Tweaking the CAN-SPAM Act
rbochan writes "The Register is reporting that the U.S. Federal Trade Commission is consulting on proposed changes to the CAN-SPAM Act. Changes would include clarifying the definitions of the terms person and sender, and altering the time allowed for a sender to honor an opt-out request. The FTC proposal is available as a PDF on the official FTC site." From the article: "Critics have accused the Act of being narrow and weak, accusations that may be hard to deny given that the US sends more spam than any other, according to a recent report by anti-virus firm Sophos."
What we really need is a federal CAN CONGRESS act. Please, as though this is a problem that legislation can fix. If Congress really, truly wanted to end spam, why not allocate some grant money to improving anti-spam technology?
"There's companies that are just so cool that you just can't even deal with it," - Bill Gates, about Google
The purpose of the CAN-SPAM act wasn't to stop spam, it was to legitimize spam sent by the DMA and its members. ...but make it easier to filter out.
I don't know whether the DMA members are complying or not. Most spam is still sent from outside the DMA's members. So we sure can't turn off our bayesian spam filters.
The theory was that the US would crack down on those people, who according to TFA are right here in the US, leaving us with just the easily-filterable DMA-approved ads.
That hasn't happened yet, perhaps because the FBI has more important things on its mind (i.e. terrorism). I can't imagine that the DMA is happy, because their actual sales pitches are getting lost among the scams, phishes, and frauds.
I'll worry about how evil the DMA is once I stop getting 92 spams a day for C$ALIS.
I'm all about stiffer legislative penalties and more consumer control over the listing of their information. But I'm ALSO for the market improving its filtering, and I don't think it requires charging, and I don't think there's a good way to charge.
The key point that IS true is that spam will exist as long as stupid people buy stuff from spam in sufficient quantity. Short of improving education and waiting 30 years, the only solution is to keep the spam from getting to most users.
Here's what we really need:
1) Improved server-client spam communication. This is what we don't have:
1A. An open standard "spam points" header system - so that IF your receiving mail server has a "ranking" filter that gives a point score to emails, it can pass an email to your mail client but tell the mail client "this is 75% spam". This lets you run advanced server-maintained filters but make user-specific decisions about how "strictly" to interpret them. Mail clients already by default ignore extra headers, so all I'm suggesting is that the server filters need to add it in a standard way for the clients to use if they so choose. For bonus points, it should have the main header and "this is 90% from a misDNSed mail server," etc. Mail clients should by default have fairly strict checking, because the users who don't know how to set it are the same users who are likely to be phished.
1B. An open standard for the mail client telling the receiving mail server "my user thinks message 232432432 was spam" Obviously, users are wrong sometimes, but this would let users who find spam automatically report it to automatically improve their server-side filters. Many servers will ignore this feature, which is fine. But as long as all the clients try in the same way, at least it will be easy for a server to account for it.
2. SPF & friends - letting at least some servers prove who they are. This exists, although of course adoption could be better. If sender and receiver have SPF, people can't pretend to be you anymore.
3. Good, tracking weighted server side filters. These already exist. It should let through email that fails only a couple of tests, but should assign a point value based on many factors. Note that we don't need to force everyone to do this, just the few biggest targets.
3A. They should take into account use of SPF, whether the maildomain has a valid DNS and some valid RDNS, whether the netblock is commonly used for spam, how long the domain has been active and normal content filtering of the message & content. Netcraft's phishing list, etc.
You can safely use things like the RBL this way, as long as you only assign a limited weight to them. In plain English, being on the RBL doesn't mean you're a spammer, but it does make it somewhat more likely. You only reject messages that have a lot of clues.
3B. It should _also_ take into account the current volume of identical or nearly identical messages. I suspect that a worldwide system for IMMEDIATELY sharing a hash of messages that occur in large volume would be helpful; I know some private companies already use a similar system.
3C. It should _also_ take into account the past history of the IP, rDNS domain, and netblock. This includes the past history of the stuff above and also the past history of user reports as mentioned in 1B.
3D. A valid tactic for certain kinds of messages is to slow down the processing of them. So if you get something you think is probably spam, you can delay a few minutes and see if its score gets better or worse. It will get worse, for instance, if you find you have a lot of identical messages, but that was the first one.
3E. Good servers should have a user-specifiable point cutoff.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
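The scoring design sketched in the comment above (weighted server-side tests in 3A, a shared hash of near-identical bodies in 3B, per-source history fed by user reports in 1B/3C, delayed re-scoring in 3D, and a score header the client interprets with its own cutoff in 1A/3E) as one runnable sketch. This is an added example, not code posted in the thread or any real filter's implementation: the header name X-Spam-Score, the test names, the weights, the thresholds, and the sample messages and metadata are all assumptions constructed for illustration. SPF, rDNS and RBL results are taken as already-resolved fields in a metadata dict rather than looked up live.

```python
import hashlib
import re
from collections import Counter, defaultdict
from email.message import EmailMessage

WEIGHTS = {  # illustrative, assumed weights; no single test is decisive on its own (3A)
    "SPF_FAIL": 3.0,         # sender domain publishes SPF; this IP is not permitted
    "SPF_NONE": 0.5,         # no SPF record at all: weak evidence either way
    "NO_RDNS": 1.5,          # connecting IP has no reverse DNS
    "RBL_LISTED": 2.0,       # kept deliberately low: a listing is a clue, not proof
    "YOUNG_DOMAIN": 1.5,     # domain registered less than 30 days ago
    "OBFUSCATED_DRUG": 2.0,  # C$ALIS-style product names in the body
    "BULK_VOLUME": 3.0,      # many near-identical copies seen recently (3B)
    "BAD_HISTORY": 2.5,      # repeated user reports against this IP or domain (3C)
}
REJECT_SCORE = 10.0            # server never delivers at or above this
SCORE_HEADER = "X-Spam-Score"  # assumed header name for the 1A proposal
OBFUSCATED = re.compile(
    r"\b(c[\W_]*[i1$][\W_]*a[\W_]*l[\W_]*[i1][\W_]*s|v[\W_]*[i1][\W_]*a[\W_]*g[\W_]*r[\W_]*a)\b",
    re.IGNORECASE)

def body_hash(body):
    """Hash a canonicalised body so copies differing only in digits/punctuation match (3B)."""
    text = re.sub(r"\d+", "#", body.lower())   # order numbers, tracking ids
    text = re.sub(r"[^a-z# ]+", " ", text)     # punctuation and URL noise
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()

class SpamFilter:
    """Server-side scorer holding the shared volume feed and per-source history."""
    def __init__(self, bulk_threshold=5):
        self.seen = Counter()            # body hash -> copies observed (3B)
        self.reports = defaultdict(int)  # IP or domain -> user spam reports (1B)
        self.bulk_threshold = bulk_threshold

    def observe(self, body):
        self.seen[body_hash(body)] += 1  # in practice a feed shared between sites

    def report_spam(self, meta):
        """Client said 'my user thinks this was spam' (1B); feeds the 3C history."""
        self.reports[meta["ip"]] += 1
        self.reports[meta["domain"]] += 1

    def score(self, body, meta):
        checks = {
            "SPF_FAIL": meta["spf"] == "fail",
            "SPF_NONE": meta["spf"] == "none",
            "NO_RDNS": not meta["rdns"],
            "RBL_LISTED": meta["rbl_listed"],
            "YOUNG_DOMAIN": meta["domain_age_days"] < 30,
            "OBFUSCATED_DRUG": bool(OBFUSCATED.search(body)),
            "BULK_VOLUME": self.seen[body_hash(body)] >= self.bulk_threshold,
            "BAD_HISTORY": max(self.reports[meta["ip"]], self.reports[meta["domain"]]) >= 3,
        }
        hits = [name for name, hit in checks.items() if hit]
        return round(sum(WEIGHTS[h] for h in hits), 1), hits

    def stamp(self, msg, meta):
        """Score, write the header the client reads (1A), return 'reject' or 'deliver'."""
        score, hits = self.score(msg.get_content(), meta)
        if SCORE_HEADER in msg:
            del msg[SCORE_HEADER]        # never trust a score the sender pre-supplied
        msg[SCORE_HEADER] = f"{score} ({', '.join(hits) or 'none'})"
        return "reject" if score >= REJECT_SCORE else "deliver"

def client_folder(msg, user_cutoff=5.0):
    """Mail-client side: same header, per-user strictness (1A, 3E); default is strict."""
    score = float(msg[SCORE_HEADER].split()[0]) if SCORE_HEADER in msg else 0.0
    return "junk" if score >= user_cutoff else "inbox"

# Constructed sample traffic (documentation IPs, reserved example domains):
SPAM_BODY = "Buy C$ALIS online now! Order #48213. Click http://example.invalid/x7 today"
SPAM_META = {"ip": "203.0.113.7", "domain": "pills-example.invalid", "spf": "none",
             "rdns": None, "rbl_listed": True, "domain_age_days": 4}
HAM_BODY = "Hi Bob, the meeting moved to 3pm. Minutes attached. Thanks, Alice"
HAM_META = {"ip": "198.51.100.20", "domain": "corp.example.com", "spf": "pass",
            "rdns": "mail.corp.example.com", "rbl_listed": False, "domain_age_days": 4000}

def demo():
    f = SpamFilter()
    first = EmailMessage()
    first.set_content(SPAM_BODY)
    f.observe(SPAM_BODY)
    out = {"first_action": f.stamp(first, SPAM_META),
           "first_score": float(first[SCORE_HEADER].split()[0]),
           "default_user": client_folder(first),        # strict default: junk
           "lenient_user": client_folder(first, 8.0)}   # lenient user: inbox
    # 3D: hold the message a few minutes; meanwhile five more copies with fresh
    # order numbers arrive and the shared hash volume crosses the threshold.
    for n in range(5):
        f.observe(SPAM_BODY.replace("48213", str(90000 + n)))
    out["rescored_action"] = f.stamp(first, SPAM_META)
    out["rescored_score"] = float(first[SCORE_HEADER].split()[0])
    for _ in range(3):                                  # 1B: three users report the run
        f.report_spam(SPAM_META)
    out["history_hits"] = f.score("completely new wording", SPAM_META)[1]
    ham = EmailMessage()
    ham.set_content(HAM_BODY)
    f.observe(HAM_BODY)
    out["ham_action"] = f.stamp(ham, HAM_META)
    out["ham_folder"] = client_folder(ham)
    return out
```

On the first copy the pharmacy message scores 7.5: below the server's hard-reject line, so it is delivered with the header, and the strict default client files it as junk while a user who raised their cutoff to 8.0 still sees it. Once five more copies with different order numbers have been observed, re-scoring the same held message adds the bulk-volume points and it crosses into reject, which is the 3D delay paying off. The RBL weight is intentionally too small to reject on its own, matching the comment's caveat that a listing is only a clue, and the server strips any pre-existing X-Spam-Score header so a sender cannot pre-stamp a message as clean.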
However, it's not the spammers buying government that made this mess. It's Congress trying to create the appearance that they're Doing Something Useful, without having the skill set to *actually* do anything useful, and (if you want to give them some credit, which they may or may not deserve), they were trying to stay out of serious trouble with either the First Amendment or Legitimate Big Businesses or their cronies or other things that would get them in trouble. In other words, they were grandstanding to look good, and any of them who were competent enough to understand the problem did know that. Their measurement of success or failure isn't whether spam actually gets stopped (though they'd be happy if that happened, just as they'd be happy if Global Warming vanished overnight), it's whether they can tell their constituents that they're Doing Something Productive. And if the voters believe them, well, shame on them...
IMHO, it's simply not possible for one government to write a law draconian enough to stop a significant quantity of spam on a world-wide internet without significantly interfering with civil liberties and business productivity, because enough spammers are flexible enough to restructure their activities and find countries to work from where there are service providers who are perfectly willing to take their business, and find ways to use normal corporate-structure laws to insulate themselves from prosecution. Modern Internet and computer technology means that it's nearly free to communicate with the billion-or-so people who've got the most money, and the percentage of those people who are suckers has not significantly improved since P.T.Barnum measured their birth rate, and the percentage who are greedy enough to want to exploit them hasn't gone down much either. (That's not to say that the greedy people and the suckers don't overlap - they're just not the ones who make up most of Spamhaus's Top 200 Spammers list, and in fact they're often the best customers for the spamware vendors.) So the economics are there to make spamming look profitable, and often to actually be profitable, the people who want to profit from it are willing and able, and at least a few of them are creative enough to find workarounds for most laws, even if it means setting up an occasional $100 disposable corporation or paying extra for a bullet-proof Chinese website or renting an expendable army of zombies.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Fight Spammers!