
1 Suing Spammers for Fun and Profit. Serge Egelman, CMU Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/

2 “Two years from now, spam will be solved.” (Bill Gates, February 24th, 2004)

3 Background
  - Spam is over 65% of all mail
  - Fewer than 200 people are responsible for 80% of it

4 Statistics (chart, not transcribed)

5 Statistics (chart, not transcribed)

6 Background
  - It’s cheap
  - Wider audience
  - Profit guaranteed
  - Little work involved

7 Background
  - Address harvesting: web pages, forums, USENET
  - Dictionary attacks
  - Purchased lists
  - No way out

8 Profile of a Spammer: Alan Ralsky
  - 20 computers, 190 servers
  - 650,000 messages/hour
  - 250 million addresses
  - $500 for every million messages
  - Convicted felon: 1992 securities fraud, 1994 insurance fraud

9 Technical Means
  - Text recognition
  - Black hole lists
  - Statistical modeling (neural networks)
  - Cryptography: digital signatures, payment schemes

10 Asymmetric Cryptography Example (diagram, not transcribed)

11 Digital Signature Example (diagram, not transcribed)

12 Basic Asymmetric Cryptography: RSA
  - Pick two large primes, p and q
  - Find N = p * q
  - Let e be a number relatively prime to (p-1)*(q-1)
  - Find d so that d*e = 1 mod (p-1)*(q-1)
  - The pair (e, N) is the public key; the pair (d, N) is the private key
  - Encryption: C = M^e mod N
  - Decryption: M = C^d mod N

13 Basic Asymmetric Cryptography
  - d = e^-1 mod (p-1)(q-1)
  - N = p*q is known! But it is usually very large (1024-2048 bits), so recovering d from the public key means factoring N
  - RSA 1024-bit challenge: 135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563 (309 digits), $100,000 prize
  - (Editor's note: RSA Laboratories retired the challenge in 2007 with this number still unfactored; 1024-bit moduli are nonetheless no longer considered adequate for new keys.)
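The recipe on slides 12 and 13 carried through in working code, as an added example for this page (not code from the slides): key generation with the extended Euclidean inverse for d, encryption and decryption, a signature built as "decryption of the digest", and finally what the factoring remark on slide 13 means in practice, namely that anyone who factors N gets d. The primes, the hash-reduced-mod-N signature and all function names are the example's own choices; real deployments use 2048-bit or larger moduli with OAEP/PSS padding, never bare textbook RSA.

```python
"""Textbook RSA, following the slide's recipe, with tiny primes so every
intermediate value is visible. Added example written for this page, not code
from the original slides. The toy 'hash mod N' signature and the absence of
padding are for illustration only."""
import hashlib
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, m):
    """The slide's 'find d so that d*e = 1 mod (p-1)(q-1)': d = e^-1 mod m."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not invertible modulo m")
    return x % m


def keygen(p, q, e=65537):
    """Public key (e, N), private key (d, N), as on slide 12."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    return (e, n), (modinv(e, phi), n)


def encrypt(pub, m):
    """C = M^e mod N. M must be smaller than N (no padding in textbook RSA)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be in [0, N)")
    return pow(m, e, n)


def decrypt(priv, c):
    """M = C^d mod N."""
    d, n = priv
    return pow(c, d, n)


def _digest(message, n):
    # Toy: reduce SHA-1 of the message into [0, N). With a real-sized N the
    # hash is padded (PKCS#1 v1.5 / PSS) rather than reduced.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def sign(priv, message):
    """Signing is 'decryption' of the digest with the private exponent."""
    d, n = priv
    return pow(_digest(message, n), d, n)


def verify(pub, message, sig):
    """Anyone holding (e, N) can check: sig^e mod N must equal the digest."""
    e, n = pub
    return pow(sig, e, n) == _digest(message, n)


def factor_trial(n):
    """Trial division. Feasible for the toy N below; the 309-digit challenge
    number on slide 13 is exactly what this cannot do in any useful time."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no nontrivial factor found")


def recover_private_key(pub):
    """What an attacker gets from a factored modulus: the whole private key."""
    e, n = pub
    p, q = factor_trial(n)
    return modinv(e, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)          # N = 3233, (p-1)(q-1) = 3120
    print("public", pub, "private", priv)     # d = 2753
    c = encrypt(pub, 65)
    print("C =", c, "M =", decrypt(priv, c))  # C = 2790, M = 65
    s = sign(priv, b"test from gmail")
    print("signature verifies:", verify(pub, b"test from gmail", s))
    print("private key recovered by factoring N:", recover_private_key(pub) == priv)
```

Run it and the last line prints True: with a 12-bit N trial division recovers d instantly, which is the whole argument for the key sizes on slide 13.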

14 DomainKeys
  - Asymmetric cryptography: the sending domain signs the message, the recipient verifies it with a public key fetched from DNS
  - Verified sending domain (not the individual sender)
  - Modified SMTP server
  - Additional DNS records
  - (DomainKeys was later merged into DKIM, RFC 4871.)

15 SpamAssassin
  - Multiple tests (around 300)
  - Statistical modeling
  - Scoring: each test adds or subtracts points, and the message is flagged when the total reaches the required threshold

16 Example

  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqi
    TsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
  From: Matthew Eaton
  Reply-To: Matthew Eaton
  To: serge@guanotronic.com
  Subject: test from gmail
  X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
  X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
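What a receiving server does with the headers on slide 16, serving both slide 14 (DomainKeys) and slide 15 (SpamAssassin scoring), as an added example for this page rather than code from the slides, DomainKeys or SpamAssassin: unfold the headers, split the DomainKey-Signature tag list, derive the DNS name the public key is fetched from, measure the signature, and re-derive SpamAssassin's verdict from hits and required. The header text is transcribed from the slide with the long values re-folded as a mail header folds them; the fetch of the gmail.com selector record and the RSA verification itself need network access and are not performed here. All function names are the example's own.

```python
"""Parse the DomainKey-Signature and X-Spam-Status headers from slide 16.
Added example for this page, not code from the slides or any mail software.
SAMPLE is the slide's header block with the wrapped values re-folded as
continuation lines (leading whitespace), as a real header would be."""
import base64
import re

SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
  h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
  b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqi
  TsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
From: Matthew Eaton
Reply-To: Matthew Eaton
To: serge@guanotronic.com
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
"""


def parse_headers(raw):
    """Unfold continuation lines and return {lower-case name: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()      # folded continuation
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def parse_tags(value):
    """'a=rsa-sha1; q=dns; ...' -> dict. Whitespace inside a value is folding
    residue and is dropped (the b= base64 and h= list never contain spaces)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_record_name(tags):
    """Where the verifier fetches the signer's public key from DNS:
    <selector>._domainkey.<domain>, here beta._domainkey.gmail.com."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signed_header_names(tags):
    """The h= list: the headers covered by the signature, in order."""
    return tags["h"].split(":")


def signature_bits(tags):
    """Length of the raw RSA signature in b=, which equals the key's modulus size."""
    return len(base64.b64decode(tags["b"])) * 8


def spam_verdict(status):
    """'No, hits=-4.9 required=5.0 tests=BAYES_00 ...' -> structured verdict.
    SpamAssassin sums per-test scores into 'hits' and flags the message when
    hits >= required (newer versions print 'score=' instead of 'hits=')."""
    m = re.match(r"(Yes|No),\s*(?:hits|score)=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(\S+)", status)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status line")
    flag, hits, required, tests = m.groups()
    hits, required = float(hits), float(required)
    return {"flagged": flag == "Yes", "hits": hits, "required": required,
            "tests": tests.split(","), "over_threshold": hits >= required}


def analyse(raw=SAMPLE):
    """Everything a receiver learns from the slide's headers before touching DNS."""
    h = parse_headers(raw)
    tags = parse_tags(h["domainkey-signature"])
    return {"algorithm": tags["a"],                 # rsa-sha1
            "canonicalization": tags["c"],          # nofws: no folding whitespace
            "key_record": key_record_name(tags),
            "signed_headers": signed_header_names(tags),
            "signature_bits": signature_bits(tags),
            "spam": spam_verdict(h["x-spam-status"])}


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v}")
```

The 172 base64 characters in b= decode to 128 bytes, so Gmail's "beta" selector was a 1024-bit key, the size slide 13 calls very large and the editor's note there calls inadequate today. Note also that the signature covers From: and Reply-To: but the recipient still has to fetch the key and check the body hash before trusting any of it.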

17 Sender Policy Framework
  - Prevents forgery of the envelope sender (MAIL FROM); it does not cover the From: header the user sees
  - Requires a DNS record listing the hosts allowed to send mail for the domain
  - Recipient confirms the sender by checking the connecting IP against that record
  - Open standard
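The check slide 17 describes, as an added example for this page (not code from the slides or any SPF implementation): the recipient takes the domain of the envelope sender, reads its SPF record, and walks the mechanisms until one matches the connecting IP. Only the mechanisms that need no further DNS traffic (ip4, ip6, all) are evaluated so the code runs offline; the records in FAKE_DNS_TXT are constructed stand-ins for the TXT records a real check would fetch.

```python
"""Evaluate an SPF record against the IP that connected to deliver the mail.
Added example for this page; the records below are constructed, not real DNS
data, and mechanisms that need more lookups (a, mx, include, ...) are reported
as 'temperror' rather than resolved."""
import ipaddress

# Constructed stand-in for the TXT records the recipient would fetch from DNS.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",  # hard fail
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",                   # soft fail
    "example.org": "v=spf1 +all",        # allows any host: no forgery protection
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def evaluate_spf(record, client_ip):
    """Walk the mechanisms left to right; the first one that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:                       # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                return "temperror"            # would require fetching another record
            continue
        qualifier = "+"                       # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in NEEDS_DNS:
            return "temperror"
        else:
            return "permerror"
    return "neutral"   # no mechanism matched and no 'all' term: RFC 7208 default


def check_sender(mail_from, client_ip, dns=FAKE_DNS_TXT):
    """SPF is evaluated on the SMTP envelope sender (MAIL FROM), not on the
    From: header shown to the user; a forged From: over a legitimate envelope
    still passes, which is why SPF is paired with DomainKeys/DKIM."""
    domain = mail_from.rpartition("@")[2].lower()
    record = dns.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("alice@example.com", "192.0.2.10"),
                       ("alice@example.com", "203.0.113.5"),
                       ("bob@example.net", "198.51.100.8"),
                       ("carol@example.org", "203.0.113.5")]:
        print(f"{sender:20} from {ip:15} -> {check_sender(sender, ip)}")
```

The example.org record shows the practitioner's caveat to "prevents forgery": SPF only prevents what the domain owner chooses to forbid, and "+all" forbids nothing.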

18 Graylisting
  - Whitelist maintained
  - Other mail temporarily rejected (an SMTP 4xx reply); a real mail server queues the message and retries, so it is accepted on a later attempt
  - Spammers might give up
  - Mail delivery delayed
  - Spammers will adapt
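The mechanism on slide 18 as a small state machine, added here as an example for this page (not code from the slides or any MTA): the first attempt for an unseen (client IP, envelope sender, recipient) triplet gets a temporary failure, a retry after the delay is accepted and whitelisted, and a retry that comes back too fast is failed again. The timeline in EVENTS is constructed to show all three of the slide's consequences: the spammer that never retries is never delivered, the legitimate mail is delayed by its sender's queue interval, and the whitelist removes the delay for later mail.

```python
"""Greylisting keyed on the (client IP, envelope sender, recipient) triplet.
Added example for this page; the delivery timeline in EVENTS is constructed."""
from dataclasses import dataclass, field

GREY_DELAY = 5 * 60            # a retry is accepted only after this many seconds
WHITELIST_TTL = 36 * 60 * 60   # a triplet that retried correctly stays known this long

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # triplet -> expiry time
    delays: list = field(default_factory=list)     # seconds each accepted mail waited

    def decide(self, client_ip, sender, rcpt, now):
        """SMTP reply for one RCPT TO, given the clock value `now` in seconds."""
        key = (client_ip, sender.lower(), rcpt.lower())
        expiry = self.whitelist.get(key)
        if expiry is not None and now < expiry:
            self.whitelist[key] = now + WHITELIST_TTL   # refresh on every success
            return ACCEPT
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now
            return TEMPFAIL             # never seen: make the sender prove it retries
        if now - first < GREY_DELAY:
            return TEMPFAIL             # retried too fast: typical of bulk engines
        del self.pending[key]
        self.whitelist[key] = now + WHITELIST_TTL
        self.delays.append(now - first)
        return ACCEPT


# Constructed timeline: two real MTAs retry after their queue interval, a spam
# cannon sends once and moves on, and one of the MTAs also retries too soon.
EVENTS = [
    (0,    "192.0.2.10",   "alice@example.com",  "serge@example.invalid"),  # legit, first try
    (0,    "203.0.113.99", "deals@spam.invalid", "serge@example.invalid"),  # spammer, first try
    (30,   "203.0.113.7",  "bob@example.net",    "serge@example.invalid"),  # legit, first try
    (60,   "203.0.113.7",  "bob@example.net",    "serge@example.invalid"),  # too soon
    (900,  "192.0.2.10",   "alice@example.com",  "serge@example.invalid"),  # queue retry
    (1000, "203.0.113.7",  "bob@example.net",    "serge@example.invalid"),  # retry after delay
    (5000, "192.0.2.10",   "alice@example.com",  "serge@example.invalid"),  # whitelisted now
]


def simulate(events=EVENTS):
    """Run the timeline; returns the Greylist state and one SMTP reply per event."""
    g = Greylist()
    replies = [g.decide(ip, sender, rcpt, t) for t, ip, sender, rcpt in events]
    return g, replies


if __name__ == "__main__":
    g, replies = simulate()
    for (t, ip, sender, _), reply in zip(EVENTS, replies):
        print(f"t={t:5d} {ip:14} {sender:20} {reply}")
    print("delays for accepted mail (s):", g.delays)
    print("never retried:", list(g.pending))
```

Two things the slide's "spammers will adapt" bullet implies and this code leaves out on purpose: a bulk mailer that simply retries after five minutes passes this check unchanged, so greylisting buys time rather than a verdict, and a production implementation must expire stale `pending` entries (the spammer's triplet above stays forever) or the table becomes a memory sink filled by the very traffic it rejects.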

19 The Hunt
  - Contact info: URLs, email addresses
  - WHOIS/DNS
  - USENET: news.admin.net-abuse.email
  - Databases: Spews.org, Spamhaus.org, OpenRBL.org

20 Legal Means
  - Foreign spam, local companies
  - One weak federal law
  - 35 state laws (as of 2003)
  - A few heuristics: forged headers, “ADV” subject line, misleading subject

21 Telephone Consumer Protection Act
  - The TCPA (47 U.S.C. § 227) covers "equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper"
  - $500 or $1,500 statutory damages per message
  - Mark Reinertson v. Sears Roebuck (Michigan small claims)

22 Telephone Consumer Protection Act
  - ErieNet, Inc. v. VelocityNet, Inc., U.S. Court of Appeals, 3rd Circuit, No. 97-3562, September 25, 1998
  - “It is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” (Senator Hollings)
  - “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”
  - 28 U.S.C. § 1331: “The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States.”

23 The CAN-SPAM Act (15 U.S.C. § 7702)
  - Requirements: no deceptive subject lines, no falsified headers, a valid return address, an opt-out mechanism
  - Enforcement: FTC, states, ISPs
  - Do-Not-Email list
  - Bounty hunters
  - Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”
  - Preemption (of state laws)

24 Virginia Laws
  - The Virginia Computer Crimes Act (Va. Code § 18.2-152): forged headers; $10/message or $25,000/day; used by AOL and Verizon
  - Verizon v. Ralsky: $37M
  - AOL v. Moore: $10M
  - 28 U.S.C. § 1332: “The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.”

25 Pennsylvania Laws
  - The Unsolicited Telecommunication Advertisement Act (73 P.S. § 2250)
  - Illegal activities: forged addresses, misleading information, lack of opt-out
  - Only enforced by the Attorney General and ISPs: $10/message for ISPs; 10% from the AG

26 (slide content not transcribed)

27 Small Claims Court
  - Court summons: $30-80
  - Maximum claim: $8,000
  - Winning by default because the spammer didn’t bother to show up: priceless

28 So you’ve won a judgment…
  - Domesticate the judgment
  - Summons to Answer Interrogatories
  - Writ of Fieri Facias
  - Garnishment Summons

29 Criminal Penalties
  - You’ve got jail!
  - 1 year
  - 3 years: $5,000 profit; >2,500 messages in 24 hours; >25,000 in a month; >250,000 in a year
  - 5 years for a second offense

30 Questions?

