TRANSCRIPT
Suing Spammers for Fun and Profit
Serge Egelman
Background
Spam is over 50% of all mail
Fewer than 200 people are responsible for 80% of it
Statistics
Background
It’s cheap!
Wider audience
Profit guaranteed
Little work involved
Chart: cost comparison, Email $250 vs USPS $370,000 (axis $0 to $400,000)
Background
Address harvesting: web pages, forums, USENET
Dictionary attacks
Purchased lists
No way out
Profile of a Spammer
Alan Ralsky
20 computers, 190 servers
650,000 messages/hour
250 million addresses
$500 for every million messages
Convicted felon: 1992 securities fraud, 1994 insurance fraud
Technical Means
Text recognition
Black hole lists
Statistical modeling
Neural networks
Cryptography: digital signatures, payment schemes
Basic Asymmetric Cryptography
RSA
Pick two large primes, p and q
Find N = p * q
Let e be a number relatively prime to (p-1)*(q-1)
Find d so that d*e = 1 mod (p-1)*(q-1)
The pair (e, N) is the public key; the pair (d, N) is the private key
Encryption: C = M^e mod N
Decryption: M = C^d mod N
Basic Asymmetric Cryptography
d = e^-1 mod (p-1)(q-1), and N = p*q is known!
So d can be computed by anyone who knows p and q; recovering them from N is the factoring problem
But N is usually very large (1024 - 2048 bits)
RSA 1024-bit challenge:
135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563
309 digits, $100,000 prize
Asymmetric Cryptography Example
Digital Signature Example
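The two example slides above carry no text, so here is the RSA arithmetic from the preceding slides worked through in Python, followed by the sign/verify operation a digital signature adds on top of it. This is an added illustration, not code from the talk; the primes 61 and 53 are toy values chosen so that every intermediate number is visible, and the signature is the unpadded textbook form (a real system pads the digest and uses a 1024-bit or larger N).

```python
# RSA as on the slide, worked through with small primes so every number is
# visible, plus the sign/verify operation the digital-signature slide refers to.
# Added illustration, not code from the talk.  Toy-sized primes: a real key
# uses a 1024-bit or larger N and a padded message/digest.
import hashlib


def modinv(a, m):
    """Extended Euclid: the d with a*d = 1 (mod m), or ValueError if gcd(a, m) != 1."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("%d has no inverse mod %d" % (a, m))
    return old_s % m


def rsa_keygen(p, q, e=65537):
    """Return ((e, N), (d, N)): N = p*q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    N = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)          # raises if e is not relatively prime to (p-1)(q-1)
    return (e, N), (d, N)


def rsa_encrypt(M, public_key):
    """C = M^e mod N.  M must already be an integer below N."""
    e, N = public_key
    if not 0 <= M < N:
        raise ValueError("message must be an integer in [0, N)")
    return pow(M, e, N)


def rsa_decrypt(C, private_key):
    """M = C^d mod N."""
    d, N = private_key
    return pow(C, d, N)


def rsa_sign(message, private_key):
    """Textbook signature: hash the message and apply the private exponent.
    No PKCS#1 padding here, so do not copy this shape into production code."""
    d, N = private_key
    h = int.from_bytes(hashlib.sha1(message).digest(), "big") % N
    return pow(h, d, N)


def rsa_verify(message, signature, public_key):
    """Anyone holding (e, N) can check: signature^e mod N must equal the hash."""
    e, N = public_key
    h = int.from_bytes(hashlib.sha1(message).digest(), "big") % N
    return pow(signature, e, N) == h


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)     # N = 3233, (p-1)(q-1) = 3120, d = 2753
    C = rsa_encrypt(65, pub)
    print("public", pub, "private", priv, "C =", C, "M =", rsa_decrypt(C, priv))
    sig = rsa_sign(b"I did not send that spam", priv)
    print("valid:", rsa_verify(b"I did not send that spam", sig, pub))
```

With p = 61 and q = 53 the public key is (17, 3233) and d comes out as 2753; encrypting M = 65 gives C = 2790, and decrypting 2790 returns 65. Flipping a single value of the signature makes verification fail, which is the property DomainKeys relies on when it signs mail headers.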
DomainKeys
Asymmetric cryptography
Verified sender
Modified SMTP server
Additional DNS records
SpamAssassin
Multiple tests (around 300)
Statistical modeling
Scoring
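The technical-means and SpamAssassin slides above describe several kinds of test whose scores are summed against a threshold. The following Python is an added illustration of that design, not SpamAssassin's own code: three regex rules, a black hole list lookup (the list is a constructed set standing in for a real DNSBL zone, and the query-name construction is shown separately), and a small naive-Bayes token model trained on a constructed corpus. Rule names, scores, the threshold of 5.0 and the training messages are all assumptions made for the example.

```python
# SpamAssassin-style scoring: several independent tests, each with a score,
# summed against a threshold.  Added illustration for this talk; not
# SpamAssassin's code.  Rule names, scores, the black hole list and the
# Bayesian training corpus are all constructed for the example.
import math
import re

REQUIRED = 5.0   # the required=5.0 threshold seen in an X-Spam-Status header

# Regex rules as (name, pattern, score).  Constructed, not SpamAssassin's rule set.
RULES = [
    ("SUBJ_ADV", re.compile(r"^Subject:\s*ADV\b", re.M | re.I), 2.0),
    ("MONEY_AMOUNT", re.compile(r"\$\d{1,3}(?:,\d{3})+"), 1.0),
    ("URGENT_ACT_NOW", re.compile(r"\bact now\b", re.I), 1.5),
]

# Constructed stand-in for a DNS black hole list zone.
DNSBL_ZONE = "bl.example"
DNSBL_LISTED = {"203.0.113.9"}

# Constructed training corpora for the statistical (Bayesian) test.
SPAM_TRAIN = ["cheap viagra act now", "free money guaranteed profit",
              "cheap cheap offer click now"]
HAM_TRAIN = ["meeting tomorrow about the project", "lunch at noon with the team",
             "project report attached"]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """A DNSBL is queried by reversing the IP's octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip):
    """Stand-in for resolving dnsbl_query_name(ip): listed IPs would return an A record."""
    return ip in DNSBL_LISTED


def tokenize(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def train(spam_msgs, ham_msgs):
    """Count in how many spam/ham messages each token appears."""
    counts = {"spam": {}, "ham": {}}
    for label, msgs in (("spam", spam_msgs), ("ham", ham_msgs)):
        for msg in msgs:
            for tok in tokenize(msg):
                counts[label][tok] = counts[label].get(tok, 0) + 1
    return {"counts": counts, "n_spam": len(spam_msgs), "n_ham": len(ham_msgs)}


def bayes_prob(model, text):
    """P(spam | tokens) under naive Bayes with add-one smoothing, computed in log space."""
    c, n_spam, n_ham = model["counts"], model["n_spam"], model["n_ham"]
    log_spam = math.log(n_spam / (n_spam + n_ham))
    log_ham = math.log(n_ham / (n_spam + n_ham))
    for tok in tokenize(text):
        log_spam += math.log((c["spam"].get(tok, 0) + 1) / (n_spam + 2))
        log_ham += math.log((c["ham"].get(tok, 0) + 1) / (n_ham + 2))
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def score_message(message, client_ip, model):
    """Run every test, sum the scores, and render an X-Spam-Status header."""
    hits = [(name, score) for name, pat, score in RULES if pat.search(message)]
    if dnsbl_listed(client_ip):
        hits.append(("RCVD_IN_BL", 3.0))
    p = bayes_prob(model, message)
    if p >= 0.95:
        hits.append(("BAYES_95", 3.0))
    elif p <= 0.05:
        hits.append(("BAYES_00", -2.5))      # strong ham evidence pulls the score down
    total = sum(s for _, s in hits)
    verdict = "Yes" if total >= REQUIRED else "No"
    header = "X-Spam-Status: %s, hits=%.1f required=%.1f tests=%s" % (
        verdict, total, REQUIRED, ",".join(n for n, _ in hits) or "none")
    return total, header


if __name__ == "__main__":
    model = train(SPAM_TRAIN, HAM_TRAIN)
    spam = "Subject: ADV cheap offer\n\nAct now for guaranteed profit, only $1,000,000 cheap money"
    ham = "Subject: project report\n\nMeeting tomorrow about the project, report attached"
    print(score_message(spam, "203.0.113.9", model)[1])
    print(score_message(ham, "198.51.100.7", model)[1])
```

The point of summing many weak tests is that no single one has to be reliable: the constructed spam message trips three regex rules, the list lookup and the Bayes test for a total of 10.5, while the constructed ham message trips nothing and the Bayes test subtracts 2.5, producing a header of the same shape as the one in the example that follows.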
Example
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE+tjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton <[email protected]>
Reply-To: Matthew Eaton <[email protected]>
To: [email protected]
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
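To show what a receiving server does with a header like the one above, here is an added Python illustration (not the talk's code) that unfolds the headers, parses the tag=value list, derives the DNS name at which the signer publishes its public key, and builds the "nofws" canonical form that is hashed and then checked against the b= value with the signer's RSA key. The message is constructed for the example: the addresses are placeholders, the b= value is a made-up stand-in rather than a real signature, and the nofws routine is a simplified rendering of the DomainKeys canonicalization.

```python
# Reading a DomainKeys signature header: unfold the headers, parse the tags,
# derive the key's DNS name, and build the 'nofws' canonical form that gets
# hashed and RSA-verified.  Added illustration, not the talk's code.  The
# message is constructed: placeholder addresses and a made-up b= value.
import re

SAMPLE = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;\r\n"
    "\th=from:to:subject;\r\n"
    "\tb=MADEUPSIGNATUREVALUE=\r\n"
    "From: Alice Example <alice@example.com>\r\n"
    "To: bob@example.org\r\n"
    "Subject: test from gmail\r\n"
    "\r\n"
    "Hello,  world \r\n"
    "\r\n"
)


def split_message(raw):
    """Return (unfolded [(name, value)] headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:        # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def parse_tags(value):
    """'a=rsa-sha1; q=dns; ...' -> {'a': 'rsa-sha1', 'q': 'dns', ...}."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())       # whitespace inside b= is folding noise
    return tags


def key_record_name(tags):
    """DomainKeys publishes the public key in DNS at <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def nofws(text):
    """Simplified 'nofws': drop every space/tab in each line and any trailing empty
    lines, so an MTA that re-folds headers or re-wraps the body does not break the hash."""
    lines = [re.sub(r"[ \t]+", "", line) for line in text.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def signed_headers(headers, tags):
    """Select the headers named in h=, in that order (simplified: first instance of each)."""
    lookup = {}
    for name, value in headers:
        lookup.setdefault(name.lower(), []).append(value)
    return ["%s: %s" % (name, lookup[name.lower()][0])
            for name in tags["h"].split(":") if name.lower() in lookup]


def canonical_input(raw):
    """Return (tags, the canonical text whose SHA-1 the signer signed with its RSA key)."""
    headers, body = split_message(raw)
    sig_value = dict((n.lower(), v) for n, v in headers)["domainkey-signature"]
    tags = parse_tags(sig_value)
    hdr_block = "\r\n".join(signed_headers(headers, tags)) + "\r\n"
    return tags, nofws(hdr_block) + "\r\n" + nofws(body)
```

The verifier fetches the key from the name key_record_name() returns (q=dns), hashes the output of canonical_input() with the algorithm named in a=, and RSA-verifies that digest against b=. Only the headers listed in h= are protected, so a header outside that list can be altered in transit without invalidating the signature.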
Sender Policy Framework
Prevents forgery of the envelope sender domain
Requires a DNS record listing the domain's authorized sending hosts
Recipient checks that the connecting host is authorized by the sender's domain
Open standard
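The check the receiving side performs is small enough to show in full. The Python below is an added illustration of SPF evaluation, not the talk's code and not a complete implementation of the later RFC 7208: it handles the ip4/ip6, a, mx, include and all mechanisms with their qualifiers, and DNS is replaced by a constructed table for the example.com and example.net zones so the code runs offline. Note the caveat a practitioner cares about: SPF is evaluated against the envelope sender (MAIL FROM) and the connecting IP, not the From: header a user sees, and plain forwarding of a message moves it to an IP the original domain never authorized.

```python
# A minimal SPF evaluator, added to illustrate the slide above; not the talk's
# code and not a complete RFC 7208 implementation.  DNS is replaced by a
# constructed table (example.com / example.net zones) so it runs offline.
import ipaddress

# Constructed zone data standing in for TXT, A and MX answers.
DNS = {
    "txt": {"example.com": "v=spf1 ip4:192.0.2.0/24 a mx -all",
            "example.net": "v=spf1 include:example.com ~all"},
    "a":   {"example.com": ["198.51.100.5"], "mail.example.com": ["203.0.113.9"]},
    "mx":  {"example.com": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=DNS, depth=0):
    """Evaluate the envelope-sender domain's SPF record against the connecting IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # cap include: recursion, as the RFC does
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv6 client never matches an ip4 network (and vice versa)
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        elif name == "include":
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.200", "example.com"),
                    ("203.0.113.200", "example.net"), ("192.0.2.77", "nospf.example")]:
        print(ip, dom, check_spf(ip, dom))
```

A forged message claiming to be from example.com but delivered from 203.0.113.200 gets "fail" because the record ends in -all; the same host is only "softfail" for example.net, whose ~all leaves the decision to the receiver's scoring. A domain with no record at all yields "none", which is why SPF only helps once senders actually publish records.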
Graylisting
Whitelist maintained
Other mail temporarily rejected
Spammers might give up
Mail delivery delayed
Spammers will adapt
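The slide's mechanism reduces to a decision on each delivery attempt. The Python below is an added illustration, not the talk's code: it keys on the (client IP, envelope sender, recipient) triplet that the common greylisting implementations use, answers with a temporary SMTP rejection the first time a triplet appears, accepts once a retry arrives after the minimum delay, and forgets triplets that never come back. The retry and expiry periods are constructed defaults, and the clock is injectable so the behaviour can be exercised without actually waiting.

```python
# Greylisting as a decision function over the (client IP, envelope sender,
# recipient) triplet that most implementations key on.  Added illustration of
# the slide above, not the talk's code; timings are constructed defaults and
# the clock is injectable so the behaviour can be exercised without waiting.
import time

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, retry_min=300, expire_unseen=4 * 3600,
                 expire_known=36 * 24 * 3600, clock=time.time):
        self.retry_min = retry_min            # a new triplet must wait this long
        self.expire_unseen = expire_unseen    # forget triplets that never retried
        self.expire_known = expire_known      # forget whitelisted triplets left idle
        self.clock = clock
        self.triplets = {}                    # key -> (first_seen, last_seen, passed)

    def decide(self, client_ip, sender, recipient):
        """Return the SMTP reply the server should give for this delivery attempt."""
        now = self.clock()
        self._expire(now)
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)
        if entry is None:                     # never seen: reject temporarily
            self.triplets[key] = (now, now, False)
            return TEMPFAIL
        first, _last, passed = entry
        if passed or now - first >= self.retry_min:
            self.triplets[key] = (first, now, True)   # a real MTA queued and came back
            return ACCEPT
        self.triplets[key] = (first, now, False)      # retried too soon
        return TEMPFAIL

    def _expire(self, now):
        for key, (_first, last, passed) in list(self.triplets.items()):
            limit = self.expire_known if passed else self.expire_unseen
            if now - last > limit:
                del self.triplets[key]


if __name__ == "__main__":
    g = Greylist()
    print(g.decide("203.0.113.5", "bulk@example.net", "alice@example.com"))  # first contact
    print(g.decide("203.0.113.5", "bulk@example.net", "alice@example.com"))  # immediate retry
```

The cost the slide names ("mail delivery delayed") is visible in the state machine: legitimate first contact always pays one retry interval. The adaptation the slide predicts is equally visible, because a spammer whose software simply retries after retry_min is indistinguishable from a real MTA.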
The Hunt
Contact info: URLs, email addresses
WHOIS/DNS
USENET: news.admin.net-abuse.email
Databases: Spews.org, Spamhaus.org, OpenRBL.org
Legal Means
Foreign spam, local companies
One weak federal law
35 state laws (as of 2003)
Two types: laws against forged headers, and laws requiring an “ADV” subject-line label
Telephone Consumer Protection Act
The TCPA (47 U.S.C. §227) defines a telephone facsimile machine as "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper."
Statutory damages of $500 per message, up to $1,500 per message if the violation was willful
Mark Reinertson v. Sears Roebuck (Michigan small claims)
Telephone Consumer Protection Act
ErieNet, Inc. v. VelocityNet, Inc.
US Court of Appeals, 3rd Circuit, No. 97-3562, September 25, 1998
“it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” –Senator Hollings
“The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”
28 U.S.C. §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States
Holding: §1331 does not give federal courts jurisdiction over private TCPA suits; they belong in state court, which is why small claims is the venue
The CAN-SPAM Act (15 U.S.C. §7702)
Requirements: no deceptive subject lines, no falsified headers, a valid return address, a working opt-out
Enforcement: FTC, states, ISPs
Do-Not-Email list
Bounty hunters
Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”
Preemption
Virginia Laws
The VA Computer Crimes Act (Va. Code §18.2-152)
Forged headers: $10/message or $25,000/day
Used by AOL and Verizon
Verizon v. Ralsky: $37M
AOL v. Moore: $10M
28 U.S.C. §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.
Pennsylvania Laws
The Unsolicited Telecommunications Advertisement Act (73 P.S. §2250)
Illegal: forged addresses, misleading information, lack of opt-out
Only enforced by the AG and ISPs
$10/message for ISPs
10% from AG
Small Claims Court
Court summons: $30-80
Maximum claim: $8,000
Winning by default because the spammer didn’t bother to show up: Priceless
So you’ve won a judgment…
Domesticate the judgment
Summons to answer interrogatories
Writ of fieri facias
Garnishment summons
Criminal Penalties
You’ve got jail!
Up to 1 year
Up to 3 years if any of:
$5,000 in profit
more than 2,500 messages in 24 hours
more than 25,000 in a month
more than 250,000 in a year
Up to 5 years for a second offense
Questions?