California ISP Sues Spammer and Wins
San Jose, CA, August 2, 1999 -- In one of the first cases of its kind, San Francisco Bay Area Internet service provider (ISP), Kepnet, took a spammer to court in order to recover damages and won. On July 29th, Los Gatos Small Claims Court awarded Kepnet $600 compensation plus court costs for damages caused by a spammer's unauthorized use of its network.
Kris Rallapalli, President of Kepnet, caught the spammer abusing his network by sending large quantities of unsolicited e-mail messages. By filing a suit in small claims court, Rallapalli took advantage of California Assembly Bill 1676, passed in the summer of 1998, which makes it easier for ISPs to collect damages from spammers.
"Our objective with the suit was simply to collect those damages that were tangible," Rallapalli said. "That is, the number of hours it took us to find the problem and minimize its adverse effect on the network. It didn't include potential harm to our reputation."
Until this new law took effect, ISPs had to bear the burden of costs associated with repairing network damage due to spammers, who send mass e-mail messages using an ISP's network facilities. This can cause jams and sometimes crash servers. The new law expands and clearly enumerates the list of prohibited advertising practices to include spamming, making such activity illegal and allowing significant punitive penalties.
"I hope that other ISPs in California will pursue this kind of action if they have spammers, too," Rallapalli said after the verdict. "Because now there is legal recourse they can take." Using small claims court expedited the process for Kepnet. "It was fast and inexpensive," added Rallapalli. "We didn't even need an attorney, and the judge's decision came back in just a few weeks."
Regards,
Terrorists can attack freedom, but only Congress can destroy it.
Could they get this to work with newsgroups and servers as well, now that there is *some* precedent?
Hoping that other ISPs will follow suit IF they have spammers?
Seems to me that any ISP which doesn't have some sort of substantial and followed-up-on policy to discourage spammers (and some that do) is going to have spammers sending from their service from time to time.
"Somebody exploded a letter-bomb today
It's interesting to note that the press release mentions 'unauthorized access' - what do they mean by this?
:(
Have they recovered damages against someone who spammed their customers, with the resultant increased mail server / network load? This would be a nice precedent.
If it's one of their own customers, there should be harsh fines specified in their AUP / TOS, which it should be simple to collect. Again, nice if this is actually being enforced.
If it's someone outside of their network relaying off of them, it should probably not have happened in the first place. There's very little in the way of excuses for running an open mail relay any more - the only way to get around a sensibly configured mail server I can think of is IP spoofing, which is a) beyond most spammers and b) blockable at your border routers. If it's this one, I hope they've fixed the problem as well as collecting the damages.
"Unauthorized access" tends to suggest the last option to me
Regards,
Tim.
Well, may this be a path breaking case (and well needed) that came out of California? I hate to complain, but it's nice to see a liberal bill for once put to good use. As many BS laws and bills are passed here, finally one that kinda gives a CA Resident a good feeling (unless that resident be the spammer). :)
--------------------------- Jason Parker (aka kornyone)
The ISP I work for did this too a while back, the first of its kind in Canada, I believe. Here's the release they sent out:
I.D. Internet Direct. Ltd. successful in suit against junk emailer
April 1, 1999, Toronto - In the first successful lawsuit of its kind in Canada, independent Internet service provider (ISP) I.D. Internet Direct Ltd. today announced that the court has ruled in its favour in its recent application for an injunction against junk emailer Cory Altelaar. The ruling grants I.D. Internet Direct. Ltd. an injunction preventing Cory Altelaar from delivering junk email through its systems and awards the ISP a reimbursement of its legal costs.
"This is a ground-breaking ruling in the struggle against junk email in Canada," says John Nemanic, President of I.D. Internet Direct. Ltd. "If Mr. Altelaar violates the court order and attempts to use our services for junk email again, he'll be looking at some serious charges."
Nemanic says that his company received several calls and emails of support from other ISPs who were similarly abused by junk emailers (also known as "spammers"). "We want to thank our lawyer, Andrew Lundy of Brunner and Lundy, for his fine work in this case," says Nemanic. "This ruling sends junk emailers a serious message: this activity is not legally acceptable in Canada. You can try to hide, but you will be caught and risk prosecution if you abuse the Internet."
Jeff Higgins
www.hal9000.cc
- el jefe -
www.hal9000.cc
Exactly. If you intentionally run an open relay, you are implicitly authorizing access to everyone.
Also true. I doubt this ISP was intentionally running an open relay. They probably got hit with the quoting exploit that's in a lot of pre-8.9 sendmails (or could be any number of other sendmail exploits). ORBS has a good list of them.
This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
I'm not worried about ISPs who sue spammers for abusing their networks...I'm worried about ISPs who take cash up front from spammers...kind of like the USPS does from Ed Whathisface. You know it's coming, and you don't get to sue for GETTING spam, do you?
Problem is, most ISPs won't sue. ISPs are in the business of providing IP connectivity, not suing spammers. Small ISPs don't generally have the money to bring about such suits in the first place, and large ISPs don't have the time to launch a dozen suits against every day's load of new dialup spammers.
What I want is something like the WA state law, which allows for a "private right of action" against the spammer. This allows the recipient of the spam, not the ISP, to sue. If the spammer doesn't show up in court to defend itself, a default judgement is entered against it, and the judgement can be sold off to a debt collection agency.
(Yes, if you live in Washington, that next spam could be worth up to $500! MAKE MONEY FAST!)
What's interesting about the WA state law is that most of the cases where people have collected $500 for being spammed haven't gone to court. Often, a demand letter in an amount less than $500 is all that's required, and the spammer, knowing it hasn't a hope in hell of winning in court, and wishing to avoid an encounter with the legal system, merely forks over the cash.
OK, that's the theory. Now the practice. Here's a guy in Washington, who sues spammers for fun. He's collected $3,900 to date.
If you live in Washington - go thou and do likewise.
Suppose you wrote an AUP that said that if you spam from your account on this hypothetical ISP, you would owe liquidated damages in the amount of $500K per incident, or $50 per message, whichever is *greater*?
Anyone have an idea on the enforceability of such a provision, or how to word it so that it was iron-clad?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It's great that the spammer got caught and sued, but since when does it cost $600 to reboot a crashed server caused by spam?
I mean, come on.. I woulda done it for free.
Well I say that the spammers in question deserve everything that they got. It may be a fair bit of money for a relatively small task, but spam is the bane of my email... to the point that I have now started to get mail in Spanish to my .co.uk address. Typical.
Hopefully more cases like this will appear and the fines will go up and up - it's the only way to make the spammers stop.
Here's waiting for the day when a cheque for £100,000 comes through for emotional distress... Spanish email really hurts, especially when you don't speak the lingo...
Spammers use security holes? Even if they did, which they don't since it's so easy to find an open relay, those holes would have to be fixed anyway. Whoever creates, uses, whatever, security holes, doesn't matter. It's the admin's job to make sure they aren't there in the first place, and fix them when he finds out. I suppose you are grateful when someone "finds" a security hole for you.
What kind of compensation are we talking about here? I'm pretty sure the limit for small claims court in Illinois is $5000, but each state has its own limits set by law. I don't think the letter stated that they got the maximum award allowable by law, either. Probably, unless they got a very tech-savvy judge, they received quite a bit less than the maximum, whatever it may be in California. Still a definite win, but it may or may not actually end up costing the spammers $$ (they make $$ off the spam they send out, and chances are they made more than they were fined). Doesn't seem quite fair, does it?
I always find it amusing how many people think that laws should prevent spamming yet the government shouldn't be able to regulate anything else on the Internet. You can't have it both ways people. Spam is annoying, but not nearly as annoying as say, loss of your rights to encryption.
Because the laws are only good if we use them, I've been working on a project to help ISPs and network administrators sue spammers using existing laws. The URL is (drum roll, please)... http://www.suespammers.org. Thanks to Paul Vixie of MAPS for hosting it.
If you'd like to get involved, sign up for the mailing list and/or write to me directly. I need state coordinators, commentators, tech support, legal advice... just about everything. Mum's the word...
--Tom
Tom Geller
Actually an open relay is a security issue and can be called a security hole. That is assuming they went in through an open relay. There is also the practice of signing up with an ISP... spamming and then dropping the account when the ISP catches on.
Also there is the issue of forging domains and having to deal with people not savvy enough to find the real culprit.
Working for an ISP or as a sysadmin for a company, the latter two are the worst and hardest to deal with since you cannot simply shut off their ability to do that until after the fact.
this space for rent
Progman said:
As someone who's been fighting the good fight against spam for some time ;), I can tell you that yes, indeed, spammers do exploit security holes. A rough list:
Third-party relaying being turned on by default IS a security hole anymore, and spammers increasingly target sites that have poorly configured or ancient versions of sendmail or other "wide open" mail daemons. (Particularly bad ones in this regard are foreign servers in Asian or African countries (there's an increasing amount of spam being relayed through open servers in India and Pakistan and breakaway "formerly-Soviet" countries), unsecured standard IRIX sendmail, unsecured older Sun sendmails...don't even get me started on IBM mainframe mail daemons... :P)
Some spammers increasingly target mail daemons with other vulnerabilities as well. Older versions of IRIX sendmail and unpatched versions of IBM VM SMTP (a mail daemon for IBM mainframes running VM/CMS or VM/EISA) in particular can be and have been abused by spammers to hide the true source of a spam by forging paths; both of these have two separate security flaws in that they are both wide open to third-party relaying AND they leave no identifying info (IP lookup, etc.) in the headers--in other words, they can be used as essentially anonymous sites for spamming, and the only way to find where the spammer is really from is to talk to the admin and have hir look through the logs. It's also fairly non-trivial to fix these, as IBM no longer supports VM SMTP (I spent a fun summer sending "unsupported" patches to sites running IBM mainframes that had been relay-raped... :P) and most IRIX boxen still running those old versions of sendmail aren't supported by SGI anymore.
Spammers have, on occasion, been known to launch denial-of-service attacks against others, usually admins or anti-net.abuse activists who have reported on their behaviour. This is so common that it's now known as "joe-jobbing" (after joes.com, attacked by the "Herbalife serial spammer" after the spammer's web-page was yanked; the spammer forged a spam appearing to be from joes.com's admins and meant to get him mailbombed, and the resulting volume of mail was so heavy that it knocked both joes.com and its upstream site off the net). Spammers have also been known to "listserv-bomb" (taking advantage of security flaws in some list-servers that don't "ack" whether someone wants to be added to a list), abuse mail-2-news gateways to mailbomb someone (taking advantage of security flaws), abuse *.test autoresponders to mailbomb people, abuse the "sendsys" command in Usenet news to send mailbombs (sendsys bombs are nasty) and "Hipcrime" (use a Usenet script to send forged supersedes to a group) persons. Many of these attacks themselves abuse security flaws.
Usenet spammers abuse open NNTP servers (servers available to posting by anyone; usually the admins don't intend for this to happen), mail-2-news servers, or sites known to have lax policies against net.abuse. Most spammers use the open NNTP route; it is precisely because of abuse of open NNTP servers and mail-2-news gateways that very few legitimate servers are still around.
It's been reported as of late that spammers are taking advantage of a specific flaw in sendmail to defeat blocks against third-party relaying.
There have been a very few confirmed reports of spammers who have actually compromised the machines of others to spam.
This isn't a case of someone finding a security hole, changing a web-page to say something clever, and saying "OK, you got owned, here's how we did it". The spammer tends to use a security hole either to make it more difficult or impossible to be traced (to make it harder to tell the admin to spank the Bad Person and make him go away), to use a third party's machine without permission because they know that their home site will spank them (and you try telling an admin whose server has been relay-raped that they should be "grateful" that the spammer found the hole--especially if the poor guy is in Pakistan, and is using an ancient machine, and has to pay by the byte to the national telco, and his country doesn't HAVE that much bandwidth to begin with...), or to get back at someone who has caused them to be spanked. It's the same as a script-kiddie who got pissed off he got k-lined from an IRC server for excessive use of nuke scripts, and now he's gonna try to break into somewhere else so he can nuke folks for jollies or he's gonna try to crash the server that gave him the boot. No different, really.
Also--just as an aside, and speaking from experience dealing with 'em--most serial spammers (those who get bounced from site to site, yet continue to spam and spam and spam--folks like Jeff Slaton, "Krazy" Kevin Lipsitz, and Sanford Wallace when they were actively spamming) are probably sociopaths of some sort. It takes it literally making it a) impossible for them to spam or b) costing them so much in time and money that it's no longer worth it to them to make them stop; they have no consideration for others outside of themselves. Sanford Wallace is an especially interesting case in this regard; he is the main party responsible for getting junk faxes banned in the US (he used to be one of the larger junk faxers in the US), kept spamming till he was almost literally run off the Internet and thrown in jail for contempt of court, and may well be one of the main parties responsible for spam being banned in many states. I'm not certain what is to be done with the main problem; hell, psychiatrists can't figure out how to cure sociopaths, and many psychiatrists think the only thing to be done for them is to lock them away so they can't hurt themselves or others. *shrug*
-Windigo The Feral (NYAR!)
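An added example, not part of the thread and not any mail server's own code: the relay rule a "sensibly configured" server applies to third-party relaying, as raised in the open-relay comment earlier and in the list above. The domain, networks and sample recipients are constructed, and the embedded-route check is a deliberately conservative generalization that goes beyond what the thread spells out.

```python
import ipaddress

# Assumed site configuration (hypothetical values, constructed for this example).
LOCAL_DOMAINS = {"example-isp.test"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the ISP's own customers

def split_recipient(rcpt):
    """Return (local_part, domain) of an RCPT TO address, or None if malformed."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")   # split on the LAST '@'
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return None
    return local, domain

def has_embedded_route(local):
    """True if the local part names a further hop (percent form, bang path,
    source route, nested or quoted address) that a domain-only check misses."""
    return any(ch in local for ch in "%!@:")

def relay_decision(client_ip, rcpt):
    """Return 'deliver', 'relay' or 'reject' for one RCPT TO from one client."""
    parsed = split_recipient(rcpt)
    if parsed is None:
        return "reject"
    local, domain = parsed
    # Trust by source address only holds if the border routers drop packets
    # that arrive from outside claiming an inside address.
    ip = ipaddress.ip_address(client_ip)
    trusted = any(ip in net for net in TRUSTED_NETS)
    if domain in LOCAL_DOMAINS:
        # Final delivery is accepted from anywhere, unless the local part
        # asks this server to pass the message on to another host.
        return "reject" if has_embedded_route(local) else "deliver"
    # Recipient lives elsewhere: only the ISP's own clients may relay.
    return "relay" if trusted else "reject"

SAMPLE = [  # constructed (client IP, RCPT TO) pairs
    ("192.0.2.10", "<friend@elsewhere.test>"),
    ("203.0.113.5", "<user@example-isp.test>"),
    ("203.0.113.5", "<victim@elsewhere.test>"),
    ("203.0.113.5", "<victim%elsewhere.test@example-isp.test>"),
    ("203.0.113.5", '<"victim@elsewhere.test"@example-isp.test>'),
    ("203.0.113.5", "<elsewhere.test!victim@example-isp.test>"),
]

def audit(sample=SAMPLE):
    return [relay_decision(ip, rcpt) for ip, rcpt in sample]

if __name__ == "__main__":
    for (ip, rcpt), verdict in zip(SAMPLE, audit()):
        print(f"{ip:<13} {rcpt:<45} {verdict}")
```

Checking only the domain after the last `@` would accept the last three sample recipients as local mail; the embedded-route test is what rejects them.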
A slightly off-topic comment on part of your comment:
Perhaps the script kiddies have a point when they say "you should be glad we pointed out your security holes." After all, would you rather have a mostly harmless script kiddie point out the security hole to you (without actually doing anything other than changing your webpage, and often even backing up your original page for you) than have the security hole remain open and undetected for truly malicious people, such as spammers, to exploit?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I just read Yahoo's privacy policy and TOS, and they're pretty clear about not releasing your private information (including e-mail address) without your explicit permission. But on the flipside, their TOS has so much legalese that says they're immune from any kind of legal action, I think you'd have a hard time getting anything out of them even if they did violate their privacy policy.
In their defense, I have had an e-mail account on Yahoo for about two years, and I've never gotten a single spam. Now on dejanews, that's another story....
--
This is why I don't post much.