Spam King Pleads Guilty in Seattle

arbitraryaardvark writes "The Seattle Times reports that spammer Robert Soloway has pled guilty to mail fraud and tax evasion, in exchange for the state dropping multiple counts of identify theft. 'The electronic-mail fraud charge is punishable by up to five years in prison. The tax charge is a misdemeanor and carries a maximum one-year sentence. The law also allows for fines against Soloway and his business of up to $625,000 on all charges. Both sides agreed to let U.S. District Court Judge Marsha Pechman determine not just the amount of prison time Soloway, 28, might serve but also the number of his victims, the size of any fine and the amount of restitution he may be ordered to pay.' We've previously discussed his arrest and mention in the New Yorker. The wire fraud felony count is based on selling $500 packages to wannabe spammers."

I think I speak for all of us when I say

w00t!

Re:I think I speak for all of us when I say

[milsoRgen]

w00t! I don't think w00t! is the appropriate response as FTA:

One thing is clear from the plea agreement: Soloway does not have a lot of assets for the government to seize. Among the items Pechman will be asked to consider for forfeiture are Soloway's collection of 24 pairs of sunglasses, valued at more than $3,700; 27 pairs of shoes, worth more than $7,400; and clothing worth about $14,200. HAHA! seems much more appropriate... Even though the guy apparently dresses nicer then I do by leaps and bounds.

Re:I think I speak for all of us when I say

[techno-vampire]

It seems only appropriate to seize those assets and auction them off to pay part of his fines. After all, I doubt he'll be allowed to use any of them in the slammer.

Re:I think I speak for all of us when I say

[milsoRgen]

I realize he had other assets before other judgments against him, but I just think it's hilarious a 'Spam King' is wearing such finery the courts would actually seize said items! =) If I was in that situation I'm sure the courts would see fit to see my clothing off in a hefty bag on it's way to the dump.

Re:I think I speak for all of us when I say

[techno-vampire]

If I was in that situation I'm sure the courts would see fit to see my clothing off in a hefty bag on it's way to the dump.

Well, yes but that goes without saying. After all, you are a slashdotter, aren't you?

Re:I think I speak for all of us when I say

on it's way

"its".

For sending too much email?

[Brian+Gordon]

Why would they drop the charges of identity theft and charge him with sending too much email? Who cares if someone spams, SMTP is an open system and it's designed to indiscriminately deliver messages- CAN-SPAM is a terrible idea. If you don't want spam, just don't accept email from every mail server on the internet. ID theft and tax evasion are the real charges here.

Re:For sending too much email?

[thyrf]

That's all fair and well if you're only expecting email from certain servers, but for most of us a deny-by-all service doesn't cut it.

Re:For sending too much email?

[Brian+Gordon]

Well that's SMTP's fault. I guess it's useful to have a totally open point of contact, but hold your nose when you jump in because you shouldn't expect anything but the dregs of the internet. It's absurd to expect anything else if you leave it wide open.

Re:For sending too much email?

[jd]

And you'll identify these e-mail servers how? By hostname? (Domain stealing, DNS poisoning, DNS injection) By IP address? (Fake IP headers + source routing, Router table poisoning, Zombies on legit servers, Zombies on any machine between legit server and target) By mail headers? (Zombies anywhere)

And you guarantee inclusion of legit traffic from mobile sources, how? You don't know what IP address or ISP will be used. What about legit mailing lists, where the originator is indeterminate?

X.400 provides much better authentication, and offers an API for repudiation, but if that's what people really wanted, we'd be using it. Or maybe everyone would use SMTP-over-SSL where client-side and server-side certificates were validated. We don't use them because people need the privacy, anonymity and flexibility of the existing system, although I'd argue almost anything is technically superior to the existing system.

In the end, although a totally secure option should exist, an insecure option should also exist that is controlled by policy rather than technology, and that ultimately means laws.

Re:For sending too much email?

[sleeponthemic]

ID theft and tax evasion are the real charges here.

The "real charges" are based on which charges are politically most popular and Spam is charge that raises the most ire.

Re:For sending too much email?

[arbitraryaardvark]

Anyone know what the evidence was regarding the ID theft?

I don't actually. But TFA mentioned how the Washington ID theft statute had never been used in that way before. In my original draft of the summary I described the ID charges as "iffy".
The deal is for potentially a lot of jail time. Fines and restitution don't matter much because he's sheltered all his assets after having gotten sued by Microsoft. 90% of criminal charges are resolved with plea bargains, and that usually involves dropping most charges and pleaing to one or a few.

Re:For sending too much email?

[FlyingGuy]

You sound liek a spammer to me. If you are I really do hope you go to a federal recreation facility and room with a guy named "Buba" who really likes you.

Re:For sending too much email?

[__aadhrk6380]

I suppose the real crimes committed depend on your perspective. As an IT Director for a state government agency, I have to deal with the problem of spam directly. We have to budget for equipment and manpower (both of which have real costs) to maintain email as a viable method of communication with the people we serve. Money that could be better spent elsewhere to make more of an impact on our clients and ease the burden on taxpayers. Identity theft is an egregious crime, but it affects a much smaller portion of the population than you might think (check Sans.org). The costs of spam, both direct and indirect, affect everyone with an email account. This is about the hijacking and abuse of a globally available service. Whether it is T&A, male enhancement or phishing, when the means of communication itself are corrupted we all lose.

Re:For sending too much email?

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. your idea will not work. here is why it won't work. (one or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) spammers can easily use it to harvest email addresses
( ) mailing lists and other legitimate email uses would be affected
( ) no one will be able to find the guy or collect the money
( ) it is defenseless against brute force attacks
( ) it will stop spam for two weeks and then we'll be stuck with it
(X) users of email will not put up with it
( ) microsoft will not put up with it
( ) the police will not put up with it
( ) requires too much cooperation from spammers
(X) requires immediate total cooperation from everybody at once
(X) many email users cannot afford to lose business or alienate potential employers
( ) spammers don't care about invalid addresses in their lists
( ) anyone could anonymously destroy anyone else's career or business

specifically, your plan fails to account for

( ) laws expressly prohibiting it
(X) lack of centrally controlling authority for email
( ) open relays in foreign countries
( ) ease of searching tiny alphanumeric address space of all email addresses
( ) asshats
( ) jurisdictional problems
( ) unpopularity of weird new taxes
( ) public reluctance to accept weird new forms of money
(X) huge existing software investment in smtp
(X) susceptibility of protocols other than smtp to attack
(X) willingness of users to install os patches received by email
( ) armies of worm riddled broadband-connected windows boxes
( ) eternal arms race involved in all filtering approaches
( ) extreme profitability of spam
( ) joe jobs and/or identity theft
( ) technically illiterate politicians
( ) extreme stupidity on the part of people who do business with spammers
( ) dishonesty on the part of spammers themselves
( ) bandwidth costs that are unaffected by client filtering
( ) outlook
(X) botnets

and the following philosophical objections may also apply:

(X) ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) any scheme based on opt-out is unacceptable
( ) smtp headers should not be the subject of legislation
( ) blacklists suck
( ) whitelists suck
( ) we should be able to talk about viagra without being censored
( ) countermeasures should not involve wire fraud or credit card fraud
( ) countermeasures should not involve sabotage of public networks
( ) countermeasures must work if phased in gradually
( ) sending email should be free
( ) why should we have to trust you and your servers?
( ) incompatiblity with open source or open source licenses
( ) feel-good measures do nothing to solve the problem
( ) temporary/one-time email addresses are cumbersome
( ) i don't want the government reading my email
( ) killing them that way is not slow and painful enough

furthermore, this is what i think about you:

(X) sorry dude, but i don't think it would work.
( ) this is a stupid idea, and you're a stupid person for suggesting it.
( ) nice try, assh0le! i'm going to find out where you live and burn your house down!

Re:For sending too much email?

[ZorbaTHut]

Who cares if someone sends junk faxes, the phone network is an open system and it's designed to indiscriminately deliver messages - making junk faxes illegal is a terrible idea. If you don't want wasted toner, just don't accept phone calls from every bozo on the phone system.

And yet, oddly, junk faxes are illegal, because they cause a significant amount of cost for the receiver. Just like junk email does.

The law won't [i]fix[/i] things, of course. Junk faxing still occurs. But it might help, if it's designed properly.

Re:For sending too much email?

[grumbel]

Do you have a telephone? Do you mind if I call you around the clock to advertise some junk? It is in a open system after all...

Spam these days is nothing more then a denial of service attack on the SMTP network and should be punished as such. Just because it is on open system doesn't mean abuse shouldn't be punished, quite the opposite actually, since it is an option system abuse must be punished, since it is the only way to get rid of it.

The days where it was easy to filter it out by hand and spam was just a little annoyance are long long gone. Today I get around 600 spams per day, it is simply impossible to handle that by hand. Even doing it automatically is a hassle, spamassassin takes around 2 sec per Mail, at 600 spams thats 20 minutes my system is going at 100% CPU for doing exactly nothing and useless for most other things.

Re:For sending too much email?

[jack455]

mod this UP!
I want to see this form anytime anyone has a simple answer for a complex problem such as SPAM

Re:For sending too much email?

