Slashdot Mirror
Is Forged Spam a Crime?
PJRC2 writes "ABC News.com has an article about a man who claims he commited no crime in sending millions of AOL users porn and make-money-fast spam and making the messages appear as though they came from ibm.net. " We're going to see more of this in the future. I think forged spam should be punishable by death, but I probably get more of it than most people ;)
Wouldn't this count as Trademark Infringement? Since domain names have precedent as being covered under Trademark law, shouldn't abuse of domain names also fall under Trademark/IP law? Unfortunatly this would put the onus on the abused company to do anything. Matbe IBM should get in on the action.
IANAL. But I'm sure we can lengthen the list of charges a little.
Let's see what this criminal did:
* He sent mass e-mails using other people's computer facilities. That's theft, chattel trespass and - if the spams clogged their e-mail system - denial-of-service. The people who have to clean up the damage have to pay technical people large amounts of money. That's damage that can be recovered in a court of law.
* He impersonated IBM. That's fraud.
* He used IBM's trademark without authorisation. That's trademark infringement.
* He sent pornographic spams. If any of the recipients were underage and the underage recipients then visited the web site, that's transmission of pornography to minors.
* He violated his ISP's Acceptable Use Policy. That's breach of contract.
If the laws were up-to-scratch, then this perpetrator would be facing 3 years in jail, large lawsuits from IBM and the people from whom he stole e-mail facilities, and many small claims from the recipients.
And he wants us to believe that he's not a criminal? Yeah, right, and I'm the Swiss Navy on maneuvers in the southern Indian Ocean.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Most spammers who try to forge where the message is coming from (including this guy) are not very good at it. The forgeries are easy to spot when you look at the complete message headers. Why doesn't someone (me?) write a MUA that automatically deletes this junk?
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Don't you know? to a spammer EVERYBODY is an american..
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Right - it's meant in irony - the source is Voltaire's commentary on the court-martial and hanging of Admiral Byng. (Byng was grossly outnumbered, and ran away - as a result, he was executed for "cowardice".)
"C'est necessaire quelquefois a suspendre un admiral ou deux, pour encourager les autres." ("It is necessary sometimes, to hang an admiral or two, to encourage/enhearten the others" ;-)
Although Voltaire originally meant it in the sense of "beatings will continue until morale improves", the quip has also developed a second sense, namely "punish excessively and make an example out of the offender". While not quite historically faithful, it certainly has a nice ring to it when used in conjunction with the image of a row of spammer heads on pikes.
> On va leur couper les couilles et leur faire manger, violer leur femme et mettre leur tête sur un pic... (that's better :)
Well, I dunno.
As for leur couper les couilles et leur faire manger, you'd starve to death on the contents thereof, and as for violer leur femme, we're talking about spammers here. Given what goes into spammer DNA, do you really think a spammers's mother, sister, or first cousin is gonna be much to look at? OK, not every spammer falls into that category, but the few spammers who didn't marry blood relatives are probably hooked up with goats and sheep, which is just Not My Kink.
But I'm still up for the heads on pikes bit.
Considering that AOL's servers are located in VA, all email to AOL is received in Virginia. This is part of the reason that AOL wanted the anti-spam law, so they could go after spammers like this one and slap them with nice hefty lawsuits.
The particular section of the bill (18.2-152.4) reads:
Virginia - SB 881 Computer Crimes Act; electronic mail
Original Slashdot Story - Virgina Criminalizes spam, ACLU against it
-Todd
---
"The details of my life are quite inconsequential..."
Ding-Ding-Ding! All aboard the Logic Train! (tm)
If I try and pass a check at a band with a signature other than my own, that's illegal. I'm convicted of check fraud, and I go to prison.
If I walk into a bar with a fake ID, or attempt to purchase a firearm go with false identification, I'll get busted as well.
If I send a piece of mail through the US Postal Service posing as someone I'm not, then bingo, i'm guilty of mail fraud.
Now, in the case of fradulent spam, I attempt to tell tens of thousands of people I am someone who I'm not. Worse yet, i'm trying to use that identity to sell something. Why should that form of fraud be punished any differently than other forms of fraud?
