Senate Passes Anti-Spam Bill

Zendar writes "Yahoo! is reporting that the 'U.S. Senate passed the first national anti-spam bill on Wednesday, giving momentum to an issue that has riled consumers almost as much as dinnertime phone calls.' However, the bill, referred to as the 'Can Spam' bill, is unlikely to pass the House and be signed by the President. Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.' CNN also has the story."

Politicians for Ya

[jazman_777]

Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.'

Meaning, 'What we do has no effect, but we need to look like we're doing something useful.' And of course there _shall_ be unintended consequences, which will require yet another government "fix".

Re:Politicians for Ya

[stanmann]

The battle on spam must be fought on all available fronts, and providing penalties which can be levied against the company that hired the spammers is an important front. Granted, at this point there is no provision for a regulatory/investigative body to investigate and punish it... but one step at a time...

Re:Politicians for Ya

[CelloJake]

I agree with you. If the bill will have no effect then why waste important senate time with it.

Next he can pass a bill that will ban breast cancer. The odds of defeating breast cancer by legislation is extremely low, but that does not mean we should stand idly by and do nothing about it.

I think the statement would make sense if he were choosing to not promote the bill and instead try to do something else. Just because legislation won't stop the problem doesn't mean we have to sit idly by. Even a senator has other resources available than legislation to help with a problem.

-Jacob

Re:Politicians for Ya

[arthurs_sidekick]

The key to the post at the top of this thread is the mention of unintended consequences. We've already seen how laws dealing with technical subjects get misinterpreted by the courts; what exactly is going to count as spam under this law? What forms of communication will it affect, and how? Damn straight, I don't want to go to jail for making a programming or configuration mistake that sends out a bunch of unsolicited email and somehow falls under the legal definition, or judge's interpretation thereof, of "spam." { I don't want to make that sort of mistake at all, but if I do, there are other ways of dealing with me }.

Re:Politicians for Ya

[schon]

The battle on spam must be fought on all available fronts, and providing penalties which can be levied against the company that hired the spammers is an important front.

Agreed - but an even more important front is the official recognition that spam is not acceptable behaviour (which a properly worded law would be.) Remember - a lot of spammers hide behind the "I'm not doing anything illegal" mask - a law against spam would remove that excuse from their arsenal, and give the average person some assurance that their feelings about spam are justified.

Re:Politicians for Ya

[no+reason+to+be+here]

No, what it means is that the odds of defeating through legislation only are very low. The odds of defeating spam through other means combined with legislation makes the fight against spam that much easier.

going through the books just to find laws that shouldn't be there but aren't enforced is completely useless. If they're not enforced, then they technically don't exist (a bit of trivia, marjuana is, in fact, illegal in the Netherlands, but no one gives a rat's ass, and the laws are never enforced, so it is essentially legal, or so it was explained to me by the owner of a hash bar in Amsterdam)

the laws that shouldn't be there, but are enforced get enough attention (PATRIOT Act, anyone?) that congressmen don't need to go looking for them; their constituents will let them know.

Re:Politicians for Ya

[Short+Circuit]

So, if my box gets rooted, and exim starts pumping out spam messages, then I have to prove I didn't set up the software to send out the junk mail in the first place?

Proving that would require showing how I got rooted in the first place, and I might not be able to find out. Especially if it's a Windows box. (But then, if it's Windows, I'll have statistics on my side.)

Screw the "unintended consequences" mantra, that's just plain dangerous legislation!

Fuck 'em.

[InterruptDescriptorT]

It's not going to help the influx of spam from China, Taiwan or Russia, which is where I seem to receive most of my spam.

I think the Senate, as usual, passed a do-nothing measure that will have not an ounce of effect on the literally 350 spams I receive a day. (Yes, I do use spam filtering.) Congress would be better off to provide tax credits for companies producing filters, starting a massive education campaign on how you can stop unwanted e-mails using these filters, and investing heavily in research projects to improve filtering.

But this is a bunch of more fucking useless bullshit--par for the course for this Administration.

Re:Fuck 'em.

[aborchers]

It's not going to help the influx of spam from China, Taiwan or Russia, which is where I seem to receive most of my spam.

No, it won't. But with a national policy with force of law against spam, all we (as admins) have to do is block mail from countries that refuse to abide by similar policies. If those countries want to communicate with the US, they will address their own spam problems.

I do not like the idea of Balkanizing the Net, but spam is an unsupportable catastrophe of scale that has to be stopped even if the surgery required is invasive. As long as the law criminalizes behavior rather than technology, I'm all for it...

