Slashdot Mirror


Dictionary Spammer Fined $55,000 for Spam Attack

Lawrence_Bird writes "In a first, a Japanese district court has ordered a spammer to pay restitution to NTT DoCoMo for abuse of their imode system. 'The damage caused by large amounts of e-mail not reaching their destinations should be covered by the sender,' said the judge. The fine is about $55,000 and was based on an estimated cost to NTT of 1.2 yen per undelivered spam ($0.01) for the 4 million spams that were undeliverable. What is most startling is NTT DoCoMo's assertion that of the 950 million emails they receive each day, 880 million are not deliverable!"

21 of 175 comments

  1. Great by captainclever · · Score: 4, Insightful

    If only there were more rulings like this one, maybe it would make spammers think twice if they knew they could be fined.

    I want to see this guy fined per DELIVERABLE message as well though.

    --
    Last.fm - join the social music revolution
    1. Re:Great by Black+Perl · · Score: 2, Insightful

      If only there were more rulings like this one, maybe it would make spammers think twice if they knew they could be fined.

      Are you kidding? This will encourage more spam. The spammers are saying, "they only got fined $55,000? That's decent ROI. Let's spam DoCoMo!"

      --
      bp
  2. "880 million" by rf0 · · Score: 4, Informative

    I think that it should be clearer that those 880 million are sent to *non-existent* addresses. The slashdot article makes it look like their infrastructure can't cope...

    Rus

    1. Re:"880 million" by Bendy+Chief · · Score: 2, Insightful

      IANA network admin, but wouldn't all that sending put something akin to a huge glut of SMTP traffic on their routers? CPU cycles and bandwidth are hot commodities even if he's not getting what he wants.

    2. Re:"880 million" by tomhudson · · Score: 3, Interesting

      It was a "dictionary attack". This means trying all sorts of combinations of common names, words, and numbers (cf: /usr/libcrack*). Almost none of them would be deliverable, as there are no subscribers.

      Unfortunately, my cell plan's email addy is my 10-digit phone number+@+my phone company. It's easy for spammers to just send to every possible cellphone number. I would think that they (the cellphone company) would allow you to add either a prefix or suffix to the number, to keep down spam. I guess this is why they don't charge for the first 2500 sms messages received each month - to keep down complaints.

  3. Well... by acehole · · Score: 4, Funny

    They tried to email the judgement to him but for some reason thiscouldbeyou@riches.await.com kept bouncing...

    --
    Be you Admins? nay, we are but lusers!
  4. A great precedent! by Bvardi · · Score: 5, Interesting

    Now if only more countries would do this kind of thing - recognizing that spam has a financial impact on ISPs and on the end consumer, and that especially mass "dictionary" based attacks to randomly find accounts are the internet equivalent of dropping millions of leaflets from an airplane for advertising purposes. (In which case they'd be rightly charged with littering and other offences.)

    Plus they got zapped for undelivered email - avoids the whole "opt in/opt out" argument (difficult to prove always that someone didn't accidentally "opt in" at SOME point and you KNOW the spammer is going to claim that they did) AND it also is likely far more costly than targeted spam attacks. (If you send to a 90 percent valid email list chances are you are sending to a few hundred thousand addresses. You do a dictionary attack you are sending to MILLIONS of addresses... which would you rather see them get charged cash for?)

    It's a good start if you ask me (though of course part of me thinks that locking them in a small room with one angry ferret per 1000 emails would be a good way too... but that might be going too far. Probably. I mean, think of the poor ferrets?)

    Bvardi

    1. Re:A great precedent! by phorm · · Score: 3, Funny

      Probably. I mean, think of the poor ferrets

      How about something more like a reality-TV show? For every 100/1000 spams sent... they spend one day on a deserted island. The island has water... but little food.

      Eventually... we can wait until they turn on each other, or start suffering from malnutrition, whatever.

      Disclaimer: I strongly dislike "reality TV", but I'd buy a dish and PPV just to see a bunch of miserable spammers shipped to some godforsaken remote destination

    2. Re:A great precedent! by override11 · · Score: 3, Insightful

      That's why I don't understand why ISPs don't get more involved in fighting SPAM, it's costing THEM money. You would think that a big backbone like UUNET would spend a chunk of change to create 100% accurate filters and be pro-active on blocking out this bull-crap. It would only benefit them down the road.

      It would even waggle the magic word 'ROI' in front of the execs, so why isn't it happening yet??

      --
      No I didnt spell check this post...
  5. Re:good by PerryMason · · Score: 3, Informative

    ...as someone who recently had an email server relay raped

    Hmmm. Not to come across too harsh or anything, but you _really_ should test these things. Rather than just assuming that it wasn't "accessible to the open", you should telnet to your mail server and test the possible relay methods, or at the very least, register with abuse.net and let their online tester do the work for you.

    As you have no doubt seen, getting a server off ORBS and the like is really a LOT more hassle than testing in the first place. Additionally, as you say "[i]t's about time people realise that stuff like this has very real consequences..." This works both ways. If you don't secure your systems, they _will_ be taken advantage of, and next time it will be Company X suing you for permitting your mail server to be used in spamming them and not just Company X suing the spammer.

    --
    "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  6. Not deliverable? How about, not readable! by dsplat · · Score: 2, Interesting

    Of the dozens of spam messages I get every day, at least 20% of them are unreadable. I'm not counting the ones that are in languages that I don't know. I'm talking about the ones that are sent in an encoding that isn't properly reflected in the headers. Then there are the ones that are in such poorly formatted HTML that they just won't display.

    --
    The net will not be what we demand, but what we make it. Build it well.
  7. Not on slashdot by XCondE · · Score: 2, Insightful

    I long for the day those fines are so common they don't even make it to /.

  8. Re:They only have themslves to blame by RembrandtX · · Score: 2, Insightful

    Do you like telemarketers too ?

    Sending unsolicited e-mail is NOT a legitimate business practice. Sending unsolicited e-mail is closer to harassment than it is to legitimate communication.

    If your theory held, then people wouldn't get spammed with crap like penis/breast enlarging cream, Yugoslavian tractor deals, or offers to become ordained ministers - they would get spam about things that INTERESTED THEM, 100% of the time.

    You are confusing the issue, by assuming that all businesses have a right to free (as in beer) advertising, which as common sense dictates, is totally 180 from the truth.

    I work for a Fortune 500. We send e-mail. We ONLY send email to folks who have opted into our mailing lists (by default, we are, across the board, an opt-out company - meaning we will assume you wanted to opt-out before we send you a lick of e-mail.)

    One important nugget of info you glossed over in advertising is the basic concept of 'target'. We make power tools, as a result, we normally do NOT advertise in .. let's say .. Cosmo Magazine, or Mother Earth News etc.

    We follow the same practices with e-mail we send. Believe it or not, it actually DOES cost money to send bulk e-mail. As much as a TV ad ? no, but it still costs money, and as anyone who ever worked for big business can tell you - coming across ANY money is not always easy.

    So, my long rambling has this point : Advertising is targeted communication with your audience. Spam is Blind-Monkey-Flailing at anyone who is listening.

    Saying that Spam is advertising, is like saying that the Homeless-Evangelist-Guy who shouts about the *End of the World*(tm) in the middle of Times Square - is actually the pope.

    --

    --Ne auderis delere orbem rigidum meum, non erravi pernicose!
  9. Re:Damn! by $rtbl_this · · Score: 4, Funny

    I think you'll find they're just being blackholed. *rimshot*

    Ew. I really wish I hadn't just used the syllable "rim" in that context.

    --
    "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  10. Dictionary Spam = DoS Attack by Michael_Burton · · Score: 2, Insightful

    This kind of mass mailing should be treated the same as a deliberate denial of service attack. Dictionary spammers tie up target servers without any reasonable expectation that most messages will reach an actual user. It is a consciously malicious act, and should result in criminal penalties, including prison time.

    --
    When all you have is an axe, everything looks like a grindstone.
  11. It's about time... by hafree · · Score: 3, Interesting

    It's about time someone set a precedent in determining the cost of spam. Not just in terms of denial of service, but also the amount of time it takes people to deal with it.

    Many people don't realize what a hassle spam can be, until you try to put a monetary cost on it. Let's forget about the resources it uses and just look at how much time it consumes to delete... For the sake of using round numbers, let's say it takes someone 5 seconds to identify a message as spam and delete it. That means in an hour they can theoretically delete 720 pieces of spam. I don't know about the rest of you, but I regularly receive about 100 pieces of spam on a typical day. That means that about 2.6% of your paycheck goes towards you deleting spam. For an employee that makes $50k/year, this comes out to approximately 3.5 cents per piece of spam received, or $1277/year...

    1. Re:It's about time... by Kombat · · Score: 2, Insightful

      it takes someone 5 seconds to identify a message as spam and delete it.

      5 seconds??? Are you insane? Look at your watch. Now wait 5 seconds. That's an eternity. Why on Earth would it take anyone that long to look at an email and determine "Hey, who the %*#@ is this and why are they emailing me about penis creme?"

      Personally, I can scan through a list of email subjects and senders (i.e., the folder - don't even need to see the messages' contents) and identify spam by the dozens. Even still, for the sake of argument, let's say it takes a whole second per spam.

      Now, for the other holes in your ludicrous argument.

      I don't know about the rest of you, but I regularly receive about 100 pieces of spam on a typical day.

      At work? Then you work for a really crappy company. Even the tiniest of companies use spam filtering software. In the last 4 years, and at two separate companies, I've only ever received I think 2 spams IN TOTAL. Certainly not "100 per day." Sure, I get that much at home, but no one's paying me for that time, so you can't count that as lost productivity or economic cost or whatever.

      So for normal employees, who can identify spam in 1 second instead of 5, and who receive 2 spams a year on their work account instead of the 26,000 you assert you receive, that amounts to about 0.0000001% of their paycheck, or precisely $0/year. Zero net impact on the company, other than loading down their mail servers a little more than usual as the spam filters do their thing.

      If you get 100 spams a day on your work account, then either you're self employed and too lazy to set up even the most rudimentary spam filters, or your company sucks, or you're an idiot and use your real, work email address every time you sign up for a Honda mailing list or NASCAR "Speed Bulletins."

      Stop the FUD. Spam sucks, but don't pretend it costs us more than a few seconds of our time or a few dollars of extra IT work. I get a kick out of all these people who complain that it takes them 30 valuable seconds of their free time in the evenings to delete a few dozen spams. Yet they'll sit there and waste hours on a Diablo game. If their time is so valuable, how come they spend so much time planted in front of the TV or surfing useless websites?

      --
      Like woodworking? Build your own picture frames.
  12. Dealing with dictionary attacks by andy@petdance.com · · Score: 2, Interesting

    If their mail servers are swamped with 880,000,000 emails daily from dictionary attack, I'd think the easiest solution would be to throttle the mail servers. "Oh, I got an invalid recipient, I'll pause 5 seconds before I respond." (Adjust 5 seconds to whatever makes most sense) For most legit users, that shouldn't be a problem. For the spammers, it means they can make at most 17280 attempts per day per MTA.

    1. Re:Dealing with dictionary attacks by XCondE · · Score: 2, Informative

      Postfix does that out of the box.
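
The throttling idea from the comment above ("pause 5 seconds before I respond"), as an added example that is not part of the thread and not Postfix's code. The class name, the soft/hard thresholds, the addresses and the sample events are all constructed assumptions; the example also shows that the 17280-per-day figure is a per-session bound.

```python
from collections import defaultdict

SECONDS_PER_DAY = 86400

def max_probes_per_day(delay_s, parallel_sessions=1):
    """Upper bound on rejected-recipient probes when each costs delay_s.
    The bound is per SMTP session, so it scales with open sessions."""
    return int(SECONDS_PER_DAY // delay_s) * parallel_sessions

class RecipientTarpit:
    """Per-client bad-recipient counter (thresholds are assumptions)."""

    def __init__(self, delay_s=5.0, soft_limit=2, hard_limit=5):
        self.delay_s, self.soft_limit, self.hard_limit = delay_s, soft_limit, hard_limit
        self.errors = defaultdict(int)

    def on_rcpt(self, client_ip, mailbox_exists):
        """Return (smtp_reply_code, delay_seconds, disconnect)."""
        if mailbox_exists:
            return 250, 0.0, False
        self.errors[client_ip] += 1
        n = self.errors[client_ip]
        if n >= self.hard_limit:          # persistent guessing: end the session
            return 421, self.delay_s, True
        # A typo or two costs nothing; only repeat offenders are slowed.
        return 550, (self.delay_s if n > self.soft_limit else 0.0), False

# Constructed sample events: (client IP, recipient, mailbox exists?)
SAMPLE_EVENTS = (
    [("192.0.2.10", "alice@example.jp", True),
     ("192.0.2.10", "alcie@example.jp", False),   # one honest typo
     ("192.0.2.10", "bob@example.jp", True)]
    + [("203.0.113.7", f"user{i:04d}@example.jp", False) for i in range(8)]
)

def replay(events, tarpit):
    """Run events through the tarpit; return per-client delay and drop state."""
    summary = defaultdict(lambda: {"delay": 0.0, "dropped": False})
    for ip, _rcpt, exists in events:
        if summary[ip]["dropped"]:        # session already closed
            continue
        _code, delay, drop = tarpit.on_rcpt(ip, exists)
        summary[ip]["delay"] += delay
        summary[ip]["dropped"] = drop
    return dict(summary)

if __name__ == "__main__":
    print(max_probes_per_day(5))
    print(max_probes_per_day(5, parallel_sessions=20))
    print(replay(SAMPLE_EVENTS, RecipientTarpit()))
```

Because the bound multiplies with the number of simultaneous sessions, a receiving server that delays error replies also needs a per-client connection limit for the throttle to hold.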

  13. Re:Maybe this is the method need for spam control by SunPin · · Score: 2, Insightful

    Good idea. While I get maybe 10 undeliverable per month, I'd still push for the idea. The problem, at least in the US, is that paid email will potentially run afoul of antitrust laws.

    Paid undeliverable outgoing mail, however, might just work. It doesn't require the collaboration of other companies in a cartel-type form. While it doesn't require cooperation, it does require a giant like AOL to implement it before everyone else will follow.

    There is precedent for stuff like this. In video games, EA took the first step in making smaller boxes for retail shelves. Within three months, everyone else followed. Almost a year later, you can't find an 8x11 or larger box anywhere.

    --
    Laws are for people with no friends.
  14. Say no to excessive "costs" by morcheeba · · Score: 4, Interesting

    I like the verdict and think that the fine is appropriate, but I don't like how it was calculated. Maybe the article misrepresented it, but charging $0.01 per spam seems excessive.

    The article says 880 million undeliverable emails are sent every day. At a penny a piece, that's USD$8.8million / day, or $3.2 billion/year. The company does $42 billion in sales per year, I doubt that they spend 7.6% of their income on spam. Or, for that matter, give me $3b/yr and I'll provide the equipment to totally filter all of their undeliverable mail -- they'll save their shareholders $200 million!

    I just wish they said "it cost us 1 man-year of work to stop this guy" and cost it that way instead of making up numbers per message. It's this kind of unjustified damage estimate that "cost" Sun $80 million of money that was good enough to tell a judge under oath, but too bogus to tell their shareholders. I doubt NTT has a $3.2b line-item on their annual report.

    (and, as others have pointed out, this 880milMsg/day is misaddressed mail - trivial to filter out and it never consumes any expensive RF bandwidth)