FTC Chief Bashes Anti-Spam Bills

teutonic_leech writes "According to an MSNBC report FTC chairman Tim Muris has indicated that the antispam laws being considered by Congress 'just won't work and may even be counterproductive - some of the proposed laws could be harmful, or at best useless.' He further concluded that 'In the end, legislation cannot do much to solve the spam problem, because it can only make a limited contribution to the crucial problems of anonymity and cost shifting.'" Other spam bits: an anti-spam service has a funny interview with one of their users, and reader der.hans submits a story and some pretty pictures discussing the quantity of Sobig.f virus emails.

bash?

[selfabuse]

My boss, Bill, bashes spammers. No really, he does. We're one of the first ISPs to sue spammers. Check last months (2months ago? don't remember) Time magazine. Awwwh yeah.

Re:bash?

[letxa2000]

That's a good idea.

New laws to outlaw spam are, as the FTC director said, probably useless. Most of the spam being sent is fraudulent or deceptive in some way--or porn spam that is also being sent to minors. Spammers aren't bothered violating current laws, why does anyone think they won't ignore new anti-spam laws?

Re:bash?

[selfabuse]

and here's the text of the article, for those of you that don't have time subscriptions Jun. 16, 2003 Cable-TV descramblers! FDA-approved diet pills! Viagra without a prescription! Instant access to XXX movies! Dramatically enhanced orgasms! If you have ever received e-mails advertising products and services like these -- some quite within the law, some clearly outside it -- chances are they came from a guy like Howard Carmack, professional spammer. Using three computers and working out of his mother's home in Buffalo, N.Y., Carmack sent an impressive 857,500,000 unsolicited e-mails in one year, something that is perfectly legal in New York State. But Carmack crossed the line, according to EarthLink, his Internet service provider, when he set up 343 accounts using stolen credit-card numbers to send these e-mails. EarthLink took notice and began a year-long cat-and-mouse game to discover Carmack's true identity. "My name's not on anything," he boasted at one point, according to investigators, when they reached him on his uncle's cell phone. "You'll never catch me." Fingered by his upstairs neighbor and a former employer, Carmack went to ground. A private detective was hired to stake out his mother's house. Carmack was finally caught running from his car to the front door and was served with a complaint. Now out on bail, he has been found liable in a $16.4 million civil lawsuit by EarthLink. Charges of criminal fraud filed by state attorney general Eliot Spitzer are still pending. "There are many more like Carmack," Spitzer warns. "This sends a message that we are pursuing them." Spitzer, a man who knows how to put himself in the spotlight, was the avenging angel of Wall Street last year. Now he is on a cybercrusade against spam. And no wonder. In the space of a year, according to research firm IDC, the number of uninvited entries into U.S. In boxes has shot up 85%, to a total of 4.9 trillion. Driven by cheap technology and the promise of easy profit, spammers have gone from pests to an invasive species of parasite that threatens to clog the inner workings of the Internet. For the first time last month, according to MessageLabs, more than half the emails received by U.S. businesses were unsolicited. The time we spend deleting or defeating spam costs an estimated $8.9 billion a year in lost productivity. Sensing an enemy as unpopular as al-Qaeda, lawmakers are pondering a plethora of solutions -- some of which, spam watchers say, could end up doing more harm than good. Why do spammers flood the Internet with ads nobody wants to read? Because some people do read them, and a tiny fraction actually respond -- which in the world of direct marketing is like money in the e-bank. Take former spammer Scott Hirsch of Boca Raton, Fla., who sold his e-mail marketing business last year for $135 million and retired at the age of 37. Florida is home to more spammers than any other state, and Hirsch -- who started his first bulk e-mail list way back in 1996--likes to take credit for helping make Boca Raton "the spam capital of the world." Hirsch filled his mailing lists with the e-mail addresses of people who had "opted in" by checking (or forgetting to deselect) one of those ubiquitous boxes on website order forms. "When people want to receive [e-mail]," he explains, "you get a much higher return." But for an increasing number of Hirsch's imitators, spamming is a numbers game that rewards excess. "The more times they deliver the message, the more money they make," says Charles Curran, general counsel for America Online, which last week filed lawsuits against more than 100 spammers. "They all want to get as close to infinity as possible." This is getting easier all the time, as high-speed Internet access gets cheaper and computer processor power continues to double every 16 months. Meanwhile, the software tools for spamming continue to improve. Web crawlers harvest e-mail addresses en masse from chat rooms and newsgroups. Dictionary-attack programs string together words or names in multiple languages, random numbers, an "@" and

Re:bash?

[schon]

Spammers aren't bothered violating current laws, why does anyone think they won't ignore new anti-spam laws?

The thing is, if you ask spammers, they'll tell you that they're not violating any laws..

That's why we need a clear message that what they are doing is wrong - they need to be shown, without any doubt, that they are indeed breaking the law.

Re:bash?

[4of12]

excessive concentration on the supply side.

You're quite right.

There has to be a concentration on the demand side of the equation.

Clients of the spammers need to feel it in the pocketbook for a solution to really work.

Unfortunately, a 98% effective boycott of the spamhaus clients by recipients of spam won't do much, considering that response rates are less than 1% already. Rather than attack the spammers directly, the clients should be made to pay big time if they've employed a spammer for advertising.

I don't trust Michael Powell. After caving in to media interests and allowing further consolidation in the face of absolutely zero public support for such measures (and widespread opposition once the results of his hearings became known), his current position on spammers seems to be an attempt to position future policy to insure that there is no possible anonymity on the Internet. I dislike that solution to that problem because whistleblowers, politic dissidents in repressive regimes, etc. would be silenced alongside the despicable spammers.

BTW, along the same lines of supply and demand, there's a recent article about current and former law enforcement officials that want a different approach to the "war on drugs" than what's been not working for the last number of decades.

Re:bash?

[Brian+Kendig]

They need to be shown, without any doubt, that they are indeed breaking the law.

And then they'll stop, just like all those people who used to download music, right?

Legal action can help curb spammers, *if* it's pursued aggressively -- but technology still has a lot more it can do. For example:

- Why do mail servers accept email whose sender address is invalid (malformed) or gives a domain which isn't resolvable?

- Why do mail servers accept email which is sent in violation of the SMTP protocol -- for example, 'spam blasters' which dump a whole lot of commands on the receiving server then disconnect without waiting for a response?

- Why don't mail servers automatically check services such as Razor? If an incoming message happens to have the same checksum as a message which has been reported to Razor several thousand times within the past half-hour, why accept the message for delivery?

- Why don't mail servers have a built-in 'tarpit' feature? In other words: if there's an incoming message, and if system resources aren't tight, the mail server could sit on it for sixty seconds before accepting it. If the sender disconnects before sixty seconds, the mail will be rejected. This obeys the SMTP protocol, and it will be unnoticed by anyone except people who want to blast tens of thousands of emails in one shot -- suddenly it becomes more time-consuming to spam, and the spammer can be stopped before he can get very far.

Comments..

[mumblestheclown]

• Anti-Spam bills being considered currently inadequate: 100% correct
• Anti-Spam legislation not a primary solution: 100% incorrect.

Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is. The "they will all go offshore" excuse is BS. Sure, some might, but many won't. And then, the country that harbors the offshore spammer is squeezed just as korea was (do you see any korean spam any more? well, yes, but nowhere like the torrents we all received a year ago).

Spam is a social problem, not a technological one. Social problems can only be solved by social contracts or laws. Technological solutions fail. Even bayesian filters, those much heralded bleeding edge anti-spam flavor of the moment, are being beaten regularly--my SpamBayes filter catches still a good deal, but more and more slip through despie over 150,000 'training' emails as the spammers get smarter. And, bayesian filters (even at the ISP level) don't begin to address the crucial problem of bandwidth use.

