Slashdot Mirror


Spammer Pleads Guilty

Rick Zeman writes: "A spammer faces up to seven years in jail after pleading guilty to 'computer hijacking.'" He apparently hijacked a mail server and used it to send millions of forged emails made to appear to come from IBM domains. He's pleaded guilty to forgery and I hope he gets all 7 years. But then again, I also wish someone would get 7 years every time they mail me a credit card offer, or call me and ask me to change my long distance service.


  1. Re:Does Spam Really Bug Everyone That Much? by Tackhead · · Score: 5
    > Why does everyone get so damn pissed off at spam?

    Because it's theft. I don't like being stolen from.

    But not just because it's theft. The real fight is how we preserve email as a useful communications medium.

    > Add to that the fact that I can block senders,[ ... ]

    And how much of your time do you spend doing this, when you could be doing other things? You say you've never had more than 10 a week. Before I started reading headers, I was up to 10 a day. And I'm on the light side. Others I know were in the hundreds per day.

    Consider this - if we give Jay Garon net.access in prison, and only 1% of legitimate small businesses (ignoring the MMFools and pr0n-hawkers and snake-oil "pharmacists") in the US spam Jay Garon once a year. Jay will have to "just hit delete" 240,000 times a year. That's 657 a day.

    As punishment, I think Jay Garon should have to reply to an email from the warden, three times a day, to get his meals served. Failure to answer the mail within an hour results in no meal service.

    Now how long do you think it would be before Jay starved to death, "just hitting delete"?

    > Now I just delete and forget.

    I used to delete spam. Now I delete spammers.

    Speaking of whom... hey Garon, seen any sexy babes lately? How's Premier Financial?

    The wheels of justice grind slowly - Garon's spamhaus dates back to early 1999 - but they grind extremely fine. I'm gonna eat an 8-oz filet mignon tonight. I'm sure Jay will be eating meat soon too, but of a different sort.

    Buh-bye, Jay. You might as well let the door hit you in the ass on the way out. A little tenderizing might make it easier on ya when Bubba comes a knockin'.

  2. Comment removed by account_deleted · · Score: 3

    Comment removed based on user account deletion

  3. What would be worse... by jamus · · Score: 5

    make him eat SPAM every day for 7 years.

    That would be a deterrent.

  4. His guilty plea... by lambda · · Score: 5

    He actually passed his guilty plea to the judge in the form of a chain letter:

    Please e-mail this plea to 5 people in the courtroom, who will then in turn e-mail it to 5 more people...

    Failure to do so will result in the death of your immediate family, increase of Oracle pricing for your employer, and the installation of RedHat 7 on your C++ development machine.

    Thank you.

  5. Re:Relaying by Chris+Mattern · · Score: 4

    > After all, no-one is complaining that having
    > open mailboxes outside every post office is a
    > security problem

    Yes, they are. You can no longer post packages
    via public mailbox because of security reasons.
    Remember the IMF protests in Washington back in
    April? I work half a dozen blocks from the IMF;
    I remember when the security guys came and removed
    all our street mailboxes to prepare for the
    protests. They did put 'em back afterwards, but
    still, it was a pain.

    Chris Mattern

  6. While we're at it... by iElucidate · · Score: 3

    How about we give 7 years in jail to everyone who ever breaks into a computer system? I mean, I sure hate spam as much as the next guy, but "hijacking" mail servers is a criminal offense now? And 7 years jail for doing it? Incredible! How could we endorse this when we as a community often advocate white hat hacking and general system exploration? I mean, a civil action would be merited, and perhaps some monetary penalty, but JAIL??? I don't know, this worries me. It is a dangerous precedent.

    1. Re:While we're at it... by TheCarp · · Score: 3

      Ethical check fraud?

      Well how about I find a bank whose checks are extremely easy to forge because of something that they could easily fix (of course the truth is that any checks are easy to forge...since a forgery doesn't even have to be good enough to fool a bank in most cases)

      So I forge a check for $0.01 (or $0 if possible...or some token amount) and immediately have the money deposited back into the account that I forged it to be from.

      The point of "ethical" hacking is exploiting the system, not for personal gain, but to expose the problem and get it fixed. Check out the story in the jargon dictionary "The Meaning of Hack" and read the last story.

      It was about some Motorola engineers in the 70s who found a severe security bug in their OS, they couldn't get the vendor to fix the problem, so they used it to gain access to the vendor's system and placed an "example" of the problem there.

      Now....I'll admit the example was one where the people went quite overboard and did do some damage (making a card stacker shuffle people's punch cards is just plain mean!)

      Of course...I guess the thing is... when it comes to actually hacking in the "break in" sense, for it to really be a hack it has to be novel, it has to be original, it has to have style.

      Pounding a system thousands of times over to send out mails, and not a single one of them being to postmaster telling them that their system is open? That's not original, it's not novel, and it completely lacks style.

      It's more than an offense of stolen resources, it's an offense against good taste.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    2. Re:While we're at it... by lizrd · · Score: 3
      Just because they don't put a lock on the door doesn't constitute an invitation.

      There's a little bit of a difference when you place a service on the internet. By leaving the port for some service open to the public you have in effect issued an invitation. Placing a public resource in a public place and being surprised when it is used by the public is stupid. If I open port 80 on my machine I should not be surprised when people connect to it and attempt to use the http resources on my machine. Why would I expect it to be any different if I leave port 25 open on my machine?

      I think that an apt analogy is if I were to put a drinking fountain on my front lawn adjacent to the sidewalk. If you happened to feel thirsty as you walked past my home you could reasonably expect that I had extended an invitation to you to drink from the fountain since it was placed in a public place. If you were to connect a hose to it and use it to fill your swimming pool that might well be a different legal and ethical question.

      One should be able to place a resource available that is available to the world and expect that it not be abused. The internet and human nature being what they are though that just might not be the wisest decision. Something to think about anyway...
      _____________

      --
      I don't want free as in beer. I just want free beer.
    3. Re:While we're at it... by Tackhead · · Score: 3
      > Unlike forging a signature on a cheque, or an official document, there is nothing in the RFC822 headers of an email that was ever designed to act as proof of a message's origin.

      Crap, that's an excellent point. Moderators? Mod this guy up!

      I'd have to look at the forgery statute to see if forging a HELO really oughtabe "forgery" in the criminal sense.

      It's certainly a false representation, and it's certainly intended to deceive people as to the message's origins in order to perpetrate fraud.

      But I think I may be mixing up my (meager) understanding of law with respect to forgery and fraud. (That is, it's OK to send a funny email on April Fool's Day as alan_greenspan@really.really.big.bank.gov, since it's clear to a reasonable person that you're not Greenspan. Doing the same thing, but sending economic statistics portending the interest rate bias for the upcoming fed meeting, to a bunch of Wall Street analysts, wouldn't be.)

      The interesting thing if I take that "reasonable person" standard - is HELO ibm.net - believable to a reasonable person?

      When I see Received: from ibm.net (luser.dialup.uu.net [63.whatever]), whether as a relay rape or direct-to-MX, I know it's a forgery. I wouldn't reasonably believe it came from IBM. I would believe that the spammer is trying to fool others less knowledgeable into thinking that it was.

      I think it's more fraud than forgery, but the distinction's probably too subtle to really be captured in the law as it's currently written.

      Like I said - a damn good point you made.
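
Added example, not part of the original comment or thread: a Python sketch of the header reading described above, comparing the HELO name in a Received line with the reverse-DNS name the receiving server recorded next to it. The sample message, its 192.0.2.x addresses, the example.org/example.net hosts and the two-label domain comparison are assumptions of this sketch; only the ibm.net and luser.dialup.uu.net names come from the comment.

```python
import re
from email import message_from_string

# Sendmail/Postfix-style trace field: "from <HELO name> (<rDNS name> [<ip>])".
# Other MTAs lay this out differently; the pattern is an assumption of this example.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def org_domain(host):
    """Crude organisational domain: the last two labels.
    A production check would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_received(value):
    """Classify one Received value as consistent / mismatch / no-rdns / unparsed."""
    unfolded = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return {"verdict": "unparsed", "raw": unfolded}
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    if rdns is None or rdns.lower() == "unknown":
        verdict = "no-rdns"      # receiver could not resolve the peer address
    elif org_domain(helo) == org_domain(rdns):
        verdict = "consistent"
    else:
        # The peer claimed one domain in HELO but connected from another.
        # Worth a look, not proof: legitimate hosts sometimes do this too.
        verdict = "mismatch"
    return {"verdict": verdict, "helo": helo, "rdns": rdns, "ip": ip}


def audit_message(raw):
    """Check every Received header, newest (topmost) first.
    Only lines written by servers you trust are reliable; anything below
    the first untrusted hop may have been supplied by the sender."""
    msg = message_from_string(raw)
    return [check_received(v) for v in msg.get_all("Received", [])]


# Constructed sample message (addresses are RFC 5737 documentation ranges).
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.25])
\tby mx.example.net with ESMTP id CONSTRUCTED2; Mon, 1 Jan 2001 00:00:02 +0000
Received: from ibm.net (luser.dialup.uu.net [192.0.2.10])
\tby relay.example.org with SMTP id CONSTRUCTED1; Mon, 1 Jan 2001 00:00:01 +0000
From: someone@ibm.net
To: victim@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in audit_message(SAMPLE):
        print(hop)
```
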

    4. Re:While we're at it... by Tackhead · · Score: 3
      >> What part of "theft by trespass to chattel" do you not understand?
      >
      > The chattel part.

      Chattel: Lawyerspeak for "stuff".

      From mycounsel.com

      Chattel refers to personal property such as a car, pet or jewelry. Trespass to chattel is basically theft, but can also be the temporary "borrowing" of an item. A wrongdoer commits trespass to chattel if he or she intentionally possesses someone else's property without their consent--even if only for a brief period of time. Most courts require that some sort of actual harm result from the trespass to chattel.

      Example: If you take your friend's new convertible for a joy ride without his or her authorization and during the course of your ride you scratch the new paint and dent the back fender, you have committed a trespass to chattel.

      So - if I dump three million spams through your mail server without your authorization, and during the course of that, I saturate your outbound link and/or fill up /var/spool/mail with bounces, you've (a) been harmed by having your bandwidth eaten by me, and (b) been harmed by having real mail dropped on the floor from the full mail spool. To say nothing of (c) the time it takes to clean up the mess.

      It's an open-and-shut case, and if your relay has been compromised in this manner, regardless of your moral responsibility to secure the relay in the first place, you can sue the spammer for the damages.

    5. Re:While we're at it... by TheCarp · · Score: 5

      I disagree.

      I see, fundamentally, no difference between forging a check to steal money from a persons account, and what spammers do.

      They connect to another host, and exploit a configuration flaw to send mail through it. They masquerade as a legitimate user (just as a check forger masquerades as a legitimate check writer for an account) to achieve their end.

      Now hacking is another story. I see no problem with "hacking". Exploiting holes to gain elevated privilege for the sake of doing it...and then closing those holes and helping those who run the system to fix the problem...that's another story.

      There is quite a difference between breaking in as an example, the so called "ethical hacking", like what happened to slashdot a few weeks/months back, and exploiting a hole for personal gain.... over and over again.

      Spammers are the most unethical creatures! They join online services with full intention of violating the Terms of Service. They search for "weak" hosts and then use them to launch their spam.

      They remove all of the grief onto others. They cause the admins of the systems (who are not totally without blame usually) to get floods of abuse reports and cause them lots of grief. They then just open another account and do it all over again - closing their account doesn't even slow them down! As an added bonus, their mail floods slow down the hosts that they are using - causing mail delays and resource issues for legitimate users of the machines.

      It is simple theft of resources, and they do it over and over again. Reaping the rewards at essentially zero cost to themselves. They can send out thousands upon thousands of messages for mere pennies.

      If they set up their own domains, with their own legitimate mail servers, and used those to spam from - then I wouldn't have a problem with them. Of course, every mail server and ISP in existence would have them blocked at the border router within a week, and they know it - so they act like parasites, feeding off weak systems - and transferring all of their costs to others.

      They change their usernames and things often (want to see my spam message folder? It's interesting to see the tiny changes they make to things - one has to imagine specifically to get around blocking filters)

      Make an example of the bastards I say. They are parasites.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    6. Re:While we're at it... by Tackhead · · Score: 5
      >I mean, a civil action would be merited, and perhaps some monetary penalty, but JAIL??? I don't know, this worries me. It is a dangerous precedent.

      What part of "denial of service attack" do you not understand? (Ever seen an open relay try to process 500,000 bounces?)

      What part of "theft by trespass to chattel" do you not understand?

      What part of "unauthorized access to a computer system" do you not understand?

      But honestly, I'm glad they got him on the forgery charge instead of all of the above charges (i.e. forging a bogus return address) - because it's a very real attack (via 50,000 flames!) on a victim whose systems were completely unrelated to the damn open relay in the first place.

      And it's a hell of a lot easier to say to the owner of a forged domain "consider suing the spammer for trademark infringement for forging your domain name into the spam" (civil suit launched at the victim's expense) to "Please contact the district attorney in (spammer's dialup's general area) and ask him to place criminal fraud charges upon the spammer" (a criminal suit).

      > but JAIL???

      I've found that a pretty good way of not going to jail is not to commit crimes like theft or forgery. Works for me.

  7. Crime for every email sent by shinji · · Score: 3

    It does not specify but they should charge him with fraud for every email he sent. Let's see that would be about a million counts of fraud...that should up that sentence quite a bit. That way the bigger a spammer a person is the more years and bigger fines they can get.

    --
    Remove the spam reference to email
  8. Lousy admins don't help: by Wakko+Warner · · Score: 3
    "He executed the scheme using the computer resources of the Market Vision graphics studio company, authorities said, and an overload of data crashed the company's internal network. Ed Greenberg, owner of Market Vision, said his losses amounted to about $18,000."

    If I had a dollar for every open relay on the Internet, I'd be a very rich person. This kind of crap -- "hijacking", they call it -- wouldn't be possible if sysadmins would LEARN how to SECURE their mailservers!!! Here's a hint: turn off relaying! It's absolutely asinine to allow the entire Internet to send mail through your machines; hopefully $18,000 in losses has taught this person that.

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  9. But an open relay is the right thing to do by bluGill · · Score: 5

    There is a big difference between what is right and what we do. When I left my house this morning I locked the door behind me. The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it. I know she will return the favor next time I'm short an egg for my morning omelet.

    An open mail server is likewise a nice thing to provide for those people who have unreliable internet connections. I temporarily store mail on your server until my buddy gets online, and then you send it while my server is offline.

    Trust for your fellow man should be the normal way of dealing with things. Locks should be to prevent kids from playing with blasting caps, not to keep thieves out. Fraud and abuse should be completely unknown.

    No I agree admins should lock down their mail servers. However everyone should feel very bad about having to do it. Locking down a mail server says bad things about society.

    1. Re:But an open relay is the right thing to do by Winged+Cat · · Score: 5

      Reply or moderate...reply or moderate...

      The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it.

      Nope. The right thing to do would be to give your neighbor, and anyone else you trust, a key to your house. It has been mathematically proven that "trust always" and "never trust" are not optimal solutions to a wide variety of Real Life cases, at least where they can be reduced to math (for instance, Prisoner's Dilemma). "Trust but verify" isn't just a catchy name for an algorithm in some abstract case; it works quite well in the real world. Assuming the common assumption that what works best in the long term is morally correct (that being how history tends to be written), why should anyone feel bad about doing what works?

  10. Re:Antisocial? by ichimunki · · Score: 3

    I completely agree with you, I just wanted to inject a bit of anti-rabid-spammer-hating into the discussion, since rabid anything usually results in faster than desirable erosion of civil liberties (witness the rabid fear of drugs destroying our society and the effect of the so-called War on Drugs). I do think that criminal cases related to computer crimes are going to be a case of "the big guy is always right." so that we will continue to see people like Randal Schwartz and Emmanuel Goldstein get whatever legal treatment the law department of a large company decides they should get.

    --
    I do not have a signature
  11. Proportional Response? by weston · · Score: 5

    I agree with the other posts that have said that 7 years in jail seems a bit over the top, especially considering that many of us endorse white hat hacking. Maybe even grey hat.

    I think computer security law should reflect physical security law, and provide for different kinds of crime. As far as I know, neither "trespassing" nor "breaking and entering" land you seven years in the slammer.

    Now, using a mail server to send unauthorized resource wasting mail is probably a crime. Taking someone's car for a spin w/o permission or pirating airwaves on a spectrum allocated to someone else are probably comparable law breaking actions (if you disagree, find something closer). Is 7 years in jail a crime fitting punishment?

    There's different grades of trespassing and use of others' property. Computer law should reflect this as well.


    1. Re:Proportional Response? by dsplat · · Score: 4
      There's different grades of trespassing and use of others' property. Computer law should reflect this as well.


      This is an excellent point. I used to argue that the difference between murder and attempted murder should merely be considered to be good luck on the part of the victim and not a difference in sentencing. Then I read this book. David Friedman makes good arguments for different punishments for different crimes.

      The major problem with making the penalties too severe is that it encourages additional crimes in an attempt to destroy the evidence or evade capture. To use this particular case as an example, if the penalty of grossly misusing someone's server is roughly the same as the penalty for completely destroying all of the data on it, it gives the criminal an incentive to wipe the system when he's done with it to be sure that no footprints are left behind.
      --
      The net will not be what we demand, but what we make it. Build it well.
  12. Relaying by Anoriymous+Coward · · Score: 5

    I suppose with the demise of UUCP mail (cue for someone with a ! in their email address to pipe up), and the increased connectivity of the internet, no-one really needs to relay email any more. I still think it's sad that this has to be done. After all, no-one is complaining that having open mailboxes outside every post office is a security problem, yet this is the exact real-world analogy (allowing for differences in sender-pays versus recipient-pays).

    I think the sympathies here on /. are clear cut. If the guy had hacked in and left the sysadmin a note how he did it, he should walk away. But because he was using the machine for spam (not to be confused with SPAM) he should be hanged, drawn & quartered. And that's only because we're feeling nice. It's the difference between finding a bag of US mail & returning it to the Post Office, or filling it with postage-due credit card scams.

  13. Prison?? by Stiletto · · Score: 3


    Maybe I am offtopic but...

    No one likes spammers, and truly I think if convicted they should really lose their internet privileges, but PRISON?

    This is evidence of a judicial system that is more about revenge than correction.

    PRISON is for keeping violent people from hurting the rest of society. PRISON is for people who must be physically restrained. In the US, we send more non-violent offenders to prison than most other countries. Should you go to jail if you are caught speeding on the highway? How about jay-walking? Why do we send SOME non-violent criminals to prison and not others?

  14. 7 years for spamming? by SpinyNorman · · Score: 4

    Hell, it'd be nice to see people serve 7 years for murder

    For spamming it'd be more appropriate to give them a large fine and temporarily ban them from any computer career (a la Mitnick).

    1. Re:7 years for spamming? by TheGratefulNet · · Score: 3
      actually, it would be more fitting to force them to serve on an ISP and take all the angry calls/mails from net.abused subscribers.

      7 yrs is too harsh. make the punishment fit the crime. give this turkey an appreciation of why it's bad to spam.

      how about this: force him to have to read all of slashdot, every day, browsing at -1 to 1.

      --
      "It is now safe to switch off your computer."
  15. Re:7 YEARS??? by TheCarp · · Score: 3

    I agree and disagree.

    I agree that it's sad that people are punished less for rape than for fraud. However, I will not agree that this is too harsh of a punishment for fraud.

    > How would you like it if a hacker got 7 years
    > for breaking into a computer system?

    It's not about breaking in. It's about exploiting a flaw for personal gain. It's about breaking in thousands upon thousands of times over and over and using it to promote your own financial gain.

    A person who "hijacks" a system once to demonstrate that it CAN be done, and makes a point to not hurt anyone in doing it - has done little wrong in my book. Simple trespass maybe, perhaps foolish, but nothing truly and fundamentally evil.

    A person who "hijacks" a system directly for the purpose of furthering their own personal goals and to assign the blame away from himself? A person who "hijacks" a system specifically for the purpose of committing FRAUD. This is much worse than the simple act of "trespass".

    I am sorry but... if it's new and original, or if it's done to demonstrate the possibility or just to learn about the system and to teach oneself what can be done...that is hacking. Just taking a well known problem and pounding it to death because you can or using it for personal gain, that is not hacking, it's exploitation.

    -Steve

    --
    "I opened my eyes, and everything went dark again"