FBI Plans Spammer Smackdown

An anonymous reader writes "ZDNet News reports: '...the FBI told Congress on Thursday that it has 'identified over 100 significant spammers' so far and is targeting 50 of the most noxious for potential prosecution later this year.' and that '...an 'initiative is being projected for later this year in which it is anticipated that criminal and civil actions under the Can-Spam Act of 2003 will be included.'"

Same old...

[bendelo]

Your post advocates a

( ) technical ( ) legislative ( ) market-based (*) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(*) No one will be able to find the guy or collect the money
(*) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(*) Lack of centrally controlling authority for email
(*) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(*) Asshats
(*) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(*) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(*) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(*) Extreme stupidity on the part of people who do business with spammers
(*) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
(*) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(*) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(*) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(*) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Same old...

[bendelo]

It was not intended as a troll, it was meant to be humourous. The usual response to a spam fighting technique.

Skeptical

[ralphb]

I'll believe that this stupid law is having a positive effect when I start getting less spam. Hasn't happened yet.

Re:Skeptical

[Otter]

Geez, and people wonder why the government is prone to grandstanding and empty gestures, or to policies written for them by lobbyists. They pass a sensible, cautious law, monitor violations and prepare to bring legal action against violators. And all they get is complaints that the magic anti-spam fairies haven't been deployed yet.

Basically, what the crowd here seems to want is that:

• Spammers should be summarily shot.
• To accomplish that, Internet anonymity should be eliminated for spammers, while not affecting the rest of us.
• Any such policy must apply to the entire world. Instantly.
• Oh, and if anyone can think of a way by which a single spam might slip through, a proposal is obviously worthless and the person who proposed it is a techno-illiterate simpleton.

And then you wonder why the legislators and regulators don't listen to nerds.

Re:Skeptical

[not_a_product_id]

The most effective option would be if NOBODY EVER BOUGHT ANYTHING OF THESE SCUMBAGS! Sadly that's not going to happen - the government could pass a law against stupidity but enforcement is always the tricky part. ;-)

Re:Skeptical

[Daniel+Dvorkin]

Spammers should be summarily shot.

As satisfying as that might be (public executions, please!) I don't think anyone really wants such a law. However, they should face substantial penalties; I don't think a few years in prison and multimillion-dollar fines and/or lawsuit liability are unreasonable for the worst of the "spam kings."

To accomplish that, Internet anonymity should be eliminated for spammers, while not affecting the rest of us.

Spammers, as individuals, have the same right to anonymity as everyone else. But anyone who is trying to sell me something wants me to give them money at some point along the line. That requires that they reveal their identity. And if the spammers are acting as contractors for someone else who is selling something -- type "bulk e-mail service" into Google and see how many hits you get -- then it is not unreasonable to require that they, too, reveal who they are.

Any such policy must apply to the entire world. Instantly.

Would that it could be so! But the next best thing would be to make having an effective spam policy a condition of international trade treaties, and again, I don't think that's an unreasonable requirement.

Oh, and if anyone can think of a way by which a single spam might slip through, a proposal is obviously worthless and the person who proposed it is a techno-illiterate simpleton.

Many anti-spam proposals are techno-illiterate, and it's fair to point that out when such proposals are made. Others, like CAN-SPAM, are the result of legislative sell-outs to entrenched corporate interests. I don't think anyone realistically expects ever to see a solution that eliminates every single spam. But it would be nice to see one that achieves a 90%, or even 75%, or hell, even 50% reduction in the volume we see now -- and certainly we don't want to see "solutions" that actually give spammers more freedom to spam under certain circumstances, as CAN-SPAM does.

CAN-SPAM is not a "sensible, cautious law." It is a very nearly toothless law. If it puts one or two spam kings out of business, well, good. But it's not what we need to make a measurable difference in the total amount of spam now clogging the Net.

Re:Skeptical

[edp]

"Basically, what the crowd here seems to want is that:"

That is utter rubbish. It is ad hominem and is not consistent with comments I have generally observed in Slashdot.

"Spammers should be summarily shot."

Redress should be quick and effective, like the ability of recipients of unlawful telephone calls to sue in small claims court.

"To accomplish that, Internet anonymity should be eliminated for spammers, while not affecting the rest of us."

Anonymity should be preserved in web browsing, participating in discussion fora where the owners desire that, sending email where the recipients desires to allow sender anonymity, and in other communications where all parties consent to such arrangements. Anonymity should not be allowed in sending email if the recipient does not desire that.

"Oh, and if anyone can think of a way by which a single spam might slip through, a proposal is obviously worthless and the person who proposed it is a techno-illiterate simpleton."