[LiENUS]

Nuke the planet, with only 2 people left alive if one starts spamming the other a pointy stick immediately solves it.

Re:For sending too much email?

[Phroggy]

You don't know a whole lot about how email actually works, do you? Yes, it's a pain in the ass. You sound like you're having more problems with it than a couple state universities I know of though. Read up on the RFC's and learn how to get rid of most of your spam rather than go 'Chicken Little' will ya? I don't know whether you understand how e-mail works, but you certainly don't appear to understand spam at all. Sure, of course familiarizing yourself with the SMTP RFCs is a good first step, but since most spam is RFC compliant, where does that get you? If you're not 1) spending a lot of time working on blocking spam, 2) spending a lot of money on blocking spam, or 3) letting someone else spend a lot of time or money to block spam for you, then your e-mail address just hasn't gotten distributed to very many mailing lists yet. Publish it on a few web pages; it won't take long for the deluge to begin.

Either that, or you don't actually use e-mail for anything important, so the spam doesn't really get in your way. But if that's the case, please try to understand that many of us do need to use e-mail for business purposes.

I run a very small mail server at home with a handful of users. My first line of defense against spam is DNSRBLs - blacklists of IP addresses that are known to be spam sources, or happen to be in certain countries such as China or Korea that I would otherwise get a ton of spam from but currently have no need to receive legitimate mail from. I reject all SMTP connections from blacklisted IPs, before even bothering to look at the message they're trying to send. Would it surprise you to learn that I'm currently blocking an average of 78 connections per hour, or 685,000 connections per year, just based on blacklisted IPs? That's one attempted connection every 46 seconds, every hour of every day, all the time. And that doesn't count all the spam blocked by the myriad of rules I've got set up to handle incoming messages once they've been accepted, nor does it count the spam that unfortunately finds its way to my inbox anyway - remember, DNSRBLs are just the first line of defense. But this is a very small server, as mail servers go. Imagine what the numbers would look like if I ran a large ISP.

Re:For sending too much email?

That's all fair and well if you're only expecting email from certain servers, but for most of us a deny-by-all service doesn't cut it.

Oh come on, you can just require a person to call you before they e-mail you, giving you the server they're sending from. No problem at all! The original poster is right, spammers haven't done anything to inconvenience us. They have done no wrong!

Re:For sending too much email?

Well that's SMTP's fault. I guess it's useful to have a totally open point of contact, but hold your nose when you jump in because you shouldn't expect anything but the dregs of the internet. It's absurd to expect anything else if you leave it wide open. Do you actually know what SMTP is?

Re:For sending too much email?

[olman]

I think I do have a solution to spam.

It goes simply like this - As the spam volumes keep on climbing and climbing and ever-decreasing volume of email is actually legitimate, "huge investment in SMTP infrastructure" becomes slowly more of a liability than asset.

You already need heavy-duty spam filtering SOMEWHERE to be able to use business email. I just realized some of my colleagues "just hit delete" on something like 50 emails per day because they lack the know-how to make simple thunderbird/outlook filter to weed out mails marked as SPAM by the mail server.

Not only that, the spam-poofing methods become more and more intricate. Botnets make it practically impossible to recognize valid sender. Image based spam makes it extremely difficult to recognize content as spam without nuking all legitimate family photo emails.

If you start arrogant diatribe about why people shouldn't buy from spammers, I'm personally going to come over your house and beat you up with a nice ripe carp. Real customers havent been for ages people buying 4" more length-baking powder pills but rather the guys who think they're going to get rich quick and forking over $500 or whatever on a starter spammer pack. Or renting botnet posting capability. Or buying email address lists. And so on and so forth.

So yes, my solution to spamming is that sheer volume of spam and the difficulty of fighting it is making email as a media increasingly worthless and when supporting it becomes clearly more of a liability it becomes more and more attractive to apply incompatible measures of doing business. Such as, well, calling people.

Graylisting and other such measures also become more viable. Sure it'll delay and possibly lose legitimate email but the signal would be liable to be lost in the noise anyways. I can easily see "sales"-email links becoming the only email addresses accepting email from anyone with some people weeding crap from content on the backside. Personal corporate accounts probably become more and more biased towards graylisting email from unknown senders.

To sum it up, no I do not have a method to cure email. I think the problem will solve itself by making the host die of the infection which will also kill the parasites.

Re:For sending too much email?

[ultranova]

Publish your public key along with your email address, require that any message sent to you be encrypted with the public key, and then delete any incoming messag which isn't. Use whitelists for mailing lists and such, preferably based on cryptographic signature verification to avoid source spoofing.

So, how does this fail ?

Re:For sending too much email?

[mpe]

Who cares if someone sends junk faxes, the phone network is an open system and it's designed to indiscriminately deliver messages - making junk faxes illegal is a terrible idea. If you don't want wasted toner, just don't accept phone calls from every bozo on the phone system.
And yet, oddly, junk faxes are illegal, because they cause a significant amount of cost for the receiver. Just like junk email does.

IIRC in the US faking the CSID on a fax is also against the law. Even if the CLID is bogus.

The law won't [i]fix[/i] things, of course. Junk faxing still occurs. But it might help, if it's designed properly.

As well as being backed up by the appropriate enforcement. If the US were to end the "War of Drugs" they could create a "Spam Email and Fax Enforcement Agency" to replace the DEA.

Re:For sending too much email?

[sjwest]

There are websites that detail the charges against Robert Soloway and what he did.

I see this a victory against the 'email marketers' who send you spam opt in, opt out, three barrel opt out or whatever the dma are calling it this week. Soloway was a pain for isps worldwide, email, and the infrastucture of the internet.

How Soloway worked: Soloway 'gets' your email address, you change it, soloway 'gets' it again, but now uses both, result = one bounce and continued spam and now multiply that several million times. The detail on Soloway is out there.

Yes our email servers can handle the 'no user at this address' but why should we (or yours have to) have to handle this request x many which was never asked for.

OK so the US can-span act is useless, thats what happens when you buy the power to water down laws. So fraud seems a good way to take down Soloway.

Re:For sending too much email?

[frdmfghtr]

So, how does this fail ?

It fails because your Aunt Mathilda doesn't know the first thing about email encryption, nor does she care. Businesses won't mandate its use with the buying public because most of those customers will go somewhere else instead of changing their email habits. "Public keys? How does a key protect anything if it is public?" "Cryptographic signature verification?" Good luck explaining that the John and Jane Public.

I don't expect to see widespread use of email signing (or encryption for that matter) until:

(a) It is mandatory and automatic on all email clients; and
(b) conforms to ONE standard (PGP? Digital certificates?).

I don;t know much about digital signing of email beyond setting up Mail to use it; and I do use it on all outgoing email. However, I have received only a handful of email messages that have been signed, and they all were from federal gov't research labs where PKI use is mandatory.

Re:For sending too much email?

[darkpixel2k]

I hate these forms.
Let's go through it

(X) technical ( ) legislative ( ) market-based ( ) vigilante

What other way will there be of blocking spam? Legislative won't work because there is no one governing body that controls the entire world and can punish those that do wrong.

Market based...well, it might work, but the solution will probable be some sort of technical device like a barracuda appliance.

Vigilante would work if we just shot all the spammers, but then those people would go to jail for murder. Wait until we can clone, then send your clone in to do the dirty work and hope they don't grab you instead of your clone.

So technical is the only way.

(X) users of email will not put up with it

Fine, they can put up with the spam.
But in my experience, users will put up with a lot of shit if it's required of them. Think BSODs, Windows ME, Windows Vista, etc...

(X) requires immediate total cooperation from everybody at once

Kinda like SMTP is required by everyone. If you don't have it, you don't get mail.
I don't care if it's another protocol, or the same protocol with changes. Kinda like IPv6, eventually there will be a cutoff date and everyone needs to get on board or else things just won't work. Get the new email protocol in place, have it work along side SMTP and then once it's developed and tested set a shutoff date for SMTP.

Yeah, it'll be a lot of work, but that's our job. We do the technical shit on the internet. Just like the telco guys--I don't care how my phone call gets from point A to B, just that it does get there.

(X) many email users cannot afford to lose business or alienate potential employers

This seems somewhat irrelevant. We're not talking about immediately shutting down SMTP and saying 'fuckit'. A group of intelligent geeks like you'd find on slashdot (for the most part) are completely capable of coming up with a transition plan.

(X) huge existing software investment in smtp
(X) susceptibility of protocols other than smtp to attack
(X) willingness of users to install os patches received by email

There's always going to be a huge investment when switching (think IPv4 to IPv6). At some point the flaws or limitations of the system become too big a problem and you must change. Have we reached that point with SMTP and spam? Are we out of quick fixes like SenderID, Domain Keys, DKIM, blacklists, whitelists, spamassassin, greylists, etc...?

As for 'patches' received via email, you're never going to stop idiots and social engineering.
I'm not sure what you're getting at with attacking protocols other than smtp.

(X) ideas similar to yours are easy to come up with, yet none have ever been shown practical

That part is true. I'm sitting here saying we should come up with something, but not putting forth any ideas.
But I believe if a group like Slashdot held a huge discussion about it, we would come up with something.

