Slashdot Mirror
Do-Not-Email Registries?
prgrmr writes "Wired has an article about Colorodo and Missouri's latest legislative proposals to deal with spam and with spammers. There appears to be actual consumer-protective teeth in these bills which mirror the telephone 'do not call' lists. A nice example of a government perpetuating a working concept instead of trying inventing new ways to break things."
To get an update on this registry, just send a blank email to opt-in@colorado.gov.
Next, try and get all spammers to admit that what they are sending is "unsolicited". That's not going to happen any time soon.
-- 'The' Lord and Master Bitman On High, Master Of All
Whatever happens, you'll still get the email equivalent of the following:
*phone rings*
"Excuse me, sir, are you interested in..."
"I thought I was on a fucking do-not-call list!"
"Sorry sir, you are, it was an accident. Sorry sir."
Direct marketing is here to piss the hell out of us for a long time yet.
-Mark
It seems like this would only protect us from spam by legitamate countries in America. I can just imagine trying to sue the fly-by-night spams I recieve, many of which I don't think are from this country.
I don't know how much this list will help.
Will there be an opt-in list for those of us who still want to enlarge our penises and make money fast?
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
Fight Spammers!
In Washington State, spam is illegal and the attorney general encourages people to file complaints. These are often done by filling out a simple form.
To help argue against spammers saying "we didn't know this address originated from Washington State", there is online registration for users who reside in the state and do not want to receive spam. You can find it over here:
http://registry.waisp.org/
-trout
Accountability. The telephone companies have a limited number of telephone accounts, and they have a rough idea of who owns each one, where calls are coming from, etc, etc. And, most importantly, it's very easy for them to track down offenders and terminate connections. Spammers, though, don't face exactly that same problem. Jumping to a new vulnerable server is MUCH easier than getting a new telephone line. I wouldn't be surprised to see illegal spammers using these lists as a source for their spamming.
Hi. I an email market-person from Laos. Where I get list so...ummm...I know who... er...not ... to send e-mail?
I'm on a state no-call list, and it's practically worthless. No all my sales calls have callerID numbers like 999-999-9999. Obviously if my phone privacy can't be protected, this email no-call list will be equally useless. Not to mention that... I can already see that the no-call list would be the most extensive (and valuable) list ever compiled. Who would secure it and how?
I don't think this will work. Do not call lists (for telephone spam) work fairly well because it's rather easy for the government and/or utilities to investigate who is violating a DNC list. This is made even easier by the fact that phone/fax spam from abroad is almost non-existent in the USA.
With email, it is far more difficult to stop. First, the jurisdictional issues. Second, it is trivial for an email spammer to hide his identity -- there are plenty of open relays to bounce through.
I already receive spam for "500,000 opt-in email addresses on CD!" -- when do-not-email lists are in place, I'm sure I will be getting adverts for "500,000 do-not-email addresses on CD!". And nobody will be able to stop them.
Nevertheless, Congress has failed to pass any of the 19 national antispam bills introduced since 1999, thanks in part to lobbying efforts of the business community.
No antispam bill has passed because the DMA wanted to reserve the right for their members to spam you.
I don't get it.
They (CAUCE) complain that it shifts the burden onto the consumer to be a member of the opt-out list (which is free, and easy to get into). The complain that we are treating the symptoms and not the cause.
Bull. It costs the spammers money to even SEE the lists, and they face $500+ penalties if they don't check and mail first. Hence, this is a real financial deterrent (at least in those states). This artificially raises the transaction costs, which gets at the cause (that is, email is cheap and free).
Instead, CAUCE wants it to be like junk fax laws wherein no one can send you email without having established "a business relationship" with the recipient. I see too many ways of twisting this around in court that would prevent legitimate email from being sent to people when your first contact with them would be through that medium. It would scare people away from just sending email notes because they won't know how it'll be interpreted at the other end. I can envision paranoid use policies sprouting up in IT departments all over our fair land. Nooo!!!!