On another point you made: subsidized or not, filters from commercial companies are bullshit. I should not have to pay to not receive crap I don't want.

Re:Fuck 'em.

[Salgak1]

One point:

But this is a bunch of more fucking useless bullshit--par for the course for this Administration

The Sponsor of the bill is Sen. Charles Schumer (D-NY). He's not exactly a part of the Administration. . .

Well duh

Legislation alone won't solve the problem. Technology alone won't solve the problem. Technology combined with legislation can HELP.

What they really need to do

[andih8u]

Is go after the companies that sell ("rent") your information to the spammers. I know I didn't register for the national do-spam-me list, and I only gave my email out to "reputable" sights, so someone gave it away somewhere despite their privacy policy. You'd think there'd be a way to backtrack how these companies get this stuff.

It's been said time and time again...

[Sebby]

Technical problems require technical solutions; trying to solve a technical problem with a law is completely futile.

Imagine trying to solve the powergrid problem with a law - people would simply laugh at that.

Re:Finished Quote...

[I8TheWorm]

Ah... but it's these same ridiculous laws that make cops stand by until it's legal to do something about it.

Re:Drat

It has one thing that's really needed. Jail time. These spammers get caught from time to time, but just file for bankruptcy, so they have little fear of the government. A threat of jail time would end lots of spam even without enforcemnt.

Funny how that works

[Otter]

It goes to show you -- when it's clear that there's a real consensus, legislators don't hesitate to act, cynical sneering about "buying votes" notwithstanding. As soon as it became clear that the popularity of telemarketers with Americans was somewhere above Osama bin Laden and below Saddam, you've never seen any legislation move so fast. And now that it's dawning on them that spamers are about as popular (true, they don't bother you during dinner, but then telemarketers don't send bestiality pictures to your kids) they figure there are additional points to be scored.

This will only momentarilly stop the hemorrhaging

[Brainiac252]

Great, now you've made it harder for "Joe Blow" to send spam. That's dandy, but over 70% of the spam in the world is accounted for by 20 or so people. Those 20 people also happen to be located offshore, and if they're not they'll be moving there shortly. I read an interesting story a couple of weeks ago that discussed the governments inability to stop spam from offshore. I don't know exactly what the answer is to spam but I know it's not legislation.

On a side note, as an end-user, I've experienced success with a service called Shadango.com. I started using it after my hotmail address became practically useless due to the amount of spam I was receiving. It has kept my inbox junk-free, and it allows me to check both my hotmail address and students address all from the same interface.It's definitely worth checking out.

Like I said this will only momentarily stop the hemorrhaging!

Brian Jensen

"CAN SPAM" = OK, you CAN SPAM at will

[Steve+B]

A couple of the bad provisions of this bill, as reported by the Washington Post:

1. Preemption of state anti-spam laws.

2. Individual right of civil action against spammers is expressly denied.

This should be called "The Spammer's Freedom Of Speach Charter"

Re:"CAN SPAM" = OK, you CAN SPAM at will

[Zathrus]

I think you need to read up on your legal knowledge.

Federal law trumps state law. Ammendment X is not applicable here, any more than it is for the Do Not Call list or the Fair Credit Reporting Act because this law is made under the auspices of interstate trade which the federal government is explicitly granted authority over in the Constitution. And spam is most certainly interstate... in fact, the state laws do little or nothing because enforcement ends at the state line. To a large extent it's questionable whether or not this law will do anything since enforcement will end at the US border, but if it's well designed (which is questionable) then it's at least a start.

Sadly, nothing short of completely replacing SMTP with a more secure protocol, including authentication, is going to stop spam.

End users can no longer sue

[realdpk]

From CNN:

"State and federal law enforcers and Internet service providers such as EarthLink, Inc. would be allowed to pursue spammers, but individual users could not sue directly."

That's majorly unfortunate. It basically means that spammers will be able to buy (through settlements) access to ISPs, and the customers will have no recourse.

Follow the cash

[RT+Alec]

Yes, the spam mostly comes from IP addresses outside the U.S. However, it is almost always advertising something sold by an entity in the U.S.

This bill, if passed, can have an effect. If a company in the U.S. uses spam to advertise, and that spam has fraudulent headers, then the U.S. company can be prosecuted. That's the true origin of spam-- not the IP address of the sending machine. This allows for a non-technical approach to combat the true originators of the messages.

Why do spammers use fraudulent headers anyway? To evade technical spam-blocking techniques (RBLs, whitelists, etc.). As the spammers start to reduce their use of such methods, the technical techniques used by many ISPs and end users will be more effective. No silver bullet, to be sure, but every little bit helps.