Re:For sending too much email?

[PopeGumby]

A group of intelligent geeks like you'd find on slashdot (for the most part) are completely capable of coming up with a transition plan...
But I believe if a group like Slashdot held a huge discussion about it, we would come up with something.

Oh my god, are you kidding? No two people on Slashdot could even agree on whether or not the grits poured on Natalie Portman should be hot or cold.

There are many places in the world where fine conversations about technical and technological advancement could take place, but slashdot isnt one of them.

Re:For sending too much email?

[totally+bogus+dude]

Publish your public key along with your email address

How exactly will this stop spam? All it means is the bots that crawl sites looking for email addresses also need to snag the associated public key at the same time. If the information can be obtained by Joe User then it can be obtained by Joe Spammer and fed to his network of spambots. At best, they might have difficulty associating the correct key with the correct email address (though to be usable by Joe User the browser will probably need to associate the two easily) but in this case they'd just encrypt every message for every potential public key and mail volumes would skyrocket.

Adding additional hoops to jump through won't stop spammers any more than greylisting stops spammers. Sure it stops some now, but if everyone used it then all the spam engines would be adapted to it. And as others have pointed out, if only a few people use this method to protect their email then most people won't bother emailing them because it's too confusing. This might be okay for your personal email (then again it might not - people don't like to be made to feel stupid) but it's a no-go for businesses.

I still think the "solution" to the spam problem is to solve the zombie PC problem, since if the spammers don't have access to vast numbers of random PCs to send their email from they become much, much easier to block.

Re:For sending too much email?

[darkpixel2k]

There are many places in the world where fine conversations about technical and technological advancement could take place, but slashdot isnt one of them.

Aside from trolls which could be weeded out from the discussion easily, the geek side of slashdot could (I think) easily come up with a way and agree on the best way to solve this.

This may be oversimplifying it a bit, but I would trust most slashdot users to know how to solve a technical problem.
If a network cable it unplugged, plug it in.

Of course you'll have several threads discussing the best brand of network cable for not coming unplugged with a sub-thread from the guys who still think BNC has something to offer because of the twist-lock connectors. You'll get a thread about the best super-glue to permanently bond the cable into the card for situations where the cable must NEVER come unplugged for security/life support reasons, a few people repeating the same joke about cable length and "is it in yet?", followed lastly by the trolls talking about that one time in the locker room and goatse.

...Oh--and that one guy who always makes a car analogy which makes no sense to me because I'm a netadmin, not a gearhead.

Re:For sending too much email?

[PopeGumby]

Your cable analogy doesnt quite fit, because thats a technical problem with a known solution aka tech support. And I still wouldn't trust us to actually get it done.

You're talking about design work, where any opinions on methods are almost guaranteed to be wildly different.

The likelihood of achieving anything in a meeting is inversely proportional to the number of people in the meeting. So what's the likelihood when the meeting attendees number in the millions?

Re:For sending too much email?

[darkpixel2k]

The likelihood of achieving anything in a meeting is inversely proportional to the number of people in the meeting. So what's the likelihood when the meeting attendees number in the millions?

Give me some credit. I did say get rid of the trolls. That should drop the number a few million... ;)

Re:For sending too much email?

[gr8scot]

Let's prove you right.

Aside from trolls which could be weeded out from the discussion easily, the geek side of slashdot could (I think) easily come up with a way and agree on the best way to solve this. We could discuss the feasibility of charging a fee to use port 25. To start the conversation, let's suppose the fee is commensurate with the cost of one local toll telephone call or one snail mail letter, then just round to $0.50 per message. Let's make this payable to one's ISP as part of one's regular bill, or via PayPal for users of free e-mail services without their own ISP account of any kind, because we can't infringe their 1st Amendment rights, but we can impose payment to speak to somebody! Now, to make communication with our actual friends and legitimate business contacts as affordable as ever, suppose we add to this system a refund or offsetting payment any time our ISP's mail server receives a reply or original message to our address from a recipient for whom we've paid to send a message. This way, once a recipient implies agreement to ongoing communication with a sender, these two e-mail addresses can exchange messages free of charge as they always do, but unwanted mail will cause the sender a significant amount, if they continue to send messages at the volume of current spam bots.

Infected victims should of course be able to reverse the charges by showing that their computer was sending mail because of malware, and ISP's using this system would be responsible for providing thorough malware-removal software with easy-to-use documentation. Better yet, any request to send outgoing mail would result in a dialog requesting payment on the spot. The timeout should be set to 5 or 10 minutes to allow looking up details of one's PayPal account, but not long enough to brute-force payment details. Now, if I'm sending e-mail the right way, I have time to pay to send it, but if my computer is infected with a spam bot, the payment window times out unless I happen to be sending my legitimate mail at the same time.

Mission accomplished.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's ok, buddy

has pled guilty to mail fraud and tax evasion Don't sweat it, they've caught the best of them with that one.

Re:It's ok, buddy

[arbitraryaardvark]

Actually, he pled to failure to file, not quite the same thing as tax evasion.
I had written tax avoision, and zonk changed it.

Re:It's ok, buddy

[ILuvRamen]

yeah and plus, if you're going to run an extremely illegal business, you might as well go the extra mile and not pay taxes on it lol. You know, don't wanna get audited or anything. It's like if you're robbing a bank, you know what, punch someone in the face cuz you're already committing a felony.

If only it were so good...

[txoof]

Part of me wants to do a happy dance that a spammer is finally doing some serious time for their crimes. The rest of me sadly realizes that he is but one of many. One, albeit large head, has been cut off, but the SpamaHydra has many, many more.

I've seen some pretty interesting ideas regarding a more robust email standard, but I wonder what it will take for everyone to switch to something other than SMTP. We're sort of at a point where spam filters are just good enough to keep the signal within reasonable limits. I guess until spam levels reach a tipping point, we'll all destined to stick with the current standard.

We are Spam of Borg. You shall be cordially invited to participate in our newest Nigerian scam of the month. Resistance is futile.

Re:If only it were so good...

[SanityInAnarchy]

Actually, filters have been remarkably good for me. At work (Gmail), a spam slips through every few days. At home, I have an "unsure" box, which gets mostly spam (maybe 10 a day) and the occasional innocent mail -- out of hundreds hitting the actual spam folder.

Also, just about any other system would have problems worse than spam -- but it's hard to talk about something abstract. What, exactly, did you have in mind?

Re:If only it were so good...

[Telvin_3d]

The problem with this? The depressing number of office workers who use their accounts for personal type mail. A company uses your smtpx protocol and promptly sees their rating drop due to the dozen fifty year old ladies in accounting forwarding on every piece of cute spam and donate-to-save-the-children mail they get.

Re:If only it were so good...

[SanityInAnarchy]

I always envision a system where a new protocol (say smtpx) simply adds to smtp, adding authentication of where the mail is actually being sent from, allowing rate limiting error codes for domains/addresses, and a relationship trust mechanism built between servers.

This could be built on top of SMTP. The only problem is that either way, you still have to accept mail from people who aren't using it.

Basically, a server could implement smtpx, so that all emails sent using it must be authenticated (no more header spoofing)

How would this work beyond the server? Say AOL implements this -- how does it prevent me from claiming to send mail from someoneelse@aol.com?

What about people who travel around on a laptop, and thus borrow SMTP servers to send mail "from" their home email address?

What about people who want a different Reply-To, on purpose?

What about deliberate forwarding accounts? That is, an alias such that mail sent "to" one person ends up arriving somewhere else?

What about new, as-yet-uninvented headers?

Right now, the best measure I can think of similar to yours is to verify that the actual 'from' in the SMTP itself is from an IP that's actually mentioned in an MX record for said server. And even then, I'd rather it flag the mail, or contribute to some "spam" weight, rather than block it outright.

cannot send X number of emails per Y period (for instance, not more than 10 per minute)

So no more mailing lists. Or at least, you would need to treat them specially -- which means mailing lists must now be approved by some authority.

and the sending server must have a trust score of at least 50/100 with at least 3 other trusted servers

So how do I get into this web of trust, if I've just set up a brand-new mailserver?

Also, what happens in the case where a public mailing list gets spammed? Are we not allowed to have public mailing lists? Yes, it would provide an incentive to clean up the list, but I think pissed-off users and bandwidth costs would help with that, too -- either way, I don't want the legitimate mail coming from that server to be flagged.

Regular smtp would still be accepted for the time being, but would be put on a 30 minute delay before being delivered (or has some other limitation as incentive to use smtpx - like maybe no attachments?).

30 minute delay solves nothing -- someone sends you 1000 spams, getting all of them 30 minutes later won't help anything. Same with no attachments -- they do nothing to stop spam, only annoy people who are still using SMTP for whatever reason.

If you make the delay cumulative -- that is, each untrusted message will take 30 mins past when the last untrusted message was sent -- then the risk of false positives is too high.

Now of course you need some mechanism so that you can't poison or fake the trust relationships, but I believe problems like that are pretty well solved in modern p2p systems.

Really? Care to point to where and how they are solved?

So you've just created a system which kills two major features of SMTP, without even denting the spam problem. I don't mean to sound too harsh, as I can't blame you for trying, and it is a hard problem -- but this is how you find out just how hard a problem it is.

