California ISP Sues Spammer and Wins

← Back to Stories (view on slashdot.org)

California ISP Sues Spammer and Wins

Posted by Roblimo on Monday August 2, 1999 @12:00AM from the sometimes-the-good-guys-win-one dept.

Kris Rallapalli sent us a press release that tells how his small ISP successfully sued a spammer in small claims court. Text from Kris's press release (minus some corporate hype) follows.

San Jose, CA, August 2, 1999 -- In one of the first cases of its kind, San Francisco Bay Area Internet service provider (ISP), Kepnet, took a spammer to court in order to recover damages and won. On July 29th, Los Gatos Small Claims Court awarded Kepnet $600 compensation plus court costs for damages caused by a spammer's unauthorized use of its network.

Kris Rallapalli, President of Kepnet, caught the spammer abusing his network by sending large quantities of unsolicited e-mail messages. By filing a suit in small claims court, Rallapalli took advantage of California Assembly Bill 1676, passed in the summer of 1998, which makes it easier for ISPs to collect damages from spammers.

"Our objective with the suit was simply to collect those damages that were tangible," Rallapalli said. "That is, the number of hours it took us to find the problem and minimize its adverse effect on the network. It didn't include potential harm to our reputation."

Until this new law took effect, ISPs had to bear the burden of costs associated with repairing network damage due to spammers, who send mass e-mail messages using an ISP's network facilities. This can cause jams and sometimes crash servers. The new law expands and clearly enumerates the list of prohibited advertising practices to include spamming, making such activity illegal and allowing significant punitive penalties.

"I hope that other ISPs in California will pursue this kind of action if they have spammers, too." Rallapalli said after the verdict. "Because now there is legal recourse they can take." Using small claims court expedited the process for Kepnet. "It was fast and inexpensive," added Rallapalli. "We didn't even need an attorney, and the judge's decision came back in just a few weeks."

53 comments

Min score:

Reason:

Sort:

Good! by RomulusNR · 1999-08-01 19:13 · Score: 1

About time, too. Maybe other ISPs and tech firms which remain sheepish will be encouraged to take actions like this.

Regards,

--
Terrorists can attack freedom, but only Congress can destroy it.
1. Re:Good! by VWswing · 1999-08-01 19:46 · Score: 1
  
  That's well.. but how much do we want outside bodies to intervene? I agree there are instances that legal precedence could be a good pressure point on jerks... but what about when it's just a
  matter of configuring our systems to avoid the hassle altogether? Should we still sue? where's the spirit in that?
  
  --
  "And how can this be? For he is the ..."
2. Re:Good! by RomulusNR · 1999-08-03 20:03 · Score: 1
  
  If it were still the case where you could get all the admins on the net to, for example, spam-proof their sendmails, or smurf-proof their networks, that would be great, and there would be a little less need to get help from "outside" bodies.
  
  What happens for example when your network pipe is hosed by a smurf attack, because some schmoe admin at a major provider wont set their routers to prevent it? Do you then turn on your users, and start denying them "problem" services, because of someone else's negligence? Or would it be a little better, for all concerned, to make an example of the networks whose idleness adds to your grief?
  
  For another example, see last week's (?) article about the site that was blocked by CyberPatrol. Was it best in that ISP's case to pretend there wasn't a problem? And to accept the CyberPatrol block as a fact of life, and pretend to themselves that it wouldn't eventually damage their business?
  
  If you really believe you/we can get everyone on the net to stop using suppressware anytime soon, please, show me how. Or, if you think rampant negligence, abuse, and bad faith can go unchecked, and you can still make a long-term profit as a small or mid-size tech firm on the Internet, I'm sorry, I don't see how in the current trend.
  
  In point of fact, outside bodies are already interfering, quite a lot, and little is being done, effectively, to stop it. In my mind, using legal action is an inside force, as opposed to knee-jerk legislation which is coming from totally nowhere and with little input from those it affects.
  
  I dont know why so many in this field think law is always their enemy.
  
