Slashdot Mirror
Is Forged Spam a Crime?
PJRC2 writes "ABC News.com has an article about a man who claims he commited no crime in sending millions of AOL users porn and make-money-fast spam and making the messages appear as though they came from ibm.net. " We're going to see more of this in the future. I think forged spam should be punishable by death, but I probably get more of it than most people ;)
Please!
Not while I'm eating lunch!
t_t_b
--
I'm on PJ's "enemies" list! Are you?
Wouldn't this count as Trademark Infringement? Since domain names have precedent as being covered under Trademark law, shouldn't abuse of domain names also fall under Trademark/IP law? Unfortunatly this would put the onus on the abused company to do anything. Matbe IBM should get in on the action.
IANAL. But I'm sure we can lengthen the list of charges a little.
Let's see what this criminal did:
* He sent mass e-mails using other people's computer facilities. That's theft, chattel trespass and - if the spams clogged their e-mail system - denial-of-service. The people who have to clean up the damage have to pay technical people large amounts of money. That's damage that can be recovered in a court of law.
* He impersonated IBM. That's fraud.
* He used IBM's trademark without authorisation. That's trademark infringement.
* He sent pornographic spams. If any of the recipients were underage and the underage recipients then visited the web site, that's transmission of pornography to minors.
* He violated his ISP's Acceptable Use Policy. That's breach of contract.
If the laws were up-to-scratch, then this perpetrator would be facing 3 years in jail, large lawsuits from IBM and the people from whom he stole e-mail facilities, and many small claims from the recipients.
And he wants us to believe that he's not a criminal? Yeah, right, and I'm the Swiss Navy on maneuvers in the southern Indian Ocean.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Most spammers who try to forge where the message is coming from (including this guy) are not very good at it. The forgeries are easy to spot when you look at the complete message headers. Why doesn't someone (me?) write a MUA that automatically deletes this junk?
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Don't you know? to a spammer EVERYBODY is an american..
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
See http://www.suespammers.org for all the juicy details.
--Tom Geller, Founder, The Suespammers Project
Tom Geller
------
:)
Besides, it's my understanding that most ISP's have a terms and conditions agreement that limits the liability of the ISP, and provides for the termination of the abusive users account.
------
The problem is that the terms and conditions agreements simply do not work towards limiting abuse, and the termination of the user's account just doesn't happen.
I see that it would set dangerous legal precedents. Point taken. IANAL either, but the ISPs are the only ones with the ability to intervene in this situation, and many times they just don't. If there were repercussions to the ISP giving the abuser sustained and repeated access to the internet, you can be sure they would implement some from of controls in order to prevent it. But there isn't, so they do very little to stop it.
If the cabbie knew he was a bank robber, and gave him a ride out of town anyway, is the cabbie innocent? Or, if the bank robber got into the cab unbeknownst to the cabbie, and the security officer from the bank ran out and said "Don't give him a ride, he's a bank robber," but the cabbie still gave him a ride, is the cabbie innocent?
OK, let's say that the ISP is not fined, but rather obliged to reveal the identity of the abuser when a clear cut case of abuse is present. This information could be made readily available to those adversely affected by the abuse, as well as sent to other ISP's to prevent the abuser from reestablishing connectivity. The terms and conditions agreement could be modified to force the users to agree to this possibility.
(if you are a lawyer, feel free to speak up
What this guy is doing is probably "wrong" but I applaud him on all accounts. I really detest spammers
This is excellent. Incidentally, there is a legal doctrine called the "doctrine of necessity" which allows what would ordinarily be considered crimes to be committed if a) the amount of damage caused is less than that caused by the original crime and b) there is no other reasonable legal alternative.
A bank which, rather than alerting the police and causing their shareholder value to drop precipitously, instead hired hackers to hack back when they were being invaded, would be merely honoring their fiduciary responsibility to shareholders.
"Hack back" defenses have not yet been legally tested, that I know of. Further the risk is minimal. I myself have used DOS attacks (deliberately limited to avoid damaging the guy's ISP) against spammers, to limit the damage they cause while attempting through other means to get them axed. I find it highly unlikely that someone is going to complain to the police about something someone did to them while they were themselves committing a crime.
"Uh, officer, well, I was stealing this car when this guy came up behind me and. . ."
are you the only one? if not, that's a dumbass sig
Yup. It's patented too. And trademarked.
At least I have a sig.
Will in Seattle
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Okay, it was unethical for a spammer to send spam allegedly from IBM. Yes, AOL users are people too, and shouldn't have to receive the stuff. But there's something missing in the logic here:
The open relay shouldn't get by unscathed.
Assuming that there really was an open mail relay used to send the spam to AOL, in no case should Market Vision, the company through which the spam was sent, be able to sue. This is as ludicrous as the shrinkwrap licenses that we all loathe so much.
If a company is irresponsible enough to have an open mail relay (whether intentionally or through casual ineptitude), they should not be able to take their case to the corner drugstore, much less to court. To absolve the company with the open relay of all guilt is to invite stupidity to the Net, and stupidity is the most damaging thing the Net can take.
If you leave the top down on your convertible and park it in the darkest underpass of the inner city, and you leave the doors unlocked and the engine running, I believe it is still a crime to steal the car. However, if you then sue the thieves because they stole the car, you probably stand a very slim chance of getting any money (or you should stand little chance, that is).
Ignorance may be bliss, but it should not be rewarded.
There's just no arguing with fsckwits like this guy. It's obvious to the vast majority of clear thinking people that this kind of behaviour is anti-social, at minimum. I used to become infuriated by that Spamford Wallace character a few years back when he was generally being an asshole and taunting everyone who disagreed with his conception of acceptable email behaviour. No more, fuck it, life's to short, now I just hit Del.
Unfortunately we have two options. Spam is either made illegal by legislative means, which bugs the net-anarchist types to no end. Or try to continue dealing with spam via the current means, that is, filters, MAPS RBL, etc. I'm not sure which way I lean (which is often where I find myself when the self-righteous right, left, commie, objectivist, whatever types are going at it.)
That reminds me. Last week that peahead on zdnet Jesse Burst claimed that MAPS RBL was some newfangled tool that ISP's use to prevent spam. A modicum of research by the ad mongers at zdnet would have revealed the purpose of RBL. What a maroon!
:wq
If the message is a blantant advertisement, or a get-rich-quick scheme or other such crap,
then there is a very very small chance that following the remove instructions will actually remove you from anything. There is a pretty good chance that the email address shown is false or made-up, and there is also a good chance that any mail sent to it will just get you more spam, now that they have confirmed that your address is good, and that you actually read their junk.
Right - it's meant in irony - the source is Voltaire's commentary on the court-martial and hanging of Admiral Byng. (Byng was grossly outnumbered, and ran away - as a result, he was executed for "cowardice".)
"C'est necessaire quelquefois a suspendre un admiral ou deux, pour encourager les autres." ("It is necessary sometimes, to hang an admiral or two, to encourage/enhearten the others" ;-)
Although Voltaire originally meant it in the sense of "beatings will continue until morale improves", the quip has also developed a second sense, namely "punish excessively and make an example out of the offender". While not quite historically faithful, it certainly has a nice ring to it when used in conjunction with the image of a row of spammer heads on pikes.
> On va leur couper les couilles et leur faire manger, violer leur femme et mettre leur tête sur un pic... (that's better :)
Well, I dunno.
As for leur couper les couilles et leur faire manger, you'd starve to death on the contents thereof, and as for violer leur femme, we're talking about spammers here. Given what goes into spammer DNA, do you really think a spammers's mother, sister, or first cousin is gonna be much to look at? OK, not every spammer falls into that category, but the few spammers who didn't marry blood relatives are probably hooked up with goats and sheep, which is just Not My Kink.
But I'm still up for the heads on pikes bit.
Considering that AOL's servers are located in VA, all email to AOL is received in Virginia. This is part of the reason that AOL wanted the anti-spam law, so they could go after spammers like this one and slap them with nice hefty lawsuits.
The particular section of the bill (18.2-152.4) reads:
Virginia - SB 881 Computer Crimes Act; electronic mail
Original Slashdot Story - Virgina Criminalizes spam, ACLU against it
-Todd
---
"The details of my life are quite inconsequential..."
Ding-Ding-Ding! All aboard the Logic Train! (tm)
If I try and pass a check at a band with a signature other than my own, that's illegal. I'm convicted of check fraud, and I go to prison.
If I walk into a bar with a fake ID, or attempt to purchase a firearm go with false identification, I'll get busted as well.
If I send a piece of mail through the US Postal Service posing as someone I'm not, then bingo, i'm guilty of mail fraud.
