CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Suing Spammers for Fun and Profit
Serge Egelman
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ • Serge Egelman
“Two years from now, spam will be solved”
-Bill Gates, February 24th, 2004
Background
• Over 80% of all mail
  • 2006 MAAWG report
• Less than 200 people responsible for 80%
  • According to Spamhaus.org
Background
• It’s cheap!
• Wider audience
• Profit guaranteed
• Little work involved
[Bar chart: cost comparison, Email $250 vs. USPS $2,200 (axis $0–$2,500)]
Background
• Address harvesting
  • Web pages
  • Forums
  • USENET
• Dictionary attacks
• Purchased lists
• No way out
Profile of a Spammer
• Alan Ralsky
  • 20 computers at home
  • 190 servers around the world
  • 650,000 messages/hour
  • 250 million addresses
  • $500 for every million messages
  • Do the math!
• Convicted felon
  • 1992 securities fraud
  • 1994 insurance fraud
• 2008 stock fraud indictment
Technical Means
• Text recognition
  • Keywords
  • Statistical modeling
• Black hole lists
• Greylisting
• Cryptography
  • Digital signatures
  • Payment schemes
Asymmetric Cryptography Example
Digital Signature Example
DomainKeys
• Asymmetric cryptography
• Verified sender
• Modified SMTP server
• Additional DNS records
SpamAssassin
• Multiple tests
  • Around 300
• Statistical modeling
• Scoring
Example
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
    b=ARByWZ8/yk5cm8Ew/tJZ5UykezQZkm/fZUV6Wkd0RAb46slxGg8TRQ91Dc2yi8ZIhbVz1TOc94QeRGgHOfvALEtjqeIA1L1z3yVtTa+4BJG4+oqiTsTicz+bI2hPdGlGFRixbSshslvoyc3FaISIICMx7HlcqCN/wmiG4Q0uub4=
  From: Matthew Eaton <[email protected]>
  Reply-To: Matthew Eaton <[email protected]>
  To: [email protected]
  Subject: test from gmail
  X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
  X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
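The two headers above carry the information a receiving system acts on: the DomainKeys tags (algorithm, selector and signing domain, which together name the DNS record holding the public key) and the SpamAssassin verdict line. The following parser is an added example, not code from the slides; the sample headers are constructed to match the example, with a placeholder in place of the real signature and a placeholder sender address.

```python
import re

# Constructed sample modelled on the slide's example; the b= signature and the
# sender address are placeholders, not the values from the original message.
SAMPLE_HEADERS = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
 h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
 b=PLACEHOLDER_BASE64_SIGNATURE=
From: Matthew Eaton <sender@example.com>
Subject: test from gmail
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on jabba.geek.haus
"""

def unfold_headers(raw):
    """Return {name: value}; folded continuation lines (leading blank) are joined."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers

def parse_domainkey(value):
    """Split 'tag=value; tag=value' into a dict; h= becomes a list of header names."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            tags[k.strip()] = v.strip()
    tags["h"] = tags.get("h", "").split(":")
    # DomainKeys publishes the signer's public key at <selector>._domainkey.<domain>
    tags["key_record"] = f"{tags['s']}._domainkey.{tags['d']}"
    return tags

def parse_spam_status(value):
    """Extract SpamAssassin verdict, score, threshold and the tests that fired."""
    m = re.search(r"hits=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(\S+)", value)
    hits, required = float(m.group(1)), float(m.group(2))
    return {"spam": value.startswith("Yes"), "hits": hits, "required": required,
            "tests": m.group(3).split(","), "over_threshold": hits >= required}

def analyse(raw=SAMPLE_HEADERS):
    h = unfold_headers(raw)
    return {"domainkey": parse_domainkey(h["DomainKey-Signature"]),
            "spam": parse_spam_status(h["X-Spam-Status"])}
```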
Sender Policy Framework
• Prevents forgery
• Requires DNS record
• Recipient confirms sender
• Open standard
Greylisting
• Whitelist maintained
• Other mail temporarily rejected
• Spammers might give up
• Mail delivery delayed
• Spammers will adapt
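The greylisting policy in these bullets, written out as an added example (not code from the slides): unknown (client IP, sender, recipient) triplets get a temporary rejection, a retry after the minimum delay is accepted and whitelisted, and a one-shot sender that never retries is never delivered. The delay values are assumptions chosen for the demonstration.

```python
import time

class Greylister:
    """Greylisting keyed on the (client IP, envelope sender, recipient) triplet."""

    def __init__(self, min_delay=300, pending_ttl=4 * 3600, whitelist_ttl=36 * 24 * 3600):
        self.min_delay = min_delay          # seconds a retry must wait before acceptance
        self.pending_ttl = pending_ttl      # forget triplets that never come back
        self.whitelist_ttl = whitelist_ttl  # how long a proven sender stays whitelisted
        self.pending = {}                   # triplet -> first-seen timestamp
        self.whitelist = {}                 # triplet -> last-accepted timestamp

    def decide(self, client_ip, sender, recipient, now=None):
        """Return 'accept' or 'tempfail' (SMTP 4xx: a real MTA will retry later)."""
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        seen = self.whitelist.get(triplet)
        if seen is not None and now - seen < self.whitelist_ttl:
            self.whitelist[triplet] = now   # known-good sender: accept immediately
            return "accept"
        first = self.pending.get(triplet)
        if first is None or now - first > self.pending_ttl:
            self.pending[triplet] = now     # first contact (or stale): defer it
            return "tempfail"
        if now - first < self.min_delay:
            return "tempfail"               # retried too soon: keep deferring
        del self.pending[triplet]           # proper retry: promote to whitelist
        self.whitelist[triplet] = now
        return "accept"

def demo():
    """Constructed sequence: a patient MTA versus a fire-and-forget sender."""
    g, t0 = Greylister(), 1_000_000
    mta = ("192.0.2.1", "a@example.org", "b@example.com")
    bulk = ("198.51.100.7", "spam@example.net", "b@example.com")
    return [g.decide(*mta, t0),          # first contact: deferred
            g.decide(*mta, t0 + 60),     # retried within 5 minutes: still deferred
            g.decide(*mta, t0 + 400),    # retried after the delay: accepted
            g.decide(*mta, t0 + 401),    # now whitelisted: accepted at once
            g.decide(*bulk, t0)]         # never retries, so never delivered
```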
The Hunt
• Contact info
  • URLs
  • Email addresses
• WHOIS/DNS
• USENET
  • news.admin.net-abuse.email
• Databases:
  • Spews.org
  • Spamhaus.org
  • OpenRBL.org
Legal Means
• Foreign spam, local companies
• One weak federal law
• 38 state laws (as of 2006)
• A few heuristics:
  • Forged headers
  • “ADV” subject line
  • Misleading subject
Telecommunications Consumer Protection Act
• The TCPA (U.S.C. 47 §227):
  • “equipment which has the capacity to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.”
  • $500 or $1,500 fine per message
• Mark Reinertson v. Sears Roebuck
  • Michigan small claims
Telecommunications Consumer Protection Act
• ErieNet, Inc. v. VelocityNet, Inc.
  • US Court of Appeals, 3rd Circuit, No. 97-3562
  • September 25, 1998
• “it is my hope that the States will make it as easy as possible for consumers to bring such actions, preferably in small claims court.” – Senator Hollings
• “The question, therefore, is whether Congress has provided for federal court jurisdiction over consumer suits under the TCPA.”
• U.S.C. 28 §1331: “The district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States.”
The CAN-SPAM Act (15 U.S.C. §7702)
• Requirements:
  • Deceptive subjects
  • Falsified headers
  • Valid return address
  • Opt-out
• Enforcement:
  • FTC
  • States
  • ISPs
• Do-Not-Email List
• Bounty Hunters
• Sender: “a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message.”
• Preemption
Virginia Laws
• The VA Computer Crimes Act (§18.2-152)
  • Forged headers
  • $10/message or $25,000/day
  • AOL and Verizon
• Verizon v. Ralsky: $37M
• AOL v. Moore: $10M
• U.S.C. 28 §1332: “The district courts shall have original jurisdiction of all civil actions where the matter in controversy exceeds the sum or value of $75,000, exclusive of interest and costs, and is between citizens of different States.”
Pennsylvania Laws
• The Unsolicited Telecommunications Advertisement Act (73 §2250)
• Illegal activities:
  • Forged addresses
  • Misleading information
  • Lack of opt-out
• Only enforced by AG and ISPs
  • $10/message for ISPs
  • 10% from AG
Small Claims Court
• Court summons: $30–80
• Maximum claim: $8,000
• Winning by default because the spammer didn’t bother to show up: priceless
So you’ve won a judgment…
• Domesticate the judgment
• Summons to Answer Interrogatories
• Writ of Fieri Facias
• Garnishment Summons
Criminal Penalties
• You’ve got jail!
  • 1 year
  • 3 years:
    • $5,000 profit
    • >2,500 in 24 hours
    • >25,000 in a month
    • >250,000 in a year
  • 5 years for second offense