Information Security News: Major Anti-Spam Lawsuit to Be Filed in Virginia

[InfoSec News <alerts () infosecnews org>]

http://www.washingtonpost.com/wp-dyn/content/article/2007/04/25/AR2007042503098.html

By Brian Krebs
washingtonpost.com Staff Writer
April 25, 2007

A company representing Internet users in more than 100 countries is 
expected to file a lawsuit in Virginia on Thursday seeking the identity 
of individuals responsible for harvesting millions of e-mail addresses 
on behalf of spammers.

The suit will be filed in U.S. District Court in Alexandria on behalf of 
Project Honey Pot, a service of Unspam Technologies LLC, a Utah-based 
anti-spam company that consults with private companies and government 
agencies.

The lead attorney on the case, Jon Praed of the Arlington, Va.-based 
Internet Law Group, has represented America Online and Verizon Online in 
successful cases against junk e-mailers. Praed said the group hopes to 
follow the trail from the people doing the harvesting of e-mail 
addresses to the actual spammers.

"It is clear that the key to stopping spam is identifying those 
responsible for it, and getting that information into the hands of those 
capable of doing something about it," he said.

The Virginia court has been the venue of choice for a number of 
previously successful anti-spam cases filed by some of the world's 
largest Internet service providers. But this is thought to be the first 
anti-spam case brought by a class of Internet users not affiliated with 
any single Internet service provider.

"This isn't just some [Internet service provider] trying to get good 
press, this is a community of Internet users saying we're sick and tired 
of this crap and we want it to stop," said Matthew Prince, Unspam's 
chief executive officer.

The company is filing the suit on behalf of some 20,000 people who use 
its anti-spam tool. Web site owners use the project's free software to 
generate pages that feature unique "spam trap" e-mail addresses each 
time those pages are visited. The software then records the Internet 
address of the visitor and the date and time of the visit. Because those 
addresses are never used to sign up for e-mail lists, the software can 
help investigators draw connections between harvesters and spammers if 
an address generated by a spam trap or "honey pot" later receives junk 
e-mail.

Spam recipient lists typically are generated by automated programs that 
scour the Internet for e-mail addresses. Similarly, the sending of spam 
is also automated, as the bulk of junk e-mail is routed through 
compromised personal computers to mask its true source.

In many cases, those responsible for harvesting e-mail addresses are not 
the same people sending the spam, but rather individuals who will sell 
the lists to known spam operators. Project Honey Pot also has found that 
in a great number of cases, e-mail harvesters do not appear to try to 
hide their Internet addresses.

"We've found that the Internet addresses of those doing the harvesting 
is a much smaller universe of those who are actually sending the 
messages, and locating [the harvesters] may give us good indicators of 
who out there is at the top of these spam operations," Prince said.

The suit filed today names defendants as "John Doe," meaning that the 
plaintiffs will ask the court for the authority to subpoena records from 
ISPs to verify the identities of owners and operators of e-mail 
harvesters.

The federal court in Alexandria is known for its expertise in 
adjudicating anti-spam cases, but the plaintiffs also chose that 
location because evidence points to a great deal of spamming activity 
emanating from Virginia. According to the complaint, since January 2005 
the project has identified more than 15,000 unique Internet addresses 
associated with e-mail harvesting activity, 22 percent of which were 
located in the United States.

Roughly 175 Project Honey Pot Web sites located in Virginia have 
distributed approximately 36,000 e-mail addresses to harvesters 
worldwide. Of those, 111 e-mail harvesters used Internet addresses 
located in Virginia, and another 21,000 Virginia-based PCs have been 
identified as direct sources of junk e-mail. On 245 occasions, the John 
Does named in the suit have relied entirely on Virginia-based Internet 
addresses to harvest e-mail addresses and to blast out junk e-mail, the 
complaint alleges.

Lawrence Baldwin, founder of myNetWatchman, a company that tracks 
hacking and spam activity, said the Honey Pot Project's legal approach 
to fighting spam looks promising.

"If they're successful, I think it will yield some very usable 
information in terms of identifying who the real miscreants are," 
Baldwin said. "Let's just hope some of them are here in United States 
and therefore reachable."

The cases were filed under the Virginia anti-spam statute, as well as a 
federal 2003 anti-spam law. The statute penalizes fraudulent senders of 
unsolicited bulk e-mail at $1 per message, or $25,000 per day that any 
offending message was transmitted. The federal law, known by its acronym 
"CAN-SPAM," authorizes fines of $100 for every attempted transmission of 
a spam message containing false or misleading transmission information. 
Damages increase three-fold if a victim's e-mail address was harvested 
from a public Web site.

Despite previous lawsuits against spam operators, the volume of junk 
e-mail flooding inboxes has skyrocketed over the past several years 
since CAN-SPAM's enactment. Spam comprised more than 80 percent of the 
e-mail sent globally over the past six months, according to Postini, an 
e-mail security firm based in San Carlos, Calif.

"As long as long as there is big money to be made, the spammer's target 
will move," said Jerry Upton, executive director of the Messaging 
Anti-Abuse Working Group, an industry consortium of ISPs and e-mail 
providers. "It's an ongoing war, and the weapons keep getting better on 
both sides."

The Honey Pot Project's Prince acknowledged that the lawsuit is not 
going to solve the spam problem.

"But if we can take two or three major spammers offline, that's a huge 
victory for the Internet as a whole."

© 2007 Washingtonpost.Newsweek Interactive

__________________________
Subscribe to InfoSec News
http://www.infosecnews.org