Anti-spam legislation ideas
How about a realistic one?
(old news - 02:33PM Thursday Jul 24 2003) tags: Op/Ed

MSNBC reports that, according to a survey of some 1,200 Internet users conducted by ePrivacy Group, "Three out of four Americans favor a 'Do not spam' registry". Modeled after the Federal Trade Commission's "Do not call" registry, it appears on the surface to be a good idea. That is, until one realizes that a large percentage of spam comes from outside of the US and it would, of course, be impossible to enforce. Given this little tidbit, one may go as far as saying that a "Do not spam" list would instead become a "Please spam me" one, as enterprising spammers worldwide would gain access to a nicely formatted, easily accessible list of real e-mail addresses. Did I mention free?

Fear not: despite this grim prediction, such a list will probably not come to life, thanks to practically zero support for any anti-spam legislation in Congress. So though the survey states what we already know -- people do not want spam -- the government is not exactly listening. Senator Charles Schumer of New York is creating warm and fuzzy feelings by supporting this idea, but his efforts may perhaps be better spent supporting something more definite and enforceable.

One idea that comes to mind is enforcing the rules at the level of the ultimate seller, not just the spammer himself. Not only would this prevent companies from hiding behind contracted mailers, it would bring these (mainly US-based) businesses under the control of US law and hit them where it hurts the most: in the pocket. Any anti-spam legislation whose basis is an opt-out type list is a black hole of wasted effort and will only appease the news media while providing little to no relief for those whose mailboxes are under deluge.
  footballdude Premium join:2002-08-13 Imperial, MO | Penalties How about penalties for people that BUY from spam? Sort of like visiting with a prostitute. | |
|  |  thephantom
join:2001-04-24 Alamo, CA | Re: Penalties
Hey! There is no call to insult a hard working girl by bringing her down to the level of a spammer. | |
|  |  |  RayW Premium join:2001-09-01 Layton, UT clubs: | A politician passes laws Does not have to make sense, as long as he/she/it passes another one. -- I am not lost, I find myself every time. | |
|   Maxo Your tax dollars at work. Premium,VIP join:2002-11-04 Tallahassee, FL clubs: | Extreme Well, I don't normally support capital punishment or castration but I'm willing to make exceptions. -- God I love being a turtle. - Michaelangelo »www.maxolasersquad.com | |
|   koitsu Premium join:2002-07-16 Mountain View, CA | What would you do for a Klondike bar? Re: 'Do not spam' registry enforced by politicians. -- Making life hard for others since 1977. | |
|   nixen Rockin' the Boxen Premium join:2002-10-04 Alexandria, VA
·Cox HSI
·Speakeasy
| I'd Sign Up But, the address that I'd register would be the one that I use for my DCC processes. As such a registered address, it should never receive any emails, SPAM or legitimate. If the address never receives any email for at least a year, then I might consider registering my real address.
-tom -- You can be only -so- accurate with a sledgehammer. | |
|  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: I'd Sign Up I commend your combination of open-mindedness, and yet practical common sense, in that approach.
Of course, in taking that approach, I think you do understand the basic reality; More than likely, the names on that list will get hit worse than ever imagined possible (I dunno... one day, and 200 mails in my 'Spam' folder on my Yahoo.com address is pretty ugly!)
Personally, I like an idea that was touched on here in this article; Make the ultimate advertiser responsible for ads they contract for. Of course, we need to be mindful of the possibility that competitors or even just pranksters will 'spam' on 'behalf' of a company, just to cause them trouble... but where we can clearly track a company to having bought advertising from another company with a knowledge that 'spamming' would have been part of it...
Actually, though, I don't think 'spam' can be tackled - AT ALL - without a substantive change in the whole e-mail system itself. | |
|  |  |  |  |  |  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: I'd Sign Up Yup.. that's why I said it really needs a basic change to the whole system. Our E-Mail protocols were designed for a 'wide open' communication system.. the people that did this weren't expecting things like Spam or e-mail-borne virii.
Of course, it may be too late to really 'tear apart' e-mail and start all over... but one possibility... instead of USERS having to concern themselves with certificates, perhaps ISP's could begin to put in place a system where SMTP/POP3 servers authenticate each other, and SMTP servers become required to perform SOME sort of authentication of their own users, or else they get 'kicked out' of the system, in some way.
This could stray into the same sort of 'black listing' system many people fall into now, but what I'm suggesting is an industry-standard method of determining what servers can or can not... bleh... the more I think about this, the bigger headache I get!
I'll just switch all my e-mail to a 'white list' system, with a 'challenge' mechanism for every possible recipient.
Ugh | |
|  |  |  |  |   nixen Rockin' the Boxen Premium join:2002-10-04 Alexandria, VA
·Cox HSI
·Speakeasy
| Re: I'd Sign Up said by Marilla : Of course, it may be too late to really 'tear apart' e-mail and start all over... but one possibility... instead of USERS having to concern themselves with certificates, perhaps ISP's could begin to put in place a system where SMTP/POP3 servers authenticate each other, and SMTP servers become required to perform SOME sort of authentication of their own users, or else they get 'kicked out' of the system, in some way.
Problem isn't really POP/IMAP authentication. Problem is pretty much with SMTP.
SMTP client authentication is fairly trivial to set up. Unfortunately, just because my SMTP server has authenticated the client, it doesn't really give any other SMTP server a reason to trust anything coming from my SMTP server. For this, you need to set up trust relationships.
Trust relationships are also fairly trivial to set up (however, depending on the method used, said trust relationships have to trade off scalability and management ease for security). Unfortunately, many people (myself included) don't like to pay hundreds of dollars a year to secure a server with a commercial SSL certificate. It's fairly likely that even fewer are going to want to spend that kind of money on securing a mail server.
That's why I was suggesting per-user. That way, I could always write my rules such that, if the originating user had authenticated with a certificate from a trusted authority, I wouldn't have to worry about whether I trusted any of the intervening mail hosts. Of course, SMTP would need to pass more than simply "Verify=OK" in the headers - it would need to include the verification certificate fingerprint, or something.
-tom -- You can be only -so- accurate with a sledgehammer. | |
|  |  |  |  |  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: I'd Sign Up I only mentioned POP3 servers because I don't believe any server, at all, that is involved in e-mail should accept any mail that is not 'approved', IF such a system were put in place... I do understand that POP3/IMAP really only deal with delivering the mail to the client.. but.. well, yes.. just remove 'POP3' from my list..
And I think it's much more realistic to expect SMTP servers to get certificates than to expect every single user on the Internet to do so. Doesn't it sound cheaper if an ISP only needs one cert per e-mail server, costing a couple hundred a year, as opposed to hundreds of millions of USERS having to get a certificate every year, costing whatever they will cost. Add to that the fact that the requirement to get a certificate to EVERYONE on the Internet would be a nightmare, in and of itself.
If such a plan caused a lot of 'small' e-mail servers to drop off the face of the planet.. including yours and mine... I'm perfectly happy. Hell, I got a server certificate for one of my websites that only has maybe 10 people using it... certainly, I would get it for my e-mail, OR I would let my ISP get it on their server and make sure they have me set to authenticate to it.
Actually, my home ISP already DOES require that I authenticate to their SMTP server. I'm sure they wouldn't be concerned about having to get a cert for the e-mail server, if it was being done globally, in order to prevent 'open relays' and other tools spammers can use.
After that, ISP's can more pro-actively observe traffic from their users... when users seem to be engaging in 'mass e-mailing', the ISP can look closer, and they'll HAVE A USERNAME it's connected to. IT would be up to the ISP themselves to be certain that it's not too easy to simply 'sniff' those usernames over the Internet... perhaps by being certain that SMTP logons don't go OVER the Internet itself, but stay on the ISP's local network.
Given the costs that ISP's claim are associated with handling spam, I think something like this COULD work... but it would really require a different setup than we have right now, I think... and it would take a while to get EVERYONE on it, so that it would be effective. | |
|  |  |  |  |  |  |   nixen Rockin' the Boxen Premium join:2002-10-04 Alexandria, VA
·Cox HSI
·Speakeasy
| Re: I'd Sign Up said by Marilla : And I think it's much more realistic to expect SMTP servers to get certificates than to expect every single user on the Internet to do so. Doesn't it sound cheaper if an ISP only needs one cert per e-mail server, costing a couple hundred a year, as opposed to hundreds of millions of USERS having to get a certificate every year, costing whatever they will cost.
Sounds cheaper, until you get to the point where you get charged for each and every email address you wish to use. Personally, I use a unique email address for every web site or internet service I sign up for. That way, if I ever receive SPAM at that address, I know who it was that sold my address. That way, I can cease doing business with said service and deadmail the tainted address.
said by Marilla : Add to that the fact that the requirement to get a certificate to EVERYONE on the Internet would be a nightmare, in and of itself.
Err... but you're in agreement that everyone should have to authenticate? That everyone should be identifiable? Yet, you don't want to go the next logical step? Besides, personal certificates also mean that you can sign and encrypt your emails (thus upping the privacy of correspondence). It's also a bit more difficult to forge an authentication identity when personal certificates are used.
said by Marilla : If such a plan caused a lot of 'small' e-mail servers to drop off the face of the planet.. including yours and mine... I'm perfectly happy.
Ah, one of the people who's perfectly happy to give up a little bit of personal freedom in exchange for a little bit of security, I see. Fan of the Patriot Act, too? At any rate, I won't bother to quote Ben Franklin.
said by Marilla : Hell, I got a server certificate for one of my websites that only has maybe 10 people using it...
Unless you're selling something off that website and are only doing it to provide an encrypted channel, you'd have been better served generating your own certificate.
said by Marilla : After that, ISP's can more pro-actively observe traffic from their users... when users seem to be engaging in 'mass e-mailing',
Like running a listserv/majordomo, or even something as innocuous as telling everyone in their address book, "we just had a baby," or "I am getting shipped to the gulf," or "I'm moving," (etc.).
said by Marilla : the ISP can look closer, and they'll HAVE A USERNAME it's connected to. IT would be up to the ISP themselves to be certain that it's not too easy to simply 'sniff' those usernames over the Internet... perhaps by being certain that SMTP logons don't go OVER the Internet itself, but stay on the ISP's local network.
So, having given up my ability to have function-oriented email addresses, I'm to also give up my ability to do SMTP transactions as myself, no matter where I am? I mean, what you're proposing means, if I am over at a friend's house who has a different ISP that has such a policy, I am not going to be able to send email (and no, craptacular Web/Mail gateways are not acceptable).
said by Marilla : Given the costs that ISP's claim are associated with handling spam
And, as an ISP, they're already offloading that cost to the service users (cuz they sure as heck can't offload it to the SPAMmers). What do you think is going to be the real price difference for the end user if mail server choice is reduced?
Personally I think that everyone that cares about privacy, identity theft, etc., should be screaming for affordable and quickly/easily installed personal certificates. But, that's really a separate issue.
-tom -- You can be only -so- accurate with a sledgehammer. | |
|  |  |  |   godsmack
join:2003-06-08 | I'll take what I can get.........
As far as I'm concerned, something is better than nothing. Don't forget you have to start somewhere........ | |
|  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: I'll take what I can get......... Well, if this happens, I guarantee you'll get much more than you can take. hehe
(note here: I'm assuming you are talking about the no-spam list... if not, then ignore me!)
The thing to keep in mind here is that the 'no-spam list' is NOT a 'baby step' in the right direction; It's a Quantum Leap in the wrong direction. It's solving one of the spammers' BIGGEST problems ever: Getting a nice, fresh list of active e-mail addresses, at low cost (free!), and in an easy-to-use format.
And to top it ALL off... the names of people on it will tend not to be Highly Internet Savvy types... since a good percentage of us who are sick of spam also understand why it is a no-spam database won't work... so we're not going to sign up on it; Only people who don't entirely understand how it all works, will... and those people are the most likely to actually 'click through' on those ads, in the first place. | |
|   Unit649 I B U, Who U B? Premium join:2000-01-22 Stockton, CA
·Comcast
| Dual Costs Since it's not illegal for Americans to have accounts in ISPs offshore, this will never work. The spammers will just get servers outside of the US, and more money will be leaving the US to services outside of it.
The spam won't go away, and at the same time, more jobs and money will go to companies outside of the US. -- U ::::Founder, ForeverChat IRC Network:::: »www.foreverchat.net | |
|  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: Dual Costs This is why I believe that this issue really is NOT about laws. Schumer is, to me, exposing himself to be a politician who really doesn't care enough to know what he is talking about (or, to be fair, even getting a staffer to learn about it) but instead is just hopping on the bandwagon because it seems like the 'popular' thing to do.
The fact is, ultimately people will 'spam' from any country that allows it. Of course, linking the ads back to the company being advertised for COULD help, as long as we're careful to weed out the 'false positives' there; But a lot of this junk isn't legitimate products in the first place, so even THAT won't "fix" the issue, once and for all.
So that's why I think this issue must have a TECHNICAL solution, not a legislative one. Yes, I am aware that some 'hackers' will find a way around any such solution, but hackers have found ways to compromise secure websites, too... that doesn't mean that the vast majority of such sites are perfectly safe to use. | |
|  |  |   Unit649 I B U, Who U B? Premium join:2000-01-22 Stockton, CA
·Comcast
| Re: Dual Costs Plus the simple fact is, if they ban one medium of spamming (email) they will move to another. What's next, massive IM spamming (it happens but could be larger scale). Websites you can't visit till you click on the spam? The possibilities are endless! -- U ::::Founder, ForeverChat IRC Network:::: »www.foreverchat.net | |
|  |  |  |   Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
| Re: Dual Costs Well, the IM spam thing can be dealt with fairly easily: don't accept messages at all from people not on your list. If people did this, OR if the software set this setting by default, IM spam (which actually IS something of a problem) would dry up and blow away.
As for websites that do such things... that's easy, too; I'll simply never visit the site. Of course, I say that's easy for me... I visit very few sites as it is.. hehe | |
|  |  |  |  |   Unit649 I B U, Who U B? Premium join:2000-01-22 Stockton, CA
·Comcast
| Re: Dual Costs My point basically is there is always another way. If there wasn't, there would be a massive fight over this.
What scares me is what kind of liability this stuff will carry. I run a mailserver. If I accidentally unsecure it (say I reinstall it and it takes me a little bit to reconfigure it), then I'm liable if some idiot grabs it and turns it into a relay.
Not that I would ever do so purposely, but sometimes "sweeping" legislation scares me too. I think the first thing would be PUBLIC EDUCATION, I'm sure there are a lot of insecure mailservers out there, if they would come out DEFAULTED to being secure, we'd probably have less spam already. Then it's just a matter of ISPs enforcing AUP-if you have someone using a cable modem to send spam, and once the IP gets blocked they just reconnect, you get them off the network, cancel them, and enforce your AUP-go after them monetarily. It should be obvious when you see that type of traffic. Hit them in the pocketbook. Most ISPs won't though because it's too much trouble. If some of these guys started getting held accountable, there would be a lot less of it too. But till that happens, it's a profitable business and they will keep doing so. Land a few of them in jail. A lot of ISPs don't allow servers on non business, non static lines. I know that pisses a lot of people off, but you know, this stuff is why we have this going on-people whine when ports get blocked, so they don't do it, and mr spammer is right back in business. I pay for a business account because I want to run servers. I think if you really want to, you should be required to-if I do anything against the AUP, I have a static IP, it's easy to trace. Maybe ISPs should use a static IP system, then each person has one IP, and any traffic is the responsibility of the person with that IP....no wait, that would be too easy.
If ISPs would enforce AUPs a bit more like they should, a bigger portion of these people wouldn't be around, I would think. If I can run an IRC server and have it monitored to the point that if I exceed my bandwidth allocation and get easily billed for that overage, I would think ISPs could tell when a particular line is being used to send copious amounts of spam. You would think the DNS requests alone from that one IP would tip them off. If not, the obvious traffic coming out of port 110?
Sorry about the rant.  -- U ::::Founder, ForeverChat IRC Network:::: »www.foreverchat.net | |
|  cbs228 Geeks Of The World, Unite
join:2000-09-04 Saint Louis, MO
| News just in... ... 3 out of 4 Americans have absolutely no clue how to effectively deal with spam!
A "Do Not Spam" registry would simply be the biggest, most convenient, gold mine for spammers who already operate their servers outside of U.S. borders.
The only way to effectively deal with spammers is to cut them off at the money. Even though spamvertised sites are almost always in the Far East (Probably some Korean with his cheap 40 Mbit connection), there has to be a credit transfer from American financial institutions at some point. That point is where spammers are vulnerable.
Of course, it never hurts to close open relays or to report AUP violators (do ISP's really enforce those things as heavily as they should for their frame relay/T1+ customers?).
And for your personal enjoyment, instructions for creating a 100% spam-free account:
1. Create new email address composed of no less than 10 alphanumeric characters, and don't forget the numeric characters either.
2. Do NOT post your address to ANY publicly indexed website, including your own. If you must post your address, obfuscate it.
3. Do not give out your new address via any HTML FORM.
Brightmail, take a hint: Base64 encoding = spam. A large number of HTML comments of random characters = spam. -- "If you stare too long into the abyss the abyss stares back at you." -Nietzsche
GENERAL FAILURE READING ©: DRIVE (A)bort, (R)etry, (F)rivolous Lawsuits, (B)ribe Congress? | |
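The two content rules suggested in the post above (Base64-encoded bodies and runs of random-character HTML comments), sketched as an added example that is not part of the original thread. The threshold, the vowel-ratio test for "random" and the sample messages are assumptions constructed for illustration, and Base64 is flagged only when the decoded text is plain ASCII, since non-ASCII mail uses it legitimately.

```python
import base64
import re
from email import message_from_string

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
MIN_JUNK_COMMENTS = 3  # assumed threshold, tune against real mail


def looks_random(comment):
    """True for a single token such as 'xqzjkw' or 'k3jq9z' (assumed test)."""
    token = comment.strip()
    if not re.fullmatch(r"[A-Za-z0-9]{4,}", token):
        return False  # ordinary comments contain spaces or punctuation
    mixed = any(c.isdigit() for c in token) and any(c.isalpha() for c in token)
    vowels = sum(c in "aeiouAEIOU" for c in token)
    return mixed or vowels / len(token) < 0.2


def heuristic_hits(raw):
    """Return the names of the rules that fire on one raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        charset = part.get_content_charset() or "utf-8"
        body = (part.get_payload(decode=True) or b"").decode(charset, "replace")
        # Rule 1: Base64 wrapped around text that needed no encoding at all.
        if cte == "base64" and body.isascii() and "base64-text" not in hits:
            hits.append("base64-text")
        # Rule 2: several random-character HTML comments splitting up words.
        if part.get_content_subtype() == "html":
            junk = [c for c in HTML_COMMENT.findall(body) if looks_random(c)]
            if len(junk) >= MIN_JUNK_COMMENTS and "random-html-comments" not in hits:
                hits.append("random-html-comments")
    return hits


def build(subtype, body, b64=False):
    """Construct a minimal single-part message (sample data only)."""
    headers = ["MIME-Version: 1.0", f"Content-Type: text/{subtype}; charset=utf-8"]
    if b64:
        headers.append("Content-Transfer-Encoding: base64")
        body = base64.b64encode(body.encode("utf-8")).decode("ascii")
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed samples, not real mail.
SPAM = build("html", "<html><body>Lo<!--xqzjkw-->w r<!--k3jq9z-->ates "
                     "<!--zzpt7-->today</body></html>", b64=True)
HAM_PLAIN = build("plain", "Meeting moved to 3pm, see you there.")
# Non-ASCII greeting: Base64 is a legitimate transfer encoding here.
HAM_UTF8 = build("plain", "Gr\u00fc\u00dfe aus K\u00f6ln, bis sp\u00e4ter!", b64=True)
HAM_HTML = build("html", "<html><!-- navigation --><p>Newsletter</p></html>")

if __name__ == "__main__":
    for name in ("SPAM", "HAM_PLAIN", "HAM_UTF8", "HAM_HTML"):
        print(name, heuristic_hits(globals()[name]))
```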
|   Lurkerer
@exo.com | ... I don't like this one bit. | |
|  JPCass
join:2001-01-23 Denver, CO
| Is the devil, or the silver lining in the details?
I think the thing that's being missed is, how would the do-not-spam list actually be implemented? The only logical way, is that reputable, professional address listers submit a list of addresses, and get back only the ones that are valid. The actual list can be in a sort of "black box", that would never be circulated. Reverse-engineering would be a federal crime, as would sending mass commercial e-mail that hadn't been properly checked against the list, or selling unchecked lists.
The point at which I think spam is really vulnerable to disruption, is the credit card payments. Virtually all SPAM that comes to the US, regardless of where it originates, relies on being able to electronically transfer money from the recipient in the US. If spam - unsolicited, commercial mass-mail - is a federal crime, and the feds can go to Visa/MC, AMEX and Paypal and get spammers' revenue sources suspended and turned off, that will just be the end of it. Even users might be empowered to, say, follow the SPAM through and make a payment, then immediately contact the credit card company and get the charge reversed and the merchant account instantly suspended from cashing out incoming payments for 24 hours pending resolution. The credit card companies will get tough about even giving out merchant accounts that might be abused for SPAM and have to be shut off. No money in it, no SPAM, end of story.
p.s. To those who keep saying users should implement the solution: number one, I don't think I should be responsible for the costs and hassles caused by someone else trying to use a trusted public resource for advertising, and number two, there will always be enough newbies and suckers that spammers can get enough of a minuscule response to make it profitable. | |
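One way the "black box" described in the post above could be built, as an added example that is not part of the original thread: the registry keeps only keyed digests of opted-out addresses and answers scrub requests without ever handing out the list. The class and method names, the HMAC-SHA-256 choice, the per-caller quota and the sample addresses are all assumptions, and "valid" is read here as "not on the opt-out list".

```python
import hashlib
import hmac
from collections import Counter


class DoNotSpamRegistry:
    """Opt-out list that stores keyed digests, never the addresses themselves."""

    def __init__(self, key, quota_per_caller=1000):
        self._key = key              # secret held only by the registry operator
        self._digests = set()
        self._quota = quota_per_caller
        self.checked = Counter()     # caller id -> addresses checked (audit trail)

    @staticmethod
    def _normalize(address):
        address = address.strip().lower()
        local, _, domain = address.rpartition("@")
        if not local or not domain:
            raise ValueError(f"not an e-mail address: {address!r}")
        return address

    def _digest(self, address):
        msg = self._normalize(address).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def register(self, address):
        """Add one opted-out address; only its keyed digest is kept."""
        self._digests.add(self._digest(address))

    def scrub(self, caller_id, addresses):
        """Return the submitted addresses that are NOT on the opt-out list."""
        if self.checked[caller_id] + len(addresses) > self._quota:
            raise PermissionError(f"{caller_id}: scrub quota exceeded")
        self.checked[caller_id] += len(addresses)
        return [a for a in addresses if self._digest(a) not in self._digests]

    def stored_records(self):
        """What a copy of the database would contain: hex digests only."""
        return sorted(d.hex() for d in self._digests)


def demo():
    # Constructed key and addresses, for illustration only.
    registry = DoNotSpamRegistry(key=b"constructed-demo-key", quota_per_caller=5)
    registry.register("Alice@Example.org")
    registry.register("bob@example.net")
    lister_list = ["alice@example.org", "carol@example.com", "BOB@example.net "]
    return registry, registry.scrub("lister-42", lister_list)


if __name__ == "__main__":
    reg, cleared = demo()
    print("may be mailed:", cleared)
    print("stored records:", reg.stored_records())
```

Because the scrub answer discloses membership for every address submitted, the quota and the per-caller audit count matter as much as the hashing.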
|   bbrown May Peace Prevail On Earth
join:2002-03-23 Earth
| Make selling email addresses illegal There are some spam enabling companies that offer off-shore hosting and will sell email lists to potential spammers. Those spam-enabling companies are in the US even though the spam they spew comes from overseas.
I consider my email address my property. Someone making a profit from selling my property to tons of people without my prior written consent should be illegal. Similar to a copyright. | |