Spam King Pleads Guilty in Seattle

arbitraryaardvark writes "The Seattle Times reports that spammer Robert Soloway has pled guilty to mail fraud and tax evasion, in exchange for the state dropping multiple counts of identify theft. 'The electronic-mail fraud charge is punishable by up to five years in prison. The tax charge is a misdemeanor and carries a maximum one-year sentence. The law also allows for fines against Soloway and his business of up to $625,000 on all charges. Both sides agreed to let U.S. District Court Judge Marsha Pechman determine not just the amount of prison time Soloway, 28, might serve but also the number of his victims, the size of any fine and the amount of restitution he may be ordered to pay.' We've previously discussed his arrest and mention in the New Yorker. The wire fraud felony count is based on selling $500 packages to wannabe spammers."

For sending too much email?

[Brian+Gordon]

Why would they drop the charges of identity theft and charge him with sending too much email? Who cares if someone spams, SMTP is an open system and it's designed to indiscriminately deliver messages- CAN-SPAM is a terrible idea. If you don't want spam, just don't accept email from every mail server on the internet. ID theft and tax evasion are the real charges here.

Re:For sending too much email?

[thyrf]

That's all fair and well if you're only expecting email from certain servers, but for most of us a deny-by-all service doesn't cut it.

Re:For sending too much email?

[jd]

And you'll identify these e-mail servers how? By hostname? (Domain stealing, DNS poisoning, DNS injection) By IP address? (Fake IP headers + source routing, Router table poisoning, Zombies on legit servers, Zombies on any machine between legit server and target) By mail headers? (Zombies anywhere)

And you guarantee inclusion of legit traffic from mobile sources, how? You don't know what IP address or ISP will be used. What about legit mailing lists, where the originator is indeterminate?

X.400 provides much better authentication, and offers an API for repudiation, but if that's what people really wanted, we'd be using it. Or maybe everyone would use SMTP-over-SSL where client-side and server-side certificates were validated. We don't use them because people need the privacy, anonymity and flexibility of the existing system, although I'd argue almost anything is technically superior to the existing system.

In the end, although a totally secure option should exist, an insecure option should also exist that is controlled by policy rather than technology, and that ultimately means laws.

Re:For sending too much email?

[sleeponthemic]

ID theft and tax evasion are the real charges here.

The "real charges" are based on which charges are politically most popular and Spam is charge that raises the most ire.

Re:For sending too much email?

[arbitraryaardvark]

Anyone know what the evidence was regarding the ID theft?

I don't actually. But TFA mentioned how the Washington ID theft statute had never been used in that way before. In my original draft of the summary I described the ID charges as "iffy".
The deal is for potentially a lot of jail time. Fines and restitution don't matter much because he's sheltered all his assets after having gotten sued by Microsoft. 90% of criminal charges are resolved with plea bargains, and that usually involves dropping most charges and pleaing to one or a few.

Re:For sending too much email?

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. your idea will not work. here is why it won't work. (one or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) spammers can easily use it to harvest email addresses
( ) mailing lists and other legitimate email uses would be affected
( ) no one will be able to find the guy or collect the money
( ) it is defenseless against brute force attacks
( ) it will stop spam for two weeks and then we'll be stuck with it
(X) users of email will not put up with it
( ) microsoft will not put up with it
( ) the police will not put up with it
( ) requires too much cooperation from spammers
(X) requires immediate total cooperation from everybody at once
(X) many email users cannot afford to lose business or alienate potential employers
( ) spammers don't care about invalid addresses in their lists
( ) anyone could anonymously destroy anyone else's career or business

specifically, your plan fails to account for

( ) laws expressly prohibiting it
(X) lack of centrally controlling authority for email
( ) open relays in foreign countries
( ) ease of searching tiny alphanumeric address space of all email addresses
( ) asshats
( ) jurisdictional problems
( ) unpopularity of weird new taxes
( ) public reluctance to accept weird new forms of money
(X) huge existing software investment in smtp
(X) susceptibility of protocols other than smtp to attack
(X) willingness of users to install os patches received by email
( ) armies of worm riddled broadband-connected windows boxes
( ) eternal arms race involved in all filtering approaches
( ) extreme profitability of spam
( ) joe jobs and/or identity theft
( ) technically illiterate politicians
( ) extreme stupidity on the part of people who do business with spammers
( ) dishonesty on the part of spammers themselves
( ) bandwidth costs that are unaffected by client filtering
( ) outlook
(X) botnets

and the following philosophical objections may also apply:

