CAN-SPAM Act Turns 5 Today — What Went Wrong?

alphadogg writes "Five years ago, the US tech industry, politicians, and Internet users were wringing their hands over the escalating problem of spam. This prompted Congress to pass a landmark anti-spam bill known as the CAN-SPAM Act in December 2003. Fast forward five years. The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing US ISPs and corporations an estimated $42 billion a year. What went wrong here?"

hint:criminals don't follow laws

[hguorbray]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

'I'm just saying

Re:hint:criminals don't follow laws

[russlar]

Also making headlines: Sky is blue. Film at 11.

Re:hint:criminals don't follow laws

[Sybert42]

Doesn't seem to stop the various IP police from doing their thing, does it? That doesn't even involve money, most of the time.

Re:hint:criminals don't follow laws

[Chris+Burke]

Thanks for the hint! Now I know why my life of crime has been so slow to take off.

Re:hint:criminals don't follow laws

[SgtAaron]

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

After tiring of the increasing load on our incoming mail servers running spamassassin, I undertook to spend a couple of days finding as many netblocks that ONLY have spam coming from them.

It's shocking really, that I ended up spending more than two days since there were so many spread out all over the place at various colo companies. And I'm sorry to say that what I found is that nearly all of the snowshoe spammers I found were riddled around in colos here in the US. There are a bunch of ISPs out there that seem to be making a bunch of money from snowshoe spammers, so much so that they don't mind allocating half of a damned /19 for the spammers to use and populate with randomly generated domain names. And, of course, just to make it easier for us poor and broke sysadmins, these colos don't just put them all into nice contiguous blocks of IP addresses. I've about given up complaining to the likes of GalaxyVisions, Pacific Internet Exchange, AboveNet (yes, Abovenet is these days hosting lots of snowshoe spammers--sad). The list goes on and on.

I'm up to ~375 netblocks we no longer accept SMTP connections from. The load average on our three MXs is usually about half what it used to be now.

Re:hint:criminals don't follow laws

[the_womble]

It may be obvious, but it was not obvious to legislators....

Unless, of course, its more important to them to be seen to do something, rather than actually do something effective (like providing a budget for enforcement).

Re:hint:criminals don't follow laws

[macraig]

Ah, the wonders of anonymity strike again, eh?

Re:hint:criminals don't follow laws

It's night time here you insensitive clod!

Re:hint:criminals don't follow laws

[Sentry21]

It's not a new concept either. As the old saying goes, 'A lock is a device to keep an honest man honest.' It won't stop a crook.

Let's start penalizing ISPs that don't take sufficient measures to ensure spam doesn't leave their network. Once that's done and spam zombies in first-world countries are shut off (or at least, can't do any damage), then ISPs can start banning traffic from countries that don't bother to do anything about problems (such as Taiwan).

Re:hint:criminals don't follow laws

[collinstocks]

They also called it "CAN-SPAM" which implies...

Just sayin'

I wonder who comes up with these acronyms?

Re:hint:criminals don't follow laws

[lysergic.acid]

except in this case the people profiting from (and are the driving force behind) the crime aren't considered criminals. it makes no sense to outlaw spam but not go after the companies that hire spammers, and whose product advertisements are filling everyone's inbox.

even though a lot of spam is bounced through other countries, most of the products/services being advertised are of U.S. companies who operate completely out in the open and have easily traceable bank accounts. by going after these scummy businesses, you would cut off the money supply the fuels the spam industry and eliminate any financial incentive to send spam.

otherwise, this is like making it illegal commit murder but still allowing people to hire hitmen to do the killing for them.

Re:hint:criminals don't follow laws

How about you meet up with fellow sysadmins in your area and trade lists, have them contribute? Yes, I'm aware that it's a Legislative ( ) Technical (x) Market Based ( ) Vigilante (x) approach to the problem, yada yada yada, but if you keep it limited to offline groups (telephone, physical contact, fax, etc) and make sure you don't provide a big enough target for spammers to bother with, then there's no chance of a DDoS, list-harvesting or spammer-instituted counter-measures. Take a page from America's least unsuccessful enemies (vietcong, terrorists, etc) and use low-tech asymmetric guerrilla warfare - it's a lot more difficult to hit a large group of small targets than it is to hit a small group of large targets. Just make sure you force factions to fork into cells if it becomes too popular, that way any time a list is compromised, only one cell is affected.

Re:hint:criminals don't follow laws

especially when they are anonymous(or at least obfuscated) and in many cases, overseas and therefore beyond prosecution under this law

'I'm just saying

Yep, exactly. The internet is worldwide and you can pass all the laws you want, but if you cant enforce it.....

Re:hint:criminals don't follow laws

[CodeBuster]

One possible response would be for the various sysadmins everywhere to get organized and attempt to close ranks against ISPs which host spammers in any of their IP ranges. Then all of the sysadmins could collectively retaliate against the ISPs in question by blocking all traffic from their entire range. There would be collateral damage, of course, but the ISPs, faced with the fragmentation of the Internet, might relent and quit hosting spammers in return for a cut of the action. The botnets would still be a problem but their effectiveness would be reduced if the ISPs hosting the Command and Control / Relay servers were retaliated against.

Re:hint:criminals don't follow laws

[TheLink]

But why aren't they considered criminals?

Isn't fraud basically deception for gain?

Just a looking at the spam I get:
Fake subject line.
Fake date sometimes
Fake From: field
Garbage text in body to try to fool antispam stuff.
As for the actual claims and promises in the email body, after all that deception why do people still believe them and buy?

As you said, it's not all that out of reach. Just follow the money trail - pick the top offenders that are easy to track down (credit card etc).

Re:hint:criminals don't follow laws

[Hal_Porter]

The First Amendment doesn't say anything about being honest.

Re:hint:criminals don't follow laws

[ionix5891]

could you care to post these ip blocks on a blog or something please

Re:hint:criminals don't follow laws

[HungryHobo]

isn't this basicly what many of the spam blacklists do?
then of course you get people complaining because they bought hosting from a company which got blacklisted for nothing more than hosting spammers who sent out a few billion mails.

Re:hint:criminals don't follow laws

[theaveng]

30% of the world's spam comes the United States and the European Union.

If these two governments worked together, and passed effective laws to arrest companies/criminals that sent spam even if said criminals tried to flee across the Atlantic to Europe (or vice-versa to America), then they could reduce spam-related expenses by about one-fourth.

Re:hint:criminals don't follow laws

[fredklein]

I've said it before- Email Certification.

Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Private' key, and keep the 'Public' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Public key.

An email client that is Certification-compatable will, when it reveives an email, look to see if it has those two headers. If not, it will handle it according to the user's wishes. This means NON-Certified email might be deleted, or sent to a different folder, or whatever. Whitelists/blacklists are still possible.

If the email has the headers, the email client will connect to the Certification Server listed in the one header, and download the 'Private' key to attempt to decrypt the other header. If the decrypted header is valid, the client treats the email the way it is configured to, usually by placing it in the Inbox. Again, whitelists and blacklists can still be used.

If the user receives Spam that is Certified, they can easily report it to the Certifier (email clients can have a 'Report Cetrtified Spam' button that automatically shoots an email off to the Certifier, for instance). The Certifier can then contact the owner of the Certified Server and notify them of the spam. This gives the server owner a chance to stop the spam, in case the server was hacked or the spam was accidental. If the Server owner does not stop the spam, the Certifier simply pulls the Certification, by removing the 'Private' key on their server. From that moment forward, ALL email the Email server in question sends will be NON-certified (and quite frankly, probably deleted by the recipients).

If the Certifier refuses to do anything about the Spamming Server (because they are 'in on it', friendly to spammers, or just incompetent), then ALL Certifications from that Certifier can be marked as 'bad', either on a client-by-client basis, or thru the use of a Certifier black-list.

-There is no 'Central Authority'- your ISP Certifies you for a modest fee.
-You can still send non-certified email, so hobby mailing lists and the like are not affected- the people who receive the mailing list just need to whitelist it.
-Legit email will (eventually, almost always) be Certified, so Certified emails can be sent straight to the Inbox. Non-certified email will (eventually, almost always) be spam, so it can be trashed.
-Any spam that is sent from a Certified server will quickly be reported by pissed-off recipients, and quick action will be needed to avoid that Certifier (and ALL the servers it has certified) from being put on a blacklist.
-Spam will dwindle as Spammers either move to 'spam-friendly' Certifiers (which are blacklisted so the spam never gets thru anyway), or will spend huge amounts of money switching ISPs every 2-3 days to get re-certified over and over. Of course, ISPs could take a clue from the Las Vegas Casinos, and keep a 'black book' of known spammers, and check new clients against them before Certifying them.
-This system does not need to be adopted all at once. Certified and non-certified emails can be handled both by email clients that are Certification aware and not.

It may not be perfect, but it'd be a good start.

Re:hint:criminals don't follow laws

I'm sure they meant it as the slang term "can" which means to dispose of. It's unfortunate that the non-slang meaning holds more true.

Re:hint:criminals don't follow laws

[Hordeking]

It may be obvious, but it was not obvious to legislators....

Unless, of course, its more important to them to be seen to do something, rather than actually do something effective (like providing a budget for enforcement).

Most things that would be obvious don't seem particularly obvious to legislators.

Politician: "Gee, let's make a law making condition Y illegal because some people are committing (already existing) crime X with condition Y."
Constituent: "But X is already illegal, and condition Y is appropriate in a lot of situations not involving crime X!"
Politician: "Well, the world will be a better place!"
Constituent: "But condition Y for me prevents crime X from happening to me! And criminals don't care if Y is illegal."
Politician: "Tough. I know what's best for you."

Re:hint:criminals don't follow laws

[Hordeking]

They also called it "CAN-SPAM" which implies...

Just sayin'

I wonder who comes up with these acronyms?

Noone. They come up with a catchy name, then expand it to make the name sound official with a catchy acronym.

Re:hint:criminals don't follow laws

[TheLink]

As I already said, fraud isn't just about being dishonest.

It includes the stuff they are talking about here:

http://www.usdoj.gov/criminal/fraud/internet/

Maybe they should stop wasting time busting people for smoking cannabis or similar stupidity and start working harder on catching the swindlers.

Re:hint:criminals don't follow laws

On my company's mail server, I block all "foreign" (non-North American) IP addresses, since we do not have any legitimate business contacts in overseas countries. This reduces our spam load by 90 percent or more.

The trend I am seeing more of lately is spam that sources overseas but relays through misconfigured U.S.-based servers. It isn't much (yet), but these spam messages do dodge our IP-based filters.

Re:hint:criminals don't follow laws

[Propaganda13]

Your explanation reminds me of a nearby city enacting a No Texting While Driving law while the Inattentive Driving law is already on the books.

Re:hint:criminals don't follow laws

[Dogers]

Sounds a bit like a forced DKIM combined with TLS to me?

Re:hint:criminals don't follow laws

[SCHecklerX]

For a corporate server, spamassassin should be your last line of defense, since it is the most expensive thing to run on the server. You should instead use mimedefang with triggers on obvious stupid crap* right there at the helo. That takes no real bandwidth and no real processor. Greylisting works wonders too.

I used to be the SMTP admin for a 50,000 employee company. Our false positive rate was a couple every few months, if that. False negatives were a few a month as well. Not bad. Losing legitimate mail is a really bad thing to do.

*on the spamhaus xen list, helo claims to be your own domain, helo claims to be rfc1918, fake 'bounces' without an origination from your domain, open relays not caught by spamhaus, a$$hats who have hit you in the past, etc.

Re:hint:criminals don't follow laws

What? You mean we can't just put a plug in the end of the criminal's tubes?

Thank you, thank you, I'll be here all week...

Re:hint:criminals don't follow laws

[Opportunist]

If you make the advertised product liable for the spam that promotes it, all you do is create a very convenient way to get rid of competition. You are my competitor? I'll hire a spammer to promote your product, you're liable for it and probably go out of business.

Not quite a solution.

Re:hint:criminals don't follow laws

[nasch]

You have public key encryption backwards. You never, ever, ever, give your private key to anyone. Ever. That's why it's called private. If I want to know if a message came from Company X, they need to encrypt part of it (call it the signature) with their private key. I try decrypting their signature using their public key. If it works, I know it could only have been encrypted using their private key. If they're the only ones who have access to that private key, it must have come from them.

If you use the public key for signing the email, all the sender has to do is spoof the from address, or whatever it is that indicates how to get the "private" key from the email certifier. Anybody has access to the public key (it's public after all), so anybody could send me that email and it would check out as legitimate.

What do the certifiers add to the process that someone like Verisign doesn't do already? Today a company (or individual) could already send me digitally signed email that I could verify, and I could set up my mail to reject any non-whitelisted mail that's not signed.

Re:hint:criminals don't follow laws

[lysergic.acid]

yea, and you can also frame people for murder, theft, rape, child abuse, etc. but that's not a reason to make all those crimes legal.

that's why we have trials and due process.

Re:hint:criminals don't follow laws

Framing those crimes is a little more difficult then copying and pasting a picture of Amazon.com into an e-mail. Just a little.

Not that I'd expect anyone on Slashdot to have this thing called 'perspective'.

Re:hint:criminals don't follow laws

[lysergic.acid]

yea, that's not how a criminal investigation works. making the act of hiring spammers a crime doesn't mean you arrest anyone whose product happens to be advertised in a spam message. that might be a good lead to follow in your investigation, but you still have to prove that the person/business is actually guilty of breaking the law.

or did you think that just dumping a dead body on someone's lawn gets them thrown in a gas chamber?

Re:hint:criminals don't follow laws

[fredklein]

You have public key encryption backwards. You never, ever, ever, give your private key to anyone. Ever. That's why it's called private.

Actually, the 'private key' and 'public key' are interchangeable. One will decrypt what the other has... crypted. Doesn't matter which you hand out, or which you keep.

If I want to know if a message came from Company X, they need to encrypt part of it (call it the signature) with their private key. I try decrypting their signature using their public key. If it works, I know it could only have been encrypted using their private key. If they're the only ones who have access to that private key, it must have come from them.

That's what I said:
Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Public key.

If you use the public key for signing the email, all the sender has to do is spoof the from address, or whatever it is that indicates how to get the "private" key from the email certifier.

That would be the encrypted header. How are they going to 'spoof' the encrypted header?

Anybody has access to the public key (it's public after all), so anybody could send me that email and it would check out as legitimate.

There are two keys. Let's forget 'public' and 'private', and call then 'A' and 'B'. My email server (controlled by me) has Key 'A'. It uses key 'A' to encrypt a header line in the email. Also in the header is an unencrypted line that points to "cert.MyCertifyingCompany.com". You receive my email, and your server (or client) contacts "cert.MyCertifyingCompany.com" and requests my key 'B'. Your server uses key 'B' to decrypt the encrypted header, and compare it to to the unencrypted header ("cert.MyCertifyingCompany.com") if it matches, then the email is considered 'certified'.

See, my 'private' key, 'A' is kept only on MY email server, my 'public' key, 'B', is kept by the certifying authority. As I said above, the keys are interchangeable, which one you call 'private', and which one you call 'public' is arbitrary.

What do the certifiers add to the process that someone like Verisign doesn't do already? Today a company (or individual) could already send me digitally signed email that I could verify, and I could set up my mail to reject any non-whitelisted mail that's not signed.

Sure, if you trust ONE COMPANY. With my idea, anyone could certify emails. Your ISP. A company. A government. An individual. You don't need to trust that one company won't go spam-friendly, or get hacked, or even go out of business.

Re:hint:criminals don't follow laws

[Opportunist]

Still, it would be trivial to drown a competitor in lawsuits. How hard is it to start a spamming campaign? Takes a few trips through IRC land and a few 1000 bucks to make them get tied up in more suits than even the RIAA's lawyers could handle.

