Anti-spam watchdog The Spamhaus Project is back at it again, providing prime fodder for anyone who appreciates a good brawl. This time, the guardian of all things spam challenges a Dutch ISP to a measure-off, and it looks like the locker room is going to clear out for this one, folks.

Ah, Spamhaus. For anyone with a well-honed sense of humor and irony (and I’m one of them), your 2011 has been a year worthy of a Monty Python sketch, or at least a stint on The Office (the real one, not the spate of so-so spinoffs). If you haven’t been keeping up with the venerable Spamhaus Project, here’s what’s happened so far: a not-for-profit venture based in the U.K. and founded by Steve Linford in 1998, The Spamhaus Project is responsible for identifying and blacklisting spammers, a noble venture to say the least. They made news earlier this year when a five-year long battle with the now defunct e360 Insights, LLC came to an unceremonious if not hilarious close. e360, which filed suit against Spamhaus back in 2006 for defamation to the tune of $130 million, was awarded three U.S. dollars. And they say that bad things don’t happen to bad people (in case that’s unclear, the bad people are e360).

Not Safe for Work?

Not to be outdone, however, Spamhaus has followed up with what appears to be a pending measure-off in the locker room. In a virtual sense, parents, you may want to usher your children out of the room for this one. Spamhaus routinely provides anti-spam DNS blocklists, or DNSBLs, which are widely used by ISPs – almost three-quarters of the Internet, according to Spamhaus – to reduce the amount of spam channeled through their email systems.

What’s in a Name?

Recently, the organization put in for a request to block all the traffic of a German ISP called Cyberbunker, more infamously known as CB3ROB. If you haven’t heard about CB3ROB, here’s a little taste. The ISP is best known for providing services for The Pirate Bay, which has been making news of its own recently.

CB3ROB, by Spamhaus’ accounting, “has long [been] seen involved in hosting cybercrime and spam outfits”. In fact, states Spamhaus, “If the name sounds familiar, it is: CB3ROB A/K/A ‘CyberBunker’ has a long history of run-ins with the law. It was also a host of the infamous “Russian Business Network” cyber-crime gang broken up by the FBI and other law enforcement agencies.”

Spamhaus also notes that their SBL (Spamhaus Block List) listings of CB3ROB have been:

“mounting steadily during 2011 for hosting malware, phishing and websites selling fraudulent goods advertised via spam.”

All in all, the type of pond scum we all know and despise, so no worries, right? Block away, Spamhaus!

But Wait…There’s More!

While there’s nothing unusual about Spamhaus’ treatment of CB3ROB, the real fun begins when a new player enters the arena – in this instance, a small Dutch ISP, A2B Internet. How are they involved, you ask? Well, simply put, cyberscum CB3ROB actually has a few server racks with one of A2B’s partners. Recognizing this, Spamhaus made several attempts to notify A2B, but apparently received no response. According to The Register:

“A2B, as an upstream provider, refused to block the full IP range of Cyberbunker and decided to block only one particular IP address that Spamhaus had identified as a source of spam.”

Not one to be shunned or ignored, Spamhaus decided to include the full range of A2B’s IP addresses in its block list. Not surprisingly, A2B was none too pleased about it, particularly when several of its clients’ services went dark. In fact, according to The Register, A2B Managing Director Erik Bais reported that some of A2B’s clients, “were practically offline as a result and couldn’t send or receive email.”

What’s a Poor ISP to do? Why, Call the Cops, of Course

Desperate, perhaps, A2B responded by filing a complaint with Dutch police, claiming that they were being “blackmailed,” according to The Register. In fact, if your curiosity hasn’t already gotten the best of you, you can go ahead and read Spamhaus’ humorous accounting of the incident, where Spamhaus reports that A2B also accused Spamhaus of “extortion” and “carrying out a ‘DoS attack’ on [A2B’s] network.”

So? Whose is Bigger?

This one’s just beginning, folks, so for now we’ll let you ponder the issues purported by both sides. Please chime in. Has Spamhaus overstepped its boundaries? Is A2B correct in its claims, or is it just clutching at straws? Or is this just another lame episode of “When Male Egos Attack?”

Weigh in and lay your bets before the real measure-off begins.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamhaus to Dutch ISP: Show Me Yours and I’ll Show You Mine

In an increasingly litigious world, it’s easy to tune out when you hear that one company is getting sued by yet another company for infringements – real or imagined. But in this edition of Spamfoolery, you’ll want to stay tuned to hear how much e360 Insight was awarded in the culmination of its long-running feud with the Spamhaus Project.

At very least, the endless litany of lawsuits in the tech world provide great fodder for blog writers. Even better, they also offer up a hearty chuckle once in a while, and the recent verdict in the long-running suit of e360 Insight LLC. v. the Spamhaus Project is no exception.

First, a little background to whet your appetite: in case you weren’t already familiar with it, the Spamhaus Project is a not-for-profit organization based in the U.K. and founded in 1998 by Steve Linford for the sole purpose of identifying and tracking spammers. All in all, pretty good stuff, since most spammers suck. I say ‘most’ because I still contend that the world needs some spammers – in much the same way I hate spiders, yet I acknowledge the need for spiders to keep other nasty vermin from spreading the way the Spanish Flu did in 1918.

Tune in for Another Episode of “As the Spam Turns…”

e360 Insights, LLC, on the other hand, is the alleged vermin in this soap opera. Way back in 2006, American Dave Linhardt, operating under the umbrella of e360, filed suit against Spamhaus for blacklisting his emailings and effectively labelling Mr. Linhardt a – you guessed it – spammer. Initially, the suit was tried in U.S. Federal District Court in Illinois, but the American law firm hired by Spamhaus petitioned the court to relocate the trial to the U.K., arguing that Spamhaus did not fall under U.S. jurisdiction. It gets more interesting from here on in, because the judge at the time ignored the request and British M.P. Derek Wyatt called for the American judge to be suspended from his post. Spamhaus also pulled out of the trial, prompting the judge to award e360 $11.7 million in damages.

Spamhaus refused to accept the judgement, stating that the court’s ruling had, “no validity in the U.K. and cannot be enforced under the British legal system.” Following the ruling, e360 filed suit to force ICANN to remove Spamhaus’ domain records until the matter was settled, inciting another interesting development. ICANN, a U.S. based entity with international responsibility for domain names, refused, stating they didn’t have the authority to cancel a British website’s domain records. In this matter, the same judge who awarded e360 the big chunk of cash sided with ICANN and Spamhaus, and poor little e360 found itself facing new problems.

It Gets Better…

In 2007, Chicago law firm Jenner & Block took Spamhaus’ case pro-bono and had the original damages overturned, thus sending the case back to district court. In early 2008, e360 filed for bankruptcy and terminated operations, citing its excessive legal costs in the matter of e360 v. Spamhaus.

Wait for it…

In 2010, another court reduced the damages from $11.7 million to $27,000, all this in the face of e360 filing for $135,173,577 (adjusted to $122,271,346 a week before trial) in damages!

Keeping in mind that: “the district court cited…Linhardt’s testimony regarding contracts with three customers who collectively paid e360 $27,000 per month for services performed,” it’s no surprise that the new judge in the case blasted e360’s counsel, stating: “this is just totally irresponsible litigation… You can’t just come into a court with a fly-by-night, nothing company and say ‘I’ve lost $130 million.’”

Wins Enough to Buy a Coffee!

Now for the really good part. On September 2, 2011, the soap opera finally came to an end, with the judge in the matter awarding e360 $3 in damages - no, that wasn’t a typo – from an asked $130 million to an award of $11.7 million, to $27,000, to (almost) enough to buy a coffee at Starbucks!

Who Said There’s no Justice for Spammers?

It sucks to be you, e360! It’s fun writing these articles, and I often find myself giggling like a schoolgirl when I write them. The case of e360 v. Spamhaus has been no exception, except that the ear-to-ear grin on my face has been accompanied by outright laughter as I sit alone by the pool, typing like a banshee. A strange sight, to be sure, and if any of the neighbors are watching, they must think me mad.

Maybe I am, but today I’m very happy.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spamfoolery: Sucks to be You Edition

On January of 2009, the controller for Experi-Metal Inc. (EMI) accidentally entered his credentials into a website he followed when clicking on a link in a phishing email. In less than seven hours, $1.9 million dollars was transferred out of EMI’s accounts and sent to various accounts within the United States, Scotland, Finland, Russia, and Estonia. Forty-seven wire transfers were initiated before Comerica notified EMI that something was wrong. Even after that, another forty-six were completed. Comerica was able to reverse many of the transactions and recovered all but $560,000 of EMI’s funds.

At the heart of the suit is that $560,000. Comerica’s position was that fault lay with EMI, and that the full responsibility for the phishing attack rested with the EMI employee. EMI maintained that Comerica should have done more to prevent the transfers, and that they should have been more diligent in monitoring suspicious activities and investigating them. A key point was that in the two years before the attack, EMI had made only two wire transfers.

There are several interesting points that stand out about this case. At its most basic, this case resulted from a successful phishing attack. An authorized user received an email purportedly from the bank. The message stated that the bank was performing maintenance on its software and instructed recipients to log on to an alternate site linked within the email, and he did just that. As a result, the attacker had all the information necessary for them to login to the real bank website and initiate wire transfers to off-shore accounts. But there is a little more to it than just a simple case of stealing credentials.

The bank uses two factor authentication for all transactions, requiring a username, pin, and token code. Even with the use of a security token, which should change its six digit code frequently, this was enough to provide the attacker(s) with access to EMI’s accounts, and to initiate over 90 wire transfers. Comerica had previously offered customers, including EMI, both the option to require two separate users to login to initiate any transfer, which EMI did not elect to use, as well as the option to require a separate authorization before a transfer could complete. EMI also chose not to add this protection.

As Comerica noticed suspicious activity and was concerned enough to contact the customer, it seems strange that they did not choose to stop any other transactions until they could confirm their legitimacy. There is also a question about whether the EMI employee who entered his credentials into the phishing site should have still had valid credentials to access the bank. EMI says he should not have; Comerica says that renewal notices were sent and processed appropriately.

Comerica intends to appeal the ruling, which may still include court costs or other punitive damages in addition to the $560,000 which they were not able to recover.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Precedent Setting Verdict Delivered in Phishing Case

On April 13th, the US Department of Justice and Federal Bureau of Investigation announced that they have disabled an international botnet infecting more than 2 million computers responsible for the theft of corporate data, user account details and financial information. The DoJ issued a press release detailing their takedown of Coreflood, malicious code that exploits security vulnerability in Windows operating systems. From the FBI website: “Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.”

Coreflood, according to court filings, is a nasty piece of malicious code that records keystrokes and monitors private communications. Once a computer has been infected, it becomes part of the botnet, which is remotely controlled by Coreflood’s C & C servers. The Coreflood botnet is believed to have been operating for nearly a decade, infecting more than two million computers around the world. The malware then steals user names, passwords and other private information, “allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts,” the DoJ press release reports. Court filings released by the DoJ describe one example where Coreflood was able to take over an online banking session and fraudulently transfer funds into a foreign account by monitoring Internet communications between a user and the user’s bank.

In order to effect the takedown, the US Attorney’s office for the District of Connecticut filed a civil complaint against 13 ‘John Doe’ (i.e., unnamed) defendants and executed criminal seizure warrants along with a temporary restraining order, all of which comprise, “part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet,” according to the government’s website. The complaint filed by the DoJ alleged that the defendants engaged in wire fraud, bank fraud and the illegal interception of electronic communications.

In addition to the civil complaint filed with the U.S. District Court for the District of Connecticut, the FBI seized five command and control servers scattered across the country and 29 domain names used by Coreflood. According to the DoJ, the TRO, authorized the government, “to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.” The FBI also established 5 sinkhole servers to control the flow previously handled by Coreflood. All this action hasn’t removed the malicious code from the zombie computers, a daunting task that the FBI admits will take time and cooperation from those infected. Along with participating Internet Service Providers, the DoJ and FBI will be notifying infected users in order to help clean the infection.

Oddly enough, the government press release also states that, “identified owners of infected computers will also be told how to “opt out” from the TRO, if for some strange reason infected owners want to keep Coreflood running on their computers.” For the paranoid who don’t particularly relish the idea of having the federal government poking around inside their computers, the DoJ provided an assurance that, “at no time will law enforcement authorities access any information that may be stored on an infected computer.”

The bad news is that, as of the writing of this article, the FBI’s offer to help infected users only applies to PCs in the US, so international users are out of luck. The DoJ press release does point to a US Computer Emergency Response Team (US-CERT) information site which provides detail on Coreflood and the Microsoft updates required to immunize against the malware.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” stated US Attorney David B. Fein of the District of Connecticut, where the complaint was filed.  “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

So, chalk up another victory for the good guys, right? Maybe, but even with the recent takedown of Rustock and now the malicious botnet known as Coreflood, it seems like there is much more work to be done. I don’t know if it’s coincidence or not, but since my recent article on how spam has been reported to be significantly reduced since Microsoft took out Rustock, the spam arriving in my inbox seems to have increased. Significantly. I’d certainly be interested in hearing anyone else’s recent experience. Are these good news stories and affirmative action reason to be optimistic, or are law enforcement agencies only sticking their fingers in one hole in the dike, only to see two more holes spring up elsewhere?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

U.S. Authorities Pull the Plug on Major Botnet, 2 Million Zombie PCs Rejoice (Sort Of)

And then I come across a story like this one.

The mammoth media company Condé Nast – publishers of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker and Wired magazines, to name a few – was targeted by a spear phishing attack last November that cost the company $8 million in a series of wire transfers sent over several weeks. Last week, the US Attorney’s Office filed a complaint in Manhattan District Court alleging that the publishing giant got hooked by a single phishing email that was fabricated to appear as if it had come from Quad/Graphics, a company that prints Condé Nast’s magazines.

The email came in the form of an attached PDF file. According to one of Condé Nast’s companies, Wired.com, “The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.”

The alleged spammer – who has been identified as one Andy Surface of Alvin, Texas – established a bank account under the name Quad Graph and then sent the mail to the publishing company requesting that future payments be made to the new account. Condé Nast’s accounts payable department had no issues with the request, apparently, because someone from the department signed the Electronic Payment Authorization form and faxed it back to Surface, who is alleged to have shown BBVA Compass Bank in Alvin documents establishing that the company Quad Graph had been registered in a different country.

When Condé Nast authorized the form, they effectively gave their bank, JP Morgan Chase, permission to deposit funds in the fake account. Between November 17th and December 30th, they did just that, depositing a little less than $8 million in payables, intended for Quad/Graphics, into Surface’s account. The scam might have gone on longer, but on December 30th, Quad/Graphics (the real one) contacted Condé Nast to ask why the company hadn’t paid its outstanding invoices. According to eWeek.com, “Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface.”

Condé Nast was able to recover about $36,000 by reversing one of the wire transfers. The company immediately alerted the authorities and on January 10th, the US Secret Service was able to secure a warrant freezing the accounts before the scammer was able to transfer the money elsewhere. A forfeiture lawsuit is pending, and presumably criminal charges that might include wire fraud and money laundering. Surface has not yet been formally charged, but Wired.com reports that, “Forbes dug up a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.” The US Attorney’s office declined comment.

“Phishing now makes up 23 percent of all attacks in the realm of social media,” Paul Henry, forensics and security analyst at Lumension, told eWeek.com. “A recent IBM X-Force Trend and Risk Report found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X–Force.”

As for Condé Nast, it’s not surprising that they’re keeping mum on the whole situation.

“A Condé Nast representative said the company could not comment on a pending investigation,” eWeek.com also reports, and Henry raised an interesting perspective on the whole thing. “What’s most frightening is the fact that this isn’t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,” he said.

It is frightening. One might write this incident off as a very large corporation with so many transactions to fulfill that it might be ripe for the picking in a phishing scam like the one that netted Condé Nast. But Condé Nast got bilked out of $8 million off of one email. If it is that easy, then are there other incidents like this one – successful scams of other major corporations, scams that we’re not hearing about? Or is this just a blip, a random case of the one that didn’t get away?

The answer is unclear. However it happened, this much is clear: if a big fish like Condé Nast can fall victim to a simple spear phishing scam, what does that say for the state of enterprise wide security to protect against these types of schemes? With phishing schemes becoming more sophisticated (relatively speaking), is anyone safe?

I must make a confession. In 2006, I awoke one morning and while I enjoyed my first cup of coffee of the day, I read my email when I noticed what appeared to be a message from PayPal. The email asked me to update my account information, and without thinking (it was 6:15 AM and it was my first cup of coffee), I clicked the link provided by the email and was routed to a page that looked authentic enough. I proceeded to enter my username and password and after clicking ‘Enter’ I was shown a big ‘Thank You!’ and nothing else. It was only then that I remembered: I had recently changed my PayPal password, but the site had accepted the old one. I got off easy that morning, but as an IT professional, the revelation shook me to the core. Coffee or not, big corporation or not, we’re only one click away from financial mayhem.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spear Phishing Email Nets $8m from Media Giant Condé Nast

Asis claims it spends over $3,000 a month dealing with over 200,000 pieces of junk mail. It’s filed no less than 20 lawsuits against various internet marketing firms and advertisers, prompting critics to accuse them of being trolls and attempting to abuse the CAN-SPAM Act to cash in and profit through frivolous lawsuits. They say the company filed many of the lawsuits against companies it had little or no proof of any spamming against.

The judge agreed to dismiss Asis’s lawsuit against Subscriberbase with prejudice and has delayed the action for 30 days to allow Subscriberbase to seek attorney’s fees. It’s not clear what the company plans to do about its other pending lawsuits but at least one defendant, Foggy.net, says it has no intentions of backing down.

This is a clear example of how suing spammers can backfire. Make sure you’re thoroughly familiar with the CAN-SPAM Act and that you’ve got plenty of proof before filing any lawsuits or your company could learn a very expensive lesson.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISP That Won $2.6 Million Drops Suit Under Threat of Bankruptcy

InNova claims the patent was granted to mathematician Robert Uomini in 1995. Unomini is credited as the founder in the lawsuit while InNova takes credit as the patent licensing company he went through. The technology is called “System for Adding to Electronic Mail Messages Information Obtained from Sources External to the Electronic Mail Transport Process” but few details have been given about how it actually works, other than the very vague “helps determine what emails are spam and which are legit”. However that hasn’t stopped the company from declaring that if it weren’t for them, the entire email system would fall apart.

          “More than 80 percent of email is spam, which is why companies use InNova’s invention rather than forcing employees to wade through billions of useless emails. Unfortunately, the defendants appear to be profiting from this invention without any consideration for InNova’s legal patent rights,” said patent-infringement attorney Christopher Banys.

The suit lists everyone from Bank of America to Frito-Lay, Dr. Pepper and RIM. It’s not yet known why InNova and Uomini waited so long to sue or why they chose the companies they did. The suit was filed in the U.S. District Court of East Texas. Texas has long been known as extremely friendly to those filing patent suits.

None of the companies named in the suit have yet commented.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Apple Facing Lawsuit Over Spam Filtering

Federal authorities say two men accused of running a spam campaign in Columbia Missouri that targeted college students reaped in the profits to the tune of over $4 million.  Investigators say Amir Shah, Osmaan Shah, and Paul Zucker began their spamming activities in 2004. They created programs designed to harvest the email addresses of students at over 2,000 colleges, starting with those at the University of Missouri at Columbia.

The spam messages hawked products such as tooth whiteners and a social networking site called Noog.com and claimed to be from officially authorized campus representatives and alumni owned businesses. To avoid detection they used a bullet proof hosting company in China that ignored take down requests and bought proxies. They also faked the headers and reply-to addresses in their messages, a blatant violation of CAN-SPAM laws. When a college complained, the addresses of their students were simply taken off the list.

The men made their money by both selling the products they offered in their spam messages and by affiliate marketing, using their spam to inflate their referrals. They tried to hide their profits by buying properties and funneling it to overseas accounts.

The Shahs and Zucker were indicted on 35 counts of fraud in connection with email, 6 counts of fraud in connection with a computer, and 1 count of conspiracy. All three charges are felonies and they face over 60 years in prison if convicted. Zucker pleaded guilty last week. The Shahs had originally entered a not guilty plea but were expected to change that to a guilty plea last week, but cancelled their hearing after Zucker pled guilty.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Feds Say Missouri Spam Operation Netted Over $4 Million

The spam was an attempt to drum up leads for an affiliate programs. Find a Quote said it does not tolerate spam and had no knowledge that its affiliates were using spam to get sign ups.  Presumably the judge didn’t buy that argument.

A U.S. District Court judge agreed with Asis’ argument that Find a Quote had violated the CAN-SPAM Act by sending emails with fake headers but awarded them an initial $865,000, which was then tripled because the company’s spamming was considered aggravated. Asis says Find  a Quote used directory attacks and automated scripts to create the fake email accounts it used to send the spam.  Asis said it cost them around $3,000 to process the spam.

It’s not likely Asis will ever see any of that $2.6 million. Find a Quotes website has vanished and there is no contact info available. They’ve had no comment on the matter and it’s not known if they even showed up in court or not.

Is filing lawsuits against spammers worth it to your company? Even if a monetary judgment is awarded the chances of actually seeing any of it are slim. Spammers either file for bankruptcy or are located in another country and are impossible to collect from.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISP Wins $2.6M Judgement Against Spammers

Among the incriminating evidence was a spreadsheet that showed the company had spammed over 3 million email addresses in a 5 hour campaign and records for the 8,000 fake Yahoo! mail accounts they used to send the spam. Diego’s sister insists all the addresses had opted in to the mailings and that the email addresses where only used to test mailing software.

While some privacy advocates are uncomfortable with such warrants and are concerned about abuse, the Electronic Frontier Foundation is satisfied with how the FBI handled the matter.