(X) ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) any scheme based on opt-out is unacceptable
( ) smtp headers should not be the subject of legislation
( ) blacklists suck
( ) whitelists suck
( ) we should be able to talk about viagra without being censored
( ) countermeasures should not involve wire fraud or credit card fraud
( ) countermeasures should not involve sabotage of public networks
( ) countermeasures must work if phased in gradually
( ) sending email should be free
( ) why should we have to trust you and your servers?
( ) incompatiblity with open source or open source licenses
( ) feel-good measures do nothing to solve the problem
( ) temporary/one-time email addresses are cumbersome
( ) i don't want the government reading my email
( ) killing them that way is not slow and painful enough

furthermore, this is what i think about you:

(X) sorry dude, but i don't think it would work.
( ) this is a stupid idea, and you're a stupid person for suggesting it.
( ) nice try, assh0le! i'm going to find out where you live and burn your house down!

Re:For sending too much email?

[ZorbaTHut]

Who cares if someone sends junk faxes, the phone network is an open system and it's designed to indiscriminately deliver messages - making junk faxes illegal is a terrible idea. If you don't want wasted toner, just don't accept phone calls from every bozo on the phone system.

And yet, oddly, junk faxes are illegal, because they cause a significant amount of cost for the receiver. Just like junk email does.

The law won't [i]fix[/i] things, of course. Junk faxing still occurs. But it might help, if it's designed properly.

Re:For sending too much email?

[frdmfghtr]

So, how does this fail ?

It fails because your Aunt Mathilda doesn't know the first thing about email encryption, nor does she care. Businesses won't mandate its use with the buying public because most of those customers will go somewhere else instead of changing their email habits. "Public keys? How does a key protect anything if it is public?" "Cryptographic signature verification?" Good luck explaining that the John and Jane Public.

I don't expect to see widespread use of email signing (or encryption for that matter) until:

(a) It is mandatory and automatic on all email clients; and
(b) conforms to ONE standard (PGP? Digital certificates?).

I don;t know much about digital signing of email beyond setting up Mail to use it; and I do use it on all outgoing email. However, I have received only a handful of email messages that have been signed, and they all were from federal gov't research labs where PKI use is mandatory.

Re:For sending too much email?

[darkpixel2k]

I hate these forms.
Let's go through it

(X) technical ( ) legislative ( ) market-based ( ) vigilante

What other way will there be of blocking spam? Legislative won't work because there is no one governing body that controls the entire world and can punish those that do wrong.

Market based...well, it might work, but the solution will probable be some sort of technical device like a barracuda appliance.

Vigilante would work if we just shot all the spammers, but then those people would go to jail for murder. Wait until we can clone, then send your clone in to do the dirty work and hope they don't grab you instead of your clone.

So technical is the only way.

(X) users of email will not put up with it

Fine, they can put up with the spam.
But in my experience, users will put up with a lot of shit if it's required of them. Think BSODs, Windows ME, Windows Vista, etc...

(X) requires immediate total cooperation from everybody at once

Kinda like SMTP is required by everyone. If you don't have it, you don't get mail.
I don't care if it's another protocol, or the same protocol with changes. Kinda like IPv6, eventually there will be a cutoff date and everyone needs to get on board or else things just won't work. Get the new email protocol in place, have it work along side SMTP and then once it's developed and tested set a shutoff date for SMTP.

Yeah, it'll be a lot of work, but that's our job. We do the technical shit on the internet. Just like the telco guys--I don't care how my phone call gets from point A to B, just that it does get there.

