All told, there were 40,000 "fraudulent statements" in the messages, said Spitzer. Then
he announced his office's intent to sue the spammers $500 for each fraudulent statement, or
a total of twenty million dollars. The goal, he said, was to make other spammers realize
their business was unviable.
"We will drive them into bankruptcy, and therefore others will not come into the
marketplace to take their place," he promised.
When Microsoft's top lawyer Brad Smith took his turn at the podium, he announced the
company's intent to separately seek damages of eighteen million dollars from the
spammers.
"If these people have any money left after the New York Attorney General's lawsuit in
New York comes to a close, we will be happy to pursue the remainder," said Smith to laughter
from the press corps.
During the question-and-answer period that followed, Spitzer was asked whether
investigators had determined the profitability of the spammers' businesses. He responded
that Richter was "clearing several million dollars a month in profit," and that the damages
sought by Microsoft and New York would be "sufficient to wipe out whatever profit he has
made."
But one reporter wanted to know how a strong case could be built against Richter, since
OptInRealBig apparently had farmed out the spamming to Delta Seven. Spitzer assured the
media that prosecutors would be able to establish liability "up the chain of command...and
prove without a doubt that those, including Richter...are liable for the misbehavior of
those that actually stand there and push the buttons."
New York prosecutors also released 619 pages of exhibits gathered in support of the
complaint filed in New York Supreme Court. The evidence included dozens of email messages
between employees of Synergy6 and OptInRealBig. The emails showed Richter deeply involved in
the day-to-day operations of the Synergy6 spam campaign. In one exchange, Richter shrugged
off Synergy6's chief operating officer's concerns that Delta Seven's messages contained
forged header information.
"We send out ten-million-plus emails a day, and you on average send me two complaints
per day. I think one complaint per three million is real good," said Richter, apparently
unconcerned that the bogus headers in the messages made it extremely difficult for average
Internet users to determine to whom they should complain.
[
23
]
New York's exhibits also included hundreds of spam samples. The scores of sample spams
from Delta Seven included the characters "wsb," a special tracking code OptInRealBig had
assigned to Delta Seven. But none of the message headers contained IP addresses assigned to
networks directly operated by OptInRealBig.
After news outlets published an array of articles quoting Spitzer and Smith, Richter
belatedly responded with a press release about the lawsuits. The argumentative statement
bore little of the polish customarily found in corporate press releases on legal matters. It
described the lawsuit as "one of the worst orchestrated smear campaigns against legitimate
Internet business interests of recent times," and said prosecutors hadn't produced any
evidence linking OptInRealBig to the illegal spams.
"If there were 10,000 false and fraudulent emails sent by Optin, it would be good legal
practice if the Attorney General would see fit to attach at least one," read the statement.
It also criticized Spitzer's "reliance on Spamhaus" as "a fatal error, because Spamhaus is
an offshore, anonymous organization which has no legitimate connection with Internet
businesses in the United States." Richter's press release concluded by saying OptInRealBig
would vigorously defend itself in court and "prevail as one of the most legitimate Internet
marketing institutions in the United States."
Spam fighters reveled in the moment. The man they considered one of the most frustrating
spammers in the world had finally met his comeuppance. But nearly everyone, including
Shiksaa, was secretly worried about whether the charges against Richter would stick.
[
18
]
Based on the December 11, 2003, affidavit of Scott Richter in
OptInRealBig.com LLC
v.
Jeff Perreault et
al
.
[
19
]
Ibid.
[
20
]
Author interview with Susan Gunn, April 7, 2003.
[
21
]
Case docket on file with Denver County Court.
[
22
]
Shiksaa published the AOL Instant Messenger log of her December 17, 2003,
conversation with Richter at her AOL Hometown web page.
[
23
]
While not illegal at the time, none of the messages contained instructions on how to
opt out of future mailings. Recipients were forced to click a link labeled "Privacy
Policy," which would take them to a web page that contained, among other things,
information on how to unsubscribe.
"Welcome to the death of email, ladies and gentlemen. Would the last person to leave
email please turn out the lights?"
That's how a spam fighter greeted the Nanae crowd on the evening of November 22, 2003.
Earlier that day, the U.S. House of Representatives had overwhelmingly approved the
"Controlling the Assault of Non-Solicited Pornography and Marketing Act," otherwise known as
CAN-SPAM. The measure was expected to sail through the Senate and be signed into law by
President George W. Bush. After six years of failure, Washington was about to enact its
first federal anti-spam legislation.
So why the dire prediction on Nanae? Many anti-spammers felt the proposed law was in
fact legalizing junk emailâand, in the process, opening the floodgates to spam.
