15

Suppose a spam email tells you that you've earned $1m. To get the funds the email goes on to tell you to email joe.schmoe@gmail.com. My question revolves around why Gmail doesn't block "joe.schmoe@gmail.com" on the spot when it detects such an obvious fraud (which it correctly marks as spam), so that less savvy users don't take the unfortunate step of getting defrauded out of their savings with little to no recourse.

A real life equivalent might seem to be a driver who waits for the hitchhiker they picked up while the latter does a bank heist, and continues on with their passenger after they're done. Surely such a well meaning albeit naive driver wouldn't stand a chance in court if they said that it's because they've a section 230-like protection.

Also, given the amount of spam I receive that actually use Gmail accounts, I presume -- but have not checked -- that the accounts do not get disabled quickly by Gmail and others. (Some do answer, with amusing results.) This is on the basis that fraudsters would use an actual domain name if email account providers did block these emails quickly.

Why do Gmail, Hotmail, etc. get away with enabling bank wire fraud? Is section 230 indeed the reason that they do? Has this ever been tested in court as a class action in the US or elsewhere to see where it leads?


To clarify what is being asked:

This is not about blocking e.g. Gmail accounts that send spam, nor is it about detecting spam. Rather, the question is about blocking e.g. xyz@gmail.com in emails that Gmail already identifies as spam (with near 100% accuracy) in a format that revolves around:

Congratulations, someone gave you lots of moneys. Please email xyz@gmail.com for instructions on how to collect it.

Further, the question is not why doesn't Gmail stop such emails from being sent. Rather, it is: Is section 230 indeed the reason that they get away with not shutting down accounts like "xyz@gmail.com" in the above example quickly when they detect such emails without being held liable? Has this ever been tested in court as a class action in the US or elsewhere to see where it leads?

5 Answers

52

Surely such a well meaning albeit naive driver wouldn't stand a chance in court if they said that it's because they've a section 230-like protection.

Because Section 230 of the Communications Decency Act explicitly protects computer service providers from such charges. A driver is not a computer service provider, and the US legislature has never voted to offer similar protection to drivers picking up hitchhikers.

You say that an email can easily be classified as fraudulent, but that's not true. Spam detection has gotten pretty sophisticated, but they still get plenty of false positives. They were a lot less sophisticated back in 1996 when the Communications Decency Act was passed.

38

This is a technical answer rather than a legal one. If those are unwelcome here, let me know.

My question revolves around why Gmail doesn't block "joe.schmoe@gmail.com" on the spot when it detects such an obvious fraud

They often do. I am an admin on a G-suite domain, and I get several emails every month titled "Alert: User suspended due to suspicious activity". It usually means someone re-used a password, their account got compromised, and it is now being used to send spam.

Also, given the amount of spam I receive that actually use Gmail accounts, I presume -- but have not checked -- that the accounts do not get disabled quickly by Gmail and others.

Several things come into play here:

  • Google is definitely more aggressive in tagging a message as spam than it is suspending an account (I get "G Suite Alert - You have users sending spam through your SMTP relay" emails warning me that suspension is imminent much more often than I get "Alert: User suspended due to suspicious activity" emails). This discrepancy is probably where the bulk of the problem comes from.
  • Emails can be retroactively tagged as scams, so the account might have been suspended by the time you read the email. From the scammer's point of view, as long as this only happens some of the time, this is not that big a problem. This is a bulk business.
  • "FROM" in an email is super easy to spoof, so they might not actually be using Gmail accounts. Consider the following scenario:

EvilAlice wants to scam VictimBob. She creates the account EvilAlice@gmail.com. She then uses another non-Gmail server (or botnet infected computer) to send a message to VictimBob@gmail.com. She instructs her server to tell the Gmail server that it is a Gmail server. Gmail knows she is lying (for several reasons, search for SPF and DKIM records if you are interested), so Gmail marks the message as a scam. Gmail can't really suspend EvilAlice@gmail.com though, because as far as Gmail is concerned the real EvilAlice@gmail.com hasn't done anything. Someone was just trying to impersonate her. VictimBob opens the message and replies. Gmail tries to warn him, but he is insistent. What is Gmail to do? The only return address on that message was EvilAlice@gmail.com, so Gmail sends the reply there. From Gmail's point of view, EvilAlice@gmail.com has now received an unsolicited offer of money from VictimBob. Gmail can't suspend her account for that, otherwise I could suspend everyone's account by emailing them and offering them money. And so the scam communication is complete. Eventually Gmail builds up enough confidence that it thinks it's justified in suspending EvilAlice@gmail.com, but Gmail accounts are easy to make. EvilAlice just creates EvilAlice92@gmail.com and the process continues.

If you want to know if a message really came from the domain it claimed to come from, hit the 3 dots on the message in Gmail, click "Show Original", and look for "SPF PASS" and "DKIM PASS". If those are failures, someone is impersonating the domain.

9072997
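The "Show Original" check from the answer above, automated as an added example (not part of the original answer): it reads the SPF and DKIM verdicts from the `Authentication-Results` header stamped by the receiving server and ignores any copy planted by the sender. The sample message, the function name and the `relay.example.org` host are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): mail claiming to be from gmail.com
# but sent through another host. The top header is the receiver's verdict;
# the lower one was planted by the sender and must be ignored.
RAW = (
    "Authentication-Results: mx.google.com;\n"
    " spf=softfail (google.com: domain of transitioning evilalice@gmail.com\n"
    " does not designate 203.0.113.7 as permitted sender)\n"
    " smtp.mailfrom=evilalice@gmail.com;\n"
    " dkim=none\n"
    "Authentication-Results: relay.example.org; spf=pass; dkim=pass\n"
    "From: EvilAlice <evilalice@gmail.com>\n"
    "To: victimbob@gmail.com\n"
    "Subject: Congratulations\n"
    "\n"
    "Please reply for instructions.\n"
)

def auth_verdict(raw, trusted_authserv_id):
    """Return SPF/DKIM results recorded by the trusted receiving server only."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
        value = re.sub(r"\([^()]*\)", "", value)     # drop (comments)
        authserv_id, _, rest = value.partition(";")
        ident = authserv_id.split()
        # Anyone can add this header; trust only the one our own server wrote.
        if not ident or ident[0].lower() != trusted_authserv_id.lower():
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    spf = results.get("spf", "missing")
    dkim = results.get("dkim", "missing")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {"from_domain": from_domain, "spf": spf, "dkim": dkim,
            "both_pass": spf == "pass" and dkim == "pass"}

if __name__ == "__main__":
    print(auth_verdict(RAW, "mx.google.com"))
```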
14

So many people have come up with ideas about spam that there is actually a standard "fill in the blanks" form for answering them! A copy can be found here.

Filling in the blanks for your solution:-

Your post advocates a

(X) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting spam.

As well as the technical side, it requires the ISP to act as a vigilante. Without any kind of due process, the ISP would shut down email addresses based only on the assumption that the person with that email address sent the email. (And because of the nature of email, actually proving it is virtually impossible.)

Your idea will not work. Here is why it won't work.

Here we go...

(X) Mailing lists and other legitimate email uses would be affected

Suppose one of your newsgroup users sends spam to the group inbox, which is forwarded to the rest of the group.

(X) Users of email will not put up with it

Too many false positives.

(X) Microsoft will not put up with it

Because it's a huge amount of work for no income.

(X) The police will not put up with it

Because there's no due process in cutting people off, and getting a common standard of law across the world doesn't happen.

(X) Anyone could anonymously destroy anyone else's career or business

ISPs can't unilaterally spot spam, so they're dependent on users reporting what's spam.

Specifically, your plan fails to account for

(X) Lack of centrally controlling authority for email

(X) Open relays in foreign countries

(X) Jurisdictional problems

(X) Huge existing software investment in SMTP

(X) Armies of worm riddled broadband-connected Windows boxes

(X) Eternal arms race involved in all filtering approaches

(X) Extreme profitability of spam

(X) Joe jobs and/or identity theft

I'll let you check how each of these applies to your solution.

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

(X) SMTP headers should not be the subject of legislation

(X) Blacklists suck

(X) We should be able to talk about Viagra without being censored

(X) Countermeasures should not involve sabotage of public networks

(X) Countermeasures must work if phased in gradually

(X) Why should we have to trust you and your servers?

The latter is the key issue. Who says what spam looks like?

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.

Graham
3

This is also admittedly more of a technical explanation than a legal one but it's relevant.

The spammer presumably has control of multiple accounts. Whether the accounts were stolen from other users or created by the spammer themselves, they likely have not just one but hundreds, thousands, or even millions of accounts they can send scam mails from. It may be that you are in fact the first person to receive this spam from joe.shmoe specifically, and nobody has yet reported it as spam. Google may indeed take down accounts that are reported, but if the spammer can just steal/create more with almost no effort (likely through the use of bots), there's only so much they can do to keep up with the flood. Sure, they might notice hundreds of accounts being created by the same user at the same location, but there are ways of spoofing that as well, and any sophisticated spammer would be well aware of these. Spam detection tools may be increasing in quality, but so are spammers' tools. It's a never-ending arms race.

Darrel Hoffman
0

Suppose a spam email tells you that you've earned $1m. To get the funds the email goes on to tell you to email joe.schmoe@gmail.com. My question revolves around why Gmail doesn't block "joe.schmoe@gmail.com" on the spot when it detects such an obvious fraud (which it correctly marks as spam), so that less savvy users don't take the unfortunate step of getting defrauded out of their savings with little to no recourse.

Why would it? I can easily send a spam email that tells you to email "president@whitehouse.gov" and the correct response is clearly not to block emails to "president@whitehouse.gov". That's so obviously the wrong solution. If email providers did what you suggest, anyone who needed reliable email service simply wouldn't use those providers because they'd be too vulnerable to false flag attacks.

Email providers do respond to spam emails, but not that way. That doesn't make any sense at all and makes it way too easy to get other people's email shut down.

David Schwartz