Wednesday, April 30, 2003

Another DBA Farts...
RICHMOND, Virginia (AP) -- Internet mavens who clog computers with massive volumes of unsolicited e-mail pitches now risk landing in prison and losing their riches under a tough Virginia law signed Tuesday.

Although about half the states have anti-spam laws, no other allows authorities to seize the assets earned from spamming while imposing up to five years in prison, said Gov. Mark R. Warner.

The penalties can apply even if the sender and recipients live elsewhere because much of the global Internet traffic passes through northern Virginia, home to major online companies such as America Online and MCI and a conduit to major federal communications hubs in neighboring Washington and its suburbs.

"We want to be able to put out not only a potential criminal violation with the felony but also to seize the proceeds from this illegal activity -- their cars, boats, airplanes, homes," Warner said.

Warner, who became a multimillionaire as a high-technology investor before he was elected governor, said technical filters and civil penalties have proven inadequate.

The new law is directed at commercial bulk e-mail, with certain provisions that kick in when someone sends at least 10,000 copies of a message in a single day or makes at least $1,000 from one such transmission.

"That's different than an occasional e-mail gone awry," Warner said.

The Virginia law also prohibits tools that automate spam and the forging of e-mail headers, which contain identification information on the sender and its service provider. Spammers often forge the headers to hide their identity and cover their tracks.

The same provisions could affect noncommercial unsolicited e-mail from charities, churches or political candidates if they exceed the volume limit or disguise the sender's identity, said Tim Murtaugh, press secretary for Virginia's attorney general.

Spamming has grown into a costly problem and the No. 1 complaint of AOL's nearly 35 million users, said Randall Boe, AOL's chief staff attorney. AOL blocks billions of pieces of spam each week, but billions more get through, he said.

John R. Levine, a board member of the Coalition Against Unsolicited Commercial E-Mail, applauded tougher penalties for spammers, but questioned how effective Virginia law's will be.

"It depends on prosecutors to put them in line along with rapists, murderers and wife-beaters, so I don't think it will be very effective without additional funding," Levine said.

In a study released Tuesday in advance of a three-day forum on how government and businesses should deal with spam, the Federal Trade Commission said a third of spam e-mails contained false information.

Rep. Zoe Lofgren, D-California, plans to introduce legislation this week offering rewards for individuals who help track down spammers. Her bill would require marketers to label spam as "ADV:" and prohibit false or misleading message headers.

State laws with similar provisions have been hard to enforce because they require tremendous resources to track down elusive spammers.

Earlier this week, AOL, Yahoo! and Microsoft announced a joint initiative to combat spam through such techniques as identifying and restricting messages with deceptive headers.

I paid keen attention to the ability and design of the bulletin board and most rescent goes on the bottom. Winners choice tells me that I can not trust anyone under 45...

Rise of the Spam Zombies
by WarpKat at NoIntegrity.Org
Apr 28 2003 6:57PM

A better way would be to educate users on the follies of their actions and not to trust any attachment that comes to them from unfamiliar people and to even be wary of those that do.

Of course, the ultimate would be to get everyone off of Windows because of the BS that you purchase along with it and throw them on Linux, BSD or anything else that can't be easily thwarted.

Then again, with idiots like those at Microsoft striking down law after law that could help (see Oregon) in creating a more secure networking environment, the likelihood of regular users actually learning anything useful becomes slimmer and slimmer.

I, for one, am not surprised at all by this.

Rise of the Spam Zombies
by Mark Gruber
Apr 30 2003 3:36AM

Just want to say that coining an expression like "e-mail laundering" is a pure stroke of genius, from a linguist point of view :)

A good way to spot it
by Alan
Apr 27 2003 12:16PM

Any users with NAV2003 on it will have all their outgoing email scanned. If you see the popup in the bottom right going crazy scanning mail, be VERY suspicious. I saw some poor guy in an IRC help channel that said this happening, I guessed this was what was happening, now I've read this article its been confirmed. You should disconnect and hunt for rogue processes if this happens to you. Of course, if you have *up-to-date* antivirus it should detect it first.

Rise of the Spam Zombies

By Kevin Poulsen, SecurityFocus Apr 25 2003 4:45PM

Pressed by increasingly effective anti-spam efforts, senders of unsolicited commercial e-mail are resorting to outright criminality in their efforts to conceal the source of their ill-sent missives, using Trojan horses to turn the computers of innocent netizens into secret spam zombies.

"This is the newest delivery mechanism," says Margie Arbon, director of operations of anti-spam group MAPS. "I've been looking for it for a year, and in the last couple of months people have actually found Trojans that are doing it... They're carrying their own SMTP engines. Failing that, they install open proxy software."

One of those programs popped up last week. Named "Proxy-Guzu," when executed by an unwitting user the Trojan listens on a randomly-chosen port and uses its own built-in mail client to dash off a message to a Hotmail account, putting the port number and victim's IP address in the subject line. The spammer takes it from there, routing as much e-mail as he or she likes through the captured computer, knowing that any efforts to trace the source of the spam will end at the victim's Internet address.

Trojan horses generally rely on their wielder's ability to trick innocent people into executing them. Proxy-Guzu, naturally, arrives as spam -- in one sighting the program was offered as a naughty peek at an online webcam.

One early victim of the malware, posting to an anti-virus message board, says he detected it only when his desktop firewall program alerted him to large quantities of outgoing e-mail messages sent to unfamiliar addresses, with subject lines like "Don't tell your parents about this!" and "your bill."

Spammers are borrowing the trick from the method electronic vandals use to create computer armies capable of launching distributed denial of service (DDoS) attacks against webservers. What may have been the first Trojan horse custom-tailored for spammers emerged last November: called "Jeem," it grants the perpetrator full access to a victim computer, but also includes a built-in SMTP server to facilitate e-mail laundering.

Arbon says the spam worlds' plunge into adolescent hacking techniques is a result of spammers enjoying fewer and fewer online havens from which to operate. "With the filters and the lists and heurists and all the mechanisms out there people are using, I think the people that are trying to find a way to get the mail delivered are resorting to alternative tactics," she says. "It's untraceable. I hate to put that in print, but it's the truth."

Of course, it also puts the spammers squarely on the wrong side of the law. "As a general rule it's legal to send someone an e-mail even if they don't want it," says Mark Rasch, a former Justice Department computer crime attorney. "But once you break into their computer and get their computer to send e-mail to someone else, then you're violating federal and state computer crime laws."

This page is powered by Blogger. Isn't yours?

Subscribe to Posts [Atom]