suing spammers for fun and profit

Post on 04-Jan-2016


TRANSCRIPT

Suing Spammers for Fun and Profit

Serge Egelman

Background

Over 50% of all mail
Less than 200 people responsible for 80%

Statistics

Background

It’s cheap!
Wider audience
Profit guaranteed
Little work involved

[Chart: cost comparison, Email $250 vs. USPS $370,000 (y-axis $0 to $400,000)]

Background

Address harvesting: web pages, forums, USENET, dictionary attacks, purchased lists
No way out

Profile of a Spammer

Alan Ralsky
20 computers, 190 servers
650,000 messages/hour
250 million addresses
$500 for every million messages
Convicted felon: 1992 securities fraud, 1994 insurance fraud

Technical Means

Text recognition
Black hole lists
Statistical modeling
Neural networks
Cryptography
Digital signatures
Payment schemes

Basic Asymmetric Cryptography

RSA
Pick two large primes, p and q
Find N = p * q
Let e be a number relatively prime to (p-1)*(q-1)
Find d, so that d*e = 1 mod (p-1)*(q-1)
The set (e, N) is the public key. The set (d, N) is the private key.
Encryption: C = M^e mod N
Decryption: M = C^d mod N

Basic Asymmetric Cryptography

d = e^-1 mod (p-1)(q-1)
N = p*q is known!
But usually very large (1024 - 2048 bits)
RSA 1024 bit challenge:

135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

309 digits, $100,000 prize

Asymmetric Cryptography Example

Digital Signature Example
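Added worked example for the two example slides above (not code from the slides): textbook RSA following the slide's recipe, with constructed tiny primes p=61, q=53 and a constructed message, used first for encryption and then for a digital signature over a SHA-1 hash.

```python
# Added example (not from the slides): textbook RSA with tiny constructed
# primes, following the slide's recipe for the keys, for encryption and
# for a digital signature.  Real keys are 1024-2048 bits and use padding.
import hashlib
from math import gcd

def keygen(p, q, e=17):
    """Return ((e, N), (d, N)): N = p*q, d = e^-1 mod (p-1)(q-1)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    assert (d * e) % phi == 1      # d*e = 1 mod (p-1)*(q-1)
    return (e, N), (d, N)

def encrypt(pub, M):
    e, N = pub
    return pow(M, e, N)            # C = M^e mod N

def decrypt(priv, C):
    d, N = priv
    return pow(C, d, N)            # M = C^d mod N

def _digest(msg, N):
    # Sign a hash of the message (as DomainKeys' rsa-sha1 does); reduced
    # mod N only because this toy N is far smaller than a SHA-1 digest.
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N

def sign(priv, msg):
    d, N = priv
    return pow(_digest(msg, N), d, N)         # S = H(M)^d mod N

def verify(pub, msg, S):
    e, N = pub
    return pow(S, e, N) == _digest(msg, N)    # only (e, N) needed to check

if __name__ == "__main__":
    pub, priv = keygen(61, 53)                # N = 3233, d = 2753
    C = encrypt(pub, 65)                      # C = 2790
    print(C, decrypt(priv, C))
    S = sign(priv, b"test from gmail")
    print(verify(pub, b"test from gmail", S), verify(pub, b"test", S))
```

Anyone holding only the public pair (e, N) can check the signature, which is what lets a receiving mail server confirm the sender without sharing any secret.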

DomainKeys

Asymmetric cryptography
Verified sender
Modified SMTP server
Additional DNS records

SpamAssassin

Multiple tests (around 300)
Statistical modeling
Scoring

Example

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE+tjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton <mattheweaton@gmail.com>
Reply-To: Matthew Eaton <mattheweaton@gmail.com>
To: serge@guanotronic.com
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
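Added example (not from the slides) of reading the headers above: it unfolds the continuation lines, splits the DomainKey-Signature tags, names the DNS TXT record (selector._domainkey.domain) a verifier would fetch for the public key, and reads SpamAssassin's score against its threshold. The header text is constructed from the slide, with the b= signature value shortened.

```python
# Added example (not from the slides): unfold the headers shown above,
# pull the DomainKey-Signature tags, name the DNS record a verifier would
# fetch, and read SpamAssassin's verdict.  Sample text is constructed
# from the slide, with the b= signature value shortened.
import re

SAMPLE_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm=
From: Matthew Eaton <mattheweaton@gmail.com>
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
"""

def unfold(raw):
    """Join folded continuation lines (leading whitespace) into one value."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def parse_domainkey(sig):
    """Split 'tag=value; tag=value' into a dict (a, q, c, s, d, h, b)."""
    tags = {}
    for part in sig.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k] = v
    return tags

def selector_record(tags):
    # DomainKeys publishes the sender's public key in a TXT record at
    # <selector>._domainkey.<domain>: the "additional DNS record".
    return f"{tags['s']}._domainkey.{tags['d']}"

def spam_verdict(status):
    """Return (is_spam, hits, required) from an X-Spam-Status value."""
    hits = float(re.search(r"hits=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=([\d.]+)", status).group(1))
    return hits >= required, hits, required

if __name__ == "__main__":
    h = unfold(SAMPLE_HEADERS)
    tags = parse_domainkey(h["DomainKey-Signature"])
    print(tags["a"], selector_record(tags), tags["h"].split(":"))
    print(spam_verdict(h["X-Spam-Status"]))
```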

Sender Policy Framework

Prevents forgery
Requires DNS record
Recipient confirms sender
Open standard

Graylisting

Whitelist maintained
Other mail temporarily rejected
Spammers might give up
Mail delivery delayed
Spammers will adapt

The Hunt

Contact info: URLs, email addresses
WHOIS/DNS
USENET: news.admin.net-abuse.email
Databases: Spews.org, Spamhaus.org, OpenRBL.org

Legal Means

Foreign spam, local companies
One weak federal law
35 state laws (as of 2003)
Two types: forged headers, “ADV” subject line

Telecommunications Consumer Protection Act

The TCPA (U.S.C. 47 §227): "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper."

$500 or $1500 fine per message
Mark Reinertson v. Sears Roebuck

Michigan small claims

Telecommunications Consumer Protection Act

ErieNet, Inc. v. VelocityNet, Inc.
US Court of Appeals, 3rd Circuit, No. 97-3562, September 25, 1998

“it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” –Senator Hollings

“The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”

U.S.C. 28 §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States

The CAN-SPAM Act (15 U.S.C. §7702)

Requirements:
Deceptive subjects
Falsified headers
Valid return address
Opt-out

Enforcement: FTC, states, ISPs

Do-Not-Email list
Bounty hunters
Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”

Preemption

Virginia Laws

The VA Computer Crimes Act (§18.2-152)
Forged headers: $10/message or $25,000/day
AOL and Verizon
Verizon v. Ralsky: $37M
AOL v. Moore: $10M

U.S.C. 28 §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.

Pennsylvania Laws

The Unsolicited Telecommunications Advertisement Act (73 §2250)

Illegal activities: forged addresses, misleading information, lack of opt-out
Only enforced by AG and ISPs
$10/message for ISPs
10% from AG

Small Claims Court

Court summons: $30-80
Maximum claim: $8000

Winning by default because the spammer didn’t bother to show up: Priceless

So you’ve won a judgment…

Domesticate the judgment
Summons to Answer Interrogatories
Writ of Fieri Facias
Garnishment Summons

Criminal Penalties

You’ve got jail!
1 year
3 years:
  $5,000 profit
  >2,500 in 24 hours
  >25,000 in a month
  >250,000 in a year
5 years for second offense

Questions?
