CAUCE North America

Should I Stay or Should I Go?

nospam@example.com (Neil Schwartzman) — Thu, 13 Nov 2008 11:12:30 -0800

If I stay there will be trouble … If I go there will be double – Joe Strummer (1952-2002)

“We can be heroes, just for one day” - David Bowie (1947- )

Working in the anti-spam and online malware fight can be depressing or at best invoke multiple personality disorder.

We all know things are bad on the net, but if you want a dose of stark reality, check out Brian Kreb’s fantastic ‘Security Fix’ blog on the Washington Post site. Written with both technical accuracy and readability ‘for the rest of us’, a rare thing indeed, Brian is the current raving-fav among the security set, due to his high profile, and willingness to call a spade a spade.

He has shone the spotlight of national media on some real embarrassments, situations like ICANN dragging their feet regarding the decertification of rogue registrar EstDomains (a service much-favoured by malware authors and spammers), (they are now offline), Atrivo, a California-based ISP which played a pivotal role in sustaining the Storm botnet, (they are now offline) and Krebs played a part in the latest victory for us good guys on the net, noting McColo was a host for botnet command-and-control technologies (yes, they too are now offline!)

So why the ambivalence Neil? Good question! Speaking to an old friend who asked me what I was doing these days, I recently likened the fight against this relentless onslaught to having one’s pinky in a dyke, and there are days when I don’t even think we have a dyke! We’ve certainly seen dedicated anti-spam/anti-malware volunteers suffer from burn-out, and drop off, over the years, a loss to all of us as an Internet community.

Running down the Security Fix headlines is an exercise in roller-coaster emotions, or split personality:

Anonymous Domain Sales: A Spammer's Delight - Oh No!

FBI, FTC Take Down Scammers & Spammers - Yay!

One Spammer Jailed, Another Walks - Woo hoo! Er, wait …

Security Software Suites No Match for Custom Attacks - Uh-oh!

And, of course, this morning’s headline: Internet drug peddlers raided in 9 countries - Yahooooo!

A few months ago I sat in a room in sunny San Diego with 180 law enforcement agents at the Digital Phishnet conference. The keynote speech was by Shawn Henry, the Assistant Director of the U.S. Federal Bureau of Investigations’’ cyber division.

It was crystal clear from Mr. Henry’s remarks that the FBI ‘gets it’.
They understand exactly how important the collaborative work of
independent researchers like Joe Stewart, Dan Kaminsky, and Gary Warner
is, in conjunction with industry partners and law enforcement really
is: “The adversary’s (work) is a world-wide threat to our economy. We
cannot allow this to happen”.

Just so!

Every one of the cops in that California room spends their days working
on cyber-crime. A mere six years ago when I attended an anti-phishing
event and stressed the infrastructural impact of botnets on the economy
and national security, I was met with blank stares and rolled eyes. We
have taken a quantum leap forward from those days of inaction, but our
politicians and bureaucrats are not moving forward as quickly as they
should be (no surprise there!):

Cybersecurity Panel Places Hill Oversight On Back Burner

Canadian Inactivity regarding Spam Laws

Nevertheless, McColo’s disappearance yesterday has had a widely reported and dramatic impact on spam. Check out what Spamcop’s weekly report shows!

Every once in a while, amidst the stream of bad news on the net, we as
a community see some major successes, and it heartens us tired old
spamfighters to continue the fight for another day.

What can you do to help the fight? Well go ahead, make my day, please
and undertake these two fixes today. Be a hero, do it now. Call your IT
Department and ask them if they have checked these things out and
patched them as need be, and if they haven’t, ask why they haven’t.
There truly is no excuse good enough.

Check your DNS server; make sure it isn’t operating in recursive mode

If you are running Windows, patch your systems regularly, and make sure you have addressed these issues

Come on and let me know, should I cool it or should I blow?