The flaws of the CAN-SPAM act are many orders of magnitude greater than letting a single spam slip through. The CAN-SPAM legitimized spam that was illegal before, by overriding state laws. It provided no effective redress. It did not outlaw much, perhaps most, of the spam that people do not want, even within US jurisdiction.

Re:Skeptical

[anticypher]

The appearance of a law does nothing until there is enforcement action backing it up.

This is what I've been waiting for, positive action by a law enforcement agency against the worst criminal spammers. The pathetically few lawsuits by US States Attorneys General against a few spammers hasn't made much of a dent in the levels of spam. But I'm convinced that a handful of US based spammers account for 60% or more of all spam today.

When the NY Attorney General, Elliot Spitzer, launched his attack against Opt-in Real Big, that flow dwindled to almost nothing. Since then, Richter has either sold off his spam lists, or just no longer up front admits to being ORB. The spams against some honeypot accounts that for the last year were exclusively getting ORB spam have started getting spam from a dozen different groups recently, all using chinese, comcast or wanadodo hijacked machines. At least for a few months there was a perceptible decrease in some spam.

Knowing the FBI, they will make a few headline grabbing busts, complete with news agencies being tipped off in advance so camera crews will be on hand to film the heavily armed agents swarming a trailer park in south Florida. With any luck, the spammers will make sudden, hostile moves towards something in their waistbands, resulting in a "lethal and appropriate" response from the LEOs. I would pay for a copy of that video.

The FBI may also be using these busts as a way of seizing computers which may hold leads to virus/worm writers who then sell botnets to spammers. The spammers machines may also hold leads to dozens of other criminal activities, which may impact US national security. Even if the spammers lose all their electronics until after the trial, they will still be offline. Especially if their bail conditions include a ban from using any computer or communication device.

The Federal prosecutors will lump dozens or hundreds of charges against the spammers, knowing they will eventually plea-bargain down to a few charges which will get them only a few years in prison. There will be much press coverage, and many other amateur spammers will decide for less risky fields of criminal enterprise. This action will never eliminate all spam, but it will put a big dent in it.

It will be interesting to see what level of participation the spam hunting community provides to the FBI. Although the FBI may go it alone, there are a lot of us with a strong technical background willing to put in some hours to provide forensic evidence which can hold up in court.

the AC

One can wish

[mpost4]

I wish this would have an inpact on spam. And I hope these spammers get the max sentence the law allows for, but I don't think this will even put a dent in the amount of spam that is slowing the net down.

Re:One can wish

[leerpm]

According to some sources, there is really just a core group of about 200 people responsible for most of the spam. If even half of those people are thrown in jail, it will have a major effect on spam. And most of the remaining ones will get out of the business, simply out of fear of going to jail. It is true that spam is a money making business for some, but the level of profits would have be a lot higher to make it worthwhile for someone to take on a real increased risk of spending time in a federal prison.

Of course there will be some that set up shop in other countries, but they would have to physically move there to be beyond the reach of authorities here. I am willing to bet, most spammers are not willing to give up the good lifestyle that is provided for them in the US (or other Western developed countries), and will simply get out of the spam business and find other employment. Or maybe spam will simply get outsourced to India..

Re:One can wish

[rusty0101]

I would hate to put rapists and murders at the level of the spamers. As noted in the first response visable the punishment is not slow enough or painful enough to suit a large percentage of the population.

Calculation error, spam/ham ratio of 71/100 is a 42% spam volume. a 71% spam volume would be 71/29 spam/ham ratio. Considering the volume of spam I am getting, I would not be at all surprised if you were getting a 71/29 spam/ham ratio, which would support the 71% claim.

As for a punishment, I think that if the convicted spammer has not been counting the total number of messages they have sent (cc/bcc etc. counts as one message per address) then the feds should ask for a minimum of 1 us cent per e-mail address per day from the date of the earliest reported spam, through the date they pay the fine off. Thus if the spamer has a list of 10 million e-mail adresses, they will be fined aproximately $36.5 million per year. That should take care of the "profit" incentive.

-Rusty

Re:One can wish

[JuggleGeek]

Spam is no different.

Yes, it is. A lot of people *want* drugs, just like a lot of people *wanted* alcohol back during prohibition. Outlawing something that is popular with large numbers of people is quite difficult.

People do not want spam. A few people want to send spam to everyone else - but the recipients don't want it. Even the spammers don't want their own email boxes full of junk.

I got scammed by all the spams..