  Regards,
  
  --
  Terrorists can attack freedom, but only Congress can destroy it.
News? by vosque · 1999-08-01 19:17 · Score: 1

Could they get this to work with newsgroups and servers as well, now that there is *some* precedent?
1. Re:News? by Radnor · 1999-08-01 19:36 · Score: 3
  
  I don't see why not. News messages are propagated by an ISP's news servers, and end up on other news servers. The spammer is still misusing the ISP's hardware, albeit the recipient list is probably smaller. The Usenet "community" is pretty good about finding spam messages in the higher groups-- cancel bots handle a good portion, and rogue cancellers catch some others. Most of the times I find that a spam message has already been canceled by the time I get to click on it. This only works if your news server supports cancels, though. A side note: If you do find spam and don't want to decode all the headers yourself, take the message (headers included) and paste it into SpamCop. They generate the emails to the appropriate abuse addresses, and even send them out to you if you register (it's free; I use a decoy hotmail account to do my spam reporting). Only you can help prevent spam.
2. Re:News? by HowWonderful · 1999-08-01 22:48 · Score: 1
  
  I don't know about that. If many news servers let binaries through i dont see how they could make a case that spammers waste alot of bandwidth.
  
  And yes i understand binaries arent spamming.
3. Re:News? by Anonymous Coward · 1999-08-02 01:15 · Score: 0
  
  Not all ISPs carry binaries groups, though, and most of them who are able put binary and non-binary groups on separate news spools. Spam can turn (warning, hypothetical figures ahead) a 10-day expire for comp.os.linux.announce into a 5-day expire, but never even make a difference for the constantly churning, 1-day-expire alt.binaries.pictures.my.cat.
One amusing thing in that article by fable2112 · 1999-08-01 19:21 · Score: 2

Hoping that other ISPs will follow suit IF they have spammers?

Seems to me that any ISP which doesn't have some sort of substantial and followed-up-on policy to discourage spammers (and some that do) is going to have spammers sending from their service from time to time. :P

--
"Somebody exploded a letter-bomb today ... but it wasn't anybody I knew" -The Moody Blues, "Dear Diar
1. Re:One amusing thing in that article by kavalier · 1999-08-01 19:42 · Score: 1
  
  what about spammers who run their own ISP and their own mail server? theres still no way to stop that is there? I host my own server and if I were to send spam using my ISP's mail server, they'd cancel my account, but if I use my own mail server, nobody (including my ISP) could stop me.
  
  --
  my blog sucks, does yours?
2. Re:One amusing thing in that article by Radnor · 1999-08-01 19:52 · Score: 1
  
  They could cut off your access. You'd eventually be traced back to your provider, who would be deluged with spam reports and hate mail. They don't want to have to deal with that, so they kick you off of their service.
  
  Really, it's not worth the trouble of spamming. Who really reads them, anyways? I sure don't.
3. Re:One amusing thing in that article by HowWonderful · 1999-08-01 22:50 · Score: 1
  
  Well, I'm guessing that spammers really dont give a rats colon if there is a policy or what it says.
  
  They DONT CARE.
4. Re:One amusing thing in that article by tgeller · 1999-08-02 01:20 · Score: 2
  
  Based on the California laws, you can sue anybody who send spam *to* your server -- you need not have a prior business relationship with them. Here are the three references:
  * California Business and Professions Code, Section 17538.45
  * California Business and Professions Code, Section 17538.4
  * California Penal Code, Section 502
  The first two were the result of a bill by Gary Miller; the last (which sucks rocks) is from Bowen. I'm collecting all these resources (including full texts of the bills) for a site to be launched as soon as I get my Linux server to talk with my router. Until then, you can look them up on FindLaw.
  --Tom
  
  --
  Tom Geller
5. Re:One amusing thing in that article by kavalier · 1999-08-02 02:11 · Score: 1
  
  yeah I guess you're right.. I'm not considering spamming, I'm just trying to view this from all directions.. however, if I have a good standing relationship with my provider and he with his provider, and me with his provider, which has a direct connection to a major backbone, nobody could stop me right? like say my best friend works for splitrock.. nobody would risk cutting off a whole backbone for a simple spammer so it wouldnt be pushed too far if my ISP ignores the requests. I'm just saying this because I've noticed alot of spammers that I've been spammed with have their own mail server and had a direct connection to a major backbone provider and its possible they had inside connections that would prevent them from getting disconnected. right?
  
  --
  my blog sucks, does yours?
6. Re:One amusing thing in that article by Windigo+The+Feral+(N · 1999-08-02 03:05 · Score: 3
  
  Kavalier yammered:
  eah I guess you're right.. I'm not considering spamming, I'm just trying to view this from all directions.. however, if I have a good standing relationship with my provider and he with his provider, and me with his provider, which has a direct connection to a major backbone, nobody could stop me right? like say my best friend works for splitrock.. nobody would risk cutting off a whole backbone for a simple spammer so it wouldnt be pushed too far if my ISP ignores the requests. I'm just saying this because I've noticed alot of spammers that I've been spammed with have their own mail server and had a direct connection to a major backbone provider and its possible they had inside connections that would prevent them from getting disconnected. right?
  
