Spammers hapless fate = ISP toil and sweat
Pedro Ramalho Carlos prc at co.ip.pt
Thu Sep 18 23:16:56 CEST 1997
I think we all agree that the technical efforts that each of us has endured
for the last few months trying to get ahead of spammers' tricks have
produced some results...until they get some new trick (like the unallocated
IP-BGP one from Nick. I hope AGIS is not on this list :(...
At 10:28 18-09-1997 -0400, Keith C. Howell wrote:
>On 18 Sep 1997, Espen Vestre wrote:
> [...]
>The other unfortunate thing is that the law enforcement agencies will not
>assist ISP's in tracking down spammers. If the culprit has a dial-up
>account and dials into a network, you can get all sorts of information on
>them. But even if the caller is stupid enough not to suppress caller ID (or
>make the call from a payphone), the phone companies will not release the
>address that matches the phone number.
...unless there is a judge's order to do so (at least that's how it works
here).
And one can reject incoming calls that don't have Caller-ID, ISDN Calling
Party ID, etc. (but then they will start by attacking the PTT telephone
switch :(
We all agree that results from going after each spam individually, each isp
on it's own, is not pratical:
- it has high technical labour costs,
- it has high legal costs;
- it has VERY limited effect on the problem as a whole, because there are
way too many clueless companies willing to pay 200USD to send a mass mailing.
However we tend to address this problem only from a technical perspective
(probably because this where we feel we can do something about spam)... and
laws and lawyers are generally "tabu".
However, if we agree that:
- most spams are originating in the US;
- the justice system seems to work there;
- spams are eventually payed by businesses (that buy "spamming services"
from spam operations);
- the US has explicit laws agains spam, aka "unsolicited bulk email" ( US
Code Title 47, Sec.227(a)(2)(B) - is supposed to define a $500USD
compensation for EACH e-mail message spooled;
- the US has the largest concentration of lawyers and law-firms eager to
get a few million USD more;
- that businesses are not especially fond of getting a huge suit asking
for compensation, especially if the suitor is represented by one big-shot
law-firm.
What about organizing something along this lines?
- pick up a case where most of us have been hit by spams for the same
company products where at least 10.000 instances of the same message can be
individually identified in our combined spool/mails. Collect a copy of each
message, with headers and organize them as proof.
- select one of the large law firms in the US, and file a suit for
10.000 x $500 USD = 5 mill, USD against that company. They would have the
"carrot" of getting x% of the compensation actually paid. If some minimum
fee is needed it would be supported by us/RIPE. (x can be as high as 99% if
we feel comfortable with it)
- have them win the case;
- make a lot of publicity directly and get a lot of it indirectly.
Ideally:
- RIPE could organize this, and we would all delegate to RIPE all the
compensations for the action (that RIPE would continue to use in the
benefit of Europe's part of the Internet:)
- the target company(ies) should be big enough to be able to pay the 5
mill USD only marginally without going bankrupt, should be listed on one of
the stock exchanges, so that a suit against it would have to be published
by the company itself under stock exchange laws.
If we're lucky, their stock prices will fall sharply, getting attention
also from the "Business Press", etc.
Possibly a series of several suit's against a few such companhies would be
needed to get enough publicity (but if one wins the first the next will be
easier).
What I would hope for, is that the attention raised on the media on the
VERY NEGATIVE business results of "cheap massive Internet mailings" (as
"spam" is known in the business world), would refrain anyone but the
clueless to resort to spamming.
Even, if it doesn't completely stop all of them, it will make the number of
companies buyng spamming services smaller because of the legal action risk,
and that would make spam prices higher (or make spam operators unable to
pay smart people to develop tricks to work around our spam-blocks) and
create a positive feedback cycle here that would eventually put spam back
into the small dimension it was a few years back.
I guess this is a bit maquievelic, and I might be a bit too much willing
to use legal tricks against them, but as a RIPE member I would clearly
support an action from RIPE to get some "legal counsel" to check what the
odds are of winning such a case are...
On the technical side, however, I propose that all of us stop our clients
ability to use other people's mail relays, by blocking SMTP access to all
but the ISP's own relays. This seems pretty easy to implement on most
dialup/permanent connections these days.
This brings me back to Keith:
>If someone could suggest how to identify a spammer *before* they start
>sending out email, then I am sure every person who has to deal with the
>spam would be most gratefull, it will save them alot of time and money.
>
>When an ISP sells a connection to a company, they have no idea what the
>customer will use the connection for. Certainly, here at UUNET, our AUP is
>enforced. But if the spammer just buys another connection, how would we
>identify them? All the outside world will see is "another UUNET connected
>spammer", but to us, this is a separate customer.
...this "UUNET connected spammer" would probably be very easily detected by
UUNET itself, if he would only be able to use UUNET's email relays,
wouldn't he?
just my .02 Euro
kind regards,
---
pedro ramalho carlos Pedro.Carlos at co.ip.pt IP SA
tel: +351-1-3166724 Av. Duque de Avila, 23
fax: +351-1-3166701 1000 LISBOA - PORTUGAL
PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2
[ lir-wg Archives ]