Hmm... thinking about it... Could we get that law? Soon, if possible?

Re:hint:criminals don't follow laws

[nasch]

As I said, you had it backwards. The key you keep and use to sign your email is your private key. The key you give out (to a certifier, or the public, or whatever) is your public key. The reason they're not just called Key A and Key B is that it's very important which one is public and which is private.

Sure, if you trust ONE COMPANY. With my idea, anyone could certify emails. Your ISP. A company. A government. An individual. You don't need to trust that one company won't go spam-friendly, or get hacked, or even go out of business.

There is more than one company now giving out certificates, and there is nothing stopping anybody else from doing so. So how is your idea different from what we have now?

Re:hint:criminals don't follow laws

[Tubal-Cain]

Let me guess: gun control?

Re:hint:criminals don't follow laws

(...) comes the United States and the European Union. If these two governments worked together (...)

Those are 29 governments (US, 27 of EU member states + EU Council).

Re:hint:criminals don't follow laws

[Hordeking]

Let me guess: gun control?

That was my model for the sample conversation, but I've seen it occur elsewhere, not involving firearms. Firearms lend themselves well to this comparison, mostly due to the legislative thought(?) process. I'm sure all sorts of examples abound.

Really, the situation involves X and Y. X is pretty much illegal all the time. Y is something that sometimes occurs with X (is either instrumental or incidental to carrying out activity X, but not requred for X to occur). Y isn't always illegal, and usually it has mostly legitimate uses.

For instance, assault is illegal, whether or not one uses a pointy stick. But a pointy stick can be used for a lot of things, such as pointing, digging, stabbing, scratching, writing, etc (i.e. it is a tool). Do the already illegal actions justify strictly controlling the use of pointy sticks in all situations?

More enforcement would help

[alain94040]

Enforcement would be nice. How hard would it be for some FBI office to sign up to get all the possible spam out there, and start replying to all the great offers from African banks?

Of course, a lot of the perpetuators do not reside in the US, but quite a few do. The more legitimate a business looks like, the more likely it has a US presence that can be used to stop it.

So vote with your US tax dollars and force your government to allocate serious funds to the problem. Please!

--
http://fairsoftware.net/ -- where software developers share revenue from the apps they create

Re:More enforcement would help

[SomeJoel]

Yes, well, while the RIAA can evidently track down and prosecute a 6 year old downloading "Wheels on the Bus", the U.S. government can't seem to figure out which companies are responsible for the SPAM, even with all the contact information that must be available for the SPAM to have any value whatsoever.

Re:More enforcement would help

[Ethanol-fueled]

Of course, a lot of the perpetuators do not reside in the US, but quite a few do ...and they're mostly teenagers, senior citizens, and porn addicts who unwittingly installed RBN Genuine Advantage(tm) on their 'puters.

Re:More enforcement would help

[thetoadwarrior]

But the spammer is just a business man trying to make money. However the 6 year old is an evil communist terrorist trying to spread socialist values by stealing music. He deserves nothing less than a good water boarding at Guantanamo Bay.

Re:More enforcement would help

[DrLang21]

The problem is that the FBI's resources have largely been funneled to the War on Terror. As a result, a lot of crime is being left investigated. White collar crime among others is on the rise.

Re:More enforcement would help

[Wandering+Wombat]

Wooo! Cuba has the best wakeboarding!

Re:More enforcement would help

[Joce640k]

There's no enforcement 'cos the senators want their Viagara anonymously.

Re:More enforcement would help

[Dark_Gravity]

the U.S. government can't seem to figure out which companies are responsible for the SPAM

Everybody knows that Hormel is responsible for the delicious SPAM lunchmeat.

Oh, you meant the spam. Nevermind.

Re:More enforcement would help

[Antique+Geekmeister]

That's wire fraud, that's the Secret Service's responsibility as the enforcement arm of the Department of the Treasure. Of course, they're incompetent: there's not a single sign that they're any more competent now than when they raided Steve Jackson Games and every cracker they were incompetent enough to bother in Operation Sun Devil, and failed to get a single conviction.

Re:More enforcement would help

[tuxgeek]

Your suggestions, while good, will never work.

1) Most spam email originates in the US.
2) But the major spam dispensers are the mega botnets, which are controlled from overseas.
3) The zombie units of the botnet are the actual spam dispensers.
4) Your Aunt Tillie's machine is a member of the botnet.

(I just know I'll get flamed for this)
99.9% of the zombies comprising the botnet are compromised windows boxes.

The best solution is for owners of windows boxes to unplug their Cat-5 wire from the CPU and perform a re-install today. Maybe hide their machine behind a firewall router until they can get their clean installs updated. From then on they need to be rehabilitated from the compulsive behavior of clicking on advertisements saying "click here to see Angelina Jolie naked".
It's not much but it's a start.

Re:More enforcement would help

[Still+an+AC]

vote with your US tax dollars

wtf is that supposed to mean? tax are more or less mandatory. So my options are move to another country and continue to get spam, or goto jail and get something in can... Anyway the act is call CAN-SPAM as in I CAN continue to get SPAM.

Re:More enforcement would help

[Dralnu]

Its not that easy to track down a node on a botnet, nor to stop them from sending spam, plus the fact that not all the spam comes from the US. Its easier to write down an IP and call up an ISP telling them to hand over the info you need or you'll sue them into the ground, than to prevent someone in Siberia from sending spam to another continent.

Re:More enforcement would help

[The+Master+Control+P]

Egress filtering:

User: "Hi, I'd like to order $HIGH_SPEED_SERVICE."
Tech: "Ok, cool. Are you going to run an SMTP server?"
User: "Um... no, what's that?"
Tech: *Puts user down for modem w/firewall that rate-limits SMTP and doesn't allow sending to noncommercial IP blocks*

Spammer: "shit shit shit, my bots can't send any email!"

Re:More enforcement would help

[ultranova]

Of course, they're incompetent: there's not a single sign that they're any more competent now than when they raided Steve Jackson Games and every cracker they were incompetent enough to bother in Operation Sun Devil, and failed to get a single conviction.

Well of course they are. It's a job requirement for people working for an evil overlord in a magical girl show, after all ;).

"Sun Devil" indeed !

Re:More enforcement would help

[Erik+Hensema]

I think we've already reached the point where egress filtering should be the norm. Home users can and should use their ISPs smtp server for outgoing mail; mobile users can use port 587 for mail submission (which is just SMTP with required authorisation).

Here in .nl most consumer ISPs already do egress filtering. It really helps a lot.

Re:More enforcement would help

[skolima]

Can I get a CPU that I can plug Cat-5 wire into? I promise to only install Linux on it!

Re:More enforcement would help

[F�an�ro]

User: "Hi, I'd like to order $HIGH_SPEED_SERVICE."
Tech: "Ok, cool. Are you going to run an SMTP server?"
User: "Um... no, what's that?"
Tech: *Puts user down for modem w/firewall that rate-limits SMTP and doesn't allow sending to noncommercial IP blocks*

Spammer: "shit shit shit, my bots can't send any email!"

Spammer: "Guess my bots have to use the ISP's SMTP relay servers,
      which I can get from the User's mail clent.
      It may be rate-limited, but it is better than nothing."

Spamfighter: "This SMTP relay server is used to spam, put it on the blacklist."

ISP Tech: "OK, so if spammers use our SMTP server, it will get blacklisted.
    We can either block all mails from all users as soon as they are infected,
    in which case they will get mad and may cancel.
    Or we could unblock port 25 so spammers have no reason to use our SMTP server.
    Now which of these would be cheaper and easier to do...?"

Re:More enforcement would help

[smoker2]

I don't agree. I run my own servers, not at home but in a colo some considerable distance away. I own my domains, I run my own name servers. When the ISP for my home connection blocks smtp to any but their own smtp servers, I am disconnected from my own machines. Why should I be forced to operate under "rules for children" when I do not send any spam whatsoever. My mail servers are not open relays, they all require a login to accept smtp. So do the ISPs smtp servers, but the spam is still there, operating mostly from compromised home machines. Fix that problem before you interfere with perfectly honest and legal users of the network. Surely it is fairly trivial to spot forged From: headers when the user is trying to relay though an ISPs smtp servers ? If you want to fake your headers, use your own smtp servers outside the ISPs network. That way, any spamming servers MUST be outside the ISPs network and can be blocked efficiently. If a stream of spam is not using the ISPs servers to send, I would contend that it is none of their business and they should concentrate on incoming spam instead. Instead they decide to block the port, which breaks the internet.

On a side note, M$ have been pushing their stupid "I'm a PC" ads on tv a lot recently (in the UK), and the slogan the ads finish with makes me laugh - "Windows - Life without walls".
ROFL ! That statement is wrong on so many levels it's almost unfunny. First, if they had "walls" maybe there wouldn't be so many botted machines, and secondly, what part of proprietary code and DRMed up the spout indicates "no walls" ?

Re:More enforcement would help

[Erik+Hensema]

I don't agree. I run my own servers, not at home but in a colo some considerable distance away. I own my domains, I run my own name servers. When the ISP for my home connection blocks smtp to any but their own smtp servers, I am disconnected from my own machines.

No you're not. You can simply use smtp port 587 to submit mail to your colo. Providers should never do egress filering on port 587, only on port 25.

Re:More enforcement would help

Nah, it just proves that Free Enterprise is more efficient than government at most things. We shouldn't depend on the government to fix this, but ask the RIAA to do it. If we make it profitable, then it'll get done.

Re:More enforcement would help

[sowth]

I have a better idea. Why shouldn't ISPs charge for outgoing usage? Or for excessive outgoing usage? They just need a way for users to check their usage and also send an email when usage spikes.

This way everyone pays for what they send (much like the postal service or long distance telephone), and if anyone gets a virus or trojan, they will be damn sure to fix it. Unfortunately, the ISPs would use this to screw over people just like cell phone companies do.

What went wrong?

[girlintraining]

What went wrong? Nobody stopped to define "Spam" before trying to make it illegal. So they made something up, called it spam, and made that illegal. And when people called them up to ask why they were still getting spam, they replied: I don't see any spam here!

Re:What went wrong?

[HTH+NE1]

Musante: How are things here on the station?
Sheridan: Fine, fine. Status quo. We have had problems with the lurkers, but nothing--
Musante: Lurkers?
Sheridan: It's our version of the homeless. In many ways, we have the same problem Earth does.
Musante: Earth doesn't have homeless.
Sheridan: Excuse me?
Musante: We don't have the problem. Yes, there are some displaced people here and there, but they've chosen to be in that position. They're either lazy or they're criminal or they're mentally unstable.
Sheridan: They can't get a job.
Musante: Earthgov has promised a job to anyone that wants one. So if someone doesn't have a job, they must not want one.
Sheridan: Poverty?
Musante: It's the same.
Sheridan: Crime?
Musante: Yes, there is some, but it's caused by the mentally unstable. We've instituted correctional centers to filter them out at an early age.
Sheridan: Prejudice?
Musante: No, we're just one happy planet. Well, all right, there's the Marsies, but that won't change until they stop fighting the Earth rule.
Sheridan: And when exactly did all this happen?
Musante: When we rewrote the dictionary.

Musante: Captain, you're a good man. You're a fine soldier. A leader. You understand that sometimes before you can deal with a problem you have to redefine it.
Sheridan: But you can't deal with the problems by pretending they don't exist.
Musante: There's no need to embarrass our leaders by pointing out the flaws that they're aware of and dealing with in their own way. Some people just enjoy finding fault with our leaders. They're anarchists, troublemakers, or they're simply just unpatriotic. None of which describes you. Now, do you want people thinking otherwise?

Re:What went wrong?

Wow, so lame.

Re:What went wrong?

It wasn't a complete waste of money. Those who bought congress got just what they wanted...

Re:What went wrong?

[theaveng]

>>>Wow, so lame.

Babylon 5 is the most-intelligent, thought-provoking science fiction ever produced for television. If you think this particular scene is "lame" that is only because you are an idiot who could not grasp its higher concepts. (Notice how I conveniently redefined idiot as someone who doesn't understand Babylon 5.)

Re:What went wrong?

[earlymon]

Notice how I conveniently redefined idiot as someone who doesn't understand Babylon 5.

I noticed that and I'm confused - why was it you redefined moron as idiot?

It's just a piece of paper!

[sunami]

Yea, something was legislated against, therefore it will stop. What logic?

Possibly...

something to do with the fact that the US Congress doesn't have jurisdiction over international crime rings.

That, and the allure of free advertising in a world full of idiots.

Re:Possibly...

[Archangel+Michael]

I thought congress was one of the international crime rings. Silly me.

Re:Possibly...

[collinstocks]

GP meant that the US Congress doesn't have jurisdiction over other international crime rings.

What went wrong here?

[flaming+error]

1) Legislation was flawed
2) Problem transcends US Jurisdiction
3) Enforcement is spotty at best
4) Idiots buy their stuff

Re:What went wrong here?

[phantomcircuit]

2) Problem transcends US Jurisdiction

The vast majority of spam originates in the continental united states.

Re:What went wrong here?

[Zathain+Sicarius]

Considering we were responsible for 56.7% of the spam in 2005, I don't think that 14.9% is a very 'vast' majority. Granted, we're still twice the countries below us, but we've either become much better or the other countries have all become far worse.

Re:What went wrong here?

[bussdriver]

#1 source of spam is the USA
They didn't do enough plus they must have had loopholes.

I managed a few email servers with a few hundred users back when the law was passed. When it went into effect (not when it passed) I saw within a few days a jump in spam of about 50-75% (trying to recall) it jumped up to about 2-3 times during the rest the year; it didn't rise that quickly in previous years. I don't think it has risen as quickly since then but I don't know.

Connection? I don't know. That is what I observed.

Since the USA is the source for most spam, other measure should be taken besides kicking down the door of some old lady who's windows PC was hijacked by a dozen spammers.

At least that spam king was taken care of since the passing of the law. The law didn't do it; it just sent him over the edge and he took care of himself with a bullet and removed his genes from the genepool... (BTW, he lived in the USA)

Re:What went wrong here?

[hardburn]

I'm wondering how they're counting that, though. Many of the spam botnets out there originate in Russia or other countries with governments that just don't care, though the actual computer sending it is often going to be in the US. If it's counted just by backtracking the IP address of the original sender, it'll show up as being from the US, even though it's really from Russia.

I wouldn't be surprised if CAN-SPAM did in fact kill off the major parts of the US-born spam problem, but the problem just moved elsewhere.

Re:What went wrong here?

Before you talk more out of your ass, look at what happened when ONE (1) USA based ISP/hosting provider was taken down in November: SpamCop (year)

Re:What went wrong here?

[anilg]

#1 source of spam is the USA

More correctly, the number one source of Zombie machines is the USA. The controller can be (and very probably is) from a country with laxer laws.

Re:What went wrong here?

The CnC nodes for about 50%-75% of the world's spam are now located outside the US, whereas previously they were hosted by McColo.

Re:What went wrong here?

[ukemike]

The connection is that spammers feared that effective legislation might curb the business or put them in legal jeopardy, when the toothless CANSPAM act passed they knew they had free reign.

Nothing went wrong

[John+Hasler]

Look at the name of the law. Working as designed.

Re:Nothing went wrong

[Amazing+Quantum+Man]

Exactly. It's the "You CAN-SPAM with no consequences" Act.

Re:Nothing went wrong

[Yvan256]

No it's not. I get spam from a lot of places besides Canada.

Re:Nothing went wrong

[Chris+Burke]

Yeah, Spam already came in cans! Duh!

Re:Nothing went wrong

[dgcaste]

Or better yet, read the page title. Pretty sure it reads "I can spam". Yes I can.