"I said years ago that government would only screw it up," wrote one spam fighter on
Nanae. "Will those who have been calling for Congress to do something, please stand up and
slap yourselves up side the head?"
CAN-SPAM had been hatched in April 2003 by Republican Senator Conrad Burns of Montana
and Oregon Democrat Ron Wyden. Their Senate bill, S.R. 877
, embraced an opt-out policy that put the burden on Internet users to
unsubscribe from spammers' lists. That was philosophically backward, according to the
Coalition Against Unsolicited Commercial Email. CAUCE and other consumer groups believed
that U.S. spam law should be based on an opt-in framework, with advertisers obligated to
obtain permission from consumers before sending email solicitations.
But the Senate unanimously passed S.R. 877 in October 2003, thanks in large part to
support from the Direct Marketing Association and several large ISPs, including America
Online and Microsoft. (Many anti-spammers speculated that the ISPs hoped CAN-SPAM
would enable them to more easily sell access to their subscribers by mainstream
marketers, otherwise known to spam opponents as "mainsleaze.") After being sent to the House
of Representatives, the measure gained a few amendments and was approved by the House 392â5
that November, leading one Nanae participant, only half in jest, to call for the
blacklisting of Congress's networks.
"I say, add SBL/Spews listings for the U.S. House and Senate servers, for 'spam
support,'" wrote the frustrated anti-spammer.
The passage of CAN-SPAM caught many anti-spammers by surprise, but not Spamhaus leader
Steve Linford. He'd been monitoring the bill's progress for months and considered it abysmal
compared to spam laws recently passed by Australia and some European countries. (In December
2003, a new opt-in spam law in the United Kingdom
would go into effect, prohibiting marketers from sending email ads to consumers
who hadn't requested to receive them.)
[
1
]
But when Linford jumped into the Nanae discussion of CAN-SPAM, he noted the bright spots
in the proposed U.S. law. For one thing, he said, law enforcement officials would appreciate
CAN-SPAM's criminal provisions. Linford pointed out that CAN-SPAM would outlaw the use of
spam "zombies" and proxy servers.
"Obviously it's not going to happen overnight, but fairly quickly in 2004 I would expect
that ... spammers will either emigrate to China, or do jail time for proxy spamming," said
Linford. Without legal access to proxies, he argued, spammers would be flushed out into the
open and forced to send their emails from their own networks. That would make them
susceptible to blacklists such as the SBL.
Other strong points in CAN-SPAM included a ban on collecting email addresses online
using automated harvesting tools. It also prohibited forging message headers, and it
required spammers to include a valid "From" address. The proposed law further specified that
spammers list a valid physical mailing address in their messages, as well as include a
working opt-out mechanism, such as a link to a web page for easy unsubscribing.
But opponents of CAN-SPAM found other aspects of the legislation troubling. Language in
the bill empowered the Federal Trade Commission to create a Do Not Email list, patterned
after the recently implemented federal Do Not Call list. But Congress had not
required
the FTC to create such an email registry. Without it, the
onus would be on consumers to unsubscribe individually from potentially hundreds of
spammers' mailing listsâeven though many Internet users had been taught that opt-out links
were usually a fraud designed to harvest verified email addresses. (There had even been
recent reports on Nanae that some spammers were using fake opt-out links in an attempt to
install Trojan horse software on the computers of unprotected Internet users.)
Also objectionable to many spam fighters was CAN-SPAM's lack of a "private right of
action" clause. The law would give the FTC, state attorneys general, and ISPs the ability to
sue spammers who violated CAN-SPAM. But individual spam victims would be denied such
recourse. As a result, CAUCE predicted that enforcement of CAN-SPAM would be rare and
infrequent. The anti-spam group said regulators and attorneys for ISPs lacked the time and
resources to pursue more than a few symbolic legal actions against spammers.
"Unless the FTC is given a massive appropriation to pay for more prosecutors and
investigators, giving consumers a right to sue is the only way to get enforcement at a
frequency to make spammers think twice," said CAUCE in an October 2003 statement at its web
site.
Particularly aggravating for many spam opponents was language in CAN-SPAM dictating that
the new federal law trumped several states' stronger junk email laws. Among the state spam
laws preempted by CAN-SPAM was a strict opt-in spam law in California that would have taken
effect on January 1, 2004. The measure would have allowed individuals to sue spammers for up
to $1,000 per unwanted email message. Not surprisingly, many bulk emailers were relieved to
see the California law gutted by CAN-SPAM.
"We are very excited," OptInRealBig.com CEO Scott Richter told the
New York
Times
on the day the U.S. House passed CAN-SPAM. "All of our clients had been
worried about the California law. In the last two hours we have been booking a lot of orders
for January."
[
2
]
Despite CAN-SPAM's critics, Congress and the White House moved ahead quickly to make it
the law of the land. On December 16, 2003, Bush signed the landmark bill. The President had
no official comment on the Act, but cosponsor Wyden released a statement, saying that the
new law created harsh consequences for "kingpin" spammers.
"Swift and aggressive enforcement will be essential," said Wyden. "I will continue to
push the Federal Trade Commission and others to use the tools this law gives them to fight
against spam."
With little time to prepare before CAN-SPAM went into effect January 1, 2004, email
marketers of all sorts struggled to come to grips with the complex law's requirements. Some
in the junk email business worried that federal and state authorities would begin
aggressively pursuing spammers in the new year. Attendance at an early-January 2004 Las
Vegas trade show for email marketers was reportedly down, because many spammers feared law
enforcement officials would use the event to make CAN-SPAM arrests. (They didn't.)
Meanwhile, some law firms created new practices dedicated to advising e-marketers on how to
comply with the federal anti-spam law.
Shiksaa was delighted to see spammers fretting over CAN-SPAM. One evening in late
December, she teased Nevada bulk emailer Bill Waggoner over AIM.
"Getting nervous? Are you worried you're going to jail or to court?" she asked.
"No, of course not," replied Waggoner. "Jesus loves me."
"Keep spamming, and maybe you will get sued too. One can hope," she said.
Shiksaa was especially pleased to learn that CAN-SPAM preserved Internet service
providers' right to block any messages they deemed unwelcomeâeven if the spam was in full
compliance with the new law.
"There is nothing you can do to force them to accept it," she called out to spammers in
a message on Nanae. "Want to sue? Go ahead and waste your money, boys. It's becoming very
expensive to run a spam shop."
Online support groups for spammers were abuzz with discussions of how to avoid trouble
under the new law. After members of the Send-Safe forum held a December conference call with
an attorney to discuss CAN-SPAM compliance, some junk emailers contemplated pulling out of
the business.
"I am sure many of you are as worried as I am. I am really unsure what to do. I am
considering shutting down my offices and/or scaling way back," wrote one Send-Safe customer,
who said she primarily sent spams on behalf of insurance companies.
But other veteran spammers vowed that CAN-SPAM wouldn't mean the end of spamming.
"Sure, it is tougher and the cards are stacked against us, but WE ALWAYS PULL THROUGH.
This time will be no different. WE WILL GET COMPLIANT AND continue to mail for sure. That is
our way," said a Send-Safe employee. Indeed, Send-Safe soon released a new "CAN-SPAM
compliant" version of its program that used rented email servers in China, rather than
proxies, to anonymously send messages. Other spamware vendors released similar
products.
Meanwhile, entrepreneurs began developing other offerings aimed at spammers worried
about the law. New services sprang up selling "valid froms"âbatches of working email
addresses that could be used in the "From" line of spams, as required under the law.
Operators of the services manually created accounts at free email providers all over the
world and resold those accounts to spammers.
"You could easily spend more time signing up valid froms than you spend mailing. You
will also drive yourself nuts doing this tedious and boring job," stated one ad for a
valid-from service that charged spammers twenty-five dollars per month for fifty valid from
addresses.
Several U.S. companies also launched services offering to set up offshore incorporations
and merchant accounts for spammers. The web site of one such service promised that
incorporating in the Bahamas could shield businesses from the "litigation explosion" in the
U.S. and could "protect their savings, investments and other accumulated assets that may be
attractive targets for hungry trial lawyers."
[
3
]
But many spammers seemed unperturbed by the new U.S. spam law. In the SpecialHam.com
forum, a spammer using the alias "nukeananti" said CAN-SPAM wouldn't change his business
practices.
"Honestly, I don't think this law will be easy to enforce, and it will only result in a
small reduction in spam. Already many states have laws against spam, and many of them are
more restrictive. They don't have the resources to police email, and I doubt taxpayers would
want the FTC spending millions of dollars on this," wrote the spammer.
Bottom line, said Nukeananti, "I am going to keep on mailing."
[
1
]
The new UK spam law was created in response to the European Commission's Directive
on Privacy and Electronic Communications. That directive obliged EC member states to
introduce anti-spam laws by October 31, 2003. In addition to the UK, Austria, Denmark,
Ireland, Italy, and Spain had already adopted the European Union law. But the other nine
member states of the EU, including France and Germany, had yet to adopt anti-spam
regulation.
[
2
]
"Congress Set to Pass Bill That Restrains Unsolicited E-Mail,"
New York
Times
, November 22, 2003; Section A, Page 1.
[
3
]
Text from service description at AssetProtection.com.