Senate Passes Anti-Spam Bill

Zendar writes "Yahoo! is reporting that the 'U.S. Senate passed the first national anti-spam bill on Wednesday, giving momentum to an issue that has riled consumers almost as much as dinnertime phone calls.' However, the bill, referred to as the 'Can Spam' bill, is unlikely to pass the House and be signed by the President. Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.' CNN also has the story."

Politicians for Ya

[jazman_777]

Senator John McCain sums it up: 'The odds of defeating spam by legislation alone is extremely low, but that does not mean we should stand idly by and do nothing about it.'

Meaning, 'What we do has no effect, but we need to look like we're doing something useful.' And of course there _shall_ be unintended consequences, which will require yet another government "fix".

Re:Politicians for Ya

[stanmann]

The battle on spam must be fought on all available fronts, and providing penalties which can be levied against the company that hired the spammers is an important front. Granted, at this point there is no provision for a regulatory/investigative body to investigate and punish it... but one step at a time...

Re:Politicians for Ya

[CelloJake]

I agree with you. If the bill will have no effect then why waste important senate time with it.

Next he can pass a bill that will ban breast cancer. The odds of defeating breast cancer by legislation is extremely low, but that does not mean we should stand idly by and do nothing about it.

I think the statement would make sense if he were choosing to not promote the bill and instead try to do something else. Just because legislation won't stop the problem doesn't mean we have to sit idly by. Even a senator has other resources available than legislation to help with a problem.

-Jacob

Re:Politicians for Ya

[arthurs_sidekick]

The key to the post at the top of this thread is the mention of unintended consequences. We've already seen how laws dealing with technical subjects get misinterpreted by the courts; what exactly is going to count as spam under this law? What forms of communication will it affect, and how? Damn straight, I don't want to go to jail for making a programming or configuration mistake that sends out a bunch of unsolicited email and somehow falls under the legal definition, or judge's interpretation thereof, of "spam." { I don't want to make that sort of mistake at all, but if I do, there are other ways of dealing with me }.

Re:Politicians for Ya

[Steve+B]

The battle on spam must be fought on all available fronts

A legal front that ought to be opened is the application of existing computer-crime laws to certain spamming techniques. The deployment of trojans to create open relays and even outright spamboxes is an obvious example.

Additionally, the use of forged headers, munged words, etc to evade spam filters is arguably a form of cracking in and of itself -- what is it, if not a deliberate attempt to use someone else's computer without the owner's permission, and indeed against the owner's express prohibition?

Fuck 'em.

[InterruptDescriptorT]

It's not going to help the influx of spam from China, Taiwan or Russia, which is where I seem to receive most of my spam.

I think the Senate, as usual, passed a do-nothing measure that will have not an ounce of effect on the literally 350 spams I receive a day. (Yes, I do use spam filtering.) Congress would be better off to provide tax credits for companies producing filters, starting a massive education campaign on how you can stop unwanted e-mails using these filters, and investing heavily in research projects to improve filtering.

But this is a bunch of more fucking useless bullshit--par for the course for this Administration.

Stuck with Outlook?

[rjamestaylor]

If you're one of the many who doesn't really have a choice but to use Outlook on Windows, there is anti-spam help available in the form of an open source SourceForge project called SpamBayes.

I downloaded and installed the latest version last night and am very impressed with this seemlessly integrated Bayesian Spam Filter (make sure anti-virus software is disabled before installing -- which can be difficult with McAfee as I discovered).

Very much recomeeded.

What they really need to do

[andih8u]

Is go after the companies that sell ("rent") your information to the spammers. I know I didn't register for the national do-spam-me list, and I only gave my email out to "reputable" sights, so someone gave it away somewhere despite their privacy policy. You'd think there'd be a way to backtrack how these companies get this stuff.

Re:Drat

It has one thing that's really needed. Jail time. These spammers get caught from time to time, but just file for bankruptcy, so they have little fear of the government. A threat of jail time would end lots of spam even without enforcemnt.

Funny how that works

[Otter]

It goes to show you -- when it's clear that there's a real consensus, legislators don't hesitate to act, cynical sneering about "buying votes" notwithstanding. As soon as it became clear that the popularity of telemarketers with Americans was somewhere above Osama bin Laden and below Saddam, you've never seen any legislation move so fast. And now that it's dawning on them that spamers are about as popular (true, they don't bother you during dinner, but then telemarketers don't send bestiality pictures to your kids) they figure there are additional points to be scored.

"CAN SPAM" = OK, you CAN SPAM at will

[Steve+B]

A couple of the bad provisions of this bill, as reported by the Washington Post:

1. Preemption of state anti-spam laws.

2. Individual right of civil action against spammers is expressly denied.

This should be called "The Spammer's Freedom Of Speach Charter"

Re:"CAN SPAM" = OK, you CAN SPAM at will

[Zathrus]

I think you need to read up on your legal knowledge.