Re:Nothing went wrong

[IronChef]

Poor grammar, though. It should have been the "MAY SPAM" act.

Re:Nothing went wrong

Or better yet, read the page title. Pretty sure it reads "I can spam". Yes I can.

Tragically funny. The law tells you EXACTLY what to do to legally send SPAM with ZERO RECOURSE for the recipient. The only thing you need is a source of email addys. If you don't have one internally, buy one. Just make sure the vendor gives NO HINT, NO WORD, NO WINKY-WINK WINK that the emails may be anything other than opt-in-to-receive-marketing-news-of-interest email addys. Once it is clear on paper that your email source is clean, all you need is to black list whoever manages to navigate through your convulted Active-X required, twenty-click opt-out procedure. Throw in a physical address and don't lie blatently in the subject or from lines and you are golding. F-ing A! I hate the fucking spammers too. In my estimate 80-95% of what PASSES THE FILTER, would be easily actionable if we had a sane law. $100 fine for the small-claims court claimant. That shit would clean up fast. The only problem - and this would be BIG - is that joe jobs would become much more dangerous to the victims. You could tie someone up in 10000 court cases unless there was a clearing house to legitimize SPAM A came from SOURCE B. That is really the only missing piece of the puzzle. I think some SPF-type voodoo (or whatever) might be able to solve the SOURCE problem. Anything not verified from SOURCE, should just be shit canned. For businesses at least.

Re:Nothing went wrong

[syousef]

Pretty sure it reads "I can spam". Yes I can.

        I would not SPAM them without a bot.
        So I could SPAM them quite a lot.
        I will SPAM them with a mouse.
        I will SPAM them in a house.
        I will SPAM them here or there.
        I will SPAM them anywhere.
        I only SPAM Viagra Ma'am.
        I like to SPAM them, SPAM-I-am.

Re:Nothing went wrong

[johanatan]

i can haz spam?

Legislation fixes nothing

[EmbeddedJanitor]

Legislation only allows some other mechanism to be used. Legislation on its own can do nothing.

All the legislation in the world won't fix teenage pregnancies, the War On Drugs, etc etc.

Since there is really no technical mechanism to kill spam, the legislation itself is ineffective.

Re:Legislation fixes nothing

[Whiney+Mac+Fanboy]

Since there is really no technical mechanism to kill spam, the legislation itself is ineffective.

IOW, your post doesn't advocates a:

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam, in favour of advocating a:

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam?

Re:Legislation fixes nothing

[Sancho]

If there were a technological means to fight spam, we wouldn't need the legislation.

What's needed is actual enforcement. Spammers make money because people buy their wares. Where there's money changing hands, there's a trail you can follow. The problem is seemingly that no one wants to follow that trail.

No enforcement? Practically no law.

Re:Legislation fixes nothing

All the legislation in the world won't fix teenage pregnancies
 
So how would you fix a pregnant teen?

Re:Legislation fixes nothing

duct tape, scissors and a paper clip?

Re:Legislation fixes nothing

[Luthair]

I disagree, I believe that there are definitely changes which could lower the amount of spam, the problem is that getting all parties (ISPs everywhere) on board a single standard is nigh impossible. Perhaps one possibility is to require that the sender's domain resolve to the system sending the mail. This doesn't correct hijacked servers, or spam servers, but it might eliminate spam sent from botnet zombies.

What really needs to happen is that big players (MS, Yahoo, Google, Comcast, British Telecom, etc.) get together and agree on a standard. Make the standard open, unencumbered, and state that as of date X they won't support anything else.

Re:Legislation fixes nothing

[dgatwood]

There's a trivial technological means to fight spam. It just requires abandoning SMTP and moving to a new protocol with the following requirements.

• All compliant mail transport daemons must require all connections from client computers to be authenticated.
• All compliant mail transport daemons must sign all messages as they pass them along.
• All compliant mail transport daemons must have a service record in DNS for their host name that provides a public key for verification of the signature.
• All compliant mail transport daemons must refuse to accept any email if the signature cannot be verified immediately (even if this is due to load), forcing the sending end to retry.
• All compliant mail transport daemons must refuse to accept any email if the host name does not resolve to the IP number from which the inbound message was received.

With that, spam is basically dead. As soon as you require those restrictions, suddenly spammers have to actually own a domain name and provide a working DNS server in order to deliver spam, and that DNS server must contain up-to-date mappings for those hosts to IP numbers. That pretty much obliterates the use of zombies for delivering mail. It also means that there is now a domain name, which by ICANN policy, is required to have a valid postal address, phone number, and other contact information associated with it. In effect, it means that you know who sent the spam definitively unless a company's DNS server and mail server both get compromised. It makes it a lot easier to pin the blame on spammers, which makes it a lot harder for them to repeatedly get off scot free.

In case you're wondering why it needs to be signed, i.e. why Sender ID, etc. are not sufficient, Sender ID and the like can be compromised by merely adding an additional authorized IP number to a list. That means that spammers can masquerade as a company by merely compromising their DNS server briefly, all without disrupting the company's business in any way. With a signed variant of this design, because the private key is be stored on the DNS server, the spammer would be unable to masquerade as the company without changing the public key in the service record. Doing so would cause the company's real outgoing mail to fail to be delivered---an action that would almost certainly be noticed immediately. Thus, adding digital signatures provides a significant bit of immunity from such spoofing attacks (spoofing of a company to customers of a compromised ISP notwithstanding).

Re:Legislation fixes nothing

[dgatwood]

Just to clarify, it is technologically trivial, but nearly impossible to actually implement in a way that completely blocks spam for everyone because it requires complete adoption before you can start rejecting all non-compliant email. Basically, we'd be better off just starting a new email system in parallel and letting the old one die off as people stop using it.

Re:Legislation fixes nothing

[Lost+Race]

All the legislation in the world won't fix teenage pregnancies, the War On Drugs, etc etc.

There's an easy legislative fix for the War On Drugs.

Re:Legislation fixes nothing

I disagree, I believe that there are definitely changes which could lower the amount of spam.

The problem is this: email users expect email to be cheap (i.e., cost of internet access), and they wish to send email to whomever without having that person's permission first in some fashion. Anything less would be untenable.

The only way to stop spam is to make it unprofitable. You can't wave it away with technology without destroying the aspects of email that make it popular, and you can't really make it more expensive.

Sure, you might be able to dampen the supply by making open relays unfeasible, but then the spammer just sets up a couple dozen MX servers of his own complete with domain name resolution for only a few bucks a year.

Re:Legislation fixes nothing

wire coat hanger.

Re:Legislation fixes nothing

[Antique+Geekmeister]

Or run a botnet.

I'm still sadly amused at Microsoft's solution to this, the 'SenderID'. Here, we'll sell lots of authentication keys that only work with our software, that you can only buy from us, and that we'll happily sell to spammers to get past your mail filters.

Re:Legislation fixes nothing

[zippthorne]

There most certainly is a technological means to fight spam. It would be a little rough on legitimate mailing lists, but you could whitelist those back in.

It's been suggested here on slashdot and other places, and there are papers available (and their full text is available through scholar.google.com).

The message digest method.

The principle is to make email expensive for mass mailers by requiring a substantial amount of CPU time (to the machine) which is barely noticeable from a human perspective.

You simply require the sending machine to repeatedly hash the message with the header and a variable string tacked on. Varying the string until a certain number of zeros (or an arbitrary sequence of characters) appears in the hash.

It scales well to processing power: as CPU/$ drops, you can simply lengthen the required string, and use longer hash algorithms if you need even more characters.

You would barely notice an extra one second spent sending an email. But do you think a spammer could profit if he could only send out 86,400 messages a day per machine? Even if it's being done with a bot-net, there's a level of requirement that reduces the message rate to a crawl / forces the botnet to use noticeable system resources on the compromised machines. They won't remain compromised for long if they use too much.

Granted, people with older machines will start to notice the time spent hashing, but you can always add them to your no-check whitelist and skip that step.

You don't have to make it impossible to spam. You only have to make it impossible to profit from it.

Re:Legislation fixes nothing

[Timothy+Brownawell]

There's a trivial technological means to fight spam. It just requires abandoning SMTP and moving to a new protocol with the following requirements.

• All compliant mail transport daemons must require all connections from client computers to be authenticated.
• All compliant mail transport daemons must sign all messages as they pass them along.
• All compliant mail transport daemons must have a service record in DNS for their host name that provides a public key for verification of the signature.
• All compliant mail transport daemons must refuse to accept any email if the signature cannot be verified immediately (even if this is due to load), forcing the sending end to retry.
• All compliant mail transport daemons must refuse to accept any email if the host name does not resolve to the IP number from which the inbound message was received.

You forgot one:

• All relevant DNS servers must implement DNSSEC.

With that, spam is basically dead. As soon as you require those restrictions, suddenly spammers have to actually own a domain name and provide a working DNS server in order to deliver spam, and that DNS server must contain up-to-date mappings for those hosts to IP numbers. That pretty much obliterates the use of zombies for delivering mail.

Unless they can 0wn a DNS server, or have the zombies send through the owner's legitimate outbound email accounts, or can get a steady supply of disposable domains somewhere (zombie-XXXXXX.disposable-20081217.com, etc).

It also means that there is now a domain name, which by ICANN policy, is required to have a valid postal address, phone number, and other contact information associated with it.

And when the spammers don't follow the policy? Sure the domains might get shut down after someone realized (and got the registrar to verify) that the contact info was bogus, but that's a bit too late.

Re:Legislation fixes nothing

[piojo]

You can't keep anonymous e-mail while preventing spam in this way. Services like gmail and hotmail can theoretically always be used to send spam.

Re:Legislation fixes nothing

[Sentry21]

All the legislation in the world won't fix teenage pregnancies, the War On Drugs, etc etc.

Until I see some zero-tolerance anti-teenager legislation, I'm going to assume that our governments don't really care about the issues that are causing the decay of our society.

Re:Legislation fixes nothing

[dgatwood]

Yes, but if a domain like gmail or hotmail gets sufficiently lax at verifying legitimacy of people applying for accounts, they'll eventually find their traffic getting blocked at the router level.... To some degree, prevention of spam does require systems like that to require at least a little effort to apply for an account (sufficient to make auto-registration impractical).

Re:Legislation fixes nothing

[dgatwood]

The thing is, disposable domains cost money. The reason spam is so profitable now is that they can send out millions of emails without paying a dime. When the second email from their domain to any given user causes the entire domain to get blocked for every user at that server, suddenly their effective cost of sending an advertisement jumps to about $5 per mailout (half the cost of a domain). At that price, the huge financial overhead causes spam to be unprofitable when compared with much cheaper advertising techniques like Google AdWords. Eliminate the funding source for spammers and you eliminate the spammers.

Oh, yes, that's right. We have to ban domain tasting. Then again, that should be obvious for many, many other reasons....

This applies even if spammers ignore the requirement for legit domain information. However, I think ICANN should tighten up the rules on domain registration. New registrants (and any registrants who have received spam complains against them) should have to provide proof of identity when registering their first domain name with a given registrar. There's simply no excuse for not requiring at least a minimal audit trail for registering a domain.

Re:Legislation fixes nothing

Why not create a law demanding usage statistics. Instead of calling out the companies for abuses all-the-while letting vengeful jerks take over, why not allow some sort of group or groups to provide expertise to fix the problem or improve their system. It would allow free market benefits by focusing on each business specific needs and allowing third parties to develop solutions to the problem per basis. Penalizing is one thing but to really fix the problem a lot of people would have to get their hands dirty. First it would be nice to know where the problems are at. Of course it would only fix the problem within the US but it would also force the costs on other countries that allow this type of behavior.

Re:Legislation fixes nothing

With that, spam is basically dead? LMAO.

What you suggest is already being tried. It's called domain keys. No, it's not required, but some big mail hosts (e.g. Hotmail) use them, and having your mail signed with domain keys gives you a much better chance of your mail coming through.

What do spammers want? A much better chance of spam coming through.

Who are going to be the first to implement domain keys on the sending side? Spammers.

I haven't seen a single non-spam e-mail signed with domain keys. But every single spam e-mail we send out (no, I'm not proud of working here) has a valid domain key signature.

I'm seriously considering adding rules to my spamfilter at home to delete any mail with a domain key signature. However I am afraid that big ISPs soon will start to sign all their customers' outgoing mail, thus making non-spam e-mail look exactly like spam.

Re:Legislation fixes nothing

[frisket]

No, back in the bad old days before the Internet management was taken over by commercial interests, if you misbehaved you just got cut off by your upstream connection. If you had sent unsolicited bulk email, your plug was pulled until your boss crawled and promised it would never happen again. All we need is to reinstitute that policy, and make it go right up the line upstream. But it'll never happen while it's more profitable to take the spammers' cash.

Re:Legislation fixes nothing

[Luthair]

Registering domains would add cost (or fraud I suppose) and the spammer domains could easily be blacklisted along with their servers.

My suggestion wasn't meant to be a solution, it was just to point out that there may actually be methods which could minimize it. Modifying the protocol might just change the vector, compromised machines could use their ISP's mail servers, but with blacklisting, and storage requirements, ISPs would have incentive to contact their customer if someone suddenly starts sending 60000 emails an hour.

Re:Legislation fixes nothing

[amRadioHed]

Drug addiction is not a legislative problem, but the War on Drugs most certainly is.

Re:Legislation fixes nothing

[shutdown+-p+now]

Just to clarify, it is technologically trivial, but nearly impossible to actually implement in a way that completely blocks spam for everyone because it requires complete adoption before you can start rejecting all non-compliant email. Basically, we'd be better off just starting a new email system in parallel and letting the old one die off as people stop using it.

Spam is not just about email. Even leaving the spam in blogs in forums aside, there's also IM spam, which seems to be growing very quickly - there isn't a day when I don't receive 2-3 spam messages on my IM accounts.

What went wrong.

[Afforess]

This prompted Congress to pass a landmark anti-spam bill

Duh.

Wait...

[wwwgregcom]

You mean you guys have still been getting spam?

what went wrong?

Anything that fails to remove the financial motivation behind sending SPAM will fail to prevent SPAM.

No one in their right mind ever thought CAN-SPAM would have any tangible benefit.

What went wrong with CAN-SPAM

[booyabazooka]

I don't see how anything went wrong. Politicians get props for being tough on spammers (it isn't poor Congress's fault that the law is barely enforceable), and the feds profit from imposing some hefty fines on the few criminals they do catch.

It's futile

[thetoadwarrior]

The spammers are too smart to get caught and a lot of them probably reside outside of the US where the law does not apply.

The law is about as useful as a law against breathing.

War on BS

Why am I not surprised. Ironic, kind of like the war on drugs. The stoners are winning.

Making things illegal WORKS

Remember when we made weed illegal and now you can't buy... ooh, wait a second.

Re:Making things illegal WORKS

[tukang]

That's not really the same. Drug prohibition doesn't work because it outlaws a victimless activity, so the parties involved have no motive to report the crime to the police.

Enforcing spam laws is also difficult but not for the same reason because spam victimizes unwilling participants by wasting their bandwidth. Spam laws are difficult to enforce because of the borderless nature of the internet and a lack of cooperation between countries but this is a political problem that - unlike prohibition - is solvable.

Obligatory

[Yvan256]

To summarize the summary of the summary: people are a problem. - Douglas Adams

Re:Obligatory

Insightful? Yeah right. Of course congress did a legislative approach, THAT'S THEIR JOB. They don't have any other authority.

Re:Obligatory

[eln]

Um...the fact that it's a legislative solution isn't the (only) problem...the rest of the post you're replying to mentions several other problems as well.

Re:Obligatory

Your Congress advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

I think I've already been spammed that reply in dozens of slashdot articles. Any chance our server script overlords can introduce a spam filter for it? Its rigged to always say please give up now.

