Major Anti-Spam Lawsuit To Be Filed In VA
Rick Zeman sends us to the Washington Post, which is reporting that a John Doe lawsuit will be filed in US District Court today in spam-unfriendly Alexandria, Virginia. The suit will be filed by Project Honey Pot, which is having a week of big announcements. The suit seeks the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. From the Post: "The company is filing the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique 'spam trap' e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or 'honey pot' later receives junk e-mail."
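The spam-trap mechanism the Post describes, as an added Python sketch that is not Project Honey Pot's code and not part of the original story. The names `SpamTrap` and `link_harvesters`, the `trap.example` domain, the random-token address format and all sample IPs and dates are assumptions constructed for illustration.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timezone

TRAP_DOMAIN = "trap.example"  # assumption: placeholder domain owned by the site

class SpamTrap:
    """Issues one never-published address per page visit and logs who saw it."""
    def __init__(self):
        self.visits = {}  # local part -> (visitor IP, time of visit)

    def issue(self, visitor_ip, when):
        # Random token: unguessable, so mail to it traces to this one page view.
        local = secrets.token_hex(8)
        self.visits[local] = (visitor_ip, when)
        return f"{local}@{TRAP_DOMAIN}"

    def attribute(self, recipient, sender_ip, received):
        """Link one received message back to the visit that exposed the address."""
        local, _, domain = recipient.strip().lower().rpartition("@")
        if domain != TRAP_DOMAIN or local not in self.visits:
            return None  # not an address we issued (typo, guess, bounce)
        harvester_ip, seen = self.visits[local]
        return {"harvester": harvester_ip, "spammer": sender_ip,
                "days_to_first_use": (received - seen).days}

def link_harvesters(trap, mail_log):
    """Map each harvester IP to the set of sending IPs that used its addresses."""
    links = defaultdict(set)
    for recipient, sender_ip, received in mail_log:
        hit = trap.attribute(recipient, sender_ip, received)
        if hit:
            links[hit["harvester"]].add(hit["spammer"])
    return dict(links)

def demo():
    # Constructed sample data (documentation-range IPs), not real log entries.
    trap = SpamTrap()
    t0 = datetime(2007, 4, 1, tzinfo=timezone.utc)
    a1 = trap.issue("192.0.2.10", t0)
    a2 = trap.issue("192.0.2.10", t0.replace(day=2))
    a3 = trap.issue("198.51.100.7", t0.replace(day=3))  # visited, never spammed
    mail_log = [(a1.upper(), "203.0.113.5", t0.replace(day=20)),
                (a2, "203.0.113.9", t0.replace(day=21)),
                ("nobody@" + TRAP_DOMAIN, "203.0.113.5", t0.replace(day=22))]
    return link_harvesters(trap, mail_log)

if __name__ == "__main__":
    print(demo())
```

Mail to an address the trap never issued is ignored rather than attributed, so guessed or mistyped recipients cannot create a false harvester link.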
Obviously this kind of litigation is a good step and to be encouraged, but it's interesting to imagine what would happen if nobody took action against spammers through the courts.
Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of email as the signal-to-noise ratio continues to degenerate? All of the above?
Peter
True. However, there are some behaviors that ought to be immediately detectable -- sending out hundreds or thousands of nearly-identical emails, for instance, or DDoSing a server with repeated identical requests in patterns that are too fast to be a human being.
But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.
In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.
I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."