Austria Bans Spam

Dan Kegel writes "PC Welt reports the Justice Committee of Austria's Parliament has decided to ban spam. Commercial e-mail in Austria must go only to people who have opted in. Violations are to be punished with a large fine. The new law presumably still needs to be approved by the full house. Seen in the German Linux site LinuxTicker.com. " Der Webpage ist auf Deutsch. Use Babelfish. I suspect the only way we'll kill spam is if we start charging a penny per email or something, but thats a bummer of a solution. I'd settle for simply requiring unsolicited emails to say in the subject that they were spam.

Re:Broadband will make Spam a Huge Burden

[Fastolfe]

I got a spam recently that ended up being from an ADSL customer. His ISP (bcnet.com? I don't remember) e-mailed me back (not a form letter, which was nice) to let me know that not only had they cancelled his ADSL account, but they'd actually gone out and REMOVED THE EQUIPMENT from his residence. That felt good. :)

This ISP also had a rather novel method for using dynamic hostnames with dynamically assigned IP addresses: They place the MAC address in the hostname. Quite excellent not only for tracking purposes, but for network services (such as IRC) where losers on dynamic IP addresses usually give us headaches.

Re:Broadband will make Spam a Huge Burden

[Tom+Christiansen]

You could just get a program that allows you to delete the mail off the server without downloading it.

I'm wondering whether `just' does not in this context constitute a four-letter word. :-)

This is silly

[Lumpy]

Now, everyone knows that 99.9% of the spam out there is sent using the point and drool spamming tools that are available" for a limited time purchase!!! get spamthem and 90billion email address free!"

Now, we cant stop them with laws... we can but their spam butts with technology... a spamprogram specific virus that when it detects ant spam software it erases the hard drive of the spammer and then eats the flash-bios.

This would be one virus that the world would tout as the best thing for humanity...

Otherwise, make the penalty a large bruiser gang wielding baseball bats, you can spam, but these guys get to hit your head once for every email you sent.

Good, now lets get it here.

[Accipiter]

As an experiment, I opened up a Hotmail Account, and I just let it sit. I never used it, and never published it's address to anyone. Within 2 weeks, it was getting regular E-Mails for "Affordable dental / Optical plan" and "See the best Cocksuckers HERE!" Makes you wonder how much MSN is getting in Kickbacks for them to shut up.

Needless to say, this crappy mail ALSO pounds the accounts of people who don't really want it. (not just hotmail, but I get the occasional spam e-mail in my ISP account too. I've been very careful of letting that addy get out.) My philosophy is, if you don't ask for it, you shouldn't get it. You can say "Yeah, but do you ASK for television commercials? Isn't THAT spam?" Yes, you DO ask for it, and no it's NOT spam. You ask for the sponsored advertising because you are using the product (watching the show). Since you don't pay for the show, commercials aren't a problem. But, when you have an E-mail address to talk to friends and family, you wouldn't want porno ads flooding in. There's a difference.

When we see laws in effect Nationally, it will be a better place. However, laws aren't going to stop all of the Spam. People can still forge headers, and close accounts on AOL. But hopefully, it'll decrease significantly.

-- Give him Head? Be a Beacon?

A better solution

[cshotton]

There is a better solution to the spam problem, but it involves upgrading the e-mail (SMTP) backbone to something beyond 1975 technology.

Specifically, e-mail should contain a header with an authenticated signature for the originator. Any mail message that doesn't contain an authenticated signature can be refused at the server level and the spam problem will stop much closer to its source.

Unfortunately, that means that someone somewhere would have to manage a pretty large key repository for everyone who wanted to send e-mail outside of their LAN. Still, it's not an insurmountable problem, since we already have to maintain an equally large repository of information, namely the DNS system. It's more efficient than DNS, since you don't have to check the signature at every mail hop, just when you want to verify someone's identity.

And this doesn't preclude sending mail in the form (essentially anonymous) that we use today. The lack of any authentication in mail messages today doesn't prevent people from using it. If you choose to opt out of sending authenticated mail, you just have to be prepared to have intervening systems refuse to carry your mail traffic.

