Slashdot Mirror


Major Anti-Spam Lawsuit To Be Filed In VA

Rick Zeman sends us to the Washington Post, which is reporting that a John Doe lawsuit will be filed in US District Court today in spam-unfriendly Alexandria, Virginia. The suit will be filed by Project Honey Pot, which is having a week of big announcements. The suit seeks the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. From the Post: "The company is filing the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique 'spam trap' e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or 'honey pot' later receives junk e-mail."
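The trap mechanism the Post describes, sketched as an added example (this is not Project Honey Pot's software): every page visit gets a unique address logged with the visitor's IP and time, and mail that later arrives at that address links the harvesting IP to the sending IP. The domain, class and function names are assumptions, and the sample data is constructed.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timezone

TRAP_DOMAIN = "trap.example"  # assumption: placeholder domain for trap mailboxes


class TrapRegistry:
    """Issues one unique address per page visit and logs who was shown it."""

    def __init__(self):
        self._visits = {}  # trap address -> (visitor IP, time of visit)

    def issue(self, visitor_ip, when):
        """Return a unique address to embed in the page served to visitor_ip."""
        address = f"{secrets.token_hex(8)}@{TRAP_DOMAIN}"
        self._visits[address] = (visitor_ip, when)
        return address

    def attribute(self, recipient):
        """Return (harvester IP, harvest time) for a trap address, or None."""
        return self._visits.get(recipient.strip().lower())

    def correlate(self, received):
        """Map harvester IP -> sending IPs that later mailed its trap addresses.
        received: (recipient, sending IP, time received); unknown recipients are skipped."""
        links = defaultdict(set)
        for recipient, sender_ip, received_at in received:
            visit = self.attribute(recipient)
            # Mail dated before the address was ever served cannot come from that visit.
            if visit is None or received_at < visit[1]:
                continue
            links[visit[0]].add(sender_ip)
        return dict(links)


def demo():
    # Constructed sample data; IPs are from documentation ranges (RFC 5737).
    reg = TrapRegistry()
    t0 = datetime(2020, 4, 1, 12, 0, tzinfo=timezone.utc)
    a1 = reg.issue("192.0.2.10", t0)
    a2 = reg.issue("192.0.2.10", t0.replace(hour=13))
    a3 = reg.issue("198.51.100.7", t0)  # ordinary visitor, never spammed
    later = t0.replace(day=9)
    mail = [(a1, "203.0.113.5", later), (a2.upper(), "203.0.113.9", later),
            ("nobody@" + TRAP_DOMAIN, "203.0.113.5", later)]
    return reg.correlate(mail), a3
```

Because a trap address is never published anywhere else, any mail it receives can only trace back to the one visit that was shown it.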

12 of 77 comments

  1. how about a link to the actual article? by Anonymous Coward · · Score: 5, Informative

    which is here

    1. Re:how about a link to the actual article? by Anonymous Coward · · Score: 4, Informative

      Or what about a link to the Project Honey Pot page that explains the lawsuit and contains a link to that Washington Post article?

  2. What would the natural response be? by pzs · · Score: 5, Interesting

    Obviously this kind of litigation is a good step and to be encouraged, but it's interesting to imagine what would happen if nobody took action against spammers through the courts.

    Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of Email as the signal-to-noise ratio continues to degenerate? All of the above?

    Peter

    1. Re:What would the natural response be? by Anonymous Coward · · Score: 3, Insightful
      Clearly spam works, so the amount of spam being sent would only continue to grow.

      Sometimes I wonder if that's the case or if it's a case of slash and burn marketing - the spammers just keep signing up folks (especially overseas) who don't know any better, take their money, the folks who "advertised" realize it doesn't work and stop, the spammer just moves on and keeps signing folks up.

      My ISP's spam filters are great and I'm really careful about sharing my email address. That being said, are there still a lot of spams selling spam services like there was a few years ago? In other words, are most spams just advertising spam and "sure thing" stock market tips?

  3. Re:Yeah but what will the judge think by aadvancedGIR · · Score: 4, Insightful

    Directly proving how the address was collected may indeed be weak evidence, but you'd better see that as a working base.
    Starting evidence:
    - A sends spam to the targeted email, obviously without opt-in.
    - B is suspected to have harvested that address.
    And then:
    - Investigation shows a link between A and B.
    Then you have something solid to sue on.

  4. Vatican spam by paulatz · · Score: 4, Funny

    Maybe in the USA nobody knows, but the acronym VA uses to stand for Vatican (http://www.vatican.va/) not Virginia. You may imagine how dazzled I was after reading that the Pope himself will take care of spammers, will they be excommunicated?

    --
    this post contains no useful information, no need to mod it down

    1. Re:Vatican spam by allscan · · Score: 5, Funny

      Perhaps it's time for the SPAMish Inquisition.

    2. Re:Vatican spam by operagost · · Score: 3, Insightful

      VA was an accepted postal abbreviation for Virginia way, way, way before there was a vatican.va.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.

    3. Re:Vatican spam by FrankNputer · · Score: 3, Funny

      Perhaps it's time for the SPAMish Inquisition.

      I didn't expect that...

  5. Re:RIAA tactics to catch spammers? by daeg · · Score: 3, Informative

    They aren't seeking the identity of the unintentional middlemen involved, or are, but only so far as to find the identity at the end of the tunnel, so to speak. If they identify the particular botnet involved, they can attempt to trace it back to whoever controls it, installed it, or locate who picked the bundle of addresses up.

    And even if they can't find the end person, they can at least educate the zombie PC owners using a real-world example instead of the fear tactics used to push crapware like Norton Internet Security.

  6. Maybe that's the solution. by Kadin2048 · · Score: 4, Insightful

    Maybe the solution to the botnet problem isn't to go after the botnet operators, but to go after the people who are leaving unpatched machines connected to the net? Or, perhaps more to the point, their ISPs?

    I understand this wouldn't be an exactly popular solution -- it's sort of the equivalent of a "scorched earth" tactic towards spammers -- but what if you implemented strict liability on all computers under your control? You get rootkitted or botnetted, sorry pal, it's your problem. Don't want to deal with it? Keep your machines up-to-date or keep them unplugged.

    Unpatched machines that are connected to the internet are a public nuisance, in the same way that an abandoned house in an otherwise good neighborhood is. It's nearly impossible, and probably a losing battle, to try and go after the individual criminals who are using the abandoned house for nefarious purposes (which isn't to say that we shouldn't try); sometimes the best solution is just to go after the person who owns the house and make them either fix it or raze it.

    A compromise, which would avoid true strict liability, would be making it a positive defense that you took reasonable steps to secure a system; i.e. it was kept up-to-date with the latest vendor patches and was behind a firewall. But if you can't take those reasonable steps, or are too incompetent/lazy/ignorant to do it, maybe you shouldn't be on the net at all.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."

  7. Technological solutions solve part of it. by Kadin2048 · · Score: 3, Interesting

    True. However, there are some behaviors that ought to be immediately detectable -- sending out hundreds or thousands of nearly-identical emails, for instance, or DDoSing a server with repeated identical requests in patterns that are too fast to be a human being.

    But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.

    In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.

    I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."