[brxndxn]

Good! My penis never got any larger. Horny wives never had sex with me. My prescriptions for Xanax never arrived. My cheap version of Windows XP wouldn't activate. My home loans never came through. Michelle's page made just for me had 900,000 visits and I'm beginning to think she is cheating on me...

They're all scammers - a bunch of spamming scammers they are!!

Great

[digitalgimpus]

Spam has made email so rediculus it's amazing.

The FBI went crazy when someone crashed eTrade, Yahoo, etc. with a DoS attack...

But the world's email has been under a DoS attack for some time, while they stand idle.

Strange isn't it? Yahoo's website goes under heavy load, and it's criminal. Yahoo's mail goes under heavy load... and it's not.

Yes but

[Roland+Piquepaille]

the FBI told Congress on Thursday that it has 'identified over 100 significant spammers

That's very nice, but the fact remains that 90% of all spam originates from countries that are out of the FBI's jurisdiction. What are they going to do about it?

It nothing else, American spammers will just move their operations abroad. The FBI knows this very well, so I reckon they're just making noise and spewing hot air in an effort to look like they're on top of the problem, when really they're not.

Re:Yes but

[meringuoid]

That's very nice, but the fact remains that 90% of all spam originates from countries that are out of the FBI's jurisdiction. What are they going to do about it?

90% of spam is sent from servers outside the FBI's jurisdiction. That doesn't mean it originated there: it's sent by Americans who are offering products in America to an American market and expecting to be paid in American dollars to an American bank.

Unless the spammer is prepared personally to move overseas, sooner or later the matter comes into the FBI's jurisdiction.

And since when does being in a foreign country mean you can flout US law? Dmitri and Jon found that out to their cost. Criminals beware: you can no longer hide behind the figleaf of foreign national sovereignty!

Re:Yes but

[rekoil]

Actually, more and more spam is originating from various 0wned Windows boxen sitting on broadband lines right here in the US.

I think what you meant to say is that 90% of the websites advertised in spam emails today are offshore.

However, just because the servers are offshore does not mean that the spammers are foreign. If you follow the money like spamhaus.org does, you'll see that the large majority of the world's largest spammers are, in fact, based in the US. They simply host their servers in China.

In short, most American spammers have already moved their operations abroad. But as long as the spammers themselves are still here, they are very much subject to prosecution. It just takes more work to track them down. :)

Get the Feds out...

[WordODD]

Before CANSPAM some states like California were actually making some (little) progess with their own state laws. Now that we have the Federally sponsered CANSPAM act these most of these previous laws have been rendered useless/void and a lot of them were tougher on spammers then CANSPAM is. The Feds have enough to deal with already and, it would be in their best interests to let the states handle it themselves.

In Other News

[Greyfox]

Scott Richter suddenly becomes unavailable to debate SpamCop's Julian Haight.

How to filter better - a modest proposal

[infolib]

A lot of the spam I get is "We detected a virus in your mail" when in fact the sender of the infected mail just spoofed my address.

It would probably be better if the AntiVirus companies didn't send such "warnings" at all, but if they want to, they should standardize on including a header such as X-virus-warning-bounce. Then the rest of us could just filter them out. It would save some of my precious mental bandwidth.

Re:China

[DaHat]

Remember the title of the article you linked to?

71% of Spam Servers are Located in China

Just because the servers are there doesn't mean the are being used by locals.

It is very likely that a good % of those Viagra spams we all so love may be sent from a Chinese server, but it is nearly as likely that they are being initially sent from the US in the first place.

Re:Juxtaposition of laws...

[jfengel]

Actually, soldiers who abuse prisoners can receive a lot more than a year in prison. The first guy got one year because he wasn't directly involved; he just took the pictures. Look for stiffer sentences in the future.

How spam is affecting me.

[suso]

Personally, it's not a big problem for me, I filter out most of my spam. Or delete the ones that don't get filtered.

But as for my internet services business, it makes it hard because all the customers are getting slammed with spam and I'm always trying to do things to rememdy that, instead of working on better stuff like a nicer user control panel, better backup features, adding virtual IMAP accounts, etc.

We had the same problem at the ISP I used to work at. 50% of the sysadmins jobs where to deal with spam related problems.

So there is a measurable loss of money and productivity as a result of spam.

Cut it out already

[johannesg]

This article invariably gets posted whenever someone proposes a solution to spam. Has it ever occurred to you that a single solution is not going to work, but that it _will_ be possible to reduce the problem by taking a number of (in themselves incomplete) measures? And that it is necessary to take such steps, in order to reach a sufficiently acceptable solution?