Legislate Now. Not big brother, not slippery-slope BS about john ashcroft in your inbox - just reasonable, progressive legislation to eliminate the spam epidemic.

Re:Comments..

[letxa2000]

Legislation is the ONLY way to get rid of spam.

Absolutely incorrect.

The "they will all go offshore" excuse is BS. Sure, some might, but many won't.

You probably have it backwards. Many will go offshore, but some won't.

Plus, it might not be necessary. There is so much spam and spammers are constantly dodging bullets to keep themselves anonymous I'm not sure if it'd really be necessary to go overseas. There are not enough resources to track down spammers that are covering their tracks unless some "public bounty" is authorized that gives the *public* an incentive to track them down themselves. Even then I think you'll find many of the shadier spammers will just use stolen credit cards and/or free ISP trials to send their spam. The trail is going to get awfully cold for a civilian trying to track down a spammer when you run into stolen credit card numbers or need to find the phone number that dialed into the ISP at a given date/time.

Spam is a social problem, not a technological one. Social problems can only be solved by social contracts or laws.

Spam is NOT a social problem any more than junk snail mail is a social problem. It takes advantage of available technology to serve a business purpose and as long as the technology is available to take advantage of, it will continue. The problem is that in the case of email the technology makes spam free.

The solution is make spamming not free (with lawsuits based on existing laws) or make the technology harder to abuse (with filters, etc.). New laws are completely unnecessary and, as the FTC director said, most would be counterproductive.

Technological solutions fail. Even bayesian filters, those much heralded bleeding edge anti-spam flavor of the moment, are being beaten regularly--my SpamBayes filter catches still a good deal, but more and more slip through despie over 150,000 'training' emails as the spammers get smarter.

Then get a better Bayesian filter. With just 3000 good and 10,000 bad emails my Bayesian filter is running at 99.8%. 5 spams have gone through my Bayesian filter so far this month out of 2415 spams--2 were in a foreign language and the other 3 were on-topic enough that they got by and might have even been something I was interested in. My Bayesian filter accuracy has been going up constantly for the last 4 months.

I'm willing to do deal with 1 spam in my inbox every 3 or 4 days to avoid federal legislation that will probably be less than perfect and certainly will not eliminate 99.8% of the spam.

And, bayesian filters (even at the ISP level) don't begin to address the crucial problem of bandwidth use.

Overnight, no. But if more and more people and ISPs implemented Bayesian less spam would be seen my users--including the dumb ones that respond to spam. In time the motivation to spam will decrease and that will decrease the bandwidth problem.

Legislation is NOT the answer.

Re:Comments..

[Otter]

How does a US law stop spam from other countries? You can't get *all* other countries to adopt US policy.

Read what he said -- there's nothing about getting *all* countries to stop spam. If adequate laws were passed regulating spammers (and more importantly, the businesses they advertise) in the G7 countries and a few others, that would make the problem much more tractable for anyone who can live without mail from China or Russia.

Anti-Spam laws are the only way to go

[Marxist+Commentary]

As long as there is profit to be made, there will be an enterprising capitalist there to take advantage. Especially in the case of spam, where there is no real barrier to entering. If you get a miniscule response, you can make a huge return on a limited investment.

It's akin to regulation of the traveling snake-oil salesman of the nineteenth century. That sort of charlatan is no longer allowed (by law), and the same could happen with strong (and strongly enforced) spam laws.

Re:Anti-Spam laws are the only way to go

[boatboy]

The illogic of your comment is that it ignores the other side of the coin. As long as there is profit to be made stopping spam, capitalism will find the cheapest, best way to do so- much cheaper and much better than any politician ever could. It also, as this century has proven for marxism, ignores the fact that where there is profit to be made, there will always be an enterprising politician to take advantage.

Your analogy is also incorrect. Snake oil salesmen were frauds. Fraud became illegal, not snake oil. I may buy snake oil (or magnet bracelets or crystals) as long as the seller is honest about what it is. Spammers may be frauds also, but the point is, if they are frauds-or in violation of other existing laws- then they should be prosecuted under those laws. If new laws are needed to clarify what sorts of advertisement are illegal, they should not deal with the technology but rather the core issue (ie. it is illegal to advertise indecent material to minors.)

