Author Message
mdw
What to do about spam forged with @cyberspace.org return path?   Jan 11 08:49 UTC 2003

A small group of spammers has come up with an annoying new variation on
the spam they send out.  Here's the apparent situation:

#1 one (or a small group) of spammers have bought a CD and
        software to send spam.

#2 the spammer composes his spam in HTML.

#3 the software goes out, probably uses a dialup IP address to find
        some sort of unwitting proxy server or open relay, and sends
        out the spam.  It sends it out to a large list of people,
        sorted by domain, probably one message per domain, and then
        using a fake forged return path that points to some random name @
        cyberspace.org.  It is efficient to send one message to a domain,
        so the spammer can get away with a low-speed dialup connection.

#4 the open relay or proxy server, which very likely failed to record
        the dialup IP address, then sends the spam onwards to the
        target domain.

#5 the target domain attempts to deliver the spam.  The delivery fails
        for some users, either because their mailbox does not exist,
        the mailbox is full, or anti-spam rules stop the HTML spam.

#6 the target domain then sends at least one bounce message to the
        return path, which points to us.  Each bounce contains the
        entire original message plus lots of information on the
        bounce.  This increases the size of the bounce by a factor of
        2.  Some domains instead deliver several hundred bounce
        messages.  This further multiplies the effect by one or two
        orders of magnitude.  There are at least 2 of these spammers,
        another factor of 2.  So we see at least 400 times as much
        traffic over our shared DSL connection as the spammer generated
        over his unshared dialup connection.  The spammers have
        been at this a number of days.  So far, this resulted in filling
        up at least 2 mailboxes with 1 M worth of bounces, and probably
        a lot more text has failed to be delivered.

Some options I can think of:
#1 ignore the problem.
        It might go away, or it might increase in magnitude in time.
        If "@cyberspace.org" addresses become common on spam:
                a. any address used by a spammer becomes useless
                        to its legitimate owner on grex, because
                        his mailbox instantly floods with spam bounces.
                b. our network connection will become useless
                c. other sites might just start blocking all incoming
                        mail addresses as being from "@cyberspace.org"
                        regardless of legitimacy.
#2 block bounces for spam not originated on grex.
        This only helps with 1a.
#3 change mailbox syntax or domain name.
        Changing mailbox syntax breaks all existing names.  Possible syntax:
                remmers+@cyberspace.org         works
                remmers@cyberspace.org          does not work.
        major user education headache.
        Keeping the same domain means we still see bounces & have site
                block issues.
        Changing the domain means giving up "@cyberspace.org".  How
                attached are people to this?
                We might be able to keep:
                "@grex.cyberspace.org" which might be of some attraction.
                Or we could add "@mail.cyberspace.org" which might arguably
                be the right thing to do.
#4 complain to the proxy site, ISP owning the web site, etc.
        Everybody does that with spam already.  The spammer is probably
        fully prepared to deal with the probable consequences of this.
        I'm not at all convinced this is even worth attempting.
        It may even make it harder to proceed with legal or criminal
                complaints - by causing the spammer to flee scot-free, and
        giving him a chance to multiply.
#5 seek legal action against the spammer proper.
        Seeking legal action gives us rights we would not ordinarily
        have.  For instance, in a law suit, I *think* we can subpoena
        or otherwise cause the ISP to cough up the name or other
        contact information of the spammer.  Legally, the ISP cannot
        otherwise just give us that information; there are various
        privacy laws that result in this.  Cons: hiring a lawyer can be
        expensive.  Some work can be cheap or free.  An initial
        consultation is free.  A 'cease and desist' letter should only
        be $100 or so.  Actual court costs are relatively low.
        Actually going to court can cost $thousands.  If we go that
        route, we'll either need major fund raisers, or we'll need to
        find lawyers who can work for much less cost or pro bono.  This
        is not necessarily unreasonable; as a 501c3 corporation that is
        "well-known", there are even organizations (legal aid
        societies) that actually specialize in providing free or
        low-cost legal coverage for such cases, so we have decent odds
        of finding such a person, given sufficient begging.  In a civil
        suit, we merely have to find "compelling" evidence the spammer
        did it - we don't have to prove anything "beyond a shadow of a
        doubt".  If we win a civil suit, there's some chance of
        recovering at least part of any money we invest in such a
        suit.
#6 file a criminal complaint.
        Michigan has a tough "fraudulent use of computer resources" law.
        pros: somebody else does all the work.  Free.  Tough penalties.
        cons: not clear the prosecutor will care.  They may not have
                the experience or interest to successfully prosecute such a
                case.  Also, stricter standards for evidence make conviction
                harder.

I don't want people to get too tied up in the technical aspects here.
I'll enter a different item in garage in case people want to talk about
that.  Here, I want people to think in terms of the policy issues.
i.e.,
        do we care about internet mail accessibility?
        do we value "@cyberspace.org" as our mail domain name?
        do we want to bother trying the usual spam complaint?
        are we willing to pursue legal remedies for people fraudulently
                infringing on "@cyberspace.org"?
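Option #2 above, blocking bounces for mail that never originated here, can be done mechanically: a bounce (DSN) normally carries the original message, and the original's Received: headers show whether it ever passed through our own MTA. The classifier below is an added example, not code from the thread or from Grex; it assumes a hypothetical MTA hostname of grex.cyberspace.org and uses three constructed sample messages (a backscatter bounce from a forged sender, a genuine bounce of mail we really sent, and an ordinary message).

```python
import email
from email import policy

# Assumed name of our own outgoing mail server (hypothetical, not from the thread).
OUR_MTA = "grex.cyberspace.org"


def is_bounce(msg):
    """Heuristics for a delivery status notification: null envelope sender
    (Return-Path: <>), a MAILER-DAEMON sender, or a multipart/report body."""
    return_path = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    return (return_path == "<>"
            or "mailer-daemon" in sender
            or msg.get_content_type() == "multipart/report")


def embedded_original(msg):
    """Return the original message carried inside the bounce, or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                return payload[0]
    return None


def passed_through_us(original):
    """True if any Received: header of the original names our MTA."""
    return any(OUR_MTA in received for received in original.get_all("Received", []))


def classify(raw):
    """Classify raw RFC 822 text as not-a-bounce, bounce-legitimate,
    backscatter, or bounce-unverifiable (bounce without the original)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    original = embedded_original(msg)
    if original is None:
        return "bounce-unverifiable"
    return "bounce-legitimate" if passed_through_us(original) else "backscatter"


# Constructed sample: bounce of spam that only ever touched an open relay.
BACKSCATTER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: xq7random@cyberspace.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The mailbox is full.

--B1
Content-Type: message/rfc822

Received: from relay.example.net (relay.example.net [192.0.2.10])
	by mx.example.com with SMTP; Sat, 11 Jan 2003 08:00:00 +0000
From: xq7random@cyberspace.org
To: victim@example.com
Subject: Buy now
Content-Type: text/html

<html><body>spam</body></html>

--B1--
"""

# Constructed sample: genuine bounce of mail that left through our own MTA.
LEGIT_BOUNCE = BACKSCATTER.replace(
    "Received: from relay.example.net (relay.example.net [192.0.2.10])",
    "Received: from grex.cyberspace.org (grex.cyberspace.org [192.0.2.20])")

# Constructed sample: ordinary inbound mail, not a bounce at all.
NORMAL = "From: friend@example.com\nTo: user@cyberspace.org\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("BACKSCATTER", BACKSCATTER), ("LEGIT_BOUNCE", LEGIT_BOUNCE),
                      ("NORMAL", NORMAL)]:
        print(f"{name}: {classify(raw)}")
```

Only the "backscatter" verdict is a safe reject; bounces that omit the original ("bounce-unverifiable") would have to be handled by a separate policy, since dropping them would also lose legitimate failure notices for mail we really sent.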
26 responses total.
glenda
response 1 of 26:   Jan 11 10:36 UTC 2003

Re #3:  some of the bounce messages I have received showed
"glenda@grex.cyberspace.org" as the address.  Sorry that I didn't keep them,
I sort of automatically delete spam.  I did a quick look at these since they
said returned message on them to look at the headers.  If I get any more I
will save them and pass them on.
mdw
response 2 of 26:   Jan 11 11:20 UTC 2003

If the "return path" is set to glenda then I am very interested.

If it's the To: header I'm not at all interested, and if it's the From:
header I am only mildly interested -- send it to uce.
gelinas
response 3 of 26:   Jan 11 16:04 UTC 2003

Certain virus software propagates itself by e-mail, as many of us know.
Originally, it would use the e-mail address of the owner/user of the
originating machine as the "From:" for its messages.  Later on, it started
choosing addresses out of the addressbook on the machine and using one
or more of those addresses as the "From:" for its messages.

From Marcus' descriptions so far, this does not seem to be virus-related.
We may need to prove this, though.  The easiest way to do so is to answer
negatively to "Did the address getting the rejection notice ever exist?"
Can we answer that question, at all?

For the rest of Marcus' questions, I want to hear what others think before
offering my own opinions.
carson
response 4 of 26:   Jan 11 17:22 UTC 2003

(another con to the legal action scenario is that Grex could find it
difficult to pursue action against an offshore spammer.  that said, I
don't think we're going to find a perfect, one-size-fits-all solution.
however, we should still do *something*.)
other
response 5 of 26:   Jan 11 19:06 UTC 2003

As I mentioned in another item, I have contacted the Michigan Attorney 
General's office to ask for information about filing a complaint.  The 
next response from me will contain the content of that exchange.  I'll 
hide it so those not interested won't have to scroll through multiple 
screens.
other
response 6 of 26:   Jan 11 19:14 UTC 2003

View hidden response.

gelinas
response 7 of 26:   Jan 11 19:30 UTC 2003

(As a reminder, in bbs, at the "Respond, pass, forget, quit, or ? for more
options?" prompt, enter "set noforget" and then "only 6" to see Eric's
response.  You will probably then want to "set forget", so you don't have to
see all of the other things you've forgotten.)
gull
response 8 of 26:   Jan 12 03:41 UTC 2003

Are they even doing anything illegal?  Last I heard there were no laws
against spamming.  It may be hard to win a case like this.  (That may not
matter, though -- a cease-and-desist letter can be pretty effective
regardless of whether or not it has a legal leg to stand on.)
mdw
response 9 of 26:   Jan 12 03:54 UTC 2003

This is not a virus problem.  I haven't found evidence yet that any
virus is involved.  It looks like commercial spam, clear & simple.  Our
problem is not that, however, but that they've forged addresses in our
domain in sending that spam, and that is causing us problems.  There are
laws concerning fraud and denial of service.  We may well have a leg to
stand upon.

I should mention that whatever Glenda and Drew are seeing is almost
certainly not related to the particular problem I'm worried about here.
gull
response 10 of 26:   Jan 12 04:31 UTC 2003

I'd be in favor of sending cease-and-desist letters, except that I fear that
finding a useful address to send the letters to would require lots of
expensive legal proceedings.  ISPs don't turn over records casually; we'd
almost certainly have to go to court to get them before we could even send a
letter to the spammer, wouldn't we?
carson
response 11 of 26:   Jan 12 06:23 UTC 2003

(it's probably easier to send a letter to the ISP.  that might not be
as effective, but it's something.)
mdw
response 12 of 26:   Jan 13 03:32 UTC 2003

That would be option #4 in the original text.  I believe it will be
completely ineffective - I went through some of the IP addresses and
sites referenced in the spam, and became convinced these are
"experienced" spammers who expect to have their sites shut down
frequently.  Or more precisely, I think it's one entity that does the
actual spamming, and a number of customers, who buy "advertising" from
the spammer.  The "customers" would sometimes have more than one DNS
name per IP address, or the same address would appear for 2 different
company names, it all looked pretty fly by night, so I have little
confidence that complaining to the ISPs will actually solve our problem,
which is not that they send spam, but that they direct bounces at us.
drew
response 13 of 26:   Jan 13 18:30 UTC 2003

Re #9:
    It isn't??? I rather thought that was what this item was all about. Where,
then, shall what I'm getting be discussed?

    I got another one. I appended it to file spambounce.
mdw
response 14 of 26:   Jan 13 22:11 UTC 2003

Um, never mind - yes, drew is receiving genuine bounces from forged
spam.  At least he's not receiving 6 megabytes/day, which is true for 8
other particular accounts, and what I initially feared might be the case
for drew.
tsty
response 15 of 26:   Jan 21 12:58 UTC 2003

is it still true that *every* isp MUST maintain a postmaster@isp-in-question
in order to stay on the net?

is it true that every isp has to maintain *some* email address that doesn't
get filled up in order to be recognized (whatever that means)?
gull
response 16 of 26:   Jan 21 13:56 UTC 2003

I don't think that's ever been true.  A postmaster address is required
by one of the RFCs, I think, but it's not like there are net.cops who
will come knocking on your door if you violate that rule.

I think there is a service somewhere that runs a DNS-based blacklist of
sites that don't provide such an address, though, so people who want to
can ostracize them.
mdw
response 17 of 26:   Jan 21 19:37 UTC 2003

RFC 822 / 2822 require postmaster@ .
RFC 2142 requires abuse@ .
Neither of these is there per-ISP, but per "mail domain".
There are no net cops, per se.  There are things one can do to piss off
important bits of the internet.
keesan
response 18 of 26:   Jan 21 22:40 UTC 2003

I frequently get back spam reports sent to abuse@ and then I send them to
postmaster@ and they don't come back again.
tonster
response 19 of 26:   Jan 22 07:22 UTC 2003

resp:18: That doesn't mean they weren't redirected to /dev/null, though.
:)
tsty
response 20 of 26:   Jan 22 10:05 UTC 2003

re #17 .. and those things might be ???????
gull
response 21 of 26:   Jan 22 14:00 UTC 2003

Re #17: Interesting.  I didn't know abuse@ was required, thanks.
keesan
response 22 of 26:   Jan 22 20:29 UTC 2003

Today I got back another mail sent to abuse@hyomon.co.kr (or something
similar) from postmaster@ (so I sent the mail back to postmaster asking them
to close their open relay).
tsty
response 23 of 26:   Jan 24 04:42 UTC 2003

btw, (don't know if it's been posted before or not) yahoo has a special
address for spam:     mail-abuse@yahoo-inc.com    they seem to respond better
at that than any other.

maybe it's better automated, but i've never been hit twice from the same
spammer (using or faking yahoo) when i send it to that address.
keesan
response 24 of 26:   Jan 24 18:48 UTC 2003

I get back immediate responses from sending simply to abuse@yahoo.com and
sometimes they write back saying they took action.
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss