemistically called "harvesting" of email addresses. It's a euphemism because harvesting implies the harvester planted some seed and owns the land, which is simply untrue here. Junkbusters uses the term "scavenging" instead. Where do they get these addresses? They get them from Usenet groups, chat rooms, user directories, and in certain circumstances a web site can determine the email address of a visitor to that site without their knowledge, although this is possible only in a small percentage of cases.

Another true statement in this spam is the fact that ISPs try to cut off spammers, and spam factories also are run from Internet connection to Internet connection. In recent months, a few major companies have announced policies which are tolerant or favorable toward spam, and I hope that we'll hear from them today. Many spam factories surreptitiously [pass] spam to unsuspecting sites to deliver for them. Older versions of the mail delivery software will do this. In the early days of the Internet this was regarded as a helpful feature; now it's seen as a loophole for bandwidth thieves.

The subject title in this spam ("don't ISPs just make you mad?") doesn't give any strong indication that the message is junk, precisely because many people delete items of email that are obviously spam before even displaying the full text of the mail.

The body copy of this spam accurately explains what is going on in these headers. The sender has removed all real email addresses from the spam: the official-sounding "Authenticated-Sender" and even the address of the person it was delivered to are fake. This surprises many recipients. The From: and To: addresses are the same non-existent address - the domain .comm (with two ems) doesn't exist. A recipient that tried to reply to such an address in a normal manner will only get an automated reply called a "bounce" from some innocent ISP, usually their own, saying that the mail could not be delivered. This wastes time and effort by computers and this cost is not borne by the spammer.

The spammer's instructions for removal at the bottom also go to a non-existent address. Some spammers choose addresses that do exist but are unrelated to them; others actually maintain their own pseudo-remove addresses but simply use the results as an additional source of addresses to spam. There are some independently run list cleaning sites that do really seem to be working on certain high-volume spam factories, but most spammers will always ignore them.

Let's turn to the headers. The headers here contain a good deal of what's been called "spamouflage" - disinformation designed to placate or confuse the irate recipient and to thwart or weaken their efforts to stop the spam factory sending them more junk. Here at the bottom in caps, the spammer seems to be trying to wrap himself in some anti-pornography flag, making himself appear more legitimate. This spammer appears to be trying to move up the food chain, positioning himself as a carrier of other peoples' spam rather than a producer, thereby evading responsibility for the injury caused by the spam. For me, the most offensive part of this header information is the offer for a product to filter unsolicited commercial email, called here "Pro Tech Shun/Rack It (TM)."

Finally, I'd like to draw your attention to a kind of spam that doesn't exist yet, and that's unsolicited email from major marketing companies. We can only speculate on what this might look like, based on the Direct Marketing Association's guidelines, which now permit DMA members to send spam, even though none of them I'm aware of are currently doing so. A major company's spam would contain genuine instructions on how to request no further email be sent from that company, and also for all DMA members via their proposed e-MPS. The Subject heading would probably still stress opportunity, but by the end of the first paragraph there would be a clear indication that the email is a solicitation. The body of the text might address you by name, looked up from some commercial database, and it might refer to the web site where your email address was "harvested" - they'd probably not use the word "scavenged." The sales pitch would probably look much like much of the direct mail that you get in your physical mailbox, possibly without pictures but with more URLs.

This future I'm sketching might sound very similar to the physical present, but there's one very important economic difference: for each piece of physical direct mail you get, someone paid a dollar. For that dollar, the same sender can afford to send upwards of 10,000 pieces of spam.

So I conclude with a note of warning: junk email was a novelty two years ago. Today it's a big problem. Two years from now, it could easily be much, much worse. And that's why we're here today.

Medine: OK, thank you very much. A couple questions. One is what is the incentive, you talked about how the addresses and return addresses, are not accurate indications about where the mail comes from. Do you often wonder why there's such a great effort done to not put correct information there?

Catlett: Perhaps Sanford Wallace would like to answer that question.

Medine: We'll have a chance to discuss his views.

Catlett: My view is that they wish to avoid the inconvenience of people sending requests to remove their name from the list, or worse. Spammers do receive a lot of abusive mail, and they also seek to avoid that.

Medine: Is that called flaming?

Catlett: Yes, that's correct.

Medine: And is there any indication on this message or typical unsolicited email message that would actually lead you to the source or is it possible to totally obfuscate the source of the email?

Catlett: Typically the source is obfuscated, but there's usually a post office box address. There may simply be an 800 number. And people who provide integrated junk email services typically advertise themselves with the adjective "bulletproof," indicating that it's impossible to retaliate.

Medine: So there's nothing inherent about the way the Internet operates that would require something traceable in the delivery of the message?

Catlett: That would be extremely difficult to do. In some cases, for example, with the case that was very widely publicized, in 1996, a very large spam was sent out soliciting child pornography, and the FBI got hundreds of calls, and they went through an enormous effort to trace the source of the spam, and it turned out to be a hoax. So usually that can be done, but there's not that economic or other incentive to do so.

Varney: I have another question. Could you put the slide that says, "to remove, how do you remove yourself from the email list" please? OK, "to remove your email address from the list send an email to sham@displacement.com and type 'remove' in the subject." Is it your experience that the majority of unsolicited email has inaccurate removal instructions?

Catlett: Yes.

Varney: And then I guess I have a question for staff - isn't that fraud or deception under our existing authority?

Medine: Yes, I think that may well be.

Varney: Thank you. The same question, when you get an unsolicited email with a header that the sender has deliberately or intentionally routed through a server to lead you to believe that the email is coming from a known source or a trusted source? How much does that happen?

Catlett: That is common. There have been a number of suits, for example EarthLink and Compuserve, where spammers have been charged with this action and judges have found this to be trespass.

Varney: Do you have any evidence as to why the mailers do that?

Catlett: Covering their tracks, and also because they are so often denied access by legitimate ISPs they seek to insert their junk at points where they're not accountable.

Varney: And again, to staff, wouldn't we be able to ban that practice under deception and fraud authority?

Medine: And again, I think that's really something that may well fall under Section 5.

Varney: OK, thank you.

Medine: One practice apparently is to use return addresses on email of real entities but not those of the unsolicited emailer. What incentive for doing that as opposed to just making up a return address?

Catlett: Who can fathom the mind of a spammer? [coughs, laughter] Most of these people are not excellent in the areas of marketing or operations.

Varney: I think we should now hear from them.

Catlett: I think you'll get a better quality of spammer at this table than you will from the typical one at this time.

Medine: I guess that's high praise. All right, well thank you very much for that presentation. We'd now like to turn to our first panelist to give us a really good sense of how unsolicited email works and we're fortunate enough to have folks on the panel who know exactly how and can talk us through that.

I'd like to introduce Sanford Wallace, who is the president of Cyber Promotions and start with some basic questions, if you'd just walk us through how unsolicited email works as a practical matter. And by the way just for terminology's sake, are you comfortable with the term "spam" or do you prefer unsolicited email?

Wallace: Whatever you want to say, it's all right with me. [laughter]

Medine: OK, would you walk through what the technology, how are you able to send large quantities of messages, how are you able to get the addresses and so forth?

Wallace: OK, well, to answer your first question about how we're able to send email: we, like every other service provider on the Internet have invested hundreds of thousands of in equipment which gives us high speed access to the Internet from multiple backbones and the equipment necessary to send out and receive millions of pieces of email.

We have spent years of research and investment to make this technology available to us. The actual act of sending email, or unsolicited commercial email, is no different than sending any other type of email. We're essentially using the protocols that were defined years ago by the founders of the Internet and we're just using it in a commercial forum.

Medine: Let me just go along those lines. When I send email I actually compose it, and hit the send button and I get one email. How is it that you put the technology that lets you send a million emails or a hundred thousand emails?

Wallace: The technology already exists for anybody with an Internet connection to send out email to multiple recipients. All you have to do is use a standard program like Eudora, for instance, which is freeware which allows you to send hundreds and hundreds of different emails simultaneously because that's the way the protocol was designed. At Cyber Promotions we've invested in high speed equipment and we've written custom scripts and programs to allow us to send email to a large number of recipients at the same time. A lot of that is proprietary.

[transcript incomplete]


Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/spams.html