Re:Obligatory

[theaveng]

30% of the world's spam comes the United States and the European Union.

If these two governments worked together, and passed effective laws to arrest companies that sent spam even if said criminals tried to flee across the Atlantic to Europe (or vice-versa to America), then they could reduce spam-related expenses by about one-fifth.

Re:Obligatory

[Doghouse+Riley]

Time- and electron-saving version of the above, applicable to all proposed Congressional action in any field:

Your idea will not work. Here is why it won't work.

(X) Feel-good measures do nothing to solve the problem

On the bright side...

[CannonballHead]

It gives Barracuda a market.

What went wrong?

[Punto]

They should have called it CAN'T SPAM.

What went wrong? What could have gone right?

[Antique+Geekmeister]

Quite seriously, this law was specifically not aimed at spam. It was aimed at certain types of online fraud, and it deliberately took power away from local law enforcement to put it in the hands of a federal power that does _nothing_ about mere spam. It was carefully designed to allow 'opt-out' advertisements, and that first advertisement from any spammer, and it was carefully legislated that way by the Direct Marketing Association to avoid interfering with the advertisements of their funding agancies. It was also carefully designed to overrule more effective, state efforts.

Such laws should instead be modeled on the junk fax law, which has withstood the test of free speech challenges and ease of prosecution.

Re:What went wrong? What could have gone right?

[AK+Marc]

Once, for fun, I signed up on a "get a free x-box" site with a throw-away address. For one, being in Alaska, it was impossible for me to complete the necessary steps to get it. For another, it is the perfect spam generator. You can never take your name off the list. They don't send you any spam, so you can't get your name off. They just re-sell your address. Even if the people that bought it take it off their list, the list you are on will be sold and re-sold thousands of times. As long as the list holders never personally send the spam, they are never required to stop selling you name to others to spam. Any law that doesn't address this is a law that will have no effect. Either all spam must be opt-in (like faxes) or there would be some requirement with all UCE to include contact information of the company where they got their list and how to get of the list of not just the one sending it, but the place they got it as well (and requirements about not sending from a list more than 30 days old and not selling a list within 30 days of getting it or something like that so it won't be sold billions of times before you can get off it).

But yes, your general point is quite correct. It was desired by the spammers because without it any one state could have crafted a more restrictive law. With it, they can claim to be operating under the federal rules and that those trump the state requirements.

I'd make it a requirement that the company address (physical, not PO boxes) be included in every spam, as well as a phone number. The headers must be real. If any part of the spam is faked (IP addresses, from field, or such, as well as the contact information must be accurate for at least 30 days after the spam is sent), then prosecure them for fraud and illegal access of a computer. If some woman getting on myspace uses a fake name and gets convicted, so should spammers using false headers.

Re:What went wrong? What could have gone right?

There's a law against junk faxes? The business I manage gets those like 2 or 3 times a week. Highly annoying. "Paper SPAM", I call it. Upper management is too cheap to buy us caller ID, so there's no way to refuse the call (which *could* be from the home office). So we just waste two or three sheets of printer paper on random BS advertisements.

Just out of curiosity, were we talking about a real, jail-time-or-fines kind of law, or the vague, idiotic CAN-SPAM kind of law?

Re:What went wrong? What could have gone right?

[Haoie]

Go a step further: Stop spam emails that fudge the subject line with random words.

Re:What went wrong? What could have gone right?

[geminidomino]

Telephone Consumer Protection Act. $500-$1500 per junk fax (assuming you can find and afford to sue the sender)

More.

Re:What went wrong? What could have gone right?

One minor problem with your "requirements". Criminals tend not to follow requirements.

Obligatory

Your Congress advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
(X) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

There is a successful market for spam

Even I managed to get some real Vs over the internet.

It doesn't matter if it is illegal drugs, or penis enhancement or whatever.

As long as the response level to any spam is more than 0%, or laws otherwise prevent rational adults from wanting a few chill pills, this fight will continue. And it will be as fruitless as the war on drugs.

And more and more laws will only ruin the rest of the internet, but the spam will continue.

Enforcement

[bunyip]

Spammers know they won't likely be caught. And, if they're caught then the punishment won't be harsh.

Put a few in a federal PYITA prison. Put some heads on pikes outside the city walls. Send in some Navy Seals and install Vista on their machines. Do whatever it takes! :-)

3 things

[dark+grep]

Three things went 'wrong': 1. Moron sysadmins who allow their servers to act as relays or become exploited 2. Idiot end users with compromised systems 3. Unbelievably stupid people who respond, and buy, what the spam is advertising No legislation has ever overcome human stupidity.

can-spam???

[prndll]

As if anyone in government is ever going to be able to stop spam. Did anyone notice the irony of the link in the article (it took me to a symantec advertisement)? Spam will never be stopped until idiots are gone (which will be never). If you think the government is capable of stopping spam, then you don't understand government. They are more likely to make the problem worse.

What went wrong?

[Toonol]

In fairness, nobody with any amount of knowledge expected it to have any impact. It's not really accurate to say it 'went wrong' when most of us never expected it to work in the first place.

problems?

[memnock]

i use Yahoo! mail (4 accounts) for most of my email activity. i have a rarely used GMail account or two. i have an account through uni, that is now serviced by GMail. i get almost no spam. i had 2 accounts with Earthlink. now those two were somewhat spam-laden, but in recent months, the amount of spam dropped quite a bit.
if i didn't know any better, it would seem to me that the legislation worked. but i'm more inclined to believe it was a result of software changes that were implemented by the services to respond to complaints from users.

Laws dont solve technical problems.

[kwabbles]

Another example of why legislators shouldn't attempt solve problems that should be left to engineers.

Re:Laws dont solve technical problems.

[gad_zuki!]

To be fair, it was naive engineers who gave us SMTP to begin with. Accept any message without authentication? Craziness.

Of course this is all in hindsight.

I dont really see much spam, at this point domainkeys, reverse dns, filtering, etc have done a good job of keeping it out of the inbox, but its the bandwidth and server resources thats a problem. How can you stop people from using bandwidth without getting into some kind of national firewall (see china) or issues of censorship or even blocking entire countries.

Every ISP is free to explore these solution without the goverment. All the government did is draft a law to answer the legitimate question of "What is spam? How do we email our customers without lots of complaints?" So they defined spam and for legitimate organizations the law had a real effect, but no, it doesnt stop spam outright. It defines online marketing more or less.

Re:Laws dont solve technical problems.

Accept messages without authentication? On DARPANet why not?
You may as well ask why the ISS doesn't have a lock on the airlock door.

Re:Laws dont solve technical problems.

[kwabbles]

I know others have said this and it's been argued before, but SMTP as it is right now should be dead. A new protocol should replace it. Yes yes, I know what a huge Herculean feat that would be - but if you look at the effort and $$ the world has collectively dumped into spam control up until this point, to me it just makes sense to start over and gradually replace the old protocol. I'm in the same boat as you, as well as my users... hardly any spam makes it to the inbox, but the damned maintenance on perimeter spam control devices and all the eaten-up bandwidth is just nuts.

Re:Laws dont solve technical problems.

[gad_zuki!]

>You may as well ask why the ISS doesn't have a lock on the airlock door.

I hate this attitude. I hate how people dismiss basic security because for some reason, to them, its impossible that something used in one setting couldnt be used in a different setting or in a different way. Dont be naive.

How about more examples?

Anti-virus for a PDA?!?! Yes.

Anti-pirate weaponry on a cruise ship!?! Yes.

Antivirus on the space shuttle?!?! Yes.

Armed guards in churches?!? Yes

Bomb sniffer dogs at daycare??!? Yes.

Bulletproof armor for dogs!??! Yes.

Who is receiving spam?

[fermion]

I receive very little spam. Maybe 20%. That is hardly 97%. So where is it.

I know where it is, and why it is still a problem. It is not in my email box, or the email box of most people. It is in the spam filters of our email providers. And that is the problem. I don't see it so I don't care. Sure, it may increase my cost to get online, but by how much. DSL is dirt cheap to what I was paying 10 years ago, and at better bandwidth. So what do I care? I don't see it, the problem is solved. And I can delete the 5 messages of spam that get through.

So out of sight, out mind, right? Wrong. I also know for the average person, and for the average spammer, those five messages per person that gets through can mean huge amounts of money. Even if nothing is bought, the way that mail clients are set up and vulnerabilities in the mail and web clients can make the spammer money. For instance, most clients now render HTML and load images automatically. Apple still refuses to set an option in mail.app to turn off HTML permanently, though it does allow one to not load images. Still, most people load images, which registers as a hit on some scam web site and registers the email as valid. Rendering the HTML can allow viruses on the receivers machine. And even the semi legitimate spammer still has hope that someone will buy a product.

We won't be able to get rid of all spam, even though we can't get rid of mail scams though it is a felony. The best we can manage it. If we are to fix it more, then we have to bring the problem to the forefront by letting spam through, or some other methods.

Re:Who is receiving spam?

Just list your e-mail address with a domain name or post to Usenet. You'll get closer to 99.9% spam.

I've had the same e-mail address for 15 years so about only one out of every 10,000 messages I receive is legitimate. Spam is making my e-mail more of a hassle to use than it is worth. Bill Gates can lie all he wants and say that spam is not a problem and has never been a problem, but we all know that is a lie.

Re:Who is receiving spam?

[maxume]

Outlook doesn't load images by default. I don't think Outlook Express did, but I don't remember anymore. Neither Yahoo! Mail or Google mail load images by default.

If you measure by what people are using, you are wrong about most clients (at least, the current defaults).

Re:Who is receiving spam?

FWIW, I get over 4K spams a day to my 8-year-old email address, and they don't actually bother me much - combo of bogofilter and spamassassin that KMail automagically configured me. I get the occasional false negative (just a matter of clicking "this is junk" and it learns), but after the first couple of days training (you teach it known-good emails too), false positives stopped

Admittedly, I guess such spam filtering is cpu and bandwidth intensive, but the email address in question is yet to become unusable in practice.

Re:Who is receiving spam?

[mdmkolbe]

I have seen great variability in how much spam my accounts get depending on how widely I spread the addresses. On the accounts I only give to people I have met personally, I get almost no spam (less than 1 per day). On the accounts I use to sign up for online web-sites (e.g. slashdot.org, orbitz.com, etc.), I get so much spam that they are useless for anything else.

Many people claim that they don't give their e-mail out but still get a lot of spam. Strangely, however, when I have observed these people's habits, I found they were giving out their e-mail addresses without thinking about it. Even asking them right after they had filled out a form for some website that included their e-mail address, they would deny giving out their e-mail. Or if pressed, they might claim that that particular web site was trustworthy, so it didn't count.

I would say that guarding your e-mail address as tightly as you guard your Social Security Number or Credit Card Number, but considering how many people are willing to give those out to just about anybody, I'm not so sure it's all that good of advice. All I can say is (1) paranoia is your friend when guarding your e-mail address and (2) segregating your addresses helps when you have to provide an address to a place you don't trust.

Re:Who is receiving spam?

[Antique+Geekmeister]

Your upstream may be blocking a lot of it. Do you have direct incoming SMTP, and do you record things that are blocked by your blacklists?

Legislation as Public Relations

[DynaSoar]

CAN-SPAM like many other laws (can anyone say PATRIOT?) was written and passed for the benefit of voters and those they vote for. Very few cases of enforcement were actual attempts to enforce the law, most were attempts to fill press releases.

As I've quoted before, FTC Commissioner Orson Swindell said at the first FTC spam conference "What we need are a few good old fashioned hangings." Certainly in spirit, yes. If the Secret Service can round of a few dozen kids and a game designer and cause them all manner of grief, now that they know what they're doing, why can't they round up a few dozen spammers? Why do the "spam kings" get removed only to be replaced with no net (pun unintentional, but I like it) effect?

Isn't there an "or cause to" statement in the law? Those that hire spammers were supposed to be held accountable too. "I didn't know they would spam it" should only be taken to mean the owner was negligent in research and contract. Negligence isn't commission, but it's still a basis for guilt.

Spamming has become such a big multinational business, and increasingly associated with organized crime, it's only a matter of time before we start hearing about them offing each other and/or their providers. That's hearing about it, not to say it hasn't happened already and not recognized.

Nothing went wrong!

[www.sorehands.com]

The bill got the people who paid for it, what they wanted. Permission to send spam.

To fix the bill, it needs the following:

1. Outlaw spam. (yeah, won't probably happen, but I can dream.)
2. Require labeling. Make it easy for spam filters.
3. Permit private right of action for individuals.
4. Require attorney fees to be paid to successful plaintiffs.
5. Strict liability for the advertised party. No more, "Oh yeah, that affiliate didn't get permission to send that e-mail to you -- don't blame us."

The bill is incorrect, you can go after foreign spammers, it is just harder.

Re:Nothing went wrong!

[compro01]

2. Hasn't that been tried already?

3. Good idea.

4. "Loser pays" would be a good idea in general.

5. Very Good Idea.

Re:Nothing went wrong!

[Mister+J]

The last is a nice idea, but way to open to abuse:

1) Hire someone to spamvertise your competitor's website
2) Wait for the lawsuits against them to roll in
3) ???
4) Profit!

We took a knife to a gun fight.

[mellon]

Seriously, the problem with every anti-spam countermeasure I've seen so far is that they are all based on using SMTP as a mail transport. And SMTP is a protocol designed for a civilized Internet - one where every email sent is assumed to be one that the designated recipient wants.

In order to stop spam, we need to stop using SMTP and switch to a protocol that rejects mail by default. Unfortunately, this requires a flag day, and nobody's put forward a protocol like this yet, so we're still stuck with insane amounts of spam.

Nothing went wrong

[JoeF]

Nothing went wrong. It's name stated what it was for: Companies CAN SPAM. And that's what they did.

Make a Law

[maop]

There should be mandatory authentication of all emails coming from within the US or from a US email provider.

Re:Make a Law

[thejynxed]

Too bad that will never work. Think before you type. All the spammers would have to do is swap to services (coloes, etc) outside of the USA. Sure, we have spam "kings" living here, but so does Canada, China, The Phillipines, Israel, Russia and many other nations. Many of whom contract with U.S. service providers currently for bandwidth and hosting services, often using false credentials and from behind shadow companies.

So, all in all, your proposal fails. Miserably.

Re:Make a Law

[Antique+Geekmeister]

This just happened with the Mccolo botnet.

What Went Wrong?

[pete-classic]

In two words: your expectations.

When Congress swoops in to solve a problem I always expect them to fail. They almost never let me down.

-Peter

Re:We took a knife to a gun fight.

[Sybert42]

Um, flag day?

Wait for it...

[x] This article is useless and the comments will spawn over 9000 forms giving detailed explanations of why spam can't be stopped by technical, social, or legislative solutions.
[x] Pie
[ ] None of the above

Joe job

[tepples]

What's needed is actual enforcement. Spammers make money because people buy their wares. Where there's money changing hands, there's a trail you can follow. The problem is seemingly that no one wants to follow that trail.

I'm guessing that some high-profile business got joe-jobbed, discouraging law enforcement from following the money. A spammer could distract those who follow the money by advertising the shady businesses they normally deal with and then advertising smaller legitimate businesses as a decoy.

CAN-SPAM Worked Exactly as Expected

[ericgoldman]

Congress had no idea why spam was a problem and therefore did not draft legislation designed to address the problem. http://ssrn.com/abstract=487162 Instead, they took a shotgun approach of trying to legislate against a panoply of problems, which meant that the law was not designed to fix any single problem and therefore was not going to succeed even from day 1. Eric.

Well duh! Everything Congress touches goes to pot

Congress was compelled to pass cable legislation - prices have gone up rapidly ever since

Congress passes the Patriot Act - one of the most *un-patriotic* pieces of legislation ever written

So everybody who really thought CAN-SPAM would reduce spam, raise your hands...