Just my 2 cents... now where is someone with that list of things they put X's in that say why such an idea would never work?

I don't entirely agree with that form, as I think at least a couple of the checkboxes are for things which can work in practice, but here you go:

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply

Re:If only it were so good...

[nacturation]

A company uses your smtpx protocol and promptly sees their rating drop due to the dozen fifty year old ladies in accounting forwarding on every piece of cute spam and donate-to-save-the-children mail they get. So you're saying the system would work as intended?

Re:If only it were so good...

[MrNaz]

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

See earlier posts for the rest of the response.

Re:If only it were so good...

[MrNaz]

What about people who travel around on a laptop, and thus borrow SMTP servers to send mail "from" their home email address?

So sorry, so sad. That practice has to be let go for the love of god!

Why? I travel a lot, are you telling me I need a different email address for every location I visit? Imagine if you needed a different email address every time you left the basement! Oh wait, you probably never have, which is why you think what you do.

Furthermore, this is what i think about you:
( ) sorry dude, but i don't think it would work.
(X) this is a stupid idea, and you're a stupid person for suggesting it.
( ) nice try, assh0le! i'm going to find out where you live and burn your house down!

(X) Mailing lists and other legitimate email uses would be affected

Only as much as all other email is effected. Legitimate reasons for spoofing the "from" header would be affected, but that's the whole point!

Any collateral damage on mailing lists or other legitimate uses is unacceptable. Nobody wants an interim period of a year when all email systems are flaky and your info feeds are intermittent.

Also, how hard would it be for a black market in "trust points" to build up? Spammers could set up new SMTP servers, forward mail for a while, vouch for each other repeatedly, and then when enough points have been accumulated, blast all their spam out as quickly as possible. Any system that makes it hard to build trust would be unworkable as new mailservers would be excluded, and any system that makes it easy to build trust is open to gaming. Also, spammers could just piggy back onto existing trusted servers using hacked accounts or compromised networks or simply set up accounts with ISPs that have cheap monthly plans.

Finally, remember that botnets could simply be programmed to grab the machine's default SMTP server from Thunderbird, Outlook or Outlook Express and spam through that. ISP's would need to stay ahead of the curve here, by detecting outgoing spam. Any other restriction would place too great a burden on legitimate mass mailings like newsletters, mailing lists etc.

Dude, the sort of interruption to email services that you suggest are totally unrealistic, and can never be allowed to happen. I'd rather wade through the 10 spam messages that get through a day than to not get an unknown percentage of the 200 or so emails (mailing lists etc) that I expect to be getting.

specifically, your plan fails to account for
(X) travellers, telecommuters and other mobile users
(X) open relays in foreign countries
(X) huge existing software investment in smtp
(X) susceptibility of protocols other than smtp to attack
(X) willingness of users to install os patches received by email
(X) technically illiterate politicians
(X) extreme stupidity on the part of people who do business with spammers
(X) dishonesty on the part of spammers themselves
(X) botnets

Overall, one of the poorer attempts to solve spam from an armchair that I've seen.

Re:If only it were so good...

[Dan541]

I use RBLs and they are pretty good but over the weekend they seem to have suddenly failed
I think ive just been hit with a new wave that hasnt yet found its way into RBLs but overall I think solutions such as spamhaus are the way to go.

atleast for now

~Dan

Re:If only it were so good...

[houghi]

30 minute time limit? Why would that stop spam? Mr. Spammer does not care wether it will be 30 minutes late . ASlso much spam is send from zombies.

I think the only solution is to start from scratch and abandon SMTP completely. If I would know how, I would already be using it and so would the rest of the world.

Re:If only it were so good...

[alien_life_form]

No, they don't.
For the second week in a row, I also have seen a sharp downsteps in all of my mail/spam counters: that's message count, black and grey list activity, RCPT throttle, connection throttle (spamfiltered, relay denied and virlisted don't change much, but they have white noise type spectrum regardless).

I have two consecutive downshifts at around 17:00 MET Friday (consistent with business hours but WAY deeper then in the past) and another around 15:00 MET Saturday (unprecedented). It's like some vast spam network pulling the plug at those times...interesting. Anybody knows more about this?

Cheers,
alf

Re:If only it were so good...

[mpe]

Right now, the best measure I can think of similar to yours is to verify that the actual 'from' in the SMTP itself is from an IP that's actually mentioned in an MX record for said server.

No doubt if you tried that you'd soon discover plenty of domains where different machines handle outgoing and incomming email. Some strange setups can easily result from corporate mergers, especially if the resultant company makes internal changes, but keeps trading under all its old brand names.

Re:If only it were so good...

[mpe]

I travel a lot, are you telling me I need a different email address for every location I visit? Imagine if you needed a different email address every time you left the basement! Oh wait, you probably never have, which is why you think what you do.

One way of handling this would be to have your machine perform an MX lookup to find out where to send the email. Rather than use a "smarthost". That might run into all sorts of problems with various anti-spam systems which have the effect of forcing people to use smarthosts. Even though smarthosts are actually something of a hack when it comes to the SMTP protocol. The other way would be to use a VPN so your laptop always appears to have the same IP address wherever it might actually be.

Also, how hard would it be for a black market in "trust points" to build up? Spammers could set up new SMTP servers, forward mail for a while, vouch for each other repeatedly, and then when enough points have been accumulated, blast all their spam out as quickly as possible. Any system that makes it hard to build trust would be unworkable as new mailservers would be excluded, and any system that makes it easy to build trust is open to gaming.

Unless you though about things very carefully then you might even end up with a situation where it was actually easier for spammers to get trust than legitimate service providers. Security is hard because there are always likely to be people who will look for a way around or a way to subvert things. If you have a situation where the "bad guys" are likely to cooperate and conspire whilst the "good guys" are attempting to compete the odds look a lot better for the "bad guys".

Re:If only it were so good...

It wouldn't. The delay is to make people using smtp want to switch to smtpx - where there is no delay. It's meant as an annoyance for legitimate mail so that they will start using the new protocol.

Re:If only it were so good...

[SanityInAnarchy]

Why, oh why, do people hold onto this? Jesus Christ. Set up authentication over TLS. You can connect to your server from anywhere. Wow. here is a tutorial for postfix.

Yes, because asking home users to configure their ISP's postfix server is really going to work.

Also, as another poster pointed out, people don't always have their outgoing mailserver set up as a proper MX record for various other reasons -- which means your system would be an inconvenience for a lot of people, for no gain, as I still don't think it would work, once implemented.

There wouldn't be any besides delays due to the rate limiting

Which is unacceptable. Mailing lists can get some very heavy traffic, and building an upper bound to that traffic into the protocol is a bad idea. Plus, set that upper bound too high, and you're not doing much to stop spam, either.

as long as the domain the list is coming from is really the right domain.

Does this fall under the "forging headers" part? That is: If I change the "from" header to say "from mylist@example.com" on every single email, is that forgery? Certainly if I leave it alone, it appears to be forgery.

Don't forget, not messing with the headers is a Good Thing for a mailing list to do. Having "reply" go to the entire list is not good. What usually ends up happening is, people use reply-to-all, which has the list as a CC -- and has the nice side effect of, you're more likely to make a mistake and send something to one person, meaning to send it to the list, than to make a mistake and send something to the list, meaning to send it to one person. Sending something to one person isn't a big deal, just resend it to the whole list. But if you sent something private to the whole list... whoops.

Yes, this is the real crux of the problem. How do you build trust? There are several algorithms out there for such things. Coming up with one for this is beyond the scope of a slashdot thread, but I believe it's doable.

I have never seen a trust net on this scale which cannot be gamed -- and there's still the problem of, how do I get into the net in the first place?

So, it's beyond the scope of this thread... Would you care to link to a whitepaper? Or anything? Because right now, you've proposed a solution which, among the other problems we've pointed out, also relies on a bit of technology which you refuse to explain. And again -- even if it worked, would it have undesirable side effects?

Now, tell me what's wrong with my solution, I'm curious -- especially considering my solution works, right now, with no cooperation required from anyone else.

Re:If only it were so good...

[SanityInAnarchy]

You send the email to mydomain.com, my server then asks aol if they sent that email, they say no, I reject your email.

No, the point here is, aol did send that email. Are you saying that unauthenticated SMTP is not allowed?

So sorry, so sad. That practice has to be let go for the love of god!

It's not going to. Any solution which fails to take that into account will not work, because it will never be implemented.

Plus, that's not the only time mail is sent from a server which differs from those explicitly listed in the MX records.

Acts as a new email, this should not be effected except that the "from" becomes the address doing the forwarding.

Which sucks.

Take a look at my email address -- I came up with this when I was 15. I'm probably going to replace it sometime soon. Does that mean that everyone who still sends mail to the old address should appear to come from ninja@slaphack.com? That if I were to reply to such a mail, it would go to ninja@slaphack.com if I'm not careful?

Oh, right, reply-tos can be left alone. (What if one isn't set?) But now you have that confusing situation where Reply-To and From don't match up, which can be just as confusing as when From and "received" don't match up.

