Q: Email identity theft ( Answered 5 out of 5 stars,   4 Comments )
Question  
Subject: Email identity theft
Category: Computers > Security
Asked by: ethyl26-ga
List Price: $50.00
Posted: 09 May 2002 16:40 PDT
Expires: 16 May 2002 16:40 PDT
Question ID: 14096
Please help! I've had a ridiculous day. Someone has sent spam from my 
email address, promoting my company. Then, they complained to 
spamcop.net, they contacted my ISP and they shut my site down. My 
site has only been up for three days. I think I've sent a total of 3 
emails, responding to customers' questions. I have certainly never 
sent spam.

Although I have no proof, I believe that this whole thing was put 
into action by my competitor in California. Although the email header 
led to a dead end, some linux server in Russia.

What course of action do I have? My ISP and spamcop think I'm guilty, 
despite faxes from my attorney. Isn't it illegal to use someone 
else's email address? How can I clear my name and how can I track 
down the perpetrators and have them prosecuted?

Please don't tell me that, on the Internet, I'm guilty until proven 
innocent and I just got screwed.
Answer  
Subject: Re: Email identity theft
Answered By: jessamyn-ga on 09 May 2002 17:43 PDT
Rated:5 out of 5 stars
 
Hi Ethyl,

It sounds as if you have been having a pretty bad day. While we may
not be able to nail your competitor, there are a number of things you
can do at this point, to put your own name in the clear and make
things right with your ISP.

The first thing to know is that SpamCop is not necessarily an
administrative agency that says you are a spammer, they are a
reporting service that allows you [or someone else] to send a stock
letter to an ISP or several ISPs indicating that spam came from a
specific address. While SpamCop generates a report, it is up to the
individual to verify or investigate that the companies they are
reporting are actually spam violators and not just people whose
identity has been stolen as it seems yours has. This happened in an
online community I was involved in recently, and while the issue got
resolved, it took several people and several emails to work it out.
Please keep in mind that it is also the responsibility of your ISP to
use due diligence to determine whether you are actually at fault for
the spamming, or have been the victim of email identity theft. Make
sure you familiarize yourself with their terms of service so that you
can make sure you respond to their concerns appropriately. Many ISPs
have a "three strikes" policy and you may be able to get back online
quickly this first time.

For the anecdotal report, you can read this exchange
     http://metatalk.metafilter.com/mefi/2162

Now, let's address some of your specific questions:

1. Is email identity theft illegal? Sort of. The laws concerning email
forgery and fraudulent identity use have not kept up with the huge
growth of the internet and the use of these technologies for nefarious
means. In some states, like my home state of Washington

http://www.wa.gov/ago/clearinghouse/consumer/home.html 

forging email headers is a punishable offense, though tracking down
the culprits is often difficult. There is a list of states who have
regulations that control the use [and misuse] of commercial email at
this address:

http://law.spamcon.org/us-laws/index.shtml

2. How can I clear my name? You haven't mentioned how much
investigation you did into the actual source of the forged email.
There are ways of checking system logs of the SPAM recipient's email
to determine the original mail server of the problematic email in
question. The person who reported the violation to SpamCop should be
able to have their system administrator check the log files of the
email server in question to determine more definitively where the
email came from. More details on how this is done are found here:

http://eddie.cis.uoguelph.ca/~tburgess/local/spam.html

SpamCop has specific pages on its website where ISPs who receive
reports from SpamCop can respond to accusations of Spam. They describe
them here:

http://spamcop.net/reported.shtml

Once you access this page, it will give you information about the
specific email that was received by SpamCop and give you a chance to
look at the headers and possibly request more information about the
source of the email. SpamCop also has an email address that is
specifically for communicating with a human being. If your ISP
requires more information from SpamCop to be able to reinstate your
account they can email them here "email deputies@admin.spamcop.net. If
you are writing about a spam report, please include a copy of the
report in question - including full headers and the spam itself. Your
email will be read by a living, breathing, thinking (!) person."

3. How can I prosecute the people responsible? You may not be able to.
While proving yourself innocent is not too difficult to do with some
proper diligence and a good solid paper trail [I cannot stress enough
to keep track of the people you speak to, and the emails you send and
receive with regards to this issue] getting those responsible may be
tough. One of the uniquely identifying parts of almost all spam email
headers is known as the "originating IP address" this will basically
contain information about the internet address of the computer that
sent the email, the mailserver that sent the mail out. If this is the
machine that you tracked back to a Linux box in Russia, then you may
have hit a dead end. On the other hand, if it is a Linux box in
Russia, that seems to indicate that it is not you.

More information on getting the actual originating IP information from
an email message with forged headers can be found at PObox.com

http://pobox.com/spam1.html

This information should be given to your ISP as proof that you were
not involved in the spamming event. You can include as other evidence
your own IP addresses of your computers and some sort of logfiles that
indicate that those are the addresses that you do business under.

Moving forward with your ISP will involve asking them what sorts of
data they require to clear your name and trying to provide that data.
In a worst case situation, you may need to move your webspace and
website to another ISP, or possibly even change your URL. While this
is less than ideal and a last ditch effort, keep in mind that it may
be necessary.

4. Continuing business in your name. This is going to be a tricky part
of the equation since there may be people who received the forged spam
and have now put your URL into a filter so that they will not receive
more email from your domain. You will need to weigh the strength of
your brand against the damage done to it by this spam event. If you
are mostly concerned about getting back on board with your ISP, this
should not be a huge problem. If you have one email address at your
domain [sales@mynewsite.com] for example, you may want to change that
to a new address [exec@mynewsite.com] and give up the old address.
Since you say you have only had the website for a few days, this might
not be as much of a hassle as trying to undo the damage of being
thought of as a spammer. Remember that even though this whole mess was
NOT your fault, you will have the responsibility of doing damage
control for it and the easier you are to work with and the more
information you can provide to the people involved, the better your
chances of putting it behind you quickly and easily.

If you decide to keep the domain name, and the ISP, you may wish to
issue a disclaimer on your website for people who may be concerned
that you have been spamming them, in this model:

http://www.hsh.com/spamalert.html [a bit low tech, but you get the
idea] and this might keep people from notifying spamcop so quickly in
the future.

If you do believe that you have competitors who wish you ill will, you
may want to take some steps to ensure that this is not as much of a
problem in the future. This can include notifying your competitors
that you will take legal action against them if the same thing happens
again [a good use for a fax from a lawyer] as well as maintaining a
separate mailing list for contacting customers and not having your
website domain be the same as your business mailing address domain.
This may cost a little extra, but it will be worth it in peace of
mind.

If you would like to submit clarifying information with more of the
specifics of your situation, I would be happy to give you more
in-depth advice that was particular to your case. I am enclosing some
extra resources for further reading at the bottom of this page.

Thank you and best of luck working out your dilemma.

jessamyn-ga

additional resources:

google directory Spam category
     http://directory.google.com/Top/Computers/Internet/Abuse/Spam/

google directory Internet fraud category
     http://directory.google.com/Top/Society/Issues/Fraud/Internet/

CAUCE, The Coalition Against Unsolicited Commercial Email 
     http://www.cauce.org/

Spam.abuse.net help page
     http://spam.abuse.net/userhelp/

google searches used:

"identity theft" email
     ://www.google.com/search?num=30&hl=en&safe=off&q=%22identity+theft%22+email

"forged headers" spam
     ://www.google.com/search?num=30&hl=en&safe=off&q=%22forged+headers%22+spam

"forged headers" spam legality
     ://www.google.com/search?num=30&hl=en&safe=off&q=%22forged+headers%22+spam+legality
ethyl26-ga rated this answer:5 out of 5 stars
Very informative. Worth the money.
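
The header tracing described in the answer above, as an added example that is not part of the original answer: it walks the Received chain from the recipient's side and keeps only the hops written by servers the recipient controls, then checks the verifiable origin IP against the accused party's own addresses. The message, host names, IP ranges and function names are constructed assumptions for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (documentation-range IPs, hypothetical hosts). The bottom
# Received line was written by the sender, so everything in it can be forged.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Thu, 9 May 2002 10:00:05 -0700
Received: from mail.mynewsite.com (unknown [203.0.113.77])
\tby mx.recipient.example with SMTP id B2; Thu, 9 May 2002 10:00:01 -0700
Received: from mail.mynewsite.com ([198.51.100.5])
\tby relay.forged.example with SMTP; Thu, 9 May 2002 09:00:00 -0700
From: sales@mynewsite.com
To: someone@recipient.example
Subject: Great offer

body
"""

# "from <helo> (<optional rdns> [<ip>]) ... by <host>"
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\([^()\[\]]*\[([0-9A-Fa-f.:]+)\]\).*?\bby\s+(\S+)", re.S)

def trace_origin(raw, trusted_hosts):
    """Walk Received headers newest-first; stop at the first one not written
    by a server the recipient controls. Returns the last verifiable hop."""
    msg = email.message_from_string(raw)
    origin = None
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group(3).lower() not in trusted_hosts:
            break  # unparseable or written by an untrusted server
        origin = {"claimed_name": m.group(1),
                  "ip": ipaddress.ip_address(m.group(2)),
                  "recorded_by": m.group(3).lower()}
    return origin

def sent_from_owner(raw, trusted_hosts, owner_networks):
    """True only if the verifiable origin IP lies in the accused party's ranges."""
    origin = trace_origin(raw, trusted_hosts)
    nets = [ipaddress.ip_network(n) for n in owner_networks]
    return origin is not None and any(origin["ip"] in n for n in nets)

TRUSTED = {"mailstore.recipient.example", "mx.recipient.example"}
OWNER_NETS = ["198.51.100.0/24"]  # assumed: address range of the accused business

if __name__ == "__main__":
    print(trace_origin(RAW, TRUSTED))
    print("sent from owner:", sent_from_owner(RAW, TRUSTED, OWNER_NETS))
```

The forged bottom header claims an address inside the owner's range, but it sits below the trust boundary and is ignored; the IP recorded by the recipient's own mail exchanger is the one to hand to the ISP.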

Comments  
Subject: Re: Email identity theft
From: mvguy-ga on 10 May 2002 08:57 PDT
 
Ethyl26 -- Jessamyn gave an excellent answer.  I would just add that
it should be extremely easy for your ISP to verify that you didn't
violate its terms of service. If your ISP won't rectify the situation,
I suggest you get a different ISP.
Subject: Re: Email identity theft
From: greg418-ga on 10 May 2002 11:27 PDT
 
jessamyn's answer thoroughly covered the facts about "email identity
theft"!

ethyl26, this may be of some interest to you (and to others facing a
similar situation): a friend of mine was recently notified that one of
his clients received a virus from "him". Actually, the "From" field had
been forged, thus creating the confusion. upon contacting the ISP of
the original (malicious) sender (he had left his IP address in),
emergis.com, the problem seems to have been solved (and pretty
quickly, may I add... the emergis.com tech folks were very helpful!).
here's a part of the letter he received from emergis:

"Following investigation of your report we believe one of our users is
infected with the Klez virus.  This means the virus was almost
certainly sent without the knowledge of the sender (the Klez virus
uses its own SMTP mailer and does not rely on the mail client of the
infected host).

"The following news article describes the effects of this virus which
may help to verify the above:

http://www.wired.com/news/technology/0,1282,52055,00.html

Best of luck!
Subject: Re: Email identity theft
From: robh-ga on 10 May 2002 14:58 PDT
 
Spamcop.net usually does a pretty good job of working out where spam
was sent from, and if it thinks the spam was sent from or via your
server they are probably correct.  It's not based on domain names, IP
numbers of the actual paths the mail takes are used.

There are several ways it could be sent from your server.  The most
common is if the server has an "open relay", allowing the spammer to
relay the mail through your mail server.  You can check if a server is
an open relay at
http://www.abuse.net/relay.html - you can do this with the IP address
of the server you had previously if your domain no longer points to the
server.

No server should have an open relay.  If it is an open relay (easy to
test), it's the hosting company's fault, and they are essentially to
blame for all your problems.  If it tests as an open relay it would
prove your innocence.

It's also possible that your server password has been obtained by
somebody snooping at your place or at the company hosting the server
(perhaps reading your order form, for example) but this seems less
likely, and would be hard to prove.  The IP numbers and times that
"you" logged on should be on the server somewhere, so would show that
it wasn't "you" logging on from your normal location, but it doesn't
sound like the ISP would be interested in spending time proving your
innocence.

Spamming has become such a pain for hosting companies that basically
you are guilty until proven innocent.

Whenever you get a server anywhere (especially a dedicated server)
always run some basic checks on it.  Make sure it is not an open relay
(above).  And make sure the IP addresses for it haven't been used by a
spammer in the past by looking at
http://relays.osirusoft.com/cgi-bin/rbcheck.cgi to see if it is on any
blacklists.  And change the password as soon as possible if the
password was revealed during the order process or set up by the ISP.

Rob
Subject: Re: Email identity theft
From: unified-ga on 16 May 2002 17:42 PDT
 
Hello.

Although the question has already been answered, I believe I have
something to add:

Concerning tracking down the person who sent out spam emails.
I don't really see what the problem is for your ISP to check their logs
and see if it were actually YOU who sent out spam e-mails. If you have
a static IP they should check if those connections originated from it,
if not, they have logs for their SMTP server (if it was ever used),
they have also dial-up lines logs to compare the two logs against
each other.

Then, it should be clear to everyone that one must be really "unwise"
to spam from their business e-mail account and that this act was
originated by your competitors to ruin your firm and your reputation.

Another consideration is this: I have heard a story of a real spammer
suing his ISP for terminating service. Although the person DID send
out spam through his ISP, the ISP had to resume service because the
spammer had paid for it.

However, if the spammer used your login/password and your ISP's SMTP
server it's different. Still, this should be trackable through the
phone company. They might be able to provide data on _what_ phone
number connected to ISP's modem pool at specific time. If it were not
you -- you are not guilty.

Hope this helps in any way.

Good luck!