I thought so.

There is no problem with CAN-SPAM

[SIR_Taco]

The problem is not that the CAN-SPAM act of 2003 is flawed.
The problem is that the US seems to assume that laws made in their country are globally accepted.
Prohibiting pretty much anything will just make those people that want it get it from another source. For example, look at the prohibition of alcohol in the US... suddenly many people had the urge to visit Canada and/or Mexico more often (even bring back 'souvenirs').

Just my 2-cents in the matter.

Who says what SPAM is

[Saysys]

Freedom of speech is more important than $42 billion a year.

Political speech, asking for a petition to be signed, telling someone about your faith, selling door knobs... there is a plethora of good bad and highly subjective things people can say, repressing speech, even 'commercial' speech both a constitutional violation and a vary dangerous precedent to set.

I don't like receiving 'get a bigger penis' adds any more than the next guy, but the legal action should be against the individual for lying, not for communicating speaking.

Re:Who says what SPAM is

[maxume]

Legislation needs sane limits, but frankly, you don't have any right to my inbox.

Re:Who says what SPAM is

[Dark_Gravity]

Political speech, asking for a petition to be signed, telling someone about your faith, selling door knobs.

You can't break into my house and spray paint it on my walls, which is what you advocate when you endorse spamming.

Re:Who says what SPAM is

[Saysys]

I assure you giving the government enough power to enforce spam-control is giving it enough power to censor free speech in general.

I have every right to attempt to communicate with you. Freedom of speech doesn't mean that you have to listen to every communication addressed to you, simply that you have no right to tell me not to send the information in the first place. If you want to block what I've got to say that's one thing, but trying to use the government to keep me from talking to you is something entirely different.

It doesn't matter if my communication with you is political protest, telling you to buy penis pills or waring a t-shirt that says "bush planed 9/11". Freedom of speech does not mean freedom from
You can delete my email or even spam-block it, but I fear the day when the government decides what communications are or are not "costing billions of dollars"

Re:Who says what SPAM is

[ratboy666]

Frankly, no. You may not force me to financially support your speech. Unless I get representation.

The USA went to WAR on this issue, for fucks sake. "No Taxation without Representation", I believe was the cry. The logical conclusion is the right to kill spammers, of course.

Re:Who says what SPAM is

Email is a recipient pays system.

Recipients have freedom from speech when that speech is paid for by the recipient.

You're done. You have no right to cost me money.

Re:Who says what SPAM is

[geminidomino]

The USA went to WAR on this issue, for fucks sake. "No Taxation without Representation", I believe was the cry. The logical conclusion is the right to kill spammers, of course.

We need to go back to declaring people outlaw... starting with spammers.

Make 'em afraid to poke their greasy, balding chickenboner heads up from their holes...

Laws just hamper the law abiding

[Alain+Williams]

Just like all this wire tapping, surveillance, air port searches, ... they don't really stop the criminals - they just get up everyone's nose and provide an excuse for those who ''investigate'' us with excuses to abuse our privacy.

Look at the people who blew up the hotels in Bombay (Mumbai these days) - just a few men in boats with guns -- sophisticated protection can't stop them every time. We might as well give up and spend the money on something useful.

Re:Laws just hamper the law abiding

[digitalunity]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Certainly this plan has a lot of side effects, but it is not completely without merit.

Re:Laws just hamper the law abiding

[gandhi_2]

In the town of Virgin, Utah it is legally mandated that every household that can legally have a firearm must have one.

You don't see too many terrorists there. QED.

Re:Laws just hamper the law abiding

[geckipede]

I would really like to see (preferably from a safe distance) that approach tried in a large city, but only because years of action films have desensetised me to violence and I think it would be hilarious.

Re:Laws just hamper the law abiding

[IsMyNameTaken]

Exactly but I would also assume the best case high value target is a grain elevator for the local co-op or is Virgin larger than I think.

Still when has anyone successfully robbed a gun store?

Re:Laws just hamper the law abiding

[Futile+Rhetoric]

To be fair, it's not the guns protecting Utah from terrorists, but the magic underpants.

Also, your use of Q.E.D. could use some work.

Re:Laws just hamper the law abiding

[CheshireDragon]

There isn't much in Virgin, Utah that anyone would want or go after anyway. If I remember correctly it is in South Utah just outside of Zion Nat'l Park. I used to camp there a lot in Spring and Fall. TPing a house there(IF you can find one) might be most fun, as long as some psycho doesn't come and spray you with fox pee.

Re: Laws just hamper the law abiding

[mi]

How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Armed police weren't shooting... And in Greece they did shoot and the whole country is still struggling — perhaps, because they would not shoot again.

I'm not disagreeing with you, but simply arming everyone is not enough...

Re:Laws just hamper the law abiding

But you do see a violent crime rate higher than the US National Average http://www.bestplaces.net/city/Virgin-Utah.aspx

Re:Laws just hamper the law abiding

[mcrbids]

What, all three of them?

Sure, there aren't many terrorists that live there, but there isn't much of anybody who lives there...

Re:Laws just hamper the law abiding

[Darby]

Still when has anyone successfully robbed a gun store?

I've heard hilarious stories about people who have tried. Hopefully just urban legends though...that's a whole level of stupid I don't like think about actually existing.

Re:Laws just hamper the law abiding

[ultranova]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Guns have long range. Shoot a few people in a thick crowd from a hidden location and watch the fireworks when some run and the rest will start shooting at anyone suspicious, meaning each other.

Certainly this plan has a lot of side effects, but it is not completely without merit.

Yes it is. It is roughly analogous to DOS'ing every machine named in the headers of a spam message.

Re:Laws just hamper the law abiding

[mjwx]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

Instead of 100's of dead, you'd have 100's of dead and no way to tell who started shooting in the first place. Person A Shoots persons B and C, Person D shoots person A, Person E sees person D shooting, assumes that Person D is responsible and Person E shoots Person D who is then taken out by person F and so on until you pretty much have no one left capable or willing to shoot. MAD only works if its never used. Your analogy assumes that the shooters will begin to fire ensuring that the MAD bluff is called so this is where MAD fails and a great many people get killed.

Certainly this plan has a lot of side effects, but it is not completely without merit.

Yes it has a great many side effects and this is why it is completely without merit. Your plan relies on the same flaw that all extremist philosophies rely on, that everyone thinks on the same path. In a situation like the one in Bombay no single person will have total awareness of the situation and cannot determine who are the attackers and who are the defenders, thus the person is forced to choose who to attack based on extremely limited observation and you can guarantee that at least 60% of the people will choose the wrong target. Let me add to this, if the myth that guns keep people safe were true, why aren't Somalia and Russia amongst the safest places to live? Firearms are very common in these places. Or perhaps you would look at South Africa, where no-one is willing to travel without a gun, not because Johannesburg is safe but because if you don't have it you will be a victim because crime is so high. Guns don't keep people safe, good laws and effective policing keep people safe. The US, Sweden and Russia have a lot of guns in the hands of civilians, why does Sweden have an order of magnitude less crime then the US (and several orders less then Russia), because of effective policing and a calm populace. Most Swedes will say they don't feel the need nor actually wish to carry guns.

Crime in the US is higher then any other western state (unless we include Russia) so please don't bring up US and the UK as examples of how gun legislation hurts. Properly enacted it will reduce the number of gun deaths (accidents in AU have dropped by 90%, whilst violent crime has not increased by the same amount as the US). You are 8-12 times more likely to suffer injury in by violent crime in the US then you are in Australia.

Re:Laws just hamper the law abiding

You may not see very many terrorists there, but I'll bet you don't see much of anything else there either. In your example, I don't think you've got the correlation right.

By the way, how many terrorists do you see anywhere in the US? I don't know that I've seen a single one, but if you do I think you should probably report them.

Re:Laws just hamper the law abiding

[Kaukomieli]

You advocate a

( ) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting crime. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Criminals do not care about laws
(X) Carrying a gun does not teach you how to behave correctly under attack
(X) Identifying people with guns in plain clothes shooting at each other gets difficult for the police
(X) Untrained cilivians shooting at trained criminals will get the civilians killed
(X) Untrained cilivians shooting at trained criminals will get other civilians killed
(X) It will increase the availability of guns, leading to more gunfights
( ) It will stop crime for two weeks and then we'll be stuck with it
( ) Courts will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from criminals
( ) Requires immediate total cooperation from everybody at once
( ) People cannot afford to lose business or alienate potential employers
( ) Anyone could anonymously destroy anyone else's career or business

--- snip ---

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical

(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Laws just hamper the law abiding

If that was mandated, how many people would die by accidents because of the guns, and how many lives would be saved?

You're right, it's not without merit, it would probably help a lot against terrorists, but the side effects would probably be that a lot of people would die because of accidents with guns.

Re:Laws just hamper the law abiding

[Hal_Porter]

The murder rate will go up by a few hundred percent for a few decades. After that it will drop down. Essentially evolution will select people with good impulse control and self discipline, which in the long run will lead to a more civilised society.

You wouldn't have the charts full of rap, numetal and emo for a start.

Re:Laws just hamper the law abiding

In the town of Virgin, Utah it is legally mandated that every household that can legally have a firearm must have one.
You don't see too many terrorists there.

Not yet, but just wait. They'll be showing up later looking for their reward.

Re:Laws just hamper the law abiding

[Yvanhoe]

In the town of Virgin, Utah it is legally mandated that every household that can legally have a firearm must have one.

You don't see too many terrorists (*) there. QED.

(*) For some values of "terrorists".

Re:Laws just hamper the law abiding

Really? Amazing.

Hey, wanna buy this rock? It keeps tigers away.

Re:Laws just hamper the law abiding

[fprintf]

I know you are being funny about the gun store, but it does happen since gun stores are often not open for 24 hours. Locally we have a gun store that has been robbed a few times over the past 20 years. In one case the robbers burned the place down afterward, which was all over the news as the ammunition started to go off. They rebuilt at another location just down the street, with full cages on the windows. A few years later, at 3 in the morning, a robber drove his full sized pickup through the reinforced doorways and made off with only a few guns while the alarms were blaring.

They have since build a new building on top of a hill, presumably so any trucks can't get enough momentum to smash through the doors. They also have a building with concrete pillars around the doors *and* you have to walk down a long hallway past the shooting range to get into the retail section so there is no way to crash any vehicle smaller than a tank into the store. At least they learned eventually!

Re:Laws just hamper the law abiding

[theaveng]

In cities and states that overturned their anti-gun laws, the murder rate went DOWN.

In cities and states that passed anti-gun laws, the murder rate went up.

Re:Laws just hamper the law abiding

[theaveng]

>>>Identifying people with guns in plain clothes shooting at each other gets difficult for the police

That's true. It is much easier for the police to say, "Well he's the victim," as my corpse lays there in a pool of my own blood.

Personally I would rather carry a gun and try to prevent my own death, even if it does make the police job more difficult.

Re:Laws just hamper the law abiding

[RaigetheFury]

Whoa whoa buddy, your facts are ALL WRONG!!!

Somalia and Russia are a different playing field. More Somalia than russia really. People who have guns have power. Typically those without guns can't afford them. Plain as that. Comparing Somalia to the US is like comparing apples to oranges.

The world is a complex place, and "weapons" don't solve everything... but being a criminal, if you know that person has a gun typically you'll go after the person that doesn't. Less risk.

The US has laws in place that pretty much screws anyone who shoots their gun without using their brain. I wish i didn't live in a world where guns were needed but that's how it is. Before you pass judgment on me... I don't own a gun. The level of security i wish to live requires only two great dogs (labs) to alert me or let the criminal know that my house probably isn't the best place to rob.

However, there are a LOT of people who's way of life and experience require some form of protection. A gun is one of those things.

Another thing, when you're talking about the number of gun deaths, what about the crime rate? You quote VIOLENT crime... but what about overall crime. Hmm lets look!

http://www.gunsandcrime.org/auresult.html ... wait that can't be right it says the crime rate INCREASED... in fact it says the crime rate exploded... lets look at more references... this one must be flawed...

http://www.google.com/search?hl=en&q=AU+crime+rate+gun+legislation&btnG=Google+Search&aq=f&oq=

Well... I'll be damned. Government studies, independent studies and just plain facts show you're completely wrong. Here are some quotes from your own major news groups.

"Crime rate has been skyrocketing in the UK and AU since stricter gun control laws were enacted..."
"Australia saw its violent crime rates soar after it's gun control measures..."

It's littered with the same thing. You are WRONG. Your violent crime might be down but your crime went through the roof!!!!!

The only gun control the US needs is to require education on ALL purchasing of firearms, and much much stiffer penalties on those that illegally own firearms. I have NO problem with someone owning an automatic weapon as long as they have proven that they are trained to use it.

Re:Laws just hamper the law abiding

[terrabitter]

Most people in Sweden dont carry guns. Alot of people have weapons for hunting locked up, but those arent practical for p2p (person to person) situations. I've never seen a private non-hunting firearm in my life here in the hands of a civilian.

Re:Laws just hamper the law abiding

[geckipede]

Are those US statistics? I can believe it would be true there because the states have drifted into a situation where no force on Earth could get rid of the arms black market and so many people are armed that criminals are forced to be so that they are on an equal footing. Neither of those things are universally true for other countries.

Re:Laws just hamper the law abiding

[Erikderzweite]

Russia has very strict gun laws. It always had. And guess what -- when the Soviet Union was around, a gunshot murder was almost an emergency in Moscow (10 Mil. people) -- an occurance so seldom that you could be sure that the investigation is lead by a police general. Of course, many guns were illegaly sold after USSR has collapsed. Now gunshot murder happen on a daily basis there, a routine...

Re:Laws just hamper the law abiding

[tehcyder]

You could require all men to carry guns. How far do you think the gunmen in Bombay would have made it if they knew every man they came upon would shoot back?

The terrorists would just have to have been a bit more elaborate in their planning, maybe used planes or something.

Re:Laws just hamper the law abiding

Fucking Kangaroos.

Re:Laws just hamper the law abiding

[Sri.Theo]

Cite? After the Dunblane laws were enacted in the UK the exact opposite happened, deaths involving guns gradually decreased. They're practically non-existent now- although we do have pretty similar levels of violent crime, fewer people get killed because of it.

Re:Laws just hamper the law abiding

[KeatonMill]

I would think the exact OPPOSITE would happen -- cooler heads would get shot on impulses...

Re:Laws just hamper the law abiding

[Shotgun]

Virgin, Utah?

Forget about terrorist. You don't see too many PEOPLE there.

Re:Laws just hamper the law abiding

> Crime in the US is higher then any other western state (unless we include Russia) so please don't bring up US and the UK as examples
> of how gun legislation hurts. Properly enacted it will reduce the number of gun deaths (accidents in AU have dropped by 90%, whilst
> violent crime has not increased by the same amount as the US). You are 8-12 times more likely to suffer injury in by violent crime in
> the US then you are in Australia.

Accidents aside (I consider that a darwinian effect), you have a rather obvious problem with your statement: This never accounts for the fact that while gun deaths will go down, deaths via other methods will just go up to fill the void that they left. The problem is not guns, it's crime.

The presence of guns does not cause crime. Crime will exist regardless of whether they are available or not, and criminals will use whatever weapons are most convenient to them.

I'm fine with the murder rate here in the U.S., as it mostly represents criminals killing other criminals. Isn't that what we want?

Re:Laws just hamper the law abiding

OR, evolution will select the people most willing to use their gun on other people instead of be the "good impulse control" people having the gun turned on them.

Maybe the first step should be to make the legal system not a joke.

Re:Laws just hamper the law abiding

[zaffir]

Perhaps that's due to better hospital systems and medical techniques, and not the gun ban?

