On 10 Feb 2004, Franck Martin wrote:
If he subscribes himself, then we have his e-mail address and then his
provider and may be an IP and time, so we could track him down in the
real world and may be sue him...
So instead of using his own email address, the abuser sends a virus to a
bunch of people, and when they get infected, the infected "send" the spam,
and then we just track down an infected user, and disinfect them.
There's more, see below.
As I've said for some time, most of the junk we are getting is currently
from viruses run by abusers, not from genuine spammers. Now the
statistics are starting to show this. I just saw some stats on the top 95
real spammers that show that most are complying with the new federal
anti-spam law, and that over half (56%) are fully compliant. Yet,
checking my own inbox, I find very little spam that is compliant, or even
partially compliant. Apparently, most of the "spam" doesn't come from
real spammers.
Some might say "so what? it doesn't matter whether the abusers really want
to sell products/services/scams etc". Actually, it does matter.
When you realign your anti-spam efforts from control of business to
control of techno-terrorists, the problem is quite a bit different, and
you can see also that things like signing and other things aren't going to
work.
Now we have the criminal law tools needed to go after the abusers: That is
road to stopping spam. You don't need to sue anyone--you need to
prosecute them for criminal violations of the can-spam act, and criminal
violations of the Computer Fraud and Abuse Act (for virus infection).
Criminal investigations have a much easier time of getting the information
that is needed to identify and prosecute the criminals.
I don't expect that this is going to net spammers. I expect it will net
anti-spam radicals seeking to annoy people into a ban on spam. Here's why:
A careful review of the history of the spam wars shows that the radicals
have been conducting the abuse from the time of the Internet E-Mail
Marketing Council (IEMMC).
The IEMMC was formed in May of 1997 between Cyberpromotions and AGIS and
some others. Its goal was to encourage voluntary spam labeling and opt-out
lists, and to work out a compromise on spam between the advertising and
technical community. It truly infuriated anti-spam radicals.
In August 1997, Cyberpromo's web site was hacked, and files and email were
deleted.
AGIS then came under a large Denial of Service attack, and finally
succumbed and disconnected Cyberpromo and withdrew from the IEMMC, in
September, 1997. When the IEMMC collapsed the radicals probably thought
their abuse tactics were effective, and were probably encouraged to
continue their abusive behavior.
One might say this is ancient history, but in fact, the IEMMC position on
spam was practically legislated in the CAN-SPAM act, with the caveat for
criminal violations. Its also interesting in light of the attacks on
Cyberpromo and AGIS. These attacks are typically associated with groups of
script kiddies. Vixie has subsequently reported that he is in contact
with the "script-kiddies" and that they are mostly anti-spam. Being
anti-spam is not the same a being anti-mailbombing, which is the
script-kiddie term for their fake spamming. What the CAN-SPAM act did was
revive the ideas of the IEMMC, and in doing so, it changed genuine spammer
behavior so that genuine spammers can be distinguished from that of the
radicals/abusers. Now it is just a matter to use the criminal provisions
to track down the abusers, and punish them.
What does this mean? For one thing, it means that we will be able to use
criminal investigations to identify the abusers. I expect that these are
essentially the same radicals who were attacking cyberpromo with DOS
attacks in 1997; that have been filling email boxes with spam and fake
opt-out links since 1997 in the hope of motivating people to demand the
spam be banned; that have released many viruses that send spam. But it
will be interesting in any case. Importantly, it will eventually stop the
abuse.
Criminal complaints can also be issued against individuals outside of the
United States with good effect. It is much more difficult to exercise a
civil suit internationally.
The second thing it means is that you can forget trying to create
technical solutions to spam. Not only can't such schemes succeed in
preventing techno-terrorism for reasons drawn from information theory as
previously explained, but they are now unnecessary.
--Dean