Suing Spammers for Fun and Profit

# Suing Spammers for Fun and Profit

Télécharger la présentation

## Suing Spammers for Fun and Profit

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Suing Spammers for Fun and Profit Serge Egelman

2. Background • Over 50% of all mail • Less than 200 people responsible for 80%

3. Statistics

4. Statistics

5. Background • It’s cheap! • Wider audience • Profit guaranteed • Little work involved

6. Background • Address harvesting • Web pages • Forums • USENET • Dictionary attacks • Purchased lists • No way out

7. Profile of a Spammer • Alan Ralsky • 20 Computers • 190 Servers • 650,000 messages/hour • 250 millions addresses • \$500 for every million messages • Convicted Felon • 1992 Securities fraud • 1994 Insurance fraud

8. Technical Means • Text recognition • Black hole lists • Statistical modeling • Neural networks • Cryptography • Digital signatures • Payment schemes

9. Basic Asymmetric Cryptography • RSA • Pick two large primes, p and q • Find N = p * q • Let e be a number relatively prime to (p-1)*(q-1) • Find d, so that d*e = 1 mod (p-1)*(q-1) • The set (e, N) is the public key. • The set (d, N) is the private key. • Encryption: • C = Me mod N • Decryption: • M = Cd mod N

10. Basic Asymmetric Cryptography • d = e-1 mod (p-1)(q-1) • N = p*q is known! • But usually very large (1024 - 2048 bits) • RSA 1024 bit challenge: • 135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563 • 309 digits • \$100,000 prize

11. Asymmetric Cryptography Example

12. Digital Signature Example

13. DomainKeys • Asymmetric cryptography • Verified sender • Modified SMTP server • Additional DNS records

14. SpamAssassin • Multiple tests • Around 300 • Statistical modeling • Scoring

15. Example DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; +h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-tr +ansfer-encoding; +b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALE +tjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4= From: Matthew Eaton <mattheweaton@gmail.com> Reply-To: Matthew Eaton <mattheweaton@gmail.com> To: serge@guanotronic.com Subject: test from gmail X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus

16. Sender Policy Framework • Prevents forgery • Requires DNS record • Recipient confirms sender • Open standard

17. Graylisting • Whitelist maintained • Other mail temporarily rejected • Spammers might give up • Mail delivery delayed • Spammers will adapt

18. The Hunt • Contact Info • URLs • Email Addresses • WHOIS/DNS • USENET • news.admin.net-abuse.email • Databases: • Spews.org • Spamhaus.org • OpenRBL.org

19. Legal Means • Foreign spam, local companies • One weak federal law • 35 State laws (as of 2003) • Two types: • Forged headers • “ADV” subject line

20. Telecommunications Consumer Protection Act • The TCPA (U.S.C 47 §227): • "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.“ • \$500 or \$1500 fine per message • Mark Reinertson v. Sears Roebuck • Michigan small claims

21. Telecommunications Consumer Protection Act • ErieNet, Inc. v. VelocityNet, Inc. • US Court of Appeals, 3rd Circuit, No. 97-3562 • September 25, 1998 • “it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” –Senator Hollings • “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.” • U.S.C. 28 §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States

22. The CAN-SPAM Act15 U.S.C. §7702 • Requirements: • Deceptive Subjects • Falsified Headers • Valid Return Address • Opt-Out • Enforcement: • FTC • States • ISPs • Do-Not-Email List • Bounty Hunters • Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.” • Preemption

23. Virginia Laws • The VA Computer Crimes Act (18.2-§152) • Forged headers • \$10/message or \$25,000/day • AOL and Verizon • Verizon v. Ralsky: \$37M • AOL v. Moore: \$10M • U.S.C. 28 §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of \$75,000, exclusive of interest and costs, and is between citizens of different States.

24. Pennsylvania Laws • The Unsolicited Telecommunications Advertisement Act (73 §2250) • Illegal activities: • Forged addresses • Misleading information • Lack of opt-out • Only enforced by AG and ISPs • \$10/message for ISPs • 10% from AG

25. Small Claims Court • Court summons: \$30-80 • Maximum claim: \$8000 • Winning by default because the spammer didn’t bother to show up: Priceless

26. So you’ve won a judgment… • Domesticate the judgment • Summons to Answer Interrogatories • Writ of Fieri Facias • Garnishment Summons

27. Criminal Penalties • You’ve got jail! • 1 year • 3 years: • \$5,000 profit • >2,500 in 24 hours • >25,000 in a month • >250,000 in a year • 5 years for second offense

28. Questions?