Now, in the case of fradulent spam, I attempt to tell tens of thousands of people I am someone who I'm not. Worse yet, i'm trying to use that identity to sell something. Why should that form of fraud be punished any differently than other forms of fraud?
Bowie J. Poag
Bowie J. Poag
Paper mail is often right on the edge of fraudulent as well. I can count the number of letters I've gotten trying to appear to be official governmental correspondence -- "PENALTY FOR UNOFFICIAL USE" and all kinds of other threatening or otherwise "official" looking marks on it, as well as generic return addresses (ie, PO BOX 1234 ANYTOWN, USA) with no business name.
Generally speaking the bulk-rate postal metering on them gives 'em away, but I must admit that once in a while I get careless and actually open one up.
While I realize that this is someone's First Ammendment rights, etc etc, it does seem that the intention of the senders is to trick you into believing that the mail they've sent you is something important that you'd better not toss. To me, this is prima facie proof of deceptive busienss practices but if you complain to the Postal Inspector they just kind of shrug their shoulders.
Until the postal authorities set a precendent that cheating through the mails is not OK, why would anyone be expected to care about internet spam?
He may not have accessed the other persons box some spammers just use someone else's email address as the return address. The thing is most users don't know any better and think it came from the person who's email is displayed in the return or from line. visit eWaddle.com
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
A better analogy would be a wire communication than an actual letter. Lets say if I was to use a voice changer to fool people about who I really am and use some method to make the call harder to trace for illegal reasons(promote my pyramid scheme or avoiding prosecution for stealing computer time) then I'm breaking the law for giving false information about myself.
Now say I do the same thing because I want to use a pseudonym but not for illegal reasons (i dont want so-and-so to know im checking into this hotel) then its all fine and dandy.
Bullshit.
Just because you, say, leave your house unlocked doesn't mean it's okay for someone to come in and watch tv, use your phone, and drink your beer. The case is more similar to this than to the "loaded gun" analogy.
true, the recipient of spam does end up paying for it. however, junk mail (i'm sure there is a huge volume of it going through the post office) also puts a load on the USPS infrastructure. those who buy stamps help to pay for this load (assuming that less load -> lower cost for stamps...similar to assuming less spam -> lower ISP fees).
richard nixon was a bad example (that's the price of picking a name at psuedo-random)...
No it's not.
What's happening is that the spammer is behaving like an ass, and so does not want to reveal their idenity -- they want "privacy" for their actions in this case. The forgery is just a symptom of their desire for privacy.
No...the spammer is acting in a public and commercial capacity and so has forsaken his expectation of privacy.
What's interesting is that this reverses the usual role of privacy in these discussions. Mostly privacy is regarded like fresh air or something -- the more the better. In reality, like most things privacy has many bad effects as good.
"Privacy" is neither good nor bad. But respect for the individual's privacy is desirable, and that respect should not hinge on the characterization of the information being held private.
I look forward to the day I can program my mail system to only accept email from real signed identities -- i.e. no privacy for people sending me email. This sounds scary at first since the privacy==good thing is so conditioned, so you need to think about it a bit.
You make it sound as if the right to privacy extends to the right to intrude anonymously. For one thing, you are a private individual and can set your own personal "Terms of Service" that requires identification prior to engaging in communication. This is, by no means, inconsistent with the basic premise of the right to privacy.
Get Veiled
I finally got fed up with earthlinks lax spam policies when I got mail relayed by the earthlink mail server(read from an earthlink user) which was forged to have my own user name as the sender. I knew already that earthlink basically supported spam from the fact that I got spam at both my earthlink email addresses even though I had never used one of them anywhere. I had only set it up in case I decided to use it but never got around to it. -John
Government is the abdication of your responsibility to a faceless bureaucracy. Anarchy(absence of government)is the a
However, there are always a certain percentage of readers who know about these forgeries, and the spammer will lose his account eventually anyways. Btw, there is even a even a web site in which you can paste your spam, and which automatically sends complaints to the correct places: Spamcop.
So, unless this forgery was done with the express purpose of annoying someone at IBM, don't make it into a criminal case; it's just business as usual.
Say no to software patents.
Uh, chattel trespass?
Intolerant people should be shot.
Violations of the FTC Act amounting to false advertising and deceptive business practices is certainly actionable by regulatory agencies (FTC or analogous state regulators under their "little FTC" acts), and can rise to the level of criminal conduct.
There are some cases in which I would allow the misconfigured argument: if all the burglar did was leave a note saying 'your locks suck, here's the adress of a good locksmith' or something like that. As soon as you actually start making use of your ill-gotten privileges...that's real bad.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
It's real ham, actually. It is all those unappetizing parts of the pig smooshed together and spiced so as you don't notice.
The cake is a pie
1) He "Hijacked" an environment that was not owned by him, and he had no right to manipulate data on that environment. This should fall under the same cracking style laws that govern the prosecution of script kiddies and other web page defacers.
2) He used the words "IBM.net in his soliitations. This is going over the line that is somewhat grey to begin with but is reasonable well understood. If he had stopped at "You may already be a winner" or other technique that sweepstakes companies and such use, he may have been ok, however he did reference IBM.net and that's blatantly wrong and misleading.
They will trow the book at this guy, and I think the general public will have little sympathy for him. Being a spammer has got to be one of the most unpopular endevors one could choose as a line of work.
Sendmail 8.10 supports smtp auth; click here for details.
Incidently, just because you can fake the headers, doesn't mean that you should, or that we're not allowed to complain and, if allowed to do so by law, prosecute you if you do. This is a form of fraud that we're talking about here; claiming to be someone that you're not, or to represent someone/something that you do not. That's illegal in most other media, so why should email be any different?
Cheers,
Tim
It's official. Most of you are morons.
Juno and Hotmail have sued spammers (e.g., the "TCPS" spammer from a couple of years back) for forging their domain names into fake email addresses inserted in the From: header. The forging caused clueless people to send countless bogus abuse reports to Juno and Hotmail abuse desks, consuming their resources. IIRC, uu.net got into the act too, as most of the spams were coming from a long series of uu.net dialups in an area of NYC that didn't have caller-ID.
There's the "flowers.com case", where a spammer issued a forged HELO flowers.com when doing a spam in order to fool (ancient) versions of Sendmail into hiding the spammer's originating IP address when raping a third-party relay. $65000 in damages because it defamed the legitimate owner of flowers.com at the time.
It's trademark infringement as well. You purport that your mail comes from AOL, it's AOL's business that you're using their domain name. AOL's landsharks have been known to sue spammers for falsely implying that spam comes from AOL. More power to 'em.
Finally, in the cases of "joe jobs" - where a spammer will forge spam in the name of someone in order to target the forged party for harassment - it's obvious that there's intent to defame, harass, and of course, willful misrepresentation.
The forging of headers in unsolicited bulk email should be at the very least a civil, if not a criminal, offense.
The real problem, of course, is that since your average spammer lives in a trailer surrounded by beer cans and chicken bones, collecting anything from a spammer can be a real problem.
Which is why it's relatively rare that ISPs sue or press criminal charges against spammers. More's the pity. There's a group of spammers operating out of Earthlink dialups in a manner identical to that of the TCPS spammer's abuse of uu.net dialups a few years ago, and Earthlink is doing nothing about it. More's the pity.
But back to the original article on ABCNews:
The son of a bitch not only spammed, but he raped a relay to do it. That's theft of computer services at a minimum, and given the number of bounced spams that probably came back to the raped relay at Market Vision, probably a DOS attack too.
Throw the book at the son of a bitch and put his head on a pike. Pour encourager les autres.
I'm not arguing "blame the victim". That is so often used to excuse the perpetrator of evil. It is disingenuous to say your woman walking, while intoxicated, down a dark alley in a high crime area [I added the high crime area], is asking to get raped.
People make choices and they are responsible for the outcomes of those choices. The woman in our example is responsible for choosing to get drunk, for choosing to walk alone, and perhaps unarmed, down that alley at that hour of the night. She is existentially responsible if she is assaulted, just as I would be existentially responsible if I were assaulted under the same conditions.
The folks at Market Vision *chose* not to properly secure their email server, whether they made the choice from ignorance or with full knowledge of the consequences, they still made that choice. They therefore bear some responsibility for what happened.
A quote from a RUSH song would be appropriate here: "If you choose not to decide, you still have made a choice."
PAY ATTENTION! I AM NOT talking about LEGAL responsibility. I AM talking about MORAL and EXISTENTIAL responsibility. Legally, they can sue the guy, but ethically they are still at fault and are not deserving of a dime. Anyway, I don't see how it could cost $18,000 for a mail server to be down for a few hours, unless they lost an $18,000 contract that hinged on one lost email, highly unlikely.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Well, yes it is, but you still bear some of the responsibility in an existential manner if you choose to leave your house unlocked. Given the conditions under which we live, only a fool would deliberately leave their house unlocked. For the ignorant, this would hopefully be a "learning experience" and they would then know not to do this in the future.
Leaving the house unlocked does not excuse the behavior of the person who has broken the law by entering/trespassing. It does, however, lessen the amount of responsibility shown by the homeowner and, in fact, increases their existential responsibility in the outcome of someone breaking and entering.
I suggest reading some Sartre and Camus if you want to know where I am coming from.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
I heard some rumors that the next version of the TCP/IP standard will incorporate the MAC address of the particular machine. I know that many people, including me, have concerns about privacy but there could be an up-side. If you could identify the particular machine then you track the spam sender. Then you'd force them to buy new NICs every time they want to send a batch of spam. In effect a financial penalty for spam. Just a thought...
yeah this story sounds sketchy to me. He magically "hacked" into their regular win9x systems, got screenshots, and full "administrative" access remotely on all 6 of them?
You are ignoring the international consequences of spam. I have had tons of spam advertising schemes to cut down on my long distance calling rates. All this was sent to an adress in the .nl top level domain. Like if I care about American long distance rates. A licensed spammer still would be able to do this.
-- Spelling and grammar errors tend to be a sign of erroneous thinking.
That wasn't IBM's figure, that was someone else. Sending out enough relay mail to bog down IBM.net's servers would be something immpressive (SDOS-Spam Denial Of Service). This guy's servers were crashed by the weight of being a relay for a few million messages. This is why mail servers should be setup to deny relays from untrusted hosts. IBM just had their name stolen.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Then again, the user pages look identical. So is Signa[eye] the same as Signa[elle]? Ouch, this is making my head hurt, trying to differentiate between an I and an l... make it stop... make it stop...
You are in a maze of twisty little relative jumps, all alike.
I had several people notify me that i was sending them spam from unknown accounts. It eventually stopped. But it is still a huge frickin pain. Definately deserves the chair for that one.
Talk about the post of the day. I spent 3 hours this morning sending off abuse reports to psi.net.
It was previously a uu.net account he was performing these actions from...but our many complaints finally had his uu.net account destroyed *thanks abuse@uu.net*.
The worst part about this is actually explaining why this message didn't really come from us. People just don't understand that the internet isn't the most honest place in the world, or exactly how easy it is to forge these headers.
So my day goes on...and tomorrow I will probably answer another 15 of these abuse reports. Why don't I do something about this...well...I have alot of projects to do and talking to lawyers doesn't exact appeal to my geeky nature.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
IANAL, but isn't there some legal stuff about misrepresntation?
----
Oh my god, Bear is driving! How can this be?
ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
It is already a crime in california, at least in this case. check it out here.
I wouldn't do that... after all, that makes an assumption about the existance of les couilles.
----------------------------
Forgery is already a crime in the physical realm. Why, then, should it not be also a crime in the digital? Leave the spam issue out of it, if you want; a forged letter is still a forged letter.
I'm personally a big fan of returning everything repeatedly. If you're spammed, return it repeatedly (3 or 4 times is sufficient - the goal is just to tick off the spammer's ISP, not to crash their server), along with a message saying that it was determined to be unsolicited e-mail, along with long, boring, redundant, and redundant ramblings about how spam is considered to be one of the least effective ways of reaching customers... Of course, you'd need to find the _real_ address to do this.
You know, I must say that such tactics are tremendously annoying from the ISP perspective.
Nothing like receiving a complaint CC'd to root, postmaster, domreg, owner's name, tech manager's name, support, grandma, Uncle Frankie AND all upstream providers for a spammer that was cancelled four days ago through normal procedures.
Hint: Most ISPs have an abuse@ account. Send ONE complaint, don't CC anyone, and the problem is usually resolved quite quickly.
Remember, it's not the ISP's fault (from where the spam is originating). We don't know a customer is going to spam until s/he does. And when they do, they are history. Fast.
Wouldn't it be quicker to do it quickly?
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
But isn't SPAM itself just fake ham? Seems like it's been fake from the start....
Driven by 100% sarcasm - fueled by the need to be heard.
No. Force them to spend 3 years on AOL. That'll teach em.
---------------------- "I have a firm grip on reality. Now I can strangle it."--Gordon Paynter
I also belive you should be able to leave your door unlocked. Just don't be surprised when your neighbors come for your head because someone is shooting a rifle at their houses from your house. Saying "my houseguest did it" is not going to fly. Even if the police don't arrest you, the hood is going to make your life hell.
--
: He did not hijack anyone's box. Can you spell the words OPen Relay.
Just because someone leaves their front door open does not in any way, shape or form justify a crime of trespass. The relay was an innocent, if somewhat naive, third party and the owners thereof should IMHO be entitled to triple damages.
Just MHO of course. I don't like spam.
Pat
-- This
I'll all for Forged Spam. Then it would be real meat. :)
--
then it comes to be that the soothing light at the end of your tunnel is just a freight train coming your way
then it comes to be that the soothing light at the end of your tunnel is just a freight train coming your way
For some reason, porn spam never actually leads to real porn.
What are these spammers thinking? It seems to me to be a reasonable business model to 1) Put up a porn site; and 2) Advertise it.
But, instead, the porn-spammers tend to skip step 1, and you get a site with 12,000 banner links to other non-existent porn sites, and when you close that window, six more pop up with 5,000 banner links to the aforementioned sites.
I mean, seriously, I don't mind sex being delivered through advertisements. Hell, that's why I subscribe to the Victoria's Secret Catalog. But this - man, they're just teasing me. I say, give this guy 80 years and chemical castration.
"Beware he who would deny you access to information, for in his heart he deems himself your master."
The important thing to remember is not to get too technical.
At a certain level, of course we can tell the message didn't come from IBM.
But...
The guy sending the spam.
a) new that he was making his messages appear to come from IBM.net to the average user.
b) was probably doing this without authority from ibm.net
c) Was doing this for the express purpose of misleading the recipients of the spam into reading the spam. THIS is the really bad part. It's fraud.
Why that just means that you must be a genius. :)
The cake is a pie
I got some choice spam last week that had blank To: and From: headers!
I couldn't believe it made it to me...
"Free your mind and your ass will follow"
The dorks at Market Visions should have had their mail server properly configured so that it would not forward messages. I don't think they deserve any compensation for the $18,000 they allegedly suffered in damages. It's their own fault that they were abused in this way.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Finally, given that SMTP makes no guarantees about the validity of the "From:" address, I see no reason (other than ignorance) for anyone to have any expectation of its validity. I don't know about the "law of the land" when it comes to fraud, but I would imagine that the recipient's expectation of validity plays an important role in proving fraud.
Disclaimers: IANAL, IANAS (Sysop).
Credit card purchases which don't bear the signature or were authorized via the secret PIN code of the owner are the risk of the merchant if there is a contestation. So you would punish innocent bystanders rather than this fellow. And moreover, he'll have a new number within days.
Say no to software patents.
Is it any worse to forge a return address for Spam than to send junk snail-mail with a fake (or absent) return address?
I hate Spam just like everyone else, but I don't think the real issue here is the forging of the return address. I think it is the cost this jerk incurred upon an innocent company by slamming their server.
-
That'll teach them.
And then put them on probation, only able to read and surf, not to post or send, for 2 years.
Will in Seattle
My personal favorite tactic is when they send you spam and forge your email address as the sender. Like, I wouldn't remember that I didn't send the damn thing to myself? Who do they really think they're fooling? Of course, nowadays they just seem to send it from "(random letters)@(random letters).com".
"Prejudice is wrong; you should hate everyone the same."
Porn SPAM, it's fun to watch for those who like a raunchy taste...
make-money-fast SPAM, it might be just old SPAM because it looks a little green,
corporate SPAM, but it's too rich for my blood...
wow... I've even been getting Diploma SPAM, although it's a bit watered down from the real thing...
hopefully I won't see any Lawsuit SPAM, which looks brown and smells worse than a skunk; it leaves a funny taste in my mouth. :-)
Humorless sig goes here.
Thanks for sharing that croaker. I'm not doing exactly what you say, but I am checking for empty or missing From: and To: headers. I'll have to set up my filters the way you describe when I get home.
Rather than just trashing the spam, I think I'll save it to a special mailbox. At some point in the future, I think I'd like to come up with some effective (and intelligent) spam blocking software.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
What about the "pre-approved credit card applications" I get in the mail? I have seen ones posing as "official documents", prize winnings, blank envelopes, urgent messages, time sensitive mail and such. I get two a day. I have a seperate trash can for snail spam, and it's almost full after one month. Who needs that much credit?
Should it be illegal for these companies to send these things to me every day, killing trees left and right even though I have not had a credit card in 3 years? I guess so. [shrug]
But, what about if we could carry liscenses around that allows us to shoot stupid people. Someone does something stupid like driving at 90mph with your kids in a minivan that has a "Baby on Board" bumper sitcker. You pull them over and ask to see their stupidity liscense.... Oh, sorry about that, you are too stupid, I'm going to have to kill you now. [blam] Then we could take care of all this spam going around...
-Effendi
-Effendi
You don't even have the right sig!
-o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
An omnibus reply to many of the posts:
1) Forging from headers is criminal in a number of ways:
a) A number of States have laws on the books:
Ref: http://www.cauce.org
http://www.suespammers.org
These laws criminalize forging of headers. No gray area.
b) The bounces cause resource theft of AOL's servers, and bandwidth.
c) Civil action for misuse of trademark and goodwill.
2) There is an automated way of sending complaints:
Register with abuse.net (Run by John Levine). Then you send your complaint to the domain you want to complain to, @abuse.net, and John's system automagically forwards it to the right address for that domain.
3) If you want to hunt the spammers down yourself, try Steve Atkins' Sam Spade (http://www.samspade.org)
4) Hitting delete is NOT an option. It does not scale.
5) There is no Federal Bill. Those disclaimers you see are bogus. They often refer to HR 1716, or Murkowski. These were proposed, but *never* passed. There is no Inbox or Federal Bill that protects spam. There is a Federal Bill making its way through the house currently, HR 3113. It is a "good"(tm) thing. Support it.
6) When all else fails..
If you can't get the spammer's IPS's attention, *don't do anything illegal*. Visit http://mail-abuse.org, document your efforts, and nominate the spammer, and his ISP to the RBL. Trust me, it is *extremely* effective in educating the ISP.
So suppose I had a door with a lock that was easily pickable on my house. I'm gone and someone picks the lock and looks around awhile, and then makes a bunch of long distance phone calls. Is that my fault because I did not have my door configured correctly? Or is it my fault that I wasn't sitting by the door with a shotgun to keep intruders out? Cummon, you can't expect the misconfigured argument to stand up to anything.
Spring is here. Don't believe me, look outside!
yes, thank you... I'll fix it right now!
-o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
The last time I checked the USPS doesn't complain about bulk mail because this makes up a very significant portion of their revenues. They KNOW that they are going to be delivering the mail. ISP's do not assume that their servers are going to be massively spammed (well they try to prevent it).
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I've usually had near 100% spam kill rates by creating a filter in my mail client that checks whether I'm in the to: or cc: line, and if not, dumping the e-mail. Spammers usually use bcc: (blind carbon copy) to send out their spam (to prevent you from seeing all the other poor schmucks that they spammed).
Of course, this is the way mailing lists work, as well. I usually put filters that shunt mail from mailing lists I'm on into folders, anyhow, so those will run first and pick out the good e-mail.
Of course, if you have real people sending you real e-mail via bcc:, you'll miss it becuase it gets tossed. For me, that's pretty unusual, so it's not an issue.
Once you do that, you might well get removed from the "50 million addresses we got from god knows where that might be long out of date or just plain made up" list, but you get put on the "this address is current, read by a human without a spam filter, who actually reads spam right the way through to the end" list. You do NOT want to be there.
Try creating a dummy account at Hotmail just to reply to one of these, and see what happens to your in box if you don't believe me.
- Andy R.
A pizza of radius z and thickness a has a volume of pi z z a
we should all forward him the spam we get. I think that would change his mind
On a spam related note see what this guy did to some spammers that kept forging mail from his domain.
:) He sent AOL a complete list of hijacked accounts and all the necessary contact info for the spammers. It's really interesting!
To summarize he went into the spammers computers and got everything personal he could find on them... including some interesting photos
------
IanO
------
Objects in Mirror are Losing!
I say draw (as in the first half of "draw and quarter") the fellow, then make him watch as his newly freed intestines are ground into luncheon meat and canned.... ;)
--WhiskeyJack
The $18,000 for not fixing sendmail to begin with. Whos bright idea was it to have mail relaying enabled by default anyhow? Sun finally wized up and fix solaris 8. Most of my spam comes from some box in asia with a default install of solaris 7.
Only the State obtains its revenue by coercion. - Murray Rothbard
The "damages" are probably just the cost of waking the sysadmins up in the night and having them come into work at overtime pay and clean up the thing. If you're paying multiple people overtime while they fix the problem, look into preventing it from the future, and twiddle their thumbs while it all gets retrieved from backup tape (which may be located in another building, requiring you to wake other people up and pay them too), and if you're talking about as many accounts as ibm is tending, then $18,000 isn't such an impossible figure. Of course, I'd go further and demand millions in punative damages on top, not to mention emotional pain and suffering.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
hey common... since when was forgery removed from the list of crimes. Any kind of forgery is a crime, unless its for the good of the entire mankind.
p.s. I'm a borg. I just forged myself to be a human.
I'll take liberty to use my bonus point (which I rarely do) to post a link to the article in an unrelated forum
So, in other words, you feel justified in spamming another forum, just because you can.
How does this make you any different from a spamster?
Will in Seattle
In california it is already a crime to send spam via forged email addresses, in fact the network that you forged the email as originating from can sue you for this.
this space for rent
normal(adj)- people who don't sit on slashdot all day wondering why everyone else isn't building robots [DECS]
Though, it would be kinda nice if the spammer could be locked up, too.
According to the article he's facing up to 7 years in jail.
-- Dr. Eldarion --
I don't know about you, but I can count to 1023 on my toes.
what is to prevent fake slashdot accounts from moderating their troll-posts upward?
Blessed is he who expects the worst, for he shall not be disappointed.
actually....
Extra syllables are considered Jiamari (translates roughly into "letter overflow"--for the most part, each phoenetic letter in Japanese translates into a syllable). IIRC, you are allowed one in each haiku, though the result has been considered to be in poor form.
So I'm sitting here on the group W bench, when the biggest, meanest father-raper comes over to me and asks, "What'd you get?"
I said, "I didn't get nothing - I had to clean up the mess."
He said, "What are you in for?"
I said, "Spamming." And they all moved away. "And creating a public nuisanse." And they all moved back....
With apologies to Arlo Guthrey
</Humor>
I'll be the other prisoners will love him.
www.eFax.com are spammers
Falsely representing yourself as someone else, its a crime. As in illegal.
Maybe we ought to find this Signa1 l1 (that's, I believe, Signa one L one) guy and throw him behind bars. Or, we could arrest Tom Green for claiming to be the real Slim Shady.
How's this for civil disobedience: "My name is Bageeno Hormonis. I work for Starbucks."
"Beware he who would deny you access to information, for in his heart he deems himself your master."
Let's not forget that Earthlink was organized and funded by the "Church" of Scientology to serve as a jumping-off point for the Co$'s attempts to shut down their critics on the net. For details, go to alt.religion.scientology, and ask someone to fill you in on the "sporgeries."
They were a spam haven for the first year or so of their existence, because they simply didn't care to play by the rules. They actually had a stated policy of not yanking a spammer's account until the third offense.
They only put a lid on the spamming when they were threatened with the Usenet Death Penalty.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
The Localhost claim is different because the host there was suing for defamation. That's a civil claim, not a criminal charge. Also, it wouldn't be binding precedent - it was merely a low level ruling in a Colorado state court.
No, I think this IBM case is much better. I've pursued cases like this with no success, because there is some question of consent by the "victim" if they were running an open relay. Regardless of how stupid it is, open relays are still very common, and spammers regularly abuse them. If the spammer somehow hacked the relay, that will help the case.
The other aspect is the forgery - use of IBM's name. Another thread on this topic had a post talking about a guy who was calling other people and leaving a third party's name and phone number. Depending on your state law, that might not be forgery, because it's a voice communication. That's why the appropriate criminal charge there was phone harassment, which is usually an extremely low-level felony or a misdemeanor. Spam involves printing the actual text of the name IBM.COM in the email. That's the forgery. Making it appear as if IBM was sending it, that's the fraud. If it was my case, I'd also charge theft for any damage caused to IBM by the actions of the spammer - time lost on machine downtime, and cost to fix machines. Manpower and overtime to fix the problem might be worth asking for, too (probably depends on the judge).
But if the IBM.COM machine was an open relay.... I dunno.
==
"This is the nineties. You don't just go around punching people. You have to say something cool first."
