Terry Zink's Anti-spam Blog

Protecting your mail from the scum of the internet
Hard to see, the future is

About 15 months ago I started work on a project that measures our spam effectiveness.  Just last week the first part of it finally went live, end-to-end.  It was a long time coming but we finally got it done.  If you're wondering what took so long, let me tell you:

  1. We need a source of spam.
  2. We need to capture it.
  3. We have to avoid interfering with legitimate mail delivery.
  4. We need to log the data.
  5. We need to adhere to privacy requirements.
  6. We need to create an isolated network within our network to actually do the filtering.
  7. We need to display the data afterwards.

None of those things is trivial because while the network is designed to mimic our existing filtering infrastructure, there are lots and lots of small differences.  A pile of small differences adds up to a major engineering challenge.

Anyhow, the project originally started off as how to gauge our spam catch rate and false positive rate.  As we started going along, it became clear to me that I had to scale back my expectations and I started concentrating on how to measure spam.  Fancy charts, training the filter on false negatives, measuring false positives, post-examination, correlation between filters on missed messages... all of this stuff is cool but I had to first get up the first rung on the ladder.

Now that we're looking at part 2, measuring our false positive rate, lots and lots of questions are popping up.  How do we measure ourselves against our competition?  How do we improve our effectiveness?  How do we leverage this network?  How do we correlate different false positives and false negatives across different filters?  In other words, we now have some visibility and questions are arising about what this thing will look like at the end.

The truth is that I haven't completely thought everything through; I only have a rough outline.  George Lucas has stated, of the Star Wars prequels, that when he wrote the stories back in 1975, he had a pretty good idea of what they would all look like.  While he didn't have all the details ironed out, the three new movies pretty much adhered to his basic storyline.

Well, similarly, while I haven't completely thought through all of the details and plot points, I have a pretty good idea of what this network will do when all is said and done.  The end game is to create a network that measures how well we are doing on spam and non-spam, does training on false negatives/positives, determines our response time, compares ourselves to competitors and includes piles of statistics (because I like charts). 

Now I need to hire a writer to get the dialogue to not be so cheesy.

The importance of botnets in computer security

Several of the characteristics of botnets are not only significant in and of themselves, but are emblematic of some of the unique challenges that cyberwarfare as a whole presents.

This is part of a series run by Stratfor with some additional commentary (and jokes) by me.

Analysis

Botnets are a conglomeration of thousands (or more) hijacked computers known as zombies. These networks can amass the processing power of many computers and servers from all across the globe and direct them at targets anywhere in the world. Botnets are used not only in massive spam campaigns on a daily basis but are also used in cyber-security attacks. 

In DDoS attacks, individual bots can direct their computers to repeatedly access a particular target network or Web site — with the entire network of zombies doing so at the same time. These kinds of attacks, depending on their scale and the target system’s ability to cope, can begin to degrade accessibility or completely overwhelm and shut down access to that network, Web site or server. They can also autonomously exploit a user’s address book and e-mail server to send out spam or infected e-mails or distribute other types of malicious software — including copies of itself to further expand the network.

The good botnets have their software written and controlled by individuals; these botnets are often controlled by subnational actors — be they hackers, terrorist organizations or cybercriminals.  Less effective botnets can be created by downloading existing software from the Internet, but because they are widely available, systems with up-to-date security software are generally already protected against them.  In stock trading, it's kind of like trading the news -- there's no point because once it's widely distributed it is already priced in.

Ultimately, DDoS attacks can be a particularly crude method of challenging advanced systems. But while some technologies have been developed to help reduce their effectiveness, thus far this fairly simple technique has continued holding its ground against improvements in computer security, especially for short-duration disruptions, and remains the most effective and unstoppable method of attack with large botnets. Even if the DDoS ceases to be an effective tool, the capability to muster a massive pool of processing power will likely remain a key aspect of cyberwarfare for some time to come.

What else makes hackers tick?

In my previous post, which is taken from a series that Stratfor has run recently, we looked at some of the motivations of hackers.  Let's take a look at some more.

Altruism

The tenets of altruism vary greatly, depending on the person subscribing to it, but often they are based on an individual’s beliefs regarding the Internet and are often associated with what are considered positive actions intended to serve a perceived public good. These tenets can include the free flow of information, security preservation and user protection. In some ways, altruism can be understood as a variation of the Hacker Ethic with a benevolent bent. But because it all comes down to a personal perception and world view, “altruistic” hackers may sometimes perform actions that seem quite malicious to others (e.g., shutting down Web sites that are believed to be blocking the free flow of information).

Hackers who believe in altruism either aren't fans of Ayn Rand or haven't read anything by Ayn Rand.

Hacktivism

Hacktivism promotes the use of hacking to accomplish political goals or advance political ideologies. Depending on the campaign, these actions may involve both white-hat hackers and black-hat hackers and can include Web site defacement, redirects, DoS attacks, virtual sit-ins and electronic sabotage. Many hacktivist actions often fall under the media radar but their political, economic, military and public impact can be significant.

An example of this is way back in the 1990's when some hackers broke into the CIA web site and changed the name on the main site to the "Central Stupidity Agency." I actually don't know if this actually happened because I never personally verified it... but I think it falls under the hacktivism mantle.

Nationalism

Although a rare hacker ideology, nationalism can envelop large portions of the community given the right cause or circumstance. By their very nature, hackers are individualists who rarely pledge allegiance to other hackers or groups, let alone countries. This is partially due to the fact that the Internet itself and the hacker community it supports have their own cultural elements — indeed, some of the other motivations discussed above often supersede or transcend national identity. There are situations, however, when hackers can be motivated to act in what they perceive to be the best interests of their respective nations.

Those are some of the motivations of hackers.  One day maybe I'll do a series on the motivations of spammers, but I think I can sum it up in one word: greed. 

Those types of spammers would have no disagreement with Gordon Gekko who asserted that "Greed is good."

What makes hackers tick?

Why do hackers do what they do?  Are they motivated by something?  Altruism?  Greed?  Stratfor examined this in one of their recent articles, parts of which I have below with some additional comments from me.

The personal motivations driving individual hackers are virtually infinite. But there are a handful of dominant ideologies that can offer insight into the mindsets and motivations of much of the larger hacker community. Not all hackers subscribe to or are driven by these beliefs, but most are shaped or affected by them in some fashion.

Any discussion of these ideologies must begin with the basic Hacker Ethic, the founding principle of the hacker community.

Hacker Ethic

Interpretation of this ethic can vary, but it essentially entails the following beliefs:

  • Information should be free and accessible to all.
  • Access to computers should be unlimited.
  • Computers and the Internet can be a force for the betterment of humanity.
  • Authority is not to be trusted.
  • The principle of decentralization goes hand-in-hand with all of the above.

These fundamental principles, and variations thereof, are commonly held in the hacker community and have evolved over time into some of the ideologies described below.

Exploration

The basic principles of exploration — an outgrowth of the Hacker Ethic and the first ideology many hackers adopt — are to look into every corner of the Internet and bypass any security simply for the sake of improving skills and learning how to navigate cyberspace covertly.  As a side note, I've been known to do this when playing around trying to improve my Linux skills - trying out new commands to see what they do.  That's how I acquired skill in awk and xargs.  Of course, I wasn't trying to break into anything at the time.

In the process, explorationists generally try to leave no trace and to avoid any damage to the system (which would, inherently, be evidence of their intrusion). The better an explorationist is, the better they are at hiding their steps.  Of course, sometimes ego can get in the way.  Not me, though.  I'm the least egotistical person I know.

Many of this ideology’s tenets originate from newer versions of the Hacker Ethic — especially the white-hat version, which emphasizes benevolent rather than malevolent actions.

Informationism

Another outgrowth of the original Hacker Ethic is informationism, which holds that information should be allowed to flow freely throughout the Internet and, by extension, throughout all human societies. Hackers who embrace this ideology often have specific areas of interest they monitor to identify developments and actors that they might perceive to be limiting the free flow of information. Once these hackers identify constraints, they attempt to remove them by a variety of means, from simply rerouting data to removing security protocols to staging comprehensive network attacks — essentially making that information free through force.

When I read the book "Spam Kings", there was a brand of informationism.  Whenever somebody would post a spammer's contact information, piles of more anti-spammers would mirror that data and repost it on their own sites.  Authorities might be able to shut down the original poster, but they couldn't catch them all (like Pokemon).  In effect, anti-spammers would ensure free access to information, namely the identity of known spammers, by sheer volume.

In my next post, I'll get to a few more motivations.

Coders, crackers and bots, oh my!

There are more than just blue, black and white hat hackers.  There are a few more types of folks out there that don't fit into the above categories.  This article is taken from Stratfor with some commentary by myself.

Coders

Many of the hackers described in my previous post are also coders, or “writers,” who create viruses, worms, Trojans, bot protocols and other destructive “malware” tools used by hackers.

Spammers who write their own viruses (to infect PCs into botnets) have an advantage over other spammers.  Spammers who are coders with some background in marketing or psychology have a bigger advantage still.

Crackers

Crackers are hackers who circumvent or bypass copyright protection on software and digital media. The most prominent recent example of cracking was the “unlocking” of Apple’s iPhones in order to break software-imposed restrictions on the use of GSM cellular networks other than AT&T (which made a deal with Apple to be the sole provider of iPhone service).

In anti-spam, a type of cracker might be someone who attempts to crack a spam filter.  For example, some spammers will sign up for Hotmail accounts and spam themselves until something gets through.  Once they do, they spam all of their Hotmail spammees.

Script Kiddies

Script kiddies represent an intermediate category of actor between regular computer user and hacker. A script kiddie is more knowledgeable about computers and the Internet than most users but has yet to develop the skills, experience and expertise to be a truly effective actor. This would be a lot like me pre-2004.

Script kiddies know just enough to get themselves in real trouble or to bring real trouble to bear on others.  In my own world, I know just enough about our back end databases to be dangerous.  It's really useful to be able to insert into the database, but at the same time it took me two hours to restore all the rules when I accidentally forgot to specify the rule number when I said update SpamRules set text='this is changing the spam rule';  Not including the "where rule_id=xx" really cost me some time.

After I did it a second time, I learned my lesson.
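The mistake described above, an UPDATE with no WHERE clause rewriting every rule, can be caught before it is committed by running the statement in a transaction and rolling back when it touches an unexpected number of rows. This is an added example, not code from the original post: only the `SpamRules`, `text` and `rule_id` names come from the post, while the SQLite schema, the sample rules and the `guarded_update` helper are assumptions.

```python
import sqlite3


class UnexpectedRowCount(RuntimeError):
    """Raised when a statement changes a different number of rows than intended."""


def make_demo_db():
    """Build an in-memory stand-in for the rules database (constructed sample data)."""
    # isolation_level=None puts sqlite3 in autocommit mode so that the
    # BEGIN / COMMIT / ROLLBACK statements below are fully under our control.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE SpamRules (rule_id INTEGER PRIMARY KEY, text TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO SpamRules (rule_id, text) VALUES (?, ?)",
        [(1, "cheap meds"), (2, "stock tip"), (3, "replica watches")],
    )
    return conn


def rule_texts(conn):
    """Return the current rules as {rule_id: text}."""
    return dict(conn.execute("SELECT rule_id, text FROM SpamRules ORDER BY rule_id"))


def guarded_update(conn, sql, params=(), expected_rows=1):
    """Run one UPDATE or DELETE inside a transaction.

    The change is committed only if exactly expected_rows rows were affected;
    otherwise it is rolled back and UnexpectedRowCount is raised.
    """
    conn.execute("BEGIN")
    try:
        cur = conn.execute(sql, params)
        if cur.rowcount != expected_rows:
            raise UnexpectedRowCount(
                "statement touched %d rows, expected %d"
                % (cur.rowcount, expected_rows)
            )
        conn.execute("COMMIT")
        return cur.rowcount
    except Exception:
        # Any failure, including the row-count check, leaves the table untouched.
        conn.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    db = make_demo_db()
    new_text = "this is changing the spam rule"

    # The statement from the post, with the WHERE clause forgotten.
    try:
        guarded_update(db, "UPDATE SpamRules SET text = ?", (new_text,))
    except UnexpectedRowCount as exc:
        print("rolled back:", exc)
    print(rule_texts(db))

    # The intended statement, scoped to a single rule.
    guarded_update(
        db, "UPDATE SpamRules SET text = ? WHERE rule_id = ?", (new_text, 2)
    )
    print(rule_texts(db))
```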

Bots and Zombies

Not all actors in cyberspace are human. This is not to classify every server and application in cyberspace as an actor. But there is a unique non-human actor in cyberspace known as a zombie, which is a computer wholly or partially controlled by a bot. A bot, for our purposes, is a parasitic program that hijacks a networked computer and uses it to carry out automated tasks on behalf of a hacker. Individual bots can be building blocks for powerful conglomerations of bots.  One famous example is the conglomeration of bots infected by the Storm worm.

Once many bots and bot herders have been amassed, they can be consolidated into a collective computing network called a botnet, also called a “bot army.” This allows a single hacker to wield simultaneously the computing power of many thousands of machines — or more — and accomplish tasks that would otherwise be impossible with a single computer.  Mass spam campaigns are one of the uses of botnets.  It makes it possible for spammers to send out piles of spam without triggering reputation filtering.
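Why a botnet slips under per-sender reputation, and what a filter can count instead, is shown in the added example below, which is not code from the original post or from any real filter. The thresholds, the log format, the sample traffic and the body-fingerprinting scheme are all assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

PER_IP_LIMIT = 100         # assumed: messages per window before one IP is flagged
MIN_DISTINCT_SOURCES = 50  # assumed: distinct IPs sending one body before it is flagged


def build_sample_log():
    """Constructed sample: (source_ip, body) pairs seen in one time window."""
    log = []
    # A conventional bulk sender: one IP, high volume.
    log += [("198.51.100.7", "Buy cheap watches now, order %d" % i) for i in range(500)]
    # A botnet campaign: 300 zombies, two messages each, same template.
    zombies = ["192.0.2.%d" % i for i in range(1, 151)]
    zombies += ["203.0.113.%d" % i for i in range(1, 151)]
    for i, ip in enumerate(zombies):
        for j in range(2):
            log.append((ip, "Hot stock tip!!  Ticker XYZ, ref %d" % (2 * i + j)))
    # Ordinary low-volume mail.
    log.append(("198.51.100.20", "Meeting moved to 3pm"))
    log.append(("198.51.100.21", "Lunch on Friday?"))
    return log


def fingerprint(body):
    """Hash the body after masking digits and collapsing whitespace, so that
    messages built from one template with varying numbers hash the same."""
    text = re.sub(r"\d+", "#", body.lower())
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def flag_by_ip(log):
    """Per-sender reputation: flag any IP whose volume exceeds PER_IP_LIMIT."""
    volume = Counter(ip for ip, _ in log)
    return {ip for ip, count in volume.items() if count > PER_IP_LIMIT}


def flag_by_campaign(log):
    """Campaign view: flag any body fingerprint sent from many distinct IPs.
    Returns {fingerprint: number_of_distinct_sources}."""
    sources = defaultdict(set)
    for ip, body in log:
        sources[fingerprint(body)].add(ip)
    return {
        fp: len(ips) for fp, ips in sources.items() if len(ips) >= MIN_DISTINCT_SOURCES
    }


if __name__ == "__main__":
    sample = build_sample_log()
    print("flagged by per-IP volume:", sorted(flag_by_ip(sample)))
    for fp, n in flag_by_campaign(sample).items():
        print("campaign %s seen from %d distinct IPs" % (fp, n))
```

In the sample, each zombie sends only two messages, so the per-IP counter flags the single bulk sender and none of the 300 bots, while grouping by body fingerprint surfaces the campaign as one item.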

Black Hats, White Hats, Crackers and Bots

One of the other web sites I subscribe to is Stratfor.  It's a global intelligence website and doesn't really have much to do with spam.  But I like politics so I read it.  They have some articles which you can get for free, but the better stuff you have to pay for.

About two weeks ago, they ran a three-part series on Cyberwarfare.  The first article was the title of this post, which you can access here (requires registration... not sure if it's free).  In the article they described different types of cybercriminals and not-so-criminals which they referred to under the umbrella as "hackers."  I'm not going to reprint the entire article here but will quote some parts.

A hacker can be many things. For our purposes here, it is someone with sufficient understanding, skill and experience in the nuances and inner workings of computer systems and networks to be able to wield meaningful power and influence events in cyberspace — even if only in concert with others. Such a person must then actively choose to exercise that capability and act boldly on that stage (hacking is almost universally illegal).

This is a simplified definition but it works.

Black Hats

The most threatening hackers are known as black hats, or “dark side” hackers. These are hackers whose primary activities and intentions are malicious and often criminal. Black hats attempt to locate, identify and exploit security gaps or flaws within operating systems, computers and networks in order to gain control of them, steal information, destroy data or orchestrate other illicit activities.

White Hats

The antithesis of the black hat is the white-hat hacker, also known as an “ethical” or a “sneaker.” White hats are ethically opposed to the abuse or misuse of computer systems. Like their black-hat counterparts, white hats actively search for flaws within computer systems and networks. These efforts often occur with systems in which a white hat has a vested interest or of which they have substantial knowledge. They distinguish themselves by either repairing or patching these vulnerabilities or alerting the administrator of the system or the designer of the software. Basically, white hats attempt to maintain security within the Internet and its connected systems.

Other Hats

Other hackers “wear” colored or hybrid hats. Grey hats, for example, are a blend of the black hat and the white hat. Drawing on experience from both sides can make for a very robust skill set. Computer security professionals are often known as blue hats. Their activities are not unlike those of white hats but are more focused on the interests of paying customers. Hackers wear an assortment of other colored hats, and not all warrant definition here.

Using these basic definitions, let's attempt to classify the people in the spam industry.

  • Spam fighters (who get paid for it, like me) are blue hats. 
  • Spam fighters, who don't get paid for it (like some of the guys/girls in Spam Kings) are white hats or grey hats.
  • Phishers are black hats.
  • Spammers are tough to classify since they don't technically try to break into computer systems.  Maybe grey hats?

While these labels don't completely apply, in my next post we'll look at a few more definitions.

Does nobody buy stuff in spring?

I'm not familiar with retail trends (which is made obvious by the fact that whenever I buy stocks in the retail sector I lose money) but I have observed an interesting spam phenomenon that has held true in each of 2006, 2007 and 2008.  The peak spam season tends to hit in December and then the new year sees a drop off in spam.  In fact, April tends to be the lowest month in total for spam.

This year, I am observing a 1/4 decline in the total amount of spam from the peak in February.  In 2006, it was about the same, and in 2007 we saw around 20% (but the peak occurred in December 2006).  While it is certainly possible to attribute this to chance, I am going out on a limb and saying that this is a trend.

So why do we see less spam at the start of the year as opposed to the end of the year?  Here are some theories:

  • Law enforcement officials are more aggressive on spammers at the start of the year, knocking out major spammers and/or botnets.

  • Software vendors (ie, Microsoft) have all their employees back from Christmas vacation at the start of the year and put out security patches.  During the summer, more people are on vacation so development cycles take longer, therefore spammers can react quicker when they find security flaws.

  • Spammers go on vacation during the start of the year.  Everyone needs a vacation, spammers are no different.

  • Consumers are tapped out at the start of the year.  January and February are slow in the retail sector after the Christmas rush, and spammers have figured this out.  Ergo, not much point to spamming.

Those are the ones I can think of off the top of my head.  Is there anything else?

Speaking of back doors...

A couple of weeks ago, I posted three posts about security and back doors.  My point was that in computer systems, secret back doors are useful to certain people but inherently weaken the overall security of the system.

Well, just yesterday, I drove down to the bank to deposit a check.  I got to the parking lot and pulled the check out of my jacket and signed it.  I got out of my car, locked the door (by pressing the button on the side of the door) and went and deposited it.  When I got back, I couldn't find my keys.  Sure enough, I had placed them on the seat next to me when I took them out of the ignition.  I do that sometimes; normally, I take my keys with me immediately when I get out of the car but if I don't do it right away, that breaks my routine and bad things can happen.

At that point, I really wished I had a back door to get into my car.  But alas, I did not.  Now, I know that I could have a secret key (literally) planted on my car somewhere in a magnetic box and that most people wouldn't even think to look there.  That's security by obscurity.  I could also have a secret remote unlocker planted on my car.  That way I could unlock the car but it still wouldn't start because my car has an electronic immobilizer so that it won't start without the key.  That would solve the problem of somebody getting a hold of the remote unlock but they wouldn't be able to take the vehicle.

So how does this relate to computer systems?  Well, maybe a secret key that unlocks everything is a bad idea, but what about a key that unlocks access to authorized personnel?  Now before you get all snarky and say "We already have those, they're called passwords" what happens if you forget the password (analogous to me locking myself out)?

I'm not a security expert but I'm sure that functionality like what I describe probably exists one way or another.  I guess they have the things like "answer these questions and you can reset your password."  That's security by obscurity as well.  Not great, but better than staying locked out of your account.

Microsoft takes down a botnet

There's an article on InfoWorld where Microsoft takes credit for taking down the Storm botnet.  To briefly summarize the article, Microsoft's Malicious Software Removal Tool is designed to get rid of malware and spyware.  This tool is distributed for free every month as part of Windows Update.

The tool specifically targeted the Storm malware and eventually the people behind the bots realized it was a losing battle.  While Microsoft did take credit for eliminating the worm, they (we) were also realistic: "What we did was to drive them [the Storm bot herders] elsewhere.  They're probably out there still making money with some other botnet."

I wasn't involved in any of this, but I think it's actually a pretty momentous feat.  The antimalware research team typically focuses on spyware and malware, while the Hotmail team (and us) deal with the problem of botnets.  We're two separate entities.  Getting the two to work together is a challenge because it requires collaboration across multiple teams, co-ordination, data sharing, etc.  It doesn't sound like a big deal but it really is because Microsoft is a complex operation.  We're always working on the next release.

It's basically a time management problem.  There are initial planning meetings, requirements documents, testing, staging, operations considerations, and so forth.  People don't just decide to write a fix and push it out as soon as possible; that model doesn't work because when Microsoft writes code, it needs to be done in such a way that it is maintainable for 10 years into the future.  Thus, there are complex processes required in order to get a good product out there.

So, the ability for a number of teams to come together and target a specific botnet is an impressive accomplishment.  I have to give a hat tip to the Microsoft Antimalware team on this one.

I'm Gonna Git You Spamma!

A friend of mine sent me this link to a spoof of a 70's type B-movie starring a spammer, or rather, how to get a spammer.  I thought it was clever.

Spoofing inside a walled garden

Microsoft chairman Bill Gates has described Facebook as a walled garden, that is to say, inside is very nice but only certain people can get in.  Facebook is based on trust: only friends can view your profile and not just any old person can talk to you.  They first have to acquire your trust.  This is actually a lot like challenge/response email filtering (which many in the antispam community have great disdain for... you guys know who you are).  This contrasts with MySpace where anyone can add you to their friends list.  This is similar to email with no spam filtering.

This Facebook security model works only so far as users implement it.  By that, I mean that so long as you are screening the people who try to add you as friends, you should be immune from people sending you random messages or cluttering up your inbox since only people you trust are allowed to talk to you.  However, if you start adding people who you don't know to your friends list, you risk opening up your walled garden to people you wouldn't normally communicate with.

And this brings me to my recent Facebook experience.  I have had one person get in contact with me who knows me through this blog and when they requested to add me, they said that they know me from the blog.  I granted this request.  However, in the past few weeks, I have had two people (girls in their twenties, from the looks of their profiles) request to add me as friends even though I don't know who they are.

So I'm in a bit of a dilemma.  Now, I know I'm pretty awesome and everyone wants to be my friend, but do I open up the risk of allowing these people into my walled garden?  Perhaps they know me from my blog... but perhaps (probably) it is a mistake of mistaken identity.  What do I do?  I could add the person to my profile and check out theirs to see if I know them, and if not, remove them.  The weakness of this is that I'm kind of lazy and might just forget about actually taking the time to do this.  On the other hand, I could simply refuse the request.  Maybe I've been in security for too long but I'm kind of paranoid about these kinds of things (particularly since I know people who will troll my Friends list in order to pull pranks on me... I banned those people from my profile).

So really, my point is this: if you're going to add someone to your Facebook Friends list, if you're not sure your potential friend knows who you are, at least send them a message explaining who you are to jog their memory.

A comparison of antispam vendors

InfoWorld recently released a report where they compared the effectiveness of various spam filters.  It's mostly about on-premise anti-spam appliances.  They do touch on hosted solutions but don't go into much detail.  At the end, they do a filter-by-filter comparison.  You can view the results of their study by looking at the pretty image here.

The table contains a very nice looking comparison.  It has total valid mail, spam percentage (catch rate), false positive rates, and the like.  It is twelve categories in all.  But at the very end, we still are having trouble answering the question of which one performed the best.   We can see that Ironport and Barracuda have the lowest catch rates, but Ironport has a pretty good FP rate.  There's a lot of numbers, how can we summarize them?

To do this, let's go back and look at my Relative Performance Index.  Recall that this is a metric I created that combines the catch rate and false positive rates and normalizes the results.  Also recall our definition of spam in the inbox (SITI), a measurement that combines the amount of spam and non-spam that the end-user sees in their mailbox.  The results are below:

        Barracuda  Borderware  Ironport  Mirapoint  Proofpoint
RPI     5          1           91        7          7
SITI    7%         10%         12%       8%         7%

        IronMail   Sendio      Symantec  Tumbleweed
RPI     5          3           51        22
SITI    4%         0%          10%       17%

From this table, we can clearly see that IronPort has the best RPI (higher is better).  In fact, they totally crush their competition using this metric due to their low FP rates.  So, while the catch rate of Borderware was higher, the FP rate boosts the Relative Performance of Ironport.

The numbers change a bit when we look at Spam in the Inbox.  Here, Ironport's lower catch rate negatively affects the user experience in spam, but better FP evasion improves it. 

It would be better still if we further combined RPI and SITI (or SITI, catch rate and false positive rate).  I will leave that for another post.

Websense reports on breaking Hotmail's CAPTCHA

I've blogged about broken CAPTCHA's in the past, but I thought I'd touch on it again.  Websense is reporting on their discovery that a new botnet is breaking Hotmail's CAPTCHA in order to send out spam.  It really is a nice report and demonstrates the sophistication of this particular strain.  Some highlights from the report:

  1. The bot hooks itself into Internet Explorer on the victim's machine.

  2. The bot consistently tries-breaks, tries-breaks, tries-breaks, etc.

  3. The CAPTCHA images are collected as hidden files from the victim's machine during different sign-up attempts.

  4. Once broken for a variety of accounts, the bot carries out the mass mailing through a variety of accounts.

From the report:

Stage 1: One in every 8 to 10 attempts to signup a hotmail account are successful. Hence success rate approximately ranges between 10 to 15%.


Stage 2: Spam campaigns from one Hotmail account is sent to multiple accounts in CC and BCC lists at a time. The same Hotmail account (or “from account/ address”) is not repeatedly used for sending spam campaigns continuously. They are changed in timely fashion by the bot. The same is the case with targeted accounts (or “to account(s)/ addresses) for spamming.

The total response time for CAPTCHA breaking averages about 6 seconds.

Even though spammers are my mortal enemy (along with milkshakes, which have a habit of making my stomach sick), this method of spamming is one of the more elegant solutions.  It's not just Hotmail that need worry, all of the other players like Yahoo and Gmail are potential targets.

Comcast's defense

I just posted on e360 losing its case against Comcast, so I thought I would look a bit into Comcast's defense, available at this link here.

e360 had a long list of allegations against Comcast.  Many of them were answered by Comcast saying "Comcast is without knowledge or information sufficient to form a belief as to the remaining allegations of this paragraph 20, and therefore denies these allegations."  Let's look at the ones Comcast specifically denied:


24. Comcast has transmitted fraudulent bounce information to e360’s mail servers specific to email addresses contained on e360’s opt-in marketing list. The responses sent by Comcast mail servers to e360 are fraudulent because they contain information indicating that the email address is invalid and not active. <snip>

ANSWER: Comcast denies the allegations of paragraph 24.


The complaint basically alleges this: Comcast is sending NDR notifications back to e360 indicating that the user does not exist.  However, the user really does exist and the only reason that they are bouncing them back is because they don't want e360 to transmit any more mail to Comcast users.  Thus, they are fraudulently representing the status of the accounts that e360 is trying to send to, and therefore infringing on e360's ability to do business.

This is certainly an interesting angle.  It's also a lot of work in real life.  The fact is that default behavior of mail servers is to attempt to deliver the mail and if the mailbox doesn't exist, bounce it back to the originating sender saying "Mailbox doesn't exist."  In other words, it is doubtful that Comcast is singling out e360, it is simply their mail servers working by design.

At least they bounce back these notifications.  They could do a catch-all and simply accept without acknowledgement all mail and then subsequently delete them.


40. Comcast intentionally and knowingly engaged in denial of service attacks upon e360’s system by slowing process times of its emails by hours. Such delay slowed and all but stopped e360’s systems from being able to function.

ANSWER: Comcast denies the allegations of paragraph 40.


Near as I can tell, e360 is alleging that Comcast is bouncing back email notifications and slowing e360's servers down, and thus is engaging in a denial-of-service attack on them.  This is wrong: e360 is the one sending email to non-existent email addresses at Comcast, and Comcast is responding with NDR notifications (i.e., bounce notifications that the mailbox does not exist).

While it may be true that the volume of mail is slowing down e360's servers, e360 is the one who is originating the mail, not Comcast.  In other words, even if this were an actual DoS attack (which it isn't), e360 is doing it to itself.


51. Comcast’s arbitrary and capricious use of its network to systematically deny e360 the ability to send commercial emails to its customers and consumers who have asked to or agreed to receive such emails is a violation of e360’s First Amendment rights.

ANSWER: Comcast denies the allegations of paragraph 51.


e360 is alleging that Comcast's filtering of their emails denies e360's First Amendment rights.  This is ridiculous.  Comcast is a private institution, and the First Amendment specifically prohibits the government from infringing on the rights of citizens to freedom of speech and freedom of expression.  As a private entity, Comcast is allowed to filter its mail as it sees fit.

E360 gets its case tossed out

I'm always the last spam blogger to comment on these legal cases.  I'll continue in that tradition by throwing in my two cents. 

SpamSuite has a copy of the ruling which is only seven pages long.  Some highlights from the document:

  • Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer. 

    Now there's an understatement.  I wondered what e360 was doing going after a big player like Comcast.  Comcast has deep pockets and composed a very long rebuttal against e360.  Apparently the court agrees with their characterization.

  • It is clear that Congress understood that it would not be enough to pass a law against mass electronic mailings. It knew that servicers like Comcast would create software to identify, filter, and block e-mail messages that were unwanted.

    Congress thinking ahead?  Since when does that happen?

  • It knew, too, that the details of such software could not be publicly disclosed, so as to prevent them from being easily evaded.

    I have seen it speculated that e360 had no hope of winning this lawsuit and that the only reason they launched it was to figure out Comcast's spam filter.  In other words, they filed the suit in order to make it easier to spam.  Congress foresaw this and passed provisions granting antispam providers immunity if they acted in good faith:
  • No provider or user of an interactive computer service shall be held liable on account of –

    (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be . . . objectionable, whether or not such material is constitutionally protected; or

    (B) any action taken to enable . . . the technical means to restrict access.

    This grants antispam vendors the means to block mail that they feel is illegitimate and grants no recourse to senders, even if they are in compliance with the CAN-SPAM Act.

  • But compliance with CAN-SPAM, Congress decreed, does not evict the right of the provider to make its own good faith judgment to block mailings.

    Exactly.  The CAN-SPAM Act says what mass senders have to do when they send bulk mail.  It doesn't mean that recipients are then obligated to receive it.  It would be like requiring banks to disclose all the terms and conditions (which they already do) but then requiring the loan applicant to accept the loan once it is offered.

Comcast now has a countersuit on the table against e360.  This case could end up sinking those guys if Comcast decides to follow it all the way through.