I have a feeling most /.ers, if they thought about it, would trust technology over a politician any day...

Wow...

[InfinityWpi]

A government figure who actually admits there's not a whole lot they can do. Nice to see a guy with a little common sense (on this issue, at least) giving voice to his oppinions. Let's face it, he's right. Outlawing spam is -not- goingg to have an yeffect whatsoever. Look at underage drinking, pot use, etc. It's illegal, it still happens, and quite often. The 'spam bills' won't have any effect beyond making people think their senators are tech-minded.

best quote

[RevDobbs]

best quote from the Knowspam.net interview:

Q. What are you doing with all your extra time now that you aren't getting spam?

A. . . . Petting the cat. Not a entendre, by the way. Real cat. . . .

Headline Misleading

[kunsan]

At first glance, it sounds like the FTC cheif has his head up his ass. After reading the article, I realised the man just does not want to pass a lame ass law that makes it HARDER to prosecute spammers. He is looking for a simpler plan to make it EASIER to shut down mass-spammers. Sounds like he needs our help, not our hostility.

JP

Challenge/response spam filtering

[Mwongozi]

Is it just me, or is C/R spam filtering, really, intensely, annoying?

If I e-mail someone, and I get one of those "I think you're a spammer, prove you're not" messages back, then fuck it, you're not getting my e-mail. Challenge/response breaks the whole concept of e-mail.

I personally use SpamAssassin to drop mail scoring 5-10 into a crudbox, and 10+ just gets bounced.

I don't get much spam anymore.

Re:Challenge/response spam filtering

[KMitchell]

If you email me and get my "prove you're not a spammer" TMDA autoreply then you've never corresponded with me before (with the email address you're using). Any previous correspondence (to or from) and you won't get the autoresponse.

If you care enough to send email to me, you care enough to "hit reply" one time for a "new address". If I started the "conversation" you shouldn't ever get an autoresponder message.

Challenge/response breaks the whole concept of e-mail.

No. Spamming broke the concept of email years ago. The only question is how to fix things. Based on the hoops you're going through with SA, your email sounds just as broken. Been there, done that. If you don't want to email me, I'll cope somehow.

Technology legislation cuts both ways

Listen guys. You can't have laws saying "It's OK to be anonymous and post anything you want anywhere and threaten to do anything to anybody and download anything you want and it's all free and nobody can touch you; but spamming is bad. Then you go to jail." Trying to limit everybody else's actions while giving yourself complete freedom is known as "fascism".

Always funny

[cubicledrone]

How people spend so much time complaining about spam (unauthorized use of bandwidth) yet have no trouble at all making unauthorized use of someone else's data (file trading).

There shouldn't be much problem with a spam policy provided the proper definition of spam is included: bulk, unsolicited, commercial e-mail.

Defining spam as "any e-mail I don't want" is probably part of the problem with having a working anti-spam policy. It is also an incorrect definition of spam.

It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.

Re:Always funny

[Hayzeus]

It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.

I agree completely. So please allow me to introduce myself to you. I am Thomas N'Gemba, formerly of the Ministry of Finance of Nigeria. I and my associates have recently discovered aporximately USD$10,000,000.00 in unsecured funds...

I understand it, even though I don't like it.

[mark-t]

From the article:

"Proposals in both the House and the Senate require us to prove knowledge to bring an action against a seller that hires a spammer," Murin said.
Proving such awareness could be nearly impossible, he hinted.

It may suck, but it's right on the money... how can you possibly prove that the seller ever advocated the spamming? The *most* they could expect from a seller is for them to pull the spammer's account (if the spam was done as some sort of referral program), but often even that's not possible.

What the government CAN do....