I guess this really boils down to providing a more robust SMTP server architecture that really validates senders of mail before propogating the messages. Client side and legislative solutions are doomed to failure as long as spammers get to ride the mail backbone anonymously and free of charge.

Re:A better solution

[IntlHarvester]

Doesn't IPSec contain a Public-Key-in-the-DNS system?

I've thought about this a bit, and while everyone hates spam, I don't think the idea of authenticated e-mail would go over very well with Internet culture, as it stands. For example, it would be impossible to send anonymous pro-Linux flames to Bob Metcalfe.

I've even seen resistance to Corporate LAN e-mail systems such as Exchange or Notes precisely because senders are authenticated. (For example, if a secretary sends a message from the Boss, the message will read From:Boss Sent By:Secretary = Boss gets mad because secretary can't impersonate him/her)

Furthermore, it would probably take a long time to push the infrastructure out far enough to be actually useful. If you require authenticated e-mail for customerservice@xyz.com, customers that are still on non-authenticated systems will just go through the roof. This will happen even after Authenticated mail has been "standard" for 10 years.

So, we're really stuck with baseline SMTP for a long time. Everytime ORBS or some one catches or blocks an open relay, clueless admins somewhere in the world set up three more. (Also, noone wants to spring for commercial sendmail that supports ORBS.) What's really needed is for the upstream networks to put a No Open Relay clause in their service agreements. If all the IP traffic from a spam center starts to get blocked at UUNet or MCI, the problem would solve itself in a couple of days.
--

Broadband will make Spam a Huge Burden

[Gorphrim]

Right now many of us are still stuck on 56K (and slower) modems. When broadband ramps up I assume spammers will begin to attach/embed pix and movie files in their emails. Assuming I've got two or three of those waiting on the server, next time I check my email I could be waiting 5, 10, or even 30 minutes just to get through to the legitimate emails. I'm not quite sure of the best remedy, but the unsolicited spam fines seems like a good start.

Re:Broadband will make Spam a Huge Burden

[Tom+Christiansen]

This is not realistic for many reasons.

Not everyone lives by POP. In fact, I doubt whether most people do. I know I certainly do not.

It places the burden on the individual programmer to devise his own personal solution to a pernicious and global problem. This assumes a skill level or global availability of off-the-shelf software for all possible platforms which simply does not exist.

Your approach does nothing to relieve the burden on the mail servers. If you do not think it's the end user who will ulimately bear the burden of these costs, then you're just fooling yourself.

I like the analogy that spam is like direct marketing through collect phone calls - the recipient always pays. It's a succinct and easily understandable statement that leads easily and directly to illegalization.

Send it back

[Farce+Pest]

I'm the double-bounce postmaster for over a thousand domains, so I get a lot of spam that bounces (because the recipient doesn't exist) and then bounces again (because the envelope sender is bogus). In the last month or so, the spammers have shifted heavily back to using multiple relays. I report these to ORBS and lately RRSS. We don't filter based on these lists, in the usual sense, but we do use them for "quality-of-service". I.e. the more lists you are on, the worse your service gets, and the more your queue backs up...

Once upon a time I would notify relay postmasters that their relays were open and that they should fix them. That became impractical, so now I'm taking another approach: If I get a double bounced spam that has come from a host listed on ORBS, RRSS, or IMRSS, I have a script that automagically sends it back to the relay's postmaster. This doesn't always work; some of those hosts don't have a postmaster address, or won't accept mail for their own IP. Most of the time it works. This tends to magically break language barriers and soon thereafter the relays seem to close up, or at least I stop getting spam from them.

So, if you have the bandwidth to pull this off, make your postmaster policy "return to sender": Send undeliverable spam back to the relay. And report open relays to one or more of the above lists. I report 30-70 relays a DAY, which probably makes it relatively expensive to spam us. Who are we? HA! Keep guessing, spammers...

Re:What could be the worst solution...