Making his ISP an accessory to the crime and sets a dangerous legal precedent. That would make ISP's open to prosecution for other crimes committed by their users. I think that is definitely something to avoid.
That's rather like suing/fining the cab company cause the bank robber hopped in a cab to make his getaway.
Besides, it's my understanding that most ISP's have a terms and conditions agreement that limits the liability of the ISP, and provides for the termination of the abusive users account.
I am not a lawyer, but I am an ISP employee, so I *do* have an idea of what I'm talking about here....kinda, sorta.
--o You're just jealous cause the voices talk to me and not to you! o--
--o You're just jealous cause the voices talk to me and not to you! o--
Well, when you have control of the email accounts on a domain you can use my solution. I have at a minimum 2 active "junk" accounts. I use them to put into sites that require email and I'm unsure of their intent. Once one of the accounts starts collecting spam...I delete it. Create a new one. So far this has worked pretty good.
If ignorance is bliss, the world is full of blissful people
I think anything to do with spam should be punishable by death. Whether you write it, send it, mail it, ship it, manufacture it, distribute it, eat it, or force your friends to eat it, you should be shot, disembowelled, castrated, and/or burnt at the stake.
If you hate e-mail spammers, but feel like going easy on them, make them EAT Hormel SPAM!! Even worse, make them eat Armour TREET! Because TREET is NEAT!
(That looks like something you'd see after running fortune)
Why mrked "funny"? To be honest, I see that as being this guy's one hope of seeing the outside world again this side of 2007 and/or not being dropped into boiling oil by his victims.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
What would happen if it were made illegal to alter the headers in email messages? Would mail routers have to have special licenses to add 'received by:' fields?
This could be a landmark case for electronic mail -- if the same thing happened with snail mail, it would have been called 'Mail Fraud'.
dc
--
Wooden armaments to battle your imaginary foes!
Often times I get unsolicited e-mail with a blurb at the bottom suggesting how the message was sent in accordance with a particular U.S. regulation, such as:
The above statement complies with section 301 requirements relating to
transmissions of unsolicited commercial electronic mail. To remove your
email address from our mailing list immediately, please send an email to
xxx@yyy.com and write "Remove" in the subject line.
So long as I can get off the mailing list, I am annoyed but not ready to take action. It is the mails that I get in which I can't remove myself from the list or prevent future mailings in some way that really get me fired up. This is a type of fraud, and should be criminally punishable by fines, although I am not sure I would be in support of jail time.
Are the trolls now hijacking the moderation system?
Perhaps all SPAM except that going to Rob Malda advertising Toner? :)
I agree that it is an inconvienience, but unfortunately, news tech laws tend to ultimately back fire. As AC says, "extend old laws...not new laws".
For instance, I often post to mailing lists or individuals from a different address and modify the message headers to appear to come from another address - this is for two reasons, often:
1). There are often restrictions on which source address is accepted my the list manager.
2). I often don't want to give out the other address for various reasons.
So basically, this ida sounds good, but it could probably get twisted to throw me in jail for simply changing my mail headers if taken to the logical conclusion and I'd far rather put up with a small amount of spam, handled by "anti spam" groups rather than the government trying to introduce new laws that they don't understand.
Luckily I live in Britain where they're sometimes more sensible.
--
Jon.
http://www.jonmasters.org/
So, what're the good spam busters out there? I prefer procmail.
"Our position is that no crime was committed," said Bruce B. Bendish, Mr. Garon's lawyer. how is it not a crime? its pretending to be someone else who you are not
2) ISPs and Companies maintaining routers, etc. may inspect the message headers (automatically, or otherwise), lookup the spammer's license in the publically available database of spammers License Numbers, and bill the owner's of the spamming license an appropriate amount for the traffic incured, even if blocked or rejected.
3)Service providers may collect traffic fees on behalf of their customers as well.
4) Persons, companies, etc sending spam without a proper spammer's license may be prosecuted to the full extant of the law, pay appropriate fines, etc.
[disclaimer - IANAL- but feel free to add teeth to this]
"It is a greater offense to steal men's labor, than their clothes"
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
*Sigh* One more time:
1. Junk snail-mail is paid for by the sender out of his own pocket.
2. Junk e-mail is paid for by the recipient out of stolen bandwidth and the increase in ISP fees caused by spam-related overhead.
also, i don't think that impersonation, in all cases, is illegal. suppose, for example, that you dressed up as richard nixon (just to pick a name out of the air) for halloween. suppose also that you ran about in your costume doing all sorts of embarrasing or shameful things. clearly, reasonable people would not take you for the real nixon.
If you went around gluing flyers to people's front doors (a meatspace analogy to spamming, in that it involves conversion of other people's property and creation of a public nuisance to spread your message), then concealing one's identity would be an aggrivating factor.
In addition, your analogy fails because recognizing that someone wearing a Nixon halloween mask is not really Nixon is much easier than spotting a forged header. One does not need any special technical skill to distinguish a cheap mask from a human face, or to know that the real Richard M. Nixon is taking the eternal dirt nap.
/.
/. If the government wants us to respect the law, it should set a better example.
Make the person pay $.01 per message sent to each ISP whose users they spammed. Also if the spammer accidentally crashes the email/news server then treat it as a denial of service attack.
>But exactly what "repairs" would be necessary? The guy claims $18,000 in damages! If it's that hard for their network guys to clear out >some mail, then they guy has bigger problems that a spammer using his mail system.
That would fall under the "business downtime". If you external network is down (depending on what you do), it can cost you lost $$$. $18,000/day is not too unreasonable...
Steven V.
I patented screwing your mom. But it got revoked for "prior art."
According to a link from Kuro5hin today, which purports to be someone's cracking of a major spam business, there is damn fine money to be made in sending spam -- to the tune of several hundred thousand dollars annual income.
The response rate for spam is high enough that the spammers are willing to work on commission. It's high enough, in fact, that their clients are uncommonly willing to pay up fairly large money (four/five figure weekly payouts) readily.
It's more than viably economic: it's a damn fine income... alas.
--
--
Don't like it? Respond with words, not karma.
Sure, they were idiots for leaving the keys in the ignition, but that doesn't entitle anyone to steal the car!
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Having been the victim of forged email headers (and having had to explain how to read headers for 4 years now) I was very pleased to see the following website. It seems legit to me although you never know, it could be a smear... Of course there are photos so it should be easy to tell...
http://belps.freewebsites.com/
Basicly someone hacked a spam company and got all sorts of logs and even some pictures of the perps.
Check it out.
This is amazing. I'm opposed to capital punishment on general principle, but in this case I'd make an exception!
Stop by my site where I write about ERP systems & more
I say lock him up and let his new boyfriends decide if he committed a crime.
forth ?love if honk then
Don't get me wrong, I completely understand where you are coming from, but I think this could set off another god awful precedent for ISPs.
...
:-)
...
ISPs are already touchy as hell about yanking peoples accounts over http stuff, and there is not much in they way of law here. Again, though I can understand this since it's a low margin biz, I don't like it.
It would just make another easy thing to cause someones acccount to get pulled. And pave the way for even more fines on ISPs for customer behavior.
See the tobaco firm lawsuits to find out how this could end up
And no, I don't have anything do do with any ISP.
dv, who needs to go do some work now
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
To quote the article:
"Pirro said the message traffic Garon allegedly sent through Market Vision, a graphics studio company in Irvington, was so heavy that it crashed the company's internal network, causing damage in repairs and business downtime. Ed Greenberg, owner of the company, said his losses amounted to about $18,000. "
$18,000 dollars *lost* because people can't turn relaying off.... I really think we should outlaw the running of open mail servers. What is the real point except sending SPAM? Legit users are allowed to send mail, bogus ones are not. Any thoughts on this solution to the spam problem?
Driven by 100% sarcasm - fueled by the need to be heard.
Just how is something like this different from any other form of vigilanteism? The ``doctrine of necessity'' can justify this?
Back to the original topic: Doesn't using a forged email address fall under the heading of ``wire fraud'' or whatever it's called? I for one would not be amused were someone to send out bogus emails with my name on them. Just consider the possibilities that could get the U.S. Secret Service involved. How do you prove that you weren't didn't send the email in question (the log files are, after all, easily editable)? I would not consider it reasonable to mount a DoS attack on the spammer but certainly would be after them with all the legal force my meager resources could bring to bear.
What could possibly be the justification for sending out something with another's identity attached to it?
It's a bit more complicated than that. It is legal, at least in the USA, to use aliases instead of your legal name. It's illegal to use an alias to deceive someone, with intent to defraud.
