Suing Spammers for Fun and Profit
Serge Egelman, CMU Usable Privacy and Security Laboratory
“Two years from now, spam will be solved” - Bill Gates, February 24th, 2004
Background
- Spam is over 80% of all mail (2006 MAAWG report)
- Fewer than 200 spammers are responsible for 80% of it (according to Spamhaus.org)
Statistics (two chart slides; the charts are not reproduced here)
Background: why spam?
- It's cheap!
- Wider audience
- Profit guaranteed
- Little work involved
Background: address harvesting
- Web pages
- Forums
- USENET
- Dictionary attacks (guessing common local parts at a known domain)
- Purchased lists
- No way out: once an address is harvested it stays on the lists
Profile of a Spammer: Alan Ralsky
- 20 computers at home
- 190 servers around the world
- 650,000 messages/hour
- 250 million addresses
- $500 for every million messages. Do the math!
- Convicted felon: 1992 securities fraud; 1994 insurance fraud; 2008 stock fraud indictment
Technical Means
- Text recognition: keywords, statistical modeling
- Black hole lists
- Greylisting
- Cryptography: digital signatures
- Payment schemes
Asymmetric Cryptography Example (diagram not reproduced)
Digital Signature Example (diagram not reproduced)
DomainKeys
- Asymmetric cryptography: the sending domain signs selected headers (and the body) with its private key
- Verified sender: what gets verified is the signing domain, not the human author; a spammer can still sign mail for a domain it controls
- Modified SMTP server: the sending MTA signs, the receiving MTA verifies
- Additional DNS records: the public key is published in a TXT record at <selector>._domainkey.<domain> (for s=beta; d=gmail.com that is beta._domainkey.gmail.com)
- DomainKeys was later standardized, with changes, as DKIM (RFC 4871)
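To make the "Digital Signature Example" and the DomainKeys slide concrete, here is a signer and verifier in the DomainKeys shape: SHA-1 over the headers named in h=, RSA on the digest, and the public key found under <selector>._domainkey.<domain>. This is an added example and not the slides' or any DomainKeys implementation's code. It assumes textbook RSA with no PKCS#1 padding, a toy Miller-Rabin key generator, a simplified "nofws" canonicalization (all whitespace stripped from the listed header values, body ignored), and a dict standing in for DNS; the domain, selector and addresses are invented.

```python
"""DomainKeys-style signing: RSA-SHA1 over the headers listed in h=, public key
looked up at <selector>._domainkey.<domain>.  Added example; toy crypto only."""
import base64
import hashlib
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); e = 65537 is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def canonicalize(headers, names):
    """Simplified nofws: header names lower-cased, all whitespace dropped from values."""
    return "\n".join(name.lower() + ":" + "".join(headers.get(name, "").split())
                     for name in names).encode()


def _digest(headers, names):
    return int.from_bytes(hashlib.sha1(canonicalize(headers, names)).digest(), "big")


def sign(headers, names, selector, domain, private_key):
    """Build the DomainKey-Signature value (a=, q=, c=, s=, d=, h=, b=). Textbook RSA, no padding."""
    n, d = private_key
    sig = pow(_digest(headers, names), d, n)
    b = base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    return "a=rsa-sha1; q=dns; c=nofws; s=%s; d=%s; h=%s; b=%s" % (
        selector, domain, ":".join(names), b)


def parse_tags(value):
    """Split 'k=v; k=v' into a dict; whitespace inside folded values (b=) is dropped."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())
    return tags


def verify(headers, dns):
    """Recompute the digest over h= and compare with b= using the key at s._domainkey.d."""
    tags = parse_tags(headers["DomainKey-Signature"])
    key = dns.get("%s._domainkey.%s" % (tags["s"], tags["d"]))   # the DNS TXT lookup
    if key is None or tags.get("a") != "rsa-sha1":
        return False
    n, e = key
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return pow(sig, e, n) == _digest(headers, tags["h"].split(":"))


def demo():
    """Sign a constructed message, verify it, then verify a tampered copy."""
    random.seed(7)                                   # reproducible demo key only
    public, private = generate_keypair(1024)
    dns = {"beta._domainkey.example.com": public}    # stands in for the TXT record
    names = ["from", "to", "subject"]
    msg = {"from": "alice@example.com", "to": "bob@example.net", "subject": "test"}
    msg["DomainKey-Signature"] = sign(msg, names, "beta", "example.com", private)
    tampered = dict(msg, subject="Buy now!")         # changed after signing
    return verify(msg, dns), verify(tampered, dns)   # (True, False)
```

Note what the verifier does and does not learn: a valid signature proves the message passed through a server holding example.com's key and that the listed headers were not altered afterwards. It says nothing about whether the content is spam, which is why a signing scheme is paired with scoring rather than replacing it.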
SpamAssassin
- Multiple tests, around 300 (header, body, network and Bayesian tests)
- Statistical modeling: a Bayesian classifier trained on the user's own ham and spam
- Scoring: every test that fires adds its weight; the sum is compared with a threshold (5.0 by default)
Example (headers of a DomainKeys-signed message after SpamAssassin)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton
Reply-To: Matthew Eaton
To:
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 ( ) on jabba.geek.haus
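The scoring model behind that X-Spam-Status line, and the header heuristics the legal slides later rely on (forged or mismatched headers, "ADV" subject labeling, misleading subjects), as an added example that is not SpamAssassin's code: a handful of invented rules with invented weights, summed against the same 5.0 threshold. SLIDE_HAM is reconstructed from the headers above (the signature value is omitted and To: is blank, as on the slide); SPAM is a constructed sample with invented addresses.

```python
"""Score-based filtering in the SpamAssassin style: independent tests each add a
weight, the total is compared with a threshold.  Added example; rules are made up."""
import re

REQUIRED = 5.0   # same threshold as required=5.0 in the slide's X-Spam-Status

SLIDE_HAM = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject
From: Matthew Eaton
Reply-To: Matthew Eaton
To:
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
"""

SPAM = """\
Received: from mail.example.com (unknown [203.0.113.9]) by mx.example.net
From: "Billing" <billing@bank.example>
Reply-To: cashnow@mailer.example.net
To: bob@example.net
Subject: ADV: Lose 30 pounds fast!!!
"""


def parse_headers(raw):
    """Unfold headers (continuation lines start with whitespace); names lower-cased."""
    headers, last = {}, None
    for line in raw.rstrip("\n").split("\n"):
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else None


# (name, weight, predicate): hypothetical rules, not SpamAssassin's real rule set
RULES = [
    ("ADV_SUBJECT", 2.5, lambda h: re.match(r"\s*ADV\b", h.get("subject", ""), re.I) is not None),
    ("FROM_REPLYTO_MISMATCH", 1.5, lambda h: _domain(h.get("from", "")) is not None
                                    and _domain(h.get("reply-to", "")) is not None
                                    and _domain(h["from"]) != _domain(h["reply-to"])),
    ("UNKNOWN_RDNS", 1.0, lambda h: "(unknown [" in h.get("received", "")),
    ("MANY_EXCLAIM", 0.5, lambda h: h.get("subject", "").count("!") >= 3),
    ("DK_SIGNED", -1.0, lambda h: "domainkey-signature" in h),   # negative weight: evidence of ham
]


def score(headers, required=REQUIRED):
    """Return (total, names of tests that fired, is_spam)."""
    hits = [(name, w) for name, w, test in RULES if test(headers)]
    total = sum(w for _, w in hits)
    return total, [name for name, _ in hits], total >= required


def parse_spam_status(value):
    """Parse 'No, hits=-4.9 required=5.0 tests=BAYES_00 ...' as SpamAssassin writes it."""
    flag, _, rest = value.partition(",")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"spam": flag.strip().lower() == "yes",
            "hits": float(fields["hits"]),
            "required": float(fields["required"]),
            "tests": fields.get("tests", "").split(","),
            "autolearn": fields.get("autolearn"),
            "version": fields.get("version")}
```

Run on the two samples, the constructed spam scores 5.5 (ADV_SUBJECT, FROM_REPLYTO_MISMATCH, UNKNOWN_RDNS, MANY_EXCLAIM) and is over the threshold; the slide's message fires only DK_SIGNED and scores -1.0. The point of the design is that no single rule decides: each one is cheap to evade on its own, so the weights are tuned so that only the combination typical of spam crosses the line.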
Sender Policy Framework (SPF)
- Prevents forgery of the envelope sender (MAIL FROM) domain; it does not check the From: header the user sees
- Requires a DNS record: the domain publishes a TXT record (v=spf1 ...) listing the hosts allowed to send for it
- Recipient confirms sender: the receiving MTA checks the connecting IP against that record
- Open standard
- Caveat: plain forwarding breaks it, because the forwarder's IP is not in the original domain's record
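An SPF check as the receiving MTA performs it, as an added example (not the slides' code and not a complete RFC 7208 implementation): it handles the ip4, ip6, a, include and all mechanisms with the +, -, ~ and ? qualifiers, and propagates permerror on include loops or includes of domains with no policy. The DNS is a constructed in-memory zone with invented domain names rather than live TXT and A lookups.

```python
"""SPF: is the connecting IP authorized by the MAIL FROM domain's published policy?
Added example; constructed zone data, subset of the mechanisms."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

ZONE = {  # constructed stand-in for DNS
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
        "noreply.example.org": "v=spf1 +all",             # authorizes everyone: worthless policy
        "loop.example": "v=spf1 include:loop.example -all",  # self-referencing include
    },
    "a": {"mail.example.com": ["203.0.113.25"]},
}


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for `ip` sending as @domain."""
    if depth > 10:                 # RFC 7208 caps DNS-querying terms; guards include loops
        return "permerror"
    record = zone["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"              # no policy published: SPF says nothing either way
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"            # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a v6 address is never inside a v4 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(h) for h in zone["a"].get(host, []))
        elif mech == "include":
            inner = check_spf(ip, arg, zone, depth + 1)
            if inner in ("permerror", "none"):   # included domain must have a valid policy
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"     # mx / exists / ptr / redirect are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # fell off the end without an "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.25", "198.51.100.10", "2001:db8::1", "203.0.113.99"):
        print(ip, check_spf(ip, "example.com"))
```

Two things the check makes visible: "none" is not "fail" (a domain that publishes nothing gives the receiver no grounds to reject), and the only result that authorizes rejection outright is "fail"; the common "~all" yields softfail, which most receivers merely score.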
Greylisting
- Whitelist maintained of known-good senders
- Other mail temporarily rejected: the first attempt from an unknown (client IP, sender, recipient) triplet gets an SMTP 4xx "try again later"; a real MTA retries and is then accepted
- Spammers might give up: many bulk mailers fire once per address and never retry
- Cost: mail delivery delayed by the sender's retry interval
- Spammers will adapt, since retrying is cheap
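The greylisting decision as a receiving MTA would make it, as an added example that is not the slides' code: unknown triplets get 451 on first contact, are accepted on a retry that arrives after the delay, and are thereafter remembered; whitelisted networks skip the dance. Timings are simulated seconds and the addresses and networks are invented.

```python
"""Greylisting: temporarily reject the first attempt from an unknown
(client IP, envelope sender, recipient) triplet; accept on a later retry.
Added example; times are simulated."""
import ipaddress

GREYLIST_DELAY = 300      # seconds a retry must wait before it is accepted
TRIPLET_TTL = 36 * 3600   # forget a triplet that never came back


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, ttl=TRIPLET_TTL, whitelist=()):
        self.delay, self.ttl = delay, ttl
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]   # known-good networks
        self.first_seen = {}   # triplet -> time of first attempt
        self.verified = set()  # triplets that completed a retry

    def decide(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code: 250 accept, 451 temporary reject."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.whitelist):
            return 250
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.verified:
            return 250
        first = self.first_seen.get(key)
        if first is None or now - first > self.ttl:
            self.first_seen[key] = now   # new (or expired) triplet: come back later
            return 451
        if now - first < self.delay:
            return 451                   # retried too soon; still temporary
        self.verified.add(key)           # a retry after the delay: looks like a real MTA
        del self.first_seen[key]
        return 250


def simulate():
    """Replay a few constructed delivery attempts and return (label, reply code) pairs."""
    g = Greylist(whitelist=["192.0.2.0/24"])
    log = []
    # A real MTA: first attempt gets 451, its queue retries ten minutes later.
    log.append(("mta first try", g.decide("203.0.113.5", "alice@example.com", "bob@example.net", 0)))
    log.append(("mta retry +600s", g.decide("203.0.113.5", "alice@example.com", "bob@example.net", 600)))
    # A spam cannon that never retries: the message is simply never delivered.
    log.append(("spammer once", g.decide("198.51.100.77", "x1@spam.example", "bob@example.net", 5)))
    # A spammer that adapts by retrying at once is still inside the delay window.
    log.append(("spammer retry +15s", g.decide("198.51.100.77", "x1@spam.example", "bob@example.net", 20)))
    # A whitelisted partner relay is never delayed.
    log.append(("whitelisted", g.decide("192.0.2.10", "news@partner.example", "bob@example.net", 0)))
    return log
```

The first accepted message in the simulation waited 600 seconds, which is the "mail delivery delayed" cost from the slide; a spammer who retries after the delay gets through, which is the "spammers will adapt" caveat. Real deployments also key on the sender's /24 rather than the exact IP, because large senders retry from a different host in the same pool.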
The Hunt
- Contact info from the spam itself: URLs, addresses, WHOIS/DNS
- USENET: the news.admin.net-abuse.* groups
- Databases: Spews.org, Spamhaus.org, OpenRBL.org
Legal Means
- Foreign spam, local companies: the mail may be sent from abroad, but the business it advertises is often local and can be sued
- One weak federal law (CAN-SPAM)
- 38 state laws (as of 2006)
- A few heuristics for actionable spam: forged headers; "ADV" subject-line labeling (required by several state laws); misleading subject
Telephone Consumer Protection Act (TCPA)
The TCPA (47 U.S.C. § 227) defines a telephone facsimile machine as "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper." The breadth of that definition is the hook.
- Statutory damages of $500 per violation, up to $1,500 if willful
- Mark Reinertson v. Sears Roebuck (Michigan small claims)
Telephone Consumer Protection Act (TCPA): ErieNet, Inc. v. VelocityNet, Inc.
US Court of Appeals, 3rd Circuit, September 25, 1998
"it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court." - Senator Hollings
"The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA."
28 U.S.C. § 1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States.
The Third Circuit's answer was no: private TCPA suits belong in state court despite § 1331. (The Supreme Court later held the opposite in Mims v. Arrow Financial Services, 2012.)
The CAN-SPAM Act (15 U.S.C. § 7702 and following)
- Prohibits deceptive subject lines and falsified headers
- Requires a valid return address and a working opt-out
- Enforcement: FTC, state attorneys general, ISPs (providers of Internet access service). There is no private right of action for individual recipients.
- Do-Not-Email list and bounty hunters: studied by the FTC as the Act directed, never implemented
- Sender: "a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."
- Preemption: state anti-spam laws are preempted except where they prohibit falsity or deception
Virginia Laws
The Virginia Computer Crimes Act (Va. Code § 18.2-152)
- Forged headers
- $10/message or $25,000/day
- Used by AOL and Verizon: Verizon v. Ralsky ($37M), AOL v. Moore ($10M)
28 U.S.C. § 1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.
Claims of that size land in federal court on diversity; an individual's small claim does not.
Pennsylvania Laws
The Unsolicited Telecommunication Advertisement Act (73 P.S. § 2250)
- Illegal: forged addresses, misleading information, lack of opt-out
- Only enforced by the Attorney General and ISPs
- $10/message for ISPs; 10% from the AG
Small Claims Court
- Court summons: $30-80
- Maximum claim: $8,000
- Winning by default because the spammer didn't bother to show up: priceless
So you've won a judgment…
- Domesticate the judgment (register it in the state where the spammer or the assets are)
- Summons to Answer Interrogatories (the debtor discloses assets under oath)
- Writ of Fieri Facias (order to seize and sell property)
- Garnishment Summons (collect from a bank or employer)
Criminal Penalties: You've got jail! (18 U.S.C. § 1037, added by CAN-SPAM)
- Up to 1 year
- Up to 3 years if: more than $5,000 made from it; more than 2,500 messages in 24 hours; more than 25,000 in a month; more than 250,000 in a year
- Up to 5 years for a second offense
Questions?