No Federal Do-Not-Spam Registry For Now

Decaffeinated Jedi writes "The AP reports today that the U.S. government has no plans to create a do-not-spam registry in the immediate future. Why not? They argue that the proper technology is not yet in place. 'A national do-not-e-mail registry, without a system in place to authenticate the origin of e-mail messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers,' said the commission." The moral of the story is: never try. See the FTC's press release or their report (pdf).

Obligatory Simpsons

[swordboy]

Homer: Trying is the first step towards failure.

Not yet ready..

[CommanderData]

I'm glad that they haven't jumped in headfirst, I can't imagine how they could enforce such a list right now with so much spam coming from outside of the United States and from unknowing zombie PCs within the US. If they did create a list it would place an expectation in the public eye that the US government can enforce it, when it obviously (to us slashdot readers) cannot.

Like it or not, we need to come up with more clever hardware or software solutions like Yahoo's "Domain Keys", Meng Weng Wong's SPF (Sender Policy Framework), or god forbid, Microsoft's Caller ID for E-mail.

Re:Not yet ready..

[surreal-maitland]

i absolutely agree with you. this reminds me of a situation which is currently in place here in boston. they have decided to start randomly IDing people when they take the T. clearly, knowing who is on the T at a given time doesn't prevent or deter that person from bringing a bomb on board. however, it gives some people a false sense of security. that's exactly what this would be: a false sense of security and, as an earlier poster mentioned, a bunch of valid email addresses in a nice little list for a spammer from china. oh, and of course, a waste of taxpayer money.

Wait wait wait...

[JoeLinux]

I thought they had this now: Isn't it the "Opt-Out" thingy?

At least they realize that.

[suso]

At least they are smart enough to realize that it is not technically feasible yet. Score 1 for the FTC.

Knee Jerk?

[FortKnox]

The moral of the story is: never try.

Come now, michael. If it is most likely going to CAUSE more spam, its something that shouldn't be done.

Its a "damned if you do, damned if you don't by people with kneejerk reactions that normally hate everything you do anyway" thing, isn't it?

FTC is right

[sulli]

A do-not-spam list right now would be a spam-me-now list. So many spammers are beyond the reach of the law at the moment that adding your address or domain to this list would be like adding it to WHOIS.

The real moral is

[b00m3rang]

Don't hand the spammers what would probably be the worlds largest distribution list on a silver platter.

Too Bad

[jumpingfred]

They should have a do not spam list. It will kill off at least one segment of spam. Spam mails trying to sell you a list of valid email adresses.

Murphy's Law

[Networkink*Man]

Spammed if you do, spammed if you don't.

Re:Not yet ready.. BINGO!

[AtariDatacenter]

Your message probably best sums up the response to this, and nothing else really needs to be said by anyone. If you create a list of email addresses and attach to it an American law governing their use, then someone from China isn't going to care one bit. The global nature of the Internet (which defies censorship) is also the same thing that allows for spam.

Personally, I'd get a little scared if they can legalize away spam. Although a different medium, if they go all-out for spam, it probably makes for a good sign/precident for 'other things' to be eliminated from the Internet. (Be it pirated files, porn, 'ideas that my citizens shouldn't be having', etc.)

But I still wish spam would go away, like everyone else.

Commentary by Michael

[Scott+Richter]

The moral of the story is: never try.

No, Michael, it's not. What they said was

'A national do-not-e-mail registry, without a system in place to authenticate the origin of e-mail messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers,'

And quite frankly they're right. Additionally, it's not in the FTC's jusrisdiction, I don't believe, to change the SMTP protocol. As such, they do not have the ability to actually solve the problem.

Given the degree to which the FTC fought for the Do-not-call registry, I think they deserve more credit than Michael's snide editorial remarks. They also deserve credit for having the courage to admit that they can't solve the problem under the current situation and providing a damned good reason why, as well as leaving bad enough alone and not doing something simply for the sake of doing it. Sometimes, inaction is the best course, and it takes maturity to realize it.

Right now, setting up a do-not-email registry would be as smart as responding to the "Please remove me" addresses. In short, it would be absolutely stupid.

So let's leave the FTC alone, shall we?

Re:But wait

[squiggleslash]

Funny, when someone does propose an anti-spam solution, people here can't poke holes in it fast enough.

That's because 90% of the so-called "solutions" for spam have serious flaws. They usually end up blocking legitimate email and usually can be worked around by some means. Really, for ordinary users forced to endure some largely unaccountable sysadmins idea of what email should be, the only workable environment involves a combination of Bayesian-style filters coupled with white lists for known good addresses (to ensure they're not accidentally dropped.) For those of us able to administer SMTP servers, seperate email addresses for each entity that needs to contact us with no published permanent "public" addresses generally works.

The "solutions" we see posted from time to time rarely are as straightforward or effective. SPEWS type filtering blocks customers of ISPs regardless of whether they themselves are abusive or not. The DUL blocks by a criteria which has nothing, on the face of it, to do with spam, and simply makes things like configuration-free email an impossibility and roaming more difficult. ISP-lead outgoing port 25 blocking makes configuration-free email impossible and undermines user privacy. ISP-lead incoming port 25 blocking makes it impossible for knowledgable end users to deploy certain effective methods of spam block. The SPF, in an environment in which port 25 blocks and the DUL are active and in which ISPs rarely offer "authenticated SMTP" connections for external users will make roaming even more difficult.

And those are just the current methods taken seriously and proposed at every turn. Meanwhile, people propose all sorts of "solutions" like using encrypted authentication and even getting rid of SMTP which are about as easy as creating world peace ("All we have to do is stop fighting each other!"), and which open all sorts of new cans of worms.

In the case of this article, someone was seriously contemplating having the FTC create a Do-Not-Spam list, a list that wouldn't have applied to foreign owned businesses and one that would have, if anything, legitimized spam ("Hey, we're only posting to people off the list, leave us alone!")

When people stop proposing daft and damaging ideas, people on Slashdot will stop poking holes in them. Spam is a solvable problem, but an unholy alliance of BOFHs and zealots is causing immeasurable damage without actually making much of a dent, if any, in the volumes we're talking about. Interestingly, by-and-large, the solutions that work involve enfranchising the receiver, a principle the current anti-spam culture is reluctant to accept.

Obligatory anti-spam checklist

[spoonyfork]

Your post advocates a

(*) technical (*) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(*) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
(*) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(*) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(*) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(*) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(*) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(*) Any scheme based on opt-out is unacceptable
(*) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(*) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(*) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(*) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!