Senate Passes Anti-Spam Bill

Zendar writes "Yahoo! is reporting that the 'U.S. Senate passed the first national anti-spam bill on Wednesday, giving momentum to an issue that has riled consumers almost as much as dinnertime phone calls.' However, the bill, referred to as the 'Can Spam' bill, is unlikely to pass the House and be signed by the President. Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.' CNN also has the story."

Politicians for Ya

[jazman_777]

Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.'

Meaning, 'What we do has no effect, but we need to look like we're doing something useful.' And of course there _shall_ be unintended consequences, which will require yet another government "fix".

Re:Politicians for Ya

[stanmann]

The battle on spam must be fought on all available fronts, and providing penalties which can be levied against the company that hired the spammers is an important front. Granted, at this point there is no provision for a regulatory/investigative body to investigate and punish it... but one step at a time...

Re:Politicians for Ya

[CelloJake]

I agree with you. If the bill will have no effect then why waste important senate time with it.

Next he can pass a bill that will ban breast cancer. The odds of defeating breast cancer by legislation is extremely low, but that does not mean we should stand idly by and do nothing about it.

I think the statement would make sense if he were choosing to not promote the bill and instead try to do something else. Just because legislation won't stop the problem doesn't mean we have to sit idly by. Even a senator has other resources available than legislation to help with a problem.

-Jacob

Re:Politicians for Ya

[arthurs_sidekick]

The key to the post at the top of this thread is the mention of unintended consequences. We've already seen how laws dealing with technical subjects get misinterpreted by the courts; what exactly is going to count as spam under this law? What forms of communication will it affect, and how? Damn straight, I don't want to go to jail for making a programming or configuration mistake that sends out a bunch of unsolicited email and somehow falls under the legal definition, or judge's interpretation thereof, of "spam." { I don't want to make that sort of mistake at all, but if I do, there are other ways of dealing with me }.

Re:Politicians for Ya

[kiatoa]

Yup, all available fronts is good. Now, how about as many folks as possible start using the Active Spam Killer? I've been using it for a month or two and it seems great. If enough people used it then the wind would be taken out of the spammers sails (sales?) so to speak and the problem of spam would go away. Why spam if the message ain't getting through. So, hop over to sourceforge and download/install a-s-k, and do your part in the war against spam.

Re:Politicians for Ya

[gpinzone]

Conisdering this quote came from John McCain, I'd translate it as, "Look, legislation isn't a 100% cure, but we can at least do something that's within our power under the Constitution to minimize the onslaught of spam."

Re:Politicians for Ya

[Steve+B]

The battle on spam must be fought on all available fronts

A legal front that ought to be opened is the application of existing computer-crime laws to certain spamming techniques. The deployment of trojans to create open relays and even outright spamboxes is an obvious example.

Additionally, the use of forged headers, munged words, etc to evade spam filters is arguably a form of cracking in and of itself -- what is it, if not a deliberate attempt to use someone else's computer without the owner's permission, and indeed against the owner's express prohibition?

Fuck 'em.

[InterruptDescriptorT]

It's not going to help the influx of spam from China, Taiwan or Russia, which is where I seem to receive most of my spam.

I think the Senate, as usual, passed a do-nothing measure that will have not an ounce of effect on the literally 350 spams I receive a day. (Yes, I do use spam filtering.) Congress would be better off to provide tax credits for companies producing filters, starting a massive education campaign on how you can stop unwanted e-mails using these filters, and investing heavily in research projects to improve filtering.

But this is a bunch of more fucking useless bullshit--par for the course for this Administration.

Might want to think about changing the name..

[DrEldarion]

The name of the bill is a little bit misleading. When I first read it, I read it as "[you] can spam" as opposed to "can (get rid of) spam".

It's a shame that they think it won't go anywhere, though...

-- Dr. Eldarion --

Best Spam Recently

[da3dAlus]

A co-worker got one yesterday "Get Viagra - Half Off!". Kinda defeats the purpose, no? :)

Stuck with Outlook?

[rjamestaylor]

If you're one of the many who doesn't really have a choice but to use Outlook on Windows, there is anti-spam help available in the form of an open source SourceForge project called SpamBayes.

I downloaded and installed the latest version last night and am very impressed with this seemlessly integrated Bayesian Spam Filter (make sure anti-virus software is disabled before installing -- which can be difficult with McAfee as I discovered).

