FBI Plans Spammer Smackdown

An anonymous reader writes "ZDNet News reports: '...the FBI told Congress on Thursday that it has 'identified over 100 significant spammers' so far and is targeting 50 of the most noxious for potential prosecution later this year.' and that '...an 'initiative is being projected for later this year in which it is anticipated that criminal and civil actions under the Can-Spam Act of 2003 will be included.'"

Same old...

[bendelo]

Your post advocates a

( ) technical ( ) legislative ( ) market-based (*) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(*) No one will be able to find the guy or collect the money
(*) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(*) Lack of centrally controlling authority for email
(*) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(*) Asshats
(*) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(*) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(*) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(*) Extreme stupidity on the part of people who do business with spammers
(*) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
(*) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(*) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(*) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(*) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Skeptical

[ralphb]

I'll believe that this stupid law is having a positive effect when I start getting less spam. Hasn't happened yet.

Re:Skeptical

[Otter]

Geez, and people wonder why the government is prone to grandstanding and empty gestures, or to policies written for them by lobbyists. They pass a sensible, cautious law, monitor violations and prepare to bring legal action against violators. And all they get is complaints that the magic anti-spam fairies haven't been deployed yet.

Basically, what the crowd here seems to want is that:

• Spammers should be summarily shot.
• To accomplish that, Internet anonymity should be eliminated for spammers, while not affecting the rest of us.
• Any such policy must apply to the entire world. Instantly.
• Oh, and if anyone can think of a way by which a single spam might slip through, a proposal is obviously worthless and the person who proposed it is a techno-illiterate simpleton.

And then you wonder why the legislators and regulators don't listen to nerds.

Re:Skeptical

[not_a_product_id]

The most effective option would be if NOBODY EVER BOUGHT ANYTHING OF THESE SCUMBAGS! Sadly that's not going to happen - the government could pass a law against stupidity but enforcement is always the tricky part. ;-)

Re:Skeptical

[Daniel+Dvorkin]

Spammers should be summarily shot.

As satisfying as that might be (public executions, please!) I don't think anyone really wants such a law. However, they should face substantial penalties; I don't think a few years in prison and multimillion-dollar fines and/or lawsuit liability are unreasonable for the worst of the "spam kings."

To accomplish that, Internet anonymity should be eliminated for spammers, while not affecting the rest of us.

Spammers, as individuals, have the same right to anonymity as everyone else. But anyone who is trying to sell me something wants me to give them money at some point along the line. That requires that they reveal their identity. And if the spammers are acting as contractors for someone else who is selling something -- type "bulk e-mail service" into Google and see how many hits you get -- then it is not unreasonable to require that they, too, reveal who they are.

Any such policy must apply to the entire world. Instantly.

Would that it could be so! But the next best thing would be to make having an effective spam policy a condition of international trade treaties, and again, I don't think that's an unreasonable requirement.

Oh, and if anyone can think of a way by which a single spam might slip through, a proposal is obviously worthless and the person who proposed it is a techno-illiterate simpleton.

Many anti-spam proposals are techno-illiterate, and it's fair to point that out when such proposals are made. Others, like CAN-SPAM, are the result of legislative sell-outs to entrenched corporate interests. I don't think anyone realistically expects ever to see a solution that eliminates every single spam. But it would be nice to see one that achieves a 90%, or even 75%, or hell, even 50% reduction in the volume we see now -- and certainly we don't want to see "solutions" that actually give spammers more freedom to spam under certain circumstances, as CAN-SPAM does.

CAN-SPAM is not a "sensible, cautious law." It is a very nearly toothless law. If it puts one or two spam kings out of business, well, good. But it's not what we need to make a measurable difference in the total amount of spam now clogging the Net.

Re:Skeptical

[anticypher]

The appearance of a law does nothing until there is enforcement action backing it up.

This is what I've been waiting for, positive action by a law enforcement agency against the worst criminal spammers. The pathetically few lawsuits by US States Attorneys General against a few spammers hasn't made much of a dent in the levels of spam. But I'm convinced that a handful of US based spammers account for 60% or more of all spam today.

When the NY Attorney General, Elliot Spitzer, launched his attack against Opt-in Real Big, that flow dwindled to almost nothing. Since then, Richter has either sold off his spam lists, or just no longer up front admits to being ORB. The spams against some honeypot accounts that for the last year were exclusively getting ORB spam have started getting spam from a dozen different groups recently, all using chinese, comcast or wanadodo hijacked machines. At least for a few months there was a perceptible decrease in some spam.

Knowing the FBI, they will make a few headline grabbing busts, complete with news agencies being tipped off in advance so camera crews will be on hand to film the heavily armed agents swarming a trailer park in south Florida. With any luck, the spammers will make sudden, hostile moves towards something in their waistbands, resulting in a "lethal and appropriate" response from the LEOs. I would pay for a copy of that video.

The FBI may also be using these busts as a way of seizing computers which may hold leads to virus/worm writers who then sell botnets to spammers. The spammers machines may also hold leads to dozens of other criminal activities, which may impact US national security. Even if the spammers lose all their electronics until after the trial, they will still be offline. Especially if their bail conditions include a ban from using any computer or communication device.

The Federal prosecutors will lump dozens or hundreds of charges against the spammers, knowing they will eventually plea-bargain down to a few charges which will get them only a few years in prison. There will be much press coverage, and many other amateur spammers will decide for less risky fields of criminal enterprise. This action will never eliminate all spam, but it will put a big dent in it.