Bowie J. Poag
Bowie J. Poag
A better analogy would be a wire communication than an actual letter. Lets say if I was to use a voice changer to fool people about who I really am and use some method to make the call harder to trace for illegal reasons(promote my pyramid scheme or avoiding prosecution for stealing computer time) then I'm breaking the law for giving false information about myself.
Now say I do the same thing because I want to use a pseudonym but not for illegal reasons (i dont want so-and-so to know im checking into this hotel) then its all fine and dandy.
No it's not.
What's happening is that the spammer is behaving like an ass, and so does not want to reveal their idenity -- they want "privacy" for their actions in this case. The forgery is just a symptom of their desire for privacy.
No...the spammer is acting in a public and commercial capacity and so has forsaken his expectation of privacy.
What's interesting is that this reverses the usual role of privacy in these discussions. Mostly privacy is regarded like fresh air or something -- the more the better. In reality, like most things privacy has many bad effects as good.
"Privacy" is neither good nor bad. But respect for the individual's privacy is desirable, and that respect should not hinge on the characterization of the information being held private.
I look forward to the day I can program my mail system to only accept email from real signed identities -- i.e. no privacy for people sending me email. This sounds scary at first since the privacy==good thing is so conditioned, so you need to think about it a bit.
You make it sound as if the right to privacy extends to the right to intrude anonymously. For one thing, you are a private individual and can set your own personal "Terms of Service" that requires identification prior to engaging in communication. This is, by no means, inconsistent with the basic premise of the right to privacy.
Get Veiled
However, there are always a certain percentage of readers who know about these forgeries, and the spammer will lose his account eventually anyways. Btw, there is even a even a web site in which you can paste your spam, and which automatically sends complaints to the correct places: Spamcop.
So, unless this forgery was done with the express purpose of annoying someone at IBM, don't make it into a criminal case; it's just business as usual.
Say no to software patents.
Violations of the FTC Act amounting to false advertising and deceptive business practices is certainly actionable by regulatory agencies (FTC or analogous state regulators under their "little FTC" acts), and can rise to the level of criminal conduct.
There are some cases in which I would allow the misconfigured argument: if all the burglar did was leave a note saying 'your locks suck, here's the adress of a good locksmith' or something like that. As soon as you actually start making use of your ill-gotten privileges...that's real bad.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
1) He "Hijacked" an environment that was not owned by him, and he had no right to manipulate data on that environment. This should fall under the same cracking style laws that govern the prosecution of script kiddies and other web page defacers.
2) He used the words "IBM.net in his soliitations. This is going over the line that is somewhat grey to begin with but is reasonable well understood. If he had stopped at "You may already be a winner" or other technique that sweepstakes companies and such use, he may have been ok, however he did reference IBM.net and that's blatantly wrong and misleading.
They will trow the book at this guy, and I think the general public will have little sympathy for him. Being a spammer has got to be one of the most unpopular endevors one could choose as a line of work.
Juno and Hotmail have sued spammers (e.g., the "TCPS" spammer from a couple of years back) for forging their domain names into fake email addresses inserted in the From: header. The forging caused clueless people to send countless bogus abuse reports to Juno and Hotmail abuse desks, consuming their resources. IIRC, uu.net got into the act too, as most of the spams were coming from a long series of uu.net dialups in an area of NYC that didn't have caller-ID.
There's the "flowers.com case", where a spammer issued a forged HELO flowers.com when doing a spam in order to fool (ancient) versions of Sendmail into hiding the spammer's originating IP address when raping a third-party relay. $65000 in damages because it defamed the legitimate owner of flowers.com at the time.
It's trademark infringement as well. You purport that your mail comes from AOL, it's AOL's business that you're using their domain name. AOL's landsharks have been known to sue spammers for falsely implying that spam comes from AOL. More power to 'em.
Finally, in the cases of "joe jobs" - where a spammer will forge spam in the name of someone in order to target the forged party for harassment - it's obvious that there's intent to defame, harass, and of course, willful misrepresentation.
