FTC Chief Bashes Anti-Spam Bills
teutonic_leech writes "According to an MSNBC report FTC chairman Tim Muris has indicated that the antispam laws being considered by Congress 'just won't work and may even be counterproductive - some of the proposed laws could be harmful, or at best useless.' He further concluded that 'In the end, legislation cannot do much to solve the spam problem, because it can only make a limited contribution to the crucial problems of anonymity and cost shifting.'" Other spam bits: an anti-spam service has a funny interview with one of their users, and reader der.hans submits a story and some pretty pictures discussing the quantity of Sobig.f virus emails.
My boss, Bill, bashes spammers. No really, he does. We're one of the first ISPs to sue spammers. Check last month's (2 months ago? don't remember) Time magazine. Awwwh yeah.
spam is becoming a problem like pollution.... we can not get rid of it, so we will just have to live with it :(
http://www.xml-dev.com
Consensus is good, but informed dictatorship is better
Does this surprise anyone? Really? Coming from an administration that is loath to consider government's proper position in regulatory matters I am not surprised that he said this.
Quintus malus puer est.
- Anti-Spam bills being considered currently inadequate: 100% correct
- Anti-Spam legislation not a primary solution: 100% incorrect.
Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is. The "they will all go offshore" excuse is BS. Sure, some might, but many won't. And then, the country that harbors the offshore spammer is squeezed just as Korea was (do you see any Korean spam any more? well, yes, but nowhere like the torrents we all received a year ago). Spam is a social problem, not a technological one. Social problems can only be solved by social contracts or laws. Technological solutions fail. Even bayesian filters, those much heralded bleeding edge anti-spam flavor of the moment, are being beaten regularly--my SpamBayes filter catches still a good deal, but more and more slip through despite over 150,000 'training' emails as the spammers get smarter. And, bayesian filters (even at the ISP level) don't begin to address the crucial problem of bandwidth use.
Legislate Now. Not big brother, not slippery-slope BS about john ashcroft in your inbox - just reasonable, progressive legislation to eliminate the spam epidemic.
As long as there is profit to be made, there will be an enterprising capitalist there to take advantage. Especially in the case of spam, where there is no real barrier to entering. If you get a minuscule response, you can make a huge return on a limited investment.
It's akin to regulation of the traveling snake-oil salesman of the nineteenth century. That sort of charlatan is no longer allowed (by law), and the same could happen with strong (and strongly enforced) spam laws.
Stop corporate
A government figure who actually admits there's not a whole lot they can do. Nice to see a guy with a little common sense (on this issue, at least) giving voice to his opinions. Let's face it, he's right. Outlawing spam is -not- going to have any effect whatsoever. Look at underage drinking, pot use, etc. It's illegal, it still happens, and quite often. The 'spam bills' won't have any effect beyond making people think their senators are tech-minded.
perhaps the only way to solve spam is to go down the route of scrapping email as we know it and starting a new system from scratch that has solid anti-spam measures built in from the ground up. I believe such systems exist.
Arnie for Governor, Actors Speak Louder Than Words
I couldn't bear it!! I read about 6 lines. Who does that guy think he is? I've never heard of him but he seems to love himself!
Relative of Katz, perhaps?
Going to read an article about anti-spam legislation and being bombarded with pop-up ads
best quote from the Knowspam.net interview:
At first glance, it sounds like the FTC chief has his head up his ass. After reading the article, I realised the man just does not want to pass a lame ass law that makes it HARDER to prosecute spammers. He is looking for a simpler plan to make it EASIER to shut down mass-spammers. Sounds like he needs our help, not our hostility.
JP
The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
Is it just me, or is C/R spam filtering, really, intensely, annoying?
If I e-mail someone, and I get one of those "I think you're a spammer, prove you're not" messages back, then fuck it, you're not getting my e-mail. Challenge/response breaks the whole concept of e-mail.
I personally use SpamAssassin to drop mail scoring 5-10 into a crudbox, and 10+ just gets bounced.
I don't get much spam anymore.
Listen guys. You can't have laws saying "It's OK to be anonymous and post anything you want anywhere and threaten to do anything to anybody and download anything you want and it's all free and nobody can touch you; but spamming is bad. Then you go to jail." Trying to limit everybody else's actions while giving yourself complete freedom is known as "fascism".
Since they are taking the time to scan email for viruses, you would think they would take a second to check the validity of the "from" address. Or at least not send bounces to domains which have diff ips than the sender.
Now I get piles of bounces from people with viruses.
Great.
Hard to filter since I want to see bounces from my own mail.
How people spend so much time complaining about spam (unauthorized use of bandwidth) yet have no trouble at all making unauthorized use of someone else's data (file trading).
There shouldn't be much problem with a spam policy provided the proper definition of spam is included: bulk, unsolicited, commercial e-mail.
Defining spam as "any e-mail I don't want" is probably part of the problem with having a working anti-spam policy. It is also an incorrect definition of spam.
It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
I think spammers should be registered (like the mutants) and regulated... But this guy is nuts just by dismissing the problem saying that laws will not work. I expect from my leader solutions not just complaints...
Big deal, I can all of my CPU power if I really wanted, it's called using Windows.
Consider this article. Spam can be largely solved via technical means. If none of it gets through, then the incentive to spam in the first place is removed. Laws don't stop crime, they won't stop spam either.
Curb CO2 emissions: Kill yourself today!
File under 'M' for 'Manic ranting'
Put an end forever to these bogus claims by spammers that their free speech is being interfered with, that businesses have to pay to provide means to deliver their crap, and that to do otherwise is to interfere with their business and all of their other bogus claims.
The solution is to outlaw spam outright. Spammers will be caught the same way murderers and crackers are caught today. It does not require a fundamental loss of privacy or anonymity on the web. Spamming will be reduced to a tolerable level the same way speed limit laws reduce traffic deaths. Spamming and the "cost shifting" involved are simply wrong and it's right to make laws against things that are wrong regardless of how well they work.
Friends don't help friends install M$ junk.
Spam is a big problem, but I think we should be really careful about pushing our lawmakers to pass laws that are that specific to computers. Whenever someone suggests introducing a law that could possibly invade someone's privacy, we're up in arms about it and claim that such problems should be solved a different way - that the lawmakers should stay away from what they don't understand, and that we could solve them by technical means, or by interpreting more general, existing laws to apply to computers.
When we're pushing for anti-spam legislation, we're saying it's suddenly okay to pass laws that specific just because it suits us and we can't see any possible way to lose out. Is this a fair way of doing things? Are we really decided on how far we want laws to extend into computers, and where we draw the line?
Moreover, a law which is not enforced by itself is useful when the authorities catch them for something else which is hard to prove (in the case of spam, probably fraud, misuse of other people's computers) or have jurisdiction problems. And it helps civil litigation too (I don't know if the US have a civil criminal litigation procedure, but it helps either way).
http://www.gnu.org/philosophy/words-to-avoid.html
For those who don't: The United States once made alcoholic beverages illegal by amending the Constitution. The very day it went into effect, organized crime took up where legitimate distribution left off. All the enforcement the government could muster did little to impact the real problem of illegal distribution and profit-making. In the end, the amendment was repealed because the cost of enforcing the amendment far outweighed the benefits of having it.
Now, spam certainly isn't in the same category as this, but the same basic problem remains. It has more in common with illegal alcohol than annoying telemarketing. Most of the spam I get isn't legitimate, in the sense that it offers and honors my "opt-out" requests. Heck, most of the spam nowadays I get doesn't even use the English language. Legitimate spam is already either easy to identify and block or easy to opt out of.
Legislation would be fine and good, but it wouldn't begin to solve the problem. "Legitimate" spammers would either be squeezed out of a business (unlikely) or resort to additional sneakery to get their job done. In that sense, while legislation is a nice idea, enforcing it would be impractical if not impossible and therefore probably wouldn't be done at all.
There's no need for a human to get involved. Have a protocol whereby in order to the receiver's machine automatically issues a small, dynamically-generated math problem which requires the sender's computer a few seconds of computing time to solve. The email only gets "authorized" if a correct solution is received. This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails would be facing some pretty prohibitive computational costs.
The bold print giveth, and the fine print taketh away
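The computational challenge proposed in the comment above, sketched as an added example (not code from the thread or from any deployed mail system): the receiver issues an HMAC-tagged challenge, the sender searches for a counter whose SHA-256 hash has enough leading zero bits, and the receiver checks the answer with a single hash. The names, the 16-bit default difficulty and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def binding(sender: str, recipient: str) -> str:
    """Ties a challenge to one sender/recipient pair so it cannot be reused."""
    return hashlib.sha256(f"{sender}\0{recipient}".encode()).hexdigest()[:16]


def stamp_hash(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve(challenge: str, max_bits: int = 24) -> int:
    """Sender side: brute-force a counter; expected cost is 2**bits hashes."""
    bits = int(challenge.split(":", 1)[0])
    if bits > max_bits:  # do not let a hostile receiver burn our CPU
        raise ValueError("receiver asked for more work than this sender allows")
    counter = 0
    while leading_zero_bits(stamp_hash(challenge, counter)) < bits:
        counter += 1
    return counter


class Receiver:
    """Receiver side: issues challenges and verifies answers with one hash."""

    def __init__(self, bits: int = 16, ttl: int = 300, secret: bytes = b""):
        self.bits = bits                          # assumed work factor
        self.ttl = ttl                            # assumed challenge lifetime, seconds
        self.secret = secret or os.urandom(32)
        self.spent = set()                        # challenges already redeemed

    def _tag(self, body: str) -> str:
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, sender: str, recipient: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        body = f"{self.bits}:{now}:{os.urandom(8).hex()}:{binding(sender, recipient)}"
        return f"{body}:{self._tag(body)}"        # tag makes the challenge unforgeable

    def verify(self, challenge: str, counter: int, sender: str, recipient: str,
               now=None) -> str:
        now = int(time.time() if now is None else now)
        body, _, tag = challenge.rpartition(":")
        if not hmac.compare_digest(tag.encode(), self._tag(body).encode()):
            return "bad-challenge"                # not issued by us, or altered
        bits, issued, _nonce, bound = body.split(":")
        if now - int(issued) > self.ttl:
            return "expired"
        if bound != binding(sender, recipient):
            return "wrong-binding"                # solved for a different message
        if leading_zero_bits(stamp_hash(challenge, counter)) < int(bits):
            return "insufficient-work"
        if challenge in self.spent:
            return "replayed"                     # one solution authorizes one email
        self.spent.add(challenge)
        return "ok"


if __name__ == "__main__":
    rx = Receiver()
    ch = rx.issue("alice@example.org", "bob@example.net")
    start = time.perf_counter()
    answer = solve(ch)
    print(f"solved in {time.perf_counter() - start:.3f}s with counter {answer}")
    print(rx.verify(ch, answer, "alice@example.org", "bob@example.net"))
```

Each extra difficulty bit doubles the sender's expected work while verification stays at one hash, which is the asymmetry the proposal relies on.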
Nice in theory, but no go... as long as anonymity is allowed to exist in email, spam will exist. No two ways about it.
File under 'M' for 'Manic ranting'
"It may be impossible to prosecute enough spammers to have a serious deterrent effect, let alone stop, or even slow down, the problem." - FTC chairman and republican corporate lapdog Timothy Muris
"You tried your best, and you failed miserably. The lesson is, never try!" - Homer Simpson
We have the best government that money can buy.
Anonymity is something that I think is one of the things that makes the internet so valuable as a tool to help people fight oppressive governments and corporations. When it is impossible for a spammer to cover his tracks, it will also be equally impossible for a political or corporate dissident to do so as well.
The implication here is that spam can be solved by a technical solution, i.e., one that makes forging identity very very difficult. IPv6 or something like that, perhaps, with additional anti-terrorism/anti-spam identity measures, forcibly implemented (Carnivore anyone?) on ISPs and backbone providers. We'll be so happy to be rid of spam we won't realize what we gave up.
Spamming is a scale free phenomenon - that is, a small fraction, 20 to 200, account for most of the successful spam. You'd just need the legal incentive to go after the big ones.
I agree that the proposed spam legislation is inadequate to solve the problem, and I commend the FTC for standing up, rather than passing more useless laws and backing an ineffective solution just to be able to say "look what we've done".
However, my problem lately has not been the traditional UCE spam (SpamAssassin does a pretty good job taking care of that); my problem lately has been outright criminal messages reaching my inbox.
Recently, I've been getting more and more messages spoofed as being from Paypal, Citibank, my ISP, etc, saying that my account has been suspended, and I need to verify my password, credit card number, even my mother's maiden name(!) These messages are getting more sophisticated, and appear to have (for example) a paypal.com address for me to click on.
After getting a few of these in a week's time, I checked the headers, and all seemed to come from China. I'm not sophisticated enough to trace them back any farther, but since these are so blatantly criminal, I don't think they'd be originating in the US, as the potential for prosecution is so high.
Unfortunately, these messages are the most dangerous, and the hardest to stop (if they truly originate overseas.) I'd like to see some sort of international cooperation to track and prosecute these degenerates.
OK...
I can do this. I am, after all,
a superhero!
It seems like these guys lay low so that geeks like us can't find them and harass them. But, this has always begged the question in my mind, how do their customers find them?
Not that I want to spam mind you, but it seems like they have more than a few customers, and yet, it seems next to impossible to find a point of contact for these people.
-------------------------------------------------
Why do people always ask that question?
You catch spammers by, well, catching them! ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set. That's the same kind of detective work and reliance on witnesses that any normal crime is solved by. ISPs constantly cut off these creeps and they have to keep going from ISP to ISP to get their word out. It would be very sweet indeed for an ISP to be able to report their spammers to the police.
In any case, outlawing spamming will get rid of a large volume of crap. Jackasses who brag about the volume of spam they are able to send from their freaking mansions will be shut down right away. So will lots of other losers who have been investing in equipment to annoy the rest of us. Good riddance. It may not get rid of all of them, but it will get rid of a lot of them.
as long as anonymity is allowed to exist in email, spam will exist
As long as people exist, spam, murder, and all sorts of other foul things will exist. None of it will ever be defeated by any police state but the confines of a police state are more odious than pure anarchy. Laws that follow morals are good things. Laws that "surrender to practicality" the way you would are flawed and hateful.
Friends don't help friends install M$ junk.
Did anyone else receive that one? I thought it was nice! It was so full of bullshit (nor noteworthy amongst spam) and... it had no purpose. Spam is usually aimed at stupid and/or gullible people who are willing to believe anything they receive in their mailbox. Even if someone were to believe this one particular spam message, what would one do? Send Mr Fusion to a set of long/lat coordinates IN THE PAST? Is it some kind of joke?
Hate me!
I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field. The receiving SMTP server contacts the server listed in the From field to obtain a copy of the claimed sender's public key which the receiving server uses to authenticate the sender's true identity. The public key is user-settable so that alternate From addresses may be used as long as the sender is authorized to use that address in From fields.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Follow the packets, not user supplied headers.
An entirely new mail protocol probably still needs to be created though, but what I suggest is that mailservers which support the new protocol have a mechanism whereby, on a user by user basis, any SMTP-protocol mail coming in for users that have turned off SMTP could be rejected as soon as the header is finished. These mailservers would also be configured to automatically add a header for the users who don't reject the mail, maybe something like "X-Protocol: SMTP" so that they can have an idea whether or not they are still getting important stuff that way after the protocol has been around for a bit, and determine whether or not they should simply reject old SMTP from that point forward. Also, if the mailserver admin desires, *ALL* old SMTP protocol mail could be rejected this way, but presumably he wouldn't do that until he was confident that all the individual users were content with such a policy change. This sort of mechanism would give people the ability to slowly migrate to the new protocol, and in the interim, give people who wanted a quick and easy way to classify such emails by a specific email header that option.
File under 'M' for 'Manic ranting'
The interview in the story is from an anti-spam service called knowspam, which works pretty much like Blue Bottle: if you are not on my white list, you have to authenticate yourself to send me an e-mail.
But what happens when two people, both using such a service, decide to send an e-mail for the first time? Couldn't such a setup create an endless loop of authentication requests?
Legislation isn't always the correct tool to fighting something. Whenever we consent to Congress passing more and more laws, we are sure to lose some of our freedoms along the way.
I hate spam as much as the next guy, but it isn't worth letting Congress think up some hair-brained, rights-destroying scheme that probably won't work anyway.
Too bad they don't realize this on most issues out there.
"You spoony bard!" -Tellah
This is a critical failing of SMTP. It is impossible to authenticate that the email in question came from any of the IP addresses that might be found in the email.
File under 'M' for 'Manic ranting'
Now, a good anti-spam law can contribute by driving spam further into the criminal underworld, but let's face it, it's most of the way there already, and you're not going to cut it down much more in that direction.
The key point is anonymity. If you can send email anonymously, you can send spam, legally or illegally. If you are willing not to receive anonymous email, you can receive zero spam (using whitelisting), or next to zero spam (counting on blacklisting of known spammers by name). Contrary to what some people say, the existing technical SMTP protocols are perfectly adequate for spam-free email: you just need a virtual email network using smtp, to which anonymous users are not admitted. I think it quite likely that MSN, AOL, etc. will be setting this up within the next 12-24 months. They might screw it up by trying to lock out competitors, but it can only be useful if it's reasonably inclusive.
Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.
We can avoid spam if we just collectively start using another system for sending each other messages. Sound difficult to get that off the ground?
:)
Try finding another planet to live on. Then compare
Many of these open relays are overseas. How, exactly, are you going to force their governments to cooperate?
File under 'M' for 'Manic ranting'
The one I use works like this: During the SMTP session when the email is attempting to be transferred, I run SpamAssassin from exim (my MTA). If the score is high enough, I send an SMTP 5xx rejection code. This causes the sending MTA to generate a challenge message. Because it is the sending MTA that creates this message, it is usually not fooled by forged From: addresses. Moreover, even if the sending MTA is fooled by a forged From: address, it is likely that the sender is on a blacklist and the domain of the forged sender can deal with it correctly.
Since this challenge is only generated when the email is almost certainly spam, most people will never see it. Most spamware will not be able to deal with the 5xx rejection code and therefore will not generate a challenge message to anyone.
Also, since this challenge message is created by the sender's MTA, it will more likely be in the correct language.
This challenge message, created by the sender's MTA, must be correctly interpreted and the correct action must be taken. This almost always requires a real human to do and moreover, it requires a clueful human. It works very, very well.
I call this kind of challenge-response system a "bounce".
SPF support for most open source mail servers can be found at libspf2.
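The SMTP-time rejection described in the comment above, modelled as an added example (not the commenter's exim configuration): the server side of one SMTP conversation either answers 5xx at the end of DATA, or accepts the message and bounces it later to whatever envelope sender was claimed. The phrase scorer is a hypothetical stand-in for a SpamAssassin scan, and the threshold, host names and addresses are constructed.

```python
import re

SPAM_THRESHOLD = 10.0  # assumed cut-off; the comment only says "high enough"

# Hypothetical phrase weights standing in for a real SpamAssassin scan.
TOY_RULES = {"act now": 4.0, "100% free": 4.5, "click here": 3.0}


def toy_score(body: str) -> float:
    text = body.lower()
    return sum(weight for phrase, weight in TOY_RULES.items() if phrase in text)


class Session:
    """Server side of one SMTP conversation, driven one client line at a time."""

    def __init__(self, reject_in_session: bool = True):
        self.reject_in_session = reject_in_session
        self.state = "command"
        self.mail_from = None
        self.rcpts = []
        self.lines = []
        self.delivered = []     # (sender, recipients, body) accepted for delivery
        self.dsn_sent_to = []   # addresses this server later mailed a bounce to

    def handle(self, line: str):
        """Return the server reply, or None while message data is being received."""
        if self.state == "data":
            return self._data_line(line)
        upper = line.upper()
        if upper.startswith(("HELO", "EHLO")):
            return "250 mx.example.net"
        if upper.startswith("MAIL FROM:"):
            m = re.search(r"<([^>]*)>", line)
            if not m:
                return "501 5.5.4 Syntax error in parameters"
            self.mail_from, self.rcpts, self.lines = m.group(1), [], []
            return "250 2.1.0 Sender OK"
        if upper.startswith("RCPT TO:"):
            m = re.search(r"<([^>]*)>", line)
            if self.mail_from is None or not m:
                return "503 5.5.1 Bad sequence of commands"
            self.rcpts.append(m.group(1))
            return "250 2.1.5 Recipient OK"
        if upper == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Bad sequence of commands"
            self.state = "data"
            return "354 End data with <CRLF>.<CRLF>"
        if upper == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _data_line(self, line: str):
        if line != ".":
            # Dot-unstuffing: a leading dot was added by the client in transit.
            self.lines.append(line[1:] if line.startswith(".") else line)
            return None
        body = "\n".join(self.lines)
        sender, rcpts = self.mail_from, self.rcpts
        self.state, self.mail_from, self.rcpts, self.lines = "command", None, [], []
        score = toy_score(body)
        if score < SPAM_THRESHOLD:
            self.delivered.append((sender, rcpts, body))
            return "250 2.0.0 Queued"
        if self.reject_in_session:
            # The connecting client still owns the message; we send no mail at all.
            return f"550 5.7.1 Rejected as spam (score {score:.1f})"
        # Accept-then-bounce: we now owe a bounce to an address we cannot verify.
        if sender:  # a null sender <> must never be bounced to
            self.dsn_sent_to.append(sender)
        return "250 2.0.0 Queued"


def run_dialog(session: Session, client_lines):
    """Feed client lines to the session and return (client line, reply) pairs."""
    return [(line, session.handle(line)) for line in client_lines]


# Constructed sample: bulk mail with a forged envelope sender.
SPAM_DIALOG = [
    "EHLO bulk.example.com",
    "MAIL FROM:<victim@innocent.example>",
    "RCPT TO:<user@example.net>",
    "DATA",
    "Subject: offer",
    "",
    "Act now! 100% free. Click here.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in (True, False):
        s = Session(reject_in_session=policy)
        for sent, reply in run_dialog(s, SPAM_DIALOG):
            print(f"C: {sent}" + (f"\nS: {reply}" if reply else ""))
        print("bounces sent by this server to:", s.dsn_sent_to, "\n")
```

With `reject_in_session=False` the forged address receives the bounce, which is the backscatter other comments in this thread complain about; rejecting in-session leaves bounce generation to the connecting host.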
FTC: "No No, anti telemarketing laws bad. Nobody wants them!"
PEOPLE: "But it would be much easier on the telemarketers if there was a central list they could match against..."
FTC: "Hell no."
PEOPLE: "OK.. Hey, it's a year later, and now we've got anti telemarketer laws in a majority of states"
FTC: "You fools! Why don't we just have a centralized list so those poor telemarketers don't have to deal with 50 different state agencies. Here. Use this one..."
PEOPLE: ">Sigh. Thanks I guess. Hey, what about this spam stuff..."
FTC: "Hell No. It's stupid and a waste of our time."
ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set.
What about infected end user machines that are being used as anonymizing zombies? There are, by all accounts, tens of thousands of them out there. You can bet that they don't keep logs.
Yes, Pareto's Principle applies to UCE too. There's about 150 spammers who are responsible for the majority of the spam.
I'm all for fighting spam, but so far, there are 3 problems:
First, there seems to be this naive belief among politicians that if they pass an anti-spam law, spammers will actually obey it. The majority of spammers have little regard for the law and their entire business model is based on deception and other activities of questionable legality. Any anti-spam laws will be ignored (and tied up in the courts by legal challenges).
Second, is enforcement. You can write all the laws you want, but they are meaningless if not enforced. If I am deluged by spam that violates an anti-spam law, who do I complain to? Who will investigate my complaint and take appropriate action - all the way through to prosecution? If you think about this for a minute, you quickly realize that *MEANINGFUL* enforcement of anti-spam laws will take a lot of resources -- i.e., it will be very expensive.
And finally, there's the international nature of the internet. Routing spam through a mail server in a foreign country is trivial. The only likely outcome of anti-spam legislation is that spammers will use foreign servers for their e-mail and websites.
I don't understand all this User, System, Idle nonsense.. I thought it went User, System, SETI?
What the big deal over spam is. For years, everyone got junk [snail] mail in their [snail] mail boxes. People would complain about it occasionally but most just threw it away. Taking care of spam is easy: I use junk mail filters in my email client and have a Hotmail account set up for anything that requires me to "Enter your email address". That way, 99% of the spam goes to the hotmail account, and my filters take care of the rest.
Shut up brain or I'll stab you with a Q-Tip. - Homer Simpson
Let them try it. The traffic controlling them can be traced back if it's against the law. Once again, difficulty in enforcement is no reason to give up.
Friends don't help friends install M$ junk.
If you format the drives of their servers they can't spam any more.
And don't bother with this, "But that's stooping to their level!" or any other such cries. They are not a legitimate business, they are not advertising any legitimate product or service, they are hiding who they are (which goes with my previous point) and they are costing ISPs and us millions of dollars a year in lost productivity and bandwidth costs.
Sometimes one has to resort to drastic measures to get the results you want.
There have been other email worms out there before, and I have had some extra traffic because of them, but I have had over 500 SoBig infected emails in the past 24 hours.
The message doesn't appear to be particularly "catchy" and it seems to follow the infection vector of other worms, so why the traffic? Does it cause infected computers to send out messages more often?
Most importantly, when can I punch the person responsible for this?
Track them down (I'm sure there is a way of doing this but I've never learnt how) then you proceed to whip them to death publicly (preferably with toilet paper because it takes longer) and that would set the example to other spammers.
The amount of spam should decrease.
Just my 2c.
Take out the commercial part.
The definition is, and will always be, despite the efforts of the DMA and other spam friendlies, "unsolicited bulk email".
Not commercial, not porn, not fraudulent, but ALL unsolicited bulk email regardless of content.
Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death
In Soviet Russia, I ruled you
I for one am getting so sick and tired of the attitude that [some piece of legislation] doesn't do "enough" so we just shouldn't do anything at all. There is no perfect law and no, legislation will never solve the whole problem. So does that mean we should just say, oh well, poor us, there's nothing we can do about it? Give me a break. You have to start somewhere!
You are correct, IMO that spam is a social problem. But "social problems" are rarely fixed by mere legislation and prosecution. The last time I checked, various drugs were illegal, too. But this fact does not appear to have stopped the (illegal) drug trade. I *think* there are also a whole lot of creative laws vs. market and stock fraud as well. I hear there's even an entire governmental agency to fight this, too.... Yet the Enron's, Worldcoms and Adelphia's execs still get away with it.
I for one won't hold my breath waiting for creative, effective legislation to stop Spam. The use of the three words creative, effective, and legislation together is almost an oxymoron anyway.
It is more accurate, IMO to label Spam, as both a demand problem, like drugs, and a financial crime, very much like fraud. Spam, therefore couldn't sustain itself but for the combination of two factors:
1) the one out of a million (or whatever the number is) spam recipients who actually buy the spy-cam or p3n1s enlarger.
*and*
2) the usual/customary fact that email in ANY volume/frequency is ALWAYS free.
Problems like this, therefore need to be dealt with both economically (market forces) and by law.
A better solution IMO (and as I have seen numerous times before) is to front load the cost of email on the sender. Charge one (1) penny for each email, period. Bulk email could get a discount to reduce the cost to 1/10th of a cent.
This would be made policy by, you guessed it, legislation. Half of the funds would be kept as profit by the ISP, so they wouldn't kick up a fuss about making yet more money. The other half would go to enforcement of *effective* laws vs. spam, so the ones hacking the system to spam without paying (or the ISP which allows email without payment) could be hunted down. The extra funds collected could even allow for *gasp* innovation in email/SMTP security.
Yeah we'd prolly pay an extra buck or two per month, but to severely curtail spam, I for one would do it.
uR iGn0ranc3, Their Power
Spam is predominantly a marketing method for fraudulent or otherwise illegal business enterprises. Without a source of business, the people performing the spamming will be forced to move on.
You *can* easily catch the people running the businesses behind the spam; they collect money, and the money trail is easily followable. Lean on these people, and you can probably get the spammers if someone decides to make spamming illegal as well.
The key point is to not try to attack spam; it's only a symptom. The real cause is fraudulent business enterprises, and I'm mystified why the FTC or the FBI doesn't make them a higher priority. Even the DMA should back this, since it would make them look more reputable without a direct attack on a business practice they'd *like* to use.
Let's not forget about the recent clash between SPEWS.org and SomethingAwful.com. The toll the spam war takes on everyday users through organizations such as Spews who are too heavy handed. Treating spam as a war to be won at any cost has already produced enough casualties.
Photos.
Get with the program and use a mail program that supports bayesian filters (like mozilla mail).
You have to train it with a few hundred e-mails for best results, but if you're complaining about spam you probably get that much anyway.
Bayesian filters work.
They are freely available.
Anyone who complains about spam now is just a whiner.
I for one do not want any more bad legislation being made, as we all know technology legislation has been "wonderful" (DMCA, Net act, patents).
If Spam is outlawed, only outlaws will have Spam.
Living with it doesn't have to be as painful an experience as you might think, however. The best practice I've yet heard of is where IT departments invoice the spammers for the lost productivity hours suffered as the result of inundated mail servers and mail service outages suffered through poorly designed network topologies or lack of IT management savvy. It seems to me (imho) that as more and more corporations and personal computers use their computers for productivity and enjoyment the companies providing the unsolicited marketing interruptions into our days should be providing much more incentive (perks, paybacks, tchotchkes) for those popups and other web application interfaces. Failing this, it should be legislated ( by the people, for the people ) that the companies responsible for these interruptions be required to accept invoice and process an account payable for each respondent who had, willing or not received said marketing verbiage. The appropriate amount would be a calculated percentage based on the fee received by the marketer for the marketing push in direct and proportional relation to the amount of email that the public infrastructure ( the internet, billions and billions served TM ) needed to process. So as not to eliminate spam altogether, this will curtail mass mailings and ensure that marketing continues to be able to thrive, however, under a much more equitable arrangement for the infrastructure as a whole. Responsibility for the payment would be directed through the carrier as service provider to said marketing company, individual, anarcho-syndicalist commune, etc. The carrier, as well paid provider of the network services required to perpetrate such a mass marketing push would be responsible for its impact on the overall network in this scheme and would be required to take responsibility for its networked connections transmissions.
This shift in responsibility for packets would balance the likelihood that service providers will continue to provide users with the ability to mass mail, or spam via web apps etc. ( insert your most loathsome client adware product here ). In order to protect carriers from inaccessible funds due to the inability of the marketer to pay, or potentially, other fraudulent marketing scams the carrier would be entitled to and recommended to take out insurance against such scenarios. This will force carriers to be more discerning as to whom they allow to connect to their services, and the appropriate credentials would be required when taking contract for the consumption of network services, thereby providing the government with a way of ultimately penalizing offenders, and protecting the public trust. These countermeasures and balances will curtail inappropriate network usage and promote more vigilance by carriers as to the content they're proliferating. The legislation should be multiply interoperative in various sectors so as to ensure that fairness and credibility be considered throughout. It wouldn't be easy legislation to write, but the fact that legislation is currently tabled gives rise to the possibility that a much more considerate approach could also be tabled, ratified, and maybe even "They signed you bill, now you're a law!" The polluters of our lakes and rivers have also been required to pay for cleanups and/or damages done to people and properties for their accidents or transgressions, it may be high time for netizens to push for a more 'network aware' government and ensure that pollution doesn't get out of hand in our new frontiers.
For the Sobig.f statistics, check out the virus stats page of the University of Vienna also.
The FTC is not blasting the concept of passing an anti-spam law. They're bashing the existing anti-spam bills that are about to become law. They're essentially saying we need better laws.
In Soviet Russia, I ruled you
Do a google search on terms such as "SASL", "SMTP AUTH", "GPG", "SMTP TLS", etc.
Before you get your hopes up that "the spam problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures", you should do some investigation about previous systems that have failed to largely mitigate spam.
SPF support for most open source mail servers can be found at libspf2.
I don't care whether spam is advertising a product, or asking for money, or asking for my vote. If it's unsolicited, bulk email then it's spam. Note bulk, not a single email to a single person about a topic that concerns him specifically. I don't see how you could confuse an offer to invest in my company (which couldn't be part of a bulk mailing, right?) with spam.
If these systems have failed to mitigate SPAM it's because of a lack of widespread adoption, not because the systems themselves have "failed" to mitigate SPAM. I'm sure they'd be reasonably effective if widely adopted.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Whoa there! At risk of going off topic, are you sure you want laws based on morals? I know it's an age old question, but whose morals? Yours? Mine? George W.'s? John Ashcroft's?!? There are a select few things most of us can agree on from a moral standpoint (murder, rape, theft), but the vast majority of morality can have wild variation from person to person. I would much rather have my laws be practical than moral. If a law isn't practical, maybe it shouldn't be a law.
My $.02 on topic: Spam is a nuisance for most people. Stopping a nuisance is not worth giving up freedom for. Anonymity and spam is better than a lack of both. The spam blocker in my mail client (Mac mail) does a decent job.
All the HTML I know I learned on Slashdot
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
I thought it was interesting that both sides in this fight (the FTC Chief Vs. the current Bills) are treating anonymity as a problem. The FTC Chief stated it outright while the existing bills (according to the article) attack the "crime" of sending anonymous e-mail. Depending upon how that is worded that could make any and all remailers, anonymizers and other tools illegal within the U.S.
That scares me greatly.
Is reducing the rate of spam by .01% really worth our right to anonymity?
Someone suggested that if spammers moved to other countries (where many already are) then the U.S. would somehow "squeeze" those countries to extradite those spammers. That's ludicrous. The U.S. has far greater things to worry about in terms of international politics. If Americans are going to try to influence other countries, let it be for human rights, disarmament, peace, food, medical care, etc. -- not something that is merely an inconvenience associated with a technological advantage.
Separately: I don't have the reference right now, but I recently read an article where the author suggested that spammers of the future might get around challenge-response by farming out response work to humans in low-wage countries. A penny for ten responses! The spammer would just raise their rates a little to sellers, maybe call it an extra service....
$nice = $webHosting + $domainNames + $sslCerts
This story was printed recently as the cover for a weekly indie paper in Boston. The story reads more as a cover sheet for neophytes rather than for the hardcore Slashdot crowd, so you've probably heard most of it already, but there are a few points of interest:
-- Some legislators have built up backing for a "do not email" list, similar to the "do not call" list that can get telemarketers in trouble. However, there's little hope it will pass. Not only would most offshore spammers ignore the list, but a list full of working emails would be gold to most spammers.
-- The article briefly restates the idea that putting a price tag on emails could help the problem. The idea is that spammers make profits only because they can spam freely in such large quantities. If there were a 10 cent bill attached to emails sent, spammers would see greatly diminished returns. Small price to pay?
-- The article also gives this interesting thought in a "do's and don't's" sidebar: Use "plus addressing" (offered at EFN) if you care about who's giving out your e-mail address. Here's how it works: Get an e-mail account. For example, nospam@efn.org. What's different with plus addressing is that nospam1, nospam2, nospam3 and so on will also be sent to you, only they'll each come into individually labeled folders. Next, when you sign up for a Victoria's Secret card and they ask for your e-mail, you give them one of those plus addresses, such as nospam14. If you ever get a spam e-mail sent to the nospam14 folder, you know which organization sold or shared your e-mail, and therefore where not to buy your panties.
Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
So why create a new one?
Underage drinking, pot use, etc...
What you are describing are actions done by private citizens. Quite often younger citizens.
Now in many cases, spam is a business practice: for both the spammer and whomever he/she is advertising for. While regulating businesses may not have an immediate effect, or a fully-encompassing one, it is generally more effective than regulating private citizens.
Businesses stand to lose a lot. If pushed to bankruptcy and your business is tied to your personal life, you could even lose a house/car/etc. So yes, it could be more effective.
Now, if most private citizens were spamming, it might be not effective (see RIAA: filesharing). I have enough faith in humanity that it is just a few evils causing most of the spam.
Getting the laws in place, and more importantly enforcing them should start to affect spam eventually, though.
Taking an idea from Icelandic history, why not declare spammers to be outlaws? An outlaw is outside the protection of the law. You are free to take his property, beat him or kill him.
Mea navis aericumbens anguillis abundat
You know what, most businesses don't support filetrading. They prefer to avoid the legal entanglements and inform employees that warez software and unauthorized Mp3's (aka unowned) are not permitted.
And you know what... they're also the ones that suffer the most productivity/bandwidth/etc loss due to spam. Yes, it's a problem for everyone, even Joe SixPC... but businesses are the ones who are most affected, and thus will be the ones to push for an anti-spam solution.
The spammers can and do try to remain anonymous, but their very purpose is to make people buy something, which means that at some point there has to be a way for customers to reach the vendor paying for the spam to be sent. And that's what should be targeted. Fine those who pay to have spam sent, and they'll stop doing it. There need to be some safeguards, of course, so that a competitor does not maliciously have spam sent in another's name, to get their competitor fined, but that should be something that can be addressed.
some of the proposed laws could be harmful, or at best useless
That's never stopped legislators before - why start now?
Force anyone using a standard DSL or dialup (read this as a NON business account) to use the ISP that you are connecting to's mail server by blocking all accesses to port 25 except for their mail server (this is trivial for them to do at their routers - drop all TCP/UDP connections to port 25 except for their server). Wouldn't this effectively kill most spammers? They could also do stuff like limit people to no more than say 50 emails/hour (how many people will actually hit that limit?). If they have people riding the limits, that should send up some sort of red flag to check what the person is mailing out (from the sendmail/qmail/etc. logs).
UPS Sucks
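An added sketch of the log check suggested in the comment above (not part of the original post): it counts messages per subscriber over a sliding hour and flags anyone at or near the 50-per-hour limit. The log line format, the 80% warning threshold and the client addresses are constructed assumptions, not real sendmail or qmail output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 50                    # messages per subscriber per hour (figure from the post)
WINDOW = timedelta(hours=1)
WARN_RATIO = 0.8              # assumption: flag subscribers at 80% of the limit

def parse(line):
    """Parse one constructed log line: '<ISO timestamp> client=<ip> ...'."""
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(stamp), fields["client"]

def review(lines, limit=LIMIT, window=WINDOW):
    """Return {client: (status, peak_in_window, refused)} for time-ordered lines."""
    recent = defaultdict(deque)   # accepted message times still inside the window
    peak = defaultdict(int)
    refused = defaultdict(int)
    for line in lines:
        when, client = parse(line)
        queue = recent[client]
        while queue and when - queue[0] >= window:
            queue.popleft()       # drop messages older than one hour
        if len(queue) >= limit:
            refused[client] += 1  # the mail server would defer this message
            continue
        queue.append(when)
        peak[client] = max(peak[client], len(queue))
    report = {}
    for client, high in peak.items():
        if refused[client]:
            status = "over-limit"
        elif high >= WARN_RATIO * limit:
            status = "near-limit"
        else:
            status = "ok"
        report[client] = (status, high, refused[client])
    return report

def sample_log():
    """Constructed sample: three subscribers with very different sending rates."""
    start = datetime(2003, 8, 25, 10, 0, 0)
    lines = []
    for i in range(5):            # ordinary user: 5 messages in an hour
        lines.append(f"{(start + timedelta(minutes=12 * i)).isoformat()} client=192.0.2.10 msg=accepted")
    for i in range(45):           # heavy but legitimate: one message a minute
        lines.append(f"{(start + timedelta(minutes=i)).isoformat()} client=192.0.2.20 msg=accepted")
    for i in range(200):          # bulk sender: one message every 5 seconds
        lines.append(f"{(start + timedelta(seconds=5 * i)).isoformat()} client=192.0.2.30 msg=accepted")
    return sorted(lines)          # ISO timestamps sort chronologically

if __name__ == "__main__":
    for client, row in sorted(review(sample_log()).items()):
        print(client, *row)
```
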
As long as the Internet is an international open network, is there really much an individual nation can do to regulate it??? As long as the SPAM is sent from outside the offended nation, can much really be done about it??? I don't know, just asking...
Doesn't SPAM exist more for Technical than Legal reasons??? IE, Email is sent over the net without a reliable electronic ID, hence you can't easily filter out SPAM???
HenryJamesFeltus.com
However, what will not work is requiring every email have an "opt-out" box. That's just a way of getting more spam; any opt-out list has to be one, single list. And having a national email list, with cleartext email addresses, is clearly a non-starter - that would just ensure more spam, by those who don't care about the law.
The simple solution is to store cryptographic hashes of email addresses - not the email addresses themselves. That way, having the address list doesn't actually give you a list of valid email addresses - it just gives you a way to (painfully) check if a given name exists on it. More details are at: http://www.dwheeler.com/essays/stopspam.html#opt-out-list
This isn't perfect, but it might be a step in the right direction.
The current legislation makes it okay to spam as long as you do a few stupid things that harm consumers. That's worse than the current situation; at least some state laws have a small bite. But it makes sense - they're listening to the spammers, and not the people being harmed. They need to enact stronger laws than they've been willing to consider so far.
- David A. Wheeler (see my Secure Programming HOWTO)
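The hashed opt-out list described in the comment above, as an added example that is not from the post or the linked essay: the registry publishes only digests, and a sender scrubs a mailing list against them. PBKDF2, the list-wide salt, the iteration count and lowercasing of addresses are assumptions chosen so that each membership check costs real work.

```python
import hashlib

# Assumptions for this sketch: one public salt for the whole list (lookups must be
# deterministic), and a deliberately slow hash so that testing guessed addresses
# against the published list is expensive.
LIST_SALT = b"example-optout-list-v1"   # constructed value
ITERATIONS = 20_000

def normalize(address: str) -> str:
    """Canonical form hashed by both registry and sender."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Lowercasing the local part is an assumption: over-matching on an
    # opt-out list only means slightly less mail gets sent.
    return f"{local.lower()}@{domain.lower()}"

def digest(address: str) -> str:
    raw = normalize(address).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", raw, LIST_SALT, ITERATIONS).hex()

class OptOutRegistry:
    """Registry side: stores digests only, never the addresses themselves."""
    def __init__(self):
        self._digests = set()

    def register(self, address: str) -> None:
        self._digests.add(digest(address))

    def published(self) -> frozenset:
        # This is all a sender (or anyone else) ever receives.
        return frozenset(self._digests)

def scrub(mailing_list, published_digests):
    """Sender side: split a list into (allowed, suppressed)."""
    allowed, suppressed = [], []
    for address in mailing_list:
        try:
            on_list = digest(address) in published_digests
        except ValueError:
            suppressed.append(address)   # malformed entries are never mailed
            continue
        (suppressed if on_list else allowed).append(address)
    return allowed, suppressed

if __name__ == "__main__":
    registry = OptOutRegistry()
    for addr in ("Alice@Example.org", "bob@example.net"):   # constructed addresses
        registry.register(addr)
    print(scrub(["alice@example.org", "carol@example.com"], registry.published()))
```

The published set is still a membership oracle for anyone willing to hash guesses, which is why the per-lookup cost matters; the iteration count sets how painful each check is.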
This is something we anti-spam zealots have feared for some time. By outlawing certain types of spam we are in effect legalizing the other types of spam. For example if we say that all spam with adult content must have "ADV ADLT: " prepended to the Subject line then all spam with that mark can't be considered illegal spam, hence no lawsuit can be filed. The spam issue is a grand one. The ONLY people who can provide accurate and meaningful insight on the problem are the people who actually deal with it on a daily basis. If you don't know all the spammers' tricks then you can't begin to dream of crafting a law that encompasses any and all of them. The NANAE regulars should have an enormous amount of input into any law that might get passed IMHO.
I have an idea: the amount of spam on the net may be huge, but it's all coming from a small number of spammers. If these people were to "disappear" suddenly, the spam problem would pretty much disappear too.
heh friend of mine that does operate several porn sites, his boss requested that any spam filters be turned off so he can "see" what the competition is up to. His subscribers mainly are ones that have signed up though that get newsletters from him.
And all very cheap to implement. If there was going to be any anti-spam laws then why not have the parent post ideas become requirements for all ISPs?
You could complain that it might be expensive to implement, but I seriously doubt it and it might even be a net savings for ISPs because they would have a significant drop in mail loads.
Debunking the "59 Deceits"
False positives are bad when you're filtering spam, worse when you're handing out subpoenas.
As a parting note, please exercise parallel construction next time. It makes it easier to identify the qualities being compared.
Ex. How people spend so much time complaining about spam (unauthorized use of bandwidth), yet have no trouble at all with file trading (making unauthorized use of someone else's data).
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
I for one love getting spam.
:)
I mean who doesn't? You get to keep current with all the latest new mini wireless cameras. This way you can create your own p0rn and not have to keep relying on the p0rn spam
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
There's a business/etc using the spammer to advertise their goods.
And many of the big spammers I have heard of on slashdot run spam as a business, albeit a semi-private one and often home-run (defining a business as an enterprise that provides their primary income, anyhow).
What else should they be based on?
Bribes?
Female Prison Rape in NY
This is a test. slashdot@kma.eu.org
slashdot@kma.eu.org
I really doubt people in China want your CC address or paypal account. More likely, it's open relays in China where spammers (probably US-based) open accounts. I can think of no simple solution to this issue, perhaps best is to just cut off these ISPs (think: internet death thread) from the major ISP links here in the US. No need to kill all of China, just the last point of accountability on their side, and let them clean up their own act.
Make sure everyone's vote counts: Verified Voting
Here's an example of one that came from New Zealand but was sent through an unsecured relay in China (go to bottom of thread to see how it was traced).
I kinda agree with him. The laws usually leave out important things like the definition of spam. See also laws about copyrights online, piracy, etc.
For example, I bought penis enlargement pills from a company in California, then returned them in person with a witness along with my demand letter. They kept spamming, but I have not gotten another spam from them after they were served with a lawsuit last Monday.
For more information on my spam fighting activities.
Fight Spammers!
Even so, let a judge and jury tell the spammers they are wrong!
Make money from home with your computer....sue a spammer!
Fight Spammers!
It is called agency! The tenet of agency theory is that a principal is liable for the acts of its agents.
Fight Spammers!
You don't only go after the person who originates the spam, but link in the chain. If someone hires a spammer to "market" for them, you go after them under agency theory.
Fight Spammers!
Jun. 16, 2003
Cable-TV descramblers! FDA-approved diet pills! Viagra without a prescription! Instant access to XXX movies! Dramatically enhanced orgasms! If you have ever received e-mails advertising products and services like these -- some quite within the law, some clearly outside it -- chances are they came from a guy like Howard Carmack, professional spammer.
Using three computers and working out of his mother's home in Buffalo, N.Y., Carmack sent an impressive 857,500,000 unsolicited e-mails in one year, something that is perfectly legal in New York State. But Carmack crossed the line, according to EarthLink, his Internet service provider, when he set up 343 accounts using stolen credit-card numbers to send these e-mails.
EarthLink took notice and began a year-long cat-and-mouse game to discover Carmack's true identity. "My name's not on anything," he boasted at one point, according to investigators, when they reached him on his uncle's cell phone. "You'll never catch me." Fingered by his upstairs neighbor and a former employer, Carmack went to ground. A private detective was hired to stake out his mother's house. Carmack was finally caught running from his car to the front door and was served with a complaint. Now out on bail, he has been found liable in a $16.4 million civil lawsuit by EarthLink. Charges of criminal fraud filed by state attorney general Eliot Spitzer are still pending. "There are many more like Carmack," Spitzer warns. "This sends a message that we are pursuing them." Spitzer, a man who knows how to put himself in the spotlight, was the avenging angel of Wall Street last year. Now he is on a cybercrusade against spam.
And no wonder. In the space of a year, according to research firm IDC, the number of uninvited entries into U.S. In boxes has shot up 85%, to a total of 4.9 trillion. Driven by cheap technology and the promise of easy profit, spammers have gone from pests to an invasive species of parasite that threatens to clog the inner workings of the Internet. For the first time last month, according to MessageLabs, more than half the emails received by U.S. businesses were unsolicited. The time we spend deleting or defeating spam costs an estimated $8.9 billion a year in lost productivity. Sensing an enemy as unpopular as al-Qaeda, lawmakers are pondering a plethora of solutions -- some of which, spam watchers say, could end up doing more harm than good.
Why do spammers flood the Internet with ads nobody wants to read? Because some people do read them, and a tiny fraction actually respond -- which in the world of direct marketing is like money in the e-bank. Take former spammer Scott Hirsch of Boca Raton, Fla., who sold his e-mail marketing business last year for $135 million and retired at the age of 37. Florida is home to more spammers than any other state, and Hirsch -- who started his first bulk e-mail list way back in 1996 -- likes to take credit for helping make Boca Raton "the spam capital of the world." Hirsch filled his mailing lists with the e-mail addresses of people who had "opted in" by checking (or forgetting to deselect) one of those ubiquitous boxes on website order forms. "When people want to receive [e-mail]," he explains, "you get a much higher return."
But for an increasing number of Hirsch's imitators, spamming is a numbers game that rewards excess. "The more times they deliver the message, the more money they make," says Charles Curran, general counsel for America Online, which last week filed lawsuits against more than 100 spammers. "They all want to get as close to infinity as possible." This is getting easier all the time, as high-speed Internet access gets cheaper and computer processor power continues to double every 16 months. Meanwhile, the software tools for spamming continue to improve. Web crawlers harvest e-mail addresses en masse from chat rooms and newsgroups. Dictionary-attack programs string together words or names in multiple languages, random numbers, an "@" and the names of common mail servers. Presto: millions of
So how many sobig.f related messages have everyone here received so far? Over the last 3 days I count in excess of 300, if you include bounces and mailing list software saying "huh?" cause it doesn't understand any of the "commands" in the message... for some reason I'm getting *many* more bounces than I am actual copies of the virus (anyone know why? Does it use a different selection method for sender addresses than target addresses?).