FTC Chief Bashes Anti-Spam Bills
teutonic_leech writes "According to an MSNBC report FTC chairman Tim Muris has indicated that the antispam laws being considered by Congress 'just won't work and may even be counterproductive - some of the proposed laws could be harmful, or at best useless.' He further concluded that 'In the end, legislation cannot do much to solve the spam problem, because it can only make a limited contribution to the crucial problems of anonymity and cost shifting.'" Other spam bits: an anti-spam service has a funny interview with one of their users, and reader der.hans submits a story and some pretty pictures discussing the quantity of Sobig.f virus emails.
My boss, Bill, bashes spammers. No really, he does. We're one of the first ISPs to sue spammers. Check last month's (2 months ago? don't remember) Time magazine. Awwwh yeah.
- Anti-Spam bills being considered currently inadequate: 100% correct
- Anti-Spam legislation not a primary solution: 100% incorrect.
Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is. The "they will all go offshore" excuse is BS. Sure, some might, but many won't. And then, the country that harbors the offshore spammer is squeezed just as Korea was (do you see any Korean spam any more? well, yes, but nowhere like the torrents we all received a year ago).
Spam is a social problem, not a technological one. Social problems can only be solved by social contracts or laws. Technological solutions fail. Even bayesian filters, those much heralded bleeding edge anti-spam flavor of the moment, are being beaten regularly--my SpamBayes filter catches still a good deal, but more and more slip through despite over 150,000 'training' emails as the spammers get smarter. And, bayesian filters (even at the ISP level) don't begin to address the crucial problem of bandwidth use.
Legislate Now. Not big brother, not slippery-slope BS about john ashcroft in your inbox - just reasonable, progressive legislation to eliminate the spam epidemic.
As long as there is profit to be made, there will be an enterprising capitalist there to take advantage. Especially in the case of spam, where there is no real barrier to entering. If you get a minuscule response, you can make a huge return on a limited investment.
It's akin to regulation of the traveling snake-oil salesman of the nineteenth century. That sort of charlatan is no longer allowed (by law), and the same could happen with strong (and strongly enforced) spam laws.
Stop corporate
A government figure who actually admits there's not a whole lot they can do. Nice to see a guy with a little common sense (on this issue, at least) giving voice to his opinions. Let's face it, he's right. Outlawing spam is -not- going to have any effect whatsoever. Look at underage drinking, pot use, etc. It's illegal, it still happens, and quite often. The 'spam bills' won't have any effect beyond making people think their senators are tech-minded.
You don't like spam? Hit the delete key. Don't make a law about it.
spam is becoming a problem like pollution.... we can not get rid of it, so we will just have to live with it
No, most spam is distributed by a few known individuals. Make laws against distributing spam with harsh penalties (especially for porn spam that kids can be exposed to) and the problem will go away. After all, after the do not call registry went into effect, we have had almost zero telephone calls in the evening from people looking to sell us stuff.
Visit Jonesblog and say hello.
Going to read an article about anti-spam legislation and being bombarded with pop-up ads
best quote from the Knowspam.net interview:
At first glance, it sounds like the FTC chief has his head up his ass. After reading the article, I realised the man just does not want to pass a lame ass law that makes it HARDER to prosecute spammers. He is looking for a simpler plan to make it EASIER to shut down mass-spammers. Sounds like he needs our help, not our hostility.
JP
The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
Is it just me, or is C/R spam filtering, really, intensely, annoying?
If I e-mail someone, and I get one of those "I think you're a spammer, prove you're not" messages back, then fuck it, you're not getting my e-mail. Challenge/response breaks the whole concept of e-mail.
I personally use SpamAssassin to drop mail scoring 5-10 into a crudbox, and 10+ just gets bounced.
I don't get much spam anymore.
Listen guys. You can't have laws saying "It's OK to be anonymous and post anything you want anywhere and threaten to do anything to anybody and download anything you want and it's all free and nobody can touch you; but spamming is bad. Then you go to jail." Trying to limit everybody else's actions while giving yourself complete freedom is known as "fascism".
Since they are taking the time to scan email for viruses, you would think they would take a second to check the validity of the "from" address. Or at least not send bounces to domains which have diff ips than the sender.
Now I get piles of bounces from people with viruses.
Great.
Hard to filter since I want to see bounces from my own mail.
How people spend so much time complaining about spam (unauthorized use of bandwidth) yet have no trouble at all making unauthorized use of someone else's data (file trading).
There shouldn't be much problem with a spam policy provided the proper definition of spam is included: bulk, unsolicited, commercial e-mail.
Defining spam as "any e-mail I don't want" is probably part of the problem with having a working anti-spam policy. It is also an incorrect definition of spam.
It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
File under 'M' for 'Manic ranting'
Put an end forever to these bogus claims by spammers that their free speech is being interfered with, that businesses have to pay to provide means to deliver their crap, and that to do otherwise is to interfere with their business and all of their other bogus claims.
The solution is to outlaw spam outright. Spammers will be caught the same way murderers and crackers are caught today. It does not require a fundamental loss of privacy or anonymity on the web. Spamming will be reduced to a tolerable level the same way speed limit laws reduce traffic deaths. Spamming and the "cost shifting" involved are simply wrong and it's right to make laws against things that are wrong regardless of how well they work.
Friends don't help friends install M$ junk.
Ah, but much, if not most, of the spam that gets passed around on the Internet comes from outside our borders and therefore outside the reach of any anti-spam law. I don't think the same is true for telemarketers.
Spam is a big problem, but I think we should be really careful about pushing our lawmakers to pass laws that are that specific to computers. Whenever someone suggests introducing a law that could possibly invade someone's privacy, we're up in arms about it and claim that such problems should be solved a different way - that the lawmakers should stay away from what they don't understand, and that we could solve them by technical means, or by interpreting more general, existing laws to apply to computers.
When we're pushing for anti-spam legislation, we're saying it's suddenly okay to pass laws that specific just because it suits us and we can't see any possible way to lose out. Is this a fair way of doing things? Are we really decided on how far we want laws to extend into computers, and where we draw the line?
It is more problematic than just stopping the spammers. Any legislation should be based upon these criteria.
1) Spam cannot be routed via spurious methods.
2) Spammers can not blanket-target domains.
3) The companies who employ spammers should be held responsible.
4) The advertising should follow current laws and guidelines, with the consideration that minors may be using the internet. In general, follow the guidelines for movie trailers.
5) Transactions between companies and these 'advertising agencies' must be recorded.
6) Both the spammer and the company which sells the product must be held culpable.
Any deviation from these guidelines will only prove to make the anti-spam legislation exactly what the claims state it is, useless and filled with loopholes.
Moreover, a law which is not enforced by itself is useful when the authorities catch them for something else which is hard to prove (in the case of spam, probably fraud, misuse of other people's computers) or have jurisdiction problems. And it helps civil litigation too (I don't know if the US have a civil criminal litigation procedure, but it helps either way).
http://www.gnu.org/philosophy/words-to-avoid.html
There's no need for a human to get involved. Have a protocol whereby in order to the receiver's machine automatically issues a small, dynamically-generated math problem which requires the sender's computer a few seconds of computing time to solve. The email only gets "authorized" if a correct solution is received. This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails would be facing some pretty prohibitive computational costs.
The bold print giveth, and the fine print taketh away
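Added example, not part of the thread: a sketch of the compute-to-send challenge proposed in the comment above, using a hash puzzle (hashcash-style) as the "math problem", which is an assumption since the comment names none. The function names, addresses, difficulty and lifetime values are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # receiver's secret; lets it issue challenges without storing them
DIFFICULTY_BITS = 16         # assumed cost: about 65,000 hashes per message on average
MAX_AGE = 300                # assumed lifetime of a challenge, in seconds


def issue_challenge(sender, recipient, now=None):
    """Receiver: create a fresh puzzle bound to one sender/recipient pair."""
    now = int(time.time() if now is None else now)
    body = f"{sender}|{recipient}|{now}|{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Sender: brute-force the first counter whose hash has `bits` leading zeros."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge, counter, sender, recipient, seen, bits=DIFFICULTY_BITS, now=None):
    """Receiver: one HMAC and one hash decide whether the mail is authorized."""
    now = int(time.time() if now is None else now)
    body, _, tag = challenge.rpartition("|")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "forged"          # challenge was not issued by this receiver
    fields = body.split("|")
    if len(fields) != 4:
        return "forged"
    if (fields[0], fields[1]) != (sender, recipient):
        return "wrong-pair"      # solution was computed for a different message
    if not 0 <= now - int(fields[2]) <= MAX_AGE:
        return "expired"         # stops stockpiling solved puzzles
    if challenge in seen:
        return "replayed"        # one solution pays for one message only
    digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return "no-work"
    seen.add(challenge)
    return "ok"


if __name__ == "__main__":
    accepted = set()
    ch = issue_challenge("alice@example.org", "bob@example.net")
    start = time.perf_counter()
    answer = solve(ch)
    print(f"solved in {time.perf_counter() - start:.3f}s with counter {answer}")
    print(verify(ch, answer, "alice@example.org", "bob@example.net", accepted))
```

Binding each challenge to the sender/recipient pair, expiring it and rejecting replays is what makes the cost scale with the number of messages; without those checks a single solved puzzle could be reused for a whole mailing.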
Anonymity is something that I think is one of the things that makes the internet so valuable as a tool to help people fight oppressive governments and corporations. When it is impossible for a spammer to cover his tracks, it will also be equally impossible for a political or corporate dissident to do so as well.
The implication here is that spam can be solved by a technical solution, i.e., one that makes forging identity very very difficult. IPv6 or something like that, perhaps, with additional anti-terrorism/anti-spam identity measures, forcibly implemented (Carnivore anyone?) on ISPs and backbone providers. We'll be so happy to be rid of spam we won't realize what we gave up.
I agree that the proposed spam legislation is inadequate to solve the problem, and I commend the FTC for standing up, rather than passing more useless laws and backing an ineffective solution just to be able to say "look what we've done"
However, my problem lately has not been the traditional UCE spam (SpamAssassin does a pretty good job taking care of that); my problem lately has been outright criminal messages reaching my inbox.
Recently, I've been getting more and more messages spoofed as being from Paypal, Citibank, my ISP, etc, saying that my account has been suspended, and I need to verify my password, credit card number, even my mother's maiden name(!) These messages are getting more sophisticated, and appear to have (for example) a paypal.com address for me to click on.
After getting a few of these in a week's time, I checked the headers, and all seemed to come from China. I'm not sophisticated enough to trace them back any farther, but since these are so blatantly criminal, I don't think they'd be originating in the US, as the potential for prosecution is so high.
Unfortunately, these messages are the most dangerous, and the hardest to stop (if they truly originate overseas.) I'd like to see some sort of international cooperation to track and prosecute these degenerates.
OK...
I can do this. I am, after all,
a superhero!
It seems like these guys lay low so that geeks like us can't find them and harass them. But, this has always begged the question in my mind, how do their customers find them?
Not that I want to spam mind you, but it seems like they have more than a few customers, and yet, it seems next to impossible to find a point of contact for these people.
-------------------------------------------------
Why do people always ask that question?
You catch spammers by, well, catching them! ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set. That's the same kind of detective work and reliance on witnesses that any normal crime is solved by. ISPs constantly cut off these creeps and they have to keep going from ISP to ISP to get their word out. It would be very sweet indeed for an ISP to be able to report their spammers to the police.
In any case, outlawing spamming will get rid of a large volume of crap. Jackasses who brag about the volume of spam they are able to send from their freaking mansions will be shut down right away. So will lots of other losers who have been investing in equipment to annoy the rest of us. Good riddance. It may not get rid of all of them, but it will get rid of a lot of them.
as long as anonymity is allowed to exist in email, spam will exist
As long as people exist, spam, murder, and all sorts of other foul things will exist. None of it will ever be defeated by any police state but the confines of a police state are more odious than pure anarchy. Laws that follow morals are good things. Laws that "surrender to practicality" the way you would are flawed and hateful.
Friends don't help friends install M$ junk.
Did anyone else receive that one? I thought it was nice! It was so full of bullshit (not noteworthy amongst spam) and... it had no purpose. Spam is usually aimed at stupid and/or gullible people who are willing to believe anything they receive in their mailbox. Even if someone were to believe this one particular spam message, what would one do? Send Mr Fusion to a set of long/lat coordinates IN THE PAST? Is it some kind of joke?
Hate me!
I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field. The receiving SMTP server contacts the server listed in the From field to obtain a copy of the claimed sender's public key which the receiving server uses to authenticate the sender's true identity. The public key is user-settable so that alternate From addresses may be used as long as the sender is authorized to use that address in From fields.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
The interview in the story is from an anti-spam service called knowspam, which works pretty much like Blue Bottle: if you are not on my white list, you have to authenticate yourself to send me an e-mail.
But what happens when two people, both using such a service, decide to send an e-mail for the first time? Couldn't such a setup create an endless loop of authentication requests?
Legislation isn't always the correct tool for fighting something. Whenever we consent to Congress passing more and more laws, we are sure to lose some of our freedoms along the way.
I hate spam as much as the next guy, but it isn't worth letting Congress think up some hair-brained, rights-destroying scheme that probably won't work anyway.
Too bad they don't realize this on most issues out there.
"You spoony bard!" -Tellah
Now, a good anti-spam law can contribute by driving spam further into the criminal underworld, but let's face it, it's most of the way there already, and you're not going to cut it down much more in that direction.
The key point is anonymity. If you can send email anonymously, you can send spam, legally or illegally. If you are willing not to receive anonymous email, you can receive zero spam (using whitelisting), or next to zero spam (counting on blacklisting of known spammers by name). Contrary to what some people say, the existing technical SMTP protocols are perfectly adequate for spam-free email: you just need a virtual email network using smtp, to which anonymous users are not admitted. I think it quite likely that MSN, AOL, etc. will be setting this up within the next 12-24 months. They might screw it up by trying to lock out competitors, but it can only be useful if it's reasonably inclusive.
Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.
We can avoid spam if we just collectively start using another system for sending each other messages. Sound difficult to get that off the ground?
:)
Try finding another planet to live on. Then compare
Legislation is not the only way to go.
I disagree. It's the best way to go.
Consider this article. Spam can be largely solved via technical means.
I read the article - it won't stop spam. The author says that the confirmation is a step that spammers "do not and will not take" - how does he come to that conclusion, exactly? What's to stop a spammer from setting up an autoresponder to get past it? - Oh yeah, and say goodbye to legitimate anonymous email, too.
If none of it gets through, then the incentive to spam in the first place is removed.
You're talking about this as if it's the first time anyone has tried a technological method to stop spam.. There have been LOTS of other methods tried, and what has the result been? Spammers adjusting their methods to get around them, not spammers quitting.
I think that it's been proven that technological solutions have no effect on spam, except to make email less useful.
Laws don't stop crime, they won't stop spam either.
Laws don't stop crime, but they do reduce the amount of it. Laws may not stop spam, but they will surely go a long way to reducing it.
To paraphrase you;
"If you throw spammers in jail, then the incentive to spam in the first place is removed."
I'm all for fighting spam, but so far, there are 3 problems:
First, there seems to be this naive belief among politicians that if they pass an anti-spam law, spammers will actually obey it. The majority of spammers have little regard for the law and their entire business model is based on deception and other activities of questionable legality. Any anti-spam laws will be ignored (and tied up in the courts by legal challenges).
Second, is enforcement. You can write all the laws you want, but they are meaningless if not enforced. If I am deluged by spam that violates an anti-spam law, who do I complain to? Who will investigate my complaint and take appropriate action - all the way through to prosecution? If you think about this for a minute, you quickly realize that *MEANINGFUL* enforcement of anti-spam laws will take a lot of resources -- i.e., it will be very expensive.
And finally, there's the international nature of the internet. Routing spam through a mail server in a foreign country is trivial. The only likely outcome of anti-spam legislation is that spammers will use foreign servers for their e-mail and websites.
Bad analogy. Drug trafficking becomes the more profitable the more it's outlawed because the addict will pay literally any price. Not so with spam, where the demand is quite limited and will not put up with inflated prices.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
What allows spam isn't SMTP, it's the way SMTP is used: Any ISP will accept email for their customers from just about any ISP, many of whom in turn will allow just about anyone to sign up as a customer and send email, without proving identity or showing any bona fides beyond payment for the service.
How will your new protocol magically stop that happening?
A slight improvement could be brought about by:
With this in place, you could whitelist reliably on the non-forgeable "sender:" field. It would cause some reconfiguration, and upset some people. It would require no changes to SMTP.
ISPs would then be able to add a new header field to outgoing mail, indicating "This is a bona-fide identifiable, accountable customer", if it really was (and remove any such header field if the customer is not identifiable). The ISP at the receiving end could remove the header if it does not really trust the sending ISP to keep track of its users. Customers would then have the option of receiving from only such "reliable" senders, plus a whitelist. Again, this is only extensions to current mailserver functionality, not changes to the protocol. All the software to run this scheme already exists.
(Corporations, universities etc. who do not send or receive mail through ISPs count as ISPs themselves under this scheme.)
Today, the demand for such steps is not there, but it may be within the next few years.
There are a few details to fill in: obviously ISPs would have to provide filtering options to their customers based on the new headers, to save customer bandwidth, but the gist of the system is all there.
Spam is predominantly a marketing method for fraudulent or otherwise illegal business enterprises. Without a source of business, the people performing the spamming will be forced to move on.
You *can* easily catch the people running the businesses behind the spam; they collect money, and the money trail is easily followable. Lean on these people, and you can probably get the spammers if someone decides to make spamming illegal as well.
The key point is to not try to attack spam; it's only a symptom. The real cause is fraudulent business enterprises, and I'm mystified why the FTC or the FBI doesn't make them a higher priority. Even the DMA should back this, since it would make them look more reputable without a direct attack on a business practice they'd *like* to use.
The FTC is not blasting the concept of passing an anti-spam law. They're bashing the existing anti-spam bills that are about to become law. They're essentially saying we need better laws.
In Soviet Russia, I ruled you
I don't care whether spam is advertising a product, or asking for money, or asking for my vote. If it's unsolicited, bulk email then it's spam. Note bulk, not a single email to a single person about a topic that concerns him specifically. I don't see how you could confuse an offer to invest in my company (which couldn't be part of a bulk mailing, right?) with spam.
This story was printed recently as the cover for a weekly indie paper in Boston. The story reads more as a cover sheet for neophytes rather than for the hardcore Slashdot crowd, so you've probably heard most of it already, but there are a few points of interest:
-- Some legislators have built up backing for a "do not email" list, similar to the "do not call" list that can get telemarketers in trouble. However, there's little hope it will pass. Not only would most offshore spammers ignore the list, but a list full of working emails would be gold to most spammers.
-- The article briefly restates the idea that putting a price tag on emails could help the problem. The idea is that spammers make profits only because they can spam freely in such large quantities. If there were a 10 cent bill attached to emails sent, spammers would see greatly diminished returns. Small price to pay?
-- The article also gives this interesting thought in a "do's and don't's" sidebar: Use "plus addressing" (offered at EFN) if you care about who's giving out your e-mail address. Here's how it works: Get an e-mail account. For example, nospam@efn.org. What's different with plus addressing is that nospam1, nospam2, nospam3 and so on will also be sent to you, only they'll each come into individually labeled folders. Next, when you sign up for a Victoria's Secret card and they ask for your e-mail, you give them one of those plus addresses, such as nospam14. If you ever get a spam e-mail sent to the nospam14 folder, you know which organization sold or shared your e-mail, and therefore where not to buy your panties.
Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
Underage drinking, pot use, etc...
What you are describing are actions done by private citizens. Quite often younger citizens.
Now in many cases, spam is a business practice: for both the spammer and whomever he/she is advertising for. While regulating businesses may not have an immediate effect, or a fully-encompassing one, it is generally more effective than regulating private citizens.
Businesses stand to lose a lot. If pushed to bankruptcy and your business is tied to your personal life, you could even lose a house/car/etc. So yes, it could be more effective.
Now, if most private citizens were spamming, it might be not effective (see RIAA: filesharing). I have enough faith in humanity that it is just a few evils causing most of the spam.
Getting the laws in place, and more importantly enforcing them should start to affect spam eventually, though.
The spammers can and do try to remain anonymous, but their very purpose is to make people buy something, which means that at some point there has to be a way for customers to reach the vendor paying for the spam to be sent. And that's what should be targeted. Fine those who pay to have spam sent, and they'll stop doing it. There need to be some safeguards, of course, so that a competitor does not maliciously have spam sent in another's name, to get their competitor fined, but that should be something that can be addressed.
Here's the big deal.
1) Bulk paper mail subsidises personal letter mail. They pay well for the privilege of sending out stuff that no one reads.
2) Spam recipients pay for the spam they get. Disk space is used, bandwidth consumed, and ISP bills are higher. Not to mention the fact that we now need extra software (more computer resources, more maintenance, more time, more money) to filter this shite out.
YOU ARE PAYING for every spam you receive, as well as every spam you filter. By the time it's left the spammer's computer, the load has been incurred, and the costs go up.
FURTHERMORE, it's easy to tell the difference between paper junk mail and real mail. It's not always as easy (esp. for filters) to distinguish, and as a result you have spam that gets through to you, as well as real mail that gets trapped by your filters. Worse yet, the spammers are exploiting this--they've turned it into a war of escalation, with better crafted spam vs. better filtering. As long as they have free rein, we will be paying higher costs and continue to have the value of email service degraded.
Of course nearly all of the "I don't get it" comments come from spammers, so you probably already know this and are just trying to excuse your behaviour.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I kinda agree with him. The laws usually leave out important things like the definition of spam. See also laws about copyrights online, piracy, etc.