Very much recomeeded.

Well duh

Legislation alone won't solve the problem. Technology alone won't solve the problem. Technology combined with legislation can HELP.

What they really need to do

[andih8u]

Is go after the companies that sell ("rent") your information to the spammers. I know I didn't register for the national do-spam-me list, and I only gave my email out to "reputable" sights, so someone gave it away somewhere despite their privacy policy. You'd think there'd be a way to backtrack how these companies get this stuff.

Re:Drat

It has one thing that's really needed. Jail time. These spammers get caught from time to time, but just file for bankruptcy, so they have little fear of the government. A threat of jail time would end lots of spam even without enforcemnt.

Funny how that works

[Otter]

It goes to show you -- when it's clear that there's a real consensus, legislators don't hesitate to act, cynical sneering about "buying votes" notwithstanding. As soon as it became clear that the popularity of telemarketers with Americans was somewhere above Osama bin Laden and below Saddam, you've never seen any legislation move so fast. And now that it's dawning on them that spamers are about as popular (true, they don't bother you during dinner, but then telemarketers don't send bestiality pictures to your kids) they figure there are additional points to be scored.

This is great!

[apoplectic]

Until some local yocal judge from Oklahoma decides that the bill is unconstitutional, just like the do-not-call list.

And, of course, I must unoriginally question just how they plan to enforce this? Perhaps we should just invade any country that originates more than .01 spams per capita? Sounds democratic enough. And, hey!, we'd expand to 60 states in no time! If expansion is good for the NFL, it is good enough for the U.S. of A!

"CAN SPAM" = OK, you CAN SPAM at will

[Steve+B]

A couple of the bad provisions of this bill, as reported by the Washington Post:

1. Preemption of state anti-spam laws.

2. Individual right of civil action against spammers is expressly denied.

This should be called "The Spammer's Freedom Of Speach Charter"

Re:"CAN SPAM" = OK, you CAN SPAM at will

[SpaceLifeForm]

Then this bill is unconstitutional The Federal government can not take away rights from the states, nor can it prevent the citizens of those states from taking action against the spammers.

Amendment X

The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

Re:"CAN SPAM" = OK, you CAN SPAM at will

[Zathrus]

I think you need to read up on your legal knowledge.

Federal law trumps state law. Ammendment X is not applicable here, any more than it is for the Do Not Call list or the Fair Credit Reporting Act because this law is made under the auspices of interstate trade which the federal government is explicitly granted authority over in the Constitution. And spam is most certainly interstate... in fact, the state laws do little or nothing because enforcement ends at the state line. To a large extent it's questionable whether or not this law will do anything since enforcement will end at the US border, but if it's well designed (which is questionable) then it's at least a start.

Sadly, nothing short of completely replacing SMTP with a more secure protocol, including authentication, is going to stop spam.

End users can no longer sue

[realdpk]

From CNN:

"State and federal law enforcers and Internet service providers such as EarthLink, Inc. would be allowed to pursue spammers, but individual users could not sue directly."

That's majorly unfortunate. It basically means that spammers will be able to buy (through settlements) access to ISPs, and the customers will have no recourse.

Re:Drat

[DougMelvin]

Hate to say it, but I think it is time to move beyond email.

Such as... telepathy??

Follow the cash

[RT+Alec]

Yes, the spam mostly comes from IP addresses outside the U.S. However, it is almost always advertising something sold by an entity in the U.S.

This bill, if passed, can have an effect. If a company in the U.S. uses spam to advertise, and that spam has fraudulent headers, then the U.S. company can be prosecuted. That's the true origin of spam-- not the IP address of the sending machine. This allows for a non-technical approach to combat the true originators of the messages.

Why do spammers use fraudulent headers anyway? To evade technical spam-blocking techniques (RBLs, whitelists, etc.). As the spammers start to reduce their use of such methods, the technical techniques used by many ISPs and end users will be more effective. No silver bullet, to be sure, but every little bit helps.

Re:Follow the cash

[Pieroxy]

That's not the way spam works. An independant entity is doing SPAM and it is based in Russia. It will advertise "Get the lower rates for your mortgage" for example. Then, when someone respond to that and give its name/address, the Russian company will sell the personal informations collected to any company willing to pay $2 (or $n) for it in the U.S.