Re:Follow the cash

[mrex]

That's not the way spam works. An independant entity is doing SPAM and it is based in Russia. It will advertise "Get the lower rates for your mortgage" for example. Then, when someone respond to that and give its name/address, the Russian company will sell the personal informations collected to any company willing to pay $2 (or $n) for it in the U.S.

Maybe there are a few that work this way, but for the most part this is *not* how spammers operate. I will avoid posting a step by step, but its pretty easy to figure out what affiliate programs are really intended to do, and its damn obvious that all those dialup systems in other countries aren't owned by the spammers.

Most spammers are in the US, as are most businesses whos products spam advertises. They use fake affiliates to deflect complaints away from themselves ("oh, affiliate XYZ spammed you? spamming is strictly against our policy, that affiliate has been removed!"...yeah right) and hand off credit card processing to shady merchants. The actual machines sending out the spams are mostly compromised always-on boxen in technologically developing countries, but don't let that fool you -- the spammers are still in the US and thus subject to US law.

You do raise a good point though...an effective anti-spam law would prevent spammers from hiding behind complex organizational structures by exposing all the players to risk.

Problem with a do-not-spam registry

[SeanTobin]

The major problem with a do-not-spam registry is not that it would only affect domestic spam.. The major problem is that there will be a huge list of validated e-mail addresses that spamhauses can buy, send overseas, and spam all day and all night from offshore.

The only reason this isn't happening with the telephone do-not-call list is that the cost of international calls is still prohibitave... but I think VoIP might make this option attractive at some point. I'd just love to get a sales call from some guy in India trying to sell me a new car windshield. Also, phone numbers are published anyway, so there is no real need to harvest the do-not-call list.

I think the way this should be implimented is a national list of MD5's of the addresses. Make it illegal to email any address whose md5 matches one on the list (converted to lowercase so that capitalization is not a loophole). This would prevent address farming, and have the same integrity as the proposed do-not-spam list.

(BTW, consider this prior art in case anyone goes patenting md5's of email addresses... /me smacks the US patent system)

this bill

[codepunk]

The only legislation that is really needed is to make it unlawful to send mail with forged mail headers. They could pin them with computer and interstate commerce fraud.

Do Not Email List == Loss of Privacy == Abuse

[Ron+Bennett]

According to the article, there would be a "Do Not Email List" component to the law...

A "Do Not Email List" would cause a further loss of privacy...government (and its contracters, some of which are sketchy) would be able to associate email addresses with IPs and possibly other information...

If implemented, it's very likely one would be asked to not only supply the email address(es) they wish to add, but would also asked for their real name, postal address, and phone number too.

Now anyone who thinks that information will remain confidential is kidding themselves. Did you know most U.S. states sell driver license information, including DL pictures to private entities...even those states that have laws against such actions share the information too due to various loopholes in their respective state laws; information also shared with other government agencies, including the Feds (don't think for a second it's not).

Ok, got on a tangent there, but to make a point...

If the government were to compile a "Do Not Email List"...the following will *likely* occur...

* Email and associated collected information would be stored and added to other unrelated government/private databases too.

* Government and other private entities will use the list to help track/monitor people - ie. "Deadbeat Dads" ... while one can debate the issue of child support, the fact of the matter is that much privacy is being lost in the process; an excuse to further erode the rights of all Americans.

* The email addresses and likely their related information will be used by politicians for sending out spam...yep, there's likely an exception for that; there is for the national do not call list.

* Various private entities, mostly offshore, will obtain the "Do Not Email List" and use it in the exact opposite way for which it was intended...that is they'll send spam to those addresses.

Opt-Out doesn't work for email; its debatable whether it works for phone numbers either, but that another topic for another day.

Bottom line is that any decent anti-spam bill should NOT have a "Do Not Email List" component, but rather instead require companies, non-profits, politicians, etc to use double-verified OPT-IN email lists for sending ubsolicited email.

Ron Bennett

Real Solutions

[mabu]

This is yet another toothless waste of time of a bill. Toss it on the pile.

Now let's get real:

It's important to realize that there are certain characteristics of most spam:

1. Most "legitimate" promotional mail comes from a static, traceable source (i.e. mailing lists or a specific web site such as amazon.com) The more legitimate spammers, due to their visibility, are forced to maintain more responsible mailing practices or else they will be blocked or blacklisted.

2. The vast majority of spam comes from rapidly rotating sources difficult to trace and lock down (random IPs on the Internet that are either unauthorized or compromised SMTP servers). Regardless of the nature of the spam message content, most of these spam sources involve one or both: violation of the ISP's terms of service (which most disallow smtp relaying from direct client IPs), or an illegal exploitation of third-party computers.

#1 is easily dealt with. Any centralized operation that doesn't perform responsible mailing (opt-in/out, non-forged headers, published contact info, etc.) can be dealt with. We know who these people are and how to reach them; they are large, targetable operations.

#2 is the real problem and the major source of spam online. All the penis-enlargement, Nigerian scams, online pharmacies and home mortgage solicitations are promoted through the use of an ever-changing network of computers, most of which are broken into by spammers or otherwise re-routed through a plethora of foreign ISPs.

The key to solving the spam problem is nailing down #2. I believe that most of the rotating spam sources involve illegal computer exploitation and compromises. We're talking criminal activity - not civil wastes of time. This is the angle law enforcement should use. Go after relay hijacking and enact punitive damages on ISPs who have demonstrated a consistent disregard for the control of their IP blocks. If we go after the spammer-criminals, they will be forced to settle with spam-friendly ISPs or face criminal prosecution. At that point they either clean up their act, or their ISP will become blacklisted. So the solution is straightforward: go after the spammers who take over third-party SMTP servers and client machines. These are criminal offenses which the authorities have yet to actively enforce.

My solution to the Spamedemic:

Believe it or not, solving the Spam problem is really easy and practical. It does not involve infringing on freedom of speech. It does not involve denying ANY business interest the freedom to use e-mail for marketing.

1. FORM A DEDICATED CYBERCRIME ENFORCEMENT AGENCY. Populate the agency with well-trained IT people who know the laws and the nature of the problem. This agency does not need to encroach into areas covered by US Customs or the FTC (i.e. not be concerned with the content of spam, but merely focus on computer/network-tampering/exploitation). The FBI is not adequately equipped to fight cybercrime. A new agency separate from the other law enforcement organizations should be created.

How to fund this new agency? How about a small fee for domain registrations? I think most people would be willing to pay an extra $5/year per domain to ensure that the Internet is more secure and spam-free. In any case, there's plenty of frivolous spending that could be repurposed to fund this very useful agency.

2. ENFORCE CRIMINAL PENALTIES for computer exploitation: mail-relay-hijacking, trojan horse, worm, virus and vulnerability exploitation. There are already laws on the books criminalizing these activities, but since Americans like laws and have a short attention span, it wouldn't hurt to pass a new law which exclusively, specifically addresses the issue of computer/network/communications exploitation by third parties, and levies very intimidating CRIMINAL penalties. There should be no threshold of monetary damage before criminality is triggered: that only punishes diligent admins to catch attacks before extreme damage

Re:Stuck with Outlook?

[gpinzone]

I'm very happy with Yahoo Mail and it's free spam filtering system However, I've heard their premium service will (or now does) offer a Bayesian spam filtering service. They're also going to offer a "spam gourmet" service that will allow you to give out an email that can be discarded after you're done with it.

Re:Kiss Free Speech Good Bye

[blizzardsoup]

If you CC'd me on an email containing your resume that you also sent to 99 other companies, I'd make sure that you never worked for my company you lazy git.

Re:Ledgislation is BAD

[schon]

Passing a law to fix spam is a bad Idea

First of all, this law doesn't "fix" spam - which would be pretty difficult, as spam isn't really broken.

Second of all, a properly-worded anti-spam law is a great idea - it's a necessary step that will officially recognize that spam is both theft of service, and harrassment.

Just let the technology fix its self.

The problem is that the technology isn't broken. Spam exists because spammers want something for nothing, and don't care who they annoy or steal from. Technology can't "fix" that. We solve social problems with laws. Spam is a social problem.

Since when

[bigjnsa500]

Since when has legislation ever stopped anything before? Just another useless law on the books. If they really took a close look AT the spam they would realize its coming from outside the USA. Which we could never enforce the law, heck, we can't even enforce our own borders, what makes you think we can enforce this Spam bill on Joe Schmo?

Re:Other things the senate voted in

[clifyt]

So what?

It was a cost of living increase. I work for a public institution and we got shafted this year. We don't get merit increases and promotions are generally out of the question because every year more and more crap is shoved at you so that in all actuality, you are doing far more work than your job description asks for, as is everyone else, so its not in anyones best interest to do so.

So, we get cost of living increases. This year was a 2%. Our work load went up probably 20 - 30% more than last year.