However, even barring other consequences, I like to be able to sort my mail by sender, sometimes into conversations. Why should I have to lose this ability on forwarded mail?

What about them?

The fact that you don't take them into account, at all. A new header is a new opportunity to forge a header.

So you'll have to wait maybe 10 or 20 minutes for your email, and only if you're domain implements the delay. I fail to see how it's a show stopper.

It is pretty annoying -- especially if my domain implements the delay, and my boss' email gets caught. Five minutes later, he wants to know if I got his email.

Or take those "Please verify your email address" emails. I generally want to get those instantly.

And again -- if this only delays each individual email 20 mins from when it would have arrived otherwise, how does it make an impact on spam?

You start with a neutral trust, so you could get some spam through, but not too many before you're score plummeted. The goal is not to eliminate spam (that's impossible), but to make it impractical to send it in mass quantity.

So botnets can still send massive amounts of spam. As a bonus, if it's careful, a botnet could probably game the system and get a positive score to start out with.

The cumulative thing is an interesting idea. But the delay is not to prevent spam, it's to make other domains want to implement smtpx so that their legitimate mail is not delayed.

Which means you still need immediate total cooperation of everyone all at once. Basically, if you implement this on a one-person domain, you'll just annoy yourself. You'll never get Gmail, Hotmail, AOL, Comcast, etc to agree to it, as if any one of them implements it by themselves, it's a net loss for their customers unless enough other domains implement it.

There are a lot of them, but just one example is here.

Interesting -- a bunch of mathematics that I don't understand yet. Probably could spend some time later...

And still doesn't show me anything about this working in the real world. (Last time I was on Gnutella, there were still entirely too many spam/virus results.)

Only as much as all other email is effected. Legitimate reasons for spoofing the "from" header would be affected, but that's the whole point!

Doesn't change the fact that legitimate reasons for spoofing the "from" header are a requirement for email, as implemented.

The trust relationships can b

Re:If only it were so good...

[chromatic]

Yes, because asking home users to configure their ISP's postfix server is really going to work.

Would you really trust any ISP that cannot or will not configure authenticated SMTP to do anything more intellectually challenging than babysitting a picture of a dog torn from a magazine?

Re:If only it were so good...

[SanityInAnarchy]

I am not the issue here.

Millions of home users are the issue here. The kind of people who are still using AOL dialup.

Oh, and simply having authenticated SMTP doesn't mean it's configured to relay from outside its own network.

Re:If only it were so good...

[SanityInAnarchy]

Keep in mind, someone else has been posting also. I don't personally have a travelling issue, as I can VPN back to my own server. Not everyone can do this.

Why wouldn't you have your MX record set up properly?

All kinds of reasons. Someone pointed out the mess that can happen in mergers, acquisitions, and splits, resulting in some very interesting MX records (or lack thereof). Right now, I have some servers on Amazon EC2 which want to send mail, but EC2 has dynamically allocated IP addresses, which puts it on a Spamhaus blacklist, which is used by AOL, Comcast, and others. So in order for this mail to not be spam, I have to relay it through somewhere else. However, it's entirely possible that we'll end up going with a service which is configured to be an outbound relay, but not a secondary MX -- thus, it shouldn't actually be in our MX record, but it is sending mail as us.

Oh, and the MX record isn't even supposed to be required.

As for mailing lists, they are a hack to send lots of emails to a list, but you could pretty easily redefine the way they work for the new protocol.

In a way which is backwards-compatible with existing, high-volume mailing lists?

For instance, if it's a smtpx mailing list, The user give's their mailing list public key to the mailing list server, which then uses that to get the email sent quicker through their regular ISP.

So now users have to do public-key encryption. (Why not just use a good old-fashioned user-to-user PGP trust network?)

And now what do you do when the mailing list is spammed? Or when you want to be a part of a particular list which only supports straight SMTP?

But as I said before, it's a band-aid, not a solution. All that email is still sent, all the bandwidth is wasted, and many domains don't have very good spam filtering because they can't afford false positives.

I don't get false positives, tarpitting would stop the bandwidth wastage, and now you're complaining that many domains don't have very good spamfiltering -- why would such domains prefer your solution over mine, if they have to adapt anyway?

It's also interesting that you use tar pitting, which is basically a time delay, and then complain that my system had delays that are unacceptable.

Because your delays are based on not supporting a particular protocol. Mine are based on having actually seen spam come from that IP address -- and having seen it myself, which means there's no trust network to poison or game. That, and it gets to be my own definition of spam -- not everyone has the same definition.

But also, I don't require tarpitting to work -- I still see almost no spam in my inbox, even though I haven't implemented a tarpit yet. So, tarpitting is a mechanism to cut down on the bandwidth usage, not actually itself an antispam mechanism.

2) The servers also allow a client to connect using xmtpx, lets say over SSL as well.

It's worth mentioning that we do already support SMTP over SSL.

6) Destination server contacts the domain in the from header, and asks if they sent that message by providing the signature it attached to the email (or some other means, maybe a new header, it doesn't really matter). If it says yes, all okay. Otherwise, email is rejected.

Again -- only the From field is authenticated?

Also: What about the domain that the server itself actually claimed to be sending from? And you're now saying that multiple mailservers must all coordinate and record every mail sent, in case they get contacted back?

And it does seem to me like a potential DoS attack, though I'm not quite sure how. It does make me nervous that it's checking back, although I know this is done elsewhere.

7) Destination server scans it using current spam filteri

Re:If only it were so good...

[mengel]

What you're describing is basically SPF, which has been around for several years now. If enough places signed on with it, it would help quite a bit.

However, it has existed for several years, and we still get lots of spam...

And you can only put in the encouraging restrictions once enough places use it, otherwise you just delay or block most of the email you need to see.

I hope...

[tqphan]

He shares a jail cell with men who have enlarged their penises, taken Viagra, and are looking for a new relationship.

Re:I hope...

[Bored+MPA]

Because rape, HIV, and Hepatitis aren't cruel and unusual punishment in your book? Or is that just the line you toss out to get out of jury duty?

Your comedic take is about as funny as the drunk guy I saw yesterday that said "Ooops, you just knocked over your home" when he walked past a homeless guy that dropped a cardboard box yesterday.

Re:I hope...

Because rape, HIV, and Hepatitis aren't cruel and unusual punishment in your book? When given the choice between HIV and having my sense of humor surgically removed like you, I'll take the anally injected death sentence :-}

Your comedic take is about as funny as the drunk guy I saw yesterday that said "Ooops, you just knocked over your home" when he walked past a homeless guy that dropped a cardboard box yesterday. Real bad thing=tragic. Fake bad thing=funny. Assuming that homeless guy was real, that would not be funny. This guy getting anally raped is not an actual occurrence, therefore it is funny. Fact is, people getting hurt is perceived as funny. Ever laughed at The Three Stooges smacking each other? Same principle, different level of misfortune. Treating fake pain like a real pain makes you seem kind of self righteous.

Now watch this!

Re:I hope...

For someone who makes a living selling people's email addresses to others for the express purposes of spam? I'd call that justice.

Re:I hope...

Way to miss the joke. GFJ

Re:I hope...

[RealGrouchy]

It's not the rape that's funny; it's the irony.

- RG>

Re:I hope...

[j00r0m4nc3r]

And got burnt when they dumped their life savings into HXMP, the hottest most promising stock of the decade!

Re:I hope...

This guy getting anally raped is not an actual occurrence, therefore it is funny.

Oh dude, you are just SO right. These losers need to get a sense of humor. Hey, I gotta joke I know someone like you can appreciate...

Q: What is the New York City Fire Department's favorite song?
A: "It's Raining Men"

Hahahahaha, that is SOOO FUCKING HILARIOUS!!! Get it? Remember when the towers were burning and all the people were leaping to their deaths! It was literally raining men that day! But since that isn't REALLY the NYFDs favorite tune, then it's really fucking funny to think about all those innocent people splattering on the pavement. Oh, oh, I've got another one for ya!!

Q: What was the last thing going through Mr. Jones' head when he was working on the World Trade Center's 90th floor?
A: The 91st floor.

Hahahaha, that is soooo fucking funny!! Get it? You know it's about that time when thousands of Americans died. Hahaha, he had his brains smashed out by an entire floor of a building!! Hahahahaha, but since there was no real Mr. Jones, that's fucking hilarious!!! If he were real, Mr. Jones would have probably been thinking about his wife, or his family, or how he wasted his life working in some cubicle on the 90th floor... but literally, the building collapsed so the last thing going through his head was the floor above him! Oh, that reminds me of another one...

Q: How many Americans died in 9/11?
A: Who gives a fuck?

Hahahahahaha!!! Get it??? Everyone hates Americans because they're all sick fucking pricks. The rest of the world is appalled when things like Abu Ghraib come to light, but Americans just shrug and wonder what all the fuss is about. "Pound me in the ass prison" and "don't drop the soap" jokes are as American as apple pie, so why would Americans care if some 14 year old arab foreigner suspected of terrorism is ass raped without trial? Really, American's just don't understand why anyone else should care when we kidnap, rape, and torture their friends and family, so nobody gives a fuck when Americans die!! Isn't that fucking hilarious?!? Hahaha, everyone hates America because they've had their sense of humor removed too.