(X) many email users cannot afford to lose business or alienate potential employers

This seems somewhat irrelevant. We're not talking about immediately shutting down SMTP and saying 'fuckit'. A group of intelligent geeks like you'd find on slashdot (for the most part) are completely capable of coming up with a transition plan.

(X) huge existing software investment in smtp
(X) susceptibility of protocols other than smtp to attack
(X) willingness of users to install os patches received by email

There's always going to be a huge investment when switching (think IPv4 to IPv6). At some point the flaws or limitations of the system become too big a problem and you must change. Have we reached that point with SMTP and spam? Are we out of quick fixes like SenderID, Domain Keys, DKIM, blacklists, whitelists, spamassassin, greylists, etc...?

As for 'patches' received via email, you're never going to stop idiots and social engineering.
I'm not sure what you're getting at with attacking protocols other than smtp.

(X) ideas similar to yours are easy to come up with, yet none have ever been shown practical

That part is true. I'm sitting here saying we should come up with something, but not putting forth any ideas.
But I believe if a group like Slashdot held a huge discussion about it, we would come up with something.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I hope...

[tqphan]

He shares a jail cell with men who have enlarged their penises, taken Viagra, and are looking for a new relationship.

Re:I hope...

[Bored+MPA]

Because rape, HIV, and Hepatitis aren't cruel and unusual punishment in your book? Or is that just the line you toss out to get out of jury duty?

Your comedic take is about as funny as the drunk guy I saw yesterday that said "Ooops, you just knocked over your home" when he walked past a homeless guy that dropped a cardboard box yesterday.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The rules he's charged under suck

[Artifakt]

The major charge in this case seems to be that he defrauded a bunch of other spammers. For that, he faces serious time - conning a bunch of nasty people who had every intent to spam a lot of genuinely innocent people if they could. He faces only much more minor time and fines for not paying his fair share of taxes or for spamming anybody who wasn't themselves out to con people. The guy's pond scum, and a few years in medium security looks reasonable, but isn't this all sort of like arresting Clyde Barrow and threatening him with 30 days for each murder, 180 days each for the robberies, and 20 years+ for shortening shotguns?

Re:If only it were so good...

[Telvin_3d]

The problem with this? The depressing number of office workers who use their accounts for personal type mail. A company uses your smtpx protocol and promptly sees their rating drop due to the dozen fifty year old ladies in accounting forwarding on every piece of cute spam and donate-to-save-the-children mail they get.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Calm down!

[xaxa]

There's too many comments suggesting he should be killed, raped, or otherwise hurt. If you seriously approve of that kind of punishment, either
a) move to a country with Sharia law
b) save it for the worst offenders, those that actually murder others, like some US states do
c) grow up. At worst he's annoyed you, and maybe cost you a bit of time or money.

Re:Calm down!

[clarkkent09]

I don't think he should be killed or raped, but he should be put away for more than a year. The cumulative damage he caused to many people in bandwidth costs alone is probably much more than the guy who vandalized a few SUVs as an environmental protest and got 10 years or whatever, too lazy to look up the details. If you want to deter a crime that is easy to commit and where those committing it are hard to catch (as with spam) you do it by imposing harsher sentences.

Re:Calm down!

[dissy]

There's too many comments suggesting he should be killed, raped, or otherwise hurt. Seriously.

For the people advocating death/rape for this guy: just wait until you are falsely imprisoned, or simply imprisoned for a minor infraction such as telling your mind verbally to someone who turns out to be on the 'good' side of the law. It happens very frequently in this country. And non zero odds that it will happen to you as well.

To everyone else: don't get me wrong, I'm not at all saying Soloway is innocent and should not be punished for his crimes. Just that wishing cruel and unusual punishments on him, which sadly are highly likely to happen to anyone that ends up in jail or prison, will also be forced on a small part of the innocent population as well, and that it's never right.

I also don't feel stupidity should be punished with nightly beatings, rape, disfigurement, torture, and potentially murder in the prison system either, despite the fact that the people wishing these things on others will probably never learn just how stupid such desires are until it happens to them.
But I sure do wish there was less stupid people in the world, such as those that cheer for this sort of treatment.