It will be interesting to see what level of participation the spam hunting community provides to the FBI. Although the FBI may go it alone, there are a lot of us with a strong technical background willing to put in some hours to provide forensic evidence which can hold up in court.

the AC

I got scammed by all the spams..

[brxndxn]

Good! My penis never got any larger. Horny wives never had sex with me. My prescriptions for Xanax never arrived. My cheap version of Windows XP wouldn't activate. My home loans never came through. Michelle's page made just for me had 900,000 visits and I'm beginning to think she is cheating on me...

They're all scammers - a bunch of spamming scammers they are!!

Great

[digitalgimpus]

Spam has made email so rediculus it's amazing.

The FBI went crazy when someone crashed eTrade, Yahoo, etc. with a DoS attack...

But the world's email has been under a DoS attack for some time, while they stand idle.

Strange isn't it? Yahoo's website goes under heavy load, and it's criminal. Yahoo's mail goes under heavy load... and it's not.

Yes but

[Roland+Piquepaille]

the FBI told Congress on Thursday that it has 'identified over 100 significant spammers

That's very nice, but the fact remains that 90% of all spam originates from countries that are out of the FBI's jurisdiction. What are they going to do about it?

It nothing else, American spammers will just move their operations abroad. The FBI knows this very well, so I reckon they're just making noise and spewing hot air in an effort to look like they're on top of the problem, when really they're not.

Re:Yes but

[meringuoid]

That's very nice, but the fact remains that 90% of all spam originates from countries that are out of the FBI's jurisdiction. What are they going to do about it?

90% of spam is sent from servers outside the FBI's jurisdiction. That doesn't mean it originated there: it's sent by Americans who are offering products in America to an American market and expecting to be paid in American dollars to an American bank.

Unless the spammer is prepared personally to move overseas, sooner or later the matter comes into the FBI's jurisdiction.

And since when does being in a foreign country mean you can flout US law? Dmitri and Jon found that out to their cost. Criminals beware: you can no longer hide behind the figleaf of foreign national sovereignty!

Re:Yes but

[rekoil]

Actually, more and more spam is originating from various 0wned Windows boxen sitting on broadband lines right here in the US.

I think what you meant to say is that 90% of the websites advertised in spam emails today are offshore.

However, just because the servers are offshore does not mean that the spammers are foreign. If you follow the money like spamhaus.org does, you'll see that the large majority of the world's largest spammers are, in fact, based in the US. They simply host their servers in China.

In short, most American spammers have already moved their operations abroad. But as long as the spammers themselves are still here, they are very much subject to prosecution. It just takes more work to track them down. :)

Get the Feds out...

[WordODD]

Before CANSPAM some states like California were actually making some (little) progess with their own state laws. Now that we have the Federally sponsered CANSPAM act these most of these previous laws have been rendered useless/void and a lot of them were tougher on spammers then CANSPAM is. The Feds have enough to deal with already and, it would be in their best interests to let the states handle it themselves.

In Other News

[Greyfox]

Scott Richter suddenly becomes unavailable to debate SpamCop's Julian Haight.

Re:China

[DaHat]

Remember the title of the article you linked to?

71% of Spam Servers are Located in China

Just because the servers are there doesn't mean the are being used by locals.

It is very likely that a good % of those Viagra spams we all so love may be sent from a Chinese server, but it is nearly as likely that they are being initially sent from the US in the first place.

Re:Juxtaposition of laws...

[jfengel]

Actually, soldiers who abuse prisoners can receive a lot more than a year in prison. The first guy got one year because he wasn't directly involved; he just took the pictures. Look for stiffer sentences in the future.

Cut it out already

[johannesg]

This article invariably gets posted whenever someone proposes a solution to spam. Has it ever occurred to you that a single solution is not going to work, but that it _will_ be possible to reduce the problem by taking a number of (in themselves incomplete) measures? And that it is necessary to take such steps, in order to reach a sufficiently acceptable solution?

By shooting down everything that looks like a beginning to a solution, you are defending the spammers and postponing the date when our inboxes will once again be _ours_.

Some comments on the items you selected:

> (*) No one will be able to find the guy or collect the money

You won't know until you try, do you?

> (*) It is defenseless against brute force attacks

Maybe, but we still get to see the 50 most obnoxious spammers go through a courtcase and hopefully jail time or major fines. That is good enough for me.

> (*) Requires too much cooperation from spammers

Eh? Once the FBI figures out where they live, all they need to do is be home when they knock on his door. And then hopefully resist arrest in some extreme manner.

> (*) Open relays in foreign countries

Any spammer based in the US is vulnerable, though. Start with those, then think about how to get the rest. I'm sure some method will make itself apparent.

> (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

That's because people like you shoot them down before they are ever tried.

us spam

[cstream_chris]

You're all silly. Over 55% of the world's spam originates in the US with the closest 2nd being Canada at 6.8%. See Sophos Dirty Dozen at: http://www.sophos.com/spaminfo/articles/dirtydozen .html Additionally, over 90% of the world's spam comes from just 200 well known spammers (w/ Alan Ralsky being #1). See ROKSO (Registry of Known Spam Operations): http://www.spamhaus.org/rokso/index.lasso Anyway, it's good the US is finally going after some of these people since individuals are no longer allowed to sue spammers under the Can Spam Act (aka "You Can Spam Act")