Major Anti-Spam Lawsuit To Be Filed In VA
Rick Zeman sends us to the Washington Post, which is reporting that a John Doe lawsuit will be filed in US District Court today in spam-unfriendly Alexandria, Virginia. The suit will be filed by Project Honey Pot, which is having a week of big announcements. The suit seeks the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. From the Post: "The company is filing the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique 'spam trap' e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or 'honey pot' later receives junk e-mail."
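A sketch of the spam-trap mechanism the quoted article describes, as an added example (not Project Honey Pot's code): one address is issued per page view, the visitor's IP and time are recorded, and a later message to that address is mapped back to the harvesting visit. The class name, key, domain and IP addresses are constructed for illustration, and the keyed tag that rejects guessed addresses is an assumption that goes beyond the article's description.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

class TrapRegistry:
    """Issues one trap address per page view and maps later spam back to that view."""

    def __init__(self, key: bytes, domain: str):
        self.key = key
        self.domain = domain
        self.visits = {}  # nonce -> (visitor_ip, visit_time)

    def _tag(self, nonce: str) -> str:
        # Keyed tag: only the trap operator can mint a valid local part.
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, visitor_ip: str, when: datetime) -> str:
        nonce = secrets.token_hex(8)  # 64 random bits, unique per page view
        self.visits[nonce] = (visitor_ip, when)
        return f"{nonce}{self._tag(nonce)}@{self.domain}"

    def attribute(self, rcpt: str, sender_ip: str, received: datetime):
        local, _, domain = rcpt.lower().partition("@")
        nonce, tag = local[:16], local[16:]
        valid = hmac.compare_digest(tag.encode(), self._tag(nonce).encode())
        if domain != self.domain or not valid or nonce not in self.visits:
            return None  # guessed or mangled address: not evidence of harvesting
        harvester_ip, harvested = self.visits[nonce]
        return {
            "harvester_ip": harvester_ip,   # who fetched the page
            "harvested_at": harvested,
            "sender_ip": sender_ip,         # who later delivered the junk mail
            "days_to_first_spam": (received - harvested).days,
        }

def demo():
    # Constructed sample data: documentation IP ranges and made-up dates.
    reg = TrapRegistry(b"constructed-demo-key", "trap.example")
    t0 = datetime(2007, 4, 1, 12, 0, tzinfo=timezone.utc)
    addr = reg.issue("203.0.113.7", t0)
    t1 = datetime(2007, 4, 19, 8, 30, tzinfo=timezone.utc)
    hit = reg.attribute(addr, "198.51.100.22", t1)
    guessed = "aaaaaaaaaaaaaaaa0000000000000000@trap.example"
    miss = reg.attribute(guessed, "198.51.100.22", t1)
    return addr, hit, miss

if __name__ == "__main__":
    print(demo())
```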
RIAA tactics to catch spammers? (Score:3, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Maybe that's the solution. (Score:5, Insightful)
I understand this wouldn't be an exactly popular solution -- it's sort of the equivalent of a "scorched earth" tactic towards spammers -- but what if you implemented strict liability on all computers under your control? You get rootkitted or botnetted, sorry pal, it's your problem. Don't want to deal with it? Keep your machines up-to-date or keep them unplugged.
Unpatched machines that are connected to the internet are a public nuisance, in the same way that an abandoned house in an otherwise good neighborhood is. It's nearly impossible, and probably a losing battle, to try and go after the individual criminals who are using the abandoned house for nefarious purposes (which isn't to say that we shouldn't try); sometimes the best solution is just to go after the person who owns the house and make them either fix it or raze it.
A compromise, which would avoid true strict liability, would be making it a positive defense that you took reasonable steps to secure a system; i.e. it was kept up-to-date with the latest vendor patches and was behind a firewall. But if you can't take those reasonable steps, or are too incompetent/lazy/ignorant to do it, maybe you shouldn't be on the net at all.
Re: (Score:3, Interesting)
Amen brother. In today's society of "ooh.. it's not my fault.." somebody needs to take the initiative to make the people responsible for the problem responsible and those people are the OWNERS of the pwned machines. Yes, Microsoft sucks. Yes, Microsoft has security problems. They do, however, release patches in a semi-reasonable time frame and people just DO NOT patch their machines like they should. Of course, there's kind of a "catch-22" with if your system is cut off from the net
Re: (Score:3, Interesting)
I think most of us would support a system that would, upon detection of an infection of your system, apply firewall rules to prevent you from doing anything other than viewing a webpage that says "Your ass is infected, call this number to find out how to get back on the internet." The problem is that it
Technological solutions solve part of it. (Score:4, Interesting)
But you're right; technological solutions would probably only further the cat-and-mouse game between bot authors and the authorities; it would probably be fairly easy to write a DDoS bot that mimicked human browsing -- it wouldn't be as effective as sending out a few thousand requests per second, but if you had enough bots you could melt a server in the same way that a large number of bona fide humans do when a page gets mentioned on Slashdot. That would be nearly impossible to reliably detect. So in the long run I'm not sure that's effective; what's needed is a way of making sure more people follow the recommended guidelines given by their OS manufacturer, in terms of security updates and best practices.
In that way, I think that to be effective, you would need to have both a legal solution and a technological one. If you really went after people whose computers were compromised because they weren't keeping them patched and were leaving them on the Internet, in a very public way, you might encourage people to either patch their machines or disconnect them.
I'm not sure that such a tactic would be politically feasible -- as other people have pointed out, it is exactly the same tactic used by the RIAA to scare people into not file sharing, and the effect of that is questionable at best (however, in the case of discouraging people from leaving their PC unpatched, you're really not working against something they want to do, in the same way that the anti-file-sharing people are; very few people want to have an unpatched machine, they're just too lazy to do anything about it -- you're not really being punitive as much as you're giving them some very pointed encouragement to do something about a problem they're today comfortably ignoring).
Re: (Score:3, Interesting)
You need to think long and hard if you actually want that to happen, because this is definitely one of those cases of "be careful what you wish for."
Because a couple years from now you'll be in here bitching "My ISP won't let me use any p2p app, or telnet even ssh, or download exe files etc etc" just because someone *might* sue them.
Re:RIAA tactics to catch spammers? (Score:4, Informative)
And even if they can't find the end person, they can at least educate the zombie PC owners using a real-world example instead of the fear tactics used to push crapware like Norton Internet Security.
Re: (Score:2)
Second, it's going to be tough to interest law enforcement in a $200 purchase of harvested email addresses. Linking that to the botnet or webscrapers is going to be difficult, and CAN-SPAM did not create any mandate or provide any funds to law enforcement. It was a joke played on the gullible by Congress.
Third, project Honeypot has a major problem if they think they can fund their organization by selling these [cafepress.com] to geeks.
Re: (Score:3, Interesting)
Scenario II: The e-mail harvesters are using botnets. The IP addresses lead to third-party zombie machines that were infected by malware pushed by the e-mail harvesters. The honeynet operators file the anti-spam lawsuit, settle with the actual spammers for reduced damages i
Re: (Score:1)
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:1)
If you discover a subnet which scans your IP range and snarfs up a buncha email addresses which have never been publicised elsewhere (and are hidden behind appropriate robots.txt or META noindex,nofollow
how about a link to the actual article? (Score:5, Informative)
Re:how about a link to the actual article? (Score:4, Informative)
Or what about a link to the Project Honey Pot page that explains the lawsuit [projecthoneypot.org] and contains a link to that Washington Post article?
Re: (Score:2)
What would the natural response be? (Score:5, Interesting)
Clearly spam works, so the amount of spam being sent would only continue to grow. Would this lead to increased vigilante action? More privacy and restrictions imposed by administrators? Decrease in the use of Email as the signal-to-noise ratio continues to degenerate? All of the above?
Peter
Re: (Score:3, Funny)
The answers to these and other questions in the next episode of "Honey Pot Adventures". Do not miss the next episode on Channel Dupe!
Re: (Score:3, Insightful)
Sometimes I wonder if that's the case or if it's a case of slash and burn marketing - the spammers just keep signing up folks (especially overseas) who don't know any better, take their money, the folks who "advertised" realize it doesn't work and stop, the spammer just moves on and keeps signing folks up.
My ISP's spam filters are great and I'm really careful about sharing my email address. That being said, are there still a l
Re: (Score:2)
Then why would the "spammer" have to actually send emails? Wouldn't that just be extra effort, since they're lying to the client anyway?
Yeah but what will the judge think (Score:1)
I'm trying to figure out how they can do this AND have it be able to hold water in court. There's a hundred ways an account can get an email (spam or not) without it being mined specifically by the future defendant. I don't think it will suffice as the plaintiff's sole burden of p
Re: (Score:3, Informative)
Guided search of all the address space (Score:3, Interesting)
Let's hope this project thought about this issue (for example, by generating quite long AND random addresses), I would suppose so but haven't checked.
Re: (Score:2)
Ask the RIAA. The same tactics have worked for them at least half the time -- other half is spent suing grandmothers and small children.
Re:Yeah but what will the judge think (Score:5, Insightful)
Starting evidence:
-A sends spam to targeted email, obviously without opt-in.
-B is suspected to have harvested that address.
And then:
-Investigation shows a link between A and B.
Then you have something solid to sue on.
Re: (Score:1)
Here's some math. There are 15K harvesters identified by Honeypot. About 20% are US-based. This makes more than 3K harvesters that are US-based and subject to jurisdiction by US courts. With the power of legal process it won't be that hard to unmask the identities of a large portion of these 3K harvesters. With some pressure and threat of damages
Re: (Score:2)
According to the anti-spam laws they are suing for, that would be the only legal way for these e-mails to be used in advertising.
They only have to prove that it was the defendant who sent these e-mails - it is pretty c
Harvesting is the only source here (Score:3, Informative)
The way Project Honeypot works is this:
Lovely idea, but... (Score:2)
Is there any kind of mandate for this? I mean, this is a private organization doing this, not local police or the FBI as part of some larger investigation, so I imagine the suit would have to be civil, rather than criminal. They might have a harder time doing this than they realize. If I were them, I might have gotten law enforcement involved at some point. The link in the article is useless, since it really says nothing about the suit.
Nothing worthwhile is easy (Score:2)
I mean, this is a private organization doing this, not local police or the FBI as part of some larger investigation, so I imagine the suit would have to be civil, rather than criminal. They might have a harder time doing this than they realize.
On the other hand from what I(AmNotALawyer) understand, a civil suit needs only prove wrongdoing by preponderance of evidence, as opposed to beyond reasonable doubt; that is, you only need to prove that they probably did it, rather than almost certainly. It also h
Re: (Score:1)
I can think of several good reasons.
* CAN-SPAM makes unsolicited commercial email illegal in the US, but enforcement is very difficult.
* Spam must be a huge expense to the broad community of internet users -- bandwidth, filter costs, manual efforts, etc.
* Providing spammers with incentive to take over others' PCs with zombie botnets extracts further costs to hapless users.
And maybe a collective satisfaction of seeing anti-social thieves locked up should coun
Vatican spam (Score:4, Funny)
Re: (Score:1, Funny)
You hate us for our freedom!
Re:Vatican spam (Score:5, Funny)
Re: (Score:1)
Read yer FREEKIN timestamps b/f you mod me down..... geeesh.
Re: (Score:3, Funny)
I didn't expect that...
Re:Vatican spam (Score:4, Insightful)
How can I register god.i.va ? (Score:1)
How can I help? (Score:2)
Re: (Score:1)
Re: (Score:1)
If you live in VA, you might have already done your part depending on how you voted! VA has some awesomely strict anti-spam laws which even make it illegal to route spam through VA, even if the spammer and recipient don't reside anywhere in VA. Do a search for "Virginia Computer Crimes Act", or just click here for VA Codes and Laws [state.va.us]. As always, the EFF [eff.org] is a good place to look around too.
Now if VA would just get rid of UCITA... *sigh*
Re: (Score:2)
Ah, the Beltway (Score:2)
Probably no major players. (Score:3, Interesting)
One spammer less? (Score:1)
Kdawson, I know no one RTFA, but c'mon (Score:1, Redundant)
Close but no cigar (Score:2)
Two things can happen:
1) Spammers used their own computers, and (maybe) face the consequences - after this lawsuit the collecting is distributed onto zombies as well. As long as there's a market, there'll be new people exploiting it.
or
2) The spammers didn't use their own computers to collect addresses, and will continue that way.
Re: (Score:2)
Quest for Information (Score:1)
The gathering of IP addresses has been discussed here before (though I cannot offhand remember when). It is theoretically trivial to serve up a cryptohash of the IP address of the visitor harvesting email addresses with the intention of spamming. So, we know how the email address in question was gathered.
SMTP connection tracking
Hoorah (Score:1)
If only they could find a solution to Domain Tasting and Kiting, we'd be taking a good step forward.
NOT Vigilante (Score:3, Insightful)
Before there were laws on the books about spamming, there was no social structure for identifying and acting against spammers. Those who did it then were emergent order enforcement acts. They were volunteers carrying out the desires of many based on the consensus, or at least vocal majority, of the net. There was a socially accepted behavior, people who violated it, and people who took it upon themselves to enforce the socially accepted. All law enforcement has evolved from social systems in precisely this manner.
Now that there are laws, these people seek to identify the perps, and use the established social structure by turning them over to the proper channels and authorities.
Those who provide filtering/blocking services are acting within a social structure suitably designed and executed for property protection. They are offering private protection services and people sign up with them, or not.
Ever since Canter & Siegel people have accused anti-spammers of vigilantism without understanding what it means. Of course this was semi-informed media, hot headed critics, or spammers caught in the act, all of them using the word for hot-button value.
Now, people who cat together their tracking cookies with large garbage files to try to buffer overflow spammers' data collection activities, and people who set up botnets to DDoS spammer botnets, those are vigilantes. There are laws in place. Going around them is what vigilantism is about.
I was there for Canter & Siegel, and many more for several years. Only Alan Boyle, science editor at MSNBC, ever noted that the word "vigilante" was frequently misused in this way by others in the media. The few others anywhere near as correct simply didn't refer to us in that way.
The sound of money? (Score:3, Interesting)
What happens to any money you win in the lawsuit?
We're a long way from that, but we'd like to help out the people who have helped us. Obviously a large chunk would go to paying legal fees. Intriguingly, though, since we will know what Project Honey Pot members provided the data that ends up winning the case, maybe we'll be able to send them a little bonus.
I've been running a few of their honeypots for the past two years, so hopefully one of the spammers I "caught" will wind up paying a big time settlement. Sure, it's a pipe dream, but it's my pipe dream.
Why do ISPs allow direct SMTP outbound? (Score:1)
Botnets are the biggest source of spam, so why do ISPs still allow direct outbound SMTP from home connections by default? It wouldn't be too difficult to force all outbound SMTP through the ISP's mailserver by default, but allow direct SMTP connections for those who ask for them. If the mail goes through the ISP's mailserver, it can easily be tagged and the ISP can monitor for suspicious activity.
Is there some reason why this can't be done, or is it just that there's no one to enforce it on the ISPs? I
Washingtonpost.com has a copy of the complaint (Score:2)
been there done that (Score:2)
I usually include part of the vendor in the address so I can remember it easier. So like for NewEgg, I give them "v1newegg@vftp.net". Any email I receive that is addressed to v1newegg@vftp.net, I know exactly where it legitimately could have come from. If it comes from someone selling pr