
Big US ISPs set legal attack dogs on big, bad spammers

Taking them out, 'one kingpin at a time'


America's four leading ISPs today announced the filing of the first big lawsuits under the new federal anti-spam law, the CAN-SPAM Act.

America Online, EarthLink, Microsoft and Yahoo! last night filed six lawsuits against hundreds of defendants, including individuals suspected of being among the US's most prolific spammers. The suits are overwhelmingly against unnamed defendants (only Yahoo! names those it's gunning for). At a press conference in Washington DC today, top legal officers from AOL et al explained that federal laws allow the names of defendants to be inserted at a later stage in proceedings.

Defendants in the civil suits (filed in federal courts in California, Georgia, Virginia and Washington state) are collectively charged with sending hundreds of millions of spam messages to customers of the four networks.

A wide variety of products - ranging from get-rich-quick schemes, to prescription drugs, pornography, instructions for conducting spam campaigns, banned CDs, mortgage loans, university diplomas and cable descramblers - were punted in these junk messages.

Tricks and subterfuge

Spammers used a variety of deceptive and criminal techniques in their attempts to make sure their spam was read. These tricks included: sending spam through third-party computers to disguise their point of origin (i.e. using open proxies); falsified 'from' email addresses (spoofing); omitting a physical address in messages; and failing to include a valid unsubscribe option.

Each trick violates CAN-SPAM. The law provides for serious penalties against large-scale spammers who use fraud, deceit and evasion to send junk email to consumers. Two in three spam messages contain deceitful elements actionable under CAN-SPAM, according to America's big four ISPs.

Follow the money

They are targeting high-volume outlaw spammers in a campaign which will see "stepped-up and co-ordinated civil enforcement programs". The next targets are likely to be the firms which hire spammers to promote their services.

Investigators will follow the money to bring spammers to book. US residents who operate off-shore are not beyond the reach of US law, the ISPs warned in a press conference today.

Randall Boe, AOL general counsel, said his company is committed to dismantling the junk mail industry "one spam kingpin at a time if necessary.

"Our actions today clearly demonstrate that CAN-SPAM is alive and kicking - and we're using it to give hard-core, outlaw spammers the boot."

CAN-SPAM really can

CAN-SPAM gives the industry a "significant new advantage" in its fight against spam, according to Yahoo! general counsel Mike Callahan. "We're holding spammers directly accountable for the relentless infiltration of people's inboxes," he said, adding that the industry has formed a "more unified front" in its fight against spam.

AOL, EarthLink, Microsoft and Yahoo! formed the Industry Anti-Spam Alliance last year. Since then they have shared information, resources and investigative best practices in assembling their lawsuits.

But legal enforcement is only part of the answer, they say. Wider use of anti-spam technologies, consumer education and stronger partnerships between industry and government are also needed. The Industry Anti-Spam Alliance is working to establish improved certification and authentication of email as an Internet standard.

Case Summaries

AOL v. Davis Wolfgang Hawke, et al

Davis Wolfgang Hawke (AKA Dave Bridger), Braden Bournival and unknown defendant co-conspirators are alleged to have transmitted millions of spam email messages directing AOL members to Web sites selling "Pinacle" penis enlargement pills, weight loss supplements, handheld devices advertised as "personal lie detectors" and a product labelled "the Banned CD".

These messages have generated 10,000 user complaints since last July, according to AOL.

In addition, the complaint alleges that Hawke also offered to provide or sell illegal "bulk-friendly hosting" services, "cracked" bulk mailer programs and millions of AOL addresses.

AOL v. John Does 1 to 40

AOL's complaint alleges that from at least November 2003 to the present, unknown defendants transmitted millions of spam messages to AOL members advertising numerous websites selling a variety of products, including mortgage leads, adult-content websites and business opportunities. The messages (with misleading subject lines, natch) were transmitted through fraudulent means to make it difficult to determine the identity of those responsible.

The unnamed defendants used various tactics in an attempt to evade AOL's spam filters, including random text in the body of their messages. These spam messages generated more than 500,000 complaints from AOL members.

EarthLink v. John Does 1 to 25 (The "Prescription Drug Spammers"); John Does 26 to 35 (The "Mortgage Lead Spammers"); John Does 36 to 45 (The "Cable Descrambler Spammers"); John Does 46 to 55 (The "University Diploma Spammers"); John Does 56 to 65 (The "Get Rich Quick Spammers"); and John Does 66 to 75 (other spammers)

These varied unnamed defendants have sent millions of spam email messages to EarthLink members, again using deceptive practices, to advertise websites selling prescription drugs, mortgage leads, cable descramblers, university diplomas and get-rich-quick schemes. Some of the defendants have used text randomizers to insert long passages of gibberish in messages in attempts to evade EarthLink's spam filters.

Microsoft Corp. v. JDO Media of Florida, and John Does 1 to 50 (U.S. District Court, Western District of Washington)

This lawsuit accuses JDO Media and other unknown defendants of operating an automated multilevel marketing program advertised through spam. Microsoft Hotmail subscribers have been barraged by millions of illegal email messages touting this program.

The lawsuit alleges that the spam used to promote the program is intentionally routed through open proxies, contains header information that is false and misleading, and uses other deceptive methods to disguise the senders' identities in violation of CAN-SPAM.

Microsoft Corp. v. John Does 1 to 50, doing business as Super Viagra Group

The "Super Viagra Group" sent Microsoft Hotmail subscribers "hundreds of millions of illegal email messages" advertising either 'Super Viagra' or a weight-loss patch. The lawsuit contends that Super Viagra Group routes its email messages through open proxies and hijacked computers in countries around the world, and uses misleading transmission information and subject lines. Approximately 40 domain names registered throughout the world were promoted in these junk mail messages.

Yahoo! Inc. v. Eric Head, Matthew Head and Barry Head, and their companies Gold Disk Canada, Head Programming, and Infinite Technologies Worldwide, collectively known as "The Head Operation"

The defendants were on Yahoo! Mail's "Most Wanted" spammer list for allegedly sending millions of spam messages. In January 2004, Yahoo! Mail received about 94 million email messages from The Head Operation.

Messages consisted of solicitations for life insurance, mortgage and debt consolidation, and travel services sent using open proxies all over the world. The defendants allegedly used colour font tricks to hide randomized text in an attempt to circumvent Yahoo's SpamGuard filter. ®

External Links

Critique of CAN-SPAM by anti-spam organisation Spamhaus
All six CAN-SPAM lawsuits (on Findlaw)