Federal law trumps state law. Ammendment X is not applicable here, any more than it is for the Do Not Call list or the Fair Credit Reporting Act because this law is made under the auspices of interstate trade which the federal government is explicitly granted authority over in the Constitution. And spam is most certainly interstate... in fact, the state laws do little or nothing because enforcement ends at the state line. To a large extent it's questionable whether or not this law will do anything since enforcement will end at the US border, but if it's well designed (which is questionable) then it's at least a start.

Sadly, nothing short of completely replacing SMTP with a more secure protocol, including authentication, is going to stop spam.

End users can no longer sue

[realdpk]

From CNN:

"State and federal law enforcers and Internet service providers such as EarthLink, Inc. would be allowed to pursue spammers, but individual users could not sue directly."

That's majorly unfortunate. It basically means that spammers will be able to buy (through settlements) access to ISPs, and the customers will have no recourse.

Follow the cash

[RT+Alec]

Yes, the spam mostly comes from IP addresses outside the U.S. However, it is almost always advertising something sold by an entity in the U.S.

This bill, if passed, can have an effect. If a company in the U.S. uses spam to advertise, and that spam has fraudulent headers, then the U.S. company can be prosecuted. That's the true origin of spam-- not the IP address of the sending machine. This allows for a non-technical approach to combat the true originators of the messages.

Why do spammers use fraudulent headers anyway? To evade technical spam-blocking techniques (RBLs, whitelists, etc.). As the spammers start to reduce their use of such methods, the technical techniques used by many ISPs and end users will be more effective. No silver bullet, to be sure, but every little bit helps.

Re:Follow the cash

[Pieroxy]

That's not the way spam works. An independant entity is doing SPAM and it is based in Russia. It will advertise "Get the lower rates for your mortgage" for example. Then, when someone respond to that and give its name/address, the Russian company will sell the personal informations collected to any company willing to pay $2 (or $n) for it in the U.S.

See, the mortgage company is not involved in the SPAM at all! The mortgage company just buys the name/addres of someone interested by low rates.

No one does anything wrong in the U.S. with this model.

Problem with a do-not-spam registry

[SeanTobin]

The major problem with a do-not-spam registry is not that it would only affect domestic spam.. The major problem is that there will be a huge list of validated e-mail addresses that spamhauses can buy, send overseas, and spam all day and all night from offshore.

The only reason this isn't happening with the telephone do-not-call list is that the cost of international calls is still prohibitave... but I think VoIP might make this option attractive at some point. I'd just love to get a sales call from some guy in India trying to sell me a new car windshield. Also, phone numbers are published anyway, so there is no real need to harvest the do-not-call list.

I think the way this should be implimented is a national list of MD5's of the addresses. Make it illegal to email any address whose md5 matches one on the list (converted to lowercase so that capitalization is not a loophole). This would prevent address farming, and have the same integrity as the proposed do-not-spam list.

(BTW, consider this prior art in case anyone goes patenting md5's of email addresses... /me smacks the US patent system)

this bill

[codepunk]

The only legislation that is really needed is to make it unlawful to send mail with forged mail headers. They could pin them with computer and interstate commerce fraud.

For those of you interested...

[Misch]

For those of you interested, the bill is S.877

CAUCE (Coalition Against Unsolicited Email) opposes this bill.

The bill isn't "Can Spam" in terms of canning spam. It's "Can Spam" in terms of "You Can Spam. Sure. Go ahead." It's opt-out, not opt-in. Prepare to have your mailbox flooded. Legally.

Sec. 105 (a):

(4) PROHIBITION OF TRANSMISSION OF UNSOLICITED COMMERCIAL ELECTRONIC MAIL AFTER OBJECTION- If a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any unsolicited commercial electronic mail messages from such sender, then it is unlawful

(5) INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN UNSOLICITED COMMERCIAL ELECTRONIC MAIL- It is unlawful for any person to initiate the transmission of any unsolicited commercial electronic mail message to a protected computer unless the message provides--

On the other hand, Sec. 105 (b) (1) (A) (i) and (ii) make it illegal to use address harvesters or dictionary attacks to send spam.

I'm also worried that Sec. 105 (e)'s restrictions on sexually explicit advertising will be struck down as unconstitutional, and may have adverse effects on the rest of the law.

Just use a "+"

[ClioCJS]

There is. It's the plus symbol. This tends to only work on unix server, but anything after a "+" but before the "@" is ignored by your mailserver.

So let's say my address is ClintXYZ@unix.org. I could sign up for something as ClintXYZ+ajkfdsjdfasjoifdoj@unix.org and the email would still be received by me.

Come up with a system, like ClintXYZ+yahoodotcom@unix.org. Then, if a spammer ever harvests your address, and doesn't cleanse out the extra characters, and then spams you, you will know it was yahoodotcom that did it. [This is just an example; don't sue me Yahoo.]

This has worked at least once for me (After doing it for a few years). A yahoo store violated yahoo privacy policy by doing this, and I reported them to yahoo. Never followed up though.

It's also good for mailfiltering. ClintXYZ+slashdot@unix.org for example if I wanted to filter everything that came from slashdot into its own filter.

Beware of webforms that don't allow +'s in the email addresss. It's a grey area of email address validity.