The forging of headers in unsolicited bulk email should be at the very least a civil, if not a criminal, offense.
The real problem, of course, is that since your average spammer lives in a trailer surrounded by beer cans and chicken bones, collecting anything from a spammer can be a real problem.
Which is why it's relatively rare that ISPs sue or press criminal charges against spammers. More's the pity. There's a group of spammers operating out of Earthlink dialups in a manner identical to that of the TCPS spammer's abuse of uu.net dialups a few years ago, and Earthlink is doing nothing about it. More's the pity.
But back to the original article on ABCNews:
The son of a bitch not only spammed, but he raped a relay to do it. That's theft of computer services at a minimum, and given the number of bounced spams that probably came back to the raped relay at Market Vision, probably a DOS attack too.
Throw the book at the son of a bitch and put his head on a pike. Pour encourager les autres.
I'm not arguing "blame the victim". That is so often used to excuse the perpetrator of evil. It is disingenuous to say your woman walking, while intoxicated, down a dark alley in a high crime area [I added the high crime area], is asking to get raped.
People make choices and they are responsible for the outcomes of those choices. The woman in our example is responsible for choosing to get drunk, for choosing to walk alone, and perhaps unarmed, down that alley at that hour of the night. She is existentially responsible if she is assaulted, just as I would be existentially responsible if I were assaulted under the same conditions.
The folks at Market Vision *chose* not to properly secure their email server, whether they made the choice from ignorance or with full knowledge of the consequences, they still made that choice. They therefore bear some responsibility for what happened.
A quote from a RUSH song would be appropriate here: "If you choose not to decide, you still have made a choice."
PAY ATTENTION! I AM NOT talking about LEGAL responsibility. I AM talking about MORAL and EXISTENTIAL responsibility. Legally, they can sue the guy, but ethically they are still at fault and are not deserving of a dime. Anyway, I don't see how it could cost $18,000 for a mail server to be down for a few hours, unless they lost an $18,000 contract that hinged on one lost email, highly unlikely.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Well, yes it is, but you still bear some of the responsibility in an existential manner if you choose to leave your house unlocked. Given the conditions under which we live, only a fool would deliberately leave their house unlocked. For the ignorant, this would hopefully be a "learning experience" and they would then know not to do this in the future.
Leaving the house unlocked does not excuse the behavior of the person who has broken the law by entering/trespassing. It does, however, lessen the amount of responsibility shown by the homeowner and, in fact, increases their existential responsibility in the outcome of someone breaking and entering.
I suggest reading some Sartre and Camus if you want to know where I am coming from.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Forgery is already a crime in the physical realm. Why, then, should it not be also a crime in the digital? Leave the spam issue out of it, if you want; a forged letter is still a forged letter.
But isn't SPAM itself just fake ham? Seems like it's been fake from the start....
Driven by 100% sarcasm - fueled by the need to be heard.
The important thing to remember is not to get too technical.
At a certain level, of course we can tell the message didn't come from IBM.
But...
The guy sending the spam.
a) new that he was making his messages appear to come from IBM.net to the average user.
b) was probably doing this without authority from ibm.net
c) Was doing this for the express purpose of misleading the recipients of the spam into reading the spam. THIS is the really bad part. It's fraud.
The dorks at Market Visions should have had their mail server properly configured so that it would not forward messages. I don't think they deserve any compensation for the $18,000 they allegedly suffered in damages. It's their own fault that they were abused in this way.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Finally, given that SMTP makes no guarantees about the validity of the "From:" address, I see no reason (other than ignorance) for anyone to have any expectation of its validity. I don't know about the "law of the land" when it comes to fraud, but I would imagine that the recipient's expectation of validity plays an important role in proving fraud.
Disclaimers: IANAL, IANAS (Sysop).
Thanks for sharing that croaker. I'm not doing exactly what you say, but I am checking for empty or missing From: and To: headers. I'll have to set up my filters the way you describe when I get home.
Rather than just trashing the spam, I think I'll save it to a special mailbox. At some point in the future, I think I'd like to come up with some effective (and intelligent) spam blocking software.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
An omnibus reply to many of the posts:
1) Forging from headers is criminal in a number of ways:
a) A number of States have laws on the books:
Ref: http://www.cauce.org
http://www.suespammers.org
These laws criminalize forging of headers. No gray area.
b) The bounces cause resource theft of AOL's servers, and bandwidth.
c) Civil action for misuse of trademark and goodwill.
2) There is an automated way of sending complaints:
Register with abuse.net (Run by John Levine). Then you send your complaint to the domain you want to complain to, @abuse.net, and John's system automagically forwards it to the right address for that domain.
3) If you want to hunt the spammers down yourself, try Steve Atkins' Sam Spade (http://www.samspade.org)
4) Hitting delete is NOT an option. It does not scale.
5) There is no Federal Bill. Those disclaimers you see are bogus. They often refer to HR 1716, or Murkowski. These were proposed, but *never* passed. There is no Inbox or Federal Bill that protects spam. There is a Federal Bill making its way through the house currently, HR 3113. It is a "good"(tm) thing. Support it.
6) When all else fails..
If you can't get the spammer's IPS's attention, *don't do anything illegal*. Visit http://mail-abuse.org, document your efforts, and nominate the spammer, and his ISP to the RBL. Trust me, it is *extremely* effective in educating the ISP.
On a spam related note see what this guy did to some spammers that kept forging mail from his domain.
:) He sent AOL a complete list of hijacked accounts and all the necessary contact info for the spammers. It's really interesting!
To summarize he went into the spammers computers and got everything personal he could find on them... including some interesting photos
------
IanO
------
Objects in Mirror are Losing!
The "damages" are probably just the cost of waking the sysadmins up in the night and having them come into work at overtime pay and clean up the thing. If you're paying multiple people overtime while they fix the problem, look into preventing it from the future, and twiddle their thumbs while it all gets retrieved from backup tape (which may be located in another building, requiring you to wake other people up and pay them too), and if you're talking about as many accounts as ibm is tending, then $18,000 isn't such an impossible figure. Of course, I'd go further and demand millions in punative damages on top, not to mention emotional pain and suffering.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Though, it would be kinda nice if the spammer could be locked up, too.
According to the article he's facing up to 7 years in jail.
-- Dr. Eldarion --
So I'm sitting here on the group W bench, when the biggest, meanest father-raper comes over to me and asks, "What'd you get?"
I said, "I didn't get nothing - I had to clean up the mess."
He said, "What are you in for?"
I said, "Spamming." And they all moved away. "And creating a public nuisanse." And they all moved back....
With apologies to Arlo Guthrey
</Humor>
I'll be the other prisoners will love him.
www.eFax.com are spammers
The Localhost claim is different because the host there was suing for defamation. That's a civil claim, not a criminal charge. Also, it wouldn't be binding precedent - it was merely a low level ruling in a Colorado state court.
No, I think this IBM case is much better. I've pursued cases like this with no success, because there is some question of consent by the "victim" if they were running an open relay. Regardless of how stupid it is, open relays are still very common, and spammers regularly abuse them. If the spammer somehow hacked the relay, that will help the case.
The other aspect is the forgery - use of IBM's name. Another thread on this topic had a post talking about a guy who was calling other people and leaving a third party's name and phone number. Depending on your state law, that might not be forgery, because it's a voice communication. That's why the appropriate criminal charge there was phone harassment, which is usually an extremely low-level felony or a misdemeanor. Spam involves printing the actual text of the name IBM.COM in the email. That's the forgery. Making it appear as if IBM was sending it, that's the fraud. If it was my case, I'd also charge theft for any damage caused to IBM by the actions of the spammer - time lost on machine downtime, and cost to fix machines. Manpower and overtime to fix the problem might be worth asking for, too (probably depends on the judge).
But if the IBM.COM machine was an open relay.... I dunno.
==
"This is the nineties. You don't just go around punching people. You have to say something cool first."
Why mrked "funny"? To be honest, I see that as being this guy's one hope of seeing the outside world again this side of 2007 and/or not being dropped into boiling oil by his victims.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
What would happen if it were made illegal to alter the headers in email messages? Would mail routers have to have special licenses to add 'received by:' fields?
