CMU Usable Privacy and Security Laboratory Suing Spammers for Fun and Profit Serge Egelman.

Presentation transcript:

CMU Usable Privacy and Security Laboratory Suing Spammers for Fun and Profit Serge Egelman

“Two years from now, spam will be solved” - Bill Gates, February 24th, 2004

Background
- Over 65% of all mail
- Less than 200 people responsible for 80%

Statistics

Background
- It’s cheap!
- Wider audience
- Profit guaranteed
- Little work involved

Background
- Address harvesting
  - Web pages
  - Forums
  - USENET
- Dictionary attacks
- Purchased lists
- No way out

Profile of a Spammer
- Alan Ralsky
  - 20 computers
  - 190 servers
  - 650,000 messages/hour
  - 250 million addresses
  - $500 for every million messages
- Convicted felon
  - 1992 Securities fraud
  - 1994 Insurance fraud

Technical Means
- Text recognition
- Black hole lists
- Statistical modeling
  - Neural networks
- Cryptography
  - Digital signatures
  - Payment schemes

Asymmetric Cryptography Example

Digital Signature Example

Basic Asymmetric Cryptography
- RSA
  - Pick two large primes, p and q
  - Find N = p * q
  - Let e be a number relatively prime to (p-1)*(q-1)
  - Find d, so that d*e = 1 mod (p-1)*(q-1)
  - The set (e, N) is the public key.
  - The set (d, N) is the private key.
  - Encryption: C = M^e mod N
  - Decryption: M = C^d mod N

Basic Asymmetric Cryptography
- d = e^-1 mod (p-1)(q-1)
- N = p*q is known!
  - But usually very large ( bits)
- RSA 1024 bit challenge:
  - 309 digits
  - $100,000 prize
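The RSA steps from the two slides above, worked through in code. This is an added example, not the presentation's own material; the primes 61 and 53 and the exponent 17 are constructed toy values, and the last two functions show why the size of N matters: whoever can factor N can recompute d.

```python
# Added example (not from the slides): RSA key generation, encryption and
# decryption as listed on the slide, with toy-sized primes so every step is
# visible, plus a brute-force factoring routine that recovers d from (e, N).
from math import gcd

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((e, N), (d, N)) from two primes p, q and a public exponent e."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)          # d * e == 1 (mod phi); needs Python 3.8+
    return (e, N), (d, N)

def rsa_encrypt(m: int, public_key) -> int:
    e, N = public_key
    assert 0 <= m < N, "message must be smaller than N"
    return pow(m, e, N)          # C = M^e mod N

def rsa_decrypt(c: int, private_key) -> int:
    d, N = private_key
    return pow(c, d, N)          # M = C^d mod N

def trial_factor(N: int) -> tuple:
    """Brute-force factoring: fine for toy N, hopeless at 1024 bits."""
    f = 2
    while f * f <= N:
        if N % f == 0:
            return f, N // f
        f += 1
    raise ValueError("N is prime")

def recover_private_exponent(public_key) -> int:
    """Factoring N gives (p-1)(q-1), and with it the private exponent d."""
    e, N = public_key
    p, q = trial_factor(N)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)    # constructed toy primes
    c = rsa_encrypt(65, pub)
    print(pub, priv, c, rsa_decrypt(c, priv), recover_private_exponent(pub))
```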

DomainKeys
- Asymmetric cryptography
- Verified sender
- Modified SMTP server
- Additional DNS records

SpamAssassin
- Multiple tests
  - Around 300
- Statistical modeling
- Scoring

Example
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
  From: Matthew Eaton
  Reply-To: Matthew Eaton
  To:
  Subject: test from gmail
  X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
  X-Spam-Checker-Version: SpamAssassin 2.63 ( ) on jabba.geek.haus
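An added example (not part of the presentation) that parses the DomainKeys and SpamAssassin headers shown above and derives what the receiving side uses from them: the DNS name that holds the signer's public key, the list of signed headers, the nofws canonical form that the signature covers, and the SpamAssassin verdict. The header text is re-typed from the slide with line folding removed; the missing To: address is left out.

```python
# Added example: parse the DomainKeys and SpamAssassin headers from the
# message above and derive what a verifier needs from them.
import re

# Constructed sample: the slide's headers with line folding removed.
SAMPLE_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
"""

def parse_headers(raw: str) -> dict:
    """Split 'Name: value' lines into {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_tag_list(value: str) -> dict:
    """DomainKeys 'tag=value; tag=value' syntax -> dict (b= keeps its '=')."""
    items = (item.partition("=") for item in value.split(";") if item.strip())
    return {k.strip(): v.strip() for k, _, v in items}

def selector_record_name(tags: dict) -> str:
    """DNS TXT name the verifier queries for the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def nofws(text: str) -> str:
    """c=nofws canonicalization: strip all whitespace before hashing."""
    return re.sub(r"\s+", "", text)

def parse_spam_status(value: str) -> dict:
    """'No, hits=-4.9 required=5.0 tests=...' -> verdict, score, tests."""
    verdict, _, rest = value.partition(",")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"spam": verdict.strip() == "Yes", "hits": float(fields["hits"]),
            "required": float(fields["required"]),
            "tests": fields["tests"].split(",")}

def analyze(raw: str) -> dict:
    """Everything the receiving side learns from these headers."""
    h = parse_headers(raw)
    dk = parse_tag_list(h["domainkey-signature"])
    return {"algorithm": dk["a"], "key_record": selector_record_name(dk),
            "signed_headers": dk["h"].split(":"),
            "canonical_subject": nofws(h["subject"]),
            "spam": parse_spam_status(h["x-spam-status"])}
```

Verifying the b= value itself would need the public key from the key_record TXT entry and a hash over the nofws-canonicalized signed headers and body, which is the step the "Additional DNS records" bullet refers to.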

Sender Policy Framework
- Prevents forgery
- Requires DNS record
- Recipient confirms sender
- Open standard
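How the recipient "confirms the sender" under SPF, as an added example rather than anything from the slides: the receiving server takes the envelope sender's domain, fetches that domain's SPF record, and matches the connecting IP against it. The records here are constructed and held in a dict instead of being fetched from DNS, and only the lookup-free mechanisms (ip4, ip6, all) are implemented.

```python
# Added example (not from the slides): a minimal SPF evaluator for the
# mechanisms that need no DNS lookups (ip4, ip6, all). Given the domain's
# published record and the connecting IP, the receiving server decides
# whether the envelope sender is authorised to use that domain.
import ipaddress

# Constructed sample records: in reality these come from a DNS TXT lookup.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for one record."""
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"   # a, mx, include, etc. need DNS; not handled here
    return "neutral"         # record exhausted without a match

def spf_for_sender(sender: str, client_ip: str) -> str:
    """Look up the envelope sender's domain in the constructed table."""
    domain = sender.rpartition("@")[2].lower()
    record = RECORDS.get(domain)
    return check_spf(record, client_ip) if record else "none"
```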

Graylisting
- Whitelist maintained
- Other mail temporarily rejected
- Spammers might give up
- Mail delivery delayed
- Spammers will adapt
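The graylisting policy from the slide, as an added example that is not from the presentation: unknown (client IP, sender, recipient) triplets get a temporary SMTP rejection, a retry after the minimum delay is accepted and whitelisted, and the constructed scenario at the end shows both the delivery delay for legitimate mail and the spam bot that never retries. The 5-minute delay and 4-hour retry window are assumed tunables.

```python
# Added example (not from the slides): a greylisting policy as the slide
# describes it. The first delivery attempt from an unknown
# (client IP, sender, recipient) triplet gets a temporary SMTP rejection;
# a retry after the minimum delay is accepted and the triplet is
# whitelisted, so later mail from it is never delayed again.
from dataclasses import dataclass, field

TEMP_REJECT = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"

@dataclass
class Greylist:
    min_delay: int = 300                # seconds a sender must wait
    retry_window: int = 4 * 3600        # forget triplets not retried in time
    pending: dict = field(default_factory=dict)   # triplet -> first_seen
    whitelist: set = field(default_factory=set)   # triplets that retried

    def decide(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.whitelist:
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now      # new (or stale) triplet: defer it
            return TEMP_REJECT
        if now - first_seen < self.min_delay:
            return TEMP_REJECT           # retried too quickly, keep waiting
        del self.pending[key]
        self.whitelist.add(key)          # real MTAs retry; many spam bots won't
        return ACCEPT

def simulate() -> list:
    """Constructed scenario: a real MTA retries after 15 min, a spam bot never."""
    g = Greylist()
    legit = ("192.0.2.10", "alice@example.com", "bob@example.net")
    bot = ("203.0.113.5", "promo@spam.test", "bob@example.net")
    return [g.decide(*legit, now=0),
            g.decide(*bot, now=1),
            g.decide(*legit, now=60),     # impatient retry, still deferred
            g.decide(*legit, now=900),    # 15 min later: accepted
            g.decide(*legit, now=901)]    # whitelisted: no delay now
```

The last bullet on the slide is visible in the model too: a bot that simply retries after min_delay gets whitelisted like any other MTA, which is why greylisting is a cost, not a proof.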

The Hunt
- Contact info
  - URLs
  - Addresses
- WHOIS/DNS
- USENET
  - news.admin.net-abuse.
- Databases:
  - Spews.org
  - Spamhaus.org
  - OpenRBL.org

Legal Means
- Foreign spam, local companies
- One weak federal law
- 35 state laws (as of 2003)
- A few heuristics:
  - Forged headers
  - “ADV” subject line
  - Misleading subject

Telecommunications Consumer Protection Act
- The TCPA (U.S.C. 47 §227): "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper."
  - $500 or $1500 fine per message
- Mark Reinertson v. Sears Roebuck
  - Michigan small claims

Telecommunications Consumer Protection Act
- ErieNet, Inc. v. VelocityNet, Inc.
  - US Court of Appeals, 3rd Circuit, No. , September 25, 1998
- “it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” - Senator Hollings
- “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”
- U.S.C. 28 §1331: The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States

The CAN-SPAM Act
- 15 U.S.C. § 7702
- Requirements:
  - Deceptive subjects
  - Falsified headers
  - Valid return address
  - Opt-out
- Enforcement:
  - FTC
  - States
  - ISPs
- Do-Not-E-mail List
- Bounty hunters
- Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”
- Preemption

Virginia Laws
- The VA Computer Crimes Act (18.2-§152)
  - Forged headers
  - $10/message or $25,000/day
  - AOL and Verizon
- Verizon v. Ralsky: $37M
- AOL v. Moore: $10M
- U.S.C. 28 §1332: The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.

Pennsylvania Laws
- The Unsolicited Telecommunications Advertisement Act (73 §2250)
- Illegal activities:
  - Forged addresses
  - Misleading information
  - Lack of opt-out
- Only enforced by AG and ISPs
  - $10/message for ISPs
  - 10% from AG

Small Claims Court
- Court summons: $30-80
- Maximum claim: $8000
- Winning by default because the spammer didn’t bother to show up: Priceless

So you’ve won a judgment…
- Domesticate the judgment
- Summons to Answer Interrogatories
- Writ of Fieri Facias
- Garnishment Summons

Criminal Penalties
- You’ve got jail!
- 1 year
- 3 years:
  - $5,000 profit
  - >2,500 in 24 hours
  - >25,000 in a month
  - >250,000 in a year
- 5 years for second offense

Questions?