Mea navis aericumbens anguillis abundat
I, the real Sig 11, would like to thank you, kind AC, for your help. I will not, repeat, not stop until I have all the karma on slashdot. Rumor has it, the prize for breaking the 1000 mark is full ownership of http://www.goatse.cx.
-o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
My previous comments were rated as "Troll"?
Explain why, so that I can avoid giving this impression in future. I really meant the opinion; I can't believe that anyone could think that defend such actions in such a manner and expect to get away with it. I do not troll, not intentionally at least.
Sorry for the OT direction of this sub-thread.
-TBHiX-
It's mail fraud.
They're idiots to put the IRS on the return box. The IRS is big enough that if the upper-ups get wind of it, they'd come down HARD. First people they'd call...
The local post office inspector general and their legal department. They have enough problems with their popularity.
Firethorn
I don't read AC A human right
And if you log in, maybe you could check out and vote on my story, which I worked on a while today? :^)
Would it be a troll to suggest pouring hot grits down this guy's pants?
Ghods, I've been reading too many Diskworld books....
"The axiom 'An honest man has nothing to fear from the police'
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
The NYTimes article says in the end that "Mrs. Pirro said that Mr. Garon, who was running his business from his home computer, had $1 million in offshore bank accounts."
Now,
1) He probably didn't do his homework if they discovered his account - after all he's far from being the Public Enemy #n.
2) Are they saying we can earn cool 7 figures from our home spamming?
Of course, IANAL...
Just as a foreword, i hate spam just as much as anybody else. however, i don't think spam should be illegal (just as junk snail-mail is not illegal). i think that comes down to a freedom of speech issue, and i think the law is on the spammer's side. also, i don't think that impersonation, in all cases, is illegal.
suppose, for example, that you dressed up as richard nixon (just to pick a name out of the air) for halloween. suppose also that you ran about in your costume doing all sorts of embarrasing or shameful things. clearly, reasonable people would not take you for the real nixon.
also with this case, reasonable people (ok, i know we're dealing with aol users here...give 'em a break!) could not possibly think that ibm would send them porn or get-rich-quick spam. although i think that this guy should be shot in the head, i think that a well-crafted defense could get him off the hook in many court rooms.
There is no opt-out.
There is no invasion of privacy (those spammers obviously wanted to be contacted, or they wouldn't be sending out communications)
There is no new legistation (fraud, forgery and misrepresentation are already on the books).
In short, this could be just the ticket to stop spam. If forging headers is found illegal, then the spammers will have to use their real address. Then we can do a quick whois, hunt them down and kill them. Slowly. Uh- I mean, get their accounts cancelled.
--
Does narcissism count as a hobby? --Shawn Latimer
My one time experience with AOHell back many long years ago, started with me having 10 messages 2 hours after creating the account. All spam. I agree there are allot of morons on AOL but after about 3 days of pure spam most should have gotten the idea.
If ignorance is bliss, the world is full of blissful people
I can see the argument getting him out of court, but as for the boiling oil...
I'd just run a stand nearby...
"Get your boiling oil heeeeere! Hot oil! Hot oil!"
and -
"Can't tell the spammer without a program! Free program with your purchase of any 300 degree or hotter oil!"
"It's tough to be bilingual when you get hit in the head."
Lately, I've been getting SPAM that starts out by telling me that I had a great chat/conversation with the person sending me the Spam, a person I've never chatted with online or in person for that matter.
There's another class of spam, that isn't really spam, but that's those damned annoying messages that people I know keep sending me with subjects of Read this--Funny or some such. I don't have time to wade through that crap, so I generally I just hit the delete key and go on to the next message. I'll have to add a filter to check for that junk, too.
I've already got my MUA set to automatically delete messages with empty or missing From: and To: headers. I think I'll add code to delete messages with forged addresses.
After that, I'm going to start saving all the Spam that I receive in a special file and run some dictionary/statistics generating software on it to see if I can come up with an algorithm to detect spam. Once that's in place, I'll live Spam free!
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
If that's not illegal, I think the forgery charge in this case is bogus. I do think that ibm.net would be in the right to sue for any material damages that resulted from that batch of spammail, but an actual charge of forgery is a different ballgame.
CyberNet Enterprises in Turlock, CA forges email addresses constantly, and it seems the authorities in Turlock do not seem to be interested in going after this guy. Seems such crimes are overlooked in lieu of more high-profile crimes. It's more glamorous to bust a crack house than a spammer. Actually, spammers break a number of laws from forgery to false advertisement (could say that in this case they go hand-in-hand). People can talk all they want about 'anti-spam' legislation, but there are already a number of laws on the books that can be used. Too bad the authorities arent interested.
Steve's Computer Service, Hobbs, NM
Kuro5hin ran a piece on spammers and attacking them back today.. kinda an amusing read, even though I don't feel attacking people back directly is the answer.
BilldaCat
Here's some info on it: here
Other searches of mine haven't turned up anything, so it may still be fictional.. anyone else got anything?
BilldaCat
Just today I'm getting about 10 emails/hour from people complaining about email they're getting with the subject "I love it when you slap it on my face", not bothering to look at email headers to see that it did not come from our domain. I get the postmaster mail, but I practically never respond since it's a waste of my time better spent putting out REAL fires. It really gets on my nerves though. When I see the first complaint on a Friday I think "Oh boy, here comes a weekend full of mass email deletions". It could potentially give our company a bad name. So, I fully support prosecuting spammers that do this. This sig's for you
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
There's a huge difference between a person signing a letter "Anonymous Coward" and "William J. Clinton". In the former case, you are merely hiding your identity. That's usually ok. In the latter case, you are trying to convince the reader you are someone you are not. That's usually illegal.
By signing "Anonymous Coward", you delude no one. It is obvious you're anonymous. By signing someone else's name, you are fraudulantly claiming to be someone else.
The cake is a pie
Good thing too, or else the pseudonym above would make me guilty of forgery as well.
Would it? IANAL, but my understanding of forgery is that you are caliming to be someone or something you are not. Hence it is argueably a forgery to claim to be CmdrTaco, but not to claim to be Anonymous Coward, because there is no "one" Anonymous Coward to say "Hey, he's claiming to be me.". I can sign a letter "Anonymous" and send it to the paper, no one will say anything. If I sign a letter "William Clinton, President, United States of America" and put it on nice custom White House letterhead, someone is going to want to see me.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Forging spam sounds like a pretty weak crime to me, but a crime non-the-less. However I think forging email should be some sort of fraud. I have a friend who was fired from his job after some scientologists forged a racist email from his work address.
So far I've gotten all my Karma from telling people they are wrong... :)
Additional commentary can be found at the NYT
Instant castration. Spammers must be destroyed.
What worries me more than the spamming is the fact that he hijacked someone else's box to do his spamflooding. However, I'm always suspicious of figures like $18,000 in caused damage.
One thought: surely if AOLusers have a use, it's as spam fodder? If it wasn't for THEM we'd probably all be getting thee times as many invitions to vist mandy being spanked in her dorm.
My pen doesn't make any guarantees about the validity of things it writes, either. Still, if I sign someone else's name to a check (or, in Canada, to a cheque), it's forgery.
You're confusing computer protocols with human law. The law says that there are restrictions on creating a document and pretending it's from someone else, whether you use an unreliable pen or an unreliable protocol.
Why doesnt anybody every complain about how your email address gets into the hands of these spammers? Either they are harvesting them from text sources or somebody you trusted let your address slip out. As more and more ebiz happens, the more everybody sprays their addresses all over the net, whether its a "keeper" like me@mydomain.com or disposable like whatever@hotmail.com. If you want to have fun tracking who's dealing your addresses, and protect a good address too, have a look at sneakemail.com, and if you dont like what you see, give us some constructive criticism and well try to improve it for you.
If A makes it look like B has committed a crime against C, then B has been violated. Even if C should be smart enough to know, hell, even if C DOES know, that B is probably innocent.
Our secret is gamma-irradiated cow manure
Mitsubishi ad
We apologize for the inconvenience.
FORGING is a crime. Falsely representing yourself as someone else, its a crime. As in illegal.
Spam is also wrong and evil, so this seems more of a case of two wrongs making him well... more wrong.
What amazes me is that he actually considered this to be a defensible argument. The depths of human stupidity never cease to amaze me.
Check out Magic Firesheep!
Agreed. A lot of those have 800 numbers with an extension. If I have time I call 'em up, dial in the extension and when the recording asks for my information I ask them to resend their spam with a legitimate response address and then play the radio into the phone for a while (keeps the voice activated recorders going). If everyone did that it'd cost 'em enough money that they'd stop spamming or include legitimate response information.
