By Brian Krebs
washingtonpost.com Staff Writer
Thursday, April 26, 2007 2:31 PM
A company representing Internet users in more than 100 countries today filed a lawsuit in Virginia seeking the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers.
The suit was filed in U.S. District Court in Alexandria on behalf of Project Honey Pot, a service of Unspam Technologies LLC, a Utah-based anti-spam company that consults with private companies and government agencies.
The lead attorney on the case, Jon Praed of the Arlington, Va.-based Internet Law Group, has represented America Online and Verizon Online in successful cases against junk e-mailers. Praed said the group hopes to follow the trail from the people doing the harvesting of e-mail addresses to the actual spammers.
"It is clear that the key to stopping spam is identifying those responsible for it, and getting that information into the hands of those capable of doing something about it," he said.
The Virginia court has been the venue of choice for a number of previously successful anti-spam cases filed by some of the world's largest Internet service providers. But this is thought to be the first anti-spam case brought by a class of Internet users not affiliated with any single Internet service provider.
"This isn't just some [Internet service provider] trying to get good press, this is a community of Internet users saying we're sick and tired of this crap and we want it to stop," said Matthew Prince, Unspam's chief executive officer.
The company filed the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique "spam trap" e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or "honey pot" later receives junk e-mail.
Spam recipient lists typically are generated by automated programs that scour the Internet for e-mail addresses. Similarly, the sending of spam is also automated, as the bulk of junk e-mail is routed through compromised personal computers to mask its true source.
In many cases, those responsible for harvesting e-mail addresses are not the same people sending the spam, but rather individuals who will sell the lists to known spam operators. Project Honey Pot also has found that in a great number of cases, e-mail harvesters do not appear to try to hide their Internet addresses.
"We've found that the Internet addresses of those doing the harvesting is a much smaller universe of those who are actually sending the messages, and locating [the harvesters] may give us good indicators of who out there is at the top of these spam operations," Prince said.
The suit filed today names defendants as "John Doe," meaning that the plaintiffs will ask the court for the authority to subpoena records from ISPs to verify the identities of owners and operators of e-mail harvesters.
The federal court in Alexandria is known for its expertise in adjudicating anti-spam cases, but the plaintiffs also chose that location because evidence points to a great deal of spamming activity emanating from Virginia. According to the complaint, since January 2005 the project has identified more than 15,000 unique Internet addresses associated with e-mail harvesting activity, 22 percent of which were located in the United States.
Roughly 175 Project Honey Pot Web sites located in Virginia have distributed approximately 36,000 e-mail addresses to harvesters worldwide. Of those, 111 e-mail harvesters used Internet addresses located in Virginia, and another 21,000 Virginia-based PCs have been identified as direct sources of junk e-mail. On 245 occasions, the John Does named in the suit have relied entirely on Virginia-based Internet addresses to harvest e-mail addresses and to blast out junk e-mail, the complaint alleges.
Lawrence Baldwin, founder of myNetWatchman, a company that tracks hacking and spam activity, said the Honey Pot Project's legal approach to fighting spam looks promising.
"If they're successful, I think it will yield some very usable information in terms of identifying who the real miscreants are," Baldwin said. "Let's just hope some of them are here in United States and therefore reachable."
The case was filed under the Virginia anti-spam statute, as well as a federal 2003 anti-spam law. The statute penalizes fraudulent senders of unsolicited bulk e-mail at $1 per message, or $25,000 per day that any offending message was transmitted. The federal law, known by its acronym "CAN-SPAM," authorizes fines of $100 for every attempted transmission of a spam message containing false or misleading transmission information. Damages increase three-fold if a victim's e-mail address was harvested from a public Web site.
Despite previous lawsuits against spam operators, the volume of junk e-mail flooding inboxes has skyrocketed over the past several years since CAN-SPAM's enactment. Spam comprised more than 80 percent of the e-mail sent globally over the past six months, according to Postini, an e-mail security firm based in San Carlos, Calif.
"As long as long as there is big money to be made, the spammer's target will move," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group, an industry consortium of ISPs and e-mail providers. "It's an ongoing war, and the weapons keep getting better on both sides."
The Honey Pot Project's Prince acknowledged that the lawsuit is not going to solve the spam problem.
"But if we can take two or three major spammers offline, that's a huge victory for the Internet as a whole."