[weave]

What the government can do and should do is pass a law that says the matter should be handled by the private sector, and affirm a mail system owner's right to decide what gets delivered, and also word it so third party services like spamcop are legal so they don't have to be threatened with legal actions.

Put an end forever to these bogus claims by spammers that their free speech is being interfered with, that businesses have to pay to provide means to deliver their crap, and that to do otherwise is to interfere with their business and all of their other bogus claims.

Re:spam is becoming a problem like pollution

[Trigun]

It is more problematic than just stopping the spammers. Any legislation should be based upon these criteria.

1) Spam cannot be routed via spurious methods.
2) Spammers can not blanket-target domains.
3) The companies who emply spammers should be held responsible.
4) The advertising should follow current laws and guidelines, with the consideration that minors may be using the internet. In general, follow the guidelines for movie trailers.
5) Transactions between companies and these 'advertising agencies' must be recorded.
6) Both the spammer and the company which sells the product must be held culpable.

Any deviation from these guidelines will only prove to make the anti-spam legislation exactly what the claims state it is, useless and filled with loopholes.

Automate the challenge/response ...

[tessaiga]

There's no need for a human to get involved. Have a protocol whereby in order to the receiver's machine automatically issues a small, dynamically-generated math problem which requires the sender's computer a few seconds of computing time to solve. The email only gets "authorized" if a correct solution is received. This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails would be facing some pretty prohibitive computational costs.

Anonymity will be surrendered to fight spam

[FearUncertaintyDoubt]

No spam law that doesn't help investigators find the real sender of the message would be effective he said.

Anonymity is something that I think is one of the things that makes the internet so valuable as a tool to help people fight oppressive governments and corporations. When it is impossible for a spammer to cover his tracks, it will also be equally impossible for a political or corporate dissident to do so as well.

The implication here is that spam can be solved by a technical solution, i.e., one that makes forging identity very very difficult. IPv6 or something like that, perhaps, with additional anti-terrorism/anti-spam identity measures, forcibly implemented (Carnivore anyone?) on ISPs and backbone providers. We'll be so happy to be rid of spam we won't realize what we gave up.

Forget UCE, they need to go after the criminals.

[gristlebud]

I agree that the proposed spam legislation is inadequate to solve the problem, and I commend the FTC for standing up, rather than passing more useless laws and backing an inneffective solution just to be able to say "look what we've done"

However, my problem has lately has not been the tradition UCE spam (Spamassasin does a pretty good job taking care of that); my problem lately has been outright criminal messages reaching my inbox.

Recently, I've been getting more and more messages spoofed as being from Paypal, Citibank, my ISP, etc, saying that my account has been suspended, and I need to verify my password, credit card number, even my mother's maiden name(!) These messages are getting more sophisciated, and appear to have (for example) a paypal.com address for me to click on.

After getting a few of these in a week's time, I checked the headers, and all seemed to come from China. I'm not sophicicated enough to trace them back any farther, but since these are so blatently criminal, I dont think they'd be originating in the US, as the potential for prosecution is so high.

Unfortunately, these messages are the most dangerous, and the hardest to stop (if they truly originate overseas.) I'd like to see some sort of internation cooperation to track and prosecute these degenerates.

So how does one find a spammer anyway?

[einTier]

It seems like these guys lay low so that geeks like us can't find them and harrass them. But, this has always begged the question in my mind, how do their customers find them?

Not that I want to spam mind you, but it seems like they have more than a few customers, and yet, it seems next to impossible to find a point of contact for these people.

Sender Verification for SMTP?

[Adrian+Lopez]

I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field. The receiving SMTP server contacts the server listed in the From field to obtain a copy of the claimed sender's public key which the receiving server uses to authenticate the sender's true identity. The public key is user-settable so that alternate From addresses may be used as long as the sender is authorized to use that address in From fields.

Anti-Spam Services

[Goo.cc]

The interview in the story is from an anti-spam service called knowspam, which works pretty much like Blue Bottle: if you are not on my white list, you have to authenticate yourself to send me an e-mail.

