Transcript of the slide deck (posted 19-Dec-2015)

CMU Usable Privacy and Security Laboratory

http://cups.cs.cmu.edu/

Suing Spammers for Fun and Profit

Serge Egelman

• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ • Serge Egelman

“Two years from now, spam will be solved”

-Bill Gates, February 24th, 2004

Background
• Over 80% of all mail (2006 MAAWG report)
• Less than 200 people responsible for 80% (according to Spamhaus.org)

Statistics (two chart slides, figures only)

Background
• It’s cheap!
• Wider audience
• Profit guaranteed
• Little work involved
(Chart: Email vs USPS cost; bars labelled $250 and $2,200 on a $0 to $2,500 axis)

Background
• Address harvesting: web pages, forums, USENET
• Dictionary attacks
• Purchased lists
• No way out

Profile of a Spammer: Alan Ralsky
• 20 computers at home
• 190 servers around the world
• 650,000 messages/hour
• 250 million addresses
• $500 for every million messages
• Do the math!
• Convicted felon: 1992 securities fraud, 1994 insurance fraud
• 2008 stock fraud indictment

Technical Means
• Text recognition: keywords, statistical modeling
• Black hole lists
• Greylisting
• Cryptography: digital signatures, payment schemes

Asymmetric Cryptography Example (figure only)

Digital Signature Example (figure only)

DomainKeys
• Asymmetric cryptography
• Verified sender
• Modified SMTP server
• Additional DNS records

SpamAssassin
• Multiple tests (around 300)
• Statistical modeling
• Scoring
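
How "multiple tests plus scoring" works in practice, as an added example that is not from the deck or from the SpamAssassin project: a handful of rules, one of them backed by a naive Bayes token model, each add a score when they fire, and the total is compared with the required threshold to produce an X-Spam-Status line in the format the deck's Example slide shows. BAYES_00 and its -4.9 score are taken from that header; the other rule names (BAYES_99, SUBJ_ADV, MISSING_MSGID), their scores, the probability thresholds and the six-message training corpus are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Message is what the filter scores: a header map and the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// Rule is one test; every rule that fires adds its score (negative = looks legitimate).
type Rule struct {
	Name  string
	Score float64
	Match func(m Message) bool
}

// Bayes is a Laplace-smoothed naive Bayes token model: the "statistical modeling" behind BAYES_*.
type Bayes struct {
	spam, ham   map[string]int
	nSpam, nHam int
	vocab       map[string]bool
}

func tokens(s string) []string {
	return strings.FieldsFunc(strings.ToLower(s), func(r rune) bool { return !unicode.IsLetter(r) })
}

func (b *Bayes) Train(text string, isSpam bool) {
	for _, t := range tokens(text) {
		b.vocab[t] = true
		if isSpam {
			b.spam[t]++
			b.nSpam++
		} else {
			b.ham[t]++
			b.nHam++
		}
	}
}

// SpamProbability sums per-token log-likelihood ratios (equal priors) and maps back to a probability.
func (b *Bayes) SpamProbability(text string) float64 {
	v := float64(len(b.vocab))
	llr := 0.0
	for _, t := range tokens(text) {
		pSpam := (float64(b.spam[t]) + 1) / (float64(b.nSpam) + v)
		pHam := (float64(b.ham[t]) + 1) / (float64(b.nHam) + v)
		llr += math.Log(pSpam / pHam)
	}
	return 1 / (1 + math.Exp(-llr))
}

// NewFilter trains the model on a constructed six-message corpus (an assumption of this
// example; real deployments learn from thousands of messages) and returns the rule set.
// BAYES_00 and its -4.9 score appear in the deck's Example header; the other names,
// scores and thresholds are assumptions made here.
func NewFilter() []Rule {
	b := &Bayes{spam: map[string]int{}, ham: map[string]int{}, vocab: map[string]bool{}}
	for _, s := range []string{"buy cheap pills now", "cheap mortgage rates now", "free pills free money"} {
		b.Train(s, true)
	}
	for _, h := range []string{"meeting notes attached", "lunch tomorrow at noon", "project status update"} {
		b.Train(h, false)
	}
	text := func(m Message) string { return m.Headers["Subject"] + " " + m.Body }
	return []Rule{
		{"BAYES_00", -4.9, func(m Message) bool { return b.SpamProbability(text(m)) < 0.1 }},
		{"BAYES_99", 5.4, func(m Message) bool { return b.SpamProbability(text(m)) > 0.9 }},
		{"SUBJ_ADV", 1.0, func(m Message) bool { return strings.HasPrefix(strings.ToUpper(m.Headers["Subject"]), "ADV") }},
		{"MISSING_MSGID", 0.5, func(m Message) bool { _, ok := m.Headers["Message-Id"]; return !ok }},
	}
}

// Scan runs every rule and returns the total plus the names of the tests that fired.
func Scan(m Message, rules []Rule) (hits float64, tests []string) {
	for _, rule := range rules {
		if rule.Match(m) {
			hits += rule.Score
			tests = append(tests, rule.Name)
		}
	}
	return hits, tests
}

// Status renders the verdict in the X-Spam-Status format shown on the deck's Example slide.
func Status(hits, required float64, tests []string) string {
	verdict := "No"
	if hits >= required {
		verdict = "Yes"
	}
	return fmt.Sprintf("X-Spam-Status: %s, hits=%.1f required=%.1f tests=%s",
		verdict, hits, required, strings.Join(tests, ","))
}
```

Calling Scan on a constructed "Meeting notes" message with a Message-Id and then Status with the 5.0 threshold yields `X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00`; a message whose subject starts with "ADV" and whose text is full of the spam corpus's tokens crosses the threshold with BAYES_99, SUBJ_ADV and MISSING_MSGID all firing. The design point is the weighting: a single heuristic such as an ADV subject line is worth far less than the Bayes verdict, so no one rule decides the outcome.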

Example

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton <[email protected]>
Reply-To: Matthew Eaton <[email protected]>
To: [email protected]
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
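
The asymmetric cryptography, digital signature and DomainKeys slides, and the DomainKey-Signature header above, worked through in Go as an added example that is not the deck's own material: the sending domain publishes an RSA public key in a DNS TXT record, the sending MTA signs the headers named in h= plus the body with the private key, and the receiving MTA fetches the key named by s= and d= and verifies. Two assumptions: the DNS lookup is a function the caller injects (so the code runs offline), and stripFWS is a simplified stand-in for c=nofws canonicalization rather than the exact RFC 4870 algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DNSLookup stands in for the TXT query of <selector>._domainkey.<domain> (injected; runs offline).
type DNSLookup func(name string) (string, error)

// ErrNoRecord is what a lookup returns when the domain publishes no key under that selector.
var ErrNoRecord = errors.New("no DomainKeys TXT record")

// NewKey generates the sending domain's 2048-bit RSA key pair.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// stripFWS drops spaces, tabs and CRs: a simplified stand-in for c=nofws canonicalization
// (so relays that re-fold whitespace do not break the signature), not the exact RFC 4870 rules.
func stripFWS(s string) string {
	return strings.Map(func(r rune) rune {
		if r == ' ' || r == '\t' || r == '\r' {
			return -1
		}
		return r
	}, s)
}

// canonicalize builds the signed bytes: the headers listed in h=, in that order, then the body.
func canonicalize(headers, names []string, body string) []byte {
	var b strings.Builder
	for _, n := range names {
		for _, line := range headers {
			if strings.HasPrefix(strings.ToLower(line), strings.ToLower(n)+":") {
				b.WriteString(stripFWS(line) + "\n")
			}
		}
	}
	b.WriteString(stripFWS(body))
	return []byte(b.String())
}

// parseTags splits "a=rsa-sha1; q=dns; ..." (or "k=rsa; p=...") into a map.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	return tags
}

// PublishKey renders the TXT record the domain adds to DNS (the "additional DNS records").
func PublishKey(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed *rsa.PublicKey
	return "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign is the sending MTA's side: it returns the DomainKey-Signature header value.
func Sign(key *rsa.PrivateKey, domain, selector string, headers, signed []string, body string) (string, error) {
	digest := sha1.Sum(canonicalize(headers, signed, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("a=rsa-sha1; q=dns; c=nofws; s=%s; d=%s; h=%s; b=%s",
		selector, domain, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(sig)), nil
}

// Verify is the receiving MTA's side: fetch the key named by s= and d=, recompute the digest
// over the h= headers and the body, and check the signature; any mismatch is an error.
func Verify(sigHeader string, headers []string, body string, lookup DNSLookup) error {
	tags := parseTags(sigHeader)
	if tags["a"] != "rsa-sha1" || tags["c"] != "nofws" { // refuse anything but the expected algorithm
		return errors.New("unsupported a= or c= tag")
	}
	txt, err := lookup(tags["s"] + "._domainkey." + tags["d"])
	if err != nil {
		return err
	}
	der, errKey := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	sig, errSig := base64.StdEncoding.DecodeString(tags["b"])
	if errKey != nil || errSig != nil {
		return errors.New("malformed base64 in key or signature")
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return errors.New("TXT record does not hold a usable RSA key")
	}
	digest := sha1.Sum(canonicalize(headers, strings.Split(tags["h"], ":"), body))
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA1, digest[:], sig)
}
```

Sign with a key from NewKey, publish PublishKey's output as the TXT record your lookup returns for `<selector>._domainkey.<domain>`, and Verify accepts the original message, still accepts it after whitespace has been re-folded in transit (that is what the c=nofws tag buys), and rejects it once the body or a signed header such as From has been altered. The explicit a=/c= check matters: a verifier that trusts whatever algorithm the header names is open to being talked into a weaker one.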

Sender Policy Framework
• Prevents forgery
• Requires DNS record
• Recipient confirms sender
• Open standard
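
What "recipient confirms sender" amounts to in code, as an added example that is not from the deck: the receiving MTA takes the domain from MAIL FROM, fetches its SPF TXT record and walks the mechanisms left to right until one matches the connecting client's IP. Only the ip4, ip6, include and all mechanisms are implemented, the TXT lookup is an injected function, and the zone data in main is constructed; those are assumptions of this example, and a full evaluator also handles a, mx, exists, redirect= and the DNS-lookup limit.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is the SPF outcome the receiving MTA records (names as in RFC 7208).
type Result string

const (
	Pass      Result = "pass"      // the domain vouches for this client
	Fail      Result = "fail"      // the domain says this client is not its sender
	SoftFail  Result = "softfail"  // probably not, but mark rather than reject
	Neutral   Result = "neutral"   // the record takes no position
	None      Result = "none"      // the domain publishes no SPF record
	PermError Result = "permerror" // record unusable (loop, unknown term, bad include)
)

// TXTLookup stands in for a DNS TXT query; injected so the example runs offline (assumption).
type TXTLookup func(domain string) (record string, found bool)

// ipMatches handles "ip4:"/"ip6:" arguments in either CIDR or single-address form.
func ipMatches(arg string, ip net.IP) bool {
	if _, cidr, err := net.ParseCIDR(arg); err == nil {
		return cidr.Contains(ip)
	}
	single := net.ParseIP(arg)
	return single != nil && single.Equal(ip)
}

// CheckHost evaluates the SPF record of domain against the connecting IP.
// depth bounds include recursion so a self-referencing record cannot loop forever.
func CheckHost(ip net.IP, domain string, lookup TXTLookup, depth int) Result {
	if depth > 10 {
		return PermError // runaway include chain
	}
	record, found := lookup(domain)
	terms := strings.Fields(record)
	if !found || len(terms) == 0 || terms[0] != "v=spf1" {
		return None
	}
	for _, term := range terms[1:] {
		res := Pass // default qualifier is "+"
		switch term[0] {
		case '-':
			res, term = Fail, term[1:]
		case '~':
			res, term = SoftFail, term[1:]
		case '?':
			res, term = Neutral, term[1:]
		case '+':
			term = term[1:]
		}
		parts := strings.SplitN(term, ":", 2)
		name, arg := parts[0], ""
		if len(parts) == 2 {
			arg = parts[1]
		}
		switch name {
		case "all":
			return res
		case "ip4", "ip6":
			if ipMatches(arg, ip) {
				return res
			}
		case "include":
			// Only a pass of the included policy matches; no record or a broken one is a permerror.
			switch CheckHost(ip, arg, lookup, depth+1) {
			case Pass:
				return res
			case None, PermError:
				return PermError
			}
		default:
			return PermError // mechanism not implemented in this example
		}
	}
	return Neutral // no term matched and no "all"
}

func main() {
	zone := map[string]string{ // constructed records
		"example.com":      "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
		"mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
	}
	lookup := func(d string) (string, bool) { r, ok := zone[d]; return r, ok }
	for _, client := range []string{"192.0.2.10", "198.51.100.7", "203.0.113.5"} {
		fmt.Printf("%-14s MAIL FROM example.com -> %s\n", client, CheckHost(net.ParseIP(client), "example.com", lookup, 0))
	}
}
```

With the constructed zone, 192.0.2.10 passes on the ip4 range, 198.51.100.7 passes through the include, and 203.0.113.5 reaches the trailing -all and fails. The "-all" versus "~all" choice is the policy decision: a domain that is not yet sure it has listed every legitimate sender publishes ~all so that receivers mark rather than reject, and tightens to -all once it is.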

Greylisting
• Whitelist maintained
• Other mail temporarily rejected
• Spammers might give up
• Mail delivery delayed
• Spammers will adapt
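
The greylisting policy on the slide as a small state machine, an added example that is not from the deck: a delivery attempt from a (client IP, envelope sender, envelope recipient) triplet that has never been seen gets a temporary SMTP rejection, a retry after a minimum delay is accepted and the triplet is whitelisted, and the whitelist is expired so it stays bounded. The triplet key, the 5-minute minimum delay and the 36-hour retention are assumptions of this example, and the clock is passed in so the behaviour can be tested without waiting.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Decision is what the SMTP server answers at RCPT TO.
type Decision int

const (
	Accept   Decision = iota // 250: deliver
	TempFail                 // 451: "try again later"; a real MTA retries, a fire-and-forget sender does not
)

// Reply renders the decision as the SMTP response line.
func (d Decision) Reply() string {
	if d == TempFail {
		return "451 4.7.1 Greylisted, please try again later"
	}
	return "250 2.1.5 OK"
}

// Greylister keeps the two tables the slide implies: triplets seen once and temporarily
// rejected, and the maintained whitelist of triplets that came back after the delay.
type Greylister struct {
	MinDelay  time.Duration        // earliest retry that counts as a real MTA backing off
	Retention time.Duration        // how long a whitelisted triplet stays accepted
	pending   map[string]time.Time // triplet -> first seen
	whitelist map[string]time.Time // triplet -> expiry
}

func NewGreylister(minDelay, retention time.Duration) *Greylister {
	return &Greylister{MinDelay: minDelay, Retention: retention,
		pending: map[string]time.Time{}, whitelist: map[string]time.Time{}}
}

// Check decides one delivery attempt at time now.
func (g *Greylister) Check(clientIP, from, to string, now time.Time) Decision {
	key := clientIP + "|" + strings.ToLower(from) + "|" + strings.ToLower(to)
	if exp, ok := g.whitelist[key]; ok && now.Before(exp) {
		g.whitelist[key] = now.Add(g.Retention) // known-good triplet: refresh and accept
		return Accept
	}
	first, seen := g.pending[key]
	switch {
	case !seen:
		g.pending[key] = now // never seen: reject once and remember when
		return TempFail
	case now.Sub(first) < g.MinDelay:
		return TempFail // retried too fast; a compliant MTA waits minutes before retrying
	}
	delete(g.pending, key) // came back after the delay: promote to the whitelist
	g.whitelist[key] = now.Add(g.Retention)
	return Accept
}

// Expire drops whitelist entries past their expiry and pending triplets that never
// retried; this is the "whitelist maintained" step, run periodically.
func (g *Greylister) Expire(now time.Time) {
	for k, exp := range g.whitelist {
		if !now.Before(exp) {
			delete(g.whitelist, k)
		}
	}
	for k, first := range g.pending {
		if now.Sub(first) > g.Retention {
			delete(g.pending, k)
		}
	}
}

func main() {
	g := NewGreylister(5*time.Minute, 36*time.Hour)
	t0 := time.Date(2006, 3, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	for _, dt := range []time.Duration{0, 1 * time.Minute, 15 * time.Minute, 16 * time.Minute} {
		d := g.Check("198.51.100.4", "alice@example.com", "bob@example.net", t0.Add(dt))
		fmt.Printf("t+%v: %s\n", dt, d.Reply())
	}
}
```

The sequence in main shows the slide's trade-off directly: the first attempt and a retry one minute later are both deferred, the retry at fifteen minutes is accepted and from then on the triplet passes immediately, so legitimate first contact pays a one-time delay. The "spammers will adapt" point shows up in the model too: a sender that simply retries after the delay is whitelisted like any other, so greylisting raises cost rather than providing a verdict, and belongs in front of a content filter rather than in place of one.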

The Hunt
• Contact info: URLs, email addresses
• WHOIS/DNS
• USENET: news.admin.net-abuse.email
• Databases: Spews.org, Spamhaus.org, OpenRBL.org

Legal Means
• Foreign spam, local companies
• One weak federal law
• 38 state laws (as of 2006)
• A few heuristics: forged headers, “ADV” subject line, misleading subject

Telecommunications Consumer Protection Act
• The TCPA (47 U.S.C. §227): “equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.”
• $500 or $1,500 fine per message
• Mark Reinertson v. Sears Roebuck: Michigan small claims

Telecommunications Consumer Protection Act
• ErieNet, Inc. v. VelocityNet, Inc.: US Court of Appeals, 3rd Circuit, No. 97-3562, September 25, 1998
• “it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” –Senator Hollings
• “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”
• 28 U.S.C. §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States.

The CAN-SPAM Act (15 U.S.C. §7702)
• Requirements: deceptive subjects, falsified headers, valid return address, opt-out
• Enforcement: FTC, states, ISPs
• Do-Not-Email List
• Bounty Hunters
• Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”
• Preemption

Virginia Laws
• The VA Computer Crimes Act (§18.2-152): forged headers; $10/message or $25,000/day; AOL and Verizon
• Verizon v. Ralsky: $37M
• AOL v. Moore: $10M
• 28 U.S.C. §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.

Pennsylvania Laws
• The Unsolicited Telecommunications Advertisement Act (73 §2250)
• Illegal activities: forged addresses, misleading information, lack of opt-out
• Only enforced by AG and ISPs: $10/message for ISPs; 10% from AG

Small Claims Court
• Court summons: $30-80
• Maximum claim: $8,000
• Winning by default because the spammer didn’t bother to show up: priceless

So you’ve won a judgment…
• Domesticate the judgment
• Summons to Answer Interrogatories
• Writ of Fieri Facias
• Garnishment Summons

Criminal Penalties: You’ve got jail!
• 1 year
• 3 years: $5,000 profit; >2,500 in 24 hours; >25,000 in a month; >250,000 in a year
• 5 years for second offense

Questions?