CAUCE Executive Director Neil Schwartzman on CTV Newsnet speaking to Canadian Inactivity regarding Spam Laws

nospam@example.com (Neil Schwartzman) — Sun, 09 Nov 2008 03:47:48 -0800

CAUCE Executive Director Neil Schwartzman appeared on CTV Newsnet November 07, 2008

http://watch.ctv.ca/news/latest/spammed-out/#clip110343

The Root of All Email

nospam@example.com (J.D. Falk) — Mon, 06 Oct 2008 10:30:36 -0700

This week, the Internet Engineering Task Force (IETF) published a number of what they call "RFCs," which originally meant "Requests for Comment" -- the standards documents which specify the technical underpinnings of the internet. Two of these, numbered 5321 and 5322, replace earlier documents defining the very core of internet email. On the surface, each of these seem surprisingly simple; one aims "...to transfer mail reliably and efficiently," while the other defines itself as "...a definition of what message content format is to be passed between systems." Yet without general industry-wide acceptance of (and compliance with) these standards, internet email simply would not exist.

This week also marks ten years since the death of Jon Postel, who arguably had more influence over the creation of the internet than any other single person. One of Jon's most enduring recommendations is to "be conservative in what you send and liberal in what you receive," which Vint Cerf (who had only slightly less influence over the early internet), described as "...a reminder that in a multi-stakeholder world, accommodation and understanding can go a long way towards reaching consensus or, failing that, at least toleration of choices that might not be at the top of everyone's list."

This philosophy is the root of all email, from the earliest standards discussions to the latest theories of authentication, reputation, and deliverability.
The earliest discussions about email standards culminated in August of 1982, when a predecessor to the IETF published RFCs 821, written by Jon Postel, and 822, in which Dave Crocker updated earlier drafts dating all the way back to 1973. With these documents, email between disparate systems became possible, and increasingly common -- so that now, with the click of a button, we can take it for granted that a message sent from an Apple iPhone in Denver can pass unchanged through multiple relays and be read by someone running Microsoft Outlook in Berlin.

Actively used standards evolve over time, from those early versions through the familiar 2821 and 2822 in 2001, and now these latest updates. Along the way, some concepts that made sense at the time have faded into obsolescence: for example, RFC 821 included a feature that would display a message on the recipient's screen if they were logged in (very much like today's instant messaging), or email it to them if they weren't. (Imagine if the spammers got hold of that!) Newer ideas, such as MIME (which allows the HTML email so many of today's users are fond of) or sender authentication, have been added in separate documents intended to augment the existing infrastructure -- without creating unnecessary incompatibilities.

During these past ten years, many people have concluded that what Jon Postel and Dave Crocker and other smart people defined in 1982 was inherently insecure, inadequate for today's business needs. They say (quite correctly) that it was obviously desined for a non-commercial internet which hasn't existed in decades, with a level of trust that we cannot rely upon today. Yet it is impressive that so many of those early ideas still apply, and still work exactly as intended. In his more recent role as Senior Technical Advisor to the Messaging Anti-Abuse Working Group (MAAWG), our friend Dave Crocker often reminds us that the purpose of a standard is to define the set of operations required for interoperability -- and in this light, RFCs 822 and 821 have succeeded wonderfully.

If someone wants to build something else on top of those core requirements later, they can. Clearly many have. But if they ignore Jon Postel's urging to "be conservative in what you send and liberal in what you receive," they may find that they have made themselves incompatible with the rest of the internet.

That's the inherent power of a standard, whether dry and technical and suitable for coding (like an RFC) or based on a review of business practices like the requirements for a whitelist like Return Path's Sender Score Certified, or a special sending channel like Goodmail's CertifiedEmail. Those who comply with the standard can interoperate effectively with everyone else who complies with the standard. Those who don't, can't. It's worth noting that Jon recognized this possibility early on, and wrote about it in RFC 706 in 1975 -- predicting the rise of local blacklists and rate limiting, neither of which were regularly needed in email systems until twenty years later.