What is unclear is whether both the spammer and the spammee (sp ?) have to be in the same state (or in states with similar laws) for this to be effective. In that case, all the spammers will just base their operations in Florida where half the GDP comes from MLM and other scams.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
..this is it!
Can you imagine what will happen when the spammers get the list?
No?
So what good is it?
Is this truly the only Earth I can live on?
Jay Nixon is the attorney general of Missouri where I reside.
He has been very active in ensuring his office in on the net and useful.
He has made great strides in the nocall area. His legislation is used as a template by most states.
Here is an older story with much more info on the legislation and what it brings to the table.
Good to see state government making a national impact.
Second, if you don't verify the information carefully, at minimum with double-opt-in and some kind of Turing test (e.g."type the number from the gif into this box"), there'll be all sorts of abuse, signing up people who don't want to be there, automated h4X0r b0ts trying to kill everybody in the state, random crap like that. Do you trust your average state government to implement something like that right? (If you answered "yes", and live in California or New Jersey, you obviously don't bother reading headlines about state government computer project debacles, and if you live somewhere else, your local government is just as stupid by I haven't been paying attention to them :-)
Third, there are ways to provide some privacy protection while still maintaining a blocking list. For instance, instead of keeping a database of addresses that pass the double-opt-in test, publish a list of harder-to-abuse hashes of the addresses:
Fourth, this doesn't always mix well with newer tagged-format addresses ("username+tag1@example.com") or domain or subdomain addresses ("anything@mydomain-example.com" or "anything@username.fastmail.fm") unless the rules are tediously explicit and accurate for how to use them. These kinds of addresses let you give every recipient a unique address, which your email programs can filter on to discard stuff that's obviously abuse and sort stuff that's from real people.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
One of the proposed laws gives the consumer $10 for successfully sueing a spammer. Gimme a break, who's got the time to go to court for $10? Another of the proposed laws awarded the spamee $5000 (or was it $2000?) if they had registered on the no-spam list but gets spammed anyway. That would certainly be more of a deterrant, but it doesn't address the problem of finding the spammer to begin with. While it's good to see someone trying to do something about the problem, this ain't it.
The spammers will just hide thier tracks using servers outside the US in safe havens for shady activities.
Practically speaking I'd like to see international law recognize that those profiting from spam (the people who are actually taking the money for the products) are responsable for the spam even if the spam cannot be traced directly back to them. Fines with teeth would be needed for enforcement.
Go here to create your own Slashdot dis
First off, let's assume that DNC lists work for phone and paper direct marketing. (We all know that they don't, but let's pretend.)
DNE lists *can't* work, for several reasons:
* There's not a one-to-one correlation between people and email addresses. Many (most?) people have several addresses: Even AOL members get up to eight. So do those people have to "unsubscribe" eight times? What about those of us who invent new email addresses for different uses? It's not unusual for someone to have dozens or even hundreds of addresses.
* Let's not forget role addresses: root, webmaster, postmaster, etc. Someone would have to put those on the DNE list.
* What about the poor schmuck who gets "fallback", i.e. [anything]@domain.com? That's the default in many systems.
* Some email addresses have several people connected to them -- for example, mailing lists. Who unsubscribes those?
* Some email addresses have *no* people connected to them -- for example, those controlling processes. Would anyone even know to add them to the DNE?
Some proposals have included a provision that allows one to add entire domains to a DNE list. These are somewhat better, but they have several problems with them. For one, it would trump the individual preferences of those using the domain.
But ultimately, the main problem is that *the burden shouldn't be on the recipient*. Unlike phone (a common carrier) or postal mailboxes (government property), email boxes are private property, requiring private funds. Access without permission is trespass.
BTW, see law.spamcon.org for a list of states with current antispam laws. I live in one with an opt-in law: California Business and Professions Code 17538.45.
--Tom Geller
Founder, SpamCon Foundation
Tom Geller
The article says that the law will allow "consumers to sue marketers who ignore their wishes [not to be spammed]" I'm curious over how the law would treat individual spammers. Would it allow people to sue Hot_Cindy9876@yahoo.com? or would it be the supplier of the product that Cindy was advertising that is held responsible. This might be especially difficult if the product (or website) is foreign, eg CrazyAsianPron.tw
It also seems a bit negative for anti-spam groups to criticise the laws before they are enacted.
I would have thought they would be all for this kind of thing, even if it doesn't work, at least it is a start and shows that some States are trying to do the right thing.
Just because they haven't done it perfectly first time is no reason to complain. Wait and see what happens, it might work out ok, and if it doesn't then start pushing for it to be reworked.
Great, we'll stop the spammers by building a huge central repository of working email addresses, and then give access to the lists to spammers worldwide. How could THAT backfire?
scott
As the article points out, there are a lot of issues that need to be addressed. Not all spamers are in the US. A large amount of spam is forged. And the Colorado law sounds like it will draw in fakes that are just out for money, and thus, waist the courts time. And whats in place to protect those lists? What if they get hacked? Now we have illegal spam from forged addresses comming from outside our jurisdiction causing conjestion in our courts from gready people out to make a buck.
I think they need a new plan... Untill someone gets an international plan set, it will be difficult to crack down on any spam. I'll stick to my filters, thanks.
More government?
www.brainclone.com
has a cheese idea... but you need to sign a damn NDA to see deatils.
Why?
Bad execution. This is a great idea in theory, but you look at reality and it falls through. Look at where the Do- Not- Call lists are now: In court. Besides, how many spammers are really worried about the legality of their spam, so long as it GETS to you. Many of them have virtual immunity, as they may send the command to mail from their base here in the US, but the actual e-mail is sent from servers outside the United States.
When it comes down to it, there's only one way to defeat spammers: Not buying into their advertising. Unfortunately, far too many people don't understand what a bad idea it is to actually pay attention to Spam.
What does this mean? We, my friends, need to find an alternative method to fight Spam. My guess? We do it by being just as annoying to the spammers as they are to us. There are any number of ways to do this, but what it comes down to is, use good spam intercepting software, and junk mail accounts. MS can afford the space, why not make them use it?
"In the losing battle against spam..."
I did not think that we were losing anything. There have been software add-ons/pluggins that limit what spam we see. Legislators have taken an active role to limit/penalize spammers. ISPs have taken spam seriously as it costs them both directly and indirectly. I dont see spam as being as much of a problem in the next 2 or 3 years.
We can conquer spam quicker by emailing our representatives our feelings toward spam.
later,
epicstruggle
"Im drowning here, and you're describing the water!"
'nuff said.
Sounds like a great idea...but....
with a forged packet headers, open relays, and a global internet not subject to any one state or country's laws..is this in any way enforceable?
The do-not-call lists work well because overseas calls are prohibitvely expensive for telemarketers. Not so for spammers. This will require some over seas assistance. But perhaps the fees will outweigh the payoffs, and it will all work out in the end? I can only hope. It should cut down on domestic spam however. Now to get it implemeted in my state (Oregon).
See the site in my sig. Uses MD5 to distribute addresses so the spammers can remove addresses that match, while not exposing the others for harvesting. Of course, it can be brute-forced, but the chances of getting a match that way are so slim that I doubt any spammer would make an effort to do so when there are easier ways to harvest addresses. Then there is the issue of the spammer getting a match and moving it to a "better" list because they would know it was a live address. All risks, of course, but what doesn't have risk on the Internet?
Labeling is serving as a proxy for content. I for one am objecting to ads not because of any specific product that they're trying to sell me, but because they bear advertising content of any kind. There is a common message to buy goods or services, and that's your content. You may be thinking of the slightly different matter of viewpoint discrimination.
Since the intended effect of the labeling is to get rid of spam altogether by means of everyone filtering the spam, the true intent of labeling provisions is to silence both a wide class of speakers (commercial speakers) and content (commercial messages), such that they will no longer even be sent.
