
Major Anti-Spam Lawsuit To Be Filed In VA

Rick Zeman sends us to the Washington Post, which is reporting that a John Doe lawsuit will be filed in US District Court today in spam-unfriendly Alexandria, Virginia. The suit will be filed by Project Honey Pot, which is having a week of big announcements. The suit seeks the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. From the Post: "The company is filing the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique 'spam trap' e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or 'honey pot' later receives junk e-mail."
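The spam-trap mechanism the Post describes, sketched as an added example (not Project Honey Pot's own software): each page view mints a unique, unguessable address tied to the visitor's IP and time, and spam later delivered to that address is attributed back to the visit. The domain, key, class and field names are assumptions for illustration, and the visits and messages are constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TRAP_DOMAIN = "traps.example.org"   # assumption: placeholder domain
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key would be secret and random


class TrapRegistry:
    """Mints one spam-trap address per page view and attributes later spam."""

    def __init__(self, key):
        self._key = key
        self._visits = {}  # local part -> (visitor_ip, visited_at)

    def _tag(self, nonce):
        return hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()[:16]

    def mint(self, visitor_ip, visited_at):
        # A 64-bit random nonce plus a keyed tag: addresses cannot be guessed,
        # so mail to a valid one implies it was harvested from the page.
        nonce = secrets.token_hex(8)
        local = nonce + self._tag(nonce)
        self._visits[local] = (visitor_ip, visited_at)
        return f"{local}@{TRAP_DOMAIN}"

    def attribute(self, rcpt_to, received_at):
        local, _, domain = rcpt_to.lower().partition("@")
        if domain != TRAP_DOMAIN or len(local) != 32:
            return None
        nonce, tag = local[:16], local[16:]
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return None  # guessed or forged address, not evidence of harvesting
        visit = self._visits.get(local)
        if visit is None:
            return None
        ip, visited_at = visit
        return {"harvester_ip": ip, "harvested_at": visited_at,
                "delay": received_at - visited_at}


def demo():
    reg = TrapRegistry(DEMO_KEY)
    t0 = datetime(2007, 4, 1, 12, 0, tzinfo=timezone.utc)
    first = reg.mint("192.0.2.10", t0)                          # constructed visit
    second = reg.mint("198.51.100.7", t0 + timedelta(minutes=5))
    spam = [(second, t0 + timedelta(days=3)),                   # constructed spam
            ("a" * 32 + "@" + TRAP_DOMAIN, t0 + timedelta(days=4))]
    return first, second, [reg.attribute(rcpt, ts) for rcpt, ts in spam]
```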
  • by pzs ( 857406 ) on Thursday April 26, 2007 @08:50AM (#18883161)
    Obviously this kind of litigation is a good step and to be encouraged, but it's interesting to imagine what would happen if nobody took action against spammers through the courts.

    Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of Email as the signal-to-noise ratio continues to degenerate? All of the above?

    Peter
  • by rbarreira ( 836272 ) on Thursday April 26, 2007 @09:04AM (#18883265) Homepage
    It is possible if you brute-force all the e-mail address space, and you don't really need to brute force it. Markov Chains and other techniques can help you reduce the number of possibilities to try.

    Let's hope this project thought about this issue (for example, by generating quite long AND random addresses); I would suppose so but haven't checked.
  • by rel4x ( 783238 ) on Thursday April 26, 2007 @09:45AM (#18883709)
    This is cool, but I doubt many big players still use web crawlers to find e-mails. Not with plentiful sources of hacked databases and co-registration e-mails available. Servers cost money, time to set up, and man hours to make sure they're up. Pushing low quality e-mails wouldn't be worth it, since the response rate of spam has lowered so much over time. Too many of the e-mails were posted years ago (and since died), are honeypots, or unverifiable e-mails (large domains like yahoo.com do not support the method spammers use to verify the existence of e-mail addresses).
  • by Dachannien ( 617929 ) on Thursday April 26, 2007 @10:21AM (#18884239)
    Scenario I: The e-mail harvesters are using their own crawlers. The IP addresses picked up by the honeynet lead directly to the e-mail harvesters, making it easier to make a case against them. No innocent third parties are involved.

    Scenario II: The e-mail harvesters are using botnets. The IP addresses lead to third-party zombie machines that were infected by malware pushed by the e-mail harvesters. The honeynet operators file the anti-spam lawsuit, settle with the actual spammers for reduced damages in exchange for the identities of the people they bought their e-mail lists from, and thereby uncover the botnet operators. The relevant police organization arrests the operators for violating their country's relevant computer trespass laws and prosecutes a criminal case against them. Large imprisoned cop-killing psychopath subsequently pounds them in the ass, and justice is served.

  • by itlurksbeneath ( 952654 ) on Thursday April 26, 2007 @11:15AM (#18885091) Journal
    MOD PARENT UP!

    Amen brother. In today's society of "ooh.. it's not my fault.." somebody needs to take the initiative to make the people responsible for the problem responsible and those people are the OWNERS of the pwned machines. Yes, Microsoft sucks. Yes, Microsoft has security problems. They do, however, release patches in a semi-reasonable time frame and people just DO NOT patch their machines like they should. Of course, there's kind of a "catch-22" with if your system is cut off from the network, how do you obtain patches... Still, that's a minor issue that could be managed with some network monitoring software and notifications like "hey - your system is infected and about to be disconnected unless you go apply all your patches and clean it up."

    However, if after everybody with a Windows box agrees to keep their systems up to date and apply all the patches, how would this scorched earth policy work? You'd be snipping off access to somebody that has been exercising due diligence to keep their machines current. At that point, I think it's safe to start pointing the gun at the maker of the operating system and make them accountable for the damage their sub-standard security is causing.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday April 26, 2007 @11:24AM (#18885253) Homepage Journal

    Maybe the solution to the botnet problem isn't to go after the botnet operators, but to go after the people who are leaving unpatched machines connected to the net? Or, perhaps more to the point, their ISPs?

    I think most of us would support a system that would, upon detection of an infection of your system, apply firewall rules to prevent you from doing anything other than viewing a webpage that says "Your ass is infected, call this number to find out how to get back on the internet." The problem is that it's not easy to detect all bot behavior. If I wget a website, am I a spider, a spambot looking for email addresses, or just a guy downloading some documentation?

  • True. However, there are some behaviors that ought to be immediately detectable -- sending out hundreds or thousands of nearly-identical emails, for instance, or DDoSing a server with repeated identical requests in patterns that are too fast to be a human being.

    But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.

    In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.

    I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).
  • The sound of money? (Score:3, Interesting)

    by John3 ( 85454 ) <john3NO@SPAMcornells.com> on Thursday April 26, 2007 @12:22PM (#18886349) Homepage Journal
    From the lawsuit mini-faq [projecthoneypot.org]:

    What happens to any money you win in the lawsuit?
            We're a long way from that, but we'd like to help out the people who have helped us. Obviously a large chunk would go to paying legal fees. Intriguingly, though, since we will know what Project Honey Pot members provided the data that ends up winning the case, maybe we'll be able to send them a little bonus. :-)


    I've been running a few of their honeypots for the past two years, so hopefully one of the spammers I "caught" will wind up paying a big time settlement. Sure, it's a pipe dream, but it's my pipe dream.
  • by robogun ( 466062 ) on Thursday April 26, 2007 @02:18PM (#18888331)
    Well, you're talking about removing their common carrier protection.

    You need to think long and hard if you actually want that to happen, because this is definitely one of those cases of "be careful what you wish for."

    Because a couple years from now you'll be in here bitching "My ISP won't let me use any p2p app, or telnet even ssh, or download exe files etc etc" just because someone *might* sue them.
