Spammers hapless fate = ISP toil and sweat
Pedro Ramalho Carlos prc at co.ip.pt
Thu Sep 18 23:16:56 CEST 1997
I think we all agree that the technical efforts that each of us has endured for the last few months trying to get ahead of spammers' tricks have produced some results...until they get some new trick (like the unallocated IP-BGP one from Nick. I hope AGIS is not on this list :(... At 10:28 18-09-1997 -0400, Keith C. Howell wrote: >On 18 Sep 1997, Espen Vestre wrote: > [...] >The other unfortunate thing is that the law enforcement agencies will not >assist ISP's in tracking down spammers. If the culprit has a dial-up >account and dials into a network, you can get all sorts of information on >them. But even if the caller is stupid enough not to suppress caller ID (or >make the call from a payphone), the phone companies will not release the >address that matches the phone number. ...unless there is a judge's order to do so (at least that's how it works here). And one can reject incoming calls that don't have Caller-ID, ISDN Calling Party ID, etc. (but then they will start by attacking the PTT telephone switch :( We all agree that results from going after each spam individually, each isp on it's own, is not pratical: - it has high technical labour costs, - it has high legal costs; - it has VERY limited effect on the problem as a whole, because there are way too many clueless companies willing to pay 200USD to send a mass mailing. However we tend to address this problem only from a technical perspective (probably because this where we feel we can do something about spam)... and laws and lawyers are generally "tabu". However, if we agree that: - most spams are originating in the US; - the justice system seems to work there; - spams are eventually payed by businesses (that buy "spamming services" from spam operations); - the US has explicit laws agains spam, aka "unsolicited bulk email" ( US Code Title 47, Sec.227(a)(2)(B) - is supposed to define a $500USD compensation for EACH e-mail message spooled; - the US has the largest concentration of lawyers and law-firms eager to get a few million USD more; - that businesses are not especially fond of getting a huge suit asking for compensation, especially if the suitor is represented by one big-shot law-firm. What about organizing something along this lines? - pick up a case where most of us have been hit by spams for the same company products where at least 10.000 instances of the same message can be individually identified in our combined spool/mails. Collect a copy of each message, with headers and organize them as proof. - select one of the large law firms in the US, and file a suit for 10.000 x $500 USD = 5 mill, USD against that company. They would have the "carrot" of getting x% of the compensation actually paid. If some minimum fee is needed it would be supported by us/RIPE. (x can be as high as 99% if we feel comfortable with it) - have them win the case; - make a lot of publicity directly and get a lot of it indirectly. Ideally: - RIPE could organize this, and we would all delegate to RIPE all the compensations for the action (that RIPE would continue to use in the benefit of Europe's part of the Internet:) - the target company(ies) should be big enough to be able to pay the 5 mill USD only marginally without going bankrupt, should be listed on one of the stock exchanges, so that a suit against it would have to be published by the company itself under stock exchange laws. If we're lucky, their stock prices will fall sharply, getting attention also from the "Business Press", etc. Possibly a series of several suit's against a few such companhies would be needed to get enough publicity (but if one wins the first the next will be easier). What I would hope for, is that the attention raised on the media on the VERY NEGATIVE business results of "cheap massive Internet mailings" (as "spam" is known in the business world), would refrain anyone but the clueless to resort to spamming. Even, if it doesn't completely stop all of them, it will make the number of companies buyng spamming services smaller because of the legal action risk, and that would make spam prices higher (or make spam operators unable to pay smart people to develop tricks to work around our spam-blocks) and create a positive feedback cycle here that would eventually put spam back into the small dimension it was a few years back. I guess this is a bit maquievelic, and I might be a bit too much willing to use legal tricks against them, but as a RIPE member I would clearly support an action from RIPE to get some "legal counsel" to check what the odds are of winning such a case are... On the technical side, however, I propose that all of us stop our clients ability to use other people's mail relays, by blocking SMTP access to all but the ISP's own relays. This seems pretty easy to implement on most dialup/permanent connections these days. This brings me back to Keith: >If someone could suggest how to identify a spammer *before* they start >sending out email, then I am sure every person who has to deal with the >spam would be most gratefull, it will save them alot of time and money. > >When an ISP sells a connection to a company, they have no idea what the >customer will use the connection for. Certainly, here at UUNET, our AUP is >enforced. But if the spammer just buys another connection, how would we >identify them? All the outside world will see is "another UUNET connected >spammer", but to us, this is a separate customer. ...this "UUNET connected spammer" would probably be very easily detected by UUNET itself, if he would only be able to use UUNET's email relays, wouldn't he? just my .02 Euro kind regards, --- pedro ramalho carlos Pedro.Carlos at co.ip.pt IP SA tel: +351-1-3166724 Av. Duque de Avila, 23 fax: +351-1-3166701 1000 LISBOA - PORTUGAL PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2
[ lir-wg Archives ]