This could be a landmark case for electronic mail -- if the same thing happened with snail mail, it would have been called 'Mail Fraud'.
dc
--
Wooden armaments to battle your imaginary foes!
*Sigh* One more time:
1. Junk snail-mail is paid for by the sender out of his own pocket.
2. Junk e-mail is paid for by the recipient out of stolen bandwidth and the increase in ISP fees caused by spam-related overhead.
also, i don't think that impersonation, in all cases, is illegal. suppose, for example, that you dressed up as richard nixon (just to pick a name out of the air) for halloween. suppose also that you ran about in your costume doing all sorts of embarrasing or shameful things. clearly, reasonable people would not take you for the real nixon.
If you went around gluing flyers to people's front doors (a meatspace analogy to spamming, in that it involves conversion of other people's property and creation of a public nuisance to spread your message), then concealing one's identity would be an aggrivating factor.
In addition, your analogy fails because recognizing that someone wearing a Nixon halloween mask is not really Nixon is much easier than spotting a forged header. One does not need any special technical skill to distinguish a cheap mask from a human face, or to know that the real Richard M. Nixon is taking the eternal dirt nap.
/.
/. If the government wants us to respect the law, it should set a better example.
According to a link from Kuro5hin today, which purports to be someone's cracking of a major spam business, there is damn fine money to be made in sending spam -- to the tune of several hundred thousand dollars annual income.
The response rate for spam is high enough that the spammers are willing to work on commission. It's high enough, in fact, that their clients are uncommonly willing to pay up fairly large money (four/five figure weekly payouts) readily.
It's more than viably economic: it's a damn fine income... alas.
--
--
Don't like it? Respond with words, not karma.
Having been the victim of forged email headers (and having had to explain how to read headers for 4 years now) I was very pleased to see the following website. It seems legit to me although you never know, it could be a smear... Of course there are photos so it should be easy to tell...
http://belps.freewebsites.com/
Basicly someone hacked a spam company and got all sorts of logs and even some pictures of the perps.
Check it out.
It's a bit more complicated than that. It is legal, at least in the USA, to use aliases instead of your legal name. It's illegal to use an alias to deceive someone, with intent to defraud.
Mea navis aericumbens anguillis abundat
And if you log in, maybe you could check out and vote on my story, which I worked on a while today? :^)
There is no opt-out.
There is no invasion of privacy (those spammers obviously wanted to be contacted, or they wouldn't be sending out communications)
There is no new legistation (fraud, forgery and misrepresentation are already on the books).
In short, this could be just the ticket to stop spam. If forging headers is found illegal, then the spammers will have to use their real address. Then we can do a quick whois, hunt them down and kill them. Slowly. Uh- I mean, get their accounts cancelled.
--
Does narcissism count as a hobby? --Shawn Latimer
Lately, I've been getting SPAM that starts out by telling me that I had a great chat/conversation with the person sending me the Spam, a person I've never chatted with online or in person for that matter.
There's another class of spam, that isn't really spam, but that's those damned annoying messages that people I know keep sending me with subjects of Read this--Funny or some such. I don't have time to wade through that crap, so I generally I just hit the delete key and go on to the next message. I'll have to add a filter to check for that junk, too.
I've already got my MUA set to automatically delete messages with empty or missing From: and To: headers. I think I'll add code to delete messages with forged addresses.
After that, I'm going to start saving all the Spam that I receive in a special file and run some dictionary/statistics generating software on it to see if I can come up with an algorithm to detect spam. Once that's in place, I'll live Spam free!
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Kuro5hin ran a piece on spammers and attacking them back today.. kinda an amusing read, even though I don't feel attacking people back directly is the answer.
BilldaCat
While that part was offstage in the Asimov story, I can't help but think that if this were really done then other spammers would start advertising tapes of the one who got caught receiving his Clockwork Orange treatment. It would be like the pick-pockets working the crowd watching a pick-pocket being hanged.
/.