  Not only could many ISPs blackhole an entire backbone to "get rid of a single spammer", entire backbones have historically been blackholed to get rid of spammers.
  Some examples I can think of off the top of my head:
  AGIS, a backbone which was given the "Internet Death Penalty" (had all Usenet posts shunned or cancelled, and many sites shunned all email and blocked all other connections, including web and FTP, to sites that got feeds through AGIS) due to their hosting of several major spam sites associated with the IEMMC (a now-defunct spammers' trade group) including sites associated with Nancynet and Sanford Wallace's spams. AGIS refused to remove IEMMC sites, even when confronted with info that IEMMC "remove" lists were actually being used to add folks to spam lists. It literally took a large portion of the sites on the Internet refusing to exchange ANY packets that went through AGIS's backbone before AGIS finally dropped Sanford Wallace and company like a hot potato.
  UUnet's dialups have been periodically blackholed by ISPs because of severe problems with net.abuse (including spam) from the dialups and UUnet being slow to provide tracing info. It took the real threat of possibly the largest backbone's dialups being left to talk to the ether bunnies for UUnet to shape up.
  While not backbones, national-level ISPs and servers have been blackholed for reasons of spam and/or net.abuse. (Among a short list: AOL, Netcom (has been IDP'd at least twice), Earthlink (in association with Scientology-related net.abuse), Zippo (pay news service; was unblocked after strong AUP enforced), Altopia (blackholed due to "Hipcrime" related net.abuse and refusal of admin to investigate), Demon Internet (open NNTP servers), etc.) In fact, there is serious talk of blackholing an entire name domain registry due to spam (Network Solutions, aka InterNIC).
  An increasing number of sites--largely because it's been shown that People Just Plain Don't Like Spam and because spam does consume a gawdawful amount of system resources (I've done a rough essay on the subject)--are joining blackholing mechanisms. Spam-cancels and UDPs were the first of these; a later incarination is the famous Blacklist of Internet Advertisers, then NoCeM was developed to replace spam cancellation (as well as provide for global killfiles for end-users) and now blackholing mechanisms such as the Realtime Blackhole List; the RBL is now explicitly supported by most modern mail daemons, including sendmail.
  In other words...don't assume that people won't blackhole an entire backbone if the backbone won't wack people who are using it to spam. Some folks will. They've done it before, they'll do it again, and it is literally easier than ever to leave a spamaceous site--backbone or no--talking to itself and the ether bunnies. This way of dealing with Bad Folks is as old as the Amish and it's not gonna go away anytime soon. >;)=
  
  --
  -Windigo The Feral (NYAR!)
7. Re:One amusing thing in that article by kavalier · 1999-08-02 21:40 · Score: 1
  
  ok.. if its so easy.. why do spammers still exist after a few days? I dont mean spammers in general, but I mean if one person spammed, why are they still online after a few days if its so easy and guaranteed to get rid of them right away? many porn sites that spam still remain to be online and nobody has gotten rid of them yet, why?
  
  and also, isnt the only way to completely blackhole a backbone provider, to contact EVERYBODY on the internet who provides links and tell them to ignore that person/site? cuz if say one of AGIS's links blocks them, couldnt they just put up another T-x or OC-xx to another provider that doesnt have them blocked? theres unlimited number of connections to the internet, you cant convince everybody in the world to refuse connections from one person, can you?
  
  (not pretending to be a know-it-all.. asking questions is the best form of education)
  
  --
  my blog sucks, does yours?
"Unauthorized access" by timftbf · 1999-08-01 19:39 · Score: 1

It's interesting to note that the press release mentions 'unathorized access' - what do they mean by this?

Have they recovered damages against someone who spammed their customers, with the resultant increased mail server / network load? This would be a nice precedent.

If it's one of their own customers, there should be harsh fines specified in their AUP / TOS, which it should be simple to collect. Again, nice if this is actually being enforced.

If it's someone outside of their network relaying off of them, it should probably not have happened in the first place. There's very little in the way of excuses for running an open mail relay any more - the only way to get around a sensibly configured mail server I can think of is IP spoofing, which is a) beyond most spammers and b) blockable at your border routers. If it's this one, I hope they've fixed the problem as well as collecting the damages.

