Senate Passes Anti-Spam Bill

Zendar writes "Yahoo! is reporting that the 'U.S. Senate passed the first national anti-spam bill on Wednesday, giving momentum to an issue that has riled consumers almost as much as dinnertime phone calls.' However, the bill, referred to as the 'Can Spam' bill, is unlikely to pass the House and be signed by the President. Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.' CNN also has the story."

Politicians for Ya

[jazman_777]

Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.'

Meaning, 'What we do has no effect, but we need to look like we're doing something useful.' And of course there _shall_ be unintended consequences, which will require yet another government "fix".

Re:Politicians for Ya

[stanmann]

The battle on spam must be fought on all available fronts, and providing penalties which can be levied against the company that hired the spammers is an important front. Granted, at this point there is no provision for a regulatory/investigative body to investigate and punish it... but one step at a time...

Re:Politicians for Ya

[CelloJake]

I agree with you. If the bill will have no effect then why waste important senate time with it.

Next he can pass a bill that will ban breast cancer. The odds of defeating breast cancer by legislation is extremely low, but that does not mean we should stand idly by and do nothing about it.

I think the statement would make sense if he were choosing to not promote the bill and instead try to do something else. Just because legislation won't stop the problem doesn't mean we have to sit idly by. Even a senator has other resources available than legislation to help with a problem.

-Jacob

Re:Politicians for Ya

[arthurs_sidekick]

The key to the post at the top of this thread is the mention of unintended consequences. We've already seen how laws dealing with technical subjects get misinterpreted by the courts; what exactly is going to count as spam under this law? What forms of communication will it affect, and how? Damn straight, I don't want to go to jail for making a programming or configuration mistake that sends out a bunch of unsolicited email and somehow falls under the legal definition, or judge's interpretation thereof, of "spam." { I don't want to make that sort of mistake at all, but if I do, there are other ways of dealing with me }.

Fuck 'em.

[InterruptDescriptorT]

It's not going to help the influx of spam from China, Taiwan or Russia, which is where I seem to receive most of my spam.

I think the Senate, as usual, passed a do-nothing measure that will have not an ounce of effect on the literally 350 spams I receive a day. (Yes, I do use spam filtering.) Congress would be better off to provide tax credits for companies producing filters, starting a massive education campaign on how you can stop unwanted e-mails using these filters, and investing heavily in research projects to improve filtering.

But this is a bunch of more fucking useless bullshit--par for the course for this Administration.

Well duh

Legislation alone won't solve the problem. Technology alone won't solve the problem. Technology combined with legislation can HELP.

What they really need to do

[andih8u]

Is go after the companies that sell ("rent") your information to the spammers. I know I didn't register for the national do-spam-me list, and I only gave my email out to "reputable" sights, so someone gave it away somewhere despite their privacy policy. You'd think there'd be a way to backtrack how these companies get this stuff.

Re:Drat

It has one thing that's really needed. Jail time. These spammers get caught from time to time, but just file for bankruptcy, so they have little fear of the government. A threat of jail time would end lots of spam even without enforcemnt.

Funny how that works

[Otter]

It goes to show you -- when it's clear that there's a real consensus, legislators don't hesitate to act, cynical sneering about "buying votes" notwithstanding. As soon as it became clear that the popularity of telemarketers with Americans was somewhere above Osama bin Laden and below Saddam, you've never seen any legislation move so fast. And now that it's dawning on them that spamers are about as popular (true, they don't bother you during dinner, but then telemarketers don't send bestiality pictures to your kids) they figure there are additional points to be scored.

"CAN SPAM" = OK, you CAN SPAM at will

[Steve+B]

A couple of the bad provisions of this bill, as reported by the Washington Post:

1. Preemption of state anti-spam laws.

2. Individual right of civil action against spammers is expressly denied.

This should be called "The Spammer's Freedom Of Speach Charter"

Re:"CAN SPAM" = OK, you CAN SPAM at will

[Zathrus]

I think you need to read up on your legal knowledge.

Federal law trumps state law. Ammendment X is not applicable here, any more than it is for the Do Not Call list or the Fair Credit Reporting Act because this law is made under the auspices of interstate trade which the federal government is explicitly granted authority over in the Constitution. And spam is most certainly interstate... in fact, the state laws do little or nothing because enforcement ends at the state line. To a large extent it's questionable whether or not this law will do anything since enforcement will end at the US border, but if it's well designed (which is questionable) then it's at least a start.

