California Tries Spam Ban
Schlemphfer writes "Spammers have likely received their biggest setback yet, when California governor Gray Davis today signed a bill outlawing all unsolicited email sent to and from the state. Two things about this new law stand out: first, it puts the burden on senders to prove that they are sending solicited email. Second, it bans the entire practice of spamming, with no loopholes at all like allowing messages with ADV: in the subject. Keep in mind California has the world's fifth largest economy, and they are planning to enforce the law with fines amounting to $1000 per each piece of spam. This law could be ruinous to spammers when it takes effect January 1st."
What has to be a resident in the state to get the benefits of this bill? The human, or the mail server?
Don't blame me, I voted for Kodos
Spammers generally sell product, if I buy a product from them (yeah I'll play dumb) and if the value of the product is less than the value of the damages I could receive, I still get good compensation for the effort :-)
...in bed
Nice deficit he's got going, maybe this will balance things out. Enforceable? Suuuuuuure.
;)
Boy, he sure puts his nose to the grindstone when you threaten to throw him out of office. About time he actually DID something other than whine about how W ratcheted up state spending to put us $38B in the hole.
When the RIP Act was released in 2000 in the UK, it contained a lot of nasty legislation including some about encryption whereby the burden was placed on people to prove that they did not still have the key. This opened up the possibility of prosecution of innocent parties who could not prove their innocence (and were therefore guilty until proven innocent). While this law is notionally a good idea, does it not create the same problems of senders having to prove their mail was solicited or face being prosecuted? I am not advocating spam of course, just interested on the civil liberties side.
I can deal with spam. What I'd rather see is a law that requires mail server admins to immediately stop the sending of virus generated mails. They should be required to trash every message that tries to go out with an attachment that we all know is from a current virus (.pif for example) and therefore stop the rest of us from receiving these and some people from getting infected by them and just spreading the damn thing.
That way I wouldn't have to suffer through events like two weeks ago when I received over 5000 emails from the same ip address in a 48 hour period, while my requests to the sending ip's tech contact went ignored.
Most spam has forged return headers and either a phone number or a website included in the spam...it's like a leaflet -- it doesn't matter how you get it.
...Xoff
Phineas J. Whoopie, you're the greatest!
Washington State has an anti-spam law that forbids sending deceptive spam to state residents.
One judge tried to strike down the law, saying it created too high a burden on businesses to figure out whether an email address belonged to a Washingtonian.
The next judge up the appeals chain said in effect no, the law's just fine, the only "burden" is on companies who lie about their email address, unsubscribe policies and products, and while the law is supposed to facilitate legitimate commerce it doesn't have to cut slack for deception.
If judges in CA follow the same reasoning, the law may not survive challenges.
Good luck enforcing this law. Last week it was mandatory health insurance. According to a Long Beach Press-Telegram article, Boeing pays $1 million in worker's compensation insurance (not claims, just the insurance payment) per plane. That's quite a few $45,000 jobs right out the window. I think tonight I am going to buy myself a 40, go down to Long Beach, sit on the sand and watch the jobs sail right out of the port. At least I'll be there to wave good-bye.
The spam issue must be fixed in the community. I receive very little spam after my filters get through with it. Maybe one or two messages get through per day and I never lose legitimate messages. I don't use anything fancy, I just search for certain phrases that every piece of spam seems to contain, and my mail server blocks known spam hosts. The problem is much more severe on my free internet mail accounts, but I only use them for registrations and such. People who have serious spam problems are not very good at dealing with it.
This is from the law:
(b) "California electronic mail address" or "California e-mail address" means any of the following:
(1) An e-mail address furnished by an electronic mail service provider that sends bills for furnishing and maintaining that e-mail address to a mailing address in this state.
(2) An e-mail address ordinarily accessed from a computer located in this state.
(3) An e-mail address furnished to a resident of this state
I'd say that based on the intent of the law, the answer to that is "no", but it could be argued that point (2) does apply to your situation.
If this is written rationally, and the state really is prepared to do it, I'd vote against the recall just based on this law, if I lived in California. As it is, I'm thinking I need to move my mail server to California!
who's moderating the meta-moderators?
the punishment for annoyance is death? hm.
i submit that the gross overreactions to what is, essentially, a minor irritation is going to have some serious backlashes. viz:
i will never send another email to a resident of california again. proving that it was "solicited" is way too tough... and i've got to protect myself.
2 1337 4 u!
Or this example of someone who has spent $10,000 so far going after a spammer, and has yet to receive anything more than a court settlement but he's still out 10 grand. http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=spam11&date=20030911&query=spam
Don't be bitter just because Gore lost the election.
1) Commercial speech is not a protected form of free speech as Nike just recently found out. Telemarketers are running into the same thing since the introduction of a national "Do Not Call" list here in the states. I still generally can't stop someone from saying something (prior restraint) but now someone also can't force me to both listen to them and pay for the mechanism they use to transmit to me (i.e., my phone or my internet account). This issue was also addressed some time ago with regard to junk faxes. It costs the recipient and the sender cannot force the recipient to pay for something they don't want.
2) The California law would probably be difficult to enforce against unsolicited, non-commercial (e.g., political, religious, charitable, etc.) e-mail for the same reason. These are generally protected speech. I would be very surprised if they didn't allow this loophole.
3) The concern about "guilty until proven innocent" is unfounded since this just says that the burden of proof that someone wanted to get a particular e-mail is on the sender. That is, whoever sends the spam has to have some sort of "opt in" record if someone challenges them. This is as opposed to each individual recipient being required to prove a negative: that they never requested the spam.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
the punishment for annoyance is death?
In addition to being an annoyance, spam is also theft to the tune of billions of dollars per year.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Thanks. Between this case and the abortion clinic cases it has been pretty well codified that free speech is the right to speak and be heard by willing listeners. The word 'willing' is very important.
To some extent the 'willing' comes from the right to assemble. If speech was not limited by the willingness of the recipient then you could use free speech rights to disrupt an attempt to assemble.
Big Brother Bush is doubleplus ungood.
It would be relatively easy for a responsible company to prove that they didn't send the spam. At that point they could countersue Company A for damages and libel. All this talk about spoofing in email is really bullshit. You can't spoof everything. I've been fighting spam professionally for a good many years now. I archive and report tens of thousands of pieces of spam each year. It's not hard to find out where a piece of spam came from if you know where and what to look for.
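An added example, not part of the thread: one way to find where a message really entered your mail system is to trust only the `Received` lines written by your own servers and read the peer address recorded at that boundary. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: the top two Received lines were written by our own
# servers; the bottom one was supplied by the sender and is forged.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id A1; Tue, 23 Sep 2003 10:00:05 -0700
Received: from mail.victim-corp.example (unknown [203.0.113.77])
\tby mx1.example.net with SMTP id B2; Tue, 23 Sep 2003 10:00:03 -0700
Received: from mail.victim-corp.example (mail.victim-corp.example [198.51.100.5])
\tby relay.victim-corp.example with ESMTP id C3; Tue, 23 Sep 2003 09:59:00 -0700
From: press@victim-corp.example
Subject: constructed test message

body
"""

# "from <HELO name> (<reverse DNS> [<peer IP>]) by <recording host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def handoff_point(raw, our_hosts, our_ips):
    """Return the hop where mail entered our infrastructure, or None."""
    msg = message_from_string(raw)
    for header in msg.get_all("Received", []):      # newest line first
        m = RECEIVED_RE.search(header)
        if not m or m.group("by").lower() not in our_hosts:
            return None   # line not written by us: nothing below is evidence
        if m.group("ip") not in our_ips:            # peer is an outside host
            return {"ip": m.group("ip"), "helo": m.group("helo"),
                    "rdns": m.group("rdns"), "recorded_by": m.group("by")}
    return None

def claimed_origin(raw):
    """IP in the oldest Received line: sender-controlled, so not evidence."""
    oldest = message_from_string(raw).get_all("Received", [""])[-1]
    m = RECEIVED_RE.search(oldest)
    return m.group("ip") if m else None
```

On the sample, the boundary hop recorded by `mx1.example.net` shows the connecting peer `203.0.113.77`, while the oldest line claims `198.51.100.5`; only the first is something the recipient's own logs can corroborate.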
I reside in Arkansas, but my mailserver is located in california. Does this law apply to mail sent to me?
The problem is the ability to send email with complete anonymity. I can set up a throw-away domain and a website for $80 (or less), and get a free month's dial-up ISP, all on a stolen credit card number. I send out my 10M spam messages, collect orders at $30 per from the .025% that respond within two weeks, and disappear with $75K. Do this every three months with a different "product" and gross $300K/year. Not a bad income.
The authorities will always be six months behind. Virtually impossible to keep up.
Or worse, how about I spoof the IP address of my biggest competitor's mail server, forge headers to look like messages are coming from a real mailbox on their server, and send out one of their press releases to 50K California residents? After all, I don't need to receive SMTP responses in order to send messages, I just assume to get valid responses and blindly send away. It's even faster that way! Then I sit back while my competitor files for bankruptcy after getting hit with a $50M fine. How would they prove they didn't do it?
As well meaning as this and every other anti-spam law may be, they will not make any difference in eliminating illegitimate spam. What is needed is a change to SMTP to require server/domain authentication via authenticated certificates. While I cringe at the prospect of sending more money in Verisign's direction (they are, after all, the biggest certificate authority), I can't see any reasonable alternative.
Please be aware that not everyone is in your situation. Some people will have an easier time spam-filtering than others, specifically because of the nature of their online presence.
I operate an online business, so I have had e-mail addresses for that business on the Web for years now, and it would not be a good idea to change them. So I get more spam than most people. But no matter how heavily I customize my Bayesian filters, I still get false positives from customers (and lots of customers tend to format their mail in ways that make it look suspicious, for some reason). "Certain phrases that every piece of spam seems to contain" -- well, you are lucky. Lots of legit mail I get contains some of the common spam phrases as well. (At least I can assume that anything mentioning "Viagra" or "penis" is spam... I suppose if my business was a pharmacy or doctor's office that would be tougher.) At least I'm only getting a few false negatives daily. But I am getting more than you are. There's a certain level that I can't seem to drop below without generating too many false positives.
I cannot just blindly rely on filtering, or I will anger my customers and lose money. I can't change my address or customers with the old address may be unable to reach me and I will lose money. I can't remove my address from the Web; same problem. So instead I have to spend time every day going through the filtered mail to find the false positives. At least it's quicker than it was digging through the spam when it all went into the same mailbox, but I spend time and money I shouldn't have to, to deal with this.
Not to mention that well over 50% of our mail is spam now, and there are associated costs with having our mail volume here be double what it should be.
I honestly don't know how they will enforce this law, but I entreat anyone who thinks "spam is easy to deal with" just because it is easy for you, to try to walk in the shoes of those of us who have been completely overwhelmed by the volume of spam lately. I am glad that you aren't having a problem, but we are dealing with it the best we can. I cannot risk losing customer mail, so dealing with it any more aggressively is not an option.
//
the punishment for annoyance is death?
Spam is worse than most other crimes. For example, murder is a particularly bad crime, but if it isn't you or anyone you know who's being murdered, it doesn't really affect you. Spam, on the other hand, is happening to you.
and what if company B hacks in company A's email server? how can you mount the reasonable doubt campaign? If company B's aim is for company A to be sued out of existence obviously the spam wouldn't be for Viagra but for something that company A indeed sells.
I believe it would be -really- hard to prove in court that your mail server was hacked if said hacking was done by somebody competent...
-- the cake is a lie
On the other hand, California does have a lot of unemployed or underemployed computer experts (sorry, consultants in private practice who are available on short notice), many of whom have the spare time and skills to start hunting spammers. Most of them don't have the legal skills to negotiate these things through the courts efficiently - but there are also a lot of unemployed technology-oriented lawyers (sorry, lawyers in private practice or small firms who are available on short notice) who might be interested in some joint activities on spec. The lower end of this business is hunting down $1000 spams; the higher end is bounty-hunting for ISPs.
On the other hand, it does increase the opportunity for email about "You can make Thousands of Dollars in your Spare Time Hunting Down Spammers! Buy our Instruction Kit!"...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm not a spammer - never have been, never will be. I don't work or do business with spammers. I hate them with a passion.
That said, these laws scare me. I've had clients whose competitors sent out spam in their names to try to get their web sites shut down. I've spent countless hours trying to convince customers that their email account wasn't "hacked" because someone other than them sent mail from their domain. I've spent countless hours trying to explain forged headers in spam and viruses.
Can you imagine trying to explain all this to 12 technophobes? And even if you win it, think of your legal bills. Our legal bills on normal months, where nothing unusual happened - just standard contracts, etc. is around $5000 a month. And we are a SMALL business. Imagine the bills from days/weeks/months of defending yourself against false claims.
Like someone smarter than me said, "you can't trust your fate to 12 people who aren't smart enough to get out of jury duty..."
Since you fight spam professionally, can you please tell me, when I report spam messages to abuse@wherever, does it actually do any good?
Well, let's see... you have a piece of spam, and the spam has to somehow pay the spammer, right? So you can follow the money.
One common way is that when the person clicks on the link to buy, it buys with a special signature.
Okay, so I forward the spam to the District Attorney, saying "it's spam". His office waits until it has 100 copies of the spam, and collects all the copies it can. Then it goes ahead and "buys" the item, tracking the IP address, codes, and everything.
Then they subpoena the records of the host, or alternatively of the company selling the product, or of the credit card company. Needless to say, they place these purchases on a credit card, and they never have to pay (because they have a warrant showing that the sale was illegal).
When the money is tracked, they can track down the spammer. *IF* you've paid for the spam to be sent, and can't provide the spammer, then it is presumed that you are the spammer.
Sounds workable to me.
Of course, this is going to drive new forms of spam and new forms of payment, as the spammers try to avoid accountability. I have no idea what will pop up next.
What we really need is pgp source authentication, and the ability of SMTP servers to dump badly authenticated email at any point. Aside from that, it would be nice to have "percent unwanted email" flags, so that when you say "this is spam", that pgp source goes all the way back to its source, flagging every server. Server admins can then set their machines to service those with the lowest percentage "unwanted" requests, first.
In other words, if you rent your network out to spammers, it takes longer and longer for your email to get through. At such a point, you're going to see most ISPs come up with service contracts that prohibit spam, and you're going to see spamming become legally actionable by the ISPs against the spammers. Also, Korea will drop off the map.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's