Targeting Spam at the Source

By Brian Krebs Staff Writer
Friday, April 27, 2007

A company representing Internet users in more than 100 countries filed a federal lawsuit yesterday seeking the identities of people responsible for collecting millions of e-mail addresses on behalf of spammers.

The lawsuit, filed in U.S. District Court in Alexandria, was filed on behalf of Project Honey Pot, a service of Unspam Technologies, a Utah firm that consults with companies and government agencies.

The company filed the lawsuit on behalf of 20,000 people who use its anti-spam tool. The software records the Internet protocol addresses of visitors who collect e-mail addresses from Web sites and forward them to spammers.

"This is a community of Internet users saying, 'We're sick and tired of this crap, and we want it to stop,' " said Matthew Prince, Unspam Technologies' chief executive.

The lawsuit, filed under federal and state anti-spam laws, identified defendants as "John Doe," meaning that the plaintiffs will ask the court for authority to subpoena records from ISPs to verify the identities of owners and operators of e-mail collectors.

Spam-recipient lists typically are generated by automated programs that scour the Internet for e-mail addresses. The sending of spam is also automated, as most junk e-mail is routed through compromised personal computers to mask its source.

In many cases, those responsible for harvesting e-mail addresses are not the same people sending the spam, but rather individuals who will sell the lists to known spam operators. Project Honey Pot also has found that in a great number of cases, e-mail harvesters do not appear to try to hide their Internet addresses.

"We've found that the Internet addresses of those doing the harvesting is a much smaller universe than those who are actually sending the messages, and locating [the harvesters] may give us good indicators of who out there is at the top of these spam operations," Prince said.

According to the complaint, roughly 175 Project Honey Pot Web sites in Virginia have distributed about 36,000 e-mail addresses to harvesters worldwide. Of those, 111 e-mail harvesters used Internet addresses located in Virginia, and another 21,000 Virginia-based PCs have been identified as direct sources of junk e-mail, the lawsuit alleges.

© 2007 The Washington Post Company