FTC Chief Bashes Anti-Spam Bills

teutonic_leech writes "According to an MSNBC report FTC chairman Tim Muris has indicated that the antispam laws being considered by Congress 'just won't work and may even be counterproductive - some of the proposed laws could be harmful, or at best useless.' He further concluded that 'In the end, legislation cannot do much to solve the spam problem, because it can only make a limited contribution to the crucial problems of anonymity and cost shifting.'" Other spam bits: an anti-spam service has a funny interview with one of their users, and reader der.hans submits a story and some pretty pictures discussing the quantity of Sobig.f virus emails.

bash?

[selfabuse]

My boss, Bill, bashes spammers. No really, he does. We're one of the first ISPs to sue spammers. Check last months (2months ago? don't remember) Time magazine. Awwwh yeah.

Re:bash?

[4of12]

excessive concentration on the supply side.

You're quite right.

There has to be a concentration on the demand side of the equation.

Clients of the spammers need to feel it in the pocketbook for a solution to really work.

Unfortunately, a 98% effective boycott of the spamhaus clients by recipients of spam won't do much, considering that response rates are less than 1% already. Rather than attack the spammers directly, the clients should be made to pay big time if they've employed a spammer for advertising.

I don't trust Michael Powell. After caving in to media interests and allowing further consolidation in the face of absolutely zero public support for such measures (and widespread opposition once the results of his hearings became known), his current position on spammers seems to be an attempt to position future policy to insure that there is no possible anonymity on the Internet. I dislike that solution to that problem because whistleblowers, politic dissidents in repressive regimes, etc. would be silenced alongside the despicable spammers.

BTW, along the same lines of supply and demand, there's a recent article about current and former law enforcement officials that want a different approach to the "war on drugs" than what's been not working for the last number of decades.

Re:bash?

[Brian+Kendig]

They need to be shown, without any doubt, that they are indeed breaking the law.

And then they'll stop, just like all those people who used to download music, right?

Legal action can help curb spammers, *if* it's pursued aggressively -- but technology still has a lot more it can do. For example:

- Why do mail servers accept email whose sender address is invalid (malformed) or gives a domain which isn't resolvable?

- Why do mail servers accept email which is sent in violation of the SMTP protocol -- for example, 'spam blasters' which dump a whole lot of commands on the receiving server then disconnect without waiting for a response?

- Why don't mail servers automatically check services such as Razor? If an incoming message happens to have the same checksum as a message which has been reported to Razor several thousand times within the past half-hour, why accept the message for delivery?

- Why don't mail servers have a built-in 'tarpit' feature? In other words: if there's an incoming message, and if system resources aren't tight, the mail server could sit on it for sixty seconds before accepting it. If the sender disconnects before sixty seconds, the mail will be rejected. This obeys the SMTP protocol, and it will be unnoticed by anyone except people who want to blast tens of thousands of emails in one shot -- suddenly it becomes more time-consuming to spam, and the spammer can be stopped before he can get very far.

Re:spam is becoming a problem like pollution

[BWJones]

spam is becoming a problem like pollution.... we can not get rid of it, so we will just have to live with it

No, most spam is distributed by a few known individuals. Make laws against distributing spam with harsh penalties (especially for porn spam that kids can be exposed to) and the problem will go away. After all, after the do not call registry went into effect, we have had almost zero telephone calls in the evening from people looking to sell us stuff.

What the government CAN do....

[weave]

What the government can do and should do is pass a law that says the matter should be handled by the private sector, and affirm a mail system owner's right to decide what gets delivered, and also word it so third party services like spamcop are legal so they don't have to be threatened with legal actions.

Put an end forever to these bogus claims by spammers that their free speech is being interfered with, that businesses have to pay to provide means to deliver their crap, and that to do otherwise is to interfere with their business and all of their other bogus claims.

Very insighful

[mericet]

I agree wholeheartedly. There are a lot of laws which are not activly enforced, but their existance in the books sets a social standard.

Moreover, a law which is not enforced by itself is useful when the authorities catch them for something else which is hard to prove (in the case of spam, probably fraud, misuse of other people's computers) or have jurisdiction problems. And it helps civil litigation too (I don't know if the US have a civil criminal litigation procedure, but it helps either way).

Automate the challenge/response ...

[tessaiga]

There's no need for a human to get involved. Have a protocol whereby in order to the receiver's machine automatically issues a small, dynamically-generated math problem which requires the sender's computer a few seconds of computing time to solve. The email only gets "authorized" if a correct solution is received. This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails would be facing some pretty prohibitive computational costs.

So how does one find a spammer anyway?

[einTier]

It seems like these guys lay low so that geeks like us can't find them and harrass them. But, this has always begged the question in my mind, how do their customers find them?

Not that I want to spam mind you, but it seems like they have more than a few customers, and yet, it seems next to impossible to find a point of contact for these people.

It's easy, practical and sensible to outlaw spam.

[twitter]

Oh... and just *HOW* do you propose that we do that? Follow the return address?

