Major Anti-Spam Lawsuit To Be Filed In VA 77
Rick Zeman sends
us to the Washington Post, which is reporting that a John Doe lawsuit
will be filed in US District Court today in spam-unfriendly Alexandria,
Virginia. The suit will be filed by Project Honey Pot, which is having
a week of big
announcements. The suit seeks the identity of individuals
responsible for harvesting millions of e-mail addresses on behalf of
spammers. From the Post: "The company is filing the suit on behalf of
some 20,000 people who use its anti-spam tool. Web site owners use the
project's free software to generate pages that feature unique 'spam
trap' e-mail addresses each time those pages are visited. The software
then records the Internet address of the visitor and the date and time
of the visit. Because those addresses are never used to sign up for
e-mail lists, the software can help investigators draw connections
between harvesters and spammers if an address generated by a spam trap
or 'honey pot' later receives junk e-mail."
What would the natural response be? (Score:5, Interesting)
Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of Email as the signal-to-noise ratio continues to degenerate? All of the above?
Peter
Guided search of all the address space (Score:3, Interesting)
Let's hope this project thought about this issue (for example, by generating quite long AND random addresses), I would suppose so but haven't checked.
Probably no major players. (Score:3, Interesting)
Re:RIAA tactics to catch spammers? (Score:3, Interesting)
Scenario II: The e-mail harvesters are using botnets. The IP addresses lead to third-party zombie machines that were infected by malware pushed by the e-mail harvesters. The honeynet operators file the anti-spam lawsuit, settle with the actual spammers for reduced damages in exchange for the identities of the people they bought their e-mail lists from, and thereby uncover the botnet operators. The relevant police organization arrests the operators for violating their country's relevant computer trespass laws and prosecutes a criminal case against them. Large imprisoned cop-killing psychopath subsequently pounds them in the ass, and justice is served.
Re:Maybe that's the solution. (Score:3, Interesting)
Amen brother. In today's society of "ooh.. it's not my fault.." somebody needs to take the initiative to make the people responsible for the problem responsible and those people are the OWNERS of the pwned machines. Yes, Microsoft sucks. Yes, Microsoft has security problems. They do, however, release patches in a semi-reasonable time frame and people just DO NOT patch their machines like they should. Of course, there's kind of a "catch-22" with if you'r system is cut off from the network, how do you obtain patches... Still, that's a minor issue that could be managed with some network monitoring software and notifications like "hey - your system is infected and about to be disconnected unless you go apply all your patches and clean it up."
However, if after everybody with a Windows box agrees to keep their systems up to date and apply all the patches, how would this scorched earth policy work? You'd be snipping off access to somebody that has been exercising due diligence to keep their machines current. At that point, I think it's safe to start pointing the gun at the maker of the operating system and make them accountable for the damage their sub-standard security is causing.
Re:Maybe that's the solution. (Score:3, Interesting)
I think most of us would support a system that would, upon detection of an infection of your system, apply firewall rules to prevent you from doing anything other than viewing a webpage that says "Your ass is infected, call this number to find out how to get back on the internet." The problem is that it's not easy to detect all bot behavior. If I wget a website, am I a spider, a spambot looking for email addresses, or just a guy downloading some documentation?
Technological solutions solve part of it. (Score:4, Interesting)
But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.
In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.
I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).
The sound of money? (Score:3, Interesting)
What happens to any money you win in the lawsuit?
We're a long way from that, but we'd like to help out the people who have helped us. Obviously a large chunk would go to paying legal fees. Intriguingly, though, since we will know what Project Honey Pot members provided the data that ends up winning the case, maybe we'll be able to send them a little bonus.
I've been running a few of their honeypots for the past two years, so hopefully one of the spammers I "caught" will wind up paying a big time settlement. Sure, it's a pipe dream, but it's my pipe dream.
Re:Maybe that's the solution. (Score:3, Interesting)
You need to think long and hard if you actually want that to happen, because this is definitely one of those cases of "be careful what you wish for."
Because a couple years from now you'll be in here bitching "My ISP won't let me use any p2p app, or telnet even ssh, or download exe files etc etc" just because someone *might* sue them.