[Asrg] [OT?] CIS Systems wins $1.08 billion in case against spammers

A May 30 BusinessWeek online article details a $1.08 billion courtverdict for CIS systems against three companies on spam-relatedcharges. An interesting part was the mention that "A CD-ROM popularamong spammers had some 2.8 million e-mail addresses for real andbogus CIS clients. It included names likes john(_at_)cis(_dot_)net andbuttcheese4ever(_at_)cis(_dot_)net". I seriously doubt that there anyoneactually chooses 'buttcheese4ever' as an email address (and CISsystems only had 5,000 customers anyway!). So, what is the possiblemotive of putting a fake email address on a 'spam CD'? Unlesssomeone put that in as a fake ID somewhere, or the harvesting systemis just putting together random IDs and domains (which seemsextraordinarily stupid, even for spammers).


chan=mz&

Jim

----

Article follows. URL Link: //www.businessweek.com/print/magazine/content/05_22/b3935012_mz001.htm?

(NOTE: This is reproduced under the Fair Use clause of US copyrightlaw, for education purposes only on a research-oriented mailinglist. The following text is copyright BusinessWeek Magazine,published by The McGraw-Hill Companies. No copyright by the authorof this message is claimed, nor is any infringement of copyrightintended. No commercial or noncommercial gains, other than theeducation of this research community of the IETF, are being made.)

How a small Iowa ISP and two antispam attorneys sued junk e-mailersand won a $1 billion judgement

The fight against big-time spammers is a tough one -- but sometimesthe little guy can win.

Case in point: Tiny CIS Internet Services. Beginning in 2000, theInternet service provider (ISP) based in Clinton, Iowa, (population:35,000) began to be deluged with tens of millions of spam e-mails. ACD-ROM popular among spammers had some 2.8 million e-mail addressesfor real and bogus CIS clients. It included names likes john(_at_)cis(_dot_)netand buttcheese4ever(_at_)cis(_dot_)net(_dot_)

Trouble was, CIS only had 5,000 customers, mostly rural Iowaresidents with dial-up service at the time. Its single T1 Internetconnection couldn't handle the e-mail onslaught, which caused serversthat should have run untroubled for months to crash frequently.

TURNING THE TABLES. After battling with the junk e-mails for twoyears, CIS founder Robert Kramer, 46, decided to fight back. Hecontacted antispam attorneys Paul "Pete" Wellborn III and KellyWallace. The duo have helped giant Atlanta-based ISP EarthLink(ELNK ) track down and sue dozens of other online purveyors of Viagraand herbal supplements. One, Howard Carmack, known as the BuffaloSpammer, was convicted and sentenced to up to seven years in jaillast year by a judge in Erie County, N.Y.

With Wallace taking the lead, the attorneys identified 300 "John Doe"spammers and filed suit in U.S. District court in Iowa in October,2003. Like so many other executives at ISPs, Kramer has been troubledby spammers for years. More than 80% of e-mail is estimated to bespam, according to e-mail security firm Postini. Microsoft (MSFT ),Time Warner's (TWX ) AOL unit, and EarthLink have filed dozens ofsuits to shut them down.

Now, it was Kramer's time to turn the tables. "They're criminals allthe way around," he says.

RACKETEERING CHARGES. Victory, at least moral, came last December.Setting a financial precedent, a federal judge awarded $1.08 billionin damages to CIS, blaming three companies identified as using itsservers to send unsolicited e-mail. None of the companies -- Florida-based Cash Link Systems and TEI Marketing, and Arizona-based AMPDollar Savings -- ever responded to the court. It didn't matter. Thejudgment was the largest ever against spammers.

More important, it delivered a message that the veil of anonymity onthe Web is lifting. "This is a stark reminder to spammers of the kindof punishment that can await them," says Ray Everett-Church, chiefcounsel at the Coalition Against Unsolicited Commercial Email(CAUCE), an antispam group.

Indeed, the CIS case shows how the law may finally be catching upwith cybercriminals. CIS sued them using an Iowa antispam law thatallows plaintiffs to claim damages of $10 per junk message -- asevere penalty for spammers pounding in-boxes with billions of e-mails each day. And they used the federal Racketeer Influenced &Corrupt Organizations (RICO) Act, which Justice Dept. officials sayis proving to be a useful tool in charging alleged cybercrooks.

"CONSTANT ATTACK." Indeed, in the ruling, U.S. District JudgeCharles Wolle agreed that CIS was harmed by a spam deluge thatmethodically filtered more than 10 million messages per day throughcompany servers. "There are people out there who think they're immunefrom prosecution," says Wallace, 34, who studied law at the GeorgiaInstitute of Technology.

The evidence against the spammers in the CIS case was substantial,says Wallace. The companies allegedly used a CD-ROM called"BulkMail4Dummies, Version 2" to hawk cashless ATMs, mortgages, andViagra. In court, Wallace showed log files indicating that each daybetween August and December, 2003, Cash Link Systems sent 60,000 spame-mails to CIS customers, AMP sent 120,000, and TEI sent another1,400. The actual numbers were much higher, says Wallace.

And those companies' alleged misdeeds were nothing compared to thefirehouse of spam that CIS suffered. CIS server logs showed that inone 24-hour period, more than 9 million connection attempts were madeto CIS servers by the three companies and dozens of others. Most weresuccessful. Spam experts say there's no limit to the amount of e-mailthat can be sent with each connection. And the wave of connectionshit every day for years. "This was a constant attack," says Wallace.

LEGAL BATTLES. Kramer is unlikely to see much of the money in theshort run. Cash Link Systems, which owes $360 million, had its assetsseized last year by the Securities & Exchange Commission. The fedsaccused the company of running a scam to lure investors for itscashless ATM business. Few of its ATMs were ever installed, accordingto an SEC complaint. AMP Dollar, tagged with a $720 million penalty,and TEI Marketing, which owes $140,000, have remained silent.

Since then, however, Wallace has filed another lawsuit on behalf ofCIS against the alleged operators of AMP, the husband and wife teamHenry Perez and Suzanne Bartok, seeking to collect damages. A judgedeclined their motion to dismiss the suit in March. The duo'sattorney, Davis Foster, says the case is now moving to discovery. Hedisputes that AMP, itself, was a spamming company.

The pain of dealing with spam has eased only slightly for Kramersince the judgment. After all, the authors of "BulkMail4Dummies" haveyet to be tracked down, despite an FBI investigation prompted byantispam attorneys Wellborn and Wallace. Kramer estimates he hasspent more than $200,000 to repair equipment, upgrade servers, andadd bandwidth to handle the continuing spam flood.

RAPID FIRE. Despite having launched DSL and wireless broadbandservice, his customer base has tumbled below 5,000, smaller than itwas before the lawsuit. Spammers still paste CIS e-mail addressesinto their "From" fields to hide the origins of their wares. Those e-mails are bounced back to Kramer from AOL, EarthLink, and other giantISPs, creating more spam. "These schmucks don't just blast you 3million times then go away," he says. "They hit you again and againand again."

Still, Kramer holds out hope that one day he will be able to look aconvicted spammer in the eye -- as he collects a huge check fordamages. "I have worked my ass off, and they have dominated my lifefor many years," he says. "It would be nice to see what type of aperson pushes a button and walks away." Meantime, he's savoring asmall but symbolic victory against the spam set.


By Brian Grow in Atlanta
EDITED BY Edited by Patricia O'Connell

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg