October 10th, 2007 by dm Spam none Comments

Eric Goldman writes about how Federal Courts calculate spam damages for federal sentencing purposes. Interesting reading, considering that such spam damages are very difficult to attribute to a party. Is it the spam recipient’s damage from having to delete the emails, is it the ISP having to block or investigate complaints, or is it the spammer’s profits that should guide the damages? The number under each category can vary significantly, so this case is important.

In US v. Kilbride, 2007 WL 2774487 (D. Ariz. Sept. 21, 2007), the judge ignores any alleged harm to end user-recipients because there was no evidence that the individuals suffered a pecuniary loss. Second, the court ignores the government’s argument that the loss should be measured by the defendants’ gain (over $1.1M in profits attributed to the spamming). Instead, the judge only gives credit to the evidence showing that the ISP (AOL) suffered less than $10,000 of "loss" from the spam, computed by AOL’s cost to investigate complaints over the spam (the government did not present evidence for other email service providers).

 

April 27th, 2007 by dm Spam, Phishing none Comments

I now have the complaint. Thanks JP.

April 26th, 2007 by dm Spam none Comments

The news is slowly trickling through the news outlets so I would like to comment on it a little bit. For those not familiar with the story yet, a major anti-spam lawsuit has been filed in the U.S. District Court in Alexandria, Virginia. The suit was filed by Project Honeypot and seeks the identity of individuals responsible for harvesting millions of email addresses on behalf of spammers.

The lead attorney is Jon Praed, with whom I had the privilege to work, and I can only confirm what Honeypot are saying about him: “[i]n the world of anti-spam lawyers, Jon is the best of the best.” I am sure that Jon would help the Internet community at large by taking this novel case to success.

Now about the case. I do not have the complaint yet (will post it here as soon as I have it), but the news sources provide sufficient initial information on the details. The complaint is filed on behalf of 20,000 honeypot users who have “installed” honeypots on their web pages. The honeypots are designed to be hidden from plain view so that only spiders can see them. Once a spider sees a honeypot, the honeypot issues a new and unique email address for the particular spider and then records the spider’s information. Project Honeypot then monitors the email addresses which were issued to spiders for spam. If a piece of spam arrives, it can be linked to the spider, and this allows Project Honeypot to identify spam email harvesters.
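The issue-and-correlate mechanism described above, sketched as an added example (this is not Project Honeypot's code). The class and function names, the HMAC-derived address format, the `trap.example` domain and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

SECRET = b"constructed-demo-key"   # assumption: secret known only to the operator
TRAP_DOMAIN = "trap.example"       # assumption: domain whose mail the operator receives

@dataclass(frozen=True)
class Visit:
    ip: str
    user_agent: str
    timestamp: int                 # Unix time of the page fetch

class Honeypot:
    def __init__(self):
        self.issued = {}           # local part -> Visit that was shown the address

    def issue_address(self, visit):
        """Mint an address shown to this one visit only, and log the visit."""
        msg = f"{visit.ip}|{visit.user_agent}|{visit.timestamp}".encode()
        # Keyed hash: the address cannot be guessed, so mail to it implies harvesting.
        local = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]
        self.issued[local] = visit
        return f"{local}@{TRAP_DOMAIN}"

    def attribute(self, rcpt_to):
        """Return the Visit that harvested rcpt_to, or None if it was never issued."""
        local, _, domain = rcpt_to.strip().lower().rpartition("@")
        return self.issued.get(local) if domain == TRAP_DOMAIN else None

def harvester_report(pot, spam_log):
    """Group received spam by harvesting IP: message count, sending IPs, first delay."""
    report = defaultdict(lambda: {"messages": 0, "senders": set(), "first_delay": None})
    for rcpt_to, received_ts, sender_ip in spam_log:
        visit = pot.attribute(rcpt_to)
        if visit is None:
            continue               # not a trap address we issued; no attribution
        row = report[visit.ip]
        row["messages"] += 1
        row["senders"].add(sender_ip)
        delay = received_ts - visit.timestamp
        if row["first_delay"] is None or delay < row["first_delay"]:
            row["first_delay"] = delay
    return dict(report)

if __name__ == "__main__":
    pot = Honeypot(); addr = pot.issue_address(Visit("192.0.2.10", "ExampleBot/1.0", 1000))
    print(harvester_report(pot, [(addr, 90000, "198.51.100.7")]))  # constructed sample
```

The report keeps the harvesting IP and the sending IPs separate, which is the distinction the lawsuit relies on: the party that collected an address need not be the party that later mails it.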

The lawsuit goes after the harvesters, and not the spammers. In fact, the harvester and the spammer may be the same person, but under CAN-SPAM Section 5(b)(1) it is unlawful to send spam if the spammer has actual knowledge or knowledge fairly implied from the circumstances that the spammed email address was obtained “using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.”

Based on this section, the lawsuit can target the harvesters and the spammers. As it is a “John Doe” lawsuit, the initial phase of the litigation will likely be to unmask the identities of the people standing behind the harvesters. According to Project Honeypot statistics, close to 23% of the harvesters are U.S.-based and subject to the District Court’s jurisdiction. It may be harder to unmask the Romanian (10%) or Chinese (7%) harvesters, but out of 15,610 total spam harvesters identified, this makes at least 3,000 harvesters that are based in the United States. Once the identity of the harvesters is verified, the next step is probably to see whether they are the actual spammers or they resell the email addresses to a third party. My hunch is that under the threat of large civil damages and an expensive lawsuit, a harvester is likely to disclose any relationship he or she may have with a spammer.

The strategy behind the lawsuit is brilliant and it shows what Jon Praed and Honeypot can do very well - find novel ways to gain an advantage in the increasingly difficult war against spam. Because this lawsuit is of enormous importance and magnitude, feel free to check back as I will be updating as often as I can about the status of the case and I will try to throw some of my thoughts into it as well.

November 14th, 2006 by dm Spam none Comments

Sophos has produced its latest report on the top twelve spam relaying countries over the third quarter of 2006. As the chart below shows, the US is by far the largest spam relay, with almost 1/4 of all the world’s spam originating from US computers. Some experts believe this lead is due to the emergence of over 300 strains of the mass-spammed Stratio worm.

[Chart: Top Twelve Spam Relaying Countries in July-September 2006]

August 24th, 2006 by dm Hacking, Spam, Law & Policy none Comments

David Lennon, a U.K. teenager, has been sentenced by a Magistrate Judge in Wimbledon Magistrates Court to a two-month curfew for sending 5 million e-mails to Domestic & General Group, which crashed its servers. The conviction came under the Computer Misuse Act, which explicitly outlaws the "unauthorized access" and "unauthorized modification" of computer material.

Lennon’s case was reviewed earlier by another judge who held that massive amounts of e-mail did not violate the Computer Misuse Act because e-mail servers were set up to receive e-mail and therefore each individual email constitutes an "authorized modification" to the server under the Act. The previous ruling was challenged by the prosecution and was sent back to the Magistrate Court.

The Magistrate Judge, in realizing that some damage has been done, said,

Even given his age at the time, this was a grave offense and caused serious damage, so I need to impose something to make him think again.

It is interesting to note how the U.K. Courts have struggled with applying the Computer Misuse Act in computer contexts such as this one. Arguably, as the initial court held, sending e-mail messages to a server is "authorized" and should not be criminal even if done on a large scale (5 million). In reality, some damage has been done to the servers because they crashed under the heavy load, and the Magistrate Judge seemed to realize this, but still seemed uncomfortable. In the United States, early e-mail spam cases were brought under the Computer Fraud and Abuse Act (or state equivalents) with mixed success. Although it is not exactly clear whether the CAN-SPAM Act has had any significant impact on the amount of spam, it has provided an easy-to-use and clear tool to fight spam in the United States.

Because of cases such as this one, the U.K. Computer Misuse Act has been considered insufficient to stop crimes such as large-scale spam or denial-of-service attacks, and amendments have been proposed which would increase penalties and would criminalize behavior such as "maliciously impairing the operation of a computer or preventing access to programs or data." [Will Sturgeon, U.K. cybercriminals threatened with 10-year term, CNET, Jan. 26, 2006]

March 30th, 2006 by dm Spam, Law & Policy none Comments

A recent decision by the U.S. District Court for the District of Maryland upheld the Maryland Commercial Electronic Mail Act (MCEMA), Md. Code Com. Law § 14-3001 (2002). The challenge was made by an out-of-state advertising network arguing that the statute violates the dormant commerce clause of the United States Constitution. Plaintiff was an ISP who sued website operators claiming that operators were generating unsolicited commercial emails in violation of the Maryland Anti-Spam statute.

The court held that the benefits to ISPs and users in reducing strains on systems and irritation from clutter created by unwanted messages clearly outweighed any burdens on interstate commerce, and that in enacting CAN-SPAM, Congress expressly accorded states the right to regulate false and misleading email transmissions. The court relied on Washington v. Heckel, 24 P.3d 404 (Wash. 2001), in which the Washington Supreme Court upheld that state’s nearly identical anti-spam statute against a dormant commerce clause challenge.

Beyond Systems, Inc. v. Keynetics, Inc., 2006 WL 687156, D.Md.,2006., Feb 14, 2006 (sorry, could not find readily available PDF of opinion, if you have a link, please share it)

March 30th, 2006 by dm Spam none Comments

Interesting materials on the technical and legal fight against spam - the 2006 MIT Spam Conference was held this week and the organizers have already posted webcasts of the events. Coming soon are ISOs of DVDs with materials and higher quality video streams.

March 10th, 2006 by dm Spam, Law & Policy none Comments

You know that there is a problem when the UN comes out and gives an authoritative opinion.

"Some ISPs are very proactive, and are spending huge amounts of money combating spam. The problem is not all ISPs are doing this. A smaller group of ISPs profit from carrying spam or take no action, and those bad apples touch the rest of the ISP community," said Susan Schorr, regulatory officer with the ITU’s telecommunications development bureau.

The International Telecommunication Union (ITU) is the UN organization responsible for global telecom standards. According to them, ISPs should be required (by whom?) to enforce conduct codes regarding their customers and block spammers’ access to email.

"We’re proposing regulators could pass legislation to require ISPs to enter into enforceable codes of conduct for their customers," Schorr told ZDNet UK.

Nice idea, but does the ITU realize how hard it is to write new laws that force ISPs to create codes of conduct for their users? Shouldn’t the market do this?

[More at ZDNet UK]

February 4th, 2006 by dm Spam none Comments

Verizon Wireless, the #2 US mobile carrier, has won a permanent injunction against Passport Holidays, a Florida company, to stop them from sending unsolicited text-messages to Verizon subscribers. The lawsuit was a result of 98,000 messages being sent to Verizon customers in October. At an average rate of 5¢ per text-message, this makes for approximately $5,000 in fees that Verizon charged its customers due to the spam. Verizon also received a $10,000 judgment from Passport Holidays.

Text-messaging spam has different economics than ordinary email spam. In addition to the annoyance of receiving an ad on the cell phone, many mobile subscribers are charged for each incoming text-message (in fairness, many plans have included a number of free in/out text-messages while other plans have free incoming messages). Thus, mobile phone spam presents a more serious economic threat than email spam and it is good to see providers become active in prosecuting this type of threat.

How effective is text-messaging spam anyway? Users receive a short message on their mobile phones that tries to sell them a vacation cruise and lists a call-back number for people to dial. How many people actually go through the trouble to dial that number despite (possibly) the annoyance and (hopefully) suspicion?

January 31st, 2006 by dm Spam none Comments

People who were trying to predict the success of a movie at the Sundance festival could just do a simple spam filter analysis. Unspam Technologies, based in Park City, Utah, have tweaked a spam filter and have used the results to predict (with certain success) the success of a movie.

Two of the films they selected, a documentary called "God Grew Tired of Us" and a drama called "Quinceañera" won the festival’s coveted jury prize awards Saturday night.

Here’s how Unspam did it - instead of filtering spam, they modified the filter to look for the signs of a successful film based on data from 10 years of Sundance film guides, which include descriptions of each movie, along with information found in the Internet Movie Database and box office figures.

Despite missing some movies which were successful, the spam-filtering technology (based on a Bayesian classification system) may prove to be useful in other areas. Oscars, anyone?

[Via InternetNews.com]
