Slashdot Mirror


Australian Rules to Crack Down on Spam

siffty writes "Internet service providers could face huge fines if they do not provide spam filtering or impose email sending limits under new rules set down by a communications watchdog. The Australian Communications and Media Authority (ACMA Media Release) today registered the world's first legislative code of practice for internet and email service providers. Dealing with unsolicited email or spam costs business and home internet users millions of dollars each year in wasted time and upgrading security systems. But under the new code, ISPs will have to offer spam filtering options to subscribers and provide a system of handling complaints. They will also have to impose reasonable limits on the rate at which subscribers can send email."

23 of 113 comments

  1. Running the Stats by Mattygfunk1 · · Score: 3, Insightful
    > The rate of spam originating in Australia had fallen in the past 12 months from 2 per cent to 1 per cent. But there was no accurate assessment of the amount of spam coming from overseas sources.

    How do they know the percentage of Australian spam if they don't know the total amount of spam?

    1. Re:Running the Stats by phukraut · · Score: 2, Informative

      They probably mean the average rate, which can be determined from a sample. This can be used to estimate the rate of the population of spam.

    2. Re:Running the Stats by shellbeach · · Score: 3, Insightful

      > But since when has mathematical truth interfered with policy making?

      Hey, leave maths out of it! Since when has truth interfered with policy making??

  2. Don't worry by DigiShaman · · Score: 2, Funny

    The AU government will get spammed with products on how to crack down on spam.

    --
    Life is not for the lazy.
  3. Re:Total internet clusterfuck down under by Anonymous Coward · · Score: 2, Funny

    It could be worse. They could emulate the USA's "CAN-SPAM" act, where there are no civil penalties, the criminal penalties take the FBI to actually care, and it's literally OK to spam until the victim whines, then you get to keep spamming for three more days, and after that you can't send that particular spam message again.

    It's as if you can grab a passerby, open their legs, and when they say no, you still get to thrust without penalty for three more days. After the three days, if you catch them on another street (use a different email address for them) or you change your clothes (send them a different spam from a different throwaway company address) you get to start all over again.

  4. Stupid. by Pig Hogger · · Score: 4, Insightful

    This is stupid. It won't do anything against spam sent by spamming criminals who use arrays of trojaned zombies, which are the most prominent source of spam.

    1. Re:Stupid. by FireFury03 · · Score: 2, Interesting

      > If the ISPs, all ISPs, set a maximum of, say, 1 outgoing email per second for all of their general users, wouldn't that make a zombied PC too slow to be viable? If not, how about 1 per 5 seconds? Or 10?

      It would do absolutely no good because the limits would almost certainly be placed on the number of mails being relayed through the ISP's servers and spammers don't do this - they either send directly from a compromised machine or via an open relay.

      Stopping people sending directly would be a Bad Thing (I for one only use my ISP for an internet connection, I don't use their mail servers, etc).

      Passing some laws that require ISPs to kick customers off who run open relays would be a good start (and very easily testable). Kicking customers who don't patch their machines would also be an excellent idea but hard to test.

      IMHO the ISPs should do a "credit rating" type system like the banks use - if you're shown to get cracked regularly and/or don't clear up your mess quickly then you get a bad "internet rating" and no ISP will give you an unfiltered account. I.e. persistent offenders will end up with only being able to surf the web. At the moment there really is no motivation for people to run secure systems - most trojans and worms don't actually cause much trouble for the owner of the compromised machine. (If people lost all their work whenever they got compromised they might give more of a damn :)

    2. Re:Stupid. by MichaelSmith · · Score: 2, Insightful
      > Stopping people sending directly would be a Bad Thing (I for one only use my ISP for an internet connection, I don't use their mail servers, etc).

      If the Government here in .au heard of this and comprehended it the port blocks would go up on port 25 in no time at all.

      I use a static smtp route through my ISP because some networks maintain lists of dynamic IP addresses and reject mail from them. It's just easier that way.

  5. Aussie Rules? by lovedew · · Score: 5, Funny

    I thought Australia's iconic sport is forcing players to cut down on fatty food.

    --
    Got Game/Music/Movie? In NZ? Swap Them Here
  6. That's all fine & good by 70Bang · · Score: 2, Interesting



    But here in the US, we need to have something which actually works. The DMA (Direct Marketing Association) wrote the law - in order to guarantee opt-in wasn't a premise because they didn't believe it to be a "financially viable option" (translated: if we can't ensure our ability to make money, it's a bad thing). Those who have been interviewed about the issue and have been willing to discuss it have admitted it left a long skid mark.
    I can pull up the cite if someone wants it.


    If spam legislation is supposed to work, why do we get more? It can't be because we don't click on the opt-out list. Those are a crock. I've seen some which do nothing more than display text files which say, "Thanks!" and an error is produced because they didn't know what they were doing with VBScript under ASP.


  7. Re:Telstra by Paska · · Score: 3, Informative

    > I'm wondering if this would have gone ahead if Telstra was still owned by the Government. They're our biggest ISP.

    51.8% of Telstra is owned by the Australian Government, that gives them the majority share.

  8. Depends on what the % means. by Chuck Chunder · · Score: 2, Interesting

    The quote only really makes sense if it means that 1% of all email sent in Australia is spam, not that 1% of spam is Australian.

    It's so badly worded it could mean anything though...

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  9. Logging IP Address by clockwise_music · · Score: 3, Insightful

    (I previously posted this on zdnet.com.au)

    What I don't understand is section 8.1: "ISPs directly responsible for the allocation of IP addresses to their subscribers (eg, all of them) will use all reasonable efforts to retain information pertaining to those allocations for a minimum period of seven days."

    Can someone tell me what this has got to do with spam? Isn't this just a case of our privacy being thrown out the window but disguising it within a "spam act"?

    7 days is a bit of a joke.. what this means in reality is that ISPs will now have to store your account name, IP address and logon-logoff times in a db. Sounds to me like law enforcement want more evidence available for either prosecution or spying.

    1. Re:Logging IP Address by grrrl · · Score: 2, Interesting

      > 7 days is a bit of a joke.. what this means in reality is that ISPs will now have to store your account name, IP address and logon-logoff times in a db. Sounds to me like law enforcement want more evidence available for either prosecution or spying.

      Well, I can log into my ISP's web-based account manager and get my login/logout times and IP details for the last month.

      How can you assume they aren't keeping track already?? The implementation seems trivial.

    2. Re:Logging IP Address by glesga_kiss · · Score: 2, Insightful
      > Can someone tell me what this has got to do with spam?

      If your ISP are able to map IPs to users, they can take a spam complaint and find out where the spam came from. Most spam doesn't go through an ISP's mail gateway; the spammer (or zombie PC) simply connects directly to the target mailserver. That mailserver will log the IP source of all messages.

      > 7 days is a bit of a joke.. what this means in reality is that ISPs will now have to store your account name, IP address and logon-logoff times in a db.

      If you live in the UK or the USA, they already do this and keep it way longer than 7 days. It's several years here in the UK and I think there are already laws stating the minimum period.

  10. 1/sec, 50/min, 200/hour, 1,000/day. by khasim · · Score: 2, Interesting

    Now, 1,000 messages a day should far exceed the needs of 99% of the legitimate home users out there.

    The problem with rate limits is that there are a few people who will have a legitimate need to send more than 1,000 messages a day, every day.

    And the ISP costs go up once any of their tech support people have to answer a phone because your joke of the day list is being blocked after 1,000 sendings.

    There's no easy way around this. Somewhere, someone is going to have to pay money to start solving this problem.
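The tiered limits in the subject line above (1/sec, 50/min, 200/hour, 1,000/day), as an added sketch that is not part of the original comment: a per-subscriber sliding-window limiter of the kind an outbound mail relay could apply. The class and function names are hypothetical and the workloads in the test are constructed.

```python
from collections import deque

# Tiers from the comment's subject line: (window in seconds, max messages).
TIERS = [(1, 1), (60, 50), (3600, 200), (86400, 1000)]


class SubscriberLimiter:
    """Sliding-window limiter: a message is accepted only if every tier has room."""

    def __init__(self, tiers=TIERS):
        self.tiers = sorted(tiers)
        self.sent = deque()  # timestamps of accepted messages, oldest first

    def allow(self, now):
        """Return (accepted, retry_after_seconds) for a send attempt at time `now`."""
        longest = self.tiers[-1][0]
        while self.sent and self.sent[0] <= now - longest:
            self.sent.popleft()  # forget sends older than the longest window
        retry = 0.0
        for window, limit in self.tiers:
            recent = [t for t in self.sent if t > now - window]
            if len(recent) >= limit:
                # A slot frees up when the oldest counted send leaves this window.
                retry = max(retry, recent[-limit] + window - now)
        if retry > 0:
            return False, retry  # a relay would answer with a temporary failure
        self.sent.append(now)
        return True, 0.0


def accepted_count(timestamps):
    """Replay send attempts (seconds, ascending) for one subscriber; count accepted."""
    limiter = SubscriberLimiter()
    return sum(1 for t in timestamps if limiter.allow(t)[0])
```

A sender attempting two messages a second gets 200 through in the first hour, while a list sending one message every 100 seconds never hits a limit; the limiter only sees mail that actually passes through the ISP's relay.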

  11. Conflicting agendas. by khasim · · Score: 3, Interesting

    I don't know about you, but here's what I want:
    #1. No one sending me ads if I haven't, personally, given you my email address.

    #2. When I opt out, you drop me from all further ads and "informational" mailings. You only send me my invoice and my shipping notification.

    #3. You send me, once a month/quarter/year, a notification that I am on your list so that I may change my address or opt out at that point. This is very helpful if I am an email admin and I'm trying to be nice and opt-out people who are no longer at the company.

    Now, what the advertisers want is:
    A. A list of people that they can send ads to, cheaper than snail mail.

    B. See A.

    So, looking at it in that fashion, you can see why there is a problem.

    If the legitimate retailers would just start behaving like legitimate retailers, a big chunk of the spam problem would vanish. But they won't.

    1. Re:Conflicting agendas. by ahodgson · · Score: 2, Interesting

      > Technically, without fully signed messages, there's no way a business can determine if YOU signed up for a mailing list or if somebody else did it for you.
      > There is no way round this with current practices.


      Confirmed opt-in is the industry standard. Send one message with a cryptographically strong token that must be clicked on or returned to confirm that the addressee wants to be on the list. If you don't get confirmation, you never email that address again. It's been available forever and works fine. "Marketers" may not like it, because it doesn't integrate with their CRM crap spamming software, but it has to be done.
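The confirmed opt-in flow described in the comment above, as an added sketch that is not part of the original post: one confirmation message per address, a single-use random token, and no further mail unless it is returned. The class name, the in-memory storage and the seven-day expiry are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed confirmation window; the comment gives none


class ConfirmedOptIn:
    """Addresses become mailable only after their token comes back."""

    def __init__(self):
        self.pending = {}       # sha256(token) -> (address, expiry time)
        self.contacted = set()  # addresses already sent a confirmation request
        self.subscribed = set()

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked pending table cannot confirm anyone.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, address, now=None):
        """Return the token to mail once, or None if the address was already contacted."""
        now = time.time() if now is None else now
        address = address.strip().lower()
        if address in self.contacted:
            return None  # "you never email that address again"
        self.contacted.add(address)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (address, now + TOKEN_TTL)
        return token

    def confirm(self, token, now=None):
        """Consume a returned token; True only if it is known and unexpired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        address, expiry = entry
        if now > expiry:
            return False
        self.subscribed.add(address)
        return True

    def may_send(self, address):
        """List mail is allowed only to confirmed addresses."""
        return address.strip().lower() in self.subscribed
```

Because the token is random and reaches only the mailbox owner, a third party who types in someone else's address cannot complete the subscription.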

  12. Re:Total internet clusterfuck down under by dbIII · · Score: 4, Informative
    > Is it just me or is Australia's internet regulation the most inadvertently fucked up system in place?

    Yes, and to make it even more ironic we control the Christmas Island domain ".cx" as well and the PM's son was a spammer. Making noise about internet regulation has been a way to get the merchant in the temple sort of imitation religious freaks on side, since the federal government is not run by a single party but a mainly right wing coalition and needed various weirdos in the senate.

    The other complicating factor is the efforts over the last decade to sell off the government communications infrastructure, which has been complicated by appointing management that refuses to work for the shareholders and directors and keeps on importing more and more of his friends to divide up the corpse of the government communications infrastructure. As a result even the infrastructure in Estonia - which is actually building stuff as distinct from Australia - is edging further ahead and regulation is getting weird and counterproductive. For $200 per month and less than 15km from the CBD of a state capital you would expect better than 1500/256kbs to be available to a business site in a major industrial park - but more would require the mostly government corporation (Telstra) to upgrade their exchange and perhaps even add in more lines.

  13. So is political spam still exempt? by 0x00 · · Score: 2, Interesting

    The Prime Minister, John Howard, used spam provided by his son's company in the last election campaign. Unsolicited email was sent containing Liberal Party election material to voters.

    http://www.abc.net.au/news/newsitems/200408/s1186389.htm

    --

    0x00

  14. Re:Total internet clusterfuck down under by Marlor · · Score: 4, Informative

    > They will eventually get the ISPs under the government's thumb. Whether it be through direct laws requiring certain filtering features or through oversight-free regulation via governmental agencies, they will succumb.

    This regulation was primarily developed by Australia's Internet Industry Association (which is made up of ISPs), working together with the Australian Government. The IIA have made it clear that this was primarily their work, as part of their spam-fighting measures. So, the Government is not "getting the ISPs under their thumb", this was just a way to codify best-practices, and ensure that all ISPs adhere to them.

    The code of practice seems pretty fair to me. The only thing that could affect customers would be the mailing limits, and this would only be an issue if you were running a high-volume mailing list. But if this is the case, it would probably be courteous to inform the ISP anyway, and I'm sure that they could remove the limits on mail sending if you had a legitimate reason why you needed to send large volumes of mail.

  15. A Real Spam Solution by trazom28 · · Score: 2, Interesting

    How about a law that requires up to date anti-virus software on everyone's computer. Granted, enforcement would be a bitch, but hear me out on this one..

    Judging from the customers that come through the door and the complaints, a good.. 75-80% of spam seems to originate not from one person sending out massive emails.. but rather trojan zombie computers. 300 compromised computers on a high speed connection of any kind, sending a small volume of spam mail make a significantly bigger impact than one uncompromised machine at a spammer's house sending out email.

    Ok.. now you may shred this idea up :)

    --
    {} ------ When I think of a good sig, I'll put it here
  16. Re:Oi by aXis100 · · Score: 2, Interesting

    It's just a slow news week is all. The Australian government regularly does stupid things, it's just this week it got noticed by the press.

    Most of it never eventuates because Howard does a backflip once he's reminded that 80% of the Australian people think he's a twit.