And of course, the means are so crudely tailored to the intent that I think there's even a question per a rational basis analysis, much less the no-brainer against regulation under a strict scrutiny test.
The registry is pretty similar... it might be equated to a 'no tresspassing' sign on one's door (which is allowed), but OTOH mailboxes are IIRC held to be inherently somewhat open to the public regardless of the recipient's wishes, because it's so trivial a matter to get rid of mail that is unwanted, and the burdens to speech would be so high.
As for the unsolicited nature of the communication, I would regard it as being insufficient to hang one's hat on. All discussions HAVE to begin with an unsolicited comment.
Throughout the latter half of the 20th century, commerical free speech has grown to be nearly the equal of private free speech. Labeling requirements, truth requirements, and TPM restrictions are about all that's left of note. False headers, content, or addresses might be something you could try to ban, but again it's almost entirely unenforcible.
Private filters are the way to go -- it may be a little bit more burdensome, but it's better than the relatively short trip junk mail takes from mailbox to trash can.
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
With a Do Not Call list, one single entry covers all my phone extensions. Since the teleslimers will be comparing only the basic phone number, and not the number with its extension, against the list, by simply having my number without any extension in the list, a proper lookup will match and they can skip that number. None of my extensions will be called.
The issue is how to do this for email addresses. Many mail servers allow for "extensions" by having a certain special character such as "-" or "+" or "." followed by an "extension". By simply having the email account of the part before the separator, you automatically have every possible extension. Some people call this tagged email. And example would be jsmith-foobar@example.net where only jsmith@example.net would be in the list.
Many people even have their own vanity domain names, and regardless of what username is used before the @-sign character, they get the mail like the whole username were the extension.
For a registry to work, for at least those who are required to use it, it must meet at least these two requirements:
I looked at the registry run by the Washington Association of Internet Service Providers and found that the verification process only works one at a time. This makes their registry virtually useless. Of course, distributing the addresses in the raw will be worse, as it will get in the hands of spammers out of the country, and everyone will just get more spam because now spammers will have a list of address that are even more likely to have someone reading. And some will be mass mailing to such a list just to destroy the effectiveness of registering.
One option is to distribute an SHA1 checksum of each address. Then all that needs to be done on the mailer's end is to test each address by generating the checksum and looking that up in the database.
But even that has a risk, and I'm wondering if even that should be allowed. That risk is that spammers will run all their millions of email addresses through the process, and produce a subset of those who are registered, and then from out of the country ... they will spam the hell out of just those.
In the end I think the only real solution is for a law that establishes two distinct networks (same address assignment base, but disjoint routing), one where spamming is allowed, and one where it is entirely prohibited under threat of jail time (for the executives in the case of corporations, LLCs, etc). Each ISP can then choose to service one or the other or set up dual but separate facilities to serve both. Wanna bet which network most will choose?
now we need to go OSS in diesel cars
I understand the problem with SPAM, but why a legal solution to a technical problem?
Because it's not a technical problem- it's a social problem that happens to involve technology. I suppose the phone company should come up with technical method to stop telemarketers as well, but the failure of technical solutions in solving the telemarketer problem was what prompted the creation of the do-not-call list. Technical solutions to spam have so far been a failure as well. The most you can hope for is a perpetual arms race.
It reminds me of the litgation induced from "deep linking," when in reality the web master simply needs to better configure his/her server.
That's a case of corporate idiots bursting onto the scene and applying political and legal pressure to destroy the protocols that made the web successful, because they want to shape it into something that favors their own myopic interests, and they think they can spend the money to get the courts to back them with a poorly reasoned decision. The fact that there's a technical solution to what they're whining about is convenient but irrelevant. Even if there weren't a technical solution to prevent deep linking, their case would be bankrupt.
Similarly there are technical solutions to this. If I'm on a "do-not-email" list, then why don't I configure my email client to only accept emails within my address book? Many email clients can do this filtering, even web based ones, so what's the problem? Effectively, this is what these people want and there's a solution so why the red tape?
