Tweaking the CAN-SPAM Act
rbochan writes "The Register is reporting that the U.S. Federal Trade Commission is consulting on proposed changes to the CAN-SPAM Act. Changes would include clarifying the definitions of the terms person and sender, and altering the time allowed for a sender to honor an opt-out request. The FTC proposal is available as a PDF on the official FTC site." From the article: "Critics have accused the Act of being narrow and weak, accusations that may be hard to deny given that the US sends more spam than any other, according to a recent report by anti-virus firm Sophos."
The purpose of the CAN-SPAM act wasn't to stop spam, it was to legitimize spam sent by the DMA and its members.
News for Nerds. Stuff that Matters? Like hell.
What we really need is a federal CAN CONGRESS act. Please, as though this is a problem that legislation can fix. If Congress really, truly wanted to end spam, why not allocate some grant money to improving anti-spam technology?
"There's companies that are just so cool that you just can't even deal with it," - Bill Gates, about Google
"It is also proposing to shorten from 10 days to three the time a sender may take before honouring a recipient's opt-out request;"
Yeah, so now they only have 3 days to sell my address to 100 other spam lists.
João Pinheiro
I'm curious: what do the libertarian-minded say about CAN-SPAM? That the Internet can handle its own problems, perhaps?
WeRelate.org - wiki-based genealogy
It all speaks to our fondest value in the US, evident in places as diverse as SPAM, excessive plastic surgery, and corporate welfare/rights: so long as someone can believably assert that they are "just trying to make a buck," our national consciousness and our lawmaking machinery are *absolutely loath* to do anything to slow them down, whether the argument is ethnical, environmental, logistical, criminal...
STOP . AMERICA . NOW
- "Baked beans are off!"
- "Can I have spam instead?"
- "You mean spam spam spam spam spam spam spam spam spam spam spam and spam?!"
- "Yes."
- "Blaaarght"
João Pinheiro
I didn't want to be a spammer....
/me wanders off into the woods with a bunch of singing mounties
What I really wanted to be was a lumberjack
Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
I'd call it the Can't Spam Act.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Existing laws should be applicable. Let's see, spam at a minimum usually involves
* forgery with the intention to deceive.
* theft of service
* trespassing
Reshape the existing laws to include new technologies.
While we are at it, go after the end beneficiary of spam. The ones selling a product or service. I know some will say that it is too easy to set someone up. Is it? In the U.S. one is presumed innocent unless proven guilty beyond a reasonable doubt. Hmm... we should be able to spot a setup.
Heck, why laws at all? Most times the parties involved cross multiple boundaries/jurisdictions. Laws, in the long run, are not the way to go. The technology needs fixing.
Keep the Classic Slashdot.
oops singing :)
Though the first may be more accurate
Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns
All I want is the right for a simple small claims mediation. Let me shoulder the burden of prosecution! These guys are absolutely punishing my email servers and bandwidth. Let me hit them back! Here is how it would go:
:)
Me: I didn't ask for this email and I have no relationship with the vendor. Here is the proof that I got spam for their product, directing me to the following websites they control...
Mediator: Do you have proof that DaGoodBoy agreed to be solicited?
Spammer: Uh...
Mediator: That will be $500 bucks. Next!
If I lose, I'll agree to pay $500 for the trouble. Hell, let this happen on a teleconference with a mediation company sanctioned by the government instead of court. I bet I could make a living just from pursuing my spammers!
Either this or just look the other way while I set up an anonymous payout deadpool for the members of the ROKSO list...
My God! It's full of Voids!
Who is the Senate sponsor of the CAN-SPAM act? I sure will give him/her a piece of my mind. It doesn't matter if it is my Senator or not. Whoever it is has to accept responsibility for putting this piece of trash into law and needs to hear from everyone affected by it.
There is no such thing as anti-spam technology.
Spam filters, RBL lists, etc. don't stop spam, they just suppress it.
Spam begins with a desire for $$. Eliminate the payoff for spam and spam will die.
The Government doesn't know how to solve problems, all they know how to do is create legislation using their limited understanding of the problem. "Spam is bad, therefore we should make it illegal!" Nice job, Congress. CAN-SPAM has been around for how long now? Anyone notice a difference? Gmail does more to can my spam than any government ass could do any day.
Wouldn't it be funny if there was a SPAM lobby that was paying fat sacks of cash money to senators and congressmen to "inform" them as to the benefits of SPAM? 'if we don't spam people, we will be a country of small penis-ed, non-working-at-home, erectile dysfunctioned, people WITHOUT FREE IPODS!'
and the man on the tape said that they'd suffocate, if the sharks would stop swimming in circles.
The purpose of the CAN-SPAM act wasn't to stop spam, it was to legitimize spam sent by the DMA and its members. ...but make it easier to filter out.
I don't know whether the DMA members are complying or not. Most spam is still sent from outside the DMA's members. So we sure can't turn off our Bayesian spam filters.
The theory was that the US would crack down on those people, who according to TFA are right here in the US, leaving us with just the easily-filterable DMA-approved ads.
That hasn't happened yet, perhaps because the FBI has more important things on its mind (i.e. terrorism). I can't imagine that the DMA is happy, because their actual sales pitches are getting lost among the scams, phishes, and frauds.
I'll worry about how evil the DMA is once I stop getting 92 spams a day for C$ALIS.
If the spam is required to be labeled with a subject line starting with ADV: it makes it very easy to filter and easy for a judge and jury to determine that it does break the law when they don't include it. Under the California law, if you leave out required labeling, it is deceptive allowing individuals to sue for $1000 for each one.
Fight Spammers!
So far, so good.
Dude, you have nothing to worry about as long as the DMA can pay lobbyists.
How did you get their addresses?
No. It isn't about quantity.
It's about unsolicited commercial ads.
If 10,000 people have personally contacted you looking for Product X, and you personally reply to those 10,000 people saying that you have Product X in stock, that would be fine.
Nope. It's quite easy as a matter of fact.
The key is HOW the addresses you are sending to are obtained.
In a legitimate, non-spam business, they will be obtained by those people giving you their email addresses and expecting to receive emails from you.
In a spam business, emails are harvested and/or purchased in bulk.
All that the US needs to do is to define non-spam as email sent by a company that you have provided your info to and for that company to have a record of that (your IP address, your email address, the web page/domain you were at when you provided it).
Anything else is spam.
No "affiliates", no "partners", no one other than that one company you provided the information to.
Legitimate companies will not have a problem with this. Give them 6 months to update their mailing lists to meet the new criteria.
Spammers (and companies using them) are the only ones that will be affected by this.
This is very bad news for all those legitimate banks that purchase email leads from spammers, but I really don't give a rat's ass about whether they like it or not. I'm tired of getting mortgage spam and I'm tired of people saying that their email was flagged as spam just because they were discussing their mortgage options with their bank.
Before "CAN-SPAM", the various states would pass their own anti-spam laws.
... one worthless Federal law that trumps all of the state laws.
Some states had really good (anti-spammer) laws.
Some didn't.
So the DMA lobbied the government to deal with the "problem" of different states having different laws.
The end result
National Do Not Call list law is passed. I put my phone number on the list. Literally within weeks, the number of telemarketing calls plummets from a flood to a tiny trickle. (The trickle being charities and political campaigns).
CAN SPAM act is passed. Nothing happens.
And most of the SPAM has every appearance of being generated in the U.S. You gotta think the CAN SPAM act is ineffective, perhaps by design.
"How to Do Nothing," kids activities, back in print!
... and the older (trumped) California or Washington laws should be put into place.
Spammers should be forced to provide absolute PROOF that you signed up (and verified) that you wanted marketing mail. No selling of email lists. Ever get spams that claim "You're getting this because you subscribed from 207.92.115.25 on $date" at all? They should be able to *prove* that *I* subscribed.
CAN-SPAM has done nothing but open the floodgates for spammers. I have seen it in action, seeing as how I worked for a company that's now on the ROKSO list. I got to deal with it every single day.
CAN-SPAM is a *total failure* and the only right thing to do is repeal it and send it back to the drawing board, allowing the states to come up with their own laws.
I'm all about stiffer legislative penalties and more consumer control over the listing of their information. But I'm ALSO for the market improving its filtering, and I don't think it requires charging, and I don't think there's a good way to charge.
The key point that IS true is that spam will exist as long as stupid people buy stuff from spam in sufficient quantity. Short of improving education and waiting 30 years, the only solution is to keep the spam from getting to most users.
Here's what we really need:
1) Improved server-client spam communication. This is what we don't have:
1A. An open standard "spam points" header system - so that IF your receiving mail server has a "ranking" filter that gives a point score to emails it can pass an email to your mail client but tell the mail client "this is 75% spam." This lets you run advanced server-maintained filters but make user-specific decisions about how "strictly" to interpret them. Mail clients already by default ignore extra headers, so all I'm suggesting is that the server filters need to add it in a standard way for the clients to use if they so choose. For bonus points, it should have the main header and "this is 90% from a misDNSed mail server." etc. Mail clients should by default have a fairly strict checking, because the users who don't know how to set it are the same users who are likely to be phished.
1B. An open standard for the mail client telling the receiving mail server "my user thinks message 232432432 was spam." Obviously, users are wrong sometimes, but this would let users who find spam automatically report it to automatically improve their server-side filters. Many servers will ignore this feature, which is fine. But as long as all the clients try in the same way, at least it will be easy for a server to account for it.
2. SPF & friends - letting at least some servers prove who they are. This exists, although of course adoption could be better. If sender and receiver have SPF, people can't pretend to be you anymore.
3. Good, tracking weighted server side filters. These already exist. It should let through email that fails only a couple of tests, but should assign a point value based on many factors. Note that we don't need to force everyone to do this, just the few biggest targets.
3A. They should take into account use of SPF, whether the maildomain has a valid DNS and some valid RDNS, whether the netblock is commonly used for spam, how long the domain has been active and normal content filtering of the message & content. Netcraft's phishing list, etc.
You can safely use things like the RBL this way, as long as you only assign a limited weight to them. In plain English, being on the RBL doesn't mean you're a spammer, but it does make it somewhat more likely. You only reject messages that have a lot of clues.
3B. It should _also_ take into account the current volume of identical or nearly identical messages. I suspect that a worldwide system for IMMEDIATELY sharing a hash of messages that occur in large volume would be helpful; I know some private companies already use a similar system.
3C. It should _also_ take into account the past history of the IP, rDNS domain, and netblock. This includes the past history of the stuff above and also the past history of user reports as mentioned in 1B.
3D. A valid tactic for certain kinds of messages is to slow down the processing of them. So if you get something you think is probably spam, you can delay a few minutes and see if its score gets better or worse. It will get worse, for instance, if you find you have a lot of identical messages, but that was the first one.
3E. Good servers should have a user-specifiable point cutoff.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
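An added example, not part of the comment above or of any existing filter: a sketch of the scheme in points 1A and 3A-3E, where the server assigns limited weights to each clue, rescoring after a delay picks up bulk duplicates, and the client applies the user's own cutoff. The `X-Spam-Points` header name, the weights and the thresholds are assumptions chosen for illustration.

```python
import hashlib
from collections import Counter

HEADER = "X-Spam-Points"      # hypothetical header name (assumption)
# Hypothetical weights: no single clue, the RBL included, reaches a
# typical cutoff by itself (3A).
WEIGHTS = {"spf_fail": 25, "no_rdns": 15, "on_rbl": 20,
           "new_domain": 10, "bulk_duplicate": 30}
BULK_THRESHOLD = 3            # identical bodies before "bulk" applies (3B)
# Constructed sample delivery (not real traffic); the sender forged a score.
SAMPLE = {"body": "Buy now", "on_rbl": True, "spf_fail": True,
          "headers": [("Subject", "hi"), ("X-Spam-Points", "0; none")]}


class Scorer:
    def __init__(self):
        self.seen = Counter()  # body hash -> number of deliveries seen

    def observe(self, msg):
        """Record one delivery so later scoring can see the volume."""
        self.seen[self._digest(msg)] += 1

    @staticmethod
    def _digest(msg):
        return hashlib.sha256(msg["body"].encode("utf-8")).hexdigest()

    def score(self, msg):
        """Return (points, clues); safe to call again after a delay (3D)."""
        clues = [c for c in ("spf_fail", "no_rdns", "on_rbl", "new_domain")
                 if msg.get(c)]
        if self.seen[self._digest(msg)] >= BULK_THRESHOLD:
            clues.append("bulk_duplicate")
        return min(100, sum(WEIGHTS[c] for c in clues)), clues

    def stamp(self, msg):
        """Drop any sender-supplied copy of the header, then add ours (1A)."""
        points, clues = self.score(msg)
        kept = [(n, v) for n, v in msg.get("headers", [])
                if n.lower() != HEADER.lower()]
        detail = ", ".join(f"{c}={WEIGHTS[c]}" for c in clues) or "none"
        return kept + [(HEADER, f"{points}; {detail}")]


def client_decision(headers, user_cutoff):
    """Client side (3E): apply the user's own cutoff to the server's score."""
    values = [v for n, v in headers if n.lower() == HEADER.lower()]
    if len(values) != 1:
        return "inbox"         # unscored or ambiguous: client decides nothing
    try:
        points = int(values[0].split(";", 1)[0].strip())
    except ValueError:
        return "inbox"
    return "junk" if points >= user_cutoff else "inbox"
```

Stripping any inbound copy of the header before stamping matters because a client that trusts the score would otherwise also trust one the sender wrote.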
Stats for May 15-May16 for inbound mail attempts to one small domain - somewhere on the Internet
Mail rejected because account didn't exist (BRT)
server1: 1,411,109 (May15 16:24 - May 16 18:05)
server2: 1,423,574 (May15 20:32 - May16 18:09)
server3: 1,309,968 (May15 10:14 - May16 18:13)
Mail rejected by RBL
server1: 235,397 (May15 16:24 - May 16 18:05)
server2: 287,573 (May15 20:32 - May16 18:09)
server3: 279,709 (May15 10:14 - May16 18:13)
Mail actually delivered to mail spool
(i.e. before spam assassin checking):
server1: 112,634 (May15 00:06 - May16 17:58)
server2: 146,300 (May15 08:47 - May16 18:08)
server3: 57,055 (May15 11:31 - May16 18:13)
Totals and percentage of total mail processed over ~24 hours:
Mail Delivered: 315,989 6%
Mail Rejected RBL: 802,679 15%
Mail Rejected BRT: 4,144,651 79%
Judging by my own e-mail, and the amount of spam that gets through for spamscope to dispatch, less than 6% of all e-mail being sent is legitimate.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
espo
Spam is about consent, not content. What about spam which does not ask for money? Phishing?
I can throw myself at the ground, and miss.
However, it's not the spammers buying government that made this mess. It's Congress trying to create the appearance that they're Doing Something Useful, without having the skill set to *actually* do anything useful, and (if you want to give them some credit, which they may or may not deserve), they were trying to stay out of serious trouble with either the First Amendment or Legitimate Big Businesses or their cronies or other things that would get them in trouble. In other words, they were grandstanding to look good, and any of them who were competent enough to understand the problem did know that. Their measurement of success or failure isn't whether spam actually gets stopped (though they'd be happy if that happened, just as they'd be happy if Global Warming vanished overnight), it's whether they can tell their constituents that they're Doing Something Productive. And if the voters believe them, well shame on them...
IMHO, it's simply not possible for one government to write a law draconian enough to stop a significant quantity of spam on a world-wide internet without significantly interfering with civil liberties and business productivity, because enough spammers are flexible enough to restructure their activities and find countries to work from where there are service providers who are perfectly willing to take their business, and find ways to use normal corporate-structure laws to insulate themselves from prosecution. Modern Internet and computer technology means that it's nearly free to communicate with the billion-or-so people who've got the most money, and the percentage of those people who are suckers has not significantly improved since P.T.Barnum measured their birth rate, and the percentage who are greedy enough to want to exploit them hasn't gone down much either. (That's not to say that the greedy people and the suckers don't overlap - they're just not the ones who make up most of Spamhaus's Top 200 Spammers list, and in fact they're often the best customers for the spamware vendors.) So the economics are there to make spamming look profitable, and often to actually be profitable, the people who want to profit from it are willing and able, and at least a few of them are creative enough to find workarounds for most laws, even if it means setting up an occasional $100 disposable corporation or paying extra for a bullet-proof Chinese website or renting an expendable army of zombies.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Fight Spammers!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.