Slashdot Mirror


California ISP Sues Spammer and Wins

Kris Rallapalli sent us a press release that tells how his small ISP successfully sued a spammer in small claims court. Text from Kris's press release (minus some corporate hype) follows.

San Jose, CA, August 2, 1999 -- In one of the first cases of its kind, San Francisco Bay Area Internet service provider (ISP), Kepnet, took a spammer to court in order to recover damages and won. On July 29th, Los Gatos Small Claims Court awarded Kepnet $600 compensation plus court costs for damages caused by a spammer's unauthorized use of its network.

Kris Rallapalli, President of Kepnet, caught the spammer abusing his network by sending large quantities of unsolicited e-mail messages. By filing a suit in small claims court, Rallapalli took advantage of California Assembly Bill 1676, passed in the summer of 1998, which makes it easier for ISPs to collect damages from spammers.

"Our objective with the suit was simply to collect those damages that were tangible," Rallapalli said. "That is, the number of hours it took us to find the problem and minimize its adverse effect on the network. It didn't include potential harm to our reputation."

Until this new law took effect, ISPs had to bear the burden of costs associated with repairing network damage due to spammers, who send mass e-mail messages using an ISP's network facilities. This can cause jams and sometimes crash servers. The new law expands and clearly enumerates the list of prohibited advertising practices to include spamming, making such activity illegal and allowing significant punitive penalties.

"I hope that other ISPs in California will pursue this kind of action if they have spammers, too," Rallapalli said after the verdict. "Because now there is legal recourse they can take." Using small claims court expedited the process for Kepnet. "It was fast and inexpensive," added Rallapalli. "We didn't even need an attorney, and the judge's decision came back in just a few weeks."

4 of 53 comments

  1. Re:News? by Radnor · · Score: 3

    I don't see why not. News messages are propagated by an ISP's news servers, and end up on other news servers. The spammer is still misusing the ISP's hardware, albeit the recipient list is probably smaller. The Usenet "community" is pretty good about finding spam messages in the higher groups-- cancel bots handle a good portion, and rogue cancellers catch some others. Most of the times I find that a spam message has already been canceled by the time I get to click on it. This only works if your news server supports cancels, though.

    A side note: If you do find spam and don't want to decode all the headers yourself, take the message (headers included) and paste it into SpamCop. They generate the emails to the appropriate abuse addresses, and even send them out to you if you register (it's free; I use a decoy hotmail account to do my spam reporting).

    Only you can help prevent spam.

  2. Wanted: Private right of action by Tackhead · · Score: 4
    Yes, the CA antispam law is a good first step, as it allows ISPs to sue spammers.

    Problem is, most ISPs won't sue. ISPs are in the business of providing IP connectivity, not suing spammers. Small ISPs don't generally have the money to bring about such suits in the first place, and large ISPs don't have the time to launch a dozen suits against every day's load of new dialup spammers.

    What I want is something like the WA state law, which allows for a "private right of action" against the spammer. This allows the recipient of the spam, not the ISP, to sue. If the spammer doesn't show up in court to defend itself, a default judgement is entered against it, and the judgement can be sold off to a debt collection agency.

    (Yes, if you live in Washington, that next spam could be worth up to $500! MAKE MONEY FAST!)

    What's interesting about the WA state law is that most of the cases where people have collected $500 for being spammed haven't gone to court. Often, a demand letter in an amount less than $500 is all that's required, and the spammer, knowing it hasn't a hope in hell of winning in court, and wishing to avoid an encounter with the legal system, merely forks over the cash.

    OK, that's the theory. Now the practice. Here's a guy in Washington, who sues spammers for fun. He's collected $3,900 to date.

    If you live in Washington - go thou and do likewise.

  3. Re:One amusing thing in that article by Windigo+The+Feral+(N · · Score: 3

    Kavalier yammered:

    Yeah I guess you're right.. I'm not considering spamming, I'm just trying to view this from all directions.. however, if I have a good standing relationship with my provider and he with his provider, and me with his provider, which has a direct connection to a major backbone, nobody could stop me right? like say my best friend works for splitrock.. nobody would risk cutting off a whole backbone for a simple spammer so it wouldn't be pushed too far if my ISP ignores the requests. I'm just saying this because I've noticed a lot of spammers that I've been spammed with have their own mail server and had a direct connection to a major backbone provider and it's possible they had inside connections that would prevent them from getting disconnected. right?

    Not only could many ISPs blackhole an entire backbone to "get rid of a single spammer", entire backbones have historically been blackholed to get rid of spammers.

    Some examples I can think of off the top of my head:

    AGIS, a backbone which was given the "Internet Death Penalty" (had all Usenet posts shunned or cancelled, and many sites shunned all email and blocked all other connections, including web and FTP, to sites that got feeds through AGIS) due to their hosting of several major spam sites associated with the IEMMC (a now-defunct spammers' trade group) including sites associated with Nancynet and Sanford Wallace's spams. AGIS refused to remove IEMMC sites, even when confronted with info that IEMMC "remove" lists were actually being used to add folks to spam lists. It literally took a large portion of the sites on the Internet refusing to exchange ANY packets that went through AGIS's backbone before AGIS finally dropped Sanford Wallace and company like a hot potato.

    UUnet's dialups have been periodically blackholed by ISPs because of severe problems with net.abuse (including spam) from the dialups and UUnet being slow to provide tracing info. It took the real threat of possibly the largest backbone's dialups being left to talk to the ether bunnies for UUnet to shape up.

    While not backbones, national-level ISPs and servers have been blackholed for reasons of spam and/or net.abuse. (Among a short list: AOL, Netcom (has been IDP'd at least twice), Earthlink (in association with Scientology-related net.abuse), Zippo (pay news service; was unblocked after strong AUP enforced), Altopia (blackholed due to "Hipcrime" related net.abuse and refusal of admin to investigate), Demon Internet (open NNTP servers), etc.) In fact, there is serious talk of blackholing an entire name domain registry due to spam (Network Solutions, aka InterNIC).

    An increasing number of sites--largely because it's been shown that People Just Plain Don't Like Spam and because spam does consume a gawdawful amount of system resources (I've done a rough essay on the subject)--are joining blackholing mechanisms. Spam-cancels and UDPs were the first of these; a later incarnation is the famous Blacklist of Internet Advertisers, then NoCeM was developed to replace spam cancellation (as well as provide for global killfiles for end-users) and now blackholing mechanisms such as the Realtime Blackhole List; the RBL is now explicitly supported by most modern mail daemons, including sendmail.

    In other words...don't assume that people won't blackhole an entire backbone if the backbone won't whack people who are using it to spam. Some folks will. They've done it before, they'll do it again, and it is literally easier than ever to leave a spamaceous site--backbone or no--talking to itself and the ether bunnies. This way of dealing with Bad Folks is as old as the Amish and it's not gonna go away anytime soon. >;)=

    --
    -Windigo The Feral (NYAR!)
  4. Re:Yo, Bonehead - READ THE TEXT YOU QUOTED by Windigo+The+Feral+(N · · Score: 3

    Progman said:

    Spammers use security holes? Even if they did, which they don't since it's so easy to find an open relay, those holes would have to be fixed anyway. Whoever creates, uses, whatever, security holes, doesn't matter. It's the admin's job to make sure they aren't there in the first place, and fix them when he finds out. I suppose you are grateful when someone "finds" a security hole for you.

    As someone who's been fighting the good fight against spam for some time ;), I can tell you that yes, indeed, spammers do exploit security holes. A rough list:

    Third-party relaying being turned on by default IS a security hole anymore, and spammers increasingly target sites that have poorly configured or ancient versions of sendmail or other "wide open" mail daemons. (Particularly bad ones in this regard are foreign servers in Asian or African countries (there's an increasing amount of spam being relayed through open servers in India and Pakistan and breakaway "formerly-Soviet" countries), unsecured standard IRIX sendmail, unsecured older Sun sendmails...don't even get me started on IBM mainframe mail daemons... :P)

    Some spammers increasingly target mail daemons with other vulnerabilities as well. Older versions of IRIX sendmail and unpatched versions of IBM VM SMTP (a mail daemon for IBM mainframes running VM/CMS or VM/EISA) in particular can be and have been abused by spammers to hide the true source of a spam by forging paths; both of these have two separate security flaws in that they are both wide open to third-party relaying AND they leave no identifying info (IP lookup, etc.) in the headers--in other words, they can be used as essentially anonymous sites for spamming, and the only way to find where the spammer is really from is to talk to the admin and have hir look through the logs. It's also fairly non-trivial to fix these, as IBM no longer supports VM SMTP (I spent a fun summer sending "unsupported" patches to sites running IBM mainframes that had been relay-raped... :P) and most IRIX boxen still running those old versions of sendmail aren't supported by SGI anymore.

    Spammers have, on occasion, been known to launch denial-of-service attacks against others, usually admins or anti-net.abuse activists who have reported on their behaviour. This is so common that it's now known as "joe-jobbing" (after joes.com, attacked by the "Herbalife serial spammer" after the spammer's web-page was yanked; the spammer forged a spam appearing to be from joes.com's admins and meant to get him mailbombed, and the resulting volume of mail was so heavy that it knocked both joes.com and its upstream site off the net). Spammers have also been known to "listserv-bomb" (taking advantage of security flaws in some list-servers that don't "ack" whether someone wants to be added to a list), abuse mail-2-news gateways to mailbomb someone (taking advantage of security flaws), abuse *.test autoresponders to mailbomb people, abuse the "sendsys" command in Usenet news to send mailbombs (sendsys bombs are nasty) and "Hipcrime" (use a Usenet script to send forged supersedes to a group) persons. Many of these attacks themselves abuse security flaws.

    Usenet spammers abuse open NNTP servers (servers available to posting by anyone; usually the admins don't intend for this to happen), mail-2-news servers, or sites known to have lax policies against net.abuse. Most spammers use the open NNTP route; it is precisely because of abuse of open NNTP servers and mail-2-news gateways that very few legitimate servers are still around.

    It's been reported as of late that spammers are taking advantage of a specific flaw in sendmail to defeat blocks against third-party relaying.

    There have been a very few confirmed reports of spammers who have actually compromised the machines of others to spam.

    This isn't a case of someone finding a security hole, changing a web-page to say something clever, and saying "OK, you got owned, here's how we did it". The spammer tends to use a security hole either to make it more difficult or impossible to be traced (to make it harder to tell the admin to spank the Bad Person and make him go away), to use a third party's machine without permission because they know that their home site will spank them (and you try telling an admin whose server has been relay-raped that they should be "grateful" that the spammer found the hole--especially if the poor guy is in Pakistan, and is using an ancient machine, and has to pay by the byte to the national telco, and his country doesn't HAVE that much bandwidth to begin with...), or to get back at someone who has caused them to be spanked. It's the same as a script-kiddie who got pissed off he got k-lined from an IRC server for excessive use of nuke scripts, and now he's gonna try to break into somewhere else so he can nuke folks for jollies or he's gonna try to crash the server that gave him the boot. No different, really.

    Also--just as an aside, and speaking from experience dealing with 'em--most serial spammers (those who get bounced from site to site, yet continue to spam and spam and spam--folks like Jeff Slaton, "Krazy" Kevin Lipsitz, and Sanford Wallace when they were actively spamming) are probably sociopaths of some sort. It takes it literally making it a) impossible for them to spam or b) costing them so much in time and money that it's no longer worth it to them to make them stop; they have no consideration for others outside of themselves. Sanford Wallace is an especially interesting case in this regard; he is the main party responsible for getting junk faxes banned in the US (he used to be one of the larger junk faxers in the US), kept spamming till he was almost literally run off the Internet and thrown in jail for contempt of court, and may well be one of the main parties responsible for spam being banned in many states. I'm not certain what is to be done with the main problem; hell, psychiatrists can't figure out how to cure sociopaths, and many psychiatrists think the only thing to be done for them is to lock them away so they can't hurt themselves or others. *shrug*

    --
    -Windigo The Feral (NYAR!)
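
Added example (not part of the thread and not any poster's or project's code): a sketch of the receiving-side checks the comments above describe, namely refusing third-party relay, recording the connecting IP in the trace header, and forming the lookup name for an RBL-style DNS blocklist. The domains, networks, zone name and function names are assumptions made up for the example; refusing source-routed recipients is general hardening, not a fix for any specific flaw named above.

```python
import ipaddress
from email.utils import formatdate

# Assumed policy values for this example (not from the page).
LOCAL_DOMAINS = {"example.net"}                         # domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own customers
DNSBL_ZONE = "dnsbl.example.org"                        # placeholder blocklist zone


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Name a mail daemon looks up to ask a DNS blocklist about an IPv4 peer.

    The octets are reversed and prefixed to the list's zone; an A record in
    the answer means "listed", NXDOMAIN means "not listed".
    """
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def relay_decision(client_ip, rcpt_to):
    """Return (smtp_code, reason) for one RCPT TO from a connected client."""
    ip = ipaddress.ip_address(client_ip)
    local, sep, domain = rcpt_to.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return 501, "malformed recipient"
    # Refuse source-routed forms (user%other@us, host!user) instead of
    # rewriting them and forwarding the message onward.
    if any(c in local for c in "%!@"):
        return 550, "source-routed address refused"
    if domain.lower().rstrip(".") in LOCAL_DOMAINS:
        return 250, "local delivery"
    if any(ip in net for net in TRUSTED_NETS):
        return 250, "relay for trusted client"
    # Neither the sender's network nor the recipient's domain is ours.
    return 550, "relaying denied"


def received_header(client_ip, helo, our_host="mx.example.net"):
    """Trace header that records the peer's real IP, not just its HELO claim."""
    return "Received: from %s ([%s]) by %s; %s" % (
        helo, ipaddress.ip_address(client_ip), our_host, formatdate())
```
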