
Suing Spammers for Fun and Profit


Presentation Transcript


  1. Suing Spammers for Fun and Profit Serge Egelman

  2. Background • Over 50% of all mail • Less than 200 people responsible for 80%

  3. Statistics

  4. Statistics

  5. Background • It’s cheap! • Wider audience • Profit guaranteed • Little work involved

  6. Background • Address harvesting • Web pages • Forums • USENET • Dictionary attacks • Purchased lists • No way out

  7. Profile of a Spammer • Alan Ralsky • 20 Computers • 190 Servers • 650,000 messages/hour • 250 million addresses • $500 for every million messages • Convicted Felon • 1992 Securities fraud • 1994 Insurance fraud

  8. Technical Means • Text recognition • Black hole lists • Statistical modeling • Neural networks • Cryptography • Digital signatures • Payment schemes

  9. Basic Asymmetric Cryptography • RSA • Pick two large primes, p and q • Find N = p * q • Let e be a number relatively prime to (p-1)*(q-1) • Find d, so that d*e = 1 mod (p-1)*(q-1) • The set (e, N) is the public key. • The set (d, N) is the private key. • Encryption: C = M^e mod N • Decryption: M = C^d mod N

  10. Basic Asymmetric Cryptography • d = e^-1 mod (p-1)(q-1) • N = p*q is known! (so d could be recovered by factoring N) • But N is usually very large (1024 - 2048 bits) • RSA 1024 bit challenge: • 135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563 • 309 digits • $100,000 prize

  11. Asymmetric Cryptography Example

  12. Digital Signature Example
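Slides 9 through 12 describe RSA key generation, encryption and decryption, and then a digital signature, but the worked examples on slides 11 and 12 survive only as titles. The following is an added example, not the presenter's code: textbook RSA in the slides' own notation (p, q, N, e, d, M, C), with the modular inverse computed by the extended Euclidean algorithm, plus the hash-then-sign step that turns the same key pair into a signature. The primes, exponent and messages are demonstration-size choices; unpadded RSA like this illustrates the arithmetic only.

```python
import hashlib
from math import gcd

# Added example (not from the presentation): RSA in the slides' notation.
# Demonstration parameters only; real keys use 2048-bit N and padding.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, phi):
    """d with d*e == 1 (mod phi), i.e. the slide's d = e^-1 mod (p-1)(q-1)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return x % phi


def keygen(p, q, e):
    """Return ((e, N), (d, N)): public and private key from two primes and e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (modinv(e, phi), n)


def encrypt(m, pub):
    """C = M^e mod N (M must be an integer smaller than N)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than N")
    return pow(m, e, n)


def decrypt(c, priv):
    """M = C^d mod N."""
    d, n = priv
    return pow(c, d, n)


def _digest_mod_n(message, n):
    """Hash the message first; the signature is computed over the digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, priv):
    """Signature = H(M)^d mod N: the private exponent applied to the digest."""
    d, n = priv
    return pow(_digest_mod_n(message, n), d, n)


def verify(message, sig, pub):
    """Anyone holding (e, N) checks sig^e mod N == H(M)."""
    e, n = pub
    return pow(sig, e, n) == _digest_mod_n(message, n)


def demo():
    """The classic small example: p=61, q=53 gives N=3233, e=17, d=2753."""
    pub, priv = keygen(61, 53, 17)
    c = encrypt(65, pub)       # 2790
    m = decrypt(c, priv)       # 65 again
    return pub, priv, c, m


if __name__ == "__main__":
    pub, priv, c, m = demo()
    print("public", pub, "private", priv, "C =", c, "M =", m)
    # Signature round trip with larger (Mersenne) primes so the digest is not
    # reduced to almost nothing by a tiny N.
    pub2, priv2 = keygen(2147483647, 2305843009213693951, 65537)
    sig = sign(b"test from gmail", priv2)
    print("verify genuine:", verify(b"test from gmail", sig, pub2))
    print("verify tampered:", verify(b"test from gmai1", sig, pub2))
```

With N only 3233, any message has to be a number below N, which is why real systems hash first and why the signature demo switches to larger primes: a verifier compares the recovered digest with its own hash of the message, so changing a single byte breaks the check.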

  13. DomainKeys • Asymmetric cryptography • Verified sender • Modified SMTP server • Additional DNS records

  14. SpamAssassin • Multiple tests • Around 300 • Statistical modeling • Scoring

  15. Example
      DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE
        tjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
      From: Matthew Eaton <mattheweaton@gmail.com>
      Reply-To: Matthew Eaton <mattheweaton@gmail.com>
      To: serge@guanotronic.com
      Subject: test from gmail
      X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
      X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
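Slides 13 to 15 show a DomainKeys-signed message that SpamAssassin has also scored, without saying how a receiver reads those headers. The following is an added example, not code from the presentation: it unfolds the slide's header block, splits the DomainKey-Signature tag list, derives the DNS name at which the sender's public key is published (selector._domainkey.domain, which is what q=dns means), measures the signature, and parses the X-Spam-Status verdict. The header text is copied from the slide; only the function names are this example's own. It does not fetch the key or check the signature, since that needs the DNS record.

```python
import base64
import re

# Header block from slide 15 of the presentation. The slide's "+" marks were
# line-wrap markers; here the long lines are folded with leading whitespace,
# which is how a real message carries a long DomainKey-Signature.
RAW_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE
  tjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton <mattheweaton@gmail.com>
Reply-To: Matthew Eaton <mattheweaton@gmail.com>
To: serge@guanotronic.com
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
"""


def parse_headers(raw):
    """Unfold continuation lines and return {name: value} (names lower-cased)."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()        # folded continuation
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def parse_domainkey_signature(value):
    """Split the tag=value list; 'h' becomes a list, 'b' loses folding whitespace."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        tags[key.strip()] = val.strip()
    if "h" in tags:
        tags["h"] = re.sub(r"\s+", "", tags["h"]).split(":")
    if "b" in tags:
        tags["b"] = re.sub(r"\s+", "", tags["b"])
    return tags


def domainkey_record_name(tags):
    """TXT record the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signature_bits(tags):
    """Raw signature length in bits; an rsa-sha1 signature equals the key size."""
    return len(base64.b64decode(tags["b"])) * 8


def parse_spam_status(value):
    """X-Spam-Status: 'Yes|No, hits=<score> required=<threshold> tests=A,B ...'."""
    m = re.match(r"^(Yes|No),\s*(.*)$", value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status line")
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    tests = fields.get("tests", "")
    return {
        "spam": m.group(1) == "Yes",
        "score": float(fields["hits"]),
        "required": float(fields["required"]),
        "tests": tests.split(",") if tests else [],
        "version": fields.get("version"),
    }


def analyse(raw=RAW_HEADERS):
    """One dict with the key location, signed headers, signature size and verdict."""
    headers = parse_headers(raw)
    tags = parse_domainkey_signature(headers["domainkey-signature"])
    status = parse_spam_status(headers["x-spam-status"])
    return {
        "key_record": domainkey_record_name(tags),
        "algorithm": tags["a"],
        "canonicalization": tags["c"],
        "signed_headers": tags["h"],
        "signature_bits": signature_bits(tags),
        "spam": status["spam"],
        "score": status["score"],
        "required": status["required"],
        "tests": status["tests"],
        "below_threshold": status["score"] < status["required"],
    }


if __name__ == "__main__":
    for key, val in analyse().items():
        print(f"{key}: {val}")
```

Two things the parsed output makes concrete: the h= list is exactly the set of headers covered by the signature, so anything outside it (the X-Spam-* lines, for instance) can be altered without invalidating it; and the 1024-bit signature size is what slide 10 is talking about when it calls that key length "usually very large".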

  16. Sender Policy Framework • Prevents forgery • Requires DNS record • Recipient confirms sender • Open standard

  17. Graylisting • Whitelist maintained • Other mail temporarily rejected • Spammers might give up • Mail delivery delayed • Spammers will adapt
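Slide 17 lists the moving parts of graylisting without showing the decision logic. The following is an added example, not the presenter's code: a minimal graylisting policy keyed on the usual (client IP, envelope sender, recipient) triplet, with a maintained whitelist that bypasses it, a temporary rejection on first contact, a minimum retry delay, and expiry of attempts that never come back. The timings, names and the simulated sender are this example's own assumptions; 451 and 250 are the SMTP reply codes a real MTA would use.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Added example (not from the presentation): greylisting decision logic.
TEMPFAIL = 451   # "try again later"; a well-behaved MTA queues and retries
ACCEPT = 250     # message accepted for delivery


@dataclass
class Greylist:
    min_delay: float = 300.0              # seconds a sender must wait before retrying
    pending_ttl: float = 4 * 3600.0       # forget a first attempt that never retries
    known_ttl: float = 36 * 24 * 3600.0   # how long a proven triplet stays accepted
    whitelist: set = field(default_factory=set)   # IPs or sender domains never delayed
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: dict = field(default_factory=dict)     # triplet -> last-seen time
    clock: Callable[[], float] = time.time        # injectable for testing

    def decide(self, client_ip, mail_from, rcpt_to):
        now = self.clock()
        sender_domain = mail_from.rpartition("@")[2].lower()
        # 1. Maintained whitelist: trusted relays and partner domains skip the delay.
        if client_ip in self.whitelist or sender_domain in self.whitelist:
            return ACCEPT
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        # 2. A triplet that already proved it retries is accepted at once.
        last = self.known.get(triplet)
        if last is not None and now - last <= self.known_ttl:
            self.known[triplet] = now
            return ACCEPT
        # 3. First contact (or a stale one): record it and temporarily reject.
        first = self.pending.get(triplet)
        if first is None or now - first > self.pending_ttl:
            self.pending[triplet] = now
            return TEMPFAIL
        # 4. Retrying too soon still waits; fire-and-forget senders never get here.
        if now - first < self.min_delay:
            return TEMPFAIL
        # 5. A proper retry is promoted to known-good: delivery delayed, not lost.
        del self.pending[triplet]
        self.known[triplet] = now
        return ACCEPT


def simulate():
    """Walk one unknown sender and one whitelisted sender through the policy
    with a fake clock; returns the list of reply codes in order."""
    now = [0.0]
    gl = Greylist(whitelist={"partner.example"}, clock=lambda: now[0])
    unknown = ("203.0.113.5", "news@bulkmail.example", "user@example.net")
    replies = [gl.decide(*unknown)]        # first contact -> 451
    now[0] += 60
    replies.append(gl.decide(*unknown))    # retry after 60 s -> still 451
    now[0] += 300
    replies.append(gl.decide(*unknown))    # retry after 360 s -> 250
    replies.append(gl.decide(*unknown))    # known triplet -> 250 immediately
    replies.append(gl.decide("198.51.100.7", "alice@partner.example", "user@example.net"))  # whitelisted -> 250
    return replies


if __name__ == "__main__":
    print(simulate())
```

The simulation shows both sides of the slide's last two bullets: legitimate mail from an unknown triplet is delayed by at least min_delay, and any sender that simply retries is let through, which is why graylisting only stops software that never queues and why an operator keeps the whitelist for relays whose retry behaviour is known.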

  18. The Hunt • Contact Info • URLs • Email Addresses • WHOIS/DNS • USENET • news.admin.net-abuse.email • Databases: • Spews.org • Spamhaus.org • OpenRBL.org

  19. Legal Means • Foreign spam, local companies • One weak federal law • 35 State laws (as of 2003) • Two types: • Forged headers • “ADV” subject line

  20. Telecommunications Consumer Protection Act • The TCPA (47 U.S.C. §227): • “equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.” • $500 or $1500 fine per message • Mark Reinertson v. Sears Roebuck • Michigan small claims

  21. Telecommunications Consumer Protection Act • ErieNet, Inc. v. VelocityNet, Inc. • US Court of Appeals, 3rd Circuit, No. 97-3562 • September 25, 1998 • “it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” – Senator Hollings • “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.” • 28 U.S.C. §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States

  22. The CAN-SPAM Act (15 U.S.C. §7702) • Requirements: • Deceptive Subjects • Falsified Headers • Valid Return Address • Opt-Out • Enforcement: • FTC • States • ISPs • Do-Not-Email List • Bounty Hunters • Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.” • Preemption

  23. Virginia Laws • The VA Computer Crimes Act (§18.2-152) • Forged headers • $10/message or $25,000/day • AOL and Verizon • Verizon v. Ralsky: $37M • AOL v. Moore: $10M • 28 U.S.C. §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.

  24. Pennsylvania Laws • The Unsolicited Telecommunications Advertisement Act (73 §2250) • Illegal activities: • Forged addresses • Misleading information • Lack of opt-out • Only enforced by AG and ISPs • $10/message for ISPs • 10% from AG

  25. Small Claims Court • Court summons: $30-80 • Maximum claim: $8000 • Winning by default because the spammer didn’t bother to show up: Priceless

  26. So you’ve won a judgment… • Domesticate the judgment • Summons to Answer Interrogatories • Writ of Fieri Facias • Garnishment Summons

  27. Criminal Penalties • You’ve got jail! • 1 year • 3 years: • $5,000 profit • >2,500 in 24 hours • >25,000 in a month • >250,000 in a year • 5 years for second offense

  28. Questions?