Sadly, nothing short of completely replacing SMTP with a more secure protocol, including authentication, is going to stop spam.

End users can no longer sue

[realdpk]

From CNN:

"State and federal law enforcers and Internet service providers such as EarthLink, Inc. would be allowed to pursue spammers, but individual users could not sue directly."

That's majorly unfortunate. It basically means that spammers will be able to buy (through settlements) access to ISPs, and the customers will have no recourse.

Follow the cash

[RT+Alec]

Yes, the spam mostly comes from IP addresses outside the U.S. However, it is almost always advertising something sold by an entity in the U.S.

This bill, if passed, can have an effect. If a company in the U.S. uses spam to advertise, and that spam has fraudulent headers, then the U.S. company can be prosecuted. That's the true origin of spam-- not the IP address of the sending machine. This allows for a non-technical approach to combat the true originators of the messages.

Why do spammers use fraudulent headers anyway? To evade technical spam-blocking techniques (RBLs, whitelists, etc.). As the spammers start to reduce their use of such methods, the technical techniques used by many ISPs and end users will be more effective. No silver bullet, to be sure, but every little bit helps.

Re:Follow the cash

[mrex]

That's not the way spam works. An independant entity is doing SPAM and it is based in Russia. It will advertise "Get the lower rates for your mortgage" for example. Then, when someone respond to that and give its name/address, the Russian company will sell the personal informations collected to any company willing to pay $2 (or $n) for it in the U.S.

Maybe there are a few that work this way, but for the most part this is *not* how spammers operate. I will avoid posting a step by step, but its pretty easy to figure out what affiliate programs are really intended to do, and its damn obvious that all those dialup systems in other countries aren't owned by the spammers.

Most spammers are in the US, as are most businesses whos products spam advertises. They use fake affiliates to deflect complaints away from themselves ("oh, affiliate XYZ spammed you? spamming is strictly against our policy, that affiliate has been removed!"...yeah right) and hand off credit card processing to shady merchants. The actual machines sending out the spams are mostly compromised always-on boxen in technologically developing countries, but don't let that fool you -- the spammers are still in the US and thus subject to US law.

You do raise a good point though...an effective anti-spam law would prevent spammers from hiding behind complex organizational structures by exposing all the players to risk.

Problem with a do-not-spam registry

[SeanTobin]

The major problem with a do-not-spam registry is not that it would only affect domestic spam.. The major problem is that there will be a huge list of validated e-mail addresses that spamhauses can buy, send overseas, and spam all day and all night from offshore.

The only reason this isn't happening with the telephone do-not-call list is that the cost of international calls is still prohibitave... but I think VoIP might make this option attractive at some point. I'd just love to get a sales call from some guy in India trying to sell me a new car windshield. Also, phone numbers are published anyway, so there is no real need to harvest the do-not-call list.

I think the way this should be implimented is a national list of MD5's of the addresses. Make it illegal to email any address whose md5 matches one on the list (converted to lowercase so that capitalization is not a loophole). This would prevent address farming, and have the same integrity as the proposed do-not-spam list.

(BTW, consider this prior art in case anyone goes patenting md5's of email addresses... /me smacks the US patent system)

this bill

[codepunk]

The only legislation that is really needed is to make it unlawful to send mail with forged mail headers. They could pin them with computer and interstate commerce fraud.

Do Not Email List == Loss of Privacy == Abuse

[Ron+Bennett]

According to the article, there would be a "Do Not Email List" component to the law...

A "Do Not Email List" would cause a further loss of privacy...government (and its contracters, some of which are sketchy) would be able to associate email addresses with IPs and possibly other information...

If implemented, it's very likely one would be asked to not only supply the email address(es) they wish to add, but would also asked for their real name, postal address, and phone number too.

Now anyone who thinks that information will remain confidential is kidding themselves. Did you know most U.S. states sell driver license information, including DL pictures to private entities...even those states that have laws against such actions share the information too due to various loopholes in their respective state laws; information also shared with other government agencies, including the Feds (don't think for a second it's not).

Ok, got on a tangent there, but to make a point...