“Assuming the warrant is valid and satisfied the Fourth Amendment … the government’s conduct in this case certainly satisfied one of our biggest concerns,” says EFF staff attorney Kevin Bankston. “We think a warrant should be required to access cloud data.”

Google says that when it receives a request from law enforcement it notifies the user as long as it is allowed under law and doesn’t compromise any investigation. They say they do their best to give their users a chance to contest the search requests in court.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Google Docs Account Leads to Spammers’ Downfall

Along with the settlement the company was barred from sending such messages again and ordered to change its recruitment process, something it’s already accomplished. Tagged blames the mess on a viral experiment that went haywire and on simple human error, and says they have made changes to ensure it never happens again. They seem to have made good on their promise. There have been no recent spam complaints or lawsuits and users can now easily opt out of inviting their friends if they wish. Before the process was murky and many users were tricked into sending them, but now the site has made things crystal clear and left sending invites up to the users themselves.

In an interesting twist Tagged recently won a lawsuit it filed against a spammer. In January they won a $201,975 default judgment against a man they said spammed their members with links for an adult site.

There’s an important lesson to be learned here. If your company is thinking about an ad campaign that could be considered at all spam like, don’t do it. You will get burned. Be especially cautious with viral campaigns.  If you find your company the target of spam complaints or a lawsuit, own up to any mistakes you may have made and fix them quickly. Honesty is often the best PR in such situations!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Renewed and Reformed,Tagged.com Settles Final Spam Complaint

“To Whom It May Concern,” the message says, “On the link below is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11, 2010 in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchtone Advisories Inc is a victim of Copyright Infrigement. Touchtone Advisories has proof of multiple copyright law violations.”

The company name and courtroom number appear to vary. A link provided prompts the recipient to download a .doc or .rtf file that contains an embedded object that looks like a .pdf but is really a hidden .exe file containing malware. The file, RTF.EmbedEXE.Gen, is a Trojan that once installed immediately begins downloading a variety of additional malware.

As startling as the email may be it is also full of red flags including the generic greeting, extremely poor grammar, and numerous misspellings. The biggest flag of them all is the scammer’s apparent complete ignorance of the legal process. Lawsuits are not served via email – papers are either given in person via a process server or through the mail via Registered/Certified Mail. Be sure to warn your users not to fall for this and to keep your anti-virus programs up to date.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam Attack Threatens Lawsuit

Classmates settled with members for $9.5 million.

Millions of netizens hounded every day by spam from Classmates.com must have felt a measure of vindication last week when the company agreed to settle for an estimated $9.5 million a lawsuit leveled against it by its members.

What prompted the lawsuit filed in federal district court in Seattle was Classmates’ practice of sending emails to registered users telling them one of their schoolmates from the past was looking for them. If you want to see who’s allegedly trying to contact you, though, you needed to upgrade your membership to the “gold” level at $39 a year. (Currently, those memberships are being deeply discounted to $9.95) Problem was, after upgrading their memberships, people were finding no one was looking for them at all.

Under the terms of the settlement of the class action lawsuit initially filed in 2008, everyone who upgraded to a gold account after receiving an email enticing them to do so to see  a classmate who signed their “guestbook” has the choice of receiving $3 in cash or a $2 credit when they renew their membership. It’s estimated that could affect an estimated 3.16 million members.

In addition, all paying and non-paying members who have joined the outfit since Oct. 30, 2004 must be offered a $2 credit should they decide to renew or buy a gold account.

What’s more, Classmates must pick up the legal tab for the members who sued it, which amounts to $1.3 million, and will be restricted, through an injunction, for two years on how it can use the term “guestbook” and must clarify how guestbooks at the site work.

As is often the case in these kinds of lawsuits, Classmates did not admit to any wrongdoing as a condition of settling the litigation. “Neither this Settlement Agreement, nor any document referred to or contemplated herein, nor any action taken to carry out this Settlement Agreement, is, may be construed as, or may be used as an admission, concession or indication by or against Defendants of any fault, wrongdoing or liability whatsoever,” the settlement agreement stipulated.

For years, the company has been a consumer complaint magnet. At ConsumerAffairs.com there are 177 pages of gripes, largely about unauthorized credit card charges, about the service dating back to January 2006.

The company has also been linked to three companies engaged in dubious “post-transaction marketing” tactics. Those tactics sometimes offer consumers additional offers as part of the online payment process that squeeze more money from buyers without their knowledge.

The companies–Affinion, Vertrue and Webloyalty–were cited last November in a probe of the practice conducted by a Congressional committee . In that investigation, legislative bloodhounds found that 88 companies made more than $1 million by partnering with Affinion, Vertrue, and Webloyalty, including Classmates.com, which made more than $70 million.

“[T]his Committee has found that the companies we are investigating have figured out very clever ways to manipulate consumers’ buying habits so they can make a quick buck,” U.S. Senate Committee on Commerce, Science, and Transportation Chairman John D. (Jay) Rockefeller IV, D-W. Va., said in a statement.

“Millions of Americans are getting hit with these mystery charges every month,” he added. “We have to do all we can to protect the hard working families relying on us to look out for their wallets and well-being.”

Recently, Classmates’ parent company, United Online, said its agreements with the three companies were being either “terminated or modified.”

Classmates isn’t out of the legal woods yet. Last week, two members sued the company over changes it made to its default settings to make member information more generally available on the Internet. Those changes, the lawsuit maintains, open up members to all kinds of unsavory activities such as identity theft, harassment and stalking. It also asserts that the changes are a breach of the service agreement between Classmates and its members, as well as violate the federal Electronic Data Privacy Act and Washington state consumer protection law.

In recent months, privacy has been a sore point at social networking sites. Changes in the privacy settings used by Classmates’ leading rival, Facebook, set off howls of protest on the Internet.

“These new ‘privacy’ changes are clearly intended to push Facebook users to publicly share even more information than before,” railed Senior Staff Attorney Kevin Bankston in a commentary published at the Electronic Frontier Foundation Web site. “Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Classmates settles spam suit

The irony is that the site’s co-founder, Greg Tseng, was himself fined $900,000 back in 2006 when his company, Jumpstart Technologies, was found in violation of the CAN-SPAM Act. What’s more, this past November, Tagged reached a $750,000 settlement with the Attorney Generals of New York and Tennessee over its own invitation practices.

The site has had a bad reputation for some time, and some anti-fraud advocates consider it a phishing site.

Whether the suit and the site’s recent revamp of its invitation process means the site is turning over a new leaf remains to be seen, but the irony is hard to ignore!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Tagged.com Wins Suit Against Spammer

A CAN-SPAM court decision may hurt the private domain registration business.

Spammers hiding behind private registration of domain names to spread junk email received a slap in the face recently by a federal district court in California. In their attempt to nullify the U.S. CAN-SPAM Act the garbage pedlars argued, among other things, that the law was unconstitutionally vague because anyone trafficking in private domain registrations could be held liable for materially falsifying an identity under the statute.

Ironically, private domain registrations were created to protect domain owners from spammers, scammers, telemarketers and other unsavory types. Under the process, domain owners who want to keep their personal  information private enlist another company, a proxy registrar, to register their domain for them. The domain owner retains control of the domain, but for public purposes, such as listing in the WHOIS directory, the proxy’s contact information is listed as the owner of the domain. The rub to the process, though, is that anyone can use it–even spammers seeking to hide ownership of their domains. It’s a  pair of such spammers that found themselves  appealing their prosecution before the Ninth Circuit Court of Appeals.

The case, U.S. v. Kilbride, involved a pair of porn spammers operating through a company based in the small African nation of Mauritius. Their spam, which generated 662,000 complaints with the U.S. Federal Trade Commission, violated CAN-SPAM in a number of ways including forged headers, fake email addresses and phony contact information. A jury, after a three week trial, convicted the defendants of criminal CAN-SPAM violations and other charges. One smut circulator received a 6.5 year prison term; the other, five years in the Big House.

In their arguments before the court, the skin merchants asserted that CAN-SPAM is too vague in its definition of material falsification to meet constitutional standards because it criminalizes private registration of domain names. The court, however, wasn’t buying that contention. “We fail to perceive any vagueness on this point,” the judges opined.

Passed in 2003, CAN-SPAM provides penalties for anyone, among  other things, who “materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages” or “registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names…”

The court also rejected the notion that the material falsification definition allows innocent people to be investigated for violating the law until their intent can be determined. That, the spammers asserted, invited law enforcement officials to abuse the law. “This may be so, but it does not make the statute
unconstitutionally vague,” the court said.

“As we recently noted,” it continued, ” ‘[w]hat renders a statute vague is not the possibility that it will sometimes be difficult to determine whether the incriminating fact it establishes has been proved; but rather the indeterminacy of precisely what that fact is.’”