Re:Laws just hamper the law abiding

[amRadioHed]

Still when has anyone successfully robbed a gun store?

About 10 days ago.

Re:Laws just hamper the law abiding

[BooRolla]

Seems like people with good impulse control might go first

Re:Laws just hamper the law abiding

Or perhaps you would look at South Africa, where no-one is willing to travel without a gun, not because Johannesburg is safe but because if you don't have it you will be a victim because crime is so high.

So isn't that one example of a scenario where guns perform a deterrent role as the GP poster suggests?

Not that I disagree with you. As I see it, the point you are making is that the safety of a society is not correlated with the incidence of gun ownership, which, in my opinion, is a great argument for a lack of gun laws.

Re:Laws just hamper the law abiding

[supernova_hq]

As much as this sounds like a good idea, it's a "few years" part that messes up the entire idea. The problem is that elected officials are typically only in office for 1-4 years, so they will NEVER impose a law or regulation that will only be bad during their term and good for the next guy. It's pretty much political suicide.

Re:Laws just hamper the law abiding

[Smauler]

These columns are, in order : Year, Total injuries, Fatal injury, Serious injury, Slight injury, all from non air based firearms in the UK :

1998/99 864 49 162 653
1999/00 1,195 62 200 933
2000/01 1,382 72 244 1,066
2001/02 1,877 95 392 1,390
2002/03 2,179 80 416 1,683
2003/04 2,367 68 437 1,862
2004/05 3,856 77 410 3,369

The number of firearm crimes which resulted in injuries has more than doubled in six years: from 2,378 in 1998/99 to 5,358 in 2004/05. The largest rise was seen in crimes involving non-air weapons.

Where the fuck are you getting your statistics? These are from the Home Office. Honestly, you're just completely wrong.

Re:Laws just hamper the law abiding

[jonbryce]

No it's because people here mostly get killed with knifes rather than guns.

Re:Laws just hamper the law abiding

[mjwx]

Most people in Sweden dont carry guns. Alot of people have weapons for hunting locked up, but those arent practical for p2p (person to person) situations. I've never seen a private non-hunting firearm in my life here in the hands of a civilian.

Exactly what I was trying to point out. Most Swede's have some training with firearms and every Swede I've ever met knows how to take care of and properly store firearms (its the law in AU that if you own a firearm, you must be able to store it properly).

Re:Laws just hamper the law abiding

[mjwx]

Accidents aside (I consider that a darwinian effect), you have a rather obvious problem with your statement: This never accounts for the fact that while gun deaths will go down, deaths via other methods will just go up to fill the void that they left. The problem is not guns, it's crime.

The presence of guns does not cause crime. Crime will exist regardless of whether they are available or not, and criminals will use whatever weapons are most convenient to them.

You're making a critical mistake here. You're assuming that motive trumps opportunity, crime is 99% opportunity and 1% motive, when people have to go to extra lengths to commit crime they will usually be discouraged. I'll use the classic example of what if someone breaks into my house with a gun, well in Australia if a criminal is well connected enough to illegal own a firearm why they hell are they robbing me? take away a criminals firearms and they turn into cowards, when they have to put me in a position where I can easily fight back they tend to turn to crime where the victim cant fight back, hence you will see a rise in the amount of robberies and home invasions committed against the elderly. You will also note a sharp drop in violent crime. We have some gang crime here in AU but instead of having automatic weapons they are forced to fight with knives and clubs, first this reduces the number of actual deaths (more survivors from attacks) and dramatically decreases the number of innocent bystanders injured or killed from gang violence.

I'm fine with the murder rate here in the U.S., as it mostly represents criminals killing other criminals. Isn't that what we want?

What happens when they run out of criminals to shoot. Lets just ignore the various school shootings and other mass murder events shall we? Let me say that I'm not against gun ownership, I'm against unrestricted gun ownership. We are still permitted to own guns here in AU, we just have to be licensed for it. We make people get a drivers license before allowing them to drive because cars are dangerous when you don't know how to drive them and its worse with guns. So getting a gun license is just as easy as getting your drivers license (to get a drivers license you have to prove that you can use a car safely, same thing for a gun license).

Re:Laws just hamper the law abiding

[gnud]

Well, no.

The irrational, hasty people would shoot all thoss annoyingly calm and dastardly intelligent and eloquent motherfuckers.
=)

Re:Laws just hamper the law abiding

[mjwx]

OK, I've only bothered to half research your post and can see how wrong you are.

Allow me to enlighten you about laws, they don't work immediately so bringing statistics from 1997 wont help, lets look at 1996 to 2000 shall we.

Let's ignore the first link as you clearly cherry picked that one and go to the google link you so graciously provided.

there are a LOT of people who's way of life and experience require some form of protection. A gun is one of those things.

Another thing, when you're talking about the number of gun deaths, what about the crime rate? You quote VIOLENT crime... but what about overall crime. Hmm lets look!

http://www.gunsandcrime.org/auresult.html ... wait that can't be right it says the crime rate INCREASED... in fact it says the crime rate exploded... lets look at more references... this one must be flawed...

http://www.google.com/search?hl=en&q=AU+crime+rate+gun+legislation&btnG=Google+Search&aq=f&oq=

The first link off the google search you provided is: http://www.breakthechain.org/exclusives/australiaguns.html I'll list a few stats for you.
Armed robberies:
1995 - 27.8%
1996 - 25.3%
1997 - 24.1%
1998 - 17.6%
1999 - 15.2%
2000 - 14.0%
There was a shocking 10% decrease in the space of 2 years? how can this be explained?

The most shocking statistic (for you) is that criminals are now targeting those who cant fight back in a fair fight. Criminals are cowards so crime against the elderly has increased whilst crime overall has decreased.

Also firearm hospitalisations have decreased. http://www.aic.gov.au/media/2001/20010402.html

The number of crimes against People and households is decreasing. http://www.abs.gov.au/ausstats/abs@.nsf/bb8db737e2af84b8ca2571780015701e/8D4BD468F3B92E33CA2573D2001089F8?opendocument
The relevent info is under "13.4 Victims of Crime 2005" Overall crime has dropped, the only form of crime to increase are assaults, assaults are up whilst gun related deaths and gun related hosptial adminssions are down. The rise in this statistic also means that more assaults were reported to police, I tend to like the fact that if I'm attacked I'm going to live to tell about it. My wallet can be replaced, knife wounds heal, a gun shot is forever.

It's littered with the same thing. You are WRONG. Your violent crime might be down but your crime went through the roof!!!!!

*Cough*

The US has laws in place that pretty much screws anyone who shoots their gun without using their brain.

Which laws are these pray tell.

Gang violence is rife amongst many of your cities and you continue to protest that people who cant keep their guns under control are punished. Gun crime is a daily occurrence in the US, a single gun related murder is national news here in Australia

But this is exactly my point, contrary to the opinions of many uninformed Americans, guns are not banned in Australia they are restricted. I have a license, I can go and get myself a hunting rifle during lunch if I wanted to, I used to own guns but I sold them when I quit my blue collar job to further my education (they were for sporting purposes). American gun nuts tend to like bringing up the point that guns are no more dangerous then cars (which is total BS, guns are orders of magnitude more dangerous then cars, most people involved in car accidents survive while firearm accidents tend to ki

Re:Laws just hamper the law abiding

No, you are wrong. Places without guns are a lot saver. Just take a look at this attempted casino robbing in Garmisch-Patenkirchen, Germany.

http://www.focus.de/panorama/videos/panorama-dreister-casino-ueberfall_vid_3951.html

Re:Laws just hamper the law abiding

[shutdown+-p+now]

It sort of depends on which sources you prefer.

So far, I've seen several dozen studies on correlation between gun control and crime rate, and they all seem to say whatever the people who made them wanted them to say. So far, I'm not convinced either way, though I tend to be inclined towards the gun ownership croud (if only because we shouldn't ban something that's not conclusively proven harmful for the society... when it will be, then we can ban it).

Re:Laws just hamper the law abiding

[shutdown+-p+now]

... if the myth that guns keep people safe were true, why aren't Somalia and Russia amongst the safest places to live?

I can't tell anything about Somalia in this context, but Russia is a wrong example. It has extremely tight regulation on all self-defense weapons, including (but not limited to) guns. Getting a gun for yourself is pretty damn hard, and certainly not for an average Ivan - you've got to be a private security contractor or something. For us people, they offer to use: the shocker - available models severely limited in power to the point of being unusable; pepper spray - marginally useful against a single attacker at a very short distance, easy to get yourself caught in the spray; or a "traumatic pistol" (shooting very large caliber rubber balls) - would be good, but they are also extremely limited in power, to the extent that they do little aside from knocking off one's feet if the target is dressed in winter (thick) clothing. The limits stem from the restriction in the law on self-defence that any measures used should not "cause considerable distress", not cause any permanent damage (e.g. blindness, deafness, bone fracture), and not incapacitate for more than 10 minutes.

In practice, this means that even if you forgo any specialized self-defence tools and use your own hands, and happen to e.g. blind the attacker (which is about the only reasonable thing a weak victim can do to a strong attacker - stab into the face with the fingers and hope for the best) - you'll end up in the court, and will most likely be found guilty. God help you if you kill your attacker, even if it wasn't done on purpose, and merely a lucky strike/shot - that's a murder, and will be prosecuted as such.

Meanwhile, criminals, of course, have guns - handguns, mostly, but an occasional AK is not unheard of. And knifes / knuckles / batons (which are also all banned as a self-defense weapons). They do not hesitate to use them, either.

So, as a Russian, I can tell you that the supposedly beneficial gun control (and associated measures) is not only not working here, it results in quite likely the worst possible situation, where one simply cannot defend oneself, while the need to do arises often. Personally, I would feel much safer on the streets at evenings if I could carry a concealed handgun with me. Or at least a decent baton.

Re:Laws just hamper the law abiding

[mjwx]

So, as a Russian, I can tell you that the supposedly beneficial gun control (and associated measures) is not only not working here, it results in quite likely the worst possible situation, where one simply cannot defend oneself, while the need to do arises often. Personally, I would feel much safer on the streets at evenings if I could carry a concealed handgun with me. Or at least a decent baton.

In all likelihood it will become like Johannesburg in South Africa (even the most ardent anti gun activist will pack) as the criminals are so desperate/stupid that they will attack a clearly armed target. A mutually armed gun fight doesn't remove much of the risk for the criminal or any of the gain and most un-organised criminals aren't too bright, the organised ones will just bring backup. Criminals will not give up guns just because guns are easy for everyone to get. It's more likely that you will see more armed criminals, and more desperate criminals. If you want to get rid of something you need to target its demand, barring that go for the supply. an oversupply will not decrease demand, rather it will just drive down prices.

Before I say anything else, I 100% agree with people being able to carry non-lethal weapons (mace, baton, low powered taser). But harsh laws should be in place to discourage their use except in an emergency (self defence). I fancy my chances against an assailant with a knife then I do against an assailant with a gun even assuming I have the same weapon, my wallet can be replaced, most knife wounds heal completely where as a gunshot wound never heals completely if you are lucky enough to survive it.

Guns don't make people safer because it relies on too many variables. Can you trust that everyone on the street:
-knows how to operate a firearm.
-knows how to care for a firearm.
-will keep the safety on.
-can aim (big one here).
-can identify "the bad guy" from an innocent bystander.
-wont get any funny ideas about using that pistol he's carrying.
that last one is why gun crime gets so high when policing is ineffective. From what I've been told about Russia is that the Mafia pretty much owns everything and the government and police are impotent.

In practice, this means that even if you forgo any specialized self-defence tools and use your own hands, and happen to e.g. blind the attacker (which is about the only reasonable thing a weak victim can do to a strong attacker - stab into the face with the fingers and hope for the best) - you'll end up in the court, and will most likely be found guilty. God help you if you kill your attacker, even if it wasn't done on purpose, and merely a lucky strike/shot - that's a murder, and will be prosecuted as such.

By the sounds of it having a gun wouldn't help as even if you shot someone in self defence you still wouldn't be justified in the eyes of the law. Granted those eyes seem to be blind. The laws governing self defence need to be fixed before the gun laws in my opinion, understand the motive before the method.

I've never been to Russia or Moscow but I've got a few Russian friends who've moved to Australia. I've spent a bit of time in Phnom Pehn where as a foreigner I could buy a Colt .45 pistol (most likely Chinese copy) for US$20, every cop, even a simple traffic cop will have an M16 slung over his shoulder and I could hear a few gun shots from my hotel (granted a Khmer gang house was only 10 minutes away by foot) and this is in a country that tourists and foreigners are relatively safe in, the worst an armed khmer criminal will try to do is rob you and its not unusual for them to have a shotgun or Vietnam era assault rifle (Vietnam is pretty peaceful and those guns had to go somewhere). I'll grant that the Cambodians (Khmer) are quite poor and this tends to be a driver in crime. Still I'd rather live in Vietnam or Thailand where the only armed criminals the average ex-pat needs to worry about are the cops.

Re:Laws just hamper the law abiding

I apologize for poking at a particular point of your rebuttal, but the violent crime vs. non-violent crime point caught my sleeve as I went through this thread. What we observe in the north, when looking at such debatable statistics, is that as truely violent crimes drop (homocide & rape for example), the crime index increases, gun control or not. It's a matter of enforcement substitution. Using my province of Newfoundland and of Quebec: both have comperable crime and violent crime rates. This despite the fact that Quebec has a tendency to erupt into biker wars and the like at times, while Newfoundland see's about one murder per year. What keeps the rates comperable is the enforcement, in Newfoundland, of 'lighter' charges (i.e. assaults, mischief). Here, the courts often hear cases of fist fights which ended with nothing worse than a bleeding nose. (Incidently, the violent crime rates for both provinces are also similar, as assaults are counted in violent crime statistics: hence my use of 'truely violent crimes' above). Meanwhile, walking into a police station in Quebec and telling them of how some fellow cracked you one after you both were into an arguement at a bar will probably get you laughed out of the station. There is an inelasticity in policing budgets: If truely violent crimes begin to drop, these people continue to work, and they will process x number of cases as per their time & resources allow. It is therefore expected to see a shift in the nature of police-reported & persecuted crime, with crime rates rising overall - even if the "actual-factual-truethy" crime rate is in a state of decline. Statistics are prone to poor use, but for some reason gun control debaters like to raise this to a new high. I don't believe there is any decent website out there for either side of the argument.

Re:Laws just hamper the law abiding

[bluesnowmonkey]

Given that country A has low crime and few guns, and country B has high crime and lots of guns, you come to the conclusion that guns cause crime. I assume that crime causes people to want guns, and that crime is caused by other factors.

Re:Laws just hamper the law abiding

[mjwx]

Given that country A has low crime and few guns, and country B has high crime and lots of guns, you come to the conclusion that guns cause crime.

Given that country A has ineffective/corrupt policing few guns and does not suffer from a lot of violent crime and country B has ineffective/corrupt and lots of guns and does suffer from a lot of violent crime I came to the conclusion that guns serve to make crime worse. Take Thailand and Cambodia for example, both countries are Buddhist, have corrupt police forces, similar levels of non-violent crime (pick pockets, scams, white collar crime) but Cambodia has an abundance of guns (as a foreigner I could buy a pistol for US$20) and suffers from far more violent crime (muggings at gun point, murders, violent B&E). Put guns into a high crime area and it makes things worse.

I assume that crime causes people to want guns, and that crime is caused by other factors.