The American business instinct is often to send (or sell) extremely liberally, only considering the consequences when sales decline. This practice defies standards for interoperability, and is thus incompatible with the rest of the internet -- but it's the state that many email marketers and other inadvertent spammers find themselves in before they start asking for help. Following the RFCs, many technologists (including myself) would tell them that a well-designed sending-side email server must be conservative, sending only correctly-formed messages which comply with all standards, and a well-designed receive-side email server should be liberal, allowing for minor variances in how the standards are interpreted. This is how our predecessors' technology interoperated in 1982, and it's how everybody's technology interoperates today. Instead, starting at a higher level, the saner elements of the anti-spam community will tell them that a well-designed email marketing campaign must be conservative, sending only messages that are relevant and desired in the eyes of the recipient -- and when it is, this conservatism is rewarded by a liberal receiving policy, allowing those messages through to the inbox.

As you can see, Postel's deceptively simple philosophy permeates the network. Perhaps there is something to be learned for other aspects of our global society as well.

A slightly different version of this article was originally published by Return Path, and is reproduced here with permission.

Virginia Court Overturns anti-spam law

nospam@example.com (John Levine) — Sat, 13 Sep 2008 16:03:19 -0700

On Friday the Virginia Supreme Court threw out the state's anti-spam law, and with it the 2004 conviction of large-scale spammer Jeremy Jaynes, on the grounds of First Amendment overbreadth. While not disagreeing that Jaynes was guilty as charged and convicted, they found that the law could place too great a burden on non-commercial speech. CAUCE president John Levine commented in this blog entry.

While CAUCE is dismayed at this outcome, we see little practical effect beyond this single case. This case predates the Federal CAN SPAM law, which does not have the First Amendment issues of the Virginia law, which would clearly apply if Jaynes were to do the same things today he did in 2003. Nor do the other state anti-spam laws have similar overbreadth issues. CAUCE believes that it is possible to create more effective anti-spam laws than the weak CAN SPAM without running afoul of First Amendment issues and will continue to work to help pass them.

CAUCE Executive Director Neil Schwartzman interviewed by CBC Radio

nospam@example.com (J.D. Falk) — Tue, 09 Sep 2008 16:50:11 -0700

Earlier today Neil Schwartzman, the CAUCE Executive Director, did a series of interviews for the Canadian Broadcasting Corporation radio 'drive' shows. He focused on why Canada doesn't (yet) have anti-spam legislation, who is behind the spam we all receive, why and how laws will help, and how internet users can protect themselves. Here's a recording of one of the interviews, conducted by All Points West host Jo-Ann Roberts for the Victoria, British Columbia CBC Radio One station, reproduced with permission.

ACLU, Anti-Spam Laws, and the First Amendment

nospam@example.com (J.D. Falk) — Fri, 08 Aug 2008 09:34:12 -0700

In an article published by the Technology Liberation Front, Cato Institute adjunct scholar Tim Lee dissects a recent argument by the American Civil Liberties Union regarding free speech & anti-spam laws.

It's been interesting to watch the ACLU wrestle with anti-spam legislation. Their entire purpose is to work through the legal system to protect our civil rights, as defined in the First Amendment -- which is why I've been a card-carrying member since before I was old enough to vote -- so of course they're going to push back against any perceived abridgment of the right to free speech, including anonymous speech. Yet as Tim Lee argues, the amount of speech afforded to spammers before they run afoul of the Virginia statue is enormous: "someone may (a) send out an unlimited number of emails using a real email address, (b) send out 9999 emails per day (99,999 per month, 999,999 per year) while falsifying email headers, or (c) send out an unlimited number of emails with falsified addresses to people who have previously consented to receive them."

In order to violate this Virginia statute, you have to be very bad. In order to violate CAN-SPAM & get even more federal attention, you have to be even worse. Anyone with a real need for free, anonymous speech will have a myriad of other, simpler, and very likely cheaper avenues available to them -- including, unfortunately, sending 9999 forged, unsolicited emails each & every day.