"Unauthorized access" tends to suggest the last option to me :(

Regards,
Tim.
1. Re:"Unauthorized access" by Bartmoss · 1999-08-01 21:49 · Score: 1
  
  Unauthorized access probably means someone used
  an open relay. I doubt a spammer would go to the
  troubles of IP spoofing when there are so many
  open relays out there...
2. Re:"Unauthorized access" by Zemran · 1999-08-02 00:02 · Score: 1
  
  It says "unauthorised use" not access.
  
  If their TOC forbids spamming then tho Spam would be "unauthorised use".
  
  --
  I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
hmm.... by kornyone · 1999-08-01 19:41 · Score: 1

Well, may this be a path breaking case (and well needed) that came out of California? I hate to complain, but it's nice to see a liberal bill for once put to good use. As many BS laws and bills are passed here, finally one that kinda gives a CA Resdient a good feeling (unless that resident be the spammer). :)

--
--------------------------- Jason Parker (aka kornyone)
Internet Direct by JeffHiggins · 1999-08-01 20:21 · Score: 2

The ISP I work for did this too a while back, the first of it's kind in Canada, I believe. Here's the release they sent out:

I.D. Internet Direct. Ltd. successful in suit against junk emailer

April 1, 1999, Toronto - In the first successful lawsuit of its kind in Canada, independent Internet service provider (ISP) I.D. Internet Direct Ltd. today announced that the court has ruled in its favour in its recent application for an injunction against junk emailer Cory Altelaar. The ruling grants I.D. Internet Direct. Ltd. an injunction preventing Cory Altelaar from delivering junk email through its systems and awards the ISP a reimbursement of its legal costs.

"This is a ground-breaking ruling in the struggle against junk email in Canada," says John Nemanic, President of I.D. Internet Direct. Ltd. "If Mr. Altelaar violates the court order and attempts to use our services for junk email again, he'll be looking at some serious charges."

Nemanic says that his company received several calls and emails of support from other ISPs who were similarly abused by junk emailers (also known as "spammers"). "We want to thank our lawyer, Andrew Lundy of Brunner and Lundy, for his fine work in this case," says Nemanic. "This ruling sends junk emailers a serious message: this activity is not legally acceptable in Canada. You can try to hide, but you will be caught and risk prosecution if you abuse the Internet."

Jeff Higgins
www.hal9000.cc

--
- el jefe -
www.hal9000.cc
1. Re:Internet Direct by rngadam · 1999-08-01 20:56 · Score: 1
  
  Too bad it was on April 1st, it kind of take out the idea of being taken seriously by spammers ;-)
2. Re:Internet Direct by tlhIngan · 1999-08-02 08:49 · Score: 1
  
  I still use them. I remember a few years ago someone from ID actually spammed a number of ID customers (ooh, bad, spam customers on the same ISP as yourself), and did a poor job of it too (50+K email, 2 k body, 47.9K To:/CC: lines...).
  
  I looked at all those addresses, and it seems they were spammed by email names (i.e., people with email addresses starting with a would get everyone's address starting with a...).
  
  No idea how they got hold of my ISP email address (I rarely use it). But within a day, I got a email from the administrator saying "we're sorry. We're taking action against the spammer immediately". Within a week there was "Spam Avoidance Tips" sent via email and on the web pages.
They had it coming by Farce+Pest · 1999-08-01 20:39 · Score: 2

If it's someone outside of their network relaying off of them, it should probably not have happened in the first place.

Exactly. If you intentionally run an open relay, you are implictly authorizing access to everyone.
There's very little in the way of excuses for running an open mail relay any more

Also true. I doubt this ISP was intentionally running an open relay. They probably got hit with the quoting exploit that's in a lot of pre-8.9 sendmails (or could be any number of other sendmail exploits). ORBS has a good list of them.

--
This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
One concern, though... by Jonny+Royale · 1999-08-01 20:41 · Score: 2

I'm not worried about ISP's who sue spammers for abusing their networks...I'm worried about ISP's who take cash up front from spammers...kind of like the USPS does from Ed Whathisface. You know its coming, and you don't get to sue for GETTING spam, do you?
Wanted: Private right of action by Tackhead · 1999-08-01 21:03 · Score: 4

Yes, the CA antispam law is a good first step, as it allows ISPs to sue spammers.
Problem is, most ISPs won't sue. ISPs are in the business of providing IP connectivity, not suing spammers. Small ISPs don't generally have the money to bring about such suits in the first place, and large ISPs don't have the time to launch a dozen suits against every day's load of new dialup spammers.
What I want is something like the WA state law, which allows for a "private right of action" against the spammer. This allows the recipient of the spam, not the ISP, to sue. If the spammer doesn't show up in court to defend itself, a default judgement is entered against it, and the judgement can be sold off to a debt collection agency.
(Yes, if you live in Washington, that next spam could be worth up to $500! MAKE MONEY FAST!)
What's interesting about the WA state law is that most of the cases where people have collected $500 for being spammed haven't gone to court. Often, a demand letter in an amount less than $500 is all that's required, and the spammer, knowing it hasn't a hope in hell of winning in court, and wishing to avoid an encounter with the legal system, merely forks over the cash.
OK, that's the theory. Now the practice. Here's a guy in Washington, who sues spammers for fun. He's collected $3,900 to date.
If you live in Washington - go thou and do likewise.
1. Re:Wanted: Private right of action by flieghund · 1999-08-01 22:59 · Score: 1
  
  What I would really like to see is this policy instituted on a national level. I have three "regular" email aliases (and about a dozen temporary ones): one is practically clear of spam (because I never give it out 8^), one gets about 50% spam, and the third is 100.00%. Yup, good ol' Yahoo seems to have made my MyYahoo address available to every spammer who has ever walked the face of the earth.
  
  I figure, if there were a law like this in California, I could make $3900 each week.
  
  --
  "I came here to kick ass and chew bubblegum. I'm all out of bubblegum." MSE USC APX AIA CSI CASp
2. Re:Wanted: Private right of action by Doug+Lim · 1999-08-02 01:03 · Score: 2
  
  What I want is something like the WA state law, which allows for a "private right of action" against the spammer. This allows the recipient of the spam, not the ISP, to sue. If the spammer doesn't show up in court to defend itself, a default judgement is entered against it, and the judgement can be sold off to a debt collection agency.
  
  Be careful what you ask for, you might not get exactly what you want. There is legislation at the state level either already enacted or well on its way to becoming law that does provide spam recipients with a right of private action. The only problem is that several of those bills have been watered down by friends of direct marketing interests to allow recovery of only $10/per spam by the recipient or some similarly piddly amount. Hardly worth the recipient's time or effort to try and collect.
  
  For a good review of currently enacted and pending anti-spam legislation at both the state and federal levels, check out the Unsolicited E-mail Statutes subsection of the Cyberspace Law Website hosted by John Marshall Law School in Chicago, maintained by Prof. David Sorkin.
  
  Voice your desire for effective anti-spam legislation at the state and federal levels by contacting via snail mail (not phone, not e-mail) to your state and federal legislators. Find out who your state and federal legislators are and what their views are at Project Vote Smart.
  --
  Doug Lim -- Public Education Coordinator - FREE
  "Speech isn't free when it comes postage due"
  #Jim Nitchals - Founder - Forum for Responsible and Ethical Email
  ## http://www.spamfree.org/
3. Re:Wanted: Private right of action by Anonymous Coward · 1999-08-02 10:19 · Score: 0
  
  Interesting with the Yahoo bit, I wonder if there is any fine print when you get a yahoo account, they probably have something in there to allow them to sell or give your address to any one that they want. Then in turn since you accepted this agreement, you also accept the use of your email address by any company that yahoo deceides to sell it to.
  
  This would make any legal action a mute point.
  
  Tis something to think about. No matter how you play the game the people with money will find another way to annoy you.
What if? by jcr · 1999-08-01 21:44 · Score: 1

Suppose you wrote an AUP that said that if you spam from your account on this hypothetical ISP, you would owe liquidated damages in the amount of $500K per incident, or $50 per message, whichever is *greater*?

Anyone have an idea on the enforceablility of such a provision, or how to word it so that it was iron-clad?

-jcr

--
The only title of honor that a tyrant can grant is "Enemy of the State."
1. Re:What if? by Mr.+Protocol · 1999-08-02 04:49 · Score: 1
  
  Actually this is something Barry Shein, owner of Software Tool & Die and The World, advocated years ago. His position is that it's founded in contract law, which is so old that it's pretty much ironclad.
  
  I don't know that he's taken his own advice, though.
2. Re:What if? by Anonymous Coward · 1999-08-02 09:57 · Score: 0
  
  Liquidated damages have to be a "reasonable" estimate, at the time of contract formation, of the likely actual damages. They cannot be punitive.
  
  --Tim Smith
3. Re:What if? by Mr.+Protocol · 1999-08-03 01:37 · Score: 1
  
  Actually, I misspoke. Barry's idea was not to use liquidated damages, but to put in a steeply ascending schedule of charges for email: 1-100 recipients, free, 100-1,000 recipients, $10/message, 1,000-up, $1,000/message. Something like that. If they spam, it's a straightforward fee-collection strategy.
What ? by paradox0 · 1999-08-01 22:07 · Score: 1

Its great that the spammer got caught and sued, but since when does it cost $600 to reboot a crashed server caused by spam ?

I mean, come on.. I woulda done it for free.
1. Re:What ? by MoxCamel · 1999-08-01 22:33 · Score: 1
  
  It's more than just rebooting a server. It's responding to the multitude of complaints from spamees, the time spent tracking the spammer down, the administrative time spent filing court documents, and then documenting the whole event.
  
  Not to mention that if the fine for spamming were only, say $100, many spammers would happily pay that. Personally I think they got off light at $600.
2. Re:What ? by Anonymous Coward · 1999-08-01 22:36 · Score: 0
  
  You neglect to account for the time spent and associated costs of tracking down and repairing the holes in security used by the spammer. $600 is a very conservative number.
3. Re:What ? by Progman · 1999-08-01 22:51 · Score: 1
  
  >tracking down and repairing the holes in security used by the spammer
  
  What? Spammers create security holes? What have you been smoking?
  1- spammers don't create holes, they just spam, otherwise they're called crackers, hackers, script kiddies, black hats, etc...
  2- fixing security holes is the ISP's job, spam or no spam.
4. Re:What ? by lomion · 1999-08-02 03:33 · Score: 1
  
  $600 dollars can be a low estimate, when you consider time spent tracking the problem and repairing it. Plus any residual effects, lots accounts, having to get your isp unblocked from black hole lists, etc. $600.00 was getting off cheap imho.
  
  --
  this space for rent
as it is... by The_Jazzman · 1999-08-01 22:12 · Score: 1

Well I say that the spammers in question deserve everything that they got. It may be a fair bit of money for a relativly small task, but spam is the bane of my email... to the point that I have now started to get mail in spanish to my .co.uk address. Typical.

Hopefully more cases like this will appear and the fines will go up and up - it's the only way to make the spammers stop.

Here's waiting for the day when a cheque for £100,000 comes through for emotional distress... Spanish email really hurts, especially when you don't speak the lingo...
1. Re:as it is... by SEWilco · 1999-08-01 23:21 · Score: 2
  
  "Spanish email really hurts, especially when you don't speak the lingo..."
  I've gotten a few spams in Chinese. Romance languages I can handle, but I have no idea what "Remove" looks like in Chinese.
This is pertinent to the topic of spammers, how? by Anonymous Coward · 1999-08-01 22:45 · Score: 0

???
Yo, Bonehead - READ THE TEXT YOU QUOTED by Anonymous Coward · 1999-08-02 00:14 · Score: 0

>>tracking down and repairing the holes in security used by the spammer

>What? Spammers create security holes? What have you been smoking?

What is with your reading comprehension skills?

He never said that spammers CREATE security holes, he said that they
USE security holes...

Are you congenitally stupid, or have you just not finished grade three
yet?
1. Re:Yo, Bonehead - READ THE TEXT YOU QUOTED by Progman · 1999-08-02 00:57 · Score: 1
  
  Spammers use security holes? Even if they did, which they don't since it's so easy to find an open relay, those holes would have to be fixed anyway. Whoever creates, uses, whatever, security holes, doesn't matter. It's the admin's job to make sure they aren't there in the first place, and fix them when he finds out. I suppose you are grateful when someone "finds" a security hole for you.
2. Re:Yo, Bonehead - READ THE TEXT YOU QUOTED by lomion · 1999-08-02 03:39 · Score: 1
  
  Actually an open relay is a secuirty issue and can be called a security hole. That is assuming they went in through an open relay. There is also the practice of signing up with an isp..spamming and then dropping the account when the isp catches on.
  
  Also there is the issue of forging domains and having to deal with people not savvy enough to find the real culprit.
  
  Working for an ISP or as a sysadmin for a company the latter two are the wosrt and hardest to deal with since you cannot simply shut off their ability to do that until after the fact.
  
