US House, Senate Agree on Anti-Spam Bill

Folic_Acid writes "Rep. Billy Tauzin, chairman of the House Energy and Commerce committee, has announced that the House and the Senate have reached a deal to both pass an anti-spam bill, the first ever federal anti-spam law in the United States. Specifically, the law contains: opt-out, authority for the FTC to set up a "Do-Not-SPAM" registry, criminal charges for fraudulent spam, including five years in prison, statutory damages of $2 million for violations, tripled to $6 million for intentional violations, unlimited damages for fraud and abuse." News.com has a copy of the bill and a story.

The RIAA/MPAA has their mitts in this one too!

[corebreech]

Go to http://thomas.loc.gov [loc.gov] and do a bill search on "anti-spam" and read the Senate version, from which I quote:

...the term `unsolicited commercial electronic mail message' does not include an electronic mail message sent by or on behalf of one or more lawful owners of copyright, patent, publicity, or trademark rights to an unauthorized user of protected material notifying such user that the use is unauthorized and requesting that the use be terminated or that permission for such use be obtained from the rights holder or holders.

Unbelievable.

Finally!

[jon3k]

This has been a long time coming, I hope we're actually able to enforce it. Although, its going to be tough with all the world wide spam.

Is this really just fluff to impress voters? Or do you think it will actually carry any weight?

deeply dissapointed

[cluge]

A few things that the bill missed

1. No requirement for opt-in
2. No jail time only monetary damages
3. No public stonings

Finally..

[herrvinny]

Finally, we get an antispam bill. Only this time, it won't be delayed like the nocall list was. What spammer would object to it publicly? If he/she did, they'd be lynched (I'll be the one holding the 10 yr old motherboard; can't use the comp for anything else, so might as well go to a good cause).

First thing, I'm going and registering all the domains I own, and my comcast account. Then, for good measure, I'm going to see if I can pipe all emails through servers in California.

One question: does this federal law overrule the Calif law, and if so, is it for better or worse? What's CAUCE's opinion on this?

Re:Finally!

[aborchers]

its going to be tough with all the world wide spam.

Not a problem. Mail server operators simply block the network ranges of countries that refuse to enact similar policies and if they want to have traffic with the US they will comply.

I already block .ru, .hk, .ch, and .tw, and others because a large fraction of my spam came from there and I received essentially 0 legitimate mail from those blocks. My rejection notice includes a link to a Web form that will allow innocents to bypass the filters.

Missing some points

[spidergoat2]

It seems very weak. Under the heading, "Illicit harvesting of electronic mail addresses", it says that "uses an automated means to obtain electronic mail addresses from an Internet website or proprietary online service operated by another person, without the authorization of that person and uses those addresses in another violation of this chapter, shall be fined under this title or imprisoned not more than one year, or both." Nowhere does it state anything about using someone elses list that MAY have been illegally generated. And what about overseas spammers? What prevents me from going to Tobago and setting up shop? And what prevents Tobago, or some other 3rd world country, from becomming the haven for spammers? After all, if it generates tax revent for them, it's doing some good for them.

Re:SPAM fines

[sfjoe]

But as for unlimited damages for fraud and abuse, I think it's a good idea that the US Gov't has the power to bankrupt SPAM companies that lie, cheat and steal. How can I convince my own govrenment (Canada) to do something like this?

get your own government to actually do something useful instead of this piece-of-shit legislation. Here's a quote about it from Spamhaus.org:
All todays spammers applaud Tauzin's "Reduction in Distribution of Spam Act", as does the Direct Marketing Association. It's what spammers have always dreamed of. They would no longer need to hide their identities to thwart disconnection, on the contrary, once spamming is legal they would be able to sue any Internet Service Providers who disconnect them for 'spamming legally'.

See http://www.spamhaus.org/news.lasso?article=10 for the whole article then let your congrescritter know whether or not you support them.

Re:Finally!

[masoncooper]

My question is how would one go about No-Spam listing their entire domain. I'm sure plenty of people here have Catch-All's and it would be impossible to include every iteration.
The same goes for ISP's. We have all seen Earthlink, Yahoo, even Hotmail include anti-spam methods, could they have their entire domain listed? Should they?
This raises several other questions, but at least in response to your (2), this would cover all recipients of a domain without giving a single address away.

Re:Finally!

[Anonymous Coward]

The easiest solution to #2 is to have the database consist of MD5 hashes of email addresses. A potential advertiser could easily chech an address against the list but could not easily turn the list into addresses.

Re:Do-not-spam list

[g_adams27]

> Putting your address will give foreign spammers a list of lots of active US email addresses.

It doesn't have to. Consider the Unix/Linux password system. When your account is created, your password is encrypted and stored in /etc/shadow. When you login, the password you enter is encrypted and compared with the password stored on disk. If they match, then the system knows you typed in the right password and lets you in. At no point does your stored password have to be decrypted.

Applying that concept to the FTC's Do-Not-Spam list is left as (an easy) exercise for the reader. (hint: it should be obvious that the spammer need never decrypt the Do-Not-Spam list in order to be able to use it.)

Re:deeply dissapointed

[JuggleGeek]

4. No right of private action.

We all know that the government isn't going to do much in the way of enforcing this. The only way that it will be enforced is if the people who are tired of receiving the spam have some method of doing something themselves.

I'm currently dealing with bounces from spammers who are forging my domain into the From field of their spam. That will be illegal under this law (and is already illegal under Texas state law) but the government isn't going to enforce it.

I still think this is a good thing. It won't solve the problem. It probably won't even help. But the next law we see after that is more likely to be written from the spam recipients point of view. This one was written to make sure that the "large legitimate corporate" spammers got what they wanted.

Re:Here's what I'm going to do:

[ph0enix]

Hypothesis: The first account will start receiving spam almost immediately. Due to the nature of the spam, the second should never receive spam unless someone is sending email to random 8-character accounts at my domain (brute force attack).

Instead of publishing a list of opt-out addresses, the FTC or whomever could simply publish a list of SHA1 hashes of the addresses. The spammer could check for an address on the list by hashing it and looking for the hash, but would be unable to use the list to spam to.

Sure, a dictionary attack is possible, but hashing like this makes it much more expensive to use the list for the wrong reason. (And by adding different random salt to the list for each spammer you send it to, anong with some trap email addresses, it would be possible in many cases to identify the spammer(s) who perform this attack)

#1

[krray]

#1 -- I will not "OPT-OUT". Ever. I have, on occasion, will decide to OPT-IN. Those thinking OPT-OUT are blocked on the first (#1) violation. No questions asked and only a personal phone call, if you know me, will I allow further such traffic.

Just as I refuse/block UNAVAILABLE calls and judiciously decide what profanity of choice to use on PRIVATE callers.

With _any_ OPT-OUT type of choice shortly I'll simply white-list a very few and block everybody else. Email is pretty much dead already anyway. How many hundreds of thousands, if not millions of business' are there in the US alone? For next to nothing they'll all be spamming me -- no thanks. :)

I guess this means I won't be getting funds transfered to my bank account from Africa. Darn.