US Senate Approves Bill to Dramatically Improve Cyber-Crime Laws

nospam@example.com (J.D. Falk) — Thu, 31 Jul 2008 14:04:36 -0700

The Washington Post reports that the U.S. Senate has passed legislation that would allow law enforcement to go after a much larger percentage of modern online crime. Specifically, it will:

remove the requirement that each affected individual must have suffered at least $5,000 in damages
"make it a felony to install spyware or keystroke-monitoring programs on 10 or more computers regardless of the amount of damage caused"
give identity theft victims the ability to seek restitution
criminalize attempts to extort companies by threatening to publish stolen information

These provisions were added to an unrelated bill, the Former Vice President Protection Act, which must next be voted on by the House of Representatives before it becomes law.

CAUCE is very pleased that the Senate has taken this action to protect people living within the United States, and particularly support the provisions adding a private right of action against the criminals who prey upon all of us daily.

Eddie Davidson

nospam@example.com (Neil Schwartzman) — Thu, 24 Jul 2008 22:18:17 -0700

When doing a job that you love it is natural enough to immerse oneself, to become somewhat myopic, about the relative importance and meaning of one’s work, but every once in a while context is thrust forward, rending fantasy and reverie aside, leaving one faced with a reality of what really matters.

Such are the sad events surrounding the murder-suicide that ended convicted spammer Eddie Davidson’s life today. For further details on the situation, please follow this link.

CAUCE extends our sympathies to the friends and families of the victims of this needless tragedy.

Good news from three spam cases in the U.S.

nospam@example.com (J.D. Falk) — Wed, 16 Jul 2008 10:35:05 -0700

They say (whoever "they" are) that good things come in threes, and that certainly seems true for law enforcement against spammers this week.

In New York, Adam Vitale was sentenced to 30 months in prison and ordered to pay $183,000 in restitution for a week of spamming AOL back in 2005. He's also allegedly linked to advertisements for prostitution on craigslist, and is already in jail for even worse crimes.

In Illinois, an FTC settlement requires Spear Systems and company executives Bruce Parker and Lisa Kimsey to give up $29,000, stop making "false or unsubstantiated claims about health benefits" of their products, and bars them from violating CAN-SPAM ever again. Related litigation continues against defendants in Quebec and Australia; you may remember this gang as the hoodia spammers.

And finally, in Seattle, the Robert Soloway case continues. He pled guilty back in March to wire fraud, CAN SPAM fraud, and tax evasion, but not identity theft -- which was dismissed. Even so, he could be sentenced to up to 20 years, though that's reportedly unlikely. The difficulty for the judge appears to be that there isn't a lot of precedent for how long spammers should spend in jail. CAUCE would encourage Judge Marsha Pechman to look for precedents from other, non-internet-related fraud cases, multiply by the number of victims, and throw away the key.

But what makes the Soloway case particularly interesting is what else is being revealed. Soloway's business model was to sell advertising services, promising that all of his recipients had opted in -- even though none of them had, so it was 100% spam. This reportedly earned him over $1 million in a 3-year period, along with many extremely unhappy customers and nearly $18 million in judgements thus far.

So that's three more down, but many more to go.

(Note on the Soloway case: CAUCE President John Levine testified for the prosecution during both the trial and the sentencing.)

Changes to the CAUCE North America Leadership

nospam@example.com (J.D. Falk) — Tue, 15 Jul 2008 18:42:56 -0700

It is with regret that we note that CAUCE founder Scott Hazen Mueller has resigned his position as President of CAUCE North America. We are happy to note Scott will maintain his position on the iCAUCE (international CAUCE) board, as well as the CAUCE North America board in the position of Founder and Director, emeritus.

As well, while John Levine plans to move to England in the early fall, he has agreed to remain on the executive board and he will become President effective immediately.

Lastly, Dennis Dayman has graciously accepted the position of Secretary-Treasurer and was confirmed as such by unanimous vote.

Congratulations, Dennis, and thank you Scott for your years of service.