Now watch this!

Re:I hope...

Rape is so funny! Mod me up slashtards, I made teh funnies. Hahaha.

Re:I hope...

Honestly, I think the minimum penalties are far too lenient. Here is a man who makes a living by costing the world millions of dollars in unwanted fees. I myself during the course of my day job, waste on average 200 hours a year reversing damage caused by waves of spamming drones.

My time is worth $21 an hour. That's $4k that my self-funded department could use on increasing profits, rather than burning them undoing the damage that douchebag opportunists like this guy cause by making a quick buck.

Spammers profit at the cost of the entire world's time and money without offering anything useful in return.

So no, rape in prison isn't particularly unusual, and I don't think that it'd be particularly cruel given the severity of his crimes.

Re:I hope...

HAHAHAHAHAHA
Your friend has a good sense of humor. How did a lame librarian like yourself end up being friends with him anyway?

Re:Let me punish him

Riiiight. And lets disembowel they guy that lets his dog crap on your lawn...
Can you really read your own post and think you were adding constructively to the topic? Spamming is annoying, ID theft is a crime, but neither deserves more than fines and some jail time.

Burger King

[rice_burners_suck]

I would like to be called Burger King... now that's a name that has a great ring to it. But not Spam King. Oh man, that sounds awful! Imagine, you're driving down the street and you see two places next to each other. Burger King and Spam King. Which one will you go to?!

BURGER KING of course!!! Burger King rocks!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Let me punish him

[Brian+Gordon]

Vigilante justice and torture are also no laughing matter, mod this guy down into oblivion.

The rules he's charged under suck

[Artifakt]

The major charge in this case seems to be that he defrauded a bunch of other spammers. For that, he faces serious time - conning a bunch of nasty people who had every intent to spam a lot of genuinely innocent people if they could. He faces only much more minor time and fines for not paying his fair share of taxes or for spamming anybody who wasn't themselves out to con people. The guy's pond scum, and a few years in medium security looks reasonable, but isn't this all sort of like arresting Clyde Barrow and threatening him with 30 days for each murder, 180 days each for the robberies, and 20 years+ for shortening shotguns?

Re:Let me punish him

[Nonillion]

"Riiiight. And lets disembowel they guy that lets his dog crap on your lawn...
Can you really read your own post and think you were adding constructively to the topic? Spamming is annoying, ID theft is a crime, but neither deserves more than fines and some jail time."

I guess no one here shares my sense of sadistic humor. Quite honestly, guys like him have ruined the Internet. I remember when the free exchange of ideas on the internet was free of spam and scammers wanting to steal my money. There was a time you didn't need to run firewalls and use anti-virus software, but sadly, those days are long gone.

Best Seattle Sentence

[Foobar+of+Borg]

He should be sentenced to be taken to Pike Place Market and slapped in the face with a salmon for each email sent while being forced to drink cheap coffee. Of course, that would probably a horrible waste of salmon.

spam

[rice_burners_suck]

I think there is a very simple solution to the SPAM problem. Migrate the email platform to one that uses micropayments. Each person can set a price for delivery into their inbox. For example, I can decide that to send me a message costs 10 cents. Now every time someone sends me an email, they are charged 10 cents (after a confirmation of course) and I earn 10 cents. You could decide to set a higher price or a lower one. But the point is that people have to pay you to send you email, or it simply doesn't arrive in your inbox.

Spam will disappear. The email kind. The tasty kind will continue to appear at your local grocery store.

Re:spam

[mpe]

I think there is a very simple solution to the SPAM problem. Migrate the email platform to one that uses micropayments. Each person can set a price for delivery into their inbox. For example, I can decide that to send me a message costs 10 cents. Now every time someone sends me an email, they are charged 10 cents (after a confirmation of course) and I earn 10 cents. You could decide to set a higher price or a lower one. But the point is that people have to pay you to send you email, or it simply doesn't arrive in your inbox.

The problem with this is that you need to first set up a planet wide system for such a micropayments system. It had also better cope with large companies shuffling their email servers according tom the currency markets. Then you have the problem of what happens when the spammers start using the accounts from compromised machines or even set up throw away accounts then just don't pay the bills. (Which have probably been sent to a park bench, telephone kiosk, derelict building, someone who is going to be elsewhere for 6 weeks, etc. )
A similar idea would be to have the sending machine perform some computational task, such as encrypting the email with a specific public key. Again this tends not to have the desired effect if a spammer has hacked into someone else's machine.

Comment removed

[account_deleted]

Comment removed based on user account deletion

but...

[AmigaHeretic]

I'm still getting spam?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Calm down!

[xaxa]

There's too many comments suggesting he should be killed, raped, or otherwise hurt. If you seriously approve of that kind of punishment, either
a) move to a country with Sharia law
b) save it for the worst offenders, those that actually murder others, like some US states do
c) grow up. At worst he's annoyed you, and maybe cost you a bit of time or money.

Re:Calm down!

Murder? Absolutely not, no way, no how, shouldn't even be joked about.

Rape? Hmm, give me twenty minutes to clean out my spam folder then I'll finish this post...

Re:Calm down!

[clarkkent09]

I don't think he should be killed or raped, but he should be put away for more than a year. The cumulative damage he caused to many people in bandwidth costs alone is probably much more than the guy who vandalized a few SUVs as an environmental protest and got 10 years or whatever, too lazy to look up the details. If you want to deter a crime that is easy to commit and where those committing it are hard to catch (as with spam) you do it by imposing harsher sentences.

Re:Calm down!

[obscured_dude]

xaxa, this guy is worse than saddam hussein, osama bin laden, and every child rapist that has ever lived all rolled into one... Have you spoken with him on the phone and asked him reasonably to remove a number of email address's from his "spam list"? he was the one who started the threats... he was the one who initiated contact with me... if he doesnt want to pay a multi million dollar bill for my wasted time deleting his spam... i will send debt collectors that collect "knee caps" over money to pay him a visit... not my problem in the slightest... he didnt pay up when he could have easily read my terms of business... that was on the back of the invoices i sent to him :)

Re:Calm down!

[edwardpickman]

Sorry but I loose hours a week to deleting spam even with filters. Times that by all the computer users affected and it's a massive loss of time. Why should we loose millions of hours a week so he can hawk crap no one needs and 99% never respond to, he's playing a numbers game. Where in Sharia Law does it mention being locked in a cage with a rabid grizzly bear with a belly full of Viagra? Yes it's rediculous to execute the guy for cyber crime but the fact it was all done on a computer doesn't make it okay. Let's say he stole a 100 million dollars in productivity? Not as rediculous as it sounds it was likely far more. If he stole a 100 million in gold would you say it wasn't that big a deal? Saying it's not the same thing isn't realistic because companies are loosing hundreds of millions to the flood of spam. Slapping them on the wrist isn't going to make the spam go away. We have to get out of this mindset that anything that happens on a computer is inherently good. If he hacked the FAA and caused a couple of airliners to crash by accident would it just be an honest mistake? He wasn't hacking but he was doing bad things with computers and he made millions doing it. If you're worried about him send him a jar of lube and wish him well. Personally I think it would be justice if he got a cell with a guy that had been ripped off in one of his scams. It'd not only be justice but Karma as well.

Re:Calm down!

[JediLow]

Going off your killers comment:

If an average person spends 20 minutes a month fighting spam (between time they filter through it, work they have to do to pay for the costs, or anything else - which this would be a low number) they end up fighting spam for 3.6 hours every year.

When you take that 3.6 hours spent by one person in a year and multiply it by the millions of people that receive the spam (for simplicity's sake lets just say its a paltry 1 million), thats costing 3,600,000 hours in a year.

A person who lives to be 75 lives 655,200 hours.

With this math, when a spammer hit one million people's inboxes (with just spam, not even counting the viruses and other means that we have to combat to stop their means of distribution) thats the equivalent of killing 5.5 people each year. When you figure that the amount of time it takes to fight spam is probably significantly higher than 20 minutes a month by an individual (bearing costs, actual time hitting delete, viruses, etc) even with filters and that they're hitting far more than just a million people, the actual cost in human lives increases dramatically.

So, yes; I do support a far harsher sentence on him - based on the math alone he should be thrown in jail for multiple lifetime convictions.

Re:Calm down!

[JediLow]

I wish I read the article before. Here're the numbers which he's actively responsible for (at least):

His company made at least $300,000 last year at $495 a shot - so he sold at least 606 of his packages in a year. With a package lasting 15 days it means he had to sell 24.3 packages to cover 20,000,000 people for one year (since he also sold email addresses and the cumulative effect of that would cover enough to hit the 20 min/month ratio) that means he could cover 500 million people/addresses in a year. When you take our previous number of 5.5 people in a year based off of 1 million inboxes, you find that the time he's spent is equivalent to killing 2,750 people in a year. Its currently 2008, and we know he's done it at least 2005, that means he's been responsible for the equivalent of 8,250 lives.

Or, you could just go off the fact he would send spam to 20,000,000 addresses regardless of the amount of times he could cover them or the fact that he sold their addresses; that means he's responsible for 110 people.