Because we shouldn't have to resort to whitelists. I cannot compile a list of everyone in the world who isn't an asshole and who I might want to get email from. Maybe you never get mail except from six people, but some of us have to distribute our contact information.
If there's an email address I can respond to I'll go find an open relay host and forward through that email to them consisting of a nice letter saying that I was glad to get their mail and that they may have goofed a bit. Along with it I'll usually send a large (say 2000 by 2000) tiff (or xcf) file with a picture of a can of spam and a text message "Go Away" written on it. If they've really pissed me off I'll send a dozen or so.
More often they give no usable email, but do give http urls. Since they've solicited my response, I respond to these with a couple thousand curl url fetches. I make sure that there are reasonable delays in between so it is not a DOS attack - though if they really manage to get me pissed off I'll shorten the delay and up the count. In these I always encode my feelings (my favorite is "spam spam spam..." repeated ten thousand or so times) in the UA, in the referrer and in the url itself - more or less randomly mixed up on each fetch.
Does this do anything? Probably not, but if their webmaster is responsible they'll at least see the message and with a bit of luck it will also drive their bandwidth costs up. Yah, I know, they'll probably report this back to the spam purchaser as a "hit".
They did ask me to visit their web pages after all. So I do. I don't look at the response, but so what.
Rather, I think that banning or mandating labels on spam violates the First Amendment for a trivial reason and would fail to actually accomplish anything in any event
God DAMN IT, not that same old fucking canard about free speech AGAIN!
A spammer's right to speak does not confer a license to use MY property to do so. Spamming is a property-rights issue, not a free speech issue.
A spammer can say whatever the hell he wants at his OWN expense, not at MINE.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
So everytime I give out my email address to someone that I am willing to receive email from, I have to get their email address and enter it into my address book before I can receive their email. And if I have someone who I exchange email with and they change email addresses, we can no longer communicate via email.
Press 5 if you think that technology is improving the quality of your life.
I will do what I always do, change my email address when I start getting too much spam (through the filters.)
Open source development is my way of competing with the low-cost programmers in India...
This all leads back to a particular favourite of mine: Targetted advertising.
Advertisers in general do not care how many people see their advert, but rather how many potential clients see their advert. Sending 50000 spams is no good if no-one buys anything from them, while sending 100 which generate 20 sales is a huge return (at the moment only about 1 spam / month gets past spamassassin, so I don't see the majority of them). While it doesn't cost much to send an email, it does cost something. I would like there to be a central registry of items individuals are interested in, so I can register and gt targetted adverts. I have no interest in penis enlargement, breast enhancement, sanitary towels, buying a new car (at the moment) so anyone who advertises these things at me irritates me, and receives no return. Any company that wastes my time prejudices me against them if I ever do want to buy a product they offer. Right now, I'm thinking of buyng a new dual-head graphics card, so anyone advertising a low cost Radeon 8500 would be providing me with information I want, outcome: I don't have to hunt for prices as much, companies can spend less on advertising but generate more sales, I can watch an hour of TV without having 15 minutes of adverts. I'm happy, commercial enterprise is happy. People who send untargeted advertising are laughed at for being so crude. The solution to spam is not to block it, not to legislate against it, simply to show that it doesn't work. Let commercial Darwinism will take care of the problem
I am TheRaven on Soylent News
1. The per message fine has to be enough to make it worth pursuing. MO has the right idea: $5000 per message.
2. It has to allow for individual enforcement (i.e., small claims court). Law enforcement, frankly, should be frying bigger fish.
3. It should be a felony to promote anything with SPAM without permission of the entity being promoted.
4. In addition to the spammer, the fine should apply any entity being promoted by SPAM unless they are willing to file a criminal complaint against the spammer (for violating rule number 3). Note that filing a false criminal complaint is also very illegal; so, this would not be likely t be misused.
An engineer who ran for Congress. http://herbrobinson.us