But what happens when two people, both using such a service, decide to send an e-mail for the first time? Couldn't such a setup create a endless loop of authentication requests?

Too bad they don't realize this on every issue.

[Maul]

Legislation isn't always the correct tool to fighting something. Whenever we consent to Congress passing more and more laws, we are sure to lose some of our freedoms along the way.

I hate spam as much as the next guy, but it isn't worth letting Congress think up some hair-brained, rights-destroying scheme that probably won't work anyway.

Too bad they don't realize this on most issues out there.

The guy's right

[amcguinn]

First, in saying some recent bills may be counterproductive, he's only echoing what many anti-spam campaigners have been saying: the bills actually legalise a lot of spam.

Now, a good anti-spam law can contribute by driving spam further into the criminal underworld, but let's face it, it's most of the way there already, and you're not going to cut it down much more in that direction.

The key point is anonymity. If you can send email anonymously, you can send spam, legally or illegally. If you are willing not to receive anonymous email, you can receive zero spam (using whitelisting), or next to zero spam (counting on blacklisting of known spammers by name). Contrary to what some people say, the existing technical SMTP protocols are perfectly adequate for spam-free email: you just need a virtual email network using smtp, to which anonymous users are not admitted. I think it quite likely that MSN, AOL, etc. will be setting this up within the next 12-24 months. They might screw it up by trying to lock out competitors, but it can only be useful if it's reasonably inclusive.

Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.

The Problem with "Anti-Spam Legislation"

[rudy_wayne]

I'm all for fighting spam, but so far, there are 3 problems:

First, there seems to be this naive belief among politicians that if they pass an anti-spam law, spammers will actually obey it. The majority of spammers have little regard for the law and their entire business model is based on deception and other activities of questionable legality. Any anti-spam laws will be ignored (and tied up in the courts by legal challenges).

Second, is enforcement. You can write all the laws you want, but they are meaningless if not enforced. If I am deluged by spam that violates an anti-spam law, who do I complain to? Who will investigate my complaint and take appropriate action - all the way through to prosecution? If you think about this for a minute, you quickly realize that *MEANINGFUL* enforcement of anti-spam laws will take a lot of resources -- i.e., it will be very expensive.

And finally, there's the international nature of the internet. Routing spam through a mail server in a foreign country is trivial. The only likely outcome of anti-spam legislation is that spammers will use foreign servers for their e-mail and websites.

Treat the disease - fraud - not the symptom

[swb]

Spam is predominantly a marketing method for fraudulent or otherwise illegal business enterprises. Without a source of business, the people performing the spamming will be forced to move on.

You *can* easily catch the people running the businesses behind the spam; they collect money, and the money trail is easily followable. Lean on these people, and you can probably get the spammers if someone decides to make spamming illegal as well.

The key point is to not try to attack spam; it's only a symptom. The real cause is fraudulent business entperprises, and I'm mystified why the FTC or the FBI doesn't make them a higher priority. Even the DMA should back this, since it would make them look more reputable without a direct attack on a business practice they'd *like* to use.

Re:Yeah, well they bashed the anti telemarketer la

[gorbachev]

The FTC is not blasting the concept of passing an anti-spam law. They're bashing the existing anti-spam bills that are about to become law. They're essentially saying we need better laws.

Don't compare

[phorm]

Underage drinking, pot use, etc...

What you are describing are actions done by private citizens. Quite often younger citizens.

Now in many cases, spam is a business practice: for both the spammer and whomever he/she is advertising for. While regulating businesses may not have an immediate effect, or a fully-encompassing one, it is generally more effective than regulating private citizens.
Businesses stand to lose a lot. If pushed to bankruptcy and your business is tied to your personal life, you could even lose a house/car/etc. So yes, it could be more effective.

Now, if most private citizens were spamming, it might be not effective (see RIAA: filesharing). I have enough faith in humanity that is just a few evils causing most of the spam.
Getting the laws in place, and more importantly enforcing them should start to affect spam eventually, though.