IT Security Blog

23 December 2008

Ireland's Version of CAN-SPAM?


Ireland is tired of spam and is putting legislation into law that will fine spammers up to 250,000 Euros if convicted, according to this siliconrepublic.com story.  The story does not go into specifics of the law or what an email needs to contain in order to be in compliance (e.g. CAN-SPAM has several rules that marketers must follow in order to be compliant), but refers to "spammers" as a general term.

Lost in the noise of all of this, let us not forget the difference between a "spammer" and a "spam message". 

Spammers are people who send nothing but spam 100% of the time.  Spammers utilize botnets to conceal the original message sender and utilize networks that they otherwise have no right or license to use. 

Compare this to an (accidental) sender of a spam message. 

Most ESPs occasionally sign up customers whose intention is to use the ESP's network to send out email to purchased lists or to people who did not specifically opt in to receive that mail.  Of course, this is unbeknownst to the ESP until the email goes out and the complaints roll in about spamtrap hits, unknown user rates, and users hitting the "This is Spam" buttons in their webmail clients.  The good ESPs will shut those folks down immediately and make them go troll their email elsewhere.  Does this make these ESPs spammers?  No.  Are they culpable under this new law?  Not sure yet, but those details will certainly come forward.

I can respect what Ireland is trying to do here, but I hope they can take a lesson from the United States and not repeat the same mistakes of CAN-SPAM.  If not implemented correctly (i.e. enforce policy on the true spammers and the ESPs who are not making good faith efforts to remove bad customers from their systems) the only people they may end up hurting are the legitimate email marketers who occasionally have an "oopsie" from a bad customer while the true spammers continue their practices unfettered.
Posted by smasiello at 2:52 PM | Link | 0 comments
17 December 2008

CAN-SPAM Celebrates 5 Years!


Happy 5th Birthday to the CAN-SPAM Act (The Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003!  The CAN-SPAM Act was the brainchild of Senators Burns of Montana and Wyden of Oregon in April 2003 before undergoing some revision and being signed into law by President Bush on December 16th, 2003 (ok, so the real birthday was yesterday).  The CAN-SPAM Act took effect on January 1, 2004.

Although it has become the standard by which ESPs enforce compliance on the part of their customers, the Act has largely been ignored by spammers.  MX Logic has been tracking adoption of the CAN-SPAM Act since its inception and even at its peak only about 3% of all spam was in compliance.  This was in May 2004.  Compliance has typically hovered around 0.2-0.3% since 2005.  As a result, many have resorted to calling it the U-CAN-SPAM Act.

If you are not familiar with the CAN-SPAM Act, it imposes a number of requirements on commercial email:

-- Ensure that the "FROM" line clearly reflects the sender's identity

-- Include subject line text consistent with message content

-- Include the advertiser's valid postal address

-- Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender

As part of the CAN-SPAM Act the FTC was also authorized to create a "Do Not Email" registry, much like the existing "Do Not Call" registry for telemarketing.

We blogged back in October about a loophole that auspiciously exists in the CAN-SPAM Act which does not disallow the mass sending of unsolicited political email, due to its non-commercial nature.  This opinion drew quite a bit of both positive and negative comments from both sides of the aisle. 

So, as we move forward into 2009 and you toast in the New Year, be sure to raise a glass to the CAN-SPAM Act.  Five years of reducing spam to nobody!
Posted by smasiello at 5:17 PM | Link | 1 comment
30 June 2008

Nugache Worm Author Pleads Guilty

Another one bites the dust...

Jason Michael Milmont, the author of the Nugache worm, and the creator of what came to be known as "Fast Flux", has pleaded guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.

Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis.  This constant mobility makes the botnet very difficult to shut down.

There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers.  The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
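
As an added illustration (not code from the original post or from MX Logic), here is a passive-DNS heuristic that separates the two evasion patterns just described: a domain whose A records churn under a short TTL is flagged as fast flux, and one whose authoritative NS records churn as well is flagged as double flux.  The domains, addresses, TTLs and thresholds are constructed sample values, not real indicators.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (seconds, domain, rtype, answer, ttl).
# All values below are made up for this example.
OBSERVATIONS = [
    (0,    "flux.example",   "A",  "203.0.113.10",     120),
    (0,    "flux.example",   "NS", "ns1.flux.example", 120),
    (180,  "flux.example",   "A",  "198.51.100.7",     120),
    (180,  "flux.example",   "NS", "ns2.flux.example", 120),
    (360,  "flux.example",   "A",  "192.0.2.44",       120),
    (360,  "flux.example",   "NS", "ns3.flux.example", 120),
    (540,  "flux.example",   "A",  "203.0.113.200",    120),
    (0,    "stable.example", "A",  "203.0.113.5",      3600),
    (0,    "stable.example", "NS", "ns.stable.example", 86400),
    (1800, "stable.example", "A",  "203.0.113.5",      3600),
    (3600, "stable.example", "A",  "203.0.113.6",      3600),
]

def summarize(observations):
    """Per-domain stats: distinct A/NS answers, lowest TTL seen, A-record changes."""
    stats = defaultdict(lambda: {"a": set(), "ns": set(), "min_ttl": None, "a_changes": 0})
    last_a = {}
    for ts, domain, rtype, answer, ttl in sorted(observations):
        s = stats[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        if rtype == "A":
            s["a"].add(answer)
            if domain in last_a and last_a[domain] != answer:
                s["a_changes"] += 1
            last_a[domain] = answer
        elif rtype == "NS":
            s["ns"].add(answer)
    return stats

def classify(observations, max_ttl=300, min_distinct_a=3, min_distinct_ns=2):
    """Label each domain 'double-flux', 'fast-flux' or 'normal'.
    Thresholds are illustrative; tune them against your own resolver logs."""
    labels = {}
    for domain, s in summarize(observations).items():
        fluxy = len(s["a"]) >= min_distinct_a and s["min_ttl"] <= max_ttl
        if fluxy and len(s["ns"]) >= min_distinct_ns:
            labels[domain] = "double-flux"
        elif fluxy:
            labels[domain] = "fast-flux"
        else:
            labels[domain] = "normal"
    return labels

if __name__ == "__main__":
    for domain, label in classify(OBSERVATIONS).items():
        print(f"{domain}: {label}")
```

Legitimate CDNs also rotate addresses with short TTLs, so a hit from this heuristic is a lead for analyst review, not a verdict on its own.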

The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as to steal personal information such as credit card numbers from the computers that were infected with Nugache.  It has been estimated that he controlled as many as 15,000 computers in his botnet.

Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison. 

In my opinion, this story is only significant because of Milmont's contribution to the botnet community: his Nugache worm used peer-to-peer networking technology and fast flux to create a fully redundant, interconnected network that prevented his botnet from easily being shut down.  The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm, which heavily relied on fast flux to stay alive.

Posted by smasiello at 9:46 AM | Link | 0 comments
20 March 2008

Surf Child Porn (or not?), Go To Jail


I was forwarded this article this morning regarding an FBI sting operation using fake web links in an effort to catch people who surf to child porn sites.  I am all for prosecuting people who are breaking the law, particularly in relation to offenses relating to child porn, but the method described in the article has an uncomfortably high potential for false positives.

For starters, web sites are in the public domain and are accessible by anyone, anywhere, and at anytime regardless of how they got there.  How is the FBI to know that you found the web site as a result of one of their email lures and didn't stumble upon it some other way having no original intention to visit a child porn site?  Have you ever found yourself on a porn site or some other site that you weren't expecting as a result of a mistyped URL, unintended mouse click, or deceptive web site?  Sure you have! 

The article mentions another real possibility of accessing the site via an unsecured wireless connection.  Could you frame your neighbor with the dog that barks all day that you don't like by jumping on his open wireless network and surfing to this mousetrap site?  What if a bot on your PC was emulating clickthroughs to the site in an attempt to throw authorities on a wild goose chase?

I agree with the author where he states that this potentially sets a dangerous precedent if this type of surveillance continues to be allowed to stand up as evidence.  Granted, we've all heard the "someone must have been using my wireless network" and "I must have had malware on my PC" defenses before, but this situation could have some serious federal level consequences.  Sounds dangerous to me!
Posted by smasiello at 12:45 PM | Link | 2 comments