Title: Suing Spammers for Fun and Profit
Slide 1: Suing Spammers for Fun and Profit
Slide 2: Background
- Over 50% of all mail
- Less than 200 people responsible for 80%
Slide 3: Statistics
Slide 4: Statistics
Slide 5: Background
- It's cheap!
- Wider audience
- Profit guaranteed
- Little work involved
Slide 6: Background
- Address harvesting
  - Web pages
  - Forums
  - USENET
- Dictionary attacks
- Purchased lists
- No way out
Slide 7: Profile of a Spammer
- Alan Ralsky
  - 20 computers
  - 190 servers
  - 650,000 messages/hour
  - 250 million addresses
  - $500 for every million messages
- Convicted felon
  - 1992: securities fraud
  - 1994: insurance fraud
Slide 8: Technical Means
- Text recognition
- Black hole lists
- Statistical modeling
- Neural networks
- Cryptography
- Digital signatures
- Payment schemes
Slide 9: Basic Asymmetric Cryptography
- RSA
  - Pick two large primes, p and q
  - Find N = p*q
  - Let e be a number relatively prime to (p-1)(q-1)
  - Find d, so that d*e ≡ 1 (mod (p-1)(q-1))
  - The set (e, N) is the public key.
  - The set (d, N) is the private key.
- Encryption
  - C = M^e mod N
- Decryption
  - M = C^d mod N
Slide 10: Basic Asymmetric Cryptography
- d = e^-1 mod (p-1)(q-1)
- N = p*q is known!
  - But usually very large (1024 - 2048 bits)
- RSA 1024-bit challenge
  - 135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563 (309 digits)
  - $100,000 prize
Slide 11: Asymmetric Cryptography Example
Slide 12: Digital Signature Example
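Slides 9 through 12 list the RSA steps, but the two "Example" slides survive only as titles. The Python below is an added illustration, not code from the talk: it walks through key generation exactly as the slide describes (p, q, N = p*q, e coprime to (p-1)(q-1), d = e^-1), encrypts and decrypts a message, produces a hash-then-sign digital signature, and shows the slide-10 point that anyone who knows p and q can recompute d. Textbook RSA without padding, the 256-bit prime size, the SHA-256 digest, the seed and the sample message are all assumptions made for the demonstration.

```python
import hashlib
import random
from math import gcd

# Added illustration of the RSA steps on the slides (textbook RSA, no padding);
# not code from the talk. Prime size, seed and sample message are constructed.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test; false-positive probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:               # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True


def gen_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=256, seed=None):
    """Slide 9: pick p, q; N = p*q; e coprime to (p-1)(q-1); d = e^-1 mod (p-1)(q-1).
    `seed` gives a reproducible demo key; leave it None for real randomness.
    Returns the public key (e, N), the private key (d, N) and the factors (p, q)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    N = p * q
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (e, N), (d, N), (p, q)


def recover_private_exponent(e, p, q):
    """Slide 10: d = e^-1 mod (p-1)(q-1); whoever factors N recovers d."""
    return pow(e, -1, (p - 1) * (q - 1))


def encrypt(plaintext, pub):
    """C = M^e mod N. M is the message as an integer and must be smaller than N;
    leading zero bytes do not survive the integer round trip."""
    e, N = pub
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("message too long for this modulus")
    return pow(m, e, N)


def decrypt(ciphertext, priv):
    """M = C^d mod N."""
    d, N = priv
    m = pow(ciphertext, d, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, priv):
    """Signature = H(message)^d mod N: only the private key holder can produce it."""
    d, N = priv
    h = _digest_int(message)
    if h >= N:
        raise ValueError("modulus too small for the digest")
    return pow(h, d, N)


def verify(message, signature, pub):
    """Anyone holding (e, N) checks signature^e mod N == H(message)."""
    e, N = pub
    return pow(signature, e, N) == _digest_int(message)


if __name__ == "__main__":
    pub, priv, (p, q) = keygen(seed=2004)
    c = encrypt(b"attack at dawn", pub)
    print(decrypt(c, priv))                                   # b'attack at dawn'
    s = sign(b"test from gmail", priv)
    print(verify(b"test from gmail", s, pub))                 # True
    print(verify(b"test from gmai1", s, pub))                 # False
    print(recover_private_exponent(pub[0], p, q) == priv[0])  # True
```

The signature step is the DomainKeys idea in miniature: the sender publishes (e, N), signs a digest of the message with d, and any recipient can check it without being able to forge a new one. Real deployments add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures); the raw form here is only to make the slide's equations visible.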
Slide 13: DomainKeys
- Asymmetric cryptography
- Verified sender
- Modified SMTP server
- Additional DNS records
Slide 14: SpamAssassin
- Multiple tests
  - Around 300
- Statistical modeling
- Scoring
Slide 15: Example
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa4BJG4oqiTsTiczbI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4
  From: Matthew Eaton <mattheweaton_at_gmail.com>
  Reply-To: Matthew Eaton <mattheweaton_at_gmail.com>
  To: serge_at_guanotronic.com
  Subject: test from gmail
  X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
  X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
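The example slide shows the two headers a receiving system adds or consumes: the DomainKey-Signature tag list and SpamAssassin's X-Spam-Status verdict. The Python below is an added example (not code from the talk or from either project) that unfolds RFC 822 continuation lines, parses the DomainKeys tags into what a verifier would need (the selector DNS record name, the algorithm, the canonicalization and the list of signed headers) and turns the SpamAssassin score line into a threshold decision. The sample headers are constructed from the values on the slide, with the signature value replaced by an obvious placeholder.

```python
import re

# Constructed sample modelled on the slide's headers; the b= value is a placeholder,
# not a real signature. Continuation lines start with whitespace (RFC 822 folding).
SAMPLE_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:
    content-type:content-transfer-encoding;
  b=PLACEHOLDER/BASE64/SIGNATURE+VALUE
From: Matthew Eaton <mattheweaton_at_gmail.com>
To: serge_at_guanotronic.com
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
"""


def unfold_headers(raw):
    """Return [(name, value), ...] with folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def get_header(headers, name):
    """First header with the given name (header names are case-insensitive)."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def parse_tag_list(value):
    """DomainKeys 'tag=value; tag=value' syntax; whitespace inside values is
    insignificant (the b= signature is routinely folded across lines)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:                       # empty trailing item after final ';'
            continue
        k, _, v = item.partition("=")
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def domainkeys_lookup(tags):
    """What a verifier derives from the signature before fetching the public key:
    the selector record (selector._domainkey.domain) and the headers covered."""
    missing = {"a", "s", "d", "b"} - set(tags)
    if missing:
        raise ValueError("DomainKey-Signature missing tags: %s" % sorted(missing))
    return {
        "selector_record": "%s._domainkey.%s" % (tags["s"], tags["d"]),
        "algorithm": tags["a"],
        "canonicalization": tags.get("c", "simple"),   # 'simple' is the documented default
        "signed_headers": tags["h"].split(":") if tags.get("h") else [],
    }


def parse_spam_status(value):
    """'No, hits=-4.9 required=5.0 tests=BAYES_00 ...' -> structured verdict.
    Older SpamAssassin wrote hits=, newer versions write score=; accept both."""
    flag, _, rest = value.partition(",")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    score = float(fields.get("hits", fields.get("score", "0")))
    required = float(fields["required"])
    tests = fields["tests"].split(",") if fields.get("tests") else []
    return {
        "flagged": flag.strip().lower() == "yes",
        "score": score,
        "required": required,
        "tests": tests,
        "over_threshold": score >= required,
    }


def triage(raw):
    """Combine both headers into one record a mail filter could act on."""
    headers = unfold_headers(raw)
    dk = get_header(headers, "DomainKey-Signature")
    status = get_header(headers, "X-Spam-Status")
    return {
        "domainkeys": domainkeys_lookup(parse_tag_list(dk)) if dk else None,
        "spam": parse_spam_status(status) if status else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HEADERS), indent=2))
```

Two details matter for a real filter: the signed-header list (h=) tells you which headers are protected by the signature, so a spoofed Reply-To is only detectable if it is in that list, and the X-Spam-Status threshold comparison is a local policy decision, not something the sender can influence.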
Slide 16: Sender Policy Framework
- Prevents forgery
- Requires DNS record
- Recipient confirms sender
- Open standard
Slide 17: Graylisting
- Whitelist maintained
- Other mail temporarily rejected
- Spammers might give up
- Mail delivery delayed
- Spammers will adapt
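The graylisting slide lists the trade-offs without showing the mechanism. The Python below is an added simulation (not code from the talk or any MTA) of the usual approach: the first delivery attempt for a new (client network, sender, recipient) triplet gets a temporary 4xx rejection, a retry after a minimum delay is accepted and the triplet is whitelisted, and a spam cannon that never retries never gets through. The timing parameters, the /24 keying, the addresses and the scenario are all constructed for the illustration; the final case shows the "spammers will adapt" bullet, where a sender that simply retries later is accepted like any other MTA.

```python
# Added greylisting simulation; not code from the slides. Timing parameters,
# sample addresses and the scenario below are constructed for illustration.

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, whitelist_ttl=36 * 86400):
        self.min_delay = min_delay          # retries faster than this are still deferred
        self.retry_window = retry_window    # a retry later than this starts over
        self.whitelist_ttl = whitelist_ttl  # how long an accepted triplet stays trusted
        self.pending = {}                   # triplet -> time first seen
        self.whitelist = {}                 # triplet -> time last accepted

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Large senders retry from a different host in the same pool, so key on the
        # IPv4 /24 rather than the exact address (assumption: IPv4 dotted quads).
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """SMTP-style verdict for one delivery attempt at time `now` (seconds)."""
        key = self._key(client_ip, sender, recipient)
        last = self.whitelist.get(key)
        if last is not None and now - last < self.whitelist_ttl:
            self.whitelist[key] = now       # known-good triplet: accept and refresh
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now         # new or stale triplet: defer this attempt
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                 # retried too quickly: keep deferring
        del self.pending[key]               # a patient retry: accept and whitelist
        self.whitelist[key] = now
        return ACCEPT


def run_constructed_scenario():
    """Constructed timeline: a real MTA, a fire-and-forget spammer, an adapted one."""
    g = Greylist()
    legit = ("203.0.113.10", "alice@example.org", "bob@example.net")
    legit_pool = ("203.0.113.11", "alice@example.org", "bob@example.net")  # same /24
    oneshot = ("198.51.100.7", "deals@example.com", "bob@example.net")
    adapted = ("198.51.100.9", "promo@example.com", "bob@example.net")
    return {
        "legit": [
            g.check(*legit, now=0),          # first attempt deferred
            g.check(*legit, now=60),         # too soon, deferred again
            g.check(*legit_pool, now=900),   # 15 min later from a pool sibling: accepted
            g.check(*legit, now=5000),       # next message: whitelisted, no delay
        ],
        "oneshot": [g.check(*oneshot, now=0)],               # never retries: never delivered
        "adapted": [g.check(*adapted, now=0), g.check(*adapted, now=1800)],  # retries: gets in
        "legit_delivery_delay_s": 900,
    }


if __name__ == "__main__":
    for name, verdicts in run_constructed_scenario().items():
        print(name, verdicts)
```

The cost is visible in the numbers: the first legitimate message waited 15 minutes, the adapted spammer lost only 30 minutes, and the only sender stopped outright was the one that never retried. Greylisting therefore buys time for blocklists and content filters rather than replacing them.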
Slide 18: The Hunt
- Contact Info
  - URLs
  - Email Addresses
  - WHOIS/DNS
- USENET
  - news.admin.net-abuse.email
- Databases
  - Spews.org
  - Spamhaus.org
  - OpenRBL.org
Slide 19: Legal Means
- Foreign spam, local companies
- One weak federal law
- 35 state laws (as of 2003)
- Two types
  - Forged headers
  - ADV subject line
Slide 20: Telecommunications Consumer Protection Act
- The TCPA (47 U.S.C. § 227)
  - "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper."
  - $500 or $1500 fine per message
- Mark Reinertson v. Sears Roebuck
  - Michigan small claims
Slide 21: Telecommunications Consumer Protection Act
- ErieNet, Inc. v. VelocityNet, Inc.
  - US Court of Appeals, 3rd Circuit, No. 97-3562
  - September 25, 1998
- "it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court." (Senator Hollings)
- "The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA."
- 28 U.S.C. § 1331: "The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States."
Slide 22: The CAN-SPAM Act (15 U.S.C. § 7702)
- Requirements
  - Deceptive subjects
  - Falsified headers
  - Valid return address
  - Opt-out
- Enforcement
  - FTC
  - States
  - ISPs
- Do-Not-Email List
- Bounty Hunters
- Sender: "a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."
- Preemption
Slide 23: Virginia Laws
- The VA Computer Crimes Act (§ 18.2-152)
  - Forged headers
  - $10/message or $25,000/day
- AOL and Verizon
  - Verizon v. Ralsky: $37M
  - AOL v. Moore: $10M
- 28 U.S.C. § 1332: "The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States."
Slide 24: Pennsylvania Laws
- The Unsolicited Telecommunications Advertisement Act (73 § 2250)
- Illegal activities
  - Forged addresses
  - Misleading information
  - Lack of opt-out
- Only enforced by AG and ISPs
  - $10/message for ISPs
  - $10 from AG
Slide 26: Small Claims Court
- Court summons: $30-80
- Maximum claim: $8000
- Winning by default because the spammer didn't bother to show up: Priceless
Slide 27: So you've won a judgment
- Domesticate the judgment
- Summons to Answer Interrogatories
- Writ of Fieri Facias
- Garnishment Summons
Slide 28: Criminal Penalties
- You've got jail!
  - 1 year
  - 3 years
    - $5,000 profit
    - >2,500 in 24 hours
    - >25,000 in a month
    - >250,000 in a year
  - 5 years for second offense
Slide 29: Questions?