Sure brings some perspective to the whole spamming thing doesn't it?

Re:Calm down!

[Zatacka]

I think you won't like TV. Or sleeping too long, the silent killer!

Re:Calm down!

[hairyfeet]

I agree that it is also not very just. For a truly just verdict,he should be forced for one week to run down the streets of his hometown naked,while those that were spammed by him get to pelt him with fake viagra and penis pumps while laughing at his small dick.Then of course the resulting video should be posted to Youtube for all of us who can't make the trip.That would be just AND funny,although I do like the salmon thing,but only if he got smacked by the salmon by people he spammed.Need to think of the people,you know.

Re:Calm down!

[dissy]

There's too many comments suggesting he should be killed, raped, or otherwise hurt. Seriously.

For the people advocating death/rape for this guy: just wait until you are falsely imprisoned, or simply imprisoned for a minor infraction such as telling your mind verbally to someone who turns out to be on the 'good' side of the law. It happens very frequently in this country. And non zero odds that it will happen to you as well.

To everyone else: don't get me wrong, I'm not at all saying Soloway is innocent and should not be punished for his crimes. Just that wishing cruel and unusual punishments on him, which sadly are highly likely to happen to anyone that ends up in jail or prison, will also be forced on a small part of the innocent population as well, and that it's never right.

I also don't feel stupidity should be punished with nightly beatings, rape, disfigurement, torture, and potentially murder in the prison system either, despite the fact that the people wishing these things on others will probably never learn just how stupid such desires are until it happens to them.
But I sure do wish there was less stupid people in the world, such as those that cheer for this sort of treatment.

Re:Calm down!

[Anne+Thwacks]

Please forward copies of this e-mail to the court, you congress critter and all members of the senate. (By snail-mail on account of its quite clear none of them reads e-mail)

Re:Calm down!

[mpe]

I don't think he should be killed or raped, but he should be put away for more than a year.

In which case the most appropriate US prison for him would probably be Camp X-Ray.

Re:Calm down!

[mpe]

Sorry but I loose hours a week to deleting spam even with filters.

The filters arn't free either

Times that by all the computer users affected and it's a massive loss of time.

In the process making email a much less useful communication tool. Especially if someone misses real email in amongst all the spam or the spammers attempts to evade filtering mean that legitimate email winds up being filtered.

Why should we loose millions of hours a week so he can hawk crap no one needs and 99% never respond to, he's playing a numbers game.

Why isn't law enforcement chasing these people down in the first place. A high proportion of spam appears to involve peddling things which are illegal (or in a way which is illegal) regardless of the method to sell them.

Let's say he stole a 100 million dollars in productivity? Not as rediculous as it sounds it was likely far more. If he stole a 100 million in gold would you say it wasn't that big a deal? Saying it's not the same thing isn't realistic because companies are loosing hundreds of millions to the flood of spam.

Which is probably a far more real loss than all the noise you hear about "Internet piracy".

Slapping them on the wrist isn't going to make the spam go away. We have to get out of this mindset that anything that happens on a computer is inherently good. If he hacked the FAA and caused a couple of airliners to crash by accident would it just be an honest mistake? He wasn't hacking but he was doing bad things with computers and he made millions doing it.

Sending spam often appears to involve a lot of hacking be it faking the sender address or using botnets. (Also the Internet has nothing equivalent to TCAS.)
Someone considered a "hacker" might face a tougher sentence even if what they actually did is a lot less, e.g. Kevin Mitnick

Re:Calm down!

[mousse-man]

If we wanted to torture him, we'd subject him to this and this. Even the CIA refuses to use this torture method, they consider waterboarding more humane.

Re:Calm down!

[kvezach]

Sorry but I loose hours a week to deleting spam even with filters.

How about codifying this? Let's say that deleting a spam takes a second, and the guy sends a hundred million spam messages. Put him in jail for a hundred million seconds; that's 27777 hours or 1157 days, a little over three years. And what kind of spam king would send only a hundred million spam messages?

catch22

[Wyrmy]

"Indeed, the most serious charge Soloway now faces deals not with spam but with nonelectronic mail fraud stemming from his failure to live up to promises he made regarding his e-mail-marketing software." Let me get this straight, they are charging him with spam fraud and with not properly supporting others that wanted to do the same? So, being a spammer is bad, but being spammer IT is good?

just a hunch...

[toby]

But I don't think the Qur'an has much to say about punishing spammers.

Comment removed

[account_deleted]

Comment removed based on user account deletion

also a hunch...

...but I think you're just spouting crap because you don't really know anything about Sharia law at all.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Robert F#$king Soloway

This guy is the latest incarnation of the devil himself, I actually spoke to him on the phone, A number of company's i do IT work for were receiving HUNDREDS of emails from his "charitable mass mailing company" for "charitable organizations" LOL what a crock of shit. This guy deserves to cop it up the arse day and night. I hope he meets one new "friend" in jail for every person he sent his mass mailing crap to.... He was trying to flaunt laws that say "charity's" and non-profit organizations can send what ever crap they want.... I managed to track him down and requested the "sales" department on their IVR rather than tech support or what ever other options they wanted you to go through to remove yourself from their list.... when i unsubscribed (on his old website) a random hotmail account i signed up for that had never received an email from him just to test my theory's, Guess what! he was using the unsubscribe link to generate new email address's to spam!!! This guy deserves to die a slow and painful death in prison. I hope someone shows Robert Soloway "the light" if they dont sort him out in prison i will fly over to the USA and go ape shit on him. I wonder how many cans of spam i can force up his anal cavity with a broom stick before he bleeds to death? :)

it's not that hard...

[ya+really]

Avoiding spam is not rocket science... 1) set decent email filters or find a provider that does it for you 2) Use multiple email addresses (a junk one for signing up for things such as youtube, promotional offers, etc) and one for personal use 3) Don't post your email in public places (obvious)

Re:it's not that hard...

[chromatic]

Avoiding spam is not rocket science...

This may be a wild guess, but you've never run a mail server, have you?

Re:it's not that hard...

[AmigaHeretic]

Not that hard??

I've done what you said and made 3 email accounts. I only ever gave my email address to 1 other person, my Mom.

But somehow the spammers knew my name was John and they found all my adresses!!

john@yahoo
john@gmail and
john@hotmail

I can't figure out how they did it!!

Re:it's not that hard...

[Kierthos]

He's never built a rocket either.

Re:it's not that hard...

Avoiding spam is not rocket science...

3) Don't post your email in public places (obvious) Thats like saying

Avoiding Rape is not rocket science
Women shouldent walk alone in public

Re:it's not that hard...

[SCHecklerX]

Yeah. That gets rid of the problem, right? On a *PERSONAL* mail server over the past month (multiply by several thousand, probably more, at least, for a typical company's mail servers):

$ grep -i spam /var/log/maillog* | wc -l
  1803 (got through all of my rejection code, analyzed as being spam)
 
$ grep -i greylist /var/log/maillog* | wc -l
  4697 (how many mails from places I don't normally communicate with)
 
$ grep -i pre-greeting /var/log/maillog* | wc -l
    487 (mail servers spewing shit before my server greets them)
 
$ grep -i 'you are not' /var/log/maillog* | wc -l
      4 (helo or from address trying to be me or my server)
 
$ grep -i 'user unknown' /var/log/maillog* | wc -l
    216 (dictionary attacks. Probably a lot more of these, but other things I do stops this crap. It would be much higher if I weren't dropping SMTP from most of these abusive fucks on my firewall...the list of blocks is around 200ish known networks now)
 
$ grep -i 'Misconfigured' /var/log/maillog* | wc -l
    28 (Mail server sending bogus helo address...rfc1918, not FQDN, etc)
 
$ grep -i 'RBL' /var/log/maillog* | wc -l
  1383 (on the spamhaus or dsbl blacklist)
 
$ grep -i authorized /var/log/maillog* | wc -l
      6 (trying to send to one of my mailing lists. Again, probably much higher, but other traps catch the crap before it gets this far)

Keep in mind that greylisting tends to get rid of a lot of the dictionary attacks (as do some sendmail options that I have enabled).

I'm sure the resources used by your ISP for every user to deal with this stuff could definitely be put to much more productive use elsewhere. They could most certainly reduce operating costs if they did not have to deal with it.

Death threats are not protected speech

[MacDork]

I realize you're just shooting off at the mouth, but you could be the one that ends up in jail with psychotic posts like that. My advice: See a shrink and figure out how to let it go. It's only junk mail.

Re:Death threats are not protected speech

[Dan541]

I realize you're just shooting off at the mouth, but you could be the one that ends up in jail with psychotic posts like that. My advice: See a shrink and figure out how to let it go. It's only junk mail. ONLY?!?! there is no ONLY about Spam.

~Dan

I hope...

[MacDork]

I hope everyone who makes such remarks, and the mods who find them funny, might one day respect the 8th as much as the 1st.

No, correction.....

[www.sorehands.com]

It is delicious irony.

Re:No, correction.....

please put an end to this nonsense

Re:Let me punish him

[Dan541]

Tell you what, Seattle is only about 70 miles from where I'm at. Let me have him and I'll imprison him in my tool shed where I'll butcher him alive. Putting the video on youtube as a warning to would be scammers. ;) I know, wishful thinking... I only hope that they don't go soft on this asshole and put him in jail where he'll be butt fucked regularly by the general population... Where should I send my donations?

