FTC Chief Bashes Anti-Spam Bills 296

teutonic_leech writes "According to an MSNBC report FTC chairman Tim Muris has indicated that the antispam laws being considered by Congress 'just won't work and may even be counterproductive - some of the proposed laws could be harmful, or at best useless.' He further concluded that 'In the end, legislation cannot do much to solve the spam problem, because it can only make a limited contribution to the crucial problems of anonymity and cost shifting.'" Other spam bits: an anti-spam service has a funny interview with one of their users, and reader der.hans submits a story and some pretty pictures discussing the quantity of Sobig.f virus emails.

  • bash? (Score:5, Interesting)

    by selfabuse ( 681350 ) on Thursday August 21, 2003 @08:31AM (#6753857)
    My boss, Bill, bashes spammers. No really, he does. We're one of the first ISPs to sue spammers. Check last month's (2 months ago? don't remember) Time magazine. Awwwh yeah.
    • Re:bash? (Score:3, Insightful)

      by letxa2000 ( 215841 )
      That's a good idea.

      New laws to outlaw spam are, as the FTC director said, probably useless. Most of the spam being sent is fraudulent or deceptive in some way--or porn spam that is also being sent to minors. Spammers aren't bothered violating current laws, why does anyone think they won't ignore new anti-spam laws?

      • i get this depressing feeling that the "war on spam" is going to suffer from the same problems as the "war on drugs" - excessive concentration on the supply side.

        i find it interesting that whenever something good happens economically, the "power of the market" (demand) gets all the credit, but when the government wants to stop something deemed bad, they blame the pushers or the spammers (supply side).

        the war on drugs has been a flop - why would they (the government) try the same techniques in a war on s

        • Re:bash? (Score:5, Interesting)

          by 4of12 ( 97621 ) on Thursday August 21, 2003 @10:25AM (#6754881) Homepage Journal

          excessive concentration on the supply side.

          You're quite right.

          There has to be a concentration on the demand side of the equation.

          Clients of the spammers need to feel it in the pocketbook for a solution to really work.

          Unfortunately, a 98% effective boycott of the spamhaus clients by recipients of spam won't do much, considering that response rates are less than 1% already. Rather than attack the spammers directly, the clients should be made to pay big time if they've employed a spammer for advertising.

          I don't trust Michael Powell. After caving in to media interests and allowing further consolidation [theatlantic.com] in the face of absolutely zero public support for such measures (and widespread opposition once the results of his hearings became known), his current position on spammers seems to be an attempt to position future policy to insure that there is no possible anonymity on the Internet. I dislike that solution to that problem because whistleblowers, political dissidents in repressive regimes, etc. would be silenced alongside the despicable spammers.

          BTW, along the same lines of supply and demand, there's a recent article [seattleweekly.com] about current and former law enforcement officials that want a different approach to the "war on drugs" than what's been not working for the last number of decades.

      • Re:bash? (Score:4, Insightful)

        by schon ( 31600 ) on Thursday August 21, 2003 @09:31AM (#6754351)
        Spammers aren't bothered violating current laws, why does anyone think they won't ignore new anti-spam laws?

        The thing is, if you ask spammers, they'll tell you that they're not violating any laws..

        That's why we need a clear message that what they are doing is wrong - they need to be shown, without any doubt, that they are indeed breaking the law.
        • Re:bash? (Score:5, Interesting)

          by Brian Kendig ( 1959 ) on Thursday August 21, 2003 @10:44AM (#6755084)
          They need to be shown, without any doubt, that they are indeed breaking the law.

          And then they'll stop, just like all those people who used to download music, right?

          Legal action can help curb spammers, *if* it's pursued aggressively -- but technology still has a lot more it can do. For example:

          - Why do mail servers accept email whose sender address is invalid (malformed) or gives a domain which isn't resolvable?

          - Why do mail servers accept email which is sent in violation of the SMTP protocol -- for example, 'spam blasters' which dump a whole lot of commands on the receiving server then disconnect without waiting for a response?

          - Why don't mail servers automatically check services such as Razor? If an incoming message happens to have the same checksum as a message which has been reported to Razor several thousand times within the past half-hour, why accept the message for delivery?

          - Why don't mail servers have a built-in 'tarpit' feature? In other words: if there's an incoming message, and if system resources aren't tight, the mail server could sit on it for sixty seconds before accepting it. If the sender disconnects before sixty seconds, the mail will be rejected. This obeys the SMTP protocol, and it will be unnