Suing Spammers for Fun and Profit - PowerPoint PPT Presentation

About This Presentation
Title:

Suing Spammers for Fun and Profit

Description:

Suing Spammers for Fun and Profit Serge Egelman – PowerPoint PPT presentation

Slides: 30
Provided by: Serge210

Transcript and Presenter's Notes

1
Suing Spammers for Fun and Profit
  • Serge Egelman

2
Background
  • Over 50% of all mail
  • Less than 200 people responsible for 80%

3
Statistics
4
Statistics
5
Background
  • It's cheap!
  • Wider audience
  • Profit guaranteed
  • Little work involved

6
Background
  • Address harvesting
  • Web pages
  • Forums
  • USENET
  • Dictionary attacks
  • Purchased lists
  • No way out

7
Profile of a Spammer
  • Alan Ralsky
  • 20 Computers
  • 190 Servers
  • 650,000 messages/hour
  • 250 million addresses
  • $500 for every million messages
  • Convicted Felon
  • 1992 Securities fraud
  • 1994 Insurance fraud

8
Technical Means
  • Text recognition
  • Black hole lists
  • Statistical modeling
  • Neural networks
  • Cryptography
  • Digital signatures
  • Payment schemes

9
Basic Asymmetric Cryptography
  • RSA
  • Pick two large primes, p and q
  • Find N = p × q
  • Let e be a number relatively prime to (p-1)(q-1)
  • Find d, so that d·e ≡ 1 mod (p-1)(q-1)
  • The set (e, N) is the public key.
  • The set (d, N) is the private key.
  • Encryption
  • C = M^e mod N
  • Decryption
  • M = C^d mod N

10
Basic Asymmetric Cryptography
  • d = e^-1 mod (p-1)(q-1)
  • N = pq is known!
  • But usually very large (1024 - 2048 bits)
  • RSA 1024 bit challenge
  • 13506641086599522334960321627880596993888147560566
    70275244851438515265106048595338339402871505719094
    41798207282164471551373680419703964191743046496589
    27425623934102086438320211037295872576235850964311
    05640735015081875106765946292055636855294752135008
    52879416377328533906109750544334999811150056977236
    890927563
  • 309 digits
  • $100,000 prize

11
Asymmetric Cryptography Example
12
Digital Signature Example
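A worked instance of the recipe on slides 9-10, carried through to the encryption and signature examples of slides 11-12. This is an added illustration, not code from the original deck; the toy primes 61 and 53 and the exponent e = 17 are constructed values small enough to follow by hand, and the trial-division factoring at the end shows why a real N has to be as large as the 309-digit challenge number above.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Return ((e, N), (d, N)) following the slide's recipe.
    p and q are the chosen primes; e must be coprime to (p-1)(q-1)."""
    n = p * q                    # N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # d = e^-1 mod (p-1)(q-1), so d*e = 1 mod (p-1)(q-1)
    return (e, n), (d, n)

def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)          # C = M^e mod N

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)          # M = C^d mod N

def sign(m, priv):
    """Signing applies the private exponent to the message (slide 12)."""
    d, n = priv
    return pow(m, d, n)

def verify(m, sig, pub):
    """Anyone holding (e, N) can check the signature; a changed m fails."""
    e, n = pub
    return pow(sig, e, n) == m

def factor_small_n(n):
    """Trial division recovers p and q from a toy N instantly; the same attack
    is hopeless against the 309-digit N on the slide, which is the whole point."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)   # constructed toy primes, N = 3233
    c = encrypt(65, pub)
    print("public", pub, "private", priv, "C", c, "M", decrypt(c, priv))
    s = sign(65, priv)
    print("signature ok:", verify(65, s, pub), "tampered:", verify(66, s, pub))
    print("factored N:", factor_small_n(pub[1]))
```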
13
DomainKeys
  • Asymmetric cryptography
  • Verified sender
  • Modified SMTP server
  • Additional DNS records

14
SpamAssassin
  • Multiple tests
  • Around 300
  • Statistical modeling
  • Scoring

15
Example
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46s
      lxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE
      tjqeIA1L
      1z3yVtTa4BJG4oqiTsTiczbI2hPdGlGFRixbSshslvoyc3F
      aISIICMx7HlcqCN/wmiG4Q0uub4
  From: Matthew Eaton <mattheweaton@gmail.com>
  Reply-To: Matthew Eaton <mattheweaton@gmail.com>
  To: serge@guanotronic.com
  Subject: test from gmail
  X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
  X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
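How a receiving MTA would read the two headers shown on slides 13-15: unfold the DomainKey-Signature, pull out the selector and domain that name the public-key DNS record, and apply the SpamAssassin threshold from X-Spam-Status. This is an added example, not the deck's own code; the embedded headers are a constructed sample in the shape of the slide's (signature value shortened, addresses replaced with placeholders), and the helpers are not a full signature verifier.

```python
import re

# Constructed sample modeled on the slide's headers; the real b= value is a base64 RSA-SHA1 signature
SAMPLE_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46s
From: Sender Name <sender@example.com>
To: recipient@example.net
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
"""

def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) and map name -> value."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def parse_domainkey_signature(value):
    """Split 'tag=value; tag=value' into a dict; h= becomes the list of signed headers."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if "h" in tags:
        tags["h"] = tags["h"].split(":")
    return tags

def selector_dns_name(tags):
    """Name of the TXT record holding the signer's public key: the 'additional
    DNS record' from the DomainKeys slide, built from the s= selector and d= domain."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def spamassassin_verdict(value):
    """Read hits/required/tests from X-Spam-Status and apply the scoring threshold."""
    hits = float(re.search(r"hits=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=([\d.]+)", value).group(1))
    tests = re.search(r"tests=(\S+)", value).group(1).split(",")
    return {"hits": hits, "required": required, "tests": tests, "spam": hits >= required}
```

Calling `selector_dns_name(parse_domainkey_signature(unfold_headers(SAMPLE_HEADERS)["DomainKey-Signature"]))` yields the record name `beta._domainkey.gmail.com` that the verifier must look up before it can check b=.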
16
Sender Policy Framework
  • Prevents forgery
  • Requires DNS record
  • Recipient confirms sender
  • Open standard

17
Graylisting
  • Whitelist maintained
  • Other mail temporarily rejected
  • Spammers might give up
  • Mail delivery delayed
  • Spammers will adapt

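The greylisting behaviour on slide 17 as a small simulation, added here as an illustration rather than taken from the deck: an unknown (client IP, sender, recipient) triplet is temporarily rejected, a well-behaved MTA that retries after the delay is accepted and whitelisted, and a fire-and-forget spam run that never retries (or retries too fast) is never delivered. The 5-minute minimum delay, 4-hour expiry and the addresses are constructed assumptions.

```python
import time

class Greylist:
    """Minimal greylisting: first attempt for an unknown triplet gets a temporary
    SMTP 451; a retry after min_delay is accepted and the triplet is whitelisted.
    Delay and expiry values are assumptions, not figures from the slide."""

    def __init__(self, min_delay=300, expire=4 * 3600):
        self.min_delay = min_delay
        self.expire = expire
        self.pending = {}        # triplet -> time first seen
        self.whitelist = set()   # triplets that retried correctly ("whitelist maintained")

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.whitelist:
            return "250 OK (whitelisted)"
        first = self.pending.get(triplet)
        if first is None or now - first > self.expire:
            self.pending[triplet] = now          # new or stale: start the clock
            return "451 4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            # Immediate retry (the "spammers will adapt" case): keep rejecting
            return "451 4.7.1 Greylisted, please try again later"
        del self.pending[triplet]
        self.whitelist.add(triplet)
        return "250 OK"

def simulate():
    """Constructed scenario: a real MTA retries after 10 minutes and gets through
    (delivery delayed); a spam run never retries properly and is never delivered."""
    g = Greylist()
    t0 = 1_000_000
    mta = g.check("203.0.113.5", "alice@example.org", "bob@example.net", t0)
    mta_retry = g.check("203.0.113.5", "alice@example.org", "bob@example.net", t0 + 600)
    spam = g.check("198.51.100.9", "x@spam.example", "bob@example.net", t0)
    spam_fast = g.check("198.51.100.9", "x@spam.example", "bob@example.net", t0 + 30)
    return mta, mta_retry, spam, spam_fast

if __name__ == "__main__":
    for step, reply in zip(("mta", "mta retry", "spam", "spam fast retry"), simulate()):
        print("%-16s %s" % (step, reply))
```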
18
The Hunt
  • Contact Info
  • URLs
  • Email Addresses
  • WHOIS/DNS
  • USENET
  • news.admin.net-abuse.email
  • Databases
  • Spews.org
  • Spamhaus.org
  • OpenRBL.org

19
Legal Means
  • Foreign spam, local companies
  • One weak federal law
  • 35 State laws (as of 2003)
  • Two types
  • Forged headers
  • ADV subject line

20
Telecommunications Consumer Protection Act
  • The TCPA (47 U.S.C. § 227)
  • "equipment which has the capacity to transcribe
    text or images (or both) from an electronic
    signal received over a regular telephone line
    onto paper."
  • $500 or $1,500 fine per message
  • Mark Reinertson v. Sears Roebuck
  • Michigan small claims

21
Telecommunications Consumer Protection Act
  • ErieNet, Inc. v. VelocityNet, Inc.
  • US Court of Appeals, 3rd Circuit, No. 97-3562
  • September 25, 1998
  • "it is my hope that the States will make it as
    easy as possible for consumers to bring such
    actions, preferably in small claims court."
    (Senator Hollings)
  • "The question, therefore, is whether Congress has
    provided for federal court jurisdiction over
    consumer suits under the TCPA."
  • 28 U.S.C. § 1331: "The district courts shall have
    original jurisdiction of all civil actions
    arising under the Constitution, laws, or treaties
    of the United States."

22
The CAN-SPAM Act (15 U.S.C. § 7702)
  • Requirements
  • Deceptive Subjects
  • Falsified Headers
  • Valid Return Address
  • Opt-Out
  • Enforcement
  • FTC
  • States
  • ISPs
  • Do-Not-Email List
  • Bounty Hunters
  • Sender: "a person who initiates such a message
    and whose product, service, or Internet web site
    is advertised or promoted by the message."
  • Preemption

23
Virginia Laws
  • The VA Computer Crimes Act (18.2-152)
  • Forged headers
  • $10/message or $25,000/day
  • AOL and Verizon
  • Verizon v. Ralsky: $37M
  • AOL v. Moore: $10M
  • 28 U.S.C. § 1332: "The district courts shall have
    original jurisdiction of all civil actions where
    the matter in controversy exceeds the sum or
    value of $75,000, exclusive of interest and
    costs, and is between citizens of different
    States."

24
Pennsylvania Laws
  • The Unsolicited Telecommunications Advertisement
    Act (73 P.S. § 2250)
  • Illegal activities
  • Forged addresses
  • Misleading information
  • Lack of opt-out
  • Only enforced by AG and ISPs
  • $10/message for ISPs
  • $10 from AG

25
(No Transcript)
26
Small Claims Court
  • Court summons: $30-80
  • Maximum claim: $8,000
  • Winning by default because the spammer didn't
    bother to show up: Priceless

27
So you've won a judgment
  • Domesticate the judgment
  • Summons to Answer Interrogatories
  • Writ of Fieri Facias
  • Garnishment Summons

28
Criminal Penalties
  • You've got jail!
  • 1 year
  • 3 years
  • $5,000 profit
  • >2,500 in 24 hours
  • >25,000 in a month
  • >250,000 in a year
  • 5 years for second offense

29
Questions?