Only if youre a criminal. You make a critical assumption that you will be a victim of crime, I would rather have effective policing as opposed to guns. Also if I am to be a victim of crime I'd prefer to live to tell about it, a shoot-out tends to decrease those odds. Making firearms harder for the average person to get makes it an order of magnitude more difficult for the average criminal to get. In Australia if you are a criminal who is rich and well connected enough to get an illegal firearm then you are rich enough not to bother with petty crime. A classic example are the biker gangs in Australia, armed to the hilt but wont bother an ordinary person unless they provoke them (they make most of their money selling drugs). Gang wars in Australia have to be fought entirely with knives and clubs, this ensures that very few innocent people are caught in the crossfire as it's not unusual for fights between gangs (mostly Lebanese and Asian) at nightclubs or other hotspots frequently crowded. Effective gun control (not a total ban, control, in the same fashion as we control vehicle licensing) has raised gun safety amongst legit owners and reduced gun ownership amongst petty criminals.

It's been a success!

[mcbutterbuns]

The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008.

Those are great numbers. Imagine how much SPAM would have been sent had the law NOT been passed!

Private right of action

[gorbachev]

Private right of action got stripped out of it due to complaints from the direct marketers. That was strike one. With so much spam it's completely unreasonable to expect anyone to enforce the law. Crowdsourcing the enforcement through private right of action would've worked. And the direct marketers knew it...

The second strike was that the bill didn't anticipate the success of botnets and Russian organized crime. The law doesn't do jack s*** about that problem.

What went wrong?

[darjen]

Easy - Congress got involved. And, as usual, they are a complete waste of time, money, and effort.

ha

just goes to show that making laws about stuff wont change anything.

Like say, prohibition lol

1c / email

[zaax]

If very one was charged 1c per mail & laid down in legislation that is all that can be charged, it would close the free lunch table spammers are eating off.

Re:1c / email

[__aajfby9338]

One cent? It costs a lot more than that to send paper spam, yet my physical mailbox gets crammed full of the stuff nearly every day.

In other news

[jmv]

Five years after being passed, the law banning flies still hasn't reduced the amount of flies. What went wrong?

Friend codes

[tepples]

In order to stop spam, we need to stop using SMTP and switch to a protocol that rejects mail by default. Unfortunately, this requires a flag day

Not necessarily. The Wii game console implements a transitional protocol that enforces whitelisting, much like the friend code system of Nintendo WFC games. To send mail to someone's Wii Message Board, you have to be in his address book and he in yours. It interoperates with classic SMTP: when you add an SMTP address to your message board, the address gets an e-mail from wii.com asking the user to accept or reject this contact. People who need to accept random business contacts from suppliers or customers can set up a web form; this could be as simple as a form mailer or as sophisticated as an issue-tracking system such as Bugzilla or OTRS.

One word

[Phroggy]

Enforcement.

The law itself is just fine. It cautiously defines spam, in a way that makes virtually all current spam clearly illegal, without causing significant free-speech problems. But spammers won't voluntarily obey the law, and the government isn't prosecuting them for violations.

The Washington Post managed to get a huge amount of spam stopped just by making a phone call. The government should have been there first, and they weren't.

I work for a company that does opt-in mail lists

Our clients include many bands and music venues. We make every effort to be legit (unsubscribe links, legit reply email addresses, and all legit headers and DNS entries), but the rules of the game are not even available.

See, many ISP's (AOL, and my new target of wrath, earthlink) have rules about the maximum number of messages allowed to come from a single source to their domains in a given time period. Exceed those, and you are an abuser. Except they won't tell you how many messages or how long the period. On the one hand I understand as spammers could use this to get through. But you can't even call them and get info. I've emailed their abuse lines with no reply. It's as if NO ONE knows this info. How does one follow the rules when they are undocumented and beyond the legislative code?

Or when earthlink this past weekend decided we were a spammer, and spammed us back with abuse notices. But then they delivered our email to their customers many, many times in repetition. Like a dozen or more. It was not a server flaw on our side as confirmed by the database and log files. It was 'something' on their side that acted as a repeater for our legit email even as it was notifying us that we were spamming. We then get lots of nasty emails, which we reply to by hand. I spent half of the morning yesterday trying to get anything out of earthlink regarding the issue, but if you don't want to subscribe for service, they don't know what to do or where to have you call. I don't even know what the hoops are, much less can I jump through them.

I get lots of unwarranted spam, but I also get many distribution lists that I want and look forward to reading. Some places make that a nightmare if you want to provide that service.

Re:We took a knife to a gun fight.

[magarity]

Um, flag day?
 
At 0800GMT on the Nth of Y, all admins everywhere in the world will press the magic button and convert to the new email sending protocol.

It's all about the cost

Cost for a substantial compliant mailing setup - Around 30k
Cost for a substantial non-compliant mailing setup - Around $1-2k.

There's a significant part of your problem, and no amount of legislation is going to lower the cost of legit IPs/data anytime soon. When spammers can't spam compliant, they spam non-compliant.

What went wrong?

[damn_registrars]

Doesn't the question "What went wrong?" imply that there was something right to begin with? There was almost nothing right in this bill. Though the most obvious problems include:

• A massive loophole for most spam
• No good enforcement mechanism for any but the most egregious offenses

And probably the most important:

• It is a US law for an international problem.

Sure, the US is the originating point for a lot of spam,but there is plenty of spam that starts elsewhere. And if the offense is somehow tied to people in another country then good luck getting any enforcement.

Re:We took a knife to a gun fight.

[kybred]

Um, flag day?

Yes, a Flag Day.

the trail Re:Legislation fixes nothing

[damn_registrars]

Where there's money changing hands, there's a trail you can follow. The problem is seemingly that no one wants to follow that trail.

The problem with the trail has more problems than that. You can probe the trail yourself for any piece of spam you receive. Check the following for the next spam email you get:

• The IP address of the last mail server to relay it to your inbox
• The registration of the domain that is being spamvertised
• The identity of the registrar that sold the spamvertised domain
• The IP address for the webserver for said spamvertised domain

You'll probably find people and companies in at least 2, if not 3 or 4, countries in that list.

And getting them to care about CAN-SPAM - when likely at least one doesn't speak fluent English - will be near impossible.

Re:We took a knife to a gun fight.

[magarity]

one where every email sent is assumed to be one that the designated recipient wants.

The problem of being assumed wanted by the recipient pales to insignificance compared to the problem of the sender being correctly identified.

spam......

is the very same result of the concept
"free market"
u make booms..and boobs.....
at the same time

What went wrong (oblig)

[snarfies]

Your news story advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
(X) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
(X) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Just a big stuffed animal.

[Neanderthal+Ninny]

CAN-SPAM less than toothless tiger, tiger still have claws and muscles and still can kill you.
The issue is that lobbyist has congress in their pockets and neutered the real CAN-SPAM act and now we have a big stuff animal of a tiger of an act.
What should have occurred is all people on all mailing are now cleared and people that still want to legitimately subscribe to the mailing list they want will still get their mail. All other mail they get is spam, in the eyes of the beholder. I work in biomedical/pharmaceutical research so what appears to spam to one person is legitimate to another so I have tuned my spam filter differently from others.
Also they need to properly search for, arrest and prosecute all of these morons and truly punish them. None of these released after pleading guilty and "promising" not to do it again and they are back on bot controller to start the sh&# again. Also they should get all of the money tey stole return money to rightful people. Also as punishment they should have NO access to any electronic devices during their sentence.
This should discourage most of the spammers that are spamming us now. There are the extremist that won't get "discouraged" from spamming and we have Gitmo for them....

What went wrong? Congress!

*Everything* Congress has touched has failed. I can't find a single thing they've done that's admirable.

    In this case, they assumed they controlled the internet: they don't. They can't, unless they kill it, and make another that runs only in America, costs too much for anyone to have, and has no content. Kinda like Amtrack.

- College tuition is so high because no matter the amount, the government will pay it.

- Banks collapsed when they were told they must make loans to people without jobs, just because they were black/hispanic/pick-one. This was just another spin-off of the never-effective "New Deal" which is otherwise known as the Democratic Bank Scandal. (Show me ONE Republican. Just one.)

- Funding welfare of all kinds hasn't changed the poverty a single percentage point in 70 years or so. (Anywhere) It doesn't work. It's time to stop funding the process, period.

- Amtrak runs places senators want to look good, not places people want to go.

- The Department of Education has consumed BILLIONS of dollars and never educated a single child.

- Sponsoring ethanol, rather than letting the free market do it has people overseas starving. Government funding means they get paid large amounts of money, even though it corrodes machinery. Even though it's not a great idea. And people starve.

        What does Congress have to do to be thrown out?

What went wrong here?

One word - Congress.

The very same Congress you want to manage your health care.

When will you people ever learn?

Spammer abilities

From TFA:

"...they are developing the ability to modify images so that each image sent in an e-mail is different."

Is this even possible?

Re:We took a knife to a gun fight.

Well, Internet Mail 2000. But good luck getting everyone to switch.

Education of the users is the answer.

[NeoTron]

Most of the comments I've read so far are either concentrating on legislation, and/or a technical solution to the spam problem.

Legislation won't solve the problem (a la drugs, guns, or any illegal vice you care to think of - they still happen despite legislation)...

Technical solutions would solve the problem - if only the whole planet would instantly switch over to "New Improved Email Services[tm]" at precisely the same time - again, at the moment this looks to be unlikely due to the sheer logistics of accomplishing such a task.

What I think is a better solution, is to begin educating whoever is going to be using an email system - and you begin that education EARLY.

Today's children are tomorrow's email users, consumers, workers, and contributors to Society. The current spam problem is NOT a technical or a political problem as such - it is a SOCIAL problem - i.e. a lot of humans are stupid and naiive - and it is this naivety which the spammers and surrepticious criminals prey upon. Why do most of us not recognise this?

Begin a program of - oh I don't know what you might call it - "Life Education classes" - in which you at least TRY to get young children to begin to get savvy to shysters, tricksters, con-men, whether offline OR online. Educate them on the dangers of following spam adverts, online scams, etc. Do this from kindergarten age upwards through high school - drum the message in.

At the end of it - when these kids exit high school or Univeristy, they at least have been ingrained with a certain skepticism about spam and other ways to get conned by crooks.

Another way of putting it is this : spammers, scammers, and criminals prey upon naivety - it is their oxygen supply. If we start imbuing new generations of future users with a healthy dose of awareness about the dangers of following these spams and scams, you're beginning to cut off that oxygen supply to the crooks.

This of course won't solve the immediate problem, but, again I point out, this is an escalating SOCIAL problem, and should NOT be considered a technological problem - what's happening now is the social problem is being exacerbated by the technology. Remove or reduce the social problem and the urgency of the technological and political problem is also reduced.

Re:We took a knife to a gun fight.

[Timothy+Brownawell]

In order to stop spam, we need to stop using SMTP and switch to a protocol that rejects mail by default.

I wasn't aware that SMTP was incompatible with whitelisting. In fact, I'm pretty sure I've heard of setups that do just that, result in an SMTP server that rejects connections from people it doesn't know.

Doomed to fail

[DaMattster]

This law was doomed to fail because it is not practically enforceable. You get the big fish and maybe drop the amount of spam for three days until a bigger takes its place. I like the technological/economical approach to combating spam. OpenBSD has come up with an ingenious way of using technology to take the economy out of sending spam. They have come up with spamd, a fake smtp daemon which can cause delivery of a single spam message up to 5 minutes thereby causing a massive queue clog on the part of the spammer. By causing a severe bandwidth clog on the spammer's end, you remove the economy of mass emailing. I have used this solution to rid my father's company of ALL of its spam. It makes me laugh with delight to comb the logs and see the fool spammers continuing to try delivery and there is 0 impact on our bandwidth.

Re:Doomed to fail

[value_added]

OpenBSD has come up with an ingenious way of using technology to take the economy out of sending spam. They have come up with spamd, a fake smtp daemon which can cause delivery of a single spam message up to 5 minutes thereby causing a massive queue clog on the part of the spammer.

There's a bit more to it than that, but yes, that approach (also available for the other BSDs) is one of the easiest to implement and one of the most effective.

I handle my own email on a DSL connection and opted for using Spamhaus' DNSBLs instead of going the spamd route. Not an option for some, obviously, but I get zero spam and have zero issues. My maillogs are filled with refused entries, of course, the majority of which are from people on dynamic DSL/cable connections (Comcast, etc.), with the remainder mostly from China, also mostly on dynamic connections. Unsurprisingly (or perhaps not), those same two groups are responsible for the spam I do receive from my ISP's Yahoo account and my Gmail account.

Fundamental problem fighting SPAM

[zorro-z]

SPAM is, without question, the most perfect business model ever conceived. It's simple math, really. Consider:

* It costs the same amount to send literally an infinite amount of unsolicited commercial e-mail messages as it does to send 1.
* If one person out of the infinite SPAM recepients buys the advertised product, the spammer makes money.
* Any finite number divided by infinity is zero.
* Therefore, a spammer makes money even with a *0 percent* response rate.

No way to beat that model. Therefore, it's overwhelmingly unlikely that a legal solution to spam will work. It also makes it almost impossible for a technological solution. The best advice re: SPAM is the one I give to all my users: delete SPAM messages as quickly as possible, devoting as little brain power as possible to the process.

Re:Fundamental problem fighting SPAM

[1s44c]

* It costs the same amount to send literally an infinite amount of unsolicited commercial e-mail messages as it does to send 1.

That could be changed. There was the idea to add some kind of encryption challenge in the SMTP transaction so that mail delivery had some cost.

It would be useful as part of a spam scoring system.

murder is a solution

If Barack Obama promised full pardons when you murder a spammer, things would change really fast

Re:We took a knife to a gun fight.

[mellon]

Not really. AIM and Skype do a pretty good job of it. So does ssh. It's a simple matter of public key cryptography, coupled with some variety of introduction and rendezvous mechanisms appropriate to the various ways you might know another person online.

Re:We took a knife to a gun fight.

[mellon]

Well, as another person mentioned, whitelisting is pretty useless because it's easy to forge a sender address. It's not a good argument for a pull protocol, but with a push protocol like SMTP, it's a real problem. If whitelisting were widely and effectively implemented, it would be one more incentive to spammers to crack your friends' and relatives' address books.

Nothing went wrong, it lived up to the name...

I don't understand the confusion... it was clear... they said you CAN-SPAM, right?

What went wrong: ICANN castrated itself!

[Helldesk+Hound]

What went wrong is that the ISPs have not been made responsible to ensure that their clients do not send out large quantities of spam.

If the ISPs were required by law to temporarily disable or even permanently terminate all internet connections that have ANY computer that is sending out quantities of spam - ie if the ISP was at risk of having their own network existence permanently deleted/deregistered by ICANN if they did not actively ensure their network was not a source of spam or a source of the management of spambots...

The onus needs to be forcibly put onto the ISPs in order to compel them to keep their part of the Internet free from spam - and the penalty needs to be draconian.

Otherwise the basic greed of the owners of that ISP will cause them to not do anything that would hurt their revenue from spammers.

Do that and spam will disappear within weeks - just as soon as ICANN finds the balls to start deleting/deregistering those ISPs from which spam is constantly spewing out.

Government failure? Oh no!

[marco.antonio.costa]

Government fights unemployment, we get more unemployment

Government fights a recession, a depression lasts for ten years.

Government regulates and prints money, hyperinflation and financial bubbles.

Government invades Iraq, never leaves.

Government passes law on spam, spam increases tenfold?! Oh Lord, what a surprise!

Who is receiving spam? I am!

Thats all well and good - what about 200+ ?

On occasions with various email accounts (publicly visible addresses) I have received at least this daily. Mail filters sucessfully caught at least 98% of all mails, but that isnt the point.

Everything else would have been a surprise.

[Kaukomieli]

the spammers CAN SPAM.

Re:We took a knife to a gun fight.

[magarity]

I meant significant problem as in more the root cause, not technical difficulty. If only the senders could be 100% verified, it would do a LOT more towards eliminating spam than identifying the recipient's desire to recieve.