[IntlHarvester]

Yeah - I almost brought that up. "DNS with Authentication" seems like a wonderful opportunity for Microsoft to embrace and extend ActiveDirectory out to general Internet usage.

What I don't see is SMTP going away in favor of some proprietary RPC protocol. Even MS and Lotus are moving to (E)SMTP as their "native" protocol (with HTML/MIME instead of propritary RTF). The "lock-in" for corporate e-mail systems never happened, and now coprorate customer are demanding interoperablity.
--

Re:Only one solution to spam

[schon]

I guess you've never heard of the MAPS RBL (Mail Abuse Protection System Realtime Blackhole List.)

This is pretty much what you describe, and isn't limited to "the top ten ISPs" - any ISP can use it (in fact, Sendmail 8.9 has a configuration macro to use their database.)

MAPS is very successful, and has been turned against such 'giants' as Microsoft and AOL (forcing them to close open relays.)

Charge Them

[Edward+Teach]

Here is the reply I sent many a spammer. Pissed off alot of them and eventually caused one to complain to iName, where I had a permanent email address forward. Lost the account.

By sending an "unsolicited advertisement" to my computer, which is equiped with all nessessary components to be classified as a "telephone facsimile machine", any and all knowing participants in this unlawful email system are in violation of Title 47 United States Code, section 227(b)(1)(C). As per Title 47 United States Code, section 227(b)(3) it is my right to take each offender to court and collect damages in the amount of $500.00 per offence and per offender. I make it policy to offer offending individuals and businesses the opportunity to settle matters equitably for an amount of $200.00 which allows all parties to avoid possible further legal actions. Those who are not knowing participants need only disregard the monetary portions of this message and consider it an official complaint against a SPAMMER or SPAMMERS. If you are an entity who, by your business practices, promotes, supports or endorses SPAMMING, either by action or inaction, please feel free to change your ways because I will always be sending a copy of this message to you as a reminder.

This settlement may be remitted, payable in U.S. Currency, to:

My Home Address Here

Globecomm: Please consider this an official "SPAM" complaint.

Original Message Follows:
-------------------------------

Litigation?

[scriptkiddie]

I live in Seattle, where for over a year now there has been a US$500 fine for any spammer who sent mail to an address in Washington state. The law seems to work: I haven't received ANY spam on any of my local e-mail accounts, and it's really nice to be able to give sites my address and use anon FTP with relative security. Unfortunately, (I'm not a legal wiz so I might be wrong on this) the law defines spam as any e-mail with a FALSE RETURN ADDRESS.

Obviously this leads to complications- what if I send mail with my friend's return address? What if I send out a million e-mails with my real address (and somehow claim they were not unsolicited)? I run a small Linux box that serves shell accounts to about 30 students. On the web site, I have a simple PHP3 script which allows visitors to click on any user and send an e-mail. Of course, a Web site can't determine the sender's address, so I ask senders to type it in. Since this mail is technically sent from my server, what happens if somebody clicks on a user's name, types in a false return address, and sends it? Even though the script can only send mail to users on that box, I might be exposing myself to liability. I haven't recieved any fines yet, and I doubt that I will, but I can only hope that mailers type in their real address. (P.S. No, we don't have open relays!)

I am a member of the Seattle FreeBSD Users' Group, aka Seafug, mailing list. Recently some spam got through our cleverly designed procmail filters (I don't know how, it was now supposed to). Even though the spammer never got our individual e-mail addies, the spam was sent to all of us. To complicate the story, the actual server box is in fact the infamous dub.net, colocated somewhere fancy in Tucson. So although the spammer had an address that was in Tucson, the messages reached a few dozen people in Seattle.

I think our spam laws are remarkably well designed, considering that th people who wrote them were civil servants annoyed that their SMTP servers were crashing, not expert hackers. But I think any legal solution to the problem is inevitably bound to have loopholes. That's why we need a technical solution to the problem - certificates would work, but a decent way for users to configure mail filtering from a client would be nice too.