Why does this group have so much spam?

[Steven D'Aprano]

On Wed, 02 Sep 2009 21:53:15 +0200, David wrote:

>> As for the argument that home users who send spam are the victim,
>> that's true up to a point, but not very far. Here's an analogy: suppose
>> that terrorists sneak into your house after picking the lock -- or in
>> the case of Windows users with no firewall or anti-malware, stroll
>> through the unlocked front door -- and spend the next six months camped
>> in your spare bedroom, using your home for their base of operations
>> while they make terrorist attacks. When the FBI kicks your doors down,
>> don't you think you would be arrested and would have to prove that you
>> couldn't be reasonably expected to know they were there? If millions of
>> spam emails are coming out of your PC, that's prima facie evidence that
>> YOU are spamming. You would need to prove that you're an innocent
>> victim who couldn't *reasonably* be expected to know that your machine
>> was hijacked -- you would need to prove that the spam bot was so
>> sophisticated that it infected your PC despite the firewall, that you
>> didn't install it yourself in order to get some stupid game, that no
>> commonly available anti-malware program detects it. Anything less than
>> that is *at least* negligence, and possibly willful negligence.
> 
> Mmh, sounds like a presumption of guilt. I wouldn't go so far on this
> way. The metaphor of terrorists in the bedroom applies up to a point.
> While it's evident that you can not be unaware of people living in your
> home, modern malware is made to be silent to the infected computer, so
> it's a hidden menace and not so evident.

Presumption of innocence doesn't apply when it comes to breaking of terms 
of service. If an ISP wants to treat customers as guilty unless proven 
innocent, the market will decide whether that's acceptable behaviour.

As for criminal charges against people sending spam, it's not presumption 
of guilt. The prosecutor still needs to prove you were sending spam. But 
if spam is coming from your machine, that's prima facie ("in the face of 
it") evidence that you are sending spam, or at least, that you were aware 
of it and did nothing to stop it. In the same way that if you are found 
standing over a corpse who has been stabbed to death, the murder weapon 
in your hand, blood to your elbows, that's prima facie evidence that you 
stabbed the victim. You still have the opportunity to refute the 
evidence, say by arguing that the blood is on your arms (but not 
splattered all over your face and clothes) because you tried to save the 
victim's life, and you had just picked up the knife.

The burden of reasonable efforts to avoid sending spam isn't high. Are 
you using a platform which is resistant to malware (Mac or Linux, say)? 
If you are using a platform prone to malware, do you have at least one 
each of "industry practice" anti-virus and anti-spyware programs? Do you 
run them regularly? Are they regularly updated? Do you have a firewall 
enabled, blocking the usual ports? Are you blocking outgoing port 25? Do 
you avoid installing random software and games (including Flash-based 
games) from untrusted web sites? If your computer starts playing up, with 
unexpected slow-downs, popups, crashes and so forth, do you take steps to 
have it serviced?

If you answer No to more than one of the above, then you should be taking 
extra efforts to ensure you're not sending spam, and failure to do so is 
negligent. If you can answer Yes to all of the above, and nevertheless 
have been infected, then you have done pretty much everything the random 
non-expert computer user should be reasonably expected to do.



> You are depicting a situation where the owner is perfectly aware of
> whats happening on his machine, but this is not always the case. I agree
> that ignorance is not an excuse but I wouldn't use the harsh manners at
> first.

"At first"???

Viruses and malware have existed on computers for thirty years, if not 
longer! Spam has been a huge problem for a decade or more. How many more 
warnings do people need before they will do something about the spambots 
on their computers?

We don't let people play load music at 3am disturbing the neighbours. 
Regardless of whether they were aware of what they were doing or not, we 
make them turn their stereo down, and if they don't, they can be charged 
with disturbing the peace. Why should sending out millions of spams be 
treated more lightly? At the moment, the only incentive people have to 
remove spambots from their computer is if it causes performance problems 
or extra ISP charges. It's time to hold computer users responsible for 
what their computer does.



-- 
Steven