/. If the government wants us to respect the law, it should set a better example.
Additional commentary can be found at the NYT
What worries me more than the spamming is the fact that he hijacked someone else's box to do his spamflooding. However, I'm always suspicious of figures like $18,000 in caused damage.
One thought: surely if AOLusers have a use, it's as spam fodder? If it wasn't for THEM we'd probably all be getting thee times as many invitions to vist mandy being spanked in her dorm.
Why doesnt anybody every complain about how your email address gets into the hands of these spammers? Either they are harvesting them from text sources or somebody you trusted let your address slip out. As more and more ebiz happens, the more everybody sprays their addresses all over the net, whether its a "keeper" like me@mydomain.com or disposable like whatever@hotmail.com. If you want to have fun tracking who's dealing your addresses, and protect a good address too, have a look at sneakemail.com, and if you dont like what you see, give us some constructive criticism and well try to improve it for you.
An insanity defense!
"Your honor, this man not only spams, deals in pornography, and forges addresses to hide his identity, but he truely believes he has committed no crime. He is obviously insane and should be cared for, not caged like a criminal. I have here several psychologists who have would like to testify as to..."
Spam sucks big-time (especially forged spam), but do we really want to bring the government into this? The more the 'net community asks the government to get involved in regulating the net, the more they will... The problem is they won't ever stop. This is exactly the kind of ammo that anti-anonymity supporters want.
:-)
Are there any technological solutions to this, especially forged spam? What about tighter permissions on mail servers, the Real-time Blackhole List, etc?
Given a choice between dealing with spam (i.e., adding the sender to my spam filter), and dealing with an overzealous government, which would you pick?
I'm all for vigilante anti-spam lynch mobs, though
Many years ago, I had this guy from my school leave a bunch of very bizarre and often threatening messages on other people's answering machines and voicemail - and leave my phone number on it.
I finally found one sympathetic company willing to play the message back to me over the phone - I recall it had something to do with "and I'd better be seeing that money soon, understand?" Of course, I recognized the voice, and I called my local police department to see what the law had to say on the matter... and guess what? It counted as telephone harassment, same as if he'd have called me directly.
So, if'n I was IBM's bigshot lawyers, I'd go after them for either theft of services or harassment. It seems to me that ibm.net must have gotten flooded with "die fsckin' spammer" and "delete this account" messages... sounds like the same concept to me!
--
Make Money on the 'Net
Sig broken, watch for
On a related note, a number of my colleagues are insisting that China recently EXECUTED some spammers. Any stories/f.u. on that would be great!
I wonder if the guards yelled "JUST HIT DELETE" before shooting the offenders...
I know it. I've used the argument dozens of times. "Its not my fault they didn't have their system configured properly."
But I don't know that it stands. I mean, personally I think that if a company has a severe security problem such as the one this company so obviously had (being able to relay to out-of-domain addresses), then I think they deserved what they got. And I don't see how a company can claim damages on something that wouldn't have happened if they'd been properly configured to begin with...
On the other hand, I take responsibility that if I get caught I'm pretty much going to twist in the wind. I think he got caught, and I think he deserves to twist in the wind.
There was something the article didn't mention. Was he simply using their e-mail servers, or did the man use that company as his ISP? I think its an entirely different argument if they were his ISP. (And I don't think they were...)
--
"A mind is a horrible thing to waste. But a mime...
It feels wonderful wasting those fsckers."
I currently have no clever signature witicism to add here.
Bruce
Bruce Perens.
1) Firmly establish that which is already used offline to make forging the source of any internet transmission to be illegal. This would include packets, even to have the nice effect of making it easier to prosecute DoS cases.
2) Set up servers to not accept messages from non-existant hosts. This way, the server will only accept messages from real hosts, and if they're forged, it'll be prosecutable.
Of course, there's a lot more to it than just that, though. I know it could be dangerous if inappropriately applied, but I can see circumstances under which civil suits by a clean ISP against an open transport ISP *cough*AOL*cough* on the grounds of negligence. Heck, if a little kid goes into my shed and steals my radial saw, and ends up cutting his hand off with it, I can be held responsible. Therefore, I keep a lock on it. Of course, if the kid breaks in despite the lock, I'm not responsible, because I made a reasonable effort at securing the hazard.