Re:Singularity?

[Hal_Porter]

I dunno, it seems to me that once your brain has been uploaded to a computer getting turned into a zombie by malware and forced to spam all day would kind of suck. Of course some would say this is what has happened to cult members now.

The Name

[Frankie70]

CAN-SPAM Act Turns 5 Today -- What Went Wrong?

Maybe if they had named it CAN'T SPAM, it may have turned out better.

Who is supposedly profiting anyway?

[Ashtead]

Based on the spam I get here, there is no big incentive to buy anything from whoever's business being advertised to begin with. To the extent there even is any kind of business there at all.

To illustrate, from looking at some recent deleted spam I make the following observations:

First of all, my penis is just the size it should be and it works the way it should, so no need for enlargments and viagra, nor, presumably, subsequently having to carry it around in a wheelbarrow.

With that taken care of, next, I don't have time to do contract negotiations with alleged attorneys claiming to represent rich deceased people whom I've never heard of, living in countries where I've never been.

Neither do I care about spending time attempting to claim a prize in lotteries where I never bought a single ticket.

I don't use Paypal in French either.

Then there are the bankers in Ghana that send me notices of their new e-mail address, with wild and wonderful and completely unrelated titles. Since all these notices are basically formatted the same way, the precipitated hypothesis is that there are a lot of bankers in Ghana, and all of them are getting yahoo.com e-mail addresses. Well, I don't need Ghanesian banking services any time soon. If I ever should, I'd deal with someone whose e-mail address had a reasonable resemblance to the name of the bank and the country the bank is operating in, not just some random attention-getter I found in the spam-box.

And that is just looking at the stuff that comes in a language I can read. Sometimes it is Chinese or Hebrew, and sometimes it is in some mysterious language that merely renders as garbage.

Point of all this, there is hardly any legitimate business or services of any kind advertising through this spam channel at all. Hence no one to boycott.

Makes me wonder why do they bother.

Re:Who is supposedly profiting anyway?

[Thiez]

> Makes me wonder why do they bother.

Because sending email to many people is cheap. If one out of 200 spammed people buys the product the spam is advertising, the spammer is making a decent profit.

You lot are worrying about the wrong thing

[1s44c]

Believe it or not spam is a very minor problem.

One day whoever controls all these botnets is going to realize the data on the machines they already control is worth -WAY- more than what they make out of spam. All the botnet herders need is some decent indexing technology and/or keystroke loggers and they have access to all kinds of profitable stuff.

Another bad solution

[1s44c]

Sooner or later ISPs will be forced to block all TCP port 25 except to and from their own mail servers.

It will be a shame for those people who run their mail servers off a DSL line.

And of course the above means the government gets a copy of everything.

Execute them

[Snaller]

The death penalty for spamming - then slowly you'd get to the bottom of this problem.

solution: social networking?

[kwikrick]

Social networking sites, e.g. FaceBook, LinkedIn, etc, provide at least a partial solution to the problem: you only receive messages from friends, friends of friends (or bussiness connections). Confidence in the authenticity of a person can be gained because you can see their profile, follow their conversations with other people you know. And you can shut them out of your network if they are spamming.

Still, a solution is needed for more incidental communications, e.g. when ordering something on-line or when dealing with a company that you have not dealt with before. Maybe a quota system, where you will agree to accept a limited number of messages from a specific source?

 

So a user can take out the whole hospital?

[professorguy]

If the ISPs were required by law to temporarily disable or even permanently terminate all internet connections that have ANY computer that is sending out quantities of spam...."

.

So if a housekeeper using her desktop on my hospital network gets infected by malware, no doctor in the hospital can use email? Hmmm...I foresee no problems whatsoever. Let's do it!

Re:So a user can take out the whole hospital?

[Helldesk+Hound]

> So if a housekeeper using her desktop on my hospital
> network gets infected by malware, no doctor in the
> hospital can use email? Hmmm...I foresee no problems
> whatsoever. Let's do it!

Of course in a corporate environment that is behind a firewall, the only way for email to get out is via that corporation's SMTP server. I'm sure that a large corporation such as a hospital would be able to manage what is connected to its network.

And, of course, you're taking a totally blind approach to what I suggested. I'm saying that ICANN needs to have TEETH and needs to use those teeth against those ISPs who do nothing about spam traveling out of their network when they should be contacting their customer in order to get the spambot removed from the network and fixed before it is permitted to connect to the network again.

Ignorance != Bliss

[jman.org]

Professional lawmakers are typically more expert in crafting rules than understanding their effects. This is natural, because, while they are comprised of a cross-section of society (Doctors, Lawyers, Engineers, etc.), those skills become secondary to their current job of telling us how we must (or may not) act.

Combined with the "market will fix itself" mentality so pervasive in both the Executive and Legislative branches, it's no wonder the letter of the law is so out of touch with the spirit.

Not 200 - a LOT more!

[Gonoff]

http://news.bbc.co.uk/1/hi/technology/7719281.stm says 1 in 12 million.

Wrong start

Because CAN-SPAM set out with the wrong mindset.

Now, if they had started out with a CANNOT-SPAM mindset, they might actually have gotten somewhere.

Seriously. CAN-SPAM didn't make it illegal to send spam, it set up some simple rules making it LEGAL to send spam. Things like the unsubscribe link (you know, the one that confirms that this address is active) actually has to unsubscribe you from that exact "mailing list". (But don't worry, next week we'll be sending spam to you on a different list).

You expected it to work?

[creamy_red]

You expected Can-Spam to help? All it did was define what were LEGAL methods for spammers to use, thus giving them even more loopholes. Anyone who thought that enforcement would be good was deluding themselves.

What went wrong was ...

[rs232]

What went wrong was the CAN-SPAM act was never designed to prevent spam, instead it brought in provisos that actually forbid end-users from suing the spammers and also provided safe harbor for ISPs and 'online marketers', er spammers ...

One measure against spam was putting an `ADV' keyword in the subject of the email, but this was argued against by Bill Gates who instead argued for setting up 'safe harbor' that would absolve online marketers from getting sued ...

strike two and three ..

[rs232]

"Private right of action got stripped out of it due to complaints from the direct marketers"

Strike two was the ISPs getting imdemnified against getting sued and strike three was dropping any suggestion that spam should be flagged in the header such as putting an `ADV' in the subject line. The only canning of spam in the Can-Spam Act 2003 was in the title ..

If there were ever a case for ...

[LorenzoV]

... Extraordinary Rendition, then professional spammers in foreign countries is it.

Given that law enforcement in Russia is not helpful in getting spammers shut down, at least, and better prosecuted, then the remedy should be to just go in and get 'em and deliver 'em to GitMo.

Note: I do not support unconstitutional means nor violating international treaties in any way. However, since it's on the books, use it where it is necessary.

Sure about that?

[Tran]

Wouldn't the people with good impulse control and self discipline be dead - shot by those who don't?
Just asking.

Re:Sure about that?

Ya. It will be those with dead aim and a quick trigger finger who will be alive. Or those with the foresight to buy good body armor (with rifle inserts). Personally, if everyone was armed with a gun, I'd be trying to get my hands on a few tac nukes. Those would end any argument quickly.

Nothing went wrong

[orev]

Nothing went wrong... CAN-SPAM was not meant to stop spam, and suggesting otherwise is irresponsible. It was meant to bring accountability to spam operations operating in the USA, which it did. Because of that, almost all of the "legal" email marketers out there are now out of business, and what we have today are almost all illegal spammers.

Did you RTFA?

[mitchplanck]

Ok, I know it's a /. tradition not to read the article (I only read the 1st page) but even in the first page it talks about the changing nature of spam.

Back then, 45% of all e-mails were unwanted pitches for such products as Viagra, penny stocks or porn sites.

It's a bit different now.

Today, more than 83% of spam contains a URL for a Web site that is trying to infect computers with malicious software.

I've run spam scanning servers for a small ISP since 2000 and the changes that I've seen follow this trend. At one point I installed OCR scanning software for the penny stock image scams. Later it was PDF scanners. Then there was the password-protected zip files which had to be binary scanned. It's back to text now and lots of URL scanning. Grabbing the SARE signatures for ClamAV helps weed out that kind of crap.

It's become very hard to blacklist IPs because so many of them are from botnets and scattered so widely.

Basically, it's all a royal pain and a lot of work.

Kicking the barn doors after the cows are gone

[swordgeek]

There weere two problems with this law:
1) Too little.
2) Too late.

Whether it would have been possible to restrict spam via legislation at all is a theoretical question. However, this law was not written to stop spam--it couldn't have worked, because there were too many ways around it.
Furthermore, it was a law in a single country, and we already knew that that would be pointless.

HOWEVER, the real problem stems from the fact that when spam started to get rolling, a handful of rogue ISPs (AOL, I'm looking at YOU!) refused to take responsibility for it. They allowed enough momentum to develop that it became profitable, and once it was both profitable and legally questionable, it was inevitable that organised crime would step in.

Now we're facing Russian gangs acting across multiple countries in eastern Europe. Think any legislation in the USA is going to slow them down?

What went wrong

[Toll_Free]

The bill was lip service. If you're not going to hire the 25 computer forensic specialists, then give the FBI the manpower it needs to actually bust these idiots, then making laws doesn't mean shit.

Seriously, people. Let's make a bunch of laws about spam, then fight implementing them.

CanSpam law. Making idiots of lawmakers since 2003.

--Toll_Free

How about

[BigJClark]

The fact that there is a market for it? Here's a clue, stop buying the penis enlargers and viagra pills and this market will dry up. The only reason spam exists, is because, golly, its working. Dumb people are buying these dumb products.

THE QUICK FIX

Its a basic illusionary premise that all is well and prosperous. One senses something not quite right one day, and lo and behold, heads turn the other way. Then later that day one goes out and buys someting they can't afford with virtual money.
The quick fix enigma. The LONG fix would be that one would do some research and explore sources, read the flags, or at least program flags in. Ah, but this would take too long a time, and we only get 4 to 5 hours a sleep and I gotta get to my other job, and then a class at 7PM. - CRASH!!!

CAN-SPAM is bad law (should be opt-IN not opt-OUT)

[dwheeler]

The CAN-SPAM law's purpose is to make it LEGAL to spam people. Which means that if you want to get rid of spam, the CAN-SPAM law is FUNDAMENTALLY flawed. Just read the CAN-SPAM law itself. CAN-SPAM says you can legally spam, as long as you follow some rules such as putting your "correct" header information on and including an opt-out clause message.

The primary failing with CAN-SPAM is an "opt-out" system, that is, it pretends that spam is okay as long as the sender includes an "opt out" address. That's fundamentally wrong; that means that senders can constantly create new shell organizations that send "one-time" messages every time they send something. If you're stupid enough to "opt out", you're immediately added to the "valid email" lists (aka a "sucker list"). Reputable articles about spam will SPECIFICALLY tell you to NEVER reply to a spam message, so the legislation requires law-abiding victims to do what they should absolutely NEVER do.

Legislation doesn't solve all problems; murder still happens, even though it's against the law. But the anti-fax-spam law, which is very similar, has been a resounding success. The difference is that the anti-fax-spam law made spam illegal, and required existing commercial ties or an opt-in into a list. Most companies still have and use fax machines, but spam is simply a non-problem for them.... in part because the legislation got this one right. So if you sent commercial spam by fax, then you ALREADY broke the law. Versus "CAN-SPAM", which is opt-out (not opt-in).

We need a law that makes spam ILLEGAL, not LEGAL. If you didn't EXPLICITLY opt into a list, and the message is sent to lots of people, then it needs to be illegal. I would love to see that happen, and with some teeth; spam is making email systems really painful to use. Then the U.S. can stop being one of the spam havens of the world, its current shameful position.

Re:We took a knife to a gun fight.

[mellon]

The root cause is twofold. First, SMTP is inherently opt-out, not opt-in. By default, you always accept an email message unless it is from someone you know is a spammer. Being able to accurately identify the sender isn't all that helpful because most senders will be unknown to you, and thus whether or not they are spammers will not be known. Furthermore, generating new identities ought to be cheap, but in order for knowing the identity of the sender to be useful in the context of SMTP, it has to be expensive.

Contrast this with a pull-oriented email strategy, where my server contacts yours because we are "friends," to see if you have anything new to say to me. Now no traffic passes unless the recipient wants it to. The sender has no opportunity to attempt to fool the recipient, because there is no context for unsolicited traffic.

In this case, knowing the identity of the sender isn't all that important. We need to know that the message is from a person we said we wanted to hear from, but we do not need to know precisely who that person is. Receiving messages is a question of preference, not trust. If you start sending me spam, I un-friend you, and that's it - no more junk mail from you.

Laws don't produce legal behaviour

[Opportunist]

That's the fallacy here. And we see more and more of it every day. X is harmful for people? Ok, outlaw X. It has zero impact, though. Why? Because laws don't change people's behaviour. They may make that behaviour illegal, but whether or not people change their behaviour first and foremost depends on one single factor:

Do they understand why it is illegal? Do they support this law?

That's basically the first thing to ask when you want to know whether people will observe a law. Do they support it? Do they agree that X should be illegal? If they do, all is fine already. They won't break it. They most likely didn't break that law before it became law anyway, out of moral concerns or out of consciousness. Because they themselves thought that this kind of behaviour is "wrong".

If they don't, if they don't consider the law "morally supportable" and consider breaking it, the law's survivability depends on three criteria:

1. How likely is it that you're being caught?
2. How high is your gain?
3. How high is the penalty if you're caught?

And that's it. Nothing else matters. Actually, even only the first one really matters, judging from copyright and the ensuring madness. Zero gain, insane penalties and still people copy. They don't support the law, they don't consider it "morally wrong" to duplicate copyrighted content and the threat of being caught is infinitly small.

And it's exactly the same for Spam. But with the insane gain and (let's be honest here) incredibly low penalty as an added bonus. You want to fight Spam? Then fight it. Making a law about it doesn't do jack if the law is toothless. It's like saying the penalty for dumping oil in the sea is about a tenth of what you save by dumping it instead of recycling it. Then the penalty is just a cost factor, not a penalty. Cost for dumping: Ship, loading, crew, penalty. Most likely even in descending order or magnitude.

And for $deity's sake, enforce it! A law unenforced is a dead law. We already got plenty of them, we don't need more.

We're currently making laws as if this is the perfect solution to any problem. It isn't. Just because something is illegal people don't stop doing it.

PLEASE MOD (AC) PARENT UP!!!

[earlymon]

Email is a recipient pays system.

The AC parent is 100% correct. No way, shape or form is this a free speech issue. It's an advertising issue. A few decades ago, we had a small shop and did a bulk mailing to our neighborhood. We got a bulk rate from the post office - and we paid it. It was a cordial mailing, generated business and goodwill.

That method still exists - but it costs spammers money. TF bad for them and boo hoo!

Political emails and so forth are NOT freedom of speech - they're fucking spam. You want to BROADCAST your message? You get a web site. You pay other web sites to advertise for yours. Just like one TV show is advertised during another.

Any hijacking of any medium from its intended purpose is SPAM. It's really simple.

Please mod parent up - about +1E5, Right On! should just about do it.

PPS - For those getting free email - many providers have it backwards!!!! Who remembers Juno? It was free email. The ads came to you, the USER, until/unless you paid. The ads did NOT go out at the bottom as footers, fer crying out loud.

What's in a name?

[strawberryutopia]

If you name it CAN-SPAM, you can't seriously expect it to have any effect, can you?

Re:We took a knife to a gun fight.

[MatthewHays]

I mostly use facebook to send and receive messages to/from my friends, its largely replaced my personal emails. How about a similar system where you can only receive messages from people on your white list (who have been authenticated)?