  --
  this space for rent
3. Re:Yo, Bonehead - READ THE TEXT YOU QUOTED by Windigo+The+Feral+(N · 1999-08-02 03:39 · Score: 3
  
  Progman said:
  Spammers use security holes? Even if they did, which they don't since it's so easy to find an open relay, those holes would have to be fixed anyway. Whoever creates, uses, whatever, security holes, doesn't matter. It's the admin's job to make sure they aren't there in the first place, and fix them when he finds out. I suppose you are grateful when someone "finds" a security hole for you.
  
  As someone who's been fighting the good fight against spam for some time ;), I can tell you that yes, indeed, spammers do exploit security holes. A rough list:
  Third-party relaying being turned on by default IS a security hole anymore, and spammers increasingly target sites that have poorly configured or ancient versions of sendmail or other "wide open" mail daemons. (Particularly bad ones in this regard are foreign servers in Asian or African countries (there's an increasing amount of spam being relayed through open servers in India and Pakistan and breakaway "formerly-Soviet" countries), unsecured standard IRIX sendmail, unsecured older Sun sendmails...don't even get me started on IBM mainframe mail daemons... :P)
  Some spammers increasingly target mail daemons with othervulnerabilities as well. Older versions of IRIX sendmail and unpatched versions of IBM VM SMTP (a mail daemon for IBM mainframes running VM/CMS or VM/EISA) in particular can be and have been abused by spammers to hide the true source of a spam by forging paths; both of these have two separate security flaws in that they are both wide open to third-party relaying AND they leave no identifying info (IP lookup, etc.) in the headers--in other words, they can be used as essentially anonymous sites for spamming, and the only way to find where the spammer is really from is to talk to the admin and have hir look through the logs. It's also fairly non-trivial to fix these, as IBM no longer supports VM SMTP (I spent a fun summer sending "unsupported" patches to sites running IBM mainframes that had been relay-raped... :P) and most IRIX boxen still running those old versions of sendmail aren't supported by SGI anymore.
  Spammers have, on occasion, been known to launch denial-of-service attacks against others, usually admins or anti-net.abuse activists who have reported on their behaviour. This is so common that it's now known as "joe-jobbing" (after joes.com, attacked by the "Herbalife serial spammer" after the spammer's web-page was yanked; the spammer forged a spam appearing to be from joes.com's admins and meant to get him mailbombed, and the resulting volume of mail was so heavy that it knocked both joes.com and its upstream site off the net). Spammers have also been known to "listserv-bomb" (taking advantages of security flaws in some list-servers that don't "ack" whether someone wants to be added to a list), abuse mail-2-news gateways to mailbomb someone (taking advantage of security flaws), abuse *.test autoresponders to mailbomb people, abuse the "sendsys" command in Usenet news to send mailbombs (sendsys bombs are nasty) and "Hipcrime" (use a Usenet script to send forged supercedes to a group) persons. Many of these attacks themselves abuse security flaws.
  Usenet spammers abuse open NNTP servers (servers available to posting by anyone; usually the admins don't intend for this to happen), mail-2-news servers, or sites known to have lax policies against net.abuse. Most spammers use the open NNTP route; it is precisely because of abuse of open NNTP servers and mail-2-news gateways that very few legitimate servers are still around.
  It's been reported as of late that spammers are taking advantage of a specific flaw in sendmail to defeat blocks against third-party relaying.
  There have been a very few confirmed reports of spammers who have actually compromised the machines of others to spam.
  This isn't a case of someone finding a security hole, changing a web-page to say something clever, and saying "OK, you got owned, here's how we did it". The spammer tends to use a security hole either to make it more difficult or impossible to be traced (to make it harder to tell the admin to spank the Bad Person and make him go away), to use a third party's machine without permission because they know that their home site will spank them (and you try telling an admin whose server has been relay-raped that they should be "grateful" that the spammer found the hole--especially if the poor guy is in Pakistan, and is using an ancient machine, and has to pay by the byte to the national telco, and his country doesn't HAVE that much bandwidth to begin with...), or to get back at someone who has caused them to be spanked. It's the same as a script-kiddie who got pissed off he got k-lined from an IRC server for excessive use of nuke scripts, and now he's gonna try to break into somewhere else so he can nuke folks for jollies or he's gonna try to crash the server that gave him the boot. No different, really.
  Also--just as an aside, and speaking from experience dealing with 'em--most serial spammers (those who get bounced from site to site, yet continue to spam and spam and spam--folks like Jeff Slaton, "Krazy" Kevin Lipsitz, and Sanford Wallace when they were actively spamming) are probably sociopaths of some sort. It takes it literally making it a) impossible for them to spam or b) costing them so much in time and money that it's no longer worth it to them to make them stop; they have no consideration for others outside of themselves. Sanford Wallace is an especially interesting case in this regard; he is the main party responsible for getting junk faxes banned in the US (he used to be one of the larger junk faxers in the US), kept spamming till he was almost literally run off the Internet and thrown in jail for contempt of court, and may well be one of the main parties responsible for spam being banned in many states. I'm not certain what is to be done with the main problem; hell, psychiatrists can't figure out how to cure sociopaths, and many psychiatrists think the only thing to be done for them is to lock them away so they can't hurt themselves or others. *shrug*
  
