Major Anti-Spam Lawsuit To Be Filed In VA
Rick Zeman sends us to the Washington Post, which is reporting that a John Doe lawsuit will be filed in US District Court today in spam-unfriendly Alexandria, Virginia. The suit will be filed by Project Honey Pot, which is having a week of big announcements. The suit seeks the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. From the Post: "The company is filing the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique 'spam trap' e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or 'honey pot' later receives junk e-mail."
So these guys are using the same tactics as the RIAA to catch spammers? I smell a patent lawsuit! ;)
My blog
which is here
Obviously this kind of litigation is a good step and to be encouraged, but it's interesting to imagine what would happen if nobody took action against spammers through the courts.
Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of Email as the signal-to-noise ratio continues to degenerate? All of the above?
Peter
So, if they get emails at this honey pot email account, and they are able to make deductions and say that a certain outfit was responsible for mining that email address and giving it to spammers... does that hold any legal weight*?
I'm trying to figure out how they can do this AND have it be able to hold water in court. There's a hundred ways an account can get an email (spam or not) without it being mined specifically by the future defendant. I don't think it will suffice as the plaintiff's sole burden of proof. It probably wouldn't be "clear and convincing evidence" (civil) or "beyond a reasonable doubt" (criminal).
*I have zero training in anything remotely related to law.
It is possible if you brute-force all the e-mail address space, and you don't really need to brute force it. Markov Chains and other techniques can help you reduce the number of possibilities to try.
Let's hope this project thought about this issue (for example, by generating quite long AND random addresses), I would suppose so but haven't checked.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
Is there any kind of mandate for this? I mean, this is a private organization doing this, not local police or the FBI as part of some larger investigation, so I imagine the suit would have to be civil, rather than criminal. They might have a harder time doing this than they realize. If I were them, I might have gotten law enforcement involved at some point. The link in the article is useless, since it really says nothing about the suit.
GetOuttaMySpace - The Anti-Social Network
Maybe in the USA nobody knows, but the acronym VA usually stands for Vatican (http://www.vatican.va/), not Virginia. You may imagine how dazzled I was after reading that the Pope himself will take care of spammers; will they be excommunicated?
this post contains no useful information, no need to mod it down
I live in the vicinity of Alexandria (well, about 60-90 minutes away). Is there any way regular spam-targets like me can help?
This is cool, but I doubt many big players still use web crawlers to find e-mails. Not with plentiful sources of hacked databases and co-registration e-mails available. Servers cost money, time to set up, and man hours to make sure they're up. Pushing low quality e-mails wouldn't be worth it, since the response rate of spam has lowered so much over time. Too many of the e-mails were posted years ago (and since died), are honeypots, or unverifiable e-mails (large domains like yahoo.com do not support the method spammers use to verify the existence of e-mail addresses).
Before you mod me funny, think, perhaps I was insightfully funny?
If you have a website, you can help. If you have mail servers, you can help. If you have a blog, you can help.
Looks ok, hope this spam thing gets to an end, but it does not look like it's ever going to end, as they catch one and 99 are still spamming. In fact they are growing with the increase in number of internet users. Hope someone puts a full stop in front of spammers some day.
Game Cheats|
Might not be a bad idea to update the summary with a link to the full story mentioned in the blurb.
...because you never know who you're dealing with.
This method of collecting evidence assumes that the email addresses aren't collected using the same zombie computers that send the spam.
Two things can happen:
1) Spammers used their own computers, and (maybe) face the consequences - after this lawsuit the collecting is distributed onto zombies as well. As long as there's a market, there'll be new people exploiting it.
or
2) The spammers didn't use their own computers to collect addresses, and will continue that way.
Not that I have any hard information, but I guess these guys are using this as an information gathering exercise prior to something bigger (at least I hope it leads to something...)
The gathering of IP addresses has been discussed here before (though I cannot offhand remember when). It is theoretically trivial to serve up a cryptohash of the IP address of the visitor harvesting email addresses with the intention of spamming. So, we know how the email address in question was gathered.
SMTP connection tracking will tell us from which IP address the email was delivered.
What we don't know is how these two events are linked - ie. who is involved in the chain. Hopefully, court action will force the participants out, and maybe reveal other interesting information...
and I wish these guys all the best. Someone is actually attempting to do something. It may not work first time - but they are giving it a damn good go, and I for one hope they succeed.
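As an added example (not Project Honey Pot's own code), here is the trap-address mechanism the summary describes, built with the safeguard the brute-force comment asks for: each local part is a random nonce plus an HMAC tag, so a guessed or enumerated address is rejected before any lookup, while a genuine one maps back to the harvester's IP and visit time recorded when the page was served, which can then be placed beside the IP that later delivered the spam. The key, the traps.example domain and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed demo key (assumption); a real deployment loads it from a secret store.
SECRET = b"constructed-demo-key-not-for-production"
DOMAIN = "traps.example"   # hypothetical trap domain
NONCE_BYTES = 12           # 96 random bits: enumerating the address space is hopeless
TAG_BYTES = 8              # 64-bit MAC: a guessed local part fails before any DB lookup

harvest_log = {}           # local part -> harvest event (stands in for a database)


def _tag(nonce):
    return hmac.new(SECRET, nonce, hashlib.sha256).digest()[:TAG_BYTES]


def new_trap_address(visitor_ip, user_agent, now=None):
    """Mint a unique spam-trap address for one page view and record who fetched it."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    # 20 bytes -> exactly 32 base32 characters, no padding needed
    local = base64.b32encode(nonce + _tag(nonce)).decode().lower()
    harvest_log[local] = {
        "ip": visitor_ip,
        "ua": user_agent,
        "seen": (now or datetime.now(timezone.utc)).isoformat(),
    }
    return f"{local}@{DOMAIN}"


def attribute_spam(rcpt_to, sending_ip):
    """Given the RCPT TO of an incoming spam and the SMTP client's IP, return the
    harvest event that produced the address, or None if it is not a genuine trap."""
    local, _, domain = rcpt_to.lower().partition("@")
    if domain != DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper())
    except ValueError:
        return None            # not even valid base32
    if len(raw) != NONCE_BYTES + TAG_BYTES:
        return None
    nonce, tag = raw[:NONCE_BYTES], raw[NONCE_BYTES:]
    if not hmac.compare_digest(tag, _tag(nonce)):
        return None            # guessed or forged address: no evidential value
    event = harvest_log.get(local)
    if event is None:
        return None            # valid MAC but unknown to this log (e.g. key reuse elsewhere)
    return {
        "harvester_ip": event["ip"],
        "harvested_at": event["seen"],
        "spam_from_ip": sending_ip,
    }
```

The two IPs in the result are the two independently observed events the thread discusses; linking them to a person is the part left to the lawsuit.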
This needs to be done more often. Where do we get the software!?
If only they could find a solution to Domain Tasting and Kiting, we'd be taking a good step forward.
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Maybe the solution to the botnet problem isn't to go after the botnet operators, but to go after the people who are leaving unpatched machines connected to the net? Or, perhaps more to the point, their ISPs?
I understand this wouldn't be an exactly popular solution -- it's sort of the equivalent of a "scorched earth" tactic towards spammers -- but what if you implemented strict liability on all computers under your control? You get rootkitted or botnetted, sorry pal, it's your problem. Don't want to deal with it? Keep your machines up-to-date or keep them unplugged.
Unpatched machines that are connected to the internet are a public nuisance, in the same way that an abandoned house in an otherwise good neighborhood is. It's nearly impossible, and probably a losing battle, to try and go after the individual criminals who are using the abandoned house for nefarious purposes (which isn't to say that we shouldn't try); sometimes the best solution is just to go after the person who owns the house and make them either fix it or raze it.
A compromise, which would avoid true strict liability, would be making it a positive defense that you took reasonable steps to secure a system; i.e. it was kept up-to-date with the latest vendor patches and was behind a firewall. But if you can't take those reasonable steps, or are too incompetent/lazy/ignorant to do it, maybe you shouldn't be on the net at all.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
so I'll say it:
Nobody expects the SPAMish Inquisition!
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
This is in response to various replies, not the parent or TFA: This is not "vigilante" activity. A vigilante is someone who usurps or subverts established social structure, acting as judge, jury and/or executioner.
Before there were laws on the books about spamming, there was no social structure for identifying and acting against spammers. Those who did it then were emergent order enforcement acts. They were volunteers carrying out the desires of many based on the consensus, or at least vocal majority, of the net. There was a socially accepted behavior, people who violated it, and people who took it upon themselves to enforce the socially accepted. All law enforcement has evolved from social systems in precisely this manner.
Now that there are laws, these people seek to identify the perps, and use the established social structure by turning them over to the proper channels and authorities.
Those who provide filtering/blocking services are acting within a social structure suitably designed and executed for property protection. They are offering private protection services and people sign up with them, or not.
Ever since Canter & Siegel people have accused anti-spammers of vigilantism without understanding what it means. Of course this was semi-informed media, hot headed critics, or spammers caught in the act, all of them using the word for hot-button value.
Now, people who cat together their tracking cookies with large garbage files to try to buffer overflow spammers' data collection activities, and people who set up botnets to DDoS spammer botnets, those are vigilantes. There are laws in place. Going around them is what vigilantism is about.
I was there for Canter & Siegel, and many more for several years. Only Alan Boyle, science editor at MSNBC, ever noted that the word "vigilante" was frequently misused in this way by others in the media. The few others anywhere near as correct simply didn't refer to us in that way.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
True. However, there are some behaviors that ought to be immediately detectable -- sending out hundreds or thousands of nearly-identical emails, for instance, or DDoSing a server with repeated identical requests in patterns that are too fast to be a human being.
But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.
In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.
I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
60-90 minutes from Alexandria puts you in about Annandale, at least during certain times of the day.
I mean, this is a private organization doing this, not local police or the FBI as part of some larger investigation, so I imagine the suit would have to be civil, rather than criminal. They might have a harder time doing this than they realize.
On the other hand from what I(AmNotALawyer) understand, a civil suit needs only prove wrongdoing by preponderance of evidence, as opposed to beyond reasonable doubt; that is, you only need to prove that they probably did it, rather than almost certainly. It also has the possibility to increase the "expected" costs of such scum, which may shift the supply curve and reduce the spam level. (Alas, we're talking about a non-exclusive good, so the typical supply-demand model isn't very good. But one may hope.)
Also, a civil suit does not preclude later criminal charges.
//Information does not want to be free; it wants to breed.
From the lawsuit mini-faq:
:-)
What happens to any money you win in the lawsuit?
We're a long way from that, but we'd like to help out the people who have helped us. Obviously a large chunk would go to paying legal fees. Intriguingly, though, since we will know what Project Honey Pot members provided the data that ends up winning the case, maybe we'll be able to send them a little bonus.
I've been running a few of their honeypots for the past two years, so hopefully one of the spammers I "caught" will wind up paying a big time settlement. Sure, it's a pipe dream, but it's my pipe dream.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
The way Project Honeypot works is this:
Botnets are the biggest source of spam, so why do ISPs still allow direct outbound SMTP from home connections by default? It wouldn't be too difficult to force all outbound SMTP through the ISP's mailserver by default, but allow direct SMTP connections for those who ask for them. If the mail goes through the ISP's mailserver, it can easily be tagged and the ISP can monitor for suspicious activity.
Is there some reason why this can't be done, or is it just that there's noone to enforce it on the ISPs? If it's a question of enforcement, wouldn't an agreement by some of the big ISPs not to peer with ISPs that are spam sources help matters along?
I'm just waiting for that "your idea won't work because" template now...
Available at this link (PDF)
...because you never know who you're dealing with.
In today's society of "ooh.. it's not my fault.." somebody needs to take the initiative to make the people responsible for the problem responsible and those people are the OWNERS of the pwned machines.
So if my PC gets hacked, it is my fault. But if I hack CD/DVD encryption, it is still my fault?
If we are going with the attitude of PC owners need to take responsibility, then I want to see RIAA take responsibility and "patch" their CDs (not likely to happen of course).
I run my own mailserver and I can generate a unique email alias on a whim, that forwards to my main account. I use this whenever I need to give my address to someone that I either don't trust or want to be able to track.
I usually include part of the vendor in the address so I can remember it easier. So like for NewEgg, I give them "v1newegg@vftp.net". Any email I receive that is addressed to v1newegg@vftp.net, I know exactly where it legitimately could have come from. If it comes from someone selling prescription drugs at a discount, I know that one of two things has happened:
(1) newegg sold me out
(2) newegg's incompetent IT department allowed a spam virus to run loose on one of their internal machines and it harvested my address and sent it to the spammers.
While I'm sure that 95% of the cases are (2), neither is any worse than the other, as they have the exact same effect on me.
One I sent to was for ford, I wanted some dealers in my area to contact me about a hybrid. I got my calls. Six months later, one spam per day arriving, addressed to v1ford. I don't believe ford sold me out, but likely one of their dealers that they sent my email to to contact me, was owned and got my name on the list.
Fortunately, when this happens I just delete the alias and stop doing business with them, I give my real address out to my friends and family, though I probably shouldn't even do that. Who knows when a friend of mine is emailing me from someone else's PC and gets me nailed. If the spammers get my real address, I am screwed.
I tried to do this with my mom, but she knows so many people with PCs, her main address was on several lists within two months. Amazing how windows security even screws with the mac users.
I work for the Department of Redundancy Department.
If you're technical enough to have a good idea how thing really work, have dealt with the hell spammers cause the industry (hosting especially, abuse departments, CS, hah) and you're familiar with Project Honey Pot, what they do, how and why; you'd know this is a great thing. It's awesome to finally see efforts put to good use and progress made, even only in small steps, any kind of progress gives me a hell of a sense of hope for the future...
Spam Thwart: Anti-Spam Collective
ISPs don't have common carrier status, and they will fight to the death to keep it that way. CC would disallow arbitrary unpublished bandwidth limits, for instance.
god.i.va - seems like a nice domain name, and it's not in use by anyone, but where does one register *.va domains?