A lot of these are folks that are contracting with what they think is a legitimate internet "bulk emailer". Letting them know may help them to stop using their services as well.
carlos
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Should have been ATTBUSINESS.NET. Duh! ;-)
An insanity defense!
"Your honor, this man not only spams, deals in pornography, and forges addresses to hide his identity, but he truely believes he has committed no crime. He is obviously insane and should be cared for, not caged like a criminal. I have here several psychologists who have would like to testify as to..."
Didn't AOL try to crack down on people spamming its users (unless it was AOL itself doing the spamming)?
Laughter is the Spackle of the Soul.
then I think they deserved what they got.
Yes, but it's not what they got, it's what IBM got. Personally, I think IBM should be able to sue them. An open relay *is* their fault. Meanwhile, everyone who got spammed should be asking their ISP to get with the program and start using the RBL. I don't think punishing the spammer will really deter anyone, but punishing openm relays will stop them from causing more damage.
Spam sucks big-time (especially forged spam), but do we really want to bring the government into this? The more the 'net community asks the government to get involved in regulating the net, the more they will... The problem is they won't ever stop. This is exactly the kind of ammo that anti-anonymity supporters want.
:-)
Are there any technological solutions to this, especially forged spam? What about tighter permissions on mail servers, the Real-time Blackhole List, etc?
Given a choice between dealing with spam (i.e., adding the sender to my spam filter), and dealing with an overzealous government, which would you pick?
I'm all for vigilante anti-spam lynch mobs, though
Any other ideas on fighting back?
Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann
Many years ago, I had this guy from my school leave a bunch of very bizarre and often threatening messages on other people's answering machines and voicemail - and leave my phone number on it.
I finally found one sympathetic company willing to play the message back to me over the phone - I recall it had something to do with "and I'd better be seeing that money soon, understand?" Of course, I recognized the voice, and I called my local police department to see what the law had to say on the matter... and guess what? It counted as telephone harassment, same as if he'd have called me directly.
So, if'n I was IBM's bigshot lawyers, I'd go after them for either theft of services or harassment. It seems to me that ibm.net must have gotten flooded with "die fsckin' spammer" and "delete this account" messages... sounds like the same concept to me!
--
Make Money on the 'Net
Sig broken, watch for
On a related note, a number of my colleagues are insisting that China recently EXECUTED some spammers. Any stories/f.u. on that would be great!
I wonder if the guards yelled "JUST HIT DELETE" before shooting the offenders...
Highly redundant, and a deadly toxin in either case...
A good thing to do is to email the system adminstrator (and please be curtius to them the are also people to) and inform them that their systems have been abused. I resintly got a job as a system adminstrator, and inharted a network with a few open systems ( no one told me about them) and some on abused them, I got one nice message that informed me of the problem, which I was greatfull for, and one message threating me with physical violance, which I would have prefered not to have goton, plus 300+ bounce message (the anti-spam address that are out there) the resone I got them was that when they bounce back to him they bounce to my inbox. I glad to have killed the open problem (I now love the smtpd program)
p.s. if any of you got a message from emmy.mse.pitt.edu I appologize about it.
Uh, that's because we already discussed it to death in this thread. Sometimes the rejection process is a bit arbitrary, but here it's behaving correctly. And oh yeah, quit yer whining.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
I can believe it.
A spammer once forged the orca.bc.ca domain in their spam. Not relaying through it, but rather relaying through other people's servers with invalid user@orca.bc.ca reply addresses. The resulting flood of bounces and complaints shut us down for the day.
Think 2500 customers paying $19.95/month for their e-mail and dial-up, or $0.67 a day. That's $1600 worth of lost service, or one sysadmin's paycheque. That didn't include lost renewals that month, overtime in dealing with the spammer, or other stupid things.
To reach a number like $18 000 we'd be talking about 25 000 customers. With a domain like ibm.net the numbers of customers with lost e-mail would be in the hundreds of thousands. This still doesn't include the actual theft of service from the relay servers used.
Use Evolution instead of Outlook? Bewa
Well, what if 45 employees who bill clients at $50 an hour were unable to be productive (and bill clients) for a full 8-hour day as a result of the system downtime?
I know it. I've used the argument dozens of times. "Its not my fault they didn't have their system configured properly."
But I don't know that it stands. I mean, personally I think that if a company has a severe security problem such as the one this company so obviously had (being able to relay to out-of-domain addresses), then I think they deserved what they got. And I don't see how a company can claim damages on something that wouldn't have happened if they'd been properly configured to begin with...
On the other hand, I take responsibility that if I get caught I'm pretty much going to twist in the wind. I think he got caught, and I think he deserves to twist in the wind.
There was something the article didn't mention. Was he simply using their e-mail servers, or did the man use that company as his ISP? I think its an entirely different argument if they were his ISP. (And I don't think they were...)
--
"A mind is a horrible thing to waste. But a mime...
It feels wonderful wasting those fsckers."
I currently have no clever signature witicism to add here.
His last meal should be spam, but not the way you meant it.
They should print out every e-mail he ever sent and make him eat them.
But, then again, he is a spammer, so whatever happens to him, he probably deserves, just from a karma standpoint.
gigantino.tv - Heavy but weighs nothing.
Sheesh.
Maybe out of the 500 submissions of this story, 499 of them have been deleted, and one has been designated for a "slashback" article scheduled for later today. Maybe the entire slashdot crew is sick and tired of YANS (Yet Another Napster Story) in which the only commentary is "Napster Is Stealing! Is Not! Is Too! Is Not!" and we don't frigging feel like running another one today. Maybe this has already been noted in comments in yesterday's Napster story (yes, yesterday's), as well as about 30 people like you who want to post this breaking hot news in totally unrelated stories.
Hey, what do you think the odds of that are? Naw, probably slashdot is "hiding the story"/"only wants to build hype"/let me find a few more accusations from the comments. That's probably it.
--
Michael Sims-michael at slashdot.org
1) Firmly establish that which is already used offline to make forging the source of any internet transmission to be illegal. This would include packets, even to have the nice effect of making it easier to prosecute DoS cases.
2) Set up servers to not accept messages from non-existant hosts. This way, the server will only accept messages from real hosts, and if they're forged, it'll be prosecutable.
Of course, there's a lot more to it than just that, though. I know it could be dangerous if inappropriately applied, but I can see circumstances under which civil suits by a clean ISP against an open transport ISP *cough*AOL*cough* on the grounds of negligence. Heck, if a little kid goes into my shed and steals my radial saw, and ends up cutting his hand off with it, I can be held responsible. Therefore, I keep a lock on it. Of course, if the kid breaks in despite the lock, I'm not responsible, because I made a reasonable effort at securing the hazard.
I am kind of afraid of letting judges and juries determine what is a reasonable computer security expectation, though. Well, this is just food for thought. I'll let the experts hack it out. (in every meaning of the word)
WARNING: there is a trojan on your
I hope that this trial somehow gets televised; I'm dying to know how this guy claims that no crime was committed. This should be more interesting than the OJ trial.
~CalibanDNS
A crime against humanity!.
Oh wait, he sent this to AOL. Give him 6 months, suspended.
--
Wanna hook MAPI clients to your Tru64/AIX/Linux server?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Then I realized that these email messages were wasteing connect time and bandwidth I would rather be spending on something else. Who says that somebody has the right to waste the (admittedly insignificant) money I pay for the connection and the resources that I use downloading spam that I would like to use for a project of my choice? It's like getting collect calls that demand you mail the caller some random item in exchange for a sales pitch. You pay money, you give up something you own, and you get an ad in return. That's not something I want in my world.
If I had my way, all spammers would be punished fairly and simply: make them listen to a horde of provoked trolls all day.
it's green.
Also, I think there may be a slander issue here as well. I don't think IBM appreciates being associated with porn spam.
"Stop whining!" - Arnold, as Mr. Kimble
If there hasn't been something that's been a pain, it's spam... but there is one solution, it's called the delete command. If you can't just press one key and get rid of it, I don't know what is going on with you having to make more effort than what would be a simple action. You don't reply, you just delete it. Soon, it will appear that fewer messages you receive will be spam... and don't try the "you don't run a server" excuse, as the same can apply. dev_seph, spam neutral as ever.
the one true karma whore
See how I've craftily updated my page and posted my 700+ karma!
I will not rest until all you moderators have been bitchslapped out of existance! (starting with whoever the ass is who rated this post -1)
-o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
For crying out loud... could the law PLEEEEASE TRY to keep up with technology. Spamming costs other people money, time, bandwidth.... this IS a crime and the participants should be dealt with accordingly... make them pay for the bandwidth they have tried to get for free. ISP's should set up investigation routines to catch these people... geez, id pay a lil' more to get rid of these freeloaders.
