The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Monday, April 30, 2007

Mark Mumma loses badly

Last November, I wrote about the Mummagraphics case. In short, Mark Mumma threatened to sue for spamming him, and identified them as spammers on his web site. Cruise then counter-sued for defamation. Mumma's petition for summary dismissal of the defamation case was denied (pdf, 17 pages) by the court, which ruled that Cruise had not materially violated the CAN-SPAM law.

As far back as March, 2005, Spam Kings predicted that this would turn into a train wreck.

In February, Direct magazine (a magazine dedicated to direct marketing, including email) interviewed Mumma. The title of the article, "Anti-Spammer Goes Ballistic; Admits His Address Was Registered", did not bode well for Mumma. In short, Mumma admitted that someone had signed him up at Cruise's web site, which means the mail was solicited as far as Cruise knew.

Last week, according to reports, a jury awarded $2.5M.

While Cruise is not entirely without fault in this story — best practices require that you confirm such sign-ups precisely to avoid problems like this — it looks like the court was correct to rule that they had not violated CAN-SPAM as Mumma had alleged. Still, I can't help but be disappointed in the ruling. It seems to me that Mumma genuinely believed that Cruise was in violation of CAN-SPAM, and he thought he had the evidence (in the form of misleading header information) to back up his case. If he genuinely thought Cruise are spammers, is it defamation to say so, even if the court eventually rules that they're not?

See John Levine's blog for an excellent take on the story, and Eric Goldman's analysis of the legal points. See also coverage from Venkat Balasubramani's Spam Notes and Daniel Solove's Concurring Opinions ("The 4th Circuit holding makes the very narrow and ineffective CAN SPAM law even more narrow and ineffective.")


Is your corporate network breeding spambots?

Briefly mentioned elsewhere, but worth mentioning here as well: Support Intelligence of San Francisco is running a project known as "30 Days of Bots" with the intent of naming and shaming major companies which are allowing spambots to run unchecked from within their networks.

Among the companies named: 3M (pump-n-dump spams), Oracle (phishing attack on PayPal), HP, Best Buy (thousands of spams per week), ExxonMobil, American Electric Power, Indymac Bank, Dow Jones (penis pills), Thomson Financial (pump-n-dump), AIG (fake Rolexes, porn, drugs), Aflac (penis pills), Business Week (penis pills), Toshiba (pump-n-dump, fake Rolexes), Conseco (porn, penis pills, warez), Bank of America (warez), Clear Channel (drugs, warez, phishing), Borders (drugs), Home Depot (drugs), and Affiliated Computer Services (warez, drugs, pump-n-dump). Expect more reports in the future; monitor their blog for updates.

Now here's the scary part: Networks that have spam-spewing zombies could just as easily have keystroke loggers or other spyware. Bank of America recently acquired the company that manages my credit cards. Believe me, this does not instill confidence in the safety of my credit account with them. Do you do business with any of the above companies (or any of dozens that Support Intelligence hasn't reported yet)? Better start checking your credit card receipts.

More references: Slashdot, The Register, New York Times, Washington Post.


Wednesday, April 25, 2007

Ameriquest settles with Robert Braver

In a nutshell, spam-fighter Robert Braver responded to a few mortgage spams in order to see who was behind them. One of the spamming mortgage companies was Ameriquest, whom Braver duly sued under the CAN-SPAM act and the Oklahoma anti-spamming law.

One interesting twist in the story was that one of the defendants in the case, Lead Association — whose name came up in discovery — then sued Braver for $1M, claiming his actions had cost them their lucrative contract with Ameriquest. The core of their claim was that Braver had signed up under a false name (a practice akin to using a tagged email address in order to track a spammer) and that this constituted fraud in some way.

At any rate, the case has now been settled. As with most out-of-court settlements, the details are not available to me, but I do know that Lead Association's counterclaim against Braver has been dismissed, that Ameriquest has essentially ceased its retail loan operations, and that Braver says the case has been settled to his satisfaction.

For the full backstory, see


Tuesday, April 24, 2007

Astroglide to customers: bend over

Yet again, a major online business has exposed customers' personal data. This time, it was Astroglide which leaked the names and addresses of something like 250,000 on-line customers on their web page. The information was made so public that it was even picked up by the Google search engine.

I expect any day now we'll be seeing a press release from Astroglide telling us all how they take these things seriously.

Monday, April 23, 2007

What if they held a lawsuit and nobody came?

Last month, I wrote that Dave Linhardt (of E360Insight) had filed another SLAPP suit against various anti-spammers.

Well, word has just reached me that the lawsuit has been dismissed.

Word on the street is that nobody from either side showed up in court. (This was to be expected on the anti-spammers' side, since none of them had been served). Apparently Linhardt's lawyers phoned the court and said they were dismissing without prejudice.

It's not over yet (it's never really over), since Linhardt still has the option of refiling.


Friday, April 20, 2007

Mail server report — no, a robot didn't really detect abnormal activity from your IP address

Just received two identical copies of this from the same sender in the Czech Republic (but with different "From" lines):

Dear Customer,

Our robot has fixed an abnormal activity from your IP address on sending e-mails.
Probably it is connected with the last epidemic of a worm which does not have patches at the moment.
We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate

The enclosed zip file is, of course, a virus of some sort. If you're reading this, you're probably smart enough not to fall for it, but you should probably tell your more trusting friends and relations to ignore this email when they get it.


Wednesday, April 18, 2007


ClickZ News reports that Spamhaus is now a registered trademark in Europe. This trademark was obtained with the permission and support of the Hormel corporation, the owners of the SPAM® trademark, who conceivably could have put up a fuss and opposed Spamhaus.

It's not immediately clear to me why Spamhaus needs a trademark, but I can imagine all sorts of nasty legal tangles this could avoid in the future. Kudos goes to Hormel for being so gracious about it all.


Friday, April 13, 2007

E360 vs Spamhaus news

Well worth visiting: (Spamsuite is a site which tracks legal documents in significant spam-related lawsuits.)

The documents in question deal with a request by E360 that Spamhaus show cause as to why they've listed more E360 IP addresses in defiance of a court order. Of particular interest is the allegation that Time Warner has terminated E360 for spamming, apparently due to the Spamhaus listing.

Spamhaus has responded that the listing in question was in response to spam sent from "Rocky Mountain Internet Services" which is anonymously registered in Florida, and that there was no identifying information tying it to E360. Additional spam came from "XO Communications", also registered anonymously in Florida. E360 asked Spamhaus to remove the listings, and Spamhaus asked E360 for evidence of ownership.

E360 has steadfastly refused to provide any proof of ownership of the affected domains, and also refuses to provide a list of domains to Spamhaus. Spamhaus says that the domains in question do not belong to E360, but rather to E360's business partners and are thus not subject to the injunction.

For these reasons, Spamhaus is asking the court for permission to conduct discovery to determine exactly what companies, domains, and IP ranges are owned or controlled by E360.

E360 in turn responded that it doesn't need to provide a list of IP ranges to Spamhaus and it doesn't need to provide any proof that it owns ranges it wants removed from the Spamhaus SBL. As exhibits, E360 provides documentation that Dave Linhardt is the owner of Rocky Mountain Internet Services and Bay City Hosting.

Essentially, E360 is arguing that Spamhaus should be required to de-list any domain which E360 tells them to de-list. The Spamhaus affidavit points out that this could provide a windfall for any spam domain for whom E360 is willing to do a favor. For this reason, Spamhaus argues, they should not be required to de-list domains without adequate proof that they fall under the court injunction.

Now, one interesting fallout from this round of legal bickering is that E360 will be forced to provide proof that they own Rocky Mountain Internet Services and XO Communications. If they do this, then all spam ever seen from those domains could reasonably be folded into the case as proof that E360 are the spammers that Spamhaus has accused them of being.


Thursday, April 12, 2007

Ameritrade does it again — more email addresses leaked

Last July, I wrote an article about how Ameritrade had either sold or leaked (probably leaked) customer email addresses to spammers.

Well, it looks like they did it again. Multiple correspondents have informed me that tagged addresses given to Ameritrade have received pump-n-dump spam within the last few days.

It should be interesting to hear what, if anything, Ameritrade has to say about this latest incident.
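
The leak attribution that tagged addresses make possible, as an added example (not code from the original post): each vendor gets its own plus-address, and spam arriving at that address names the vendor whose list escaped. The mailbox, domain, key, HMAC suffix and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumptions for this example: plus-addressing on a mailbox we control,
# and a secret that only we hold.
SECRET = b"constructed-demo-key"          # placeholder, not a real key
MAILBOX, DOMAIN = "falk", "example.org"   # hypothetical mailbox and domain

def _mac(vendor: str) -> str:
    return hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:8]

def tagged_address(vendor: str) -> str:
    """Address to hand to exactly one vendor at sign-up."""
    vendor = vendor.lower()
    return f"{MAILBOX}+{vendor}.{_mac(vendor)}@{DOMAIN}"

_TAG = re.compile(
    rf"^{re.escape(MAILBOX)}\+([a-z0-9-]+)\.([0-9a-f]{{8}})@{re.escape(DOMAIN)}$"
)

def leaked_by(recipient: str):
    """Vendor whose tag the recipient carries; None if untagged or forged."""
    m = _TAG.match(recipient.strip().lower())
    if not m:
        return None
    vendor, mac = m.groups()
    return vendor if hmac.compare_digest(mac, _mac(vendor)) else None

def attribute(messages):
    """Count mail per vendor tag that did not come from that vendor.

    messages: iterable of (envelope_recipient, sender_domain). Crude rule:
    a sender domain containing the vendor name counts as solicited."""
    hits = {}
    for rcpt, sender_domain in messages:
        vendor = leaked_by(rcpt)
        if vendor and vendor not in sender_domain.lower():
            hits[vendor] = hits.get(vendor, 0) + 1
    return hits

# Constructed sample: (envelope recipient, sender domain)
SAMPLE = [
    (tagged_address("brokerage"), "mail.brokerage.example"),   # expected mail
    (tagged_address("brokerage"), "stock-tips.invalid"),       # tag escaped
    (tagged_address("brokerage"), "hot-picks.invalid"),        # tag escaped
    (f"{MAILBOX}+brokerage.00000000@{DOMAIN}", "x.invalid"),   # guessed tag
    (f"{MAILBOX}@{DOMAIN}", "y.invalid"),                      # untagged
]
```

The HMAC suffix is what lets the tag stand as evidence: a sender who merely guesses `+brokerage` cannot produce a tag that verifies, so a hit means the address came from the copy that vendor was given.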

Monday, April 09, 2007

Rombom continues to attack OsiruSoft

In January, I wrote that the courts had found in favor of Joel Jared in the suit filed against him by Steven Rombom. Rombom sued Jared and OsiruSoft for listing Rombom as an open relay. Although the courts have ruled that Section 203 of the Communications Decency Act provides immunity to entities that help block spam, Rombom has now petitioned to have the case re-opened. You can read his petition and Jared's response at

In a nutshell, Rombom is arguing that the CDA only protects those who use technical means to protect themselves, and that a blocking list is not "technical". He also argues that immunity is only provided to content-based spam filters. There is also considerable complaining about the procedures the courts used in the case, and a circular argument about what constitutes "good faith". He also seems to argue that Jared somehow broke into his computers by listing them as open relays.

Jared's response is essentially that his system was clearly technical in nature, and that the courts had already been satisfied on the good faith requirements. He goes into some detail on how open relays are exploited by spammers. He also complains that Rombom waited until now to make arguments he could just as easily have made at the beginning.

Jared is still soliciting donations to help defray legal costs in this. See his web site for more information on how you can help.


SLAPP SUIT, the movie

For a moment's diversion, visit where you can view the trailer and read about the movie SLAPP SUIT, Adventures of an Anti-Spammer. Judging by the trailer, it's mainly about the adventures of Mark Mumma and his legal battle with

The trailer is amusing. Is there an actual movie in the works? Will it get distribution? Only time will tell.

Friday, April 06, 2007

Don't give your password to; it's a phishing site

Well, it's been a very busy couple of weeks for me (more on this later), so I have a lot of catching up to do. Are you sitting comfortably? Good; let's begin.

Got a piece of email today. A friend had invited me to one of the many new social networking sites that have been springing up lately. I figured what the hell, she's my friend, I'll go ahead and click on the link.

The next thing I know, I'm being asked for my gmail account name and password.

Yes, I was suckered into signing up with a phishing site. No, I wasn't suckered into actually giving them my password. But I'll bet plenty of people were. It should be interesting to see what my friend has to say. Odds are, she never even sent out the invite in the first place.

Here's a blog entry by someone else who fell for it.

I wrote about a similar scam,, a few months ago.

Update: Another blog gives's MO in much more detail. So far, the phishing only seems intended to drive more traffic to the site.

Yes, you too can make money on pump-n-dump stocks

Something I've always suspected: ZDNet had an article last month in which Ryan Naraine described how he made 25% on paper in five weeks by shorting pump-n-dumped stocks.

The theory is simple enough. Pump-n-dump makes money for the spammers because the spammers buy the stock cheap, convince a bunch of suckers to buy it, and sell their own shares when the price goes up. The price then goes back down and all those suckers lose their money.

Ryan Naraine's technique was pretty obvious: when you get the spam, you assume it's too late to buy the stock before it goes up, so you short sell the stock and make a profit when it inevitably collapses.

Of course, this is all theoretical and probably won't work in practice. The trick here is to actually find the stock to borrow. Since the pump-n-dumpers specialize in Pink Sheet stocks, it may not be so easy. Naraine's profit was on paper only; I don't know of anybody who has ever done this for real.

E360insight sued for spamming

According to the Register, William Silverstein is suing David Linhardt, his company E360insight, and under the CAN-SPAM act. Silverstein has received at least 87 spams from E360. He's also asking for $11.7M in punitive damages (the amount E360 sued Spamhaus for).

This will be an interesting one to follow.


Thursday, April 05, 2007

Not a new botnet after all

Last week I mentioned mysterious network activity which had been seen on ports 1720 and 1863 from both Windows and Linux systems. Analysts were worried that this was a new botnet coming on line, although no actual network traffic had been observed. I noted that port 1720 was associated with video conferencing and perhaps the observed behavior simply represented video conferencing software waiting for incoming connections. (Also, port 1863 is associated with file-sharing software.)

Turns out I wasn't far off. It seems that the network activity came not from the host computers, but from a firewall product which was acknowledging network connections from the outside on behalf of the hosts on the inside of the firewall. This sort of makes perfect sense since both video conferencing and file sharing are peer-to-peer protocols that require that client software find a way around the firewalls.

Arguably, this is very bad form, but it's not malicious. Nothing to see here; we can all go home now.