~Dan

Language

[Pogdranaut]

I'm pleading for you to use pleaded rather than pled.

"identify theft"?

[wilx]

"identify theft"?

Mod parent up

Finally someone who knows what there talking about!

Re:Let me punish him

[Peet42]

While I disagree with the specifics, I'm all for the principle of making an example of SPAMmers. Lets try some of these wastes of flesh in death-penalty states and make sure that their crimes are taken seriously enough to make that penalty a credible possibility. SPAMming as a business model should be on the same tariff as murder-for-hire - while the damage to each individual is so much less, there are so many more individuals being harmed. Shock and Awe, people, Shock and Awe.

Re:Let me punish him

I chuckled. Just felt no need to say anything. Just one or two people take this sort of comment a bit too seriously.

Who is fighting the Spam

[Max_W]

Governor Spitzer made his career "fighting" human trafficking, prostitution, and organize crime. If we say it in English - he was holding interests in theses businesses. If not being an owner and an organizer.

The information of it started to leak at first and then it all was simplified to being a simple client.

Is it not a reason why human trafficking business is growing?

Next question - who is fighting the Spam?

Re:Let me punish him

[Obsi]

Your post advocates a

( ) technical (x) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

sweet

[Lawrence_Bird]

As someone who provided evidence to the various federal agencies involved, I'm glad to know I won't have to go to Seattle for a deposition or anything else. When I signed documents early last fall, they said to be prepared for a trial sometime in January so guess they didn't miss that mark by much. I mean its not sex but it sure does feel good that this guy has been taken down.

Will we ever get his collaborators?

[damn_registrars]

A few collaborators - or really, parters-in-crime - that we should look into:

• The owners of the domains he was spamming for
• The ISPs that provided connectivity or hosting for those domains
• The registrars that sold the domains
• The people who provided DNS for the domains

There's a good chance that those are different groups of people, and an even better chance that those groups were getting kick-backs from the spammer. Its rare that the registrars and ISPs that keep spamming operations afloat are truly ignorant of whats going on. Indeed, they are usually taking kick-backs as hush money.

Of course, there's a good chance at least some - if not all - of those groups are outside US territory (and jurisdiction) and will hence never see anything from us. But we can keep hoping for some cooperation on it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Public Flogging Needed

[fast+turtle]

Yes: I do believe that public floggings are needed along with the usage of stocks and for those who've crossed the line, hanging. Instead of coddling the criminals, we need to revert back to a harsher sentencing structure that inflicts actual pain and suffering as a punishment. Read Robert Heinlen's Star Ship Troopers (not the damn movie) to see what I'm talking about.

I suspect that if we finally got around to actually making criminals responsible for their crimes instead of free food/medical/housing that crime would drop pretty quickly in the United States. Of course with all the brainwashing that's been going on about not being responsible for your actions, that's about as likely to happen as the 2nd coming of Christ

Re:Public Flogging Needed

[Stevecrox]

I don't think that would work, I've recently moved within the UK from a big city to a small town. In the big city I never saw a single fight on a night out (but did hear about the occasional one) in the small town every night out seems to show either a fight being broken up, police talking to whitnesses or as of last friday 10 guys running up and hitting a guy dressed up as a cricket dude because he was dressed up as a cricketman.

Listening to their self congratulations after they decided that knocking him to the floor was enough showed they didn't think of any consequences only pride in how "hard" they were. Increasing jail terms wouldn't have dettered them as they honestly couldn't see an issue. Whenever I've had the displeasure of coming accross a theif or violent ejit they seem not to understand what their doing is wrong and seem to take pride if they do it well. I have no idea how you'll address this but sadly I don't think its a problem that can be easily solved.

I do agree that western society needs a culture of responsibility rather than rights.


PS the area in question is Sherborne/Yeovil which apparently have renowned schools, having gone to a top twenty school I can honestly say I don't see much difference between them and your average comprehensive student. But the local parents don't like me saying that.

The new brave world

[Max_W]

Spam is profitable. This is the problem. When a 60K official approaches a spammer king the question arises what is better: 60K or a share of 1000K?

Spam is the slavery of modern days. Billions of people around the globe work for spammers for free. Clicking on the messages either to indicate a filter that it's spam, or delete, or view.

Roughly 90% of the Internet traffic is Spam. A new type of a social system came out unexpectedly. It is neither capitalism, nor communism. It is the Spam.

Spam kings will be getting more and more powerful. Already now they befriend such figures as Tony Blair and the likes. Before long 99.99% of the network traffic will be the Spam. We will be working more and more hours for free for the spam kings.

Welcome to the new brave world of Spam.

Re:The new brave world

[meringuoid]

Roughly 90% of the Internet traffic is Spam.

You misspelled 'BitTorrent'.

Re:The new brave world

[Max_W]

One may download a film or a game from time to time. But it is not a game, Jim. It's day and night, day and night. You get in your e-mail box, forum, comment, guest book only a tip of an iceberg.

Fines too low

[wfstanle]

Is it just me. Lately, the fines levied for illegal business practices in the US have gotten too low because of inflation. The logical remedy is to make the fines based upon a percentage the profits gained through illegal practices. 300% sounds right to me.

Comment removed

[account_deleted]

Comment removed based on user account deletion

TQPHAN LOVE RAPE

Hi TQPHAN, I know you love rape. Maybe you are join the military. You can rape 9 year old girls in Iraq!! Wouldn't that be awesome TQPHAN. Rape is so cool isn't it TQPHAN. It is so cool and funny!!! Hahahaha. Rape is awesome, right TQPHAN? MMmmmm, rape. And murder too. Not all little girls allowed live. TQPHAN is awesome rape funny!!

Yes, just use DNS hostname. It's a start.

[lennier]

"And you'll identify these e-mail servers how? By hostname?"

Yes, by DNS hostname. It's not mil-spec perfect (nothing is), but it will be 1,000 times better than the not-even-trying SMTP swamp we have now. DNS works just fine, and doesn't get spoofed, for *finding* mail. It will work for *authorising* servers.

You can layer encryption/signing over the top, if you really want a few more nines. But if people are constantly breaking in and scrawling their name over your stuff, you might as well just lock the door before you start installing autofire machineguns.

Seriously, what the heck is taking simple, obvious measures like reverse-MX (SPF) so long to get used? Do people *want* SMTP to keep sucking?

"In the end, although a totally secure option should exist, an insecure option should also exist that is controlled by policy rather than technology, and that ultimately means laws."

No, it means fixing the huge, obvious holes in your security before you start handwringing about how your Yale lock won't stop Al Quaeda, and how that means you need to call in the National Guard.

NOBODY needs unauthenticated SMTP sending, except people who need to fraudulently claim their DNS domain of origin as something other than what it is (ie, spammers).

Just get over it and accept that anonymity of mail routing is as silly as wanting anonymous HTTP connections, and can be fixed right now.

How encryption reduces and increases spam

[billstewart]

First of all, it reduces spam because almost nobody's actually bothering to encrypt their email at the client level, though there's a lot of encryption happening on the transport level (TLS on submission links or between SMTP servers, etc.) So spammers aren't going to bother when there are so many easier targets, but neither are your friends and customers.

But it also reduces spam because it takes CPU work to encrypt email, and spammers are generally not going to bother with that. 5-10 years ago, it was _enough_ CPU work to make spamming non-scalable, but with the advent of botnets, that's mostly changed; computers have gotten a lot faster and spammers are using other people's computers instead of having to burn their own CPUs.

How encryption increases spam is that it means that your mail server can no longer run content-based scanning on your incoming email - you'll have to decrypt it first, and then have your mail client run a filter on it. I'm not aware of any mail clients that do that, though at least some of them let you type in your passphrase once and apply it to all incoming messages.

There are systems like some of the corporate PGP stuff that do most of the encryption at the mail server level rather than the mail client, and maybe some of them can help with that.

yes calm down.......but.

[zelik]

I agree, the punishments one may receive in prison may be horrible/fatal and not all crimes deserve such harsh punishments. I also agree that such unfortunate punishments do occur to people who may be wrongfully imprisoned. BUT, I must say, this guy IS guilty, without a doubt, no?? I mean, it's not possible he was "framed" for these charges. It's not an "innocent" crime where he didn't know what he was doing is illegal or falls into the "gray" area of the law. He had evil intentions and acted upon them to make money from spam. The fact is he did the crime and now he has to do the time (apology for the cliche). How should he be punished? That's really up to the community that he was found guilty in. In my opinion, all forms of brutality unleashed upon him in jail may not be deserved but maybe he should have thought about that before he decided to pull these stunts. There is no such thing as victim-less crime. If I get caught at customs for carrying a bunch of China made bootleg DVDs, I should pay for the consequences, however severe. The laws are pre-existing and should be abided. Especially with the convenience of the internet now, feigning ignorance when committing crimes is unforgivable.

Movie Titles

[achenaar]

From the makers of "Guilty in Seattle", comes this year's box-office smash, "You've got mail"