I am kind of afraid of letting judges and juries determine what is a reasonable computer security expectation, though. Well, this is just food for thought. I'll let the experts hack it out. (in every meaning of the word)
WARNING: there is a trojan on your
I hope that this trial somehow gets televised; I'm dying to know how this guy claims that no crime was committed. This should be more interesting than the OJ trial.
~CalibanDNS
The 'innocent' spammers in question have already starting taking down mirrors of the site [cluelessfucks.com]. I suggest you get in quick!
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I have one web site that provides free webmail (no SMTP) in addition to other stuff. Every three months for the past year, there is a scumbag spammer who uses us as a return address (forges everything, including the message-id, but can't forge the originating Received: header). He runs a credit card grabbing scam that can only appeal to people who can count their IQ on their toes. But he keeps coming back. He operates out of Los Angeles, started with connectivity through Verio, moved to UUNET, and now works out of rasserver.net.
Now, the average user cannot read email headers. However, the average user has the ability to send an abuse report (hundreds and thousands), although usually with a threat of a lawsuit, foul language, or incomplete headers. But we can't blame the users. We just tell them where it really came from and give them a few good links about spam. At the same time, we fend of cease-and-desist or die messages from our various outsourcers, who routinely forget that the exact same thing happened only a few months ago. It gets to you after a while.
So, what can we do? Contact the ISP that is putting this guy on the net? Nice try. Waste your time on their abuse address, waste more time on faxing, finally call them to tell them about the problem and they will immediately refer you to their lawyers. Any chance of getting a network tech on the phone to talk about the problem? Forget it.
The only viable solution is to subpoena (sp?) the server logs from the ISP and the telephone records from the telco and go from there. For me, that doesn't work, as I'm in Jakarta and have no desire to spend mucho money on an intercontinental lawsuit with little or no hope of reward at the end of it.
What would put a stop to SPAM? Making the ISP responsible for monitoring, and responding to abuse complaints about, spam that was sent from their systems. Do you think the ISPs could stop it if they were "motivated" to do so? Damn right they could. It can't be too hard to notice that someone is sending 50,000 emails through your system within a 20 minute period.
Making the ISPs partially responsible would go a long way toward eliminating spam. Perhaps a sliding scale fine system would work.
[aside: in the one event where a shitforbrains spammer rigged a perl script to sign up for accounts, login to our webmail, and send spam (all through HTTP connections), we only got 4 complaints. we also shut down the spammer within hours of the original complaint]
...you guys sure don't know your RFCs very well.
I'll give you a topic:
SMTP IS NEITHER SECURE NOR AUTHENTICATED.
Discuss.
It says so right there in the RFC. You can lie in the headers. There is nothing to verify that the sender is who they say they are.
If you're relying on the "From:" line of an e-mail to tell you from whence a message was generated, well, that's your problem. I guess you think hotsexx@youroffice.com is a real address, too.
I hate spam as much as the next guy, but let's get real here.
Being slashdot, I'm surprised nobody is claiming they have a First Amendment right to create bogus headers. What if he's doing it to make a political statement?
Save the whales. Feed the hungry. Free the mallocs.
Quote from the article:
Pirro said the message traffic Garon allegedly sent through Market Vision, a graphics studio company in Irvington, was so heavy that it crashed the company's internal network, causing damage in repairs and business downtime.
What? I can understand that maybe the mail system would become clogged and cease to function. But exactly what "repairs" would be necessary? The guy claims $18,000 in damages! If it's that hard for their network guys to clear out some mail, then they guy has bigger problems that a spammer using his mail system.
--
Sometimes it's best to just let stupid people be stupid.
The Localhost.com spam lawsuit was very similar to this, and that was a few years back. Didn't this set a legal precedent (or something similar)?
Pablo Nevares, "the freshmaker".
Pablo Nevares, "the freshmaker".
Though, it would be kinda nice if the spammer could be locked up, too.