  --
  -Windigo The Feral (NYAR!)
4. Re:Yo, Bonehead - READ THE TEXT YOU QUOTED by Trepidity · 1999-08-02 11:26 · Score: 2
  
  A slightly off-topic comment on part of your comment:
  
  Perhaps the script kiddies have a point when they say "you should be glad we pointed out your security holes." After all, would you rather have a mostly harmless script kiddie point out the security hole to you (without actually doing anything other than changing your webpage, and often even backing up your original page for you) than have the security hole remain open and undetected for truly malicious people, such as spammers, to exploit?
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Compensation? by Zen · 1999-08-02 00:58 · Score: 1

What kind of compensation are we talking about here? I'm pretty sure the limit for small claims court in Illinois is $5000, but each state has its own limits set by law. I don't think the letter stated that they got the maximum award allowable by law, either. Probably, unless they got a very tech-savvy judge, they received quite a bit less than the maximum, whatever it may be in California. Still a definite win, but it may or may not actually end up costing the spammers $$ (they make $$ off the spam they send out, and chances are they made more than they were fined). Doesn't seem quite fair, does it?
thoughts on law and the internet by Sancho · 1999-08-02 00:59 · Score: 1

I always find it amusing how many people think that laws should prevent spamming yet the government shouldn't be able to regulate anything else on the Internet. You can't have it both ways people. Spam is annoying, but not nearly as annoying as say, loss of your rights to encryption.
1. Re:thoughts on law and the internet by Anonymous Coward · 1999-08-02 01:31 · Score: 2
  
  Yes, you can have it both ways. I do.
  Laws against the private use of encryption between two willing parties are bad. They infringe on my right to free speech and privacy.
  
  Laws against spam are good. They infringe on a spammer's ability (not right) to steal bandwidth and services from others without fair compensation. If you really want to send or receive spam, there are many opt-in bulk email services out there that will be happy to serve you (getting back to the "private use" and "willing parties" thing again).
  
  I don't see anything wrong with being in favor of not regulating voluntary, willing free speech, while having laws against theft.
2. Re:thoughts on law and the internet by Anonymous Coward · 1999-08-02 01:47 · Score: 0
  
  I want it both ways, and if enough people
  agree with me that's what we are going to get.
Announcing suespammers.org (sort of) by tgeller · 1999-08-02 01:36 · Score: 2

I hadn't planned to announce this for a while, and in fact won't do a real "public" announcement until I have a few things squared away. This is just for the slashdot.org community -- let's keep this under our hats, shall we?
Because the laws are only good if we use them, I've been working on a project to help ISPs and network administrators sue spammers using existing laws. The URL is (drum roll, please)... http://www.suespammers.org. Thanks to Paul Vixie of MAPS for hosting it.
If you'd like to get involved, sign up for the mailing list and/or write to me directly. I need state coordinators, commentators, tech support, legal advice... just about everything. Mum's the word...
--Tom

--
Tom Geller
Of course you do! by Anonymous Coward · 1999-08-02 04:29 · Score: 0

That's what most of the lawsuits have been about, receiving spam from outside. Take a look at all those AOL suits, in particular.
Yes, it is... by Anonymous Coward · 1999-08-02 04:38 · Score: 0

I'm *more* annoyed by people stealing from me (spammers forcing me to pay for their activities) than by the loss of an ability I never actually use.
Re: Yahoo privacy policy by bjorng · 1999-08-02 22:49 · Score: 1

I just read Yahoo's privacy policy and TOS, and they're pretty clear about not releasing your private information (including e-mail address) without your explicit permission. But on the flipside, their TOS has so much legalese that says they're immune from any kind of legal action, I think you'd have a hard time getting anything out of them even if they did violate their privacy policy.

In their defense, I have had an e-mail account on Yahoo for about two years, and I've never gotten a single spam. Now on dejanews, that's another story....

--

--
This is why I don't post much.