Injunctions Against Wayne Mansfield Clarified

I’ve seen a bit of confusion as to the nature of past and present injunctions taken out against Wayne Mansfield in relation to his violations of the Spam Act. There are two major points of confusion: first, what’s the point of issuing an injunction which basically says “don’t break this law”; and second, didn’t Wayne violate previous injunctions by continuing his spam operations during the court case, and why wasn’t anything done about it?

Although I’m no legal expert, I’ve come to appreciate the point of issuing an injunction, even when that injunction is “don’t break law X”. Violating an injunction is a special offence in and of itself. The penalties for violating the Spam Act consist of fines (which is why Wayne was fined AU$5.5 million), but the penalties for violating an injunction can include imprisonment. This kind of thing discourages an unrepentant lawbreaker from continued violation. A convicted spammer (like Wayne) might simply weigh up the costs and chances of being caught again, then decide it was commercially viable to keep breaking the law if it weren’t for the additional penalties possible under an injunction.

An injunction is pointless unless it’s enforced, and this brings us to our second point of confusion. Did the court issue an injunction against Wayne Mansfield during the court case? If so, did he violate it? If so again, did the court take action against him? There certainly were injunctions issued against Wayne, and the ACMA announced in a July 2005 press release that an interim injunction had been issued, ordering him not to send further commercial emails without recipient consent, but that injunction only stood until a subsequent hearing on 4th August, 2005. After a bit more legal tussling, the injunction that finally stood for the remainder of the case (issued in September 2005) ordered that he not send further commercial email to those parties (such as myself) who had lodged complaints with the ACMA, and also that he not divulge those addresses to anyone else. I imagine that the argument went, in essence, something like this.

ACMA: Your honour, Mr Mansfield is still breaking the law even now. Please order him to stop.
Judge: Fair enough; so ordered.
Wayne: Wait a minute, I’m not breaking the law. That’s my point. I’m entitled to send these emails under the terms of the act.
ACMA: We have received complaints which contradict that claim. They say they never granted you permission to send commercial messages.
Wayne: I have prior business dealings with these recipients, so I am entitled to send them commercial messages until they request otherwise. If they want me to stop, they need only ask.
ACMA: They say that they have no prior dealings with you, and they are concerned that you will share their email addresses with other spammers if they request that you stop.
Wayne: I promise not to do that.
Judge: Very well, since there is a question of fact as to whether Mr Mansfield has appropriate permission from his recipients in general, I order that the ACMA provide a list of complainant email addresses to Mr Mansfield, that he cease sending commercial messages to those recipients specifically, and that he not divulge those addresses to any third parties.

So far as I’m aware, Wayne did comply with this court order. He also continued to spam other parties, causing noticeable grumbling on a certain anti-spam mailing list I follow. Presumably the grumblers hadn’t issued formal complaints to the ACMA, or the spam arrived at addresses other than the ones they’d specified in their complaint, so there was spam, but no violation of the injunction.

Whatever the case, the court ultimately rejected Wayne’s argument that he had a prior business relationship with his recipients. To the best of my understanding, that argument was something like “I sent them unsolicited commercial email when it was legal to do so, and they didn’t request that I stop: this constitutes a prior business relationship.” The portion of the Reasons for Judgment which addresses this point starts at paragraph #77, and it makes interesting reading (to those who, like me, appreciate a good formal argument).

Because Wayne’s arguments were rejected, he was found to be in violation of the Spam Act. The “declaratory relief” section of the final order [442KB PDF] thus covered all his unsolicited commercial email sent between 10th April 2004 and 13th April 2006 (judgment day). He was a silly boy to send further spam during his court case, since he was clocking up more and more fines in the end. I sincerely hope that the “pecuniary penalties” (fines) were sufficient to stop him in his tracks, but if he’s still spamming, it’s important to report it so that the “injunctive relief” can have its intended effect and put him behind bars — preferably without Internet access.

Wayne Mansfield Fined $5.5 Million

On April 13th, 2006, Wayne Mansfield was found by an Australian Federal Court to be in breach of the Spam Act. The wheels of justice turn slowly, but on October 27th, 2006, the judge handed down his decision in relation to penalties: AU$4.5 million against Clarity1 Pty Ltd (Mansfield’s business) and AU$1 million against Mr Mansfield himself. (At present exchange rates, AU$1 is roughly 75 US cents.)

The decision against Mr Mansfield also imposes a restraining injunction to the effect that neither he nor his company may send commercial email to anyone that has not granted specific prior consent for him to do so; nor may he or his company harvest email addresses or use harvested address lists. Basically the injunction requires him to obey the law (specifically the Spam Act), which seems a little superfluous, but I gather this is done so that future violations become violations of specific court orders, not just breaking the law, and action can be taken much more quickly against violation of an injunction. It’s therefore important to report any Mansfield-related spam to the ACMA if it’s still being sent.

I was one of the parties who lodged complaints in relation to Mr Mansfield’s spamming, and was called as a witness at the trial. The process was very slow and tedious, but educational. My hat is off to the ACMA guys for their success in this matter. I hope that the outcome acts as a deterrent to any other Australians who might be under the false impression that spamming is cheap and effective marketing.

References

For convenience, I have produced a PDF rendition of the final order. The court-supplied document (see case file above) is a “.doc” file.

On Forum Spam

Apparently I picked a ripe moment to start hosting a forum. Forum spam has been a problem for quite a while, but it seems to have hit a new pitch this month. Perhaps the automated spamming tools with imaginative names like “Forum Poster” have hit the mainstream. These generate a maximum amount of damage (in the euphemistic name of “search engine optimisation”) with a minimum amount of user interaction.

Fortunately I’ve managed to fend off the spam for now. After one or two attempts with limited success, I’ve found an approach which neutralises the bot-generated spam without noticeably impacting normal operation. I’m using phpBB, but this technique isn’t specific to that software.

The technique involves adding one line of Javascript to the main template for the forum, and a couple of lines of Apache “.htaccess” configuration (or equivalent). The one line of Javascript sets a session cookie. It doesn’t really matter what the cookie is called or what value it holds: make something up. The Javascript code looks like the following.

document.cookie = 'foo=bar;PATH=/';

In this particular case, a cookie named ‘foo’ obtains the value ‘bar’. Next, create or modify the “.htaccess” file for the forum (assuming that it’s served by Apache) to deny POST operations except where this cookie is present. The configuration might look like the following.

SetEnvIf Request_Method "^POST$" posting
SetEnvIf Cookie "foo=bar" javascript
Order Deny,Allow
Deny from env=posting
Allow from env=javascript

If a client attempts to POST anything to the server (as it would in leaving a message or creating a user account), it will receive a “403 Access Denied” response unless the appropriate cookie is set. This should filter out anything that lacks Javascript support, including the forum posting spamware (at this point in time). If the technique becomes widespread, the arms race will progress, and the spamware authors will adjust accordingly. Such is life. It’s an excellent measure to take right at the moment, however.
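
To make the evaluation order of those directives concrete, here is a small JavaScript model of the rule set, added as an illustration and not part of the original post. The request objects and the "sid" cookie are constructed samples, and the function names are my own.

```javascript
// Added example: a model of how Apache evaluates the .htaccess rules above.
// The requests below are constructed samples, not captured traffic.

// SetEnvIf tests a request attribute against an unanchored regular
// expression and sets the named environment variable on a match.
const setEnvIfRules = [
  { attr: 'method', pattern: /^POST$/, env: 'posting' },
  { attr: 'cookie', pattern: /foo=bar/, env: 'javascript' },
];
const denyEnv = ['posting'];      // Deny from env=posting
const allowEnv = ['javascript'];  // Allow from env=javascript

// Collect the environment variables the SetEnvIf rules set for a request.
function requestEnv(req) {
  const env = new Set();
  for (const rule of setEnvIfRules) {
    if (rule.pattern.test(req[rule.attr] || '')) env.add(rule.env);
  }
  return env;
}

// "Order Deny,Allow": Deny directives are evaluated first, then Allow.
// A request matching neither is allowed; one matching both is allowed.
function accessDecision(req) {
  const env = requestEnv(req);
  const denied = denyEnv.some((name) => env.has(name));
  const allowed = allowEnv.some((name) => env.has(name));
  return denied && !allowed ? 'forbidden' : 'allowed';
}

// Constructed requests; "sid" stands in for the forum's own session cookie.
const sampleRequests = [
  { label: 'read a topic, no cookies', method: 'GET', cookie: '' },
  { label: 'post, script never ran', method: 'POST', cookie: '' },
  { label: 'post, session cookie only', method: 'POST', cookie: 'sid=abc123' },
  { label: 'post, script ran', method: 'POST', cookie: 'sid=abc123; foo=bar' },
];

// One summary line per request: decision, method, description.
function summarize(requests) {
  return requests.map((r) => `${accessDecision(r)} ${r.method} ${r.label}`);
}

console.log(summarize(sampleRequests).join('\n'));
```

Reading is never affected because only the "posting" variable triggers a Deny, and a POST gets through only when the Allow overrides it. On Apache 2.4 the Order, Deny and Allow directives are provided by mod_access_compat.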

While I’m on the subject of forum spam, I’d like to blow a big raspberry in the direction of “TOT Corporation” in Thailand for the netblock 203.113.13.0/24, and “Telefonica de Espana” in Spain for the netblock 80.58.205.0/24. Several addresses in these ranges are, at this time, using (or proxying) forum spamming software which is blocked by my filter. Given that they hit my forum on the order of ten times a day, I hate to think how much crap they generate on a global scale. A quick Google search for “203.113.13.” shows it to be a notorious source of Wiki and guestbook spam as well.

Food for misanthropy.

Further updates on this subject can be found in a dedicated thread in the forum itself. There you can see what abuse has occurred since inventing this technique, and what additional measures have been necessary. Also, you can comment there. Guest posting is enabled.