See, the mortgage company is not involved in the SPAM at all! The mortgage company just buys the name/addres of someone interested by low rates.

No one does anything wrong in the U.S. with this model.

Re:Follow the cash

[mrex]

That's not the way spam works. An independant entity is doing SPAM and it is based in Russia. It will advertise "Get the lower rates for your mortgage" for example. Then, when someone respond to that and give its name/address, the Russian company will sell the personal informations collected to any company willing to pay $2 (or $n) for it in the U.S.

Maybe there are a few that work this way, but for the most part this is *not* how spammers operate. I will avoid posting a step by step, but its pretty easy to figure out what affiliate programs are really intended to do, and its damn obvious that all those dialup systems in other countries aren't owned by the spammers.

Most spammers are in the US, as are most businesses whos products spam advertises. They use fake affiliates to deflect complaints away from themselves ("oh, affiliate XYZ spammed you? spamming is strictly against our policy, that affiliate has been removed!"...yeah right) and hand off credit card processing to shady merchants. The actual machines sending out the spams are mostly compromised always-on boxen in technologically developing countries, but don't let that fool you -- the spammers are still in the US and thus subject to US law.

You do raise a good point though...an effective anti-spam law would prevent spammers from hiding behind complex organizational structures by exposing all the players to risk.

Problem with a do-not-spam registry

[SeanTobin]

The major problem with a do-not-spam registry is not that it would only affect domestic spam.. The major problem is that there will be a huge list of validated e-mail addresses that spamhauses can buy, send overseas, and spam all day and all night from offshore.

The only reason this isn't happening with the telephone do-not-call list is that the cost of international calls is still prohibitave... but I think VoIP might make this option attractive at some point. I'd just love to get a sales call from some guy in India trying to sell me a new car windshield. Also, phone numbers are published anyway, so there is no real need to harvest the do-not-call list.

I think the way this should be implimented is a national list of MD5's of the addresses. Make it illegal to email any address whose md5 matches one on the list (converted to lowercase so that capitalization is not a loophole). This would prevent address farming, and have the same integrity as the proposed do-not-spam list.

(BTW, consider this prior art in case anyone goes patenting md5's of email addresses... /me smacks the US patent system)

this bill

[codepunk]

The only legislation that is really needed is to make it unlawful to send mail with forged mail headers. They could pin them with computer and interstate commerce fraud.

Do Not Email List == Loss of Privacy == Abuse

[Ron+Bennett]

According to the article, there would be a "Do Not Email List" component to the law...

A "Do Not Email List" would cause a further loss of privacy...government (and its contracters, some of which are sketchy) would be able to associate email addresses with IPs and possibly other information...

If implemented, it's very likely one would be asked to not only supply the email address(es) they wish to add, but would also asked for their real name, postal address, and phone number too.

Now anyone who thinks that information will remain confidential is kidding themselves. Did you know most U.S. states sell driver license information, including DL pictures to private entities...even those states that have laws against such actions share the information too due to various loopholes in their respective state laws; information also shared with other government agencies, including the Feds (don't think for a second it's not).

Ok, got on a tangent there, but to make a point...

If the government were to compile a "Do Not Email List"...the following will *likely* occur...

* Email and associated collected information would be stored and added to other unrelated government/private databases too.

* Government and other private entities will use the list to help track/monitor people - ie. "Deadbeat Dads" ... while one can debate the issue of child support, the fact of the matter is that much privacy is being lost in the process; an excuse to further erode the rights of all Americans.

* The email addresses and likely their related information will be used by politicians for sending out spam...yep, there's likely an exception for that; there is for the national do not call list.

* Various private entities, mostly offshore, will obtain the "Do Not Email List" and use it in the exact opposite way for which it was intended...that is they'll send spam to those addresses.

Opt-Out doesn't work for email; its debatable whether it works for phone numbers either, but that another topic for another day.

Bottom line is that any decent anti-spam bill should NOT have a "Do Not Email List" component, but rather instead require companies, non-profits, politicians, etc to use double-verified OPT-IN email lists for sending ubsolicited email.

Ron Bennett

Real Solutions

[mabu]

This is yet another toothless waste of time of a bill. Toss it on the pile.

Now let's get real:

It's important to realize that there are certain characteristics of most spam:

1. Most "legitimate" promotional mail comes from a static, traceable source (i.e. mailing lists or a specific web site such as amazon.com) The more legitimate spammers, due to their visibility, are forced to maintain more responsible mailing practices or else they will be blocked or blacklisted.