By shooting down everything that looks like a beginning to a solution, you are defending the spammers and postponing the date when our inboxes will once again be _ours_.

Some comments on the items you selected:

> (*) No one will be able to find the guy or collect the money

You won't know until you try, do you?

> (*) It is defenseless against brute force attacks

Maybe, but we still get to see the 50 most obnoxious spammers go through a courtcase and hopefully jail time or major fines. That is good enough for me.

> (*) Requires too much cooperation from spammers

Eh? Once the FBI figures out where they live, all they need to do is be home when they knock on his door. And then hopefully resist arrest in some extreme manner.

> (*) Open relays in foreign countries

Any spammer based in the US is vulnerable, though. Start with those, then think about how to get the rest. I'm sure some method will make itself apparent.

> (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

That's because people like you shoot them down before they are ever tried.

us spam

[cstream_chris]

You're all silly. Over 55% of the world's spam originates in the US with the closest 2nd being Canada at 6.8%. See Sophos Dirty Dozen at: http://www.sophos.com/spaminfo/articles/dirtydozen .html Additionally, over 90% of the world's spam comes from just 200 well known spammers (w/ Alan Ralsky being #1). See ROKSO (Registry of Known Spam Operations): http://www.spamhaus.org/rokso/index.lasso Anyway, it's good the US is finally going after some of these people since individuals are no longer allowed to sue spammers under the Can Spam Act (aka "You Can Spam Act")

one solution I never see mentioned

[zogger]

and that is a large, non commercial email system. All the members sign up, pay a fee of some sort of adequate folding money for an email account, something high enough to make it practical to have an account, and impractical enough for spammers to use it. It's like a built from scratch giant whitelist. Any infractions, you are out. Something like the proposed google email system, that big I mean, but zero commercial traffic, none, not for any reason. The fees go to pay for the servers and bandwith, etc of the org that runs it. It would be viral in the sense that you as joe emailer tell your friends/whomever you normally conduct non commercial email with "here's my new address, it's restricted. The company doesn't allow commercial email at all, in fact, zero mail gets inside the system from outside the system. the email must orginate and terminate totally inside the system of registered users.. You can email me at this addy,after you register yourself, but don't CC to people outside, no spam or ads are allowed,you have to do your best on keeping your own computer clean, you assume responsbility for that, and this is how you can contact me now if you want to, your choice".

Then stick with it.

The main problem with email is it's so easy to have unlimited emails, so easy to create them. If an email addy was actually worth as much as say your snail mail addy or your phone number, it wouldn't be quite as bad. I don't think it would ever get perfect, but I bet it could eliminate the bulk of the bad stuff. What would an email addy that good be worth per year? I guess that's a variable, perhaps a downpayment, then a bandwith charge over a certain amount of traffic in and out of your box.

And no, I really don't have any technical details of how to go about it, outside my area of expertise. Maybe it's impossible, I don't know, but it seems like it *should* be possible. And there's nothing stopping anyone from keeping their "old" style email in addition, but at least it would be one account you know was mostly rid of spam and viruses and whatnot right from the git-go..

Instant results aren't promised

[Ra5pu7in]

Good grief. No law suddenly causes all violators to stop their behavior. Laws against monopolies didn't make businesses suddenly see the error of their ways and break up. Laws against racism and segregation haven't ended prejudice. The laws are merely tools allowing some authoritative body to take action against the worst offenders (and sometimes the lesser offenders).

Take laws against racism and segregation. Until the military came along and forced some schools to accept non-white students, they would have gone right on ignoring the law. It took 1) someone reporting the violation, 2) someone investigating the violation, 3) someone enforcing the punishment for the violation, and 4) someone making it know through action that violations would not be acceptable.

The FBI is investigating and getting ready to go after spammers. They have not yet enforced the punishments, but they have the authority to confiscate possessions bought with the proceeds or used in spamming (much as the IRS does for tax evaders), so losing homes and cars and computers should begin to make it less profitable to spam. Until enough spammers lose a lot, the word won't spread that spamming doesn't pay. That doesn't make the law useless - it just means it hasn't had time to make much impact yet. The degree of the impact will depend on the continued enforcement (though I believe the ratio of FBI agents to spammers is a lot better than speeders to cops).

Of course, this won't stop all spammers. There will be the diehard group (likely with mafia-style connections) who go so deep underground that they are hard to find.

BTW, spammers by their very business, want to have someone able to find them -- their "customers". (Hey, perhaps we should go after the users instead of the dealers -- slap a $250 fine on any person who buys from spam. Soon, with no one responding to their offers, spammers would go out of business. Yeah, I know this wouldn't really work.)