=Ricta©=
The 'innocent' spammers in question have already starting taking down mirrors of the site [cluelessfucks.com]. I suggest you get in quick!
Since spam by itself is considered criminal in certain parts of the world, cloaking yourself behind a false address is potentially criminally damaging to an innocent third party. This, at the very least, should open you up to civil charges from this third party.
What's a gimper?--
Chris Long, Departments of Mathematics & Statistics, Rutgers University
San Diego Padres, 100 Park Blvd, San Diego CA 92101
It is pitch black. You are likely to be eaten by
I'd put a link or autoresponder suggesting users submit the full headers to:
http://www.spamcop.net
A great spam auto-tracking and report sending site. Other than that, if an ISP won't close a spammer's account, I'd find a good no-win-no-fee lawyer to take them on in court. I'd also post thier support/sales/whatever e-mail address to slashdot. We'll all e-mail them with our opinions on spammers.
Just my $0.02
Michael Tandy
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
All I know to do is to look at the bottom "Received From:" header. If its a site, I type it into my web browser and see if they've got an abuse@ address. If its an IP, I traceroute it and then do the same. How reliable is this? Can the "Received From:" header also be faked?
Check out AbiWord.
I have one web site that provides free webmail (no SMTP) in addition to other stuff. Every three months for the past year, there is a scumbag spammer who uses us as a return address (forges everything, including the message-id, but can't forge the originating Received: header). He runs a credit card grabbing scam that can only appeal to people who can count their IQ on their toes. But he keeps coming back. He operates out of Los Angeles, started with connectivity through Verio, moved to UUNET, and now works out of rasserver.net.
Now, the average user cannot read email headers. However, the average user has the ability to send an abuse report (hundreds and thousands), although usually with a threat of a lawsuit, foul language, or incomplete headers. But we can't blame the users. We just tell them where it really came from and give them a few good links about spam. At the same time, we fend of cease-and-desist or die messages from our various outsourcers, who routinely forget that the exact same thing happened only a few months ago. It gets to you after a while.
So, what can we do? Contact the ISP that is putting this guy on the net? Nice try. Waste your time on their abuse address, waste more time on faxing, finally call them to tell them about the problem and they will immediately refer you to their lawyers. Any chance of getting a network tech on the phone to talk about the problem? Forget it.
The only viable solution is to subpoena (sp?) the server logs from the ISP and the telephone records from the telco and go from there. For me, that doesn't work, as I'm in Jakarta and have no desire to spend mucho money on an intercontinental lawsuit with little or no hope of reward at the end of it.
What would put a stop to SPAM? Making the ISP responsible for monitoring, and responding to abuse complaints about, spam that was sent from their systems. Do you think the ISPs could stop it if they were "motivated" to do so? Damn right they could. It can't be too hard to notice that someone is sending 50,000 emails through your system within a 20 minute period.
Making the ISPs partially responsible would go a long way toward eliminating spam. Perhaps a sliding scale fine system would work.
[aside: in the one event where a shitforbrains spammer rigged a perl script to sign up for accounts, login to our webmail, and send spam (all through HTTP connections), we only got 4 complaints. we also shut down the spammer within hours of the original complaint]
...you guys sure don't know your RFCs very well.
I'll give you a topic:
SMTP IS NEITHER SECURE NOR AUTHENTICATED.
Discuss.
It says so right there in the RFC. You can lie in the headers. There is nothing to verify that the sender is who they say they are.
If you're relying on the "From:" line of an e-mail to tell you from whence a message was generated, well, that's your problem. I guess you think hotsexx@youroffice.com is a real address, too.
I hate spam as much as the next guy, but let's get real here.
Being slashdot, I'm surprised nobody is claiming they have a First Amendment right to create bogus headers. What if he's doing it to make a political statement?
Save the whales. Feed the hungry. Free the mallocs.
- Planting it's email address in places like
/. - Finding the "remove" address and responding (to get more spam)
- And sending email to abuse@ each ISP that is being named, as well as the originating mail server?
Or am I smoking crack, or has this already been done?BTW, spammers, feel free to harvest my email address *hehe* - I've noticed that quite a lot of spam uses yahoo accounts.
---------------------------------
---------------------------------
Visit
Now here's a question that occurred to me lately while downloading the 30 day trial version of Macromedia's Dreamweaver. In order to download the software, Macromedia required me to enter my name, email address, phone number, address, state, country, zip code, and form of use in addition to three pages of special interest checkboxes. THIS IS JUST REDICULOUS! Now this frustrated me greatly because there is obviosuly no reason in the world that I should have to fill all this information in just to download the software. This is annoying, not to mention illegal under COPPA if I were under 13 years of age (they don't ask that so there is no way to get parent's permission).
Anyway, what I started wondering was is it ethical/legal to put down a Macromedia email down in the email box, sort of to give them a taste of their own medecine? I was considering strongly entering in info@macromedia.com or some other similar standard email and then checking the "send me your spam!" box. What do you think?
Quote from the article:
Pirro said the message traffic Garon allegedly sent through Market Vision, a graphics studio company in Irvington, was so heavy that it crashed the company's internal network, causing damage in repairs and business downtime.
What? I can understand that maybe the mail system would become clogged and cease to function. But exactly what "repairs" would be necessary? The guy claims $18,000 in damages! If it's that hard for their network guys to clear out some mail, then they guy has bigger problems that a spammer using his mail system.
--
Sometimes it's best to just let stupid people be stupid.
The Localhost.com spam lawsuit was very similar to this, and that was a few years back. Didn't this set a legal precedent (or something similar)?
Pablo Nevares, "the freshmaker".
Pablo Nevares, "the freshmaker".
Seems like he stole items of value from the sites he relayed from (bandwidth and computer time), in addition to fraud and forgery (aren't there also laws about identity theft that may apply?). I can't say I'm a big fan of spam or spammers; hopefully they'll make an example of this guy.
check out any one of the links below (if they are still up) and see how one net-savvy victim retaliated:
http://cow.org/~noise/belps.freewebsites.com/
http://homepages.manawatu.net.nz/~alanjb/
http://elias.rhi.hi.is/premier.cluelessfucks.com/
http://belps.freewebsites.com/
Just how is something like this different from any other form of vigilanteism? The "doctrine of necessity" can justify this?
In the case of a bank or other entity answerable to its shareholders, creating a panic could result in a massive class-action shareholders suit. With such money at stake, it is not surprising there are those willing to take "direct action" against a hacker or hackers. I have even heard rumors of such extreme actions as sending goon squads armed with baseball bats to confiscate computers and demand silence.
I for one would not be amused were someone to send out bogus emails with my name on them.
I wasn't either, myself, when forged messages containing racist and Neo-NAZI materials were forged in my name.
I would not consider it reasonable to mount a DoS attack on the spammer but certainly would be after them with all the legal force my meager resources could bring to bear.
The case I'm referring to, where I resorted to possibly-illegal DoS attacks, was the case of Scientology's forged spam of alt.religion.scientology. This was perhaps the worst and most prolonged spam in history, and all the spam was forged in the names of posters to the newsgroup, at first with NAZI materials culled from racist newsgroups.
It took electronic tracking by normal spam-hunting means, the use of private investigators and the interest of the FBI to stop that, though nobody was prosecuted. The page I cited lists the ISPs abused, some of which were effectively knocked off the net by the hijacking. The "sporgery" (spammed forgery) used dialup ISP accounts paid for by money orders with fake info, hijacked Wingates on @home.com, open news servers, even once a router for ham-based packet radio! The cable modem spam hit thousands of posts an hour.
When attacks become extreme and unstoppable by ordinary means, and law enforcement won't do anything, people will resort to extraordinary means. (I stopped the DOS when it merely caused the sporgers to hop from IP to IP faster, which made it more difficult to filter.)
What's interesting is that this reverses the usual role of privacy in these discussions. Mostly privacy is regarded like fresh air or something -- the more the better. In reality, like most things privacy has many bad effects as good.
I look forward to the day I can program my mail system to only accept email from real signed identities -- i.e. no privacy for people sending me email. This sounds scary at first since the privacy==good thing is so conditioned, so you need to think about it a bit.
more slashdot on privacy vs. transparency
Nick
Though, it would be kinda nice if the spammer could be locked up, too.
Are there any web sites on the net that "out" spammers (provide real names and addresses)?
:-)
It would be nice if somebody did that. I'm sure a little "personal" feedback from random stangers would go a long way toward convincing one to give up the SPAM habbit
An engineer who ran for Congress. http://herbrobinson.us