
Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-07 20:34:52
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

The email addresses they provide go to free web mail sites.
The web addresses they go to go to IP addresses, or to free-website 
sites, or to real sites that have an open-redirect, or to real domain 
names that are hosted on some web server in China and have whois 
information that doesn't point me to a real company.  Or in those 
cases where it might, it means calling some random phone number in a 
country on the other side of the world.

Which of those cannot be traced?   For example you might pass them a
credit card number and then serve papers on the credit card factor
that tries to collect.  In an anti-junk fax mailing list, I've seen
many reports of successful applications of this tactic.  The reason
they use this tactic is that many junk faxers are just as shy about
releasing their real names and postal addresses.


...
I know, ignore that.  I should go to the web site and use that to 
track them down.  Right?  Follow the money?

...
And then I'd have to track down those companies and see if they are 
real, or whether they are the spammer.  Maybe they are innocent 
parties and they are just paying for leads.  That's going to take 
more tracing, more phone calls, possibly even a court order.

That's probably not a good example, because reports from those who
have chased mortgage broker spammers say that the spammers are paid
real money by real mortgage brokers for leads and the real brokers
are often happy to cooperate in identifying the spammer.


So.  Yes.  Eventually we can follow the money.  That is very 
different from "identification".

No, it is "identification," but it isn't point-and-click.  Contrary
to the crypto authentication snake oil, there will never be point-and-click
interfaces to mechanisms that destroy spammers.  Spammers will always
use shells and screens.  If you somehow force them to buy Verisign
certs, they'll use false names, brokers, and middle men like Domains
by Proxy.  The only effective way to identify spammers will always be
variations of "follow the money."


What good does this do to the average user on the net?  We can now 
tell them that if they hire a computer consultant to spend several 
hours of time they might be able to find out the name of the person 
who is spamming them from China.

There's identifiable, and there's *usefully* identifiable.  I don't 
buy the claim that this identifies the advertiser in any real sense. 
And this is one of the more trackable pieces of spam in my inbox.

I agree, it is not usefully identifiable to people who are not motivated
by something more than a single $500-$1500 fee.


anonymous than any spammer.  Any spam received through an SMTP server
that is not utterly broken and lame has a Received header that accurately
identifies the IP address of a computer owned by at least one party
that is at least partly responsible for the spam.  Many and probably

Yup.  This one was clearly identified as coming from an open proxy in Brazil.

Again, a spammer's IP address (or any conceivable crypto authentication)
is about as useful as the telephone number in a TCPA case.  In many
and perhaps cases they are useless.  You have to follow the money.


...
used to whack them with fines ranging from $500 to millions of dollars.
For examples, see http://www.fcc.gov/eb/tcd/ufax.html

I know.  I've provided the FCC with a number of complaints for junk 
faxes and phone calls.  They even follow up to every report with a 
letter containing a printout of several pages on their web site.

Until the Colorado do-not-call law went into effect in July, 2002,
and my junk faxes abruptly stopped, I had trained the FCC letter
openers to respond with junk paper copies of the TCPA and so forth
only every half dozen monthly packages of paper copies of junk faxes.
I suspect from the affidavits and other hints that the FCC occasionally
asked me to sign that our packages and reports were significant in
the $M actions against 21st Century.  


Thus, there is no non-technical need for any more identification of
spammers than we already have.  The only sane and honest justification

Whoa.  Backup.  Those junk faxes and phone calls; they had a contact 
phone number in them.  I fed that number to the FCC, they look it up, 
now they have a name and address.  ...

Do they really?  Don't some 1-900 phone system outfits shield their real 
customers?
Why couldn't the FTC do the same with spam that the FCC does with
junk faxes?  Hasn't the FTC already done exactly that with several
dozen spammers?


Now compare the amount of time it would take to track down the spam I 
just mentioned.  And add in the fact that, unlike the fax/call case, 
it needs to be done by someone technical.

No one technical (in the TCP/IP or SMTP sense) is needed to follow a
credit card number.  On the other hand, the identification in the 21st
Century junk faxes consisted of a 1-900 phone number.  Could you have
done anything with that?  I couldn't.

I was also unable to convert Denver area phone numbers on some junk
faxes to addresses.  I suspect that subpoenas or other legal crowbars
would have convinced the local telco to help, but I found that barrier
too high for a mere $500-$1500 pay off.


Phone and fax spam provides enough information for someone's 
grandmother to file a complaint.

So does spam.  Your grandmother could print the whole spam with
headers and treat it as I treated 21st Century's junk faxes.
I didn't need to know the next to nothing I know about 1-900 
phone numbers, ANI, and so forth to mail paper copies to people
who do have clues, can issue subpoenas, and ask me to sign
affidavits saying that I'm in charge of a fax machine and that
21st Century did not have permission to send their junk.

Email spam is hidden behind a maze of temporary identities.  It often 
isn't possible to trace if you don't respond to it immediately.  I 
don't see how you can argue that this bears any relationship at all 
to phone and fax spam.  The difficulty in tracking down a spammer is 
different by several orders of magnitude.

That is not true if you normalize the difficulties for both to the
common person.  A 21st Century junk fax had no identification except
1-900 numbers.  I don't know about you, but for me it's "several orders
of magnitude" easier to chase SMTP headers and IP addresses than to
convert a 1-900 number into an address for sending papers for small
claims court.

There's another lesson in the TCPA and junk faxes that is waiting to
be learned by those who are not stuck on peddling authentication snake
oil.  The TCPA requires that all faxes carry an equivalent to a banner
that identifies the sending fax machine.  If you've seen many junk
faxes, you know that many junk faxers ignored that requirement.  If
you have a fairly recent fax machine, you've surely configured it to
reject some junk faxes based on valid or invalid source telephone
numbers such as "@".


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com