The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Tuesday, October 31, 2006

Groklaw coverage of e360 v Spamhaus

Groklaw has picked up the e360 vs Spamhaus case and has some good analysis of it. See Spamhaus is on the move...Ditto e360insight


Monday, October 30, 2006

Congressional Budget Office Server breached and email list stolen

From Computerworld: Budget Office’s Server Breached.

Anti-child exploitation site exploited by spammers

I first became involved in fighting spam when spammers started advertising rape pornography in the sexual abuse recovery newsgroups. It's sad to say that nothing has changed since then.

In today's news, ChatMag reports that the Perverted Justice web site — which specializes in catching and exposing child predators — has attracted large volumes of comment spam advertising mainly viagra.

I'd like to say I'm surprised at how low spammers can get, but actually, I'm not.

Sunday, October 29, 2006

Great quote on net neutrality

I mostly try to cover only spam in this blog, but this quote is worth repeating:
Imagine if you tried to order a pizza and the phone company said, "AT&T's preferred pizza vendor is Domino's. Press one to connect to Domino's now. If you would still like to order from your neighborhood pizzeria, please hold for three minutes while Domino's guaranteed orders are placed."
— Craig Newmark
To see a really awful anti-neutrality commercial produced by the telecom companies, see this BoingBoing article.

Friday, October 27, 2006

I win my second lawsuit on jurisdiction!

This just in: Judge Irby has dismissed (pdf, 7 pages) Jerry Reynolds' computer crimes case against me for lack of jurisdiction.

The computer crimes case is this: Spam-fighter David Ritz is accused of computer crime for "stealing" Jerry Reynolds' DNS data by doing a "host -l" command to perform a DNS zone transfer. He's also accused — and I'm not making this up — of stealing Reynolds' Whois data.

Anyway, I was named as co-defendant because I linked to the Usenet post in which Ritz announced the results. Reynolds also obtained a TRO forbidding Ritz or myself from discussing Reynolds' servers in any way — achieving Reynolds' true goal of censoring my web page which discussed his spamming history. Armed with this TRO, Reynolds was also able to censor Usenet posts discussing his spamming activities.

As it is in the nature of lawyers to ask you not to discuss cases, I've mostly kept quiet about this one. Now that the case is no longer pending, and the TRO is no longer in effect, I have "unhidden" a number of previous posts about the case:
  • Second court hearing — discusses the upcoming jurisdiction hearing on the case
  • Today's court hearing — discusses how the hearing went. It dragged on forever and had to be continued. The best part was when my lawyer Kelly Wallace started tearing Reynolds' friend/sysadmin Brad Allison apart. When the questions got pointed and Allison started rocking back and forth in his chair, Reynolds' lawyer Harristhal stood up and used every trick he could think of to stop the hearing, finally obtaining success with "I have a plane to catch".
  • Little bit of good news in jurisdiction hearing — Harristhal's request for more expert witnesses was denied.
  • Legal documents — all legal documents are now available at rahul.net. Some are quite large (they're scanned pdfs) and most are quite boring. The high points are the parts where:
    • Harristhal quietly dropped my lawyer out of the loop and was thus able to obtain a default judgement against me.
    • The part where they admit to doing dns lookups on Ritz (which is exactly what Ritz is accused of)
    • Various conspiracy theory nonsense
    • Request for admission that I used whois. Yeah, really.
    • Request for admission from Ritz that he didn't have permission to use DNS.
    • The transcripts, which are plain text, quick to download, and kind of fun to read.
  • Documentation on the forged cancels that Reynolds or someone helping him issued in order to delete all the evidence from the usenet archives that I would have used to defend myself in the defamation case.
Hmmm. Looks like I didn't write anything about the continued hearing. No matter, the transcript is available here (part 1, part 2). The second half wasn't very exciting.

After the court hearing, there really wasn't much to do but wait for Judge Irby's decision. Harristhal tried a couple of tricks in the meantime, such as insisting that our statute of limitations on opposing the default judgement had expired while we were waiting for the jurisdiction decision, but the judge wasn't buying it.

The computer crimes case against David Ritz is still pending, and I will report on this from time to time as it progresses.


Microsoft wins case against German porn spammer

Read about it in PC Advisor.

In a nutshell, there are no anti-spam laws in Germany, which means that spammers normally get a free ride. In this particular case, the spammer was sued for using Microsoft's Hotmail.com name in the return addresses of his spam. This ruling makes such misuses of a trademark-protected brand a criminal offence, subject to prosecution, according to Microsoft.

The actual findings against the spammer were a slap on the wrist. The spammer must promise not to forge Hotmail into his headers or face a €250,000 fine. He must also give Microsoft detailed information about his spam business activities.

Mansfield fined $1M

Spammer Wayne Mansfield was fined $1 million by the Australian Federal Court for sending 280 million spam messages. His company Clarity1 was fined an additional $4.5 million.

Full story at News.com.au.

I last mentioned Mansfield in April. The wheels of justice and all that...

Thursday, October 26, 2006

Verizon Business spam support

From monitoring the news.admin.net-abuse.blocklisting newsgroup, I see that UUNet (now known as Verizon Business) seems to have moved Atriks from their old block of IP addresses (65.217.154.0 - 65.217.204.255) to a new block (65.246.138.112 - 65.246.138.127). See Usenet article Re: SPEWS: S2955 IP range attributed to an entity no longer hosted. The move came to light when an innocent third party was given the tainted IP range vacated by Atriks, and found themselves listed in SPEWS.

If true, this is pretty serious stuff. It means that UUNet is still engaged in active spammer support, despite having been purchased by the formerly white-hat Verizon. It also indicates that UUNet is using innocent third parties as "human shields" — that is, deliberately placing them into tainted blocks of IP addresses in the hopes that the maintainers of DNSBLs will drop the listings. This may have the opposite effect of causing SPEWS to expand the listing rather than playing a constant game of where-did-UUNet-hide-the-spammer.

The most disturbing thing here is that it shows that Verizon is either unwilling or unable to clean house with UUNet. The most ironic thing is that according to the original post, Verizon.net is now blocking Verizon Business. This isn't the first time an ISP has blocked itself for spamming, but it's always interesting to see.

Friday, October 20, 2006

Thoughts on the death of Premier Services

An excellent blog from a few years ago that I stumbled across in random surfing:

Thoughts on the death of Premier Services

In 2000, spammer Premier Services was revealed to be operated by one Rodona Garst when an irate sysadmin hacked into her computer and downloaded all of the evidence of her spamming that he could find. This pretty much put an end to Premier Services.

A few years later, someone on a network operator's email list wrote this excellent essay on why nothing has changed for the better.

Thursday, October 19, 2006

Small victory in Spamhaus case

Judge Kocoras has denied e360's request for another sanction without Spamhaus even having made a single filing. In a nutshell, the judge has ruled that e360's request is overbroad and excessive.

In its moving papers, e360 requested three forms of relief for the claimed noncompliance: first, suspension of Spamhaus's domain name until it complies with the terms of the injunction; second, steps to prevent third parties from accessing Spamhaus's technology or permission to add them as defendants to this suit if they continue to do so; and third, a monetary sanction against Spamhaus for each day that it fails to comply with the injunction. When e360 appeared in court to present the motion, we noted the breadth of the requested relief and directed e360 to submit a draft order that was more tailored.

The proposed order is limited to only the first remedy, suspension of the domain name by The Internet Corporation for Assigned Names and Numbers ("ICANN"), the entity responsible for coordinating unique identifiers used for Internet communication, or Tucows, Inc., the registrar through which Spamhaus obtained its domain name. Neither of these outfits are parties to this case. Though more circumscribed than the preceding request, this relief is still too broad to be warranted in this case. First, there has been no indication that ICANN or Tucows are not independent entities, thus preventing a conclusion that either is acting in concert with Spamhaus to such a level that they could be brought within the ambit of Fed. R. Civ. P. 65(d). Though our ability to enforce an injunction is not necessarily coterminous with the rule, the limitations on its scope inform an exercise of our power to address contempt. See, e.g., Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 91 F.3d 914, 920 (7th Cir. 1996). Second, the suspension would cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention of this court's order. While we will not condone or tolerate noncompliance with a valid order of this court, neither will we impose a sanction that does not correspond to the gravity of the offending conduct.


This is consistent with my earlier comments about the judge — he didn't rule against Spamhaus out of cluelessness, as some people have suggested, but simply because when the defendant doesn't appear in court, he doesn't have much choice. Now that Spamhaus has decided to play along and challenge jurisdiction, things will be very different.

Here's to hoping there will be sanctions against e360, although my own experiences, and Spamhaus's earlier experiences have shown that this is unlikely.

Update: Here's a copy of the ruling. Looks like it was produced by some sort of OCR.


Wednesday, October 18, 2006

Spamhaus gets new legal counsel

Word on the street is that Spamhaus has obtained new legal counsel in the e360 case. On Friday, documents were filed in Illinois which have the effect of preserving their right to appeal. This part of the story is pretty minor news.

The big news, however, is that their new legal counsel is Jenner & Block, one of the top firms in Chicago, who have agreed to take the case Pro Bono. The lead attorney on the case, Matthew Neumeier, is a senior partner at the firm, former Supreme Court clerk, and an Adjunct Professor at The John Marshall Law School, where he teaches graduate courses on High Technology Litigation and Computers & the Law.

As one observer put it: "I would imagine, for the e360 attorneys, getting notice that Jenner is on the case is a bit like being an amateur boxer who strolls into the ring down at the local YMCA only to find not only are you fighting a young Mike Tyson, but he's decided to fight for free just because he wants to see you crushed."

Update: Covered by Computerworld.


Tuesday, October 17, 2006

State of Utah leaks email addresses from children's no-spam list

Some months ago, I wrote about laws which would establish do-not-spam lists for children.

In yesterday's news, there was an article about how the state of Utah had accidentally exposed a few email addresses from their do-not-spam-children registry. This incident is being framed as revealing a fundamental flaw in the system. To wit: the registry will not only not protect children, but it actually increases the risk that children's email addresses will be exposed.

It's worth noting that the leak did not come from the registry maintainer, Unspam Technologies, but from the state itself. In this case, the email addresses in question had been listed in complaints filed by parents, and the state failed to redact them when making the citations available to the E-mail Sender and Provider Coalition. (This is the same organization which successfully lobbied against a similar child protection law in Georgia.)

The actual do-not-spam-children registry maintained by Unspam is stored in a hashed format which makes it impossible to extract email addresses. To quote Mathew Prince, CEO of Unspam: "Even if ordered by a court or held at gunpoint, there is no feasible way that I, any Unspam employee, or any state official could provide you even a single address that has been submitted for compliance by any sender,"

In all fairness, I should point out that although it's impossible for Unspam to provide any email address, a spammer could compare their before and after lists after having their lists filtered through the Unspam database, and obtain children's email addresses in that manner. This is the technique which was probably used by the spammer who sent threatening letters to Blue Frog subscribers earlier this year.
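To make the two points above concrete, here is an added example (not Unspam's code, and not a description of its actual design) of a hashed do-not-contact registry. The key, the addresses and the use of a keyed hash (HMAC-SHA256) are assumptions of the example; the page only says the registry is "hashed". It shows why the stored digests cannot be turned back into addresses, and also why a sender who already holds an address learns, from the scrub result alone, that it was registered:

```python
import hashlib
import hmac

# Constructed sample data: a secret registry key and two protected addresses.
# Nothing here is Unspam's real design; the page only says the registry is "hashed".
REGISTRY_KEY = b"constructed-registry-secret"
PROTECTED_ADDRESSES = ["child1@example.org", "Kid.Two@Example.net"]


def normalize(addr: str) -> str:
    """Canonicalise an address so the same mailbox always hashes identically."""
    return addr.strip().lower()


def registry_hash(addr: str, key: bytes = REGISTRY_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised address. The keyed hash is an
    assumption of this example: it blocks offline guessing of common addresses,
    which a bare, unkeyed hash would not."""
    return hmac.new(key, normalize(addr).encode(), hashlib.sha256).hexdigest()


def build_registry(addresses, key: bytes = REGISTRY_KEY) -> set:
    """What the registrar stores: only digests, never the addresses themselves."""
    return {registry_hash(a, key) for a in addresses}


def scrub(sender_list, registry: set, key: bytes = REGISTRY_KEY) -> list:
    """A compliance scrub: the sender's list with registered addresses removed."""
    return [a for a in sender_list if registry_hash(a, key) not in registry]


def revealed_by_differencing(sender_list, scrubbed) -> list:
    """Addresses a sender can infer are on the registry purely by comparing the
    list it submitted with the list it got back. This is the structural leak the
    post describes: hashing protects addresses the sender does not already hold,
    but cannot hide which of the sender's own addresses were removed."""
    kept = {normalize(a) for a in scrubbed}
    return sorted(normalize(a) for a in sender_list if normalize(a) not in kept)


def demo():
    """Run one scrub over a constructed sender list and report what it reveals."""
    registry = build_registry(PROTECTED_ADDRESSES)
    submitted = ["adult@example.com", "child1@example.org", "kid.two@example.net"]
    cleaned = scrub(submitted, registry)
    return cleaned, revealed_by_differencing(submitted, cleaned)
```

Because the leak is inherent to any exact-match scrub, the defensive levers are not in the hashing but around it: limit scrubbing to licensed senders, rate-limit and log every scrub so that a sender harvesting registrations this way is identifiable, and keep the HMAC key off the scrub interface entirely.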

Spamhaus appeals default judgement

News from the legal world: An appeal of the default judgement against Spamhaus has been filed and the case has been kicked up to the 7th circuit court. It seems very unlikely that the court order compelling ICANN to suspend Spamhaus' registration will ever be signed.

More information as it becomes public.

Sunday, October 15, 2006

McDonalds gives MP3 players infected with spyware as prizes

And speaking of spyware: McDonalds had a contest in Japan and gave away 10,000 MP3 players as prizes. However, the players contained spyware such that once you connected the player to your PC, your PC became infected with the spyware. See Newlaunches.com article: McDonalds gives MP3 players infected with spyware as prizes.

180 Solutions/Zango accused of stealing referral fees

Via Slashdot: An article in Vitalsecurity.org discusses how spyware vendor Zango (formerly 180solutions) is stealing referral fees. The article is mainly about how the adult industry is just becoming aware of the problem, but the problem is not limited to the adult industry and has been ongoing for some time.

Saturday, October 14, 2006

Some legal good news on another front

Anti-spam activist Robert Braver has made progress in his lawsuit against the Ameriquest mortgage company which uses spam to advertise. The lawsuit includes the spammers hired by Ameriquest and the various intermediaries. One of the defendants, Stecroft Holdings (formerly Go Apply, Inc.) d/b/a eLeadz, filed to have the suit dismissed on various grounds.

The judge in the case has ruled against the defendants (scanned pdf, 9 pages) on their bid to dismiss. In a nutshell, it seems that the spammers had argued that Braver had not met the requirements to sue for fraud while the judge says that Braver has met the requirements to sue under CAN-SPAM and Oklahoma's Fraudulent Use of Electronic Mail laws, which have different standards. The spammers also argued that Braver had forgotten to dot his 'i's and cross his 't's sufficiently and that the suit should be dismissed on a technicality, but the judge was having none of that. Finally, Stecroft argued that the Oklahoma law did not apply to someone who paid someone else to do their spamming for them.

You can read the full history of the case, which has been ongoing for over two years, at http://www.mortgagespam.com/

Friday, October 13, 2006

MP calls for suspension of judge in Spamhaus case

This is rather amusing. British MP Derek Wyatt has called the actions by a US court against Spamhaus outrageous and has called for the suspension of Judge Kocoras.

Well, good luck with that. Much as I hate the judge's decisions in this case, I'm afraid they were the only ones he could render under the circumstances when Spamhaus didn't show up in court.

Meanwhile, a British MP has even less chance of suspending an American judge than an American judge has of suspending a British domain registration.

Updates on the spamhaus case can be found at http://www.spamhaus.org/legal/index.lasso

eBay helps to phish themselves

Sent to me by Neil Schwartzman of CAUCE, Canada. Phishers are exploiting an open redirector at eBay. This means that users are given a clickable link which really does go to eBay.

http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://www.efs.pila.pl/s/index.php

Copy it into your browser address if you want; just don't fill out the form.

Update: The link is now down.
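The redirector above is dangerous precisely because it accepts any URL in its `loc` parameter. As an added example (not eBay's code), here is how a redirect endpoint should validate that parameter before acting on it: only same-site relative paths or absolute http(s) URLs whose host is on an allowlist are honoured, and the usual bypasses (scheme-relative `//host`, `user@host` tricks, backslashes, non-http schemes) fall through to a safe fallback. The hostnames in the allowlist are constructed:

```python
from urllib.parse import urlparse

# Constructed allowlist standing in for the site's own hostnames.
ALLOWED_HOSTS = {"www.example.com", "cgi1.example.com"}


def is_safe_redirect(loc: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site relative paths or absolute http(s) URLs whose host
    is on the allowlist. Everything else is rejected: other hosts, the
    scheme-relative '//host' form, 'trusted@evil' userinfo tricks, backslash
    variants, and non-http schemes such as javascript:."""
    if not loc:
        return False
    parsed = urlparse(loc)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative target must start with exactly one slash. '//host' never
        # reaches this branch (urlparse puts the host in netloc); '/\\host' is
        # treated like '//host' by browsers, so it is rejected explicitly.
        return (loc.startswith("/") and not loc.startswith("//")
                and not loc.startswith("/\\"))
    if parsed.scheme.lower() not in ("http", "https"):
        return False
    host = parsed.hostname  # already lowercased; port and user:pass@ stripped
    return host is not None and host in allowed_hosts


def resolve_redirect(loc: str, fallback: str = "/") -> str:
    """The location a redirect endpoint should actually send the browser to."""
    return loc if is_safe_redirect(loc) else fallback
```

The allowlist approach matters more than the individual bypass checks: a denylist of known phishing hosts would have been useless against the link above, while an allowlist rejects it without ever having seen it.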

I'm being joed, how droll

Found a couple hundred bounces in my inbox this morning. These are coming from a spam run in which the spammer has put my domain name in the "From:" line of every email. Sites which bounce undeliverable addresses are bouncing them back to postmaster at my domain for me to deal with.

Most sites don't include full headers in their bounces so it's impossible to determine where the spam originally came from. Analysis of the few headers I received shows that the spams are being sent from all over, which means a zombie farm*.

The spam advertises diet pills on a server in China and I can't figure out who the hosting provider is, so no joy there.

At least one of the spams went to a "spamtrap@" address. This won't affect me, but the ISP of the zombie that sent that one may find itself blocked.

Many of the bounces are coming from people whose mailboxes are over quota. Are these mailboxes flooded with spam, I wonder? Or perhaps belong to someone who abandoned their email boxes because spam made them unusable?
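The triage described in this post (bounces that quote full headers can be traced to the injecting host, the rest cannot, and origins scattered across many networks point to a zombie farm rather than one spam host) is easy to automate. The following is an added example, not the author's own tooling: it takes a handful of constructed bounce messages, pulls the first-hop IP out of the quoted original headers where they exist, and groups the origins by /24. The separator line marking the quoted headers and all hosts and addresses are constructed for the example:

```python
import re
from collections import Counter
from typing import Optional

# In these constructed bounces, this line precedes the quoted original headers.
SEPARATOR = "----- Original message headers -----"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample bounces (not the author's real mail); hosts use
# documentation address ranges. Bounce 3 omits the original headers entirely.
SAMPLE_BOUNCES = [
    "From: MAILER-DAEMON@mx.example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "The user's mailbox is over quota.\n\n"
    + SEPARATOR + "\n"
    "Received: from smtp.isp.example (smtp.isp.example [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id 1\n"
    "Received: from pc-home (unknown [198.51.100.23])\n"
    "\tby smtp.isp.example with SMTP id 2\n"
    "From: sales@victim-domain.example\n"
    "Subject: Lose weight fast\n",
    "From: postmaster@mail.example.org\n"
    "Subject: Delivery failure\n\n"
    "User unknown.\n\n"
    + SEPARATOR + "\n"
    "Received: from dsl-host (dsl-host.example [203.0.113.77])\n"
    "\tby mail.example.org with ESMTP id 3\n"
    "From: info@victim-domain.example\n",
    "From: postmaster@relay.example.com\n"
    "Subject: Delivery failure\n\n"
    "Your message could not be delivered. No further details.\n",
    "From: MAILER-DAEMON@mx.example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "Mailbox full.\n\n"
    + SEPARATOR + "\n"
    "Received: from laptop (unknown [198.51.100.200])\n"
    "\tby smtp.isp.example with SMTP id 4\n"
    "From: news@victim-domain.example\n",
]


def unfold(header_block: str) -> list:
    """Join RFC 5322 continuation lines (lines beginning with whitespace)."""
    lines = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line)
    return lines


def origin_ip(bounce_text: str) -> Optional[str]:
    """IP of the first hop of the bounced original, or None when the bounce
    did not quote the original's headers."""
    if SEPARATOR not in bounce_text:
        return None
    quoted = bounce_text.split(SEPARATOR, 1)[1].lstrip("\n")
    headers = quoted.split("\n\n", 1)[0]        # headers end at the first blank line
    received = [l for l in unfold(headers) if l.lower().startswith("received:")]
    if not received:
        return None
    # Each relay prepends its own Received line, so the last one is the
    # earliest hop: the machine that actually injected the message.
    match = IP_IN_BRACKETS.search(received[-1])
    return match.group(1) if match else None


def summarize(bounces) -> dict:
    """Count traceable vs. untraceable bounces and how spread out the origins are."""
    origins = [origin_ip(b) for b in bounces]
    traceable = [ip for ip in origins if ip]
    spread = Counter(".".join(ip.split(".")[:3]) + ".0/24" for ip in traceable)
    return {
        "total": len(bounces),
        "untraceable": origins.count(None),
        "origins": traceable,
        "distinct_24s": len(spread),
        "spread": spread,
    }
```

Run over a real mailbox of backscatter, a high ratio of distinct /24s to traceable bounces is the signature of a botnet run; a single /24 carrying most of the traffic is the one case where an abuse report to that network's owner is worth writing.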

Wednesday, October 11, 2006

ICANN declines to yank Spamhaus' domain name

Good news for Spamhaus today. ICANN issued a statement yesterday stating that they have neither the authority nor the ability to suspend a domain registration.

It remains to be seen what, if anything, Tucows will do with the court order if it's issued.

Monday, October 09, 2006

U.S. Judge may order ICANN to yank Spamhaus domain

As I reported last month, Atriks partner David Linhardt filed an $11M defamation lawsuit against Spamhaus for listing him as a spammer. Spamhaus declined to defend themselves, arguing that U.S. courts do not have jurisdiction over a U.K. organization.

Unfortunately, the legal system has a nasty catch-22: You can't just claim that a court doesn't have jurisdiction over you; you need to go to that court and convince it that it doesn't have jurisdiction. Otherwise, the court will assume it does have jurisdiction and act accordingly. (For example, earlier this year, I spent many thousands of dollars in legal costs proving to a court in North Dakota that North Dakota did not have jurisdiction over me in California.)

It's an ugly situation. Any time a rich plaintiff wants to use the court system to attack a poorer defendant with a SLAPP suit, neither truth nor jurisdiction is a defense. One way or the other, that defendant is committed to spending money they don't have defending a case that should never have been filed in the first place.

Since Spamhaus declined to defend themselves in Illinois, the judge had no choice but to find for the plaintiff. Last month, the judge awarded $11M to Linhardt. Of course, collecting will be another matter, as Spamhaus has no assets to seize in the U.S.

Now in retrospect, it looks like Spamhaus received less than stellar legal advice. By ignoring a court — even a court that arguably does not have jurisdiction — Spamhaus have now put themselves in contempt. If they ever do appear, either to argue jurisdiction or fight the case on its merits, they will have put themselves in the unenviable position of appearing before a judge who's probably rather annoyed at them right now.

Which brings us to the present: Not surprisingly, Judge Kocoras is not amused by Spamhaus' refusal to respect his authority and is now considering a proposed court order (pdf, 2 pages) which would order ICANN and Spamhaus' registrar to suspend Spamhaus' domain name, effectively disconnecting them from the internet.

From here, the future is too muddy to foresee. ICANN might decide, as an international organization, that a U.S. court does not have the authority to order it to suspend a registration. If this happens, the battle is taken to a new level as the various sides argue over whether or not ICANN is subject to U.S. law. If ICANN caves and obeys the court order, or if they lose a jurisdictional battle, a new international battle will begin over who controls ICANN. The United States only barely managed to retain control of ICANN in response to international pressure. If ICANN winds up suspending the registration of a U.K. organization due to the order of a U.S. court, we can expect to see a new movement to have ICANN removed completely from U.S. control.

And if the spammers succeed in removing Spamhaus' registration, what then? First of all, we can expect to see Spamhaus re-open with a .uk registration. Every service provider which depended on Spamhaus for help with their spam filtering would be forced to update their software to make use of the new domain name.

Spamhaus may or may not decide to come to the U.S. to fight the case in Illinois. If so, they face an uphill battle. Whether they fight the case on jurisdiction or on its merits, my own personal experience shows that this will be a very expensive fight. (If this happens, expect calls for a defense fund on this and other forums.)

If Spamhaus continues to ignore the U.S. courts, they may find themselves subject to criminal contempt charges. Although not enforceable in the U.K., it could mean a very uncomfortable time for any Spamhaus officers if they should ever choose to travel in the U.S.

Just how fucked are we anyway?

I believe we are in nothing less than a fight to save the internet. Twelve years ago, spammers discovered Usenet and flooded it with spam until it was useless to regular users. Usenet was effectively destroyed by the spammers.

Having stripped Usenet to the bones, the spammer locusts have moved on to email. While not dead yet, email is clearly being destroyed as well. Every week I hear more and more stories of people who are abandoning email because the spammers have made it useless. The spammers themselves have seen this coming and have already moved on to blog comment spam, message board spam, and phone spam.

We are now in a situation where spammers have learned that they can cripple or even bring down spam-fighting organizations by filing frivolous lawsuits or launching DOS attacks. Witness what happened to MAPS, Blue Security, and Osirusoft.

As long as the courts — especially U.S. courts — give spammers free rein to abuse the legal system without repercussions, the situation will continue.

What needs to happen, and soon, is for the ISPs to start giving some real support to the volunteer anti-spam activists on whom they depend. The courts need to start holding spammers accountable for the frivolous lawsuits they file. The legal system needs to pass some anti-spam laws with real teeth (hint: use European anti-spam laws as a model.) Spam-friendly ISPs need to be held accountable along with the spammers they harbor.

Some years ago, anti-spam activists declared a moratorium on their spam-canceling activities which were keeping Usenet functional. For one week, no spam was cancelled. Not surprisingly, Usenet was immediately brought to its knees by spam. Many servers crashed outright under the load.

If the spammers succeed in shutting down the anti-spam organizations of the internet, we can expect to see email collapse in a similar way, but this time it won't be for just a week.

Further reading

Spamhaus legal answers

Ars Technica: Court likely to order ICANN to suspend Spamhaus' domain.

Securiteam blog: Article by Gadi Evron and legal analysis by Mathew Prince.

Slashdot: Perspectives on Spamhaus's Dilemma.

Computer World: Illinois court threatens Spamhaus with shutdown.

Section 230 of the Communications Decency Act, USC 47 § 230 (c)(2) seems to cover actions taken in good faith to block objectionable material.

Google Groups search for 60035 "box 1132" group:*.sightings in .sightings returns many examples of e360 spam.


Friday, October 06, 2006

OS Fingerprinting used to help identify spam

Very cute little article on the use of p0f in the fight against spam: Justin Mason: Happy Software Prole: Some p0f Data From Craig.

In a nutshell: p0f is a utility that passively monitors network connections and identifies the operating system being run by the remote host. (Similar to queso, but passive and safer.) Craig Hughes has compiled statistics on which operating systems are more likely to transmit spam. Not surprisingly, Windows boxes transmit mostly spam while Unix boxes do not. Windows boxes transmit between 60 and 100% spam, with the more modern versions tending to transmit the most spam. Linux boxes transmit 18.3% spam while FreeBSD and Solaris transmit less than 2% spam.

The numbers are not definitive enough to be used for spam filtering on their own, but they would make an excellent input to Bayesian filters.

The article does not discuss the reasons Windows boxes are more likely to send spam than legitimate email, but it's easy to speculate. First and foremost, Windows boxes are the ones being hijacked and turned into Zombies. Secondly, spamming software is generally written for Windows boxes. Thirdly, the mail servers of legitimate ISPs are usually running one of the Unix variants.
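The post says the p0f numbers are not definitive on their own but would make a good input to a Bayesian filter. As an added example (not from the article, not Craig Hughes' data), here is what that input looks like: the OS label is treated as one more piece of evidence and folded in with the filter's other evidence by Bayes' rule. The per-OS spam fractions are constructed from the ranges quoted above (Windows 60-100%, Linux 18.3%, FreeBSD/Solaris under 2%); the individual Windows figures and the 50% base rate are assumptions. The combination is written for any number of independent evidence probabilities, not just two:

```python
# Per-OS spam fractions, constructed from the ranges quoted in the post.
# The individual Windows values are assumptions, not Craig Hughes' figures.
OS_SPAM_RATE = {
    "Windows XP": 0.95,
    "Windows 2000": 0.85,
    "Windows 98": 0.60,
    "Linux": 0.183,
    "FreeBSD": 0.02,
    "Solaris": 0.02,
}

BASE_RATE = 0.5  # assumed prior P(spam) for the site; tune to local traffic


def combine(probabilities, base: float = BASE_RATE) -> float:
    """Combine independent per-evidence spam probabilities with Bayes' rule.

    With evidence e1..en assumed independent given the class,
        P(S | e1..en) is proportional to P(S) * prod_i P(S|ei) / P(S)
        P(H | e1..en) is proportional to P(H) * prod_i P(H|ei) / P(H)
    and the result is the spam term divided by the sum of both. With a base
    rate of 0.5 this reduces to the familiar p1*p2 / (p1*p2 + (1-p1)*(1-p2)).
    """
    spam = base
    ham = 1.0 - base
    for p in probabilities:
        spam *= p / base
        ham *= (1.0 - p) / (1.0 - base)
    return spam / (spam + ham)


def spam_probability(os_label: str, other_evidence, base: float = BASE_RATE) -> float:
    """Fold the p0f OS label in as one more piece of evidence. An OS missing
    from the table contributes exactly the base rate, i.e. no information."""
    p_os = OS_SPAM_RATE.get(os_label, base)
    return combine([p_os] + list(other_evidence), base)
```

Note how strong the OS term is under the independence assumption: a 2% FreeBSD rate pulls a message the content filter scored at 0.8 down to about 0.08. That is why, in practice, the OS probability is capped or given a fractional weight before combination, which is exactly the post's caveat that the numbers are an input rather than a verdict.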

Tuesday, October 03, 2006

Coca Cola spamming in Norway

From SpamHuntress: Coca Cola spam reaches Norway.

Executive summary: Coca Cola launched a new product in Australia with an ad campaign that involved graffiti and spamming. Apparently the campaign was successful enough that they've started in Norway.

Spammers exploit Evite

And this article from the Washington Post. Spammers have found a way to get around Evite's anti-spam restrictions. The article doesn't say how, but I assume that 'bots were used to open multiple Evite accounts or create multiple events.

The spam informed victims that they'd just won a Scottish lottery. It was probably an advance fee fraud of some sort, or perhaps a phish.

Sprint and Verizon hit with cellphone spam

SmartMoney.com has a short article about how Sprint Nextel and Verizon were hit with 550,000 spam text messages. Verizon has already begun gearing up to take legal action as soon as the responsible party is identified.

Sunday, October 01, 2006

CBC to do a documentary on spam.

CBC News World will be broadcasting a documentary on spam on Tuesday, Oct 17 and Sunday, Oct 21. Look for our friends John Levine, Neil Schwartzman, and Spamhaus as guests, along with some guy named Terry Jones.

I don't have any of the details yet, but I look forward to seeing it — assuming I can get someone in Canada to record it for me.