Spam: December 2004 Archives

According to a Reuters story, AOL has seen a 50 percent reduction in spam detected over the past year. At the same time subscriber complaints due to spam are down 75 percent.

The article (which reads like a press release for AOL's new security initiative) does not speculate about the cause of this decline. One obvious possible cause is a reluctance on the part of spammers to become a test case for tough spam laws in the Commonwealth of Virginia (where AOL's servers are located).

Where I work, spam blocks routinely account for 80 percent of all incoming email, so I wouldn't make a global generalization about spam based on what AOL is reporting.

The Washington Post reports that the Judge in the case against the AOL employee who stole the AOL Membership list and sold it to spammers has rejected a guilty plea on the grounds that a crime may not have been committed.

While employed at AOL the software engineer stole 92 million email addresses and sold them to spammers for $100,000. However he is charged under the Federal CAN-SPAM act which the Judge says requires proof of deception. Normally this deception is in the form of forged mail headers and return addresses.

I would suspect that this cretin would be seen as a co-conspirator with the spammer and thus the spammer's deception would also be his own. So at a re-hearing in January perhaps they can push this thing through.

Still, it seems to me that this is illustrative of what happens when Congress creates law for the problem of the day instead of allowing current law to do the job. I tend to think that if this guy was charged with theft of trade secrets there wouldn't be this grey area. Of course from my cyberlaw class, they would have had to prove that the membership list was really a trade secret and was adequately protected by AOL. At least then they wouldn't have a clearly established area of law instead of creating a potential test case of the CAN SPAM statute and potentially having problems with activist Judges.

http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20041218/ap_on_hi_te/spam_lawsuit
Robert Kramer, whose company provides e-mail service for about 5,000 subscribers in eastern Iowa, filed suit against 300 spammers after his inbound mail servers received up to 10 million spam e-mails a day in 2000, according to court documents.

AMP Dollar Savings Inc. of Mesa, Ariz., was ordered to pay $720 million and Cash Link Systems Inc. of Miami, Fla., was ordered to pay $360 million. The third company, Florida-based TEI Marketing Group, was ordered to pay $140,000.

Kramer's attorney, Kelly Wallace, said he is unlikely to ever collect the judgment, which was made possible by an Iowa law that allows plaintiffs to claim damages of $10 per spam message. The judgments were then tripled under RICO.

"Scammers Exploit DomainKeys Anti-phishing Weapon." So screams the headline in a recent eWeek article.

Oh boy. Here we go again. Another uninformed article from a tech writer who couldn't learn from the response to the uninformed articles about spammers abusing SPF. These articles are really dangerous. They lack any understanding about what SPF and Yahoo! Domain! Keys! actually are intended to accomplish. The articles are read by decision makers and implementers who haven't taken the time to read up on these new technologies and they take the article at face value.

eWeek has an area for comments on its articles. One insightful comment is purportedly by Dave Anderson, CEO of Sendmail. He says "Authentication does not prevent fraud. It does not prevent spam. It does prevent impersonation. None of the proponents has ever suggested otherwise. Once we have email authentication we know who is sending emails and can take many actions to prevent abuse."

It isn't a shock to anyone but these tech writers that an open standard, which can be used by anyone, is used by a spammer. Merely having an SPF record or a Domain Key should not grant passage to a message. Instead it verifies the source of the message.

The article mentions spammers using domain keys with a yahoo account. Great! If every spammer did that, when you saw a yahoo return address, you would be guaranteed the spam came through the Yahoo system and you know who to complain to.
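The distinction drawn above, that a pass on SPF or DomainKeys only identifies the sender while a separate reputation decision grants or denies passage, sketched as an added example that is not part of the original post. It reads the `Authentication-Results` header a receiving mail server records; the host name, the reputation table and the sample messages are constructed, DKIM stands in for its predecessor DomainKeys, and the authenticated domain is simply compared with the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumed name of our own border MTA
REPUTATION = {"bank.example": "good", "bulk-offers.example": "bad"}  # constructed
RESULT = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)")

def authenticated_domains(msg):
    """Collect domains that passed or failed SPF/DKIM, per our own MTA only."""
    passed, failed = set(), set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else: the sender can forge it
        for _method, result, ident in RESULT.findall(results):
            domain = ident.rsplit("@", 1)[-1].lower()
            if result == "pass":
                passed.add(domain)
            elif result == "fail":
                failed.add(domain)
    return passed, failed

def decide(raw):
    """Return (verdict, reason): authentication identifies, reputation decides."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    passed, failed = authenticated_domains(msg)
    if sender in passed:
        reputation = REPUTATION.get(sender, "unknown")
        if reputation == "bad":
            return "reject", "authenticated spam, report to abuse@" + sender
        if reputation == "good":
            return "accept", "authenticated and trusted"
        return "filter", "authenticated but unknown"
    if sender in failed:
        return "reject", "impersonating " + sender
    return "filter", "unauthenticated, no identity to judge"

def sample(from_addr, auth_results):  # builds a constructed message
    return ("Authentication-Results: %s\nFrom: %s\nSubject: hi\n\nbody\n"
            % (auth_results, from_addr))

SPAM = sample("promo@bulk-offers.example", "mx.receiver.example; "
              "spf=pass smtp.mailfrom=promo@bulk-offers.example; "
              "dkim=pass header.d=bulk-offers.example")
PHISH = sample("alerts@bank.example",
               "mx.receiver.example; spf=fail smtp.mailfrom=bank.example")
FORGED = sample("alerts@bank.example",
                "mx.evil.example; dkim=pass header.d=bank.example")
```

`decide(SPAM)` rejects a message that authenticates perfectly, and `decide(FORGED)` shows why only results stamped by your own server count.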

The closing paragraph of the article is the most interesting. And most likely the most factually incorrect part of the article. "They [phishers] then send out normal phishing messages that take the recipient to an attacker-controlled page located on the bank's server. These attacks are insidious because the victim is visiting a legitimate site, security experts warn." According to this, the phisher already has hacked the bank's server. If this is the case, game over. Phishing is unnecessary, they are inside the bank's server. Most likely the author was trying to say the phishing site often uses images from the legitimate server to maintain the same look and feel.

The thing that galls me most about this horrible article is that I learned about it through a SANS newsletter. They passed the URL on and quoted the article without comment. It's as if they were endorsing this article.