If the government were to compile a "Do Not Email List"...the following will *likely* occur...

* Email and associated collected information would be stored and added to other unrelated government/private databases too.

* Government and other private entities will use the list to help track/monitor people - ie. "Deadbeat Dads" ... while one can debate the issue of child support, the fact of the matter is that much privacy is being lost in the process; an excuse to further erode the rights of all Americans.

* The email addresses and likely their related information will be used by politicians for sending out spam...yep, there's likely an exception for that; there is for the national do not call list.

* Various private entities, mostly offshore, will obtain the "Do Not Email List" and use it in the exact opposite way for which it was intended...that is they'll send spam to those addresses.

Opt-Out doesn't work for email; its debatable whether it works for phone numbers either, but that another topic for another day.

Bottom line is that any decent anti-spam bill should NOT have a "Do Not Email List" component, but rather instead require companies, non-profits, politicians, etc to use double-verified OPT-IN email lists for sending ubsolicited email.

Ron Bennett

Real Solutions

[mabu]

This is yet another toothless waste of time of a bill. Toss it on the pile.

Now let's get real:

It's important to realize that there are certain characteristics of most spam:

1. Most "legitimate" promotional mail comes from a static, traceable source (i.e. mailing lists or a specific web site such as amazon.com) The more legitimate spammers, due to their visibility, are forced to maintain more responsible mailing practices or else they will be blocked or blacklisted.

2. The vast majority of spam comes from rapidly rotating sources difficult to trace and lock down (random IPs on the Internet that are either unauthorized or compromised SMTP servers). Regardless of the nature of the spam message content, most of these spam sources involve one or both: violation of the ISP's terms of service (which most disallow smtp relaying from direct client IPs), or an illegal exploitation of third-party computers.

#1 is easily dealt with. Any centralized operation that doesn't perform responsible mailing (opt-in/out, non-forged headers, published contact info, etc.) can be dealt with. We know who these people are and how to reach them; they are large, targetable operations.

#2 is the real problem and the major source of spam online. All the penis-enlargement, Nigerian scams, online pharmacies and home mortgage solicitations are promoted through the use of an ever-changing network of computers, most of which are broken into by spammers or otherwise re-routed through a plethora of foreign ISPs.

The key to solving the spam problem is nailing down #2. I believe that most of the rotating spam sources involve illegal computer exploitation and compromises. We're talking criminal activity - not civil wastes of time. This is the angle law enforcement should use. Go after relay hijacking and enact punitive damages on ISPs who have demonstrated a consistent disregard for the control of their IP blocks. If we go after the spammer-criminals, they will be forced to settle with spam-friendly ISPs or face criminal prosecution. At that point they either clean up their act, or their ISP will become blacklisted. So the solution is straightforward: go after the spammers who take over third-party SMTP servers and client machines. These are criminal offenses which the authorities have yet to actively enforce.

My solution to the Spamedemic:

Believe it or not, solving the Spam problem is really easy and practical. It does not involve infringing on freedom of speech. It does not involve denying ANY business interest the freedom to use e-mail for marketing.

1. FORM A DEDICATED CYBERCRIME ENFORCEMENT AGENCY. Populate the agency with well-trained IT people who know the laws and the nature of the problem. This agency does not need to encroach into areas covered by US Customs or the FTC (i.e. not be concerned with the content of spam, but merely focus on computer/network-tampering/exploitation). The FBI is not adequately equipped to fight cybercrime. A new agency separate from the other law enforcement organizations should be created.

How to fund this new agency? How about a small fee for domain registrations? I think most people would be willing to pay an extra $5/year per domain to ensure that the Internet is more secure and spam-free. In any case, there's plenty of frivolous spending that could be repurposed to fund this very useful agency.

2. ENFORCE CRIMINAL PENALTIES for computer exploitation: mail-relay-hijacking, trojan horse, worm, virus and vulnerability exploitation. There are already laws on the books criminalizing these activities, but since Americans like laws and have a short attention span, it wouldn't hurt to pass a new law which exclusively, specifically addresses the issue of computer/network/communications exploitation by third parties, and levies very intimidating CRIMINAL penalties. There should be no threshold of monetary damage before criminality is triggered: that only punishes diligent admins to catch attacks before extreme damage