Is Forged Spam a Crime?
PJRC2 writes "ABC News.com has an article about a man who claims he committed no crime in sending millions of AOL users porn and make-money-fast spam and making the messages appear as though they came from ibm.net. " We're going to see more of this in the future. I think forged spam should be punishable by death, but I probably get more of it than most people ;)
Re:Fake Spam? (Score:1)
Please!
Not while I'm eating lunch!
t_t_b
--
Trademark Infringement? (Score:5)
Re:It's not even about spam, or email (Score:2)
Let's see what this criminal did:
* He sent mass e-mails using other people's computer facilities. That's theft, chattel trespass and - if the spams clogged their e-mail system - denial-of-service. The people who have to clean up the damage have to pay technical people large amounts of money. That's damage that can be recovered in a court of law.
* He impersonated IBM. That's fraud.
* He used IBM's trademark without authorisation. That's trademark infringement.
* He sent pornographic spams. If any of the recipients were underage and the underage recipients then visited the web site, that's transmission of pornography to minors.
* He violated his ISP's Acceptable Use Policy. That's breach of contract.
If the laws were up-to-scratch, then this perpetrator would be facing 3 years in jail, large lawsuits from IBM and the people from whom he stole e-mail facilities, and many small claims from the recipients.
And he wants us to believe that he's not a criminal? Yeah, right, and I'm the Swiss Navy on maneuvers in the southern Indian Ocean.
--
Easy to Detect (Score:2)
Re:Spam Licensing: A Modest proposal (Score:2)
//rdj
It's explicitly a crime in at least a dozen states (Score:1)
See http://www.suespammers.org [suespammers.org] for all the juicy details.
--Tom Geller, Founder, The Suespammers Project
Alternatives ... (Score:1)
Besides, it's my understanding that most ISP's have a terms and conditions agreement that limits the liability of the ISP, and provides for the termination of the abusive user's account.
------
The problem is that the terms and conditions agreements simply do not work towards limiting abuse, and the termination of the user's account just doesn't happen.
I see that it would set dangerous legal precedents. Point taken. IANAL either, but the ISPs are the only ones with the ability to intervene in this situation, and many times they just don't. If there were repercussions to the ISP giving the abuser sustained and repeated access to the internet, you can be sure they would implement some form of controls in order to prevent it. But there isn't, so they do very little to stop it.
If the cabbie knew he was a bank robber, and gave him a ride out of town anyway, is the cabbie innocent? Or, if the bank robber got into the cab unbeknownst to the cabbie, and the security officer from the bank ran out and said "Don't give him a ride, he's a bank robber," but the cabbie still gave him a ride, is the cabbie innocent?
OK, let's say that the ISP is not fined, but rather obliged to reveal the identity of the abuser when a clear cut case of abuse is present. This information could be made readily available to those adversely affected by the abuse, as well as sent to other ISP's to prevent the abuser from reestablishing connectivity. The terms and conditions agreement could be modified to force the users to agree to this possibility.
(if you are a lawyer, feel free to speak up
Re:Why is this even a question? (Score:1)
What this guy is doing is probably "wrong" but I applaud him on all accounts. I really detest spammers
This [freewebsites.com] is excellent. Incidentally, there is a legal doctrine called the "doctrine of necessity" which allows what would ordinarily be considered crimes to be committed if a) the amount of damage caused is less than that caused by the original crime and b) there is no other reasonable legal alternative.
A bank which, rather than alerting the police and causing their shareholder value to drop precipitously, instead hired hackers to hack back when they were being invaded, would be merely honoring their fiduciary responsibility to shareholders.
"Hack back" defenses have not yet been legally tested, that I know of. Further the risk is minimal. I myself have used DOS attacks (deliberately limited to avoid damaging the guy's ISP) against spammers, to limit the damage they cause while attempting through other means to get them axed. I find it highly unlikely that someone is going to complain to the police about something someone did to them while they were themselves committing a crime.
"Uh, officer, well, I was stealing this car when this guy came up behind me and. . ."
Re:Your Karma ran over my Dogma (Score:1)
Yup. It's patented too. And trademarked.
At least I have a sig.
Re:Take away their net privileges for 3 years (Score:1)
--
Overlooked problem: Open relay (Score:1)
The open relay shouldn't get by unscathed.
Assuming that there really was an open mail relay used to send the spam to AOL, in no case should Market Vision, the company through which the spam was sent, be able to sue. This is as ludicrous as the shrinkwrap licenses that we all loathe so much.
If a company is irresponsible enough to have an open mail relay (whether intentionally or through casual ineptitude), they should not be able to take their case to the corner drugstore, much less to court. To absolve the company with the open relay of all guilt is to invite stupidity to the Net, and stupidity is the most damaging thing the Net can take.
If you leave the top down on your convertible and park it in the darkest underpass of the inner city, and you leave the doors unlocked and the engine running, I believe it is still a crime to steal the car. However, if you then sue the thieves because they stole the car, you probably stand a very slim chance of getting any money (or you should stand little chance, that is).
Ignorance may be bliss, but it should not be rewarded.
Spamford *was* king (Score:1)
There's just no arguing with fsckwits like this guy. It's obvious to the vast majority of clear thinking people that this kind of behaviour is anti-social, at minimum. I used to become infuriated by that Spamford Wallace character a few years back when he was generally being an asshole and taunting everyone who disagreed with his conception of acceptable email behaviour. No more, fuck it, life's too short, now I just hit Del.
Unfortunately we have two options. Spam is either made illegal by legislative means, which bugs the net-anarchist types to no end. Or try to continue dealing with spam via the current means, that is, filters, MAPS RBL, etc. I'm not sure which way I lean (which is often where I find myself when the self-righteous right, left, commie, objectivist, whatever types are going at it.)
That reminds me. Last week that peahead on zdnet Jesse Burst claimed that MAPS RBL [mail-abuse.org] was some newfangled tool that ISP's use to prevent spam. A modicum of research by the ad mongers at zdnet would have revealed the purpose of RBL. What a maroon!
Re:Spam and U.S. regulations (Score:1)
then there is a very very small chance that following the remove instructions will actually remove you from anything. There is a pretty good chance that the email address shown is false or made-up, and there is also a good chance that any mail sent to it will just get you more spam, now that they have confirmed that your address is good, and that you actually read their junk.
Re:Nail 'em to the wall! (Score:2)
Right - it's meant in irony - the source is Voltaire's commentary on the court-martial and hanging of Admiral Byng. (Byng was grossly outnumbered, and ran away - as a result, he was executed for "cowardice".)
"C'est necessaire quelquefois a suspendre un admiral ou deux, pour encourager les autres." ("It is necessary sometimes, to hang an admiral or two, to encourage/enhearten the others" ;-)
Although Voltaire originally meant it in the sense of "beatings will continue until morale improves", the quip has also developed a second sense, namely "punish excessively and make an example out of the offender". While not quite historically faithful, it certainly has a nice ring to it when used in conjunction with the image of a row of spammer heads on pikes.
> On va leur couper les couilles et leur faire manger, violer leur femme et mettre leur tête sur un pic... (that's better :)
Well, I dunno.
As for leur couper les couilles et leur faire manger, you'd starve to death on the contents thereof, and as for violer leur femme, we're talking about spammers here. Given what goes into spammer DNA, do you really think a spammers's mother, sister, or first cousin is gonna be much to look at? OK, not every spammer falls into that category, but the few spammers who didn't marry blood relatives are probably hooked up with goats and sheep, which is just Not My Kink.
But I'm still up for the heads on pikes bit.
It's illegal in VA, which counts here... (Score:2)
Considering that AOL's servers are located in VA, all email to AOL is received in Virginia. This is part of the reason that AOL wanted the anti-spam law, so they could go after spammers like this one and slap them with nice hefty lawsuits.
The particular section of the bill (18.2-152.4) reads:
Virginia - SB 881 Computer Crimes Act; electronic mail [state.va.us]
Original Slashdot Story - Virginia Criminalizes spam, ACLU against it [slashdot.org]
-Todd
---
Treat it like any other form of forgery. (Score:4)
Ding-Ding-Ding! All aboard the Logic Train! (tm)
If I try and pass a check at a bank with a signature other than my own, that's illegal. I'm convicted of check fraud, and I go to prison.
If I walk into a bar with a fake ID, or attempt to purchase a firearm with false identification, I'll get busted as well.
If I send a piece of mail through the US Postal Service posing as someone I'm not, then bingo, I'm guilty of mail fraud.
Now, in the case of fraudulent spam, I attempt to tell tens of thousands of people I am someone who I'm not. Worse yet, I'm trying to use that identity to sell something. Why should that form of fraud be punished any differently than other forms of fraud?
Bowie J. Poag
Paper mail often fraudulent, too (Score:1)
Generally speaking the bulk-rate postal metering on them gives 'em away, but I must admit that once in a while I get careless and actually open one up.
While I realize that this is someone's First Amendment rights, etc etc, it does seem that the intention of the senders is to trick you into believing that the mail they've sent you is something important that you'd better not toss. To me, this is prima facie proof of deceptive business practices but if you complain to the Postal Inspector they just kind of shrug their shoulders.
Until the postal authorities set a precedent that cheating through the mails is not OK, why would anyone be expected to care about internet spam?
Re:No crime? (Score:1)
Re:Spam Solution (Score:1)
--
Re:Why is this even a question? (Score:2)
Now say I do the same thing because I want to use a pseudonym but not for illegal reasons (I don't want so-and-so to know I'm checking into this hotel) then it's all fine and dandy.
Re:One other thing (Score:1)
Just because you, say, leave your house unlocked doesn't mean it's okay for someone to come in and watch tv, use your phone, and drink your beer. The case is more similar to this than to the "loaded gun" analogy.
Re:Different Angle... (Score:1)
richard nixon was a bad example (that's the price of picking a name at pseudo-random)...
Re:This is just a privacy issue in disguise (Score:2)
No it's not.
What's happening is that the spammer is behaving like an ass, and so does not want to reveal their identity -- they want "privacy" for their actions in this case. The forgery is just a symptom of their desire for privacy.
No...the spammer is acting in a public and commercial capacity and so has forsaken his expectation of privacy.
What's interesting is that this reverses the usual role of privacy in these discussions. Mostly privacy is regarded like fresh air or something -- the more the better. In reality, like most things privacy has as many bad effects as good.
"Privacy" is neither good nor bad. But respect for the individual's privacy is desirable, and that respect should not hinge on the characterization of the information being held private.
I look forward to the day I can program my mail system to only accept email from real signed identities -- i.e. no privacy for people sending me email. This sounds scary at first since the privacy==good thing is so conditioned, so you need to think about it a bit.
You make it sound as if the right to privacy extends to the right to intrude anonymously. For one thing, you are a private individual and can set your own personal "Terms of Service" that requires identification prior to engaging in communication. This is, by no means, inconsistent with the basic premise of the right to privacy.
Forged the worst way on Earthlink (Score:1)
Actually, these forgeries are very common (Score:5)
However, there are always a certain percentage of readers who know about these forgeries, and the spammer will lose his account eventually anyways. Btw, there is even a web site in which you can paste your spam, and which automatically sends complaints to the correct places: Spamcop [spamcop.net].
So, unless this forgery was done with the express purpose of annoying someone at IBM, don't make it into a criminal case; it's just business as usual.
Re:It's not even about spam, or email (Score:1)
False Advertising/Deceptive Business Practices (Score:2)
Re:His argument reeks of Hacker-speak... (Score:2)
//rdj
Re:Fake Spam? (Score:1)
Fraud is Fraud (Score:2)
1) He "Hijacked" an environment that was not owned by him, and he had no right to manipulate data on that environment. This should fall under the same cracking style laws that govern the prosecution of script kiddies and other web page defacers.
2) He used the words "IBM.net" in his solicitations. This is going over the line that is somewhat grey to begin with but is reasonably well understood. If he had stopped at "You may already be a winner" or other technique that sweepstakes companies and such use, he may have been ok, however he did reference IBM.net and that's blatantly wrong and misleading.
They will throw the book at this guy, and I think the general public will have little sympathy for him. Being a spammer has got to be one of the most unpopular endeavors one could choose as a line of work.
Re:For a bunch of geeks... (Score:1)
Incidentally, just because you can fake the headers, doesn't mean that you should, or that we're not allowed to complain and, if allowed to do so by law, prosecute you if you do. This is a form of fraud that we're talking about here; claiming to be someone that you're not, or to represent someone/something that you do not. That's illegal in most other media, so why should email be any different?
Cheers,
Tim
Nail 'em to the wall! (Score:5)
Juno and Hotmail have sued spammers (e.g., the "TCPS" spammer from a couple of years back) for forging their domain names into fake email addresses inserted in the From: header. The forging caused clueless people to send countless bogus abuse reports to Juno and Hotmail abuse desks, consuming their resources. IIRC, uu.net got into the act too, as most of the spams were coming from a long series of uu.net dialups in an area of NYC that didn't have caller-ID.
There's the "flowers.com case", where a spammer issued a forged HELO flowers.com when doing a spam in order to fool (ancient) versions of Sendmail into hiding the spammer's originating IP address when raping a third-party relay. $65000 in damages because it defamed the legitimate owner of flowers.com at the time.
It's trademark infringement as well. You purport that your mail comes from AOL, it's AOL's business that you're using their domain name. AOL's landsharks have been known to sue spammers for falsely implying that spam comes from AOL. More power to 'em.
Finally, in the cases of "joe jobs" - where a spammer will forge spam in the name of someone in order to target the forged party for harassment - it's obvious that there's intent to defame, harass, and of course, willful misrepresentation.
The forging of headers in unsolicited bulk email should be at the very least a civil, if not a criminal, offense.
The real problem, of course, is that since your average spammer lives in a trailer surrounded by beer cans and chicken bones, collecting anything from a spammer can be a real problem.
Which is why it's relatively rare that ISPs sue or press criminal charges against spammers. More's the pity. There's a group of spammers operating out of Earthlink dialups in a manner identical to that of the TCPS spammer's abuse of uu.net dialups a few years ago, and Earthlink is doing nothing about it. More's the pity.
But back to the original article on ABCNews:
The son of a bitch not only spammed, but he raped a relay to do it. That's theft of computer services at a minimum, and given the number of bounced spams that probably came back to the raped relay at Market Vision, probably a DOS attack too.
Throw the book at the son of a bitch and put his head on a pike. Pour encourager les autres.
Re:Actually, these forgeries are very common (Score:1)
Re:One other thing (Score:2)
People make choices and they are responsible for the outcomes of those choices. The woman in our example is responsible for choosing to get drunk, for choosing to walk alone, and perhaps unarmed, down that alley at that hour of the night. She is existentially responsible if she is assaulted, just as I would be existentially responsible if I were assaulted under the same conditions.
The folks at Market Vision *chose* not to properly secure their email server, whether they made the choice from ignorance or with full knowledge of the consequences, they still made that choice. They therefore bear some responsibility for what happened.
A quote from a RUSH song would be appropriate here: "If you choose not to decide, you still have made a choice."
PAY ATTENTION! I AM NOT talking about LEGAL responsibility. I AM talking about MORAL and EXISTENTIAL responsibility. Legally, they can sue the guy, but ethically they are still at fault and are not deserving of a dime. Anyway, I don't see how it could cost $18,000 for a mail server to be down for a few hours, unless they lost an $18,000 contract that hinged on one lost email, highly unlikely.
Re:One other thing (Score:2)
Leaving the house unlocked does not excuse the behavior of the person who has broken the law by entering/trespassing. It does, however, lessen the amount of responsibility shown by the homeowner and, in fact, increases their existential responsibility in the outcome of someone breaking and entering.
I suggest reading some Sartre and Camus if you want to know where I am coming from.
Next TCP/IP Standard (Score:1)
I heard some rumors that the next version of the TCP/IP standard will incorporate the MAC address of the particular machine. I know that many people, including me, have concerns about privacy but there could be an up-side. If you could identify the particular machine then you track the spam sender. Then you'd force them to buy new NICs every time they want to send a batch of spam. In effect a financial penalty for spam. Just a thought...
sketch (Score:1)
Re:Spam Licensing: A Modest proposal (Score:1)
Re:$18000 (Score:1)
That wasn't IBM's figure, that was someone else. Sending out enough relay mail to bog down IBM.net's servers would be something impressive (SDOS-Spam Denial Of Service). This guy's servers were crashed by the weight of being a relay for a few million messages. This is why mail servers should be set up to deny relays from untrusted hosts. IBM just had their name stolen.
SignaI v. SignaL (Score:1)
Then again, the user pages look identical. So is Signa[eye] the same as Signa[elle]? Ouch, this is making my head hurt, trying to differentiate between an I and an l... make it stop... make it stop...
Same thing (Score:1)
The Internet Is Really Evil (Score:1)
It was previously a uu.net account he was performing these actions from...but our many complaints finally had his uu.net account destroyed *thanks abuse@uu.net*.
The worst part about this is actually explaining why this message didn't really come from us. People just don't understand that the internet isn't the most honest place in the world, or exactly how easy it is to forge these headers.
So my day goes on...and tomorrow I will probably answer another 15 of these abuse reports. Why don't I do something about this...well...I have a lot of projects to do and talking to lawyers doesn't exactly appeal to my geeky nature.
Hmm (Score:1)
----
Oh my god, Bear is driving! How can this be?
Why is this even a question? (Score:4)
Fake Spam? (Score:3)
It's not even about spam, or email (Score:4)
At a certain level, of course we can tell the message didn't come from IBM.
But...
The guy sending the spam:
a) knew that he was making his messages appear to come from IBM.net to the average user.
b) was probably doing this without authority from ibm.net
c) Was doing this for the express purpose of misleading the recipients of the spam into reading the spam. THIS is the really bad part. It's fraud.
One other thing (Score:2)
Two Laws (Score:2)
Finally, given that SMTP makes no guarantees about the validity of the "From:" address, I see no reason (other than ignorance) for anyone to have any expectation of its validity. I don't know about the "law of the land" when it comes to fraud, but I would imagine that the recipient's expectation of validity plays an important role in proving fraud.
Disclaimers: IANAL, IANAS (Sysop).
Re:More Spam Hits (Score:2)
Rather than just trashing the spam, I think I'll save it to a special mailbox. At some point in the future, I think I'd like to come up with some effective (and intelligent) spam blocking software.
Omnibus reply (Score:2)
1) Forging from headers is criminal in a number of ways:
a) A number of States have laws on the books:
Ref: http://www.cauce.org
http://www.suespammers.org
These laws criminalize forging of headers. No gray area.
b) The bounces cause resource theft of AOL's servers, and bandwidth.
c) Civil action for misuse of trademark and goodwill.
2) There is an automated way of sending complaints:
Register with abuse.net (Run by John Levine). Then you send your complaint to the domain you want to complain to, @abuse.net, and John's system automagically forwards it to the right address for that domain.
3) If you want to hunt the spammers down yourself, try Steve Atkins' Sam Spade (http://www.samspade.org)
4) Hitting delete is NOT an option. It does not scale.
5) There is no Federal Bill. Those disclaimers you see are bogus. They often refer to HR 1716, or Murkowski. These were proposed, but *never* passed. There is no Inbox or Federal Bill that protects spam. There is a Federal Bill making its way through the house currently, HR 3113. It is a "good"(tm) thing. Support it.
6) When all else fails..
If you can't get the spammer's ISP's attention, *don't do anything illegal*. Visit http://mail-abuse.org, document your efforts, and nominate the spammer, and his ISP to the RBL. Trust me, it is *extremely* effective in educating the ISP.
Revenge of the Spammed (Score:2)
To summarize he went into the spammers computers and got everything personal he could find on them... including some interesting photos
------
IanO
Re:One other thing (Score:2)
$18000 (Score:2)
Re: (Score:2)
Re:Trademark Infringement? (Score:3)
Hmm... is IBM known for sending spam? If so, then I guess they could make a case that the perp misled people into thinking they were getting name-brand spam when in fact they were getting a cheap knock-off.
On the other hand, if IBM isn't in the spam business, then it should be hard to convince a judge that a trademark was infringed.
---
Re:Why is this even a question? (Score:3)
Forgery is already a crime in the physical realm. Why, then, should it not be also a crime in the digital?
Indeed. Incidentally, while it may or may not be a crime to forge spam, it's a misdemeanor of the first degree to use a computer without authorization. (18 USC 2701 [cornell.edu].) I'm surprised this one isn't used more often. The "victim" of the crime would be the site used as a spam relay, and the result (overload of the system), being something any reasonable person would expect, could be construed as malice, resulting in the act being a felony, since obviously they are using the other person's system with the intent of avoiding their own system being wiped out by spam.
A number of cases [netins.net] have shown that relay hijacking and use of trademarks in spam is trademark infringement.
I think the argument that "forging spam" is itself a crime is somewhat bogus, I don't know why they don't go forward with some state version of the "Unlawful Use of Computers" statute, as this is a slam-dunk, while this "forged spam is crime" argument is pretty thin.
Forgery generally refers to the forgery of documents for the benefit of the forger. This is a trickier claim to make. (Definition of forgery here [law.com].)
When this guy is convicted... (Score:2)
So I'm sitting here on the group W bench, when the biggest, meanest father-raper comes over to me and asks, "What'd you get?"
I said, "I didn't get nothing - I had to clean up the mess."
He said, "What are you in for?"
I said, "Spamming." And they all moved away. "And creating a public nuisance." And they all moved back....
With apologies to Arlo Guthrie
</Humor>
I'll bet the other prisoners will love him.
Re:Localhost.com spam lawsuit (Score:3)
The Localhost claim is different because the host there was suing for defamation. That's a civil claim, not a criminal charge. Also, it wouldn't be binding precedent - it was merely a low level ruling in a Colorado state court.
No, I think this IBM case is much better. I've pursued cases like this with no success, because there is some question of consent by the "victim" if they were running an open relay. Regardless of how stupid it is, open relays are still very common, and spammers regularly abuse them. If the spammer somehow hacked the relay, that will help the case.
The other aspect is the forgery - use of IBM's name. Another thread on this topic had a post talking about a guy who was calling other people and leaving a third party's name and phone number. Depending on your state law, that might not be forgery, because it's a voice communication. That's why the appropriate criminal charge there was phone harassment, which is usually an extremely low-level felony or a misdemeanor. Spam involves printing the actual text of the name IBM.COM in the email. That's the forgery. Making it appear as if IBM was sending it, that's the fraud. If it was my case, I'd also charge theft for any damage caused to IBM by the actions of the spammer - time lost on machine downtime, and cost to fix machines. Manpower and overtime to fix the problem might be worth asking for, too (probably depends on the judge).
But if the IBM.COM machine was an open relay.... I dunno.
==
"This is the nineties. You don't just go around punching people. You have to say something cool first."
Re:Fake Spam? (Score:2)
It's that "mostly" bit that scares me...
The human body is "mostly" water, but it's those other inconsequential meaty bits that keep you from sliding down the drain when you take a shower.
"The axiom 'An honest man has nothing to fear from the police'
Re:I can see his defense lawyer angling for.... (Score:2)
eMail Fraud? (Score:2)
What would happen if it were made illegal to alter the headers in email messages? Would mail routers have to have special licenses to add 'received by:' fields?
This could be a landmark case for electronic mail -- if the same thing happened with snail mail, it would have been called 'Mail Fraud'.
dc
--
Re:Actually, these forgeries are very common (Score:2)
If the law strikes back at those people forging their headers, then maybe we'll get a nice baseball bat to knock the spammers around with...
Re:Different Angle... (Score:2)
*Sigh* One more time:
1. Junk snail-mail is paid for by the sender out of his own pocket.
2. Junk e-mail is paid for by the recipient out of stolen bandwidth and the increase in ISP fees caused by spam-related overhead.
also, i don't think that impersonation, in all cases, is illegal. suppose, for example, that you dressed up as richard nixon (just to pick a name out of the air) for halloween. suppose also that you ran about in your costume doing all sorts of embarrassing or shameful things. clearly, reasonable people would not take you for the real nixon.
If you went around gluing flyers to people's front doors (a meatspace analogy to spamming, in that it involves conversion of other people's property and creation of a public nuisance to spread your message), then concealing one's identity would be an aggravating factor.
In addition, your analogy fails because recognizing that someone wearing a Nixon halloween mask is not really Nixon is much easier than spotting a forged header. One does not need any special technical skill to distinguish a cheap mask from a human face, or to know that the real Richard M. Nixon is taking the eternal dirt nap.
/.
"viable economic option" (Score:2)
The response rate for spam is high enough that the spammers are willing to work on commission. It's high enough, in fact, that their clients are uncommonly willing to pay up fairly large money (four/five figure weekly payouts) readily.
It's more than viably economic: it's a damn fine income... alas.
--
Revenge (Score:2)
http://belps.freewebsites.com/
Basically someone hacked a spam company and got all sorts of logs and even some pictures of the perps.
Check it out.
Re:One other thing (Score:2)
Absolutely - any system administrator who leaves his relay open for abuse is incompetent.
But I disagree with you here:
> [ ... ] I don't think they deserve any compensation [ ... ] It's their own fault [ ... ]
While they're dorks for not having secured it, this is just blaming the victim.
Although it's not smart for a woman to walk down a dark alley at 3 in the morning, staggering as if drunk, while wearing a miniskirt and low-cut blouse that doesn't mean "she asked for it" if she ends up raped. (My apologies to rape victims for that example - you're the best example I can think of to explain that "blame the victim" is bogus.)
The incompetence of the admins at Market Visions (whose server, like all open relays, essentially was staggering down a blind alley, sloshed to the gills, wearing a low-cut blouse and hot pink mini...) does not take away from the fact that their property was violated, nor should it, IMHO, detract from their rights to compensation.
(Of course, we're in complete agreement that a more competent admin would have prevented the problem from requiring a lawsuit or criminal charges in the first place. That's why you pay your admins the big bucks -- preventing a breach is always cheaper than cleaning up after one, and a good sysadmin is worth his or her weight in gold.)
Re:well.. lets see (Score:2)
It's a bit more complicated than that. It is legal, at least in the USA, to use aliases instead of your legal name. It's illegal to use an alias to deceive someone, with intent to defraud.
Re:Two Laws (Score:2)
No doubt; that's what I was referring to with my parenthetical phrase "other than ignorance."
Remember that ignorance of the law is no excuse. I would imagine that works for victims as well. That is, if you incorrectly think that someone is perpetrating a crime against you, that doesn't make them a criminal.
I wouldn't advocate that every AOL user, for example, should read every RFC, just that nobody should assume that an email is really from the address shown in the From: line. You'd think that after all the media attention paid to the Melissa and ILOVEYOU viruses, that a few more people would start waking up to this possibility. I guess not. Sigh...
Re:New York Times also covered this (Score:2)
And if you log in, maybe you could check out and vote on my story, which I worked on a while today? :^)
Re:Spam sucks, but worse than government? (Score:4)
There is no opt-out.
There is no invasion of privacy (those spammers obviously wanted to be contacted, or they wouldn't be sending out communications)
There is no new legislation (fraud, forgery and misrepresentation are already on the books).
In short, this could be just the ticket to stop spam. If forging headers is found illegal, then the spammers will have to use their real address. Then we can do a quick whois, hunt them down and kill them. Slowly. Uh- I mean, get their accounts cancelled.
--
More Spam Hits (Score:2)
There's another class of spam, that isn't really spam, but that's those damned annoying messages that people I know keep sending me with subjects of Read this--Funny or some such. I don't have time to wade through that crap, so I generally just hit the delete key and go on to the next message. I'll have to add a filter to check for that junk, too.
I've already got my MUA set to automatically delete messages with empty or missing From: and To: headers. I think I'll add code to delete messages with forged addresses.
After that, I'm going to start saving all the Spam that I receive in a special file and run some dictionary/statistics generating software on it to see if I can come up with an algorithm to detect spam. Once that's in place, I'll live Spam free!
On a related note.. (Score:2)
Re:Take away their net privileges for 3 years (Score:2)
While that part was offstage in the Asimov story, I can't help but think that if this were really done then other spammers would start advertising tapes of the one who got caught receiving his Clockwork Orange treatment. It would be like the pick-pockets working the crowd watching a pick-pocket being hanged.
/.
New York Times also covered this (Score:3)
No crime? (Score:3)
One thought: surely if AOL users have a use, it's as spam fodder? If it wasn't for THEM we'd probably all be getting three times as many invitations to visit mandy being spanked in her dorm.
The origin of your address on spammers lists? (Score:2)
I can see his defense lawyer angling for.... (Score:3)
"Your honor, this man not only spams, deals in pornography, and forges addresses to hide his identity, but he truly believes he has committed no crime. He is obviously insane and should be cared for, not caged like a criminal. I have here several psychologists who would like to testify as to..."
Spam sucks, but worse than government? (Score:3)
Are there any technological solutions to this, especially forged spam? What about tighter permissions on mail servers, the Real-time Blackhole List, etc?
Given a choice between dealing with spam (i.e., adding the sender to my spam filter), and dealing with an overzealous government, which would you pick?
I'm all for vigilante anti-spam lynch mobs, though
Depends on the judge (Score:4)
Many years ago, I had this guy from my school leave a bunch of very bizarre and often threatening messages on other people's answering machines and voicemail - and leave my phone number on it.
I finally found one sympathetic company willing to play the message back to me over the phone - I recall it had something to do with "and I'd better be seeing that money soon, understand?" Of course, I recognized the voice, and I called my local police department to see what the law had to say on the matter... and guess what? It counted as telephone harassment, same as if he'd have called me directly.
So, if'n I was IBM's bigshot lawyers, I'd go after them for either theft of services or harassment. It seems to me that ibm.net must have gotten flooded with "die fsckin' spammer" and "delete this account" messages... sounds like the same concept to me!
--
Make Money on the 'Net [geocities.com]
Spam punishable by death... (Score:5)
I wonder if the guards yelled "JUST HIT DELETE" before shooting the offenders...
Re:Fake Spam? (Score:2)
Re:Actually, these forgeries are very common (Score:2)
Hmmm. I wonder if USian spammers could be nailed under RICO? (Racketeer Influenced and Corrupt Organizations Act) Nah, probably not.
Re:Easy to Detect (Score:2)
Actually, I've noticed that some ISPs have started to include an X-trace line in headers. This includes the exact time, IP address, phone number, etc. that the spammer was using when putting the spam into the system. I've only seen it in USENET postings, but that's because I haven't actually spent any time carefully going over headers on e-mail spam. It should make it very easy to trace, though.
His argument reeks of Hacker-speak... (Score:2)
But I don't know that it stands. I mean, personally I think that if a company has a severe security problem such as the one this company so obviously had (being able to relay to out-of-domain addresses), then I think they deserved what they got. And I don't see how a company can claim damages on something that wouldn't have happened if they'd been properly configured to begin with...
On the other hand, I take responsibility that if I get caught I'm pretty much going to twist in the wind. I think he got caught, and I think he deserves to twist in the wind.
There was something the article didn't mention. Was he simply using their e-mail servers, or did the man use that company as his ISP? I think it's an entirely different argument if they were his ISP. (And I don't think they were...)
--
"A mind is a horrible thing to waste. But a mime...
It feels wonderful wasting those fsckers."
Re:Why is this even a question? (Score:2)
What this guy is doing is probably "wrong" but I applaud him on all accounts. I really detest spammers
Re:One other thing (Score:2)
I disagree. Everyone should be able to leave their mail server open to this. Sometime someone will need something to relay through, and it costs nothing to relay 1 message. It is only several million that was the problem.
I also believe you should be able to leave your door unlocked. People should be honest enough that they only enter your house (without your permission/knowledge) when they are passing through town and need a bathroom, or need a cup of flour. (The latter is typically a neighbor, and you would be paid back when you needed a teaspoon of oregano)
Of course like everyone else I lock my doors because there are dishonest people, but in a perfect world things would be different.
Re:Spam and U.S. regulations (Score:2)
Bruce
How we can get rid of spam. (Score:2)
2) Set up servers to not accept messages from nonexistent hosts. This way, the server will only accept messages from real hosts, and if they're forged, it'll be prosecutable.
Of course, there's a lot more to it than just that, though. I know it could be dangerous if inappropriately applied, but I can see circumstances under which civil suits by a clean ISP against an open transport ISP *cough*AOL*cough* on the grounds of negligence. Heck, if a little kid goes into my shed and steals my radial saw, and ends up cutting his hand off with it, I can be held responsible. Therefore, I keep a lock on it. Of course, if the kid breaks in despite the lock, I'm not responsible, because I made a reasonable effort at securing the hazard.
I am kind of afraid of letting judges and juries determine what is a reasonable computer security expectation, though. Well, this is just food for thought. I'll let the experts hack it out. (in every meaning of the word)
Defense? (Score:3)
~CalibanDNS
Re:Spam sucks, but worse than government? (Score:3)
If I were a business that had my network go down for any number of hours or days at a loss of thousands of dollars to my company, damn straight I would want the government involved.
I at least need to be able to seek recourse in the courts so that I can file a civil suit to collect compensation to cover the financial damage my company suffered by the network-trespassing-spamming-scum.
- tokengeekgrrl
"The spirit of resistance to government is so valuable on certain occasions
Re:Spam sucks, but worse than government? (Score:2)
...dollars to my company, damn straight I would want the government involved.
---
---
"The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive." -- Thomas Jefferson
---
Anyone else find this incredibly funny?
Offtopic, I know, but I couldn't resist.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])
Re:No crime? (Score:2)
If it wasn't for the AOL'ers, there's a good chance that the amount of positive responses spammers got would be overwhelmed by the negative impact and most spam would stop.
Just my opinion anyways.
-Restil
Don't get mad, get even! (Score:2)
The 'innocent' spammers in question have already started taking down mirrors of the site [cluelessfucks.com]. I suggest you get in quick!
Re:No crime? (Score:2)
Re:Spam flavors? (Score:2)
--
FINE his ISP as an accessory (Score:2)
Now, the average user cannot read email headers. However, the average user has the ability to send an abuse report (hundreds and thousands), although usually with a threat of a lawsuit, foul language, or incomplete headers. But we can't blame the users. We just tell them where it really came from and give them a few good links about spam. At the same time, we fend off cease-and-desist or die messages from our various outsourcers, who routinely forget that the exact same thing happened only a few months ago. It gets to you after a while.
So, what can we do? Contact the ISP that is putting this guy on the net? Nice try. Waste your time on their abuse address, waste more time on faxing, finally call them to tell them about the problem and they will immediately refer you to their lawyers. Any chance of getting a network tech on the phone to talk about the problem? Forget it.
The only viable solution is to subpoena (sp?) the server logs from the ISP and the telephone records from the telco and go from there. For me, that doesn't work, as I'm in Jakarta and have no desire to spend mucho money on an intercontinental lawsuit with little or no hope of reward at the end of it.
What would put a stop to SPAM? Making the ISP responsible for monitoring, and responding to abuse complaints about, spam that was sent from their systems. Do you think the ISPs could stop it if they were "motivated" to do so? Damn right they could. It can't be too hard to notice that someone is sending 50,000 emails through your system within a 20 minute period.
Making the ISPs partially responsible would go a long way toward eliminating spam. Perhaps a sliding scale fine system would work.
[aside: in the one event where a shitforbrains spammer rigged a perl script to sign up for accounts, login to our webmail, and send spam (all through HTTP connections), we only got 4 complaints. we also shut down the spammer within hours of the original complaint]
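The volume check the comment above says an ISP could run ("50,000 emails through your system within a 20 minute period"), as an added example that is not part of the original thread. The log line format, the client addresses and the function names are constructed for illustration and do not match any particular mail server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> client=<ip> nrcpt=<recipients>"
LINE = re.compile(r"^(\S+) client=(\S+) nrcpt=(\d+)$")

def parse(lines):
    """Yield (timestamp, client_ip, recipient_count) for well-formed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], int(m[3])

def burst_senders(events, limit=50_000, window=timedelta(minutes=20)):
    """Map each client to the first time its recipient total over the
    trailing window exceeded limit. events must be sorted by time."""
    recent = defaultdict(deque)   # per-client (timestamp, count) in window
    totals = defaultdict(int)     # per-client running total for the window
    flagged = {}
    for ts, ip, n in events:
        q = recent[ip]
        q.append((ts, n))
        totals[ip] += n
        # Drop entries that have aged out of the trailing window.
        while q and ts - q[0][0] > window:
            totals[ip] -= q.popleft()[1]
        if totals[ip] > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed log: one client relaying in bulk, one ordinary client."""
    start = datetime(2000, 5, 1, 10, 0, 0)
    lines = []
    for i in range(120):   # 500 recipients every 10 seconds
        t = start + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} client=198.51.100.77 nrcpt=500")
    for i in range(5):     # 3 recipients every 5 minutes
        t = start + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} client=192.0.2.10 nrcpt=3")
    return sorted(lines)   # ISO timestamps sort chronologically

if __name__ == "__main__":
    for ip, when in burst_senders(parse(sample_log())).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

Counting recipients rather than messages matters here, because a single SMTP transaction can carry many RCPT TO addresses.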
For a bunch of geeks... (Score:3)
I'll give you a topic:
SMTP IS NEITHER SECURE NOR AUTHENTICATED.
Discuss.
It says so right there in the RFC. You can lie in the headers. There is nothing to verify that the sender is who they say they are.
If you're relying on the "From:" line of an e-mail to tell you from whence a message was generated, well, that's your problem. I guess you think hotsexx@youroffice.com is a real address, too.
I hate spam as much as the next guy, but let's get real here.
Being slashdot, I'm surprised nobody is claiming they have a First Amendment right to create bogus headers. What if he's doing it to make a political statement?
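The point made above, that nothing in SMTP verifies the From: line, shown from the recipient's side as an added example that is not part of the original thread. The message, host names and addresses are constructed, and the Received format matched is one common layout, not the only one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. From: claims ibm.net, but the Received chain (written by
# each server that handled the message, newest first) never mentions ibm.net.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx.recipient.example with SMTP; Mon, 1 May 2000 10:00:02 -0400
Received: from dialup-77.isp.example (dialup-77.isp.example [198.51.100.77])
\tby relay.example.net with SMTP; Mon, 1 May 2000 10:00:01 -0400
From: "Special Offer" <sales@ibm.net>
To: someone@recipient.example
Subject: Make money fast

(body omitted)
"""

# "from <HELO name> (<reverse-DNS name> [<IP>])"
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def received_hops(msg):
    """Return (helo_name, rdns_name, ip) for each Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(value)
        if m:
            hops.append(m.groups())
    return hops

def from_domain(msg):
    """Domain part of the From: address, which the sender chooses freely."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def from_mismatch(msg):
    """True when no relaying host in the Received chain is in the From: domain.

    A heuristic only: Received lines below the one your own server wrote can
    be forged too, and mailing lists or forwarders cause honest mismatches,
    so use the result as one signal for a filter, not as proof.
    """
    dom = from_domain(msg)
    if not dom:
        return True
    for _helo, rdns, _ip in received_hops(msg):
        rdns = rdns.lower()
        if rdns == dom or rdns.endswith("." + dom):
            return False
    return True

if __name__ == "__main__":
    print(from_mismatch(message_from_string(SAMPLE)))
```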
Uh... huh? (Score:2)
Quote from the article:
Pirro said the message traffic Garon allegedly sent through Market Vision, a graphics studio company in Irvington, was so heavy that it crashed the company's internal network, causing damage in repairs and business downtime.
What? I can understand that maybe the mail system would become clogged and cease to function. But exactly what "repairs" would be necessary? The guy claims $18,000 in damages! If it's that hard for their network guys to clear out some mail, then the guy has bigger problems than a spammer using his mail system.
--
Localhost.com spam lawsuit (Score:3)
Pablo Nevares, "the freshmaker".
Adequate Civil remedies, anyways. (Score:2)
Though, it would be kinda nice if the spammer could be locked up, too.