Why do people always ask that question?

You catch spammers by, well, catching them! ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set. That's the same kind of detective work and reliance on witnesses that any normal crime is solved by. ISPs constantly cut off these creeps and they have to keep going from ISP to ISP to get their word out. It would be very sweet indeed for an ISP to be able to report their spammers to the police.

In any case, outlawing spamming will get rid of a large volume of crap. Jackasses who brag about the volume of spam they are able to send from their freaking mansions will be shut down right away. So will lots of other losers who have been investing in equipment to annoy the rest of us. Good riddance. It may not get rid of all of them, but it will get rid of a lot of them.

as long as anonymity is allowed to exist in email, spam will exist

As long as people exist, spam, murder, and all sorts of other foul things will exist. None of it will ever be defeated by any police state but the confines of a police state are more odius than pure anarchy. Laws that follow morals are good things. Laws that "surrender to practicality" they way you would are flawed and hateful.

Hmm

[Dark+Lord+Seth]

That time travel guy, I think. Did you ever get it? That guy who was looking for aliens who had perfected time travel because he needed to go back and fix something? It was a rambling treatise about the nature of time and him trying to convince the reader he was dead serious about this and there didn't seem to be any other point to the thing. No URL, no offer to increase my penis size, nothing.

Did anyone else receive that one? I thought it was nice! It was so full of bullshit (nor noteworthy amongst spam) and... it had no purpose. Spam is usually aimed at stupid and/or gullible people who are willing to believe anything they receive in their mailbox. Even if someone were to believe this one particular spam message, what would one do? Send Mr Fusion to a set of long/lat coordinates IN THE PAST? Is it some kind of joke?

Sender Verification for SMTP?

[Adrian+Lopez]

I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field. The receiving SMTP server contacts the server listed in the From field to obtain a copy of the claimed sender's public key which the receiving server uses to authenticate the sender's true identity. The public key is user-settable so that alternate From addresses may be used as long as the sender is authorized to use that address in From fields.

Anti-Spam Services

[Goo.cc]

The interview in the story is from an anti-spam service called knowspam, which works pretty much like Blue Bottle: if you are not on my white list, you have to authenticate yourself to send me an e-mail.

But what happens when two people, both using such a service, decide to send an e-mail for the first time? Couldn't such a setup create a endless loop of authentication requests?

Too bad they don't realize this on every issue.

[Maul]

Legislation isn't always the correct tool to fighting something. Whenever we consent to Congress passing more and more laws, we are sure to lose some of our freedoms along the way.

I hate spam as much as the next guy, but it isn't worth letting Congress think up some hair-brained, rights-destroying scheme that probably won't work anyway.

Too bad they don't realize this on most issues out there.

The guy's right

[amcguinn]

First, in saying some recent bills may be counterproductive, he's only echoing what many anti-spam campaigners have been saying: the bills actually legalise a lot of spam.

Now, a good anti-spam law can contribute by driving spam further into the criminal underworld, but let's face it, it's most of the way there already, and you're not going to cut it down much more in that direction.

The key point is anonymity. If you can send email anonymously, you can send spam, legally or illegally. If you are willing not to receive anonymous email, you can receive zero spam (using whitelisting), or next to zero spam (counting on blacklisting of known spammers by name). Contrary to what some people say, the existing technical SMTP protocols are perfectly adequate for spam-free email: you just need a virtual email network using smtp, to which anonymous users are not admitted. I think it quite likely that MSN, AOL, etc. will be setting this up within the next 12-24 months. They might screw it up by trying to lock out competitors, but it can only be useful if it's reasonably inclusive.

Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.

Re:What is needed is a new email protocol

[amcguinn]

What would the new protocol give you that SMTP doesn't?

What allows spam isn't SMTP, it's the way SMTP is used: Any ISP will accept email for their customers from just about any ISP, many of whom in turn will allow just about anyone to sign up as a customer and send email, without proving identity or showing any bona fides beyond payment for the service.

How will your new protocol magically stop that happening?

A slight improvement could be brought about by:

• Insisting all messages have a "sender:" which reflects the actual network origin
• ISPs' outgoing servers accept mail only from their own connected customers (happens already), and that the "sender:" matches the customer sending the message.
• ISPs' incoming servers accept mail only if the "sender:" matches the domain of the server that is sending the message

With this in place, you could whitelist reliably on the non-forgeable "sender:" field. It would cause some reconfiguration, and upset some people. It would require no changes to SMTP.

ISP's would then be able to add a new header field to outgoing mail, indicating "This is a bona-fide idenifiable, accountable customer", if it really was (and remove any such header field if the customer is not identifiable). The ISP at the receiving end could remove the header if it does not really trust the sending ISP to keep track of its users. Customers would then have the option of receiveing from only such "reliable" senders, plus a whitelist. Again, this is only extensions to current mailserver functionality, not changes to the protocol. All the software to run this scheme already exists.

(Corporations, universities etc. who do not send or receive mail through ISPs count as ISPs themselves under this scheme.)

Today, the demand for such steps is not there, but it may be within the next few years.

There are a few details to fill in: obviously ISPs would have to provide filtering options to their customers based on the new headers, to save customer bandwidth, but the gist of the system is all there.

Re:Anti-Spam laws are the only way to go

[boatboy]

The illogic of your comment is that it ignores the other side of the coin. As long as there is profit to be made stopping spam, capitalism will find the cheapest, best way to do so- much cheaper and much better than any politician ever could. It also, as this century has proven for marxism, ignores the fact that where there is profit to be made, there will always be an enterprising politician to take advantage.

Your analogy is also incorrect. Snake oil salesmen were frauds. Fraud became illegal, not snake oil. I may buy snake oil (or magnet bracelets or crystals) as long as the seller is honest about what it is. Spammers may be frauds also, but the point is, if they are frauds-or in violation of other existing laws- then they should be prosecuted under those laws. If new laws are needed to clarify what sorts of advertisement are illegal, they should not deal with the technology but rather the core issue (ie. it is illegal to advertise indecent material to minors.)

I have a feeling most /.ers, if they thought about it, would trust technology over a politician any day...

Re:Comments..

[letxa2000]

I think you have it backwards. Spammers are sociopaths.

I think you are using the definition of "sociopath" very liberally if you think that all--or even most--spammers are sociopaths. I hate spammers as much as the next guy, but sociopaths? The definition of sociopath is "One who is affected with a personality disorder marked by antisocial behavior." Spammers are insensitive and thieves, but I don't think that most of them suffer from a personality disorder.

Would you move to another country - turning your back on your family and friends, just so that you could continue harrassing innocent people? I doubt most spammers would either.

If the spammer is making a few hundred thousand per year I don't think a move to Cancun is going to hurt that much. After all, if they are sociopaths are their links to families and friends going to be all that important? They're sociopaths after all. :)

And the technology will always exist - or are you advocating the dismantling of email?

No, I'm advocating that we lock our doors before we ask Congress to do something about people breaking into our houses. We have the technical means to pretty much solve the spam problem and I think we should obviously exploit those technical means before we go crying to Washington for help that, frankly, they probably won't do a very good job at anyway.

How do filters make the technology "harder to abuse"? It's just as easy to abuse, and (more importantly) you're still paying for it

It's harder to abuse if the spammer has a harder time delivering his message to his intended victim. Filters make it less likely that a spammers' message will get through, thus less likely that a dumb idiot will respond to the spammer, that reduces the profits of the spammer which lowers the incentive to spam in the first place. It's not a silver bullet that will solve the spam problem in one day, but Congress isn't going to be able to give us a silver bullet either.

A "better filter" will only help you to avoid the problem, it doesn't make the problem go away.

See above. You're looking for instant gratification. As they say, the spam problem didn't hit us overnight and we won't defeat it overnight. But widely implemented effective spam filters will reduce even further the response rate of spam which will mean less motivation to send it in the first place. So, yes, a better filter will eventually help the problem go away as long as it is widely implemented. And we have the technical means to implement them widely.

Oh. My. God. You consider that you pay for 2420 pieces of email that you don't want a good thing?!?!?!

Those 2420 pieces of spam consumed 11MB of bandwidth. If I go over my bandwidth allocation (which I don't), I pay $2/GB. So if we assume that I'm paying $2/GB those 11MB of spam cost me about two pennies. Now I'm not saying that I think that it's good that I have to pay anything at all, but my time is much more valuable than the bandwidth cost of spam. And people need to understand that. The bandwidth is annoying, but the real cost of spam is in the time that everyone has to spend dealing with it.

So, yes, the fact that in the last 3 weeks I've had to manually delete 5 spams instead of 2420 is a good thing. If we can get rid of spam and save me three or four pennies per month, great, but I'd rather lose a nickle per month in bandwidth than invite the Federal government to start regulating aspects of email.

Re:Comments..

[bafu]

It makes me sad to see someone who thinks "technological solution" == "filters" get a +5 Insightful, but whatever. If you are a troll, derive whatever personal satisfaction you can from the fact that I am taking your post at face value...

Spam is a social problem, not a technological one.

You are missing the point of the spam problem. The fact that there are people who have no ethical problem engaging in spamming could be seen as a social problem, but their ability to engage in it is a technological problem. Spam exists because of the way our email system is designed, and that system is not some immutable force of nature. Change the system of incentives in that email system and, without changing human nature or the number of scam artists in existence, you will change the amount of spam in the email system. IOW, they currently use it because the technical design of our email system makes it easy for them to engage in their particular form of antisocial behavior. If and when it doesn't, they will not disappear (or, in most cases, give up antisocial behavior in general), they will just stop sending spam through the email system.

So, I agree that filters and so on are not solutions... after all, they only treat the symptoms. That isn't an argument against a technological solution, however. The people who are proposing "technological solutions" to the overall problem are actually talking about changes to the system itself, not filters slapped on top of it.