Spammer Pleads Guilty

Rick Zeman writes: "A spammer faces up to seven years in jail after pleading guilty to "computer hijacking." " He apparently hijacked a mail server, and used it to send millions of forged email to make it come from IBM domains. He's pleaded guilty to forgery and I hope he gets all 7 years. But then again, I also wish someone would get 7 years every time they mail me a credit card offer, or call me and ask me to change my long distance service.

Re:Does Spam Really Bug Everyone That Much?

[Tackhead]

> Why does everyone get so damn pissed off at spam?

Because it's theft. I don't like being stolen from.

But not just because it's theft. The real fight is how we preserve email as a useful communications medium.

> Add to that the fact that I can block senders,[ ... ]

And how much of your time do you spend doing this, when you could be doing other things? You say you've never had more than 10 a week. Before I started reading headers, I was up to 10 a day. And I'm on the light side. Others I know were in the hundreds per day.

Consider this - if we give Jay Garon net.access in prison, and only 1% of legitimate small businesses (ignoring the MMFools and pr0n-hawkers and snake-oil "pharmacists") in the US spam Jay Garon once a year. Jay will have to "just hit delete" 240,000 times a year. That's 657 a day.

As punishment, I think Jay Garon should have to reply to an email from the warden, three times a day, to get his meals served. Failure to answer the mail within an hour results in no meal service.

Now how long do you think it would be before Jay starved to death, "just hitting delete"?

> Now I just delete and forget.

I used to delete spam. Now I delete spammers.

Speaking of whom... hey Garon, seen any sexy babes lately? How's Premier Financial?

The wheels of justice grind slowly - Garon's spamhaus dates back to early 1999 - but they grind extremely fine. I'm gonna eat an 8-oz filet mignon tonight. I'm sure Jay will be eating meat soon too, but of a different sort.

Buh-bye, Jay. You might as well let the door hit you in the ass on the way out. A little tenderizing might make it easier on ya when Bubba comes a knockin'.

What would be worse...

[jamus]

make him eat SPAM every day for 7 years.

That would be a deterent.

His guilty plea...

[lambda]

He actually passed his guilty plea to the judge in the form of a chain letter:

Please e-mail this plea to 5 people in the courtroom, who will then in turn e-mail it to 5 more people...

Failure to do so will result in the death of your immediate family, increase of Oracle pricing for your employer, and the installation of RedHat 7 on your C++ development machine.

Thank you.

Re:Relaying

[Chris+Mattern]

> After all, no-one is complaining that having
> open mailboxes outside every post office is a
> security problem

Yes, they are. You can no longer post packages
via public mailbox because of security reasons.
Remember the IMF protests in Washington back in
April? I work half a dozen blocks from the IMF;
I remember when the security guys came and removed
all our street mailboxes to prepare for the
protests. They did put 'em back afterwards, but
still, it was a pain.

Chris Mattern

But an open relay is the right thing to do

[bluGill]

There is a big difference between what is right and what we do. When I left my house this morning I locked the door behind me. The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it. I know she will return the favor next time I'm short and egg for my morning omlet.

An open mail server is likewise a nice thing to provide for those people who have unreliable internet connections. I temparly store mail on your server until my buddy gets online, and then you send it while my server is offline.

Trust for your fellow man should be the normal way of dealing with things. Locks should be to prevent kids from playing with balsting caps, not to keep theives out. Fraud and abuse should be completely unknown.

No I agree admins should lock down their mail servers. However everyone should feel very bas about having to do it. Locking down a mail server says bad things about socity.

Re:But an open relay is the right thing to do

[Winged+Cat]

Reply or moderate...reply or moderate...

The right thing to do however would be to leave the door unlocked so that if my neighbor ran out of sugar in her baking she could walk in and get it.

Nope. The right thing to do would be to give your neighbor, and anyone else you trust, a key to your house. It has been mathematically proven that "trust always" and "never trust" are not optimal solutions to a wide variety of Real Life cases, at least where they can be reduced to math (for instance, Prisoner's Dillema). "Trust but verify" isn't just a catchy name for an algorithm in some abstract case; it works quite well in the real world. Assuming the common assumption that what works best in the long term is morally correct (that being how history tends to be written), why should anyone feel bad about doing what works?

Proportional Response?

[weston]

I agree with the other posts that have said that 7 years in jail seems a bit over the top, especially considering that many of us endorse white hat hacking. Maybe even grey hat.

I think computer security law should reflect physical security law, and provide for different kinds of crime. As far as I know, neither "trespassing" nor "breaking and entering" land you seven years in the slammer.

Now, using a mail server to send unauthorized resource wasting mail is probably a crime. Taking someone's car for a spin w/o permission or pirating airwaves on a spectrum allocated to someone else are probably comparable law breaking actions (if you disagree, find something closer). Is 7 years in jail a crime fitting punishment?

There's different grades of trespassing and use of others property. Computer law should reflect this as well.

Re:Proportional Response?

[dsplat]

There's different grades of trespassing and use of others property. Computer law should reflect this as well.

This is an excellent point. I used to argue that the difference between murder and attempted murder should merely be considered to be good luck on the part of the victim and not a difference in sentencing. Then I read this book. David Friedman makes good arguments for different punishments for different crimes.

The major problem with making the penalties too severe is that it encourages additional crimes in an attempt to destroy the evidence or evade capture. To use this particular case as an example, if the penalty of grossly misusing someone's server is roughly the same as the penalty for completely destroying all of the data on it, it gives the criminal an incentive to wipe the system when he's done with it to be sure that no footprints are left behind.

Relaying

[Anoriymous+Coward]

I suppose with the demise of UUCP mail (cue for someone with a ! in their email address to pipe up), and the increased connectivity of the internet, no-one really needs to relay email any more. I still think it's sad that this has to be done. After all, no-one is complaining that having open mailboxes outside every post office is a security problem, yet this is the exact real-world analogy (allowing for differences in sender-pays versus recipient-pays).

I think the sympathies here on /. are clear cut. If the guy had hacked in and left the sysadmin a note how he did it, he should walk away. But because he was using the machine for spam (not to be confused with SPAM) he should be hanged, drawn & quartered. And that's only because we're feeling nice. It's the difference between finding a back of US mail & returning it to the Post Office, or filling it with postage-due credit card scams.

Re:While we're at it...

[TheCarp]

I disagree.

I see, fundamentally, no difference between forging a check to steal money from a persons account, and what spammers do.

They connect to another host, and exploit a configuration flaw to send mail through it. They masquerade as a legitimate user (just as a check forger masquerades as a legitimate check writter for an account) to achieve their end.

Now hacking is another story. I see no problem with "hacking". Exploiting holes to gain elevated privilidge for the sake of doing it...and then closing those holes and helping those who run the system to fix the problem...thats another story.

There is quite a difference between breaking in as an example, the so called "ethical hacking", like what happend to slashdot a few weeks/months back, and exploiting a hole for personal gain.... over and over again.

Spammers are the most unethical creatures! They join online services with full intention of violating the Terms of Service. They search for "weak" hosts and then use them to launch their spam.

They remove all of the grief onto others. They cause the admins of the systems (who are not totally without blame usually) to get floods of abuse reports and cause them lots of greif. They then just open another account and do it all over again - closing their account doesn't even slow them down! As an added bonus, their mail floods slow down the hosts that they are using - causing mail delays and resource issues for legitimate users of the machines.

It is simple theft of resources, and they do it over and over again. Reaping the rewards at essentially zero cost to themselves. They can send out thousands upon thousands of messages for mere pennies.

If they setup their own domains, with their own legitimate mail servers, and used those to spam from - then I wouldn't have a problem with them. Of course, every mail server and ISP in existance would have them blocked at the boarder router within a week, and they know it - so they act like parasites, feeding off weak systems - and transfereing all of their costs to others.

They change their usernames and things often (want to see my spam message folder? Its interesting to see the tiny changes they make to things - one has to imagine specifically to get around blocking filters)

Make an example of the bastards I say. They are parasites.

-Steve

7 years for spamming?

[SpinyNorman]

Hell, it'd be nice to see people serve 7 years for murder

For spamming it'd be more appropriate to give them a large fine and temporarily ban them from any computer career (a la Mitnik).

Re:While we're at it...

[Tackhead]

>I mean, a civil action would be merited, and perhaps some monetary penalty, but JAIL??? I don't know, this worries me. It is a dangerous precedent.

What part of "denial of service attack" do you not understand? (Ever seen an open relay try to process 500,000 bounces?)

What part of "theft by trespass to chattel" do you not understand?

What part of "unauthorized access to a computer system" do you not understand?

But honestly, I'm glad they got him on the forgery charge instead of all of the above charges (i.e. forging a bogus return address) - because it's a very real attack (via 50,000 flames!) on a victim whose systems were completely unrelated to the damn open relay in the first place.

And it's a hell of a lot easier to say to the owner of a forged domain "consider suing the spammer for trademark infringement for forging your domain name into the spam" (civil suit launched at the victim's expense) to "Please contact the district attorney in (spammer's dialup's general area) and ask him to place criminal fraud charges upon the spammer" (a criminal suit).

> but JAIL???

I've found that a pretty good way of not going to jail is not to commit crimes like theft or forgery. Works for me.