“While determining as a factual matter whether the requisite intent for culpability under [CAN-SPAM]exists may prove difficult, this does not demonstrate
that the concept of intent as used in the statute is an entirely indeterminate, subjective one,” it added. “Hence, the problem Defendants identify is irrelevant to the vagueness inquiry.”

Of course, the Ninth Circuit is only one court, and its decisions don’t necessarily carry any weight outside its jurisdiction. Another court could very well find that CAN-SPAM’s falsification provisions are unconstitutional and send the whole issue to the Supreme Court.

For now, however, the question remains will court decisions that discourage netizens from using private registrations or registrars from offering them make a dent in the spam volumes which are consistently over 90 percent of all email on the Internet? Probably not. If the government gets tough in probing private registrations, it will probably discourage the innocent from engaging in the practice  while Black Hats, who live by subterfuge, will continue to keep it in their bag of dirty tricks.

One thing is certain, if the courts continue to crackdown on private registrations, it won’t favorably impact the registrars who turn a buck on them. As one attorney waggishly observed in his blog, “I don’t see the domain name proxy business as a growth industry.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Private registration no defense for spammers

Microsoft said in the suit that Funmobile-doing business here as Mobilefundster, sent IM’s with links to a site called MeetYourIM. Those who clicked on it were brought to the site and asked to type in their MSN username and password. Upon doing so the company collected all the addresses in the users contact list and spammed them with the same message.

          “This kind of activity crosses the line from legitimate third party services to ‘parasiteware’ that harms our customers,” wrote Tim Cranton, a lawyer with Microsoft’s Internet Safety Enforcement group, in a blog posting.

Such spam is called “Spim” and can be particularly effective because it looks to the recipient like it came from a friend. The suit also claims that Funmobile used a fake MS support page as part of its phishing activities and directed users to porn sites.

Microsoft says they hope the suit will send a message to other companies thinking of using the same techniques. Funmobile has had no comment about the suit.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Sues Ringtone Company for Spamming

Cuomo claims that between April and June Tagged.com sent out messages to consumer’s contacts that were fake notifications that looked as though they were coming from a friend. He says his office intends to sue for deceptive email-marketing and invasion of privacy.

The company denies any wrongdoing, blaming the problem on a registration process that has since been discontinued and also blamed its own customers, suggesting they accidently gave their consent for the spam emails to be sent out.

“We realize that some were confused and accidentally agreed to invite their friends,” said Greg Tseng, Tagged’s chief executive, in a prepared statement. “We are truly sorry for any inconvenience or frustration that these people experienced.”

What both Cuomo and Tagged.com do agree on is that when people registered on the site, emails were sent to all their contacts stating that one of their friends “sent you photos on Tagged.” The link provided would prompt them to register on the site and the cycle would begin again. Not good business practice at all.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

NY Attorney General Announces Intent to Sue Tagged.com

The possible spam charges come as a result of another barrage of emails he sent in an attempt to pursuade Utah lawmakers to override a veto of a law that would have made the sale of video games labled Mature illegal. Thompson is a rabid anti-video game activist.

          “In the grip of such legislative ignorance, Mr. Waddoups has today threatened Mr. Thompson with criminal prosecution by Utah’s Attorney General for writing him, the ultimate purpose of which is to encourage Utah legislature to override Gov. Huntsman bizarre veto,” reads Thompson’s press release. “Thompson also informed Sen. Waddoups that the same Attorney General he wants to have prosecute Thompson has received thousands of dollars from the video game industry whom Mr. Shurtleff now helps protect. Gov. Huntsman has received their money as well. What a surprise. This is pay to play in Utah. Maybe the whistle blowing as to this is what concerns Mr. Waddoups the most.”

The email in question included an image of two barely clad women about to give a Grand Theft Auto IV character a lap dance. When State Senate President Waddoups asked to be removed from Thompson’s email list, he refused, leading Waddoup to seek charges under the CAN-SPAM Act, which carries fines of up to $11,000. Thompson pledges to fight any charges and keep his vendetta against video games going strong.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Former Florida DA Faces Spam Charges

The site’s true intent is to harvest email addresses and passwords. While the site provides a disclaimer advising the user NOT to use their Facebook password or any other password already in use on a different site or account, they know many users use the same password everywhere, in fact they are banking on it.

Neither Facebook or Wallace has commented on the suit, but this is nothing new for Wallace. A little less than a year ago, MySpace won a lawsuit against him, and over the years he’s also been sued by CompuServe, AOL, and the FTC.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

“Spam King” Hit With Yet Another Lawsuit