2. The vast majority of spam comes from rapidly rotating sources difficult to trace and lock down (random IPs on the Internet that are either unauthorized or compromised SMTP servers). Regardless of the nature of the spam message content, most of these spam sources involve one or both: violation of the ISP's terms of service (which most disallow smtp relaying from direct client IPs), or an illegal exploitation of third-party computers.

#1 is easily dealt with. Any centralized operation that doesn't perform responsible mailing (opt-in/out, non-forged headers, published contact info, etc.) can be dealt with. We know who these people are and how to reach them; they are large, targetable operations.

#2 is the real problem and the major source of spam online. All the penis-enlargement, Nigerian scams, online pharmacies and home mortgage solicitations are promoted through the use of an ever-changing network of computers, most of which are broken into by spammers or otherwise re-routed through a plethora of foreign ISPs.

The key to solving the spam problem is nailing down #2. I believe that most of the rotating spam sources involve illegal computer exploitation and compromises. We're talking criminal activity - not civil wastes of time. This is the angle law enforcement should use. Go after relay hijacking and enact punitive damages on ISPs who have demonstrated a consistent disregard for the control of their IP blocks. If we go after the spammer-criminals, they will be forced to settle with spam-friendly ISPs or face criminal prosecution. At that point they either clean up their act, or their ISP will become blacklisted. So the solution is straightforward: go after the spammers who take over third-party SMTP servers and client machines. These are criminal offenses which the authorities have yet to actively enforce.

My solution to the Spamedemic:

Believe it or not, solving the Spam problem is really easy and practical. It does not involve infringing on freedom of speech. It does not involve denying ANY business interest the freedom to use e-mail for marketing.

1. FORM A DEDICATED CYBERCRIME ENFORCEMENT AGENCY. Populate the agency with well-trained IT people who know the laws and the nature of the problem. This agency does not need to encroach into areas covered by US Customs or the FTC (i.e. not be concerned with the content of spam, but merely focus on computer/network-tampering/exploitation). The FBI is not adequately equipped to fight cybercrime. A new agency separate from the other law enforcement organizations should be created.

How to fund this new agency? How about a small fee for domain registrations? I think most people would be willing to pay an extra $5/year per domain to ensure that the Internet is more secure and spam-free. In any case, there's plenty of frivolous spending that could be repurposed to fund this very useful agency.

2. ENFORCE CRIMINAL PENALTIES for computer exploitation: mail-relay-hijacking, trojan horse, worm, virus and vulnerability exploitation. There are already laws on the books criminalizing these activities, but since Americans like laws and have a short attention span, it wouldn't hurt to pass a new law which exclusively, specifically addresses the issue of computer/network/communications exploitation by third parties, and levies very intimidating CRIMINAL penalties. There should be no threshold of monetary damage before criminality is triggered: that only punishes diligent admins to catch attacks before extreme damage

5 year prison terms

[andy1307]

Spammers please note: Spammers will get 5 year prison terms. Trying to sell tool enhancement therpies in prison is not a good idea..you'll get to know what "choke her with your large johnson" really means.

Problem with "opt out" legislation

[polymath69]

I have an unlimited(?) number of valid email addresses. The 'opt-out' provision would require me to generate as many of them as I could and then deliver them to the spammers -- and then, if the spammers could think of ones I missed, then it would be OK for them to spam me at those addresses. Need I point out that this is a flawed proposal?

I've thought of generating a bunch of legal addresses and putting them on a CD-ROM, to show to my congresswoman with the message 'Here are 60 million of my legal e-mail addresses. This disk is full. How many more should I make?'

I'm glad that this bill is unlikely to pass, though it makes up something like 70% of my mail. We need opt-in legislation, and we need it with teeth. Large and increasing fines, individual grounds to sue, and possibly even the death penalty after some number of convictions; maybe 10?

Who Can Prosecute?

[schnarff]

After reading about this in the Washington Post, where they noted that only e-mail providers or government entities could bring suit, I decided to look up the actuall bill to see if I, as a private e-mail administrator, could bring an action against someone under this bill. The text in question, however, said only "A provider of Internet access service adversely affected" could bring action. So I wrote my Senators to find out if they meant this to be only those who provide actual ISP service, or if people like me who run private e-mail servers could bring complaints. Should be interesting to find out what they say.