I applaud the senate for taking their cost of living increases. They took a 2.2% raise. Is a shitty raise if you ask me.

I don't care what the rest of the economy is doing, public service SUCKS. Given that each and everyone of us from elected officials down to the janitors that work in the conditions we do, I think a 2.2% increase is the least they could do. It sets an example and if we can't afford that as a country, something is wrong.

I'm going to call my congressperson and ask that they take a 5% next year and vote that the rest of us get one too.

Fantasy

Their first instinct is that the US government should control the Internet.

I'm sure that when pressed, they will (individually) admit that the US government does not actually own or control the Internet.

But there's no question that they fantasize about "taking control" of the Internet, and, as a group, they act out that fantasy.

In the end, it doesn't really matter whether their spam legislation is effective or not. The important thing is that they need to act out their control fantasy by passing new law. After all, what the hell good are they if they don't try to exert control over things?

Re:Kiss Free Speech Good Bye

[Spl0it]

Just an FYI. Most people who send out there resume do address it to a company member, do include valuable information, DO NOT try and sell products, and do not falsify the return headers. When the return headers are true, and your addressing a member of a company with a legitimate request/email (say a response to a post about job openings) no judge is going to charge you with spam.

What can it possibly hurt?

[knautilus316]

I see a lot of valid complaints about how effective this is going to be, but honestly, I don't see it having any reverse effects. The spam problem can't possibly get any worsek, so whatever is done is a step in the right direction, however token it may be.

~Knautilus

Read what McCain actually said

[fiannaFailMan]

Why oh why are there so many people here with reading difficulties? Here is what McCain said:

"The odds of defeating spam by legislation ALONE is extremely low."

The keyword here is ALONE . This bill is one of many tools being used in the war on spam. If we all took the attitude of "well this action isn't going to be a magic quick-fix cure-all therefore we shouldn't bother with it" then everyone would give up and we'd be getting thousands of v1agra ads in our inboxes every hour.

Come on people! Credit where it's due! Every little helps! Spam filters alone are not going to kill spam. Legislation alone is not going to kill spam. Actions taken by ISPs alone are not going to kill spam. It is the combination of these efforts that is going to make the difference.

One unintended consequence

[nahdude812]

Non-US spammers buying the list for a big pile of confirmed email addresses. Of people who get lower than average spam perhaps (for a little bit?).

Re:Finished Quote...

[Fallen+Kell]

I think you posted to the wrong story. This time they're working against spammers i.e. bettering the lives of Americans. This isn't just another DMCA or something.

And I am sure you will be the first to sign up for the national "Do Not Spam List" which will be little more then the ultimate SPAMMERS PARADISE! What more could they ask for then a huge list of legit email addresses. There is no way to enforce this law outside of the US, and thus, any and all spammers who's operations reside outside of the US have the perfect list of people to spam. For why else put your email on the list if you didn't actually use it to read email?

List Cleaning

[Detritus]

The registry does not have to give out their list to spammers. They can require clients to submit a list of email addresses, delete any addresses that are in the registry, and return the modified list to the client.

HOWTO: Get legislature to pass anti-spam bills

[SlimFastForYou]

Screw root@127.0.0.1..... All you have to do is put in the email address of your representative whenever something on the Internet asks for an email address =). All you gotta do is get them on a few mailing lists... then the spamers will trade the addresses around =).

Anti-spam country, here we come.

This bill legalizes spam

[Animats]

This bill legalizes spam. It's intended to head off California's new law, which has real teeth.

First, the Senate bill is "opt-out", not "opt-in". After January 1, spam in California is simply a crime. You don't have to opt out.

Second, the Senate bill has no private right of action. It can only be enforced by Government action, and only in Federal court. California lets any victim sue. You can sue in small claims court (which goes to $10,000 in California), and you can sue in a class action, so the usual ambulance-chasers can go for the business.

Third, the California law lets you sue anyone who "sends, or causes to send" spam. "The true beneficiaries of spam are the advertisers who benefit from the marketing derived from the advertisements.", says the law. This lets you go after the advertiser, rather than the spammer. Just find out where the money goes when you put in a credit card number, and sue them. The Senate bill doesn't let you do that.

Fourth, the Senate bill preempts stronger state anti-spam laws. No more private anti-spam suits, no "ADV:" requirement, etc.

Finally, the Direct Marketing Association supports the weak Senate bill. As they put it, "Legitimate e-mail marketing is a promising vehicle for global commerce." That's a good reason to oppose it.