Tweaking the CAN-SPAM Act
rbochan writes "The Register is reporting that the U.S. Federal Trade Commission is consulting on proposed changes to the CAN-SPAM Act. Changes would include clarifying the definitions of the terms person and sender, and altering the time allowed for a sender to honor an opt-out request. The FTC proposal is available as a PDF on the official FTC site." From the article: "Critics have accused the Act of being narrow and weak, accusations that may be hard to deny given that the US sends more spam than any other, according to a recent report by anti-virus firm Sophos."
The purpose of the CAN-SPAM act wasn't to stop spam, it was to legitimize spam sent by the DMA and its members.
News for Nerds. Stuff that Matters? Like hell.
What we really need is a federal CAN CONGRESS act. Please, as though this is a problem that legislation can fix. If Congress really, truly wanted to end spam, why not allocate some grant money to improving anti-spam technology?
"There's companies that are just so cool that you just can't even deal with it," - Bill Gates, about Google
"It is also proposing to shorten from 10 days to three the time a sender may take before honouring a recipient's opt-out request;"
Yeah, so now they only have 3 days to sell my address to 100 other spam lists.
João Pinheiro
I'm curious: what do the libertarian-minded say about CAN-SPAM? That the Internet can handle its own problems, perhaps?
WeRelate.org - wiki-based genealogy
It all speaks to our fondest value in the US, evident in places as diverse as SPAM, excessive plastic surgery, and corporate welfare/rights: so long as someone can believably assert that they are "just trying to make a buck," our national consciousness and our lawmaking machinery are absolutely loath to do anything to slow them down, whether the argument is ethnical, environmental, logistical, criminal...
STOP . AMERICA . NOW
You're confusing CAN-SPAM with SPAM-CAN
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Everyone knows that spam should be rightfully sold in JARS, so that we can at least guess at what type of meat it might be before purchasing.
- "Baked beans are off!"
- "Can I have spam instead?"
- "You mean spam spam spam spam spam spam spam spam spam spam spam and spam?!"
- "Yes."
- "Blaaarght"
João Pinheiro
I didn't want to be a spammer....
/me wanders off into the woods with a bunch of sinning mounties
What I really wanted to be was a lumberjack
Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
I'd call it the Can't Spam Act.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Existing laws should be applicable. Let's see, spam at a minimum usually involves
* forgery with the intention to deceive.
* theft of service
* trespassing
Reshape the existing laws to include new technologies.
While we are at it, go after the end beneficiary of spam. The ones selling a product or service. I know some will say that it is too easy to set someone up. Is it? In the U.S. one is presumed innocent unless proven guilty beyond a reasonable doubt. Hmm... we should be able to spot a setup.
Heck, why laws at all? Most times the parties involved cross multiple boundaries/jurisdictions. Laws, in the long run, are not the way to go. The technology needs fixing.
Keep the Classic Slashdot.
oops singing :)
Though the first may be more accurate
Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
You can't polish a turd.
All I want is the right for a simple small claims mediation. Let me shoulder the burden of prosecution! These guys are absolutely punishing my email servers and bandwidth. Let me hit them back! Here is how it would go:
:)
Me: I didn't ask for this email and I have no relationship with the vendor. Here is the proof that I got spam for their product, directing me to the following websites they control...
Mediator: Do you have proof that DaGoodBoy agreed to be solicited?
Spammer: Uh...
Mediator: That will be $500 bucks. Next!
If I lose, I'll agree to pay $500 for the trouble. Hell, let this happen on a teleconference with a mediation company sanctioned by the government instead of court. I bet I could make a living just from pursuing my spammers!
Either this or just look the other way while I set up an anonymous payout deadpool for the members of the ROKSO list...
My God! It's full of Voids!
Who is the Senate sponsor of the CAN-SPAM act? I sure will give him/her a piece of my mind. It doesn't matter if it is my Senator or not. Whoever it is has to accept responsibility for putting this piece of trash into law and needs to hear from everyone affected by it.
There is no such thing as anti-spam technology.
Spam filters, RBL lists, etc. don't stop spam; they just suppress it.
Spam begins with a desire for $$. Eliminate the payoff for spam and spam will die.
The Government doesn't know how to solve problems, all they know how to do is create legislation using their limited understanding of the problem. "Spam is bad, therefore we should make it illegal!" Nice job, congress, CAN-SPAM has been around for how long now? Anyone notice a difference? Gmail does more to can my spam than any government ass could do any day.
Wouldn't it be funny if there was a SPAM lobby that was paying fat sacks of cash money to senators and congressmen to "inform" them as to the benefits of SPAM? 'if we don't spam people, we will be a country of small penis-ed, non-working-at-home, erectile dysfunctioned, people WITHOUT FREE IPODS!'
and the man on the tape said that they'd suffocate, if the sharks would stop swimming in circles.
What if I connect to Chinese ISP from US? Or the other way round... who is to blame?
The purpose of the CAN-SPAM act wasn't to stop spam, it was to legitimize spam sent by the DMA and its members. ...but make it easier to filter out.
I don't know whether the DMA members are complying or not. Most spam is still sent from outside the DMA's members. So we sure can't turn off our bayesian spam filters.
The theory was that the US would crack down on those people, who according to TFA are right here in the US, leaving us with just the easily-filterable DMA-approved ads.
That hasn't happened yet, perhaps because the FBI has more important things on its mind (i.e. terrorism). I can't imagine that the DMA is happy, because their actual sales pitches are getting lost among the scams, phishes, and frauds.
I'll worry about how evil the DMA is once I stop getting 92 spams a day for C$ALIS.
If the spam is required to be labeled with a subject line starting with ADV: it makes it very easy to filter and easy for a judge and jury to determine that it does break the law when they don't include it. Under the California law, if you leave out required labeling, it is deceptive allowing individuals to sue for $1000 for each one.
Fight Spammers!
You are obviously jaded by your exposure to what you perceive as reality. I recommend that you pick up a copy of Bill Clinton's autobiography or simply read the White House press briefing site for a while.
You will quickly find that your current way of thinking is just ... too difficult for you. You don't need to go to all that effort. Relax, and let them do the work.
If you feel you must stay informed, watch a little CNN or Fox News (one or the other, not both), so you don't have to constantly hear people disagreeing with one another.
Never again will you think that you can't trust your government.
sigs, as if you care.
So far, so good.
Dude, you have nothing to worry about as long as the DMA can pay lobbyists.
How did you get their addresses?
No. It isn't about quantity.
It's about unsolicited commercial ads.
If 10,000 people have personally contacted you looking for Product X, and you personally reply to those 10,000 people saying that you have Product X in stock, that would be fine.
Nope. It's quite easy as a matter of fact.
The key is HOW the addresses you are sending to are obtained.
In a legitimate, non-spam business, they will be obtained by those people giving you their email addresses and expecting to receive emails from you.
In a spam business, emails are harvested and/or purchased in bulk.
All that the US needs to do is to define non-spam as email sent by a company that you have provided your info to and for that company to have a record of that (your IP address, your email address, the web page/domain you were at when you provided it).
Anything else is spam.
No "affiliates", no "partners", no one other than that one company you provided the information to.
Legitimate companies will not have a problem with this. Give them 6 months to update their mailing lists to meet the new criteria.
Spammers (and companies using them) are the only ones that will be affected by this.
This is very bad news for all those legitimate banks that purchase email leads from spammers, but I really don't give a rat's ass about whether they like it or not. I'm tired of getting mortgage spam and I'm tired of people saying that their email was flagged as spam just because they were discussing their mortgage options with their bank.
Before "CAN-SPAM", the various states would pass their own anti-spam laws.
... one worthless Federal law that trumps all of the state laws.
Some states had really good (anti-spammer) laws.
Some didn't.
So the DMA lobbied the government to deal with the "problem" of different states having different laws.
The end result
To be clear:
1> "human persons" must *not* send spam, "corporate persons" are exempt.
2> To distinguish the "sender" between the "transmitter" of the message and the identity in the message's "From" data field, see <1>
3> "Spam": see also "pork".
--
make install -not war
National Do Not Call list law is passed. I put my phone number on the list. Literally within weeks, the number of telemarketing calls plummets from a flood to a tiny trickle. (The trickle being charities and political campaigns).
CAN SPAM act is passed. Nothing happens.
And most of the SPAM has every appearance of being generated in the U. S. You gotta think the CAN SPAM act is ineffective, perhaps by design.
"How to Do Nothing," kids activities, back in print!
... and the older (trumped) California or Washington laws should be put into place.
Spammers should be forced to provide absolute PROOF that you signed up (and verified) that you wanted marketing mail. No selling of email lists. Ever get spams that claim "You're getting this because you subscribed from 207.92.115.25 on $date" at all? They should be able to *prove* that *I* subscribed.
CAN-SPAM has done nothing but open the floodgates for spammers. I have seen it in action, seeing as how I worked for a company that's now on the ROKSO list. I got to deal with it every single day.
CAN-SPAM is a *total failure* and the only right thing to do is repeal it and send it back to the drawing board, allowing the states to come up with their own laws.
I'm all about stiffer legislative penalties and more consumer control over the listing of their information. But I'm ALSO for the market improving its filtering, and I don't think it requires charging, and I don't think there's a good way to charge.
The key point that IS true is that spam will exist as long as stupid people buy stuff from spam in sufficient quantity. Short of improving education and waiting 30 years, the only solution is to keep the spam from getting to most users.
Here's what we really need:
1) Improved server-client spam communication. This is what we don't have:
1A. An open standard "spam points" header system - so that IF your receiving mail server has a "ranking" filter that gives a point score to emails it can pass an email to your mail client but tell the mail client "this is 75% spam" This lets you run advanced server-maintained filters but make user-specific decisions about how "strictly" to interpret them. Mail clients already by default ignore extra headers, so all I'm suggesting is that the server filters need to add it in a standard way for the clients to use if they so choose. For bonus points, it should have the main header and "this is 90% from a misDNSed mail server." etc. Mail clients should by default have a fairly strict checking, because the users who don't know how to set it are the same users who are likely to be phished.
1B. An open standard for the mail client telling the receiving mail server "my user thinks message 232432432 was spam" Obviously, users are wrong sometimes, but this would let users who find spam automatically report it to automatically improve their server-side filters. Many servers will ignore this feature, which is fine. But as long as all the clients try in the same way, at least it will be easy for a server to account for it.
2. SPF & friends - letting at least some servers prove who they are. This exists, although of course adoption could be better. If sender and receiver have SPF, people can't pretend to be you anymore.
3. Good, tracking weighted server side filters. These already exist. It should let through email that fails only a couple of tests, but should assign a point value based on many factors. Note that we don't need to force everyone to do this, just the few biggest targets.
3A. They should take into account use of SPF, whether the maildomain has a valid DNS and some valid RDNS, whether the netblock is commonly used for spam, how long the domain has been active and normal content filtering of the message & content. Netcraft's phishing list, etc.
You can safely use things like the RBL this way, as long as you only assign a limited weight to them. In plain English, being on the RBL doesn't mean you're a spammer, but it does make it somewhat more likely. You only reject messages that have a lot of clues.
3B. It should _also_ take into account the current volume of identical or nearly identical messages. I suspect that a worldwide system for IMMEDIATELY sharing a hash of messages that occur in large volume would be helpful; I know some private companies already use a similar system.
3C. It should _also_ take into account the past history of the IP, rDNS domain, and netblock. This includes the past history of the stuff above and also the past history of user reports as mentioned in 1B.
3D. A valid tactic for certain kinds of messages is to slow down the processing of them. So if you get something you think is probably spam, you can delay a few minutes and see if its score gets better or worse. It will get worse, for instance, if you find you have a lot of identical messages, but that was the first one.
3E. Good servers should have a user-specifiable point cutoff.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
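A sketch of the scheme proposed in the comment above (items 1A and 3A to 3E), added here as an illustration and not written by the commenter: capped weights per signal, a volume check on near-identical bodies, a score header and a per-user cutoff. The header name, point values, thresholds and sample messages are assumptions made for this example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Assumed point values. Every signal is capped, so one test alone (an RBL
# listing included) cannot reach the default cutoff of 50.
WEIGHTS = {"spf_fail": 30, "no_rdns": 15, "rbl_listed": 25,
           "new_domain": 10, "bulk": 40}
HEADER = "X-Example-Spam-Points"   # hypothetical header name, not a standard
DEFAULT_CUTOFF = 50

@dataclass
class Message:
    spf: str              # "pass", "fail" or "none", from an upstream SPF check
    has_rdns: bool        # sending IP has valid reverse DNS
    rbl_listed: bool      # sending IP appears on a blocklist
    domain_age_days: int
    body: str

def fingerprint(body: str) -> str:
    """Hash of the case- and whitespace-normalised body (item 3B)."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

class Scorer:
    def __init__(self, bulk_threshold: int = 3, new_domain_days: int = 30):
        self.seen = Counter()          # fingerprint -> copies seen so far
        self.bulk_threshold = bulk_threshold
        self.new_domain_days = new_domain_days

    def observe(self, msg: Message) -> None:
        self.seen[fingerprint(msg.body)] += 1

    def score(self, msg: Message) -> dict:
        """Return {signal: points} for every signal that fired."""
        fired = {
            "spf_fail": msg.spf == "fail",
            "no_rdns": not msg.has_rdns,
            "rbl_listed": msg.rbl_listed,
            "new_domain": msg.domain_age_days < self.new_domain_days,
            "bulk": self.seen[fingerprint(msg.body)] >= self.bulk_threshold,
        }
        return {name: WEIGHTS[name] for name, hit in fired.items() if hit}

def header_line(hits: dict) -> str:
    """Server side (item 1A): total plus per-test breakdown in one header."""
    total = min(sum(hits.values()), 100)
    detail = " ".join(f"{k}={v}" for k, v in sorted(hits.items()))
    return f"{HEADER}: {total} {detail}".rstrip()

def client_decision(header: str, cutoff: int = DEFAULT_CUTOFF) -> str:
    """Client side (item 3E): each user applies their own cutoff."""
    points = int(header.split(":", 1)[1].split()[0])
    return "junk" if points >= cutoff else "inbox"

# Constructed sample messages.
PERSONAL = Message("pass", True, True, 2000, "Lunch on Friday?")
CAMPAIGN = Message("pass", True, False, 5, "Limited  offer, act NOW")

if __name__ == "__main__":
    s = Scorer()
    print(header_line(s.score(PERSONAL)))   # RBL hit alone stays under cutoff
    s.observe(CAMPAIGN)
    print(header_line(s.score(CAMPAIGN)))   # first copy: only new_domain
    for _ in range(2):                      # item 3D: delay, then rescore
        s.observe(Message("pass", True, False, 5, "limited offer, ACT now"))
    print(header_line(s.score(CAMPAIGN)))
```

Holding a borderline message for a few minutes and calling `score` again, as in the last lines, is what lets the first copy of a bulk run be caught once later copies have been observed.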
CA also required opt-in, whereas You Can Spam is opt out. That's why the federal law preempts the state laws, they were too tough on the spammers.
Intron: the portion of DNA which expresses nothing useful.
Stats for May 15-May16 for inbound mail attempts to one small domain - somewhere on the Internet
Mail rejected because account didn't exist (BRT)
server1: 1,411,109 (May15 16:24 - May 16 18:05)
server2: 1,423,574 (May15 20:32 - May16 18:09)
server3: 1,309,968 (May15 10:14 - May16 18:13)
Mail rejected by RBL
server1: 235,397 (May15 16:24 - May 16 18:05)
server2: 287,573 (May15 20:32 - May16 18:09)
server3: 279,709 (May15 10:14 - May16 18:13)
Mail actually delivered to mail spool
(i.e. before spam assassin checking):
server1: 112,634 (May15 00:06 - May16 17:58)
server2: 146,300 (May15 08:47 - May16 18:08)
server3: 57,055 (May15 11:31 - May16 18:13)
Totals and percentage of total mail processed over ~24 hours:
Mail Delivered: 315,989 6%
Mail Rejected RBL: 802,679 15%
Mail Rejected BRT: 4,144,651 79%
Judging by my own e-mail, and the amount of spam that gets through for spamscope to dispatch, less than 6% of all e-mail being sent is legitimate.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
The new act will be called U-CAN-SPAM, and it will be aimed at big corporate political donors.
f u cn rd ths u cn gt a gd jb n cmptr prgmng
espo
Too many people have been paid off to get rid of the I-CAN-SPAM act. But, if it is made to be easy to filter, and easy to sue for anything that makes it past the filter (because they broke the law), then the I-CAN-SPAM act won't smell too bad.
Fight Spammers!
It's gotten to the point where my street mailbox averages about 3 letters and about 30 pages of ads crammed into my little mailbox. The mailman is pretty good about keeping the letters on top, but then, how do I really know when I toss most of the stack into the adjacent trash bin?
Before I try going to the post office and getting a glazed look from a postal grunt, does anyone know of a way to block all "Resident" mail, a complete opt-out of litter mills that don't even know my name?
After reading the act originally, I always thought that by "can spam" they didn't mean "can it", as in "knock it off", but rather "package it and put it on the shelf - it's safe, really!". As in "canned", like a commercial, or something. As noted earlier, CAN-SPAM didn't deter so much as it legalized it.
Spam is about consent, not content. What about spam which does not ask for money? Phishing?
I can throw myself at the ground, and miss.
If the spam is required to be labeled with a subject line starting with ADV: it makes it very easy to filter and easy for a judge and jury to determine that it does break the law when they don't include it.
That would be more than nice. While they are at it, maybe all of those junk snail mail ads that say "Important account information" or "Dated material" should be less deceptively labeled as advertisements.
However, it's not the spammers buying government that made this mess. It's Congress trying to create the appearance that they're Doing Something Useful, without having the skill set to *actually* do anything useful, and (if you want to give them some credit, which they may or may not deserve), they were trying to stay out of serious trouble with either the First Amendment or Legitimate Big Businesses or their cronies or other things that would get them in trouble. In other words, they were grandstanding to look good, and any of them who were competent enough to understand the problem did know that. Their measurement of success or failure isn't whether spam actually gets stopped (though they'd be happy if that happened, just as they'd be happy if Global Warming vanished overnight), it's whether they can tell their constituents that they're Doing Something Productive. And if the voters believe them, well shame on them...
IMHO, it's simply not possible for one government to write a law draconian enough to stop a significant quantity of spam on a world-wide internet without significantly interfering with civil liberties and business productivity, because enough spammers are flexible enough to restructure their activities and find countries to work from where there are service providers who are perfectly willing to take their business, and find ways to use normal corporate-structure laws to insulate themselves from prosecution. Modern Internet and computer technology means that it's nearly free to communicate with the billion-or-so people who've got the most money, and the percentage of those people who are suckers has not significantly improved since P.T.Barnum measured their birth rate, and the percentage who are greedy enough to want to exploit them hasn't gone down much either. (That's not to say that the greedy people and the suckers don't overlap - they're just not the ones who make up most of Spamhaus's Top 200 Spammers list, and in fact they're often the best customers for the spamware vendors.) So the economics are there to make spamming look profitable, and often to actually be profitable, the people who want to profit from it are willing and able, and at least a few of them are creative enough to find workarounds for most laws, even if it means setting up an occasional $100 disposable corporation or paying extra for a bullet-proof Chinese website or renting an expendable army of zombies.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have a notice on my web site that explains that I will bill anyone sending spam to any e-mail address on my domain.
:)
I was able to collect $500 from one spammer
Marx's critiques of capitalism, as written in that utterly dull and wildly bogus book Das Kapital, assumed that workers weren't able to afford to own the means of production and that therefore the evil nasty greedy rich capitalists who *could* afford them would be able to ruthlessly exploit them. It wasn't really true back in 1867, but it's certainly not true in 2005. You can buy a new computer for two weeks' wages at McDonald's that's more powerful than an early 1980s mainframe or supercomputer, or a decent used computer for two weeks' worth of cigarette money, and at least five years ago, one of the stereotyped spammer categories was Bubba in his Double-Wide selling Nigerian Herbal Fake Viagra pills online, or whatever else will sell. And even if 99.99% of our national consciousness really did want spam stopped, the other 0.01% is enough for Bubba to make money off of them. There are almost certainly a thousand people in America dumb enough to fall for a Nigerian 419 scam or fake lottery or whatever, and it's cheap enough to send 100,000 emails to annoy other Americans that the profit from your first sucker will pay for it. And once you've hooked the first one, or sold your first couple of bottles of pills, it's all profit from there, unless you're one of the unlucky few who get caught.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But usually a US corporation is enough legal separation, and if Evil.Example.Com gets caught spamming and gets convicted, and it not only has all its assets confiscated, but Attorney General Alberto "The Torturer" Gonzales burns its corporate charter at the stake in the Miami FBI Building's parking lot, the worst it means for Billy-Bob the Spammer is that he needs to spend another $100 registering another corporation that'll get burned the next time. And if the YOU-CAN-SPAM act hadn't interfered with state laws, the most effective of them would generally mean that there's no criminal prosecution that might have a chance of piercing the corporate veil - it's strictly limited to getting a huge judgement against a corporation that doesn't have any significant assets, just petty cash, a rental contract on a 1-U computer, and the latest batch of 100 bottles of pills that they buy for $10 and sell for $50, so the corporation goes bankrupt, paying off a small part of the judgement, and Billy-Bob's personal assets aren't touched.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Tony, you're in Florida, the spammers aren't that far away (though you're in Orlando, and most of them are closer to Miami.)
You're just using the wrong kind of Spam Assassin....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
That particular sender's not planning to send you any more mail, so you're automatically removed from the list. That fairly identical-looking piece of spam you got last week was sent by my evil twin Zoot, and she's promised not to do it again either.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Of course there are also lots of spammers that *are* selling fraudulent products; one reason people advocate anti-spam laws for stopping those people is that spam is annoying, but another reason is that it's sometimes easier to catch a spammer with enough proof that he's spamming than it is to get enough proof that he's actually defrauded anybody, rather like busting Al Capone for income tax evasion.
Friends of mine have a civil liberties organization that really *does* want to hear from people in Nigeria and other parts of Africa with corrupt evil dictators, and some of the people they'd like to hear from are likely to be using the same cybercafes that other people are using to pretend to be widows or orphans of corrupt evil dictators who are trying to get money out of the country. They find the spam problem very frustrating :-)
I don't approve of ISPs automatically blacklisting spam-heavy countries. On the other hand, it's nice that my email provider does give users a checklist for countries that they don't want to receive any mail from, or that they want to have extra-heavy spam-filtering for. Cutting out China, Korea, and Nigeria really does help a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The only really useful anti-spam law was S.1618 - it didn't pass, but for a few years a popular spammer trick was to include a footnote that under S.1618, their email was not spam, and S.1618 was a sufficiently unique phrase that my spam filters could automatically trash anything that included it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Fight Spammers!