For those of you interested...

[Misch]

For those of you interested, the bill is S.877

CAUCE (Coalition Against Unsolicited Email) opposes this bill.

The bill isn't "Can Spam" in terms of canning spam. It's "Can Spam" in terms of "You Can Spam. Sure. Go ahead." It's opt-out, not opt-in. Prepare to have your mailbox flooded. Legally.

Sec. 105 (a):

(4) PROHIBITION OF TRANSMISSION OF UNSOLICITED COMMERCIAL ELECTRONIC MAIL AFTER OBJECTION- If a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any unsolicited commercial electronic mail messages from such sender, then it is unlawful

(5) INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN UNSOLICITED COMMERCIAL ELECTRONIC MAIL- It is unlawful for any person to initiate the transmission of any unsolicited commercial electronic mail message to a protected computer unless the message provides--

On the other hand, Sec. 105 (b) (1) (A) (i) and (ii) make it illegal to use address harvesters or dictionary attacks to send spam.

I'm also worried that Sec. 105 (e)'s restrictions on sexually explicit advertising will be struck down as unconstitutional, and may have adverse effects on the rest of the law.

Musings on how this might work

[Daniel+Zappala]

Clearly, you can't just give this database to a spammer and say "here, don't send these people email." What a great recipe for getting more spam.

Instead, the list would need to be secret, and a spammer could send a query: "Is joe@yahoo.com on the list?".

You need to avoid the naive solution, where the list-keeper says "yes" if the address is on the list and "no" if it is not on the list. Otherwise, a spammer could just do a dictionary-type attack on the list to discover as many email addresses as she could. "How about joeb@yahoo? joec?"

You need to instead say "yes" if the address is on the list and then randomly choose "yes" or "no" otherwise. This way if a spammer gets "yes" she doesn't know whether she has a real email address or not.

Ah, but more problems. If the response is truly random, then a spammer can make a repeat request for all the addresses that the list-owner said "yes" for. The ones that actually aren't on the list will have a chance of coming up "no" a second time. Repeat as many times as you want to get a higher certainty that you have obtained usable addresses.

So you instead need some history -- always say yes to "fooxyz@yahoo" even if it is not on the list. And now your memory requirement becomes infinite. Sure you could keep a cache of your most recent responses, but this just delays the time it takes for the spammer to find out who is on the list.

From this brief thought-exercise, I don't know if a "do-not-spam" list is doable. Maybe I'm missing something.

What is clearly much easier to implement is a "please-spam-me" list. The memory requirements would sure be smaller. And no problem making this a publicly-available list. Likewise, it would be easy to prove you are not on the list when you get some spam. And hey, if 90% of uses don't want spam, why should we force them to say "no"?

Buyer Beware!

[Angram]

I've said it before and I'll say it again: You have to make buying from spam illegal. You can't prosecute the international spam supply - you can target the domestic demand for spam, however. It's simple economics, people!

There's ALWAYS a Way

[LittleGuy]

However, the bill, referred to as the 'Can Spam' bill, is unlikely to pass the House and be signed by the President.

They should have called it something like "Mary Sue's Law for Liberty and Freedom". It would have been signed by dinnertime today.

Also, have a link between spam, Bin Laden, Hussain, and peodphiliac drunk drivers.

Just use a "+"

[ClioCJS]

There is. It's the plus symbol. This tends to only work on unix server, but anything after a "+" but before the "@" is ignored by your mailserver.

So let's say my address is ClintXYZ@unix.org. I could sign up for something as ClintXYZ+ajkfdsjdfasjoifdoj@unix.org and the email would still be received by me.

Come up with a system, like ClintXYZ+yahoodotcom@unix.org. Then, if a spammer ever harvests your address, and doesn't cleanse out the extra characters, and then spams you, you will know it was yahoodotcom that did it. [This is just an example; don't sue me Yahoo.]

This has worked at least once for me (After doing it for a few years). A yahoo store violated yahoo privacy policy by doing this, and I reported them to yahoo. Never followed up though.

It's also good for mailfiltering. ClintXYZ+slashdot@unix.org for example if I wanted to filter everything that came from slashdot into its own filter.

Beware of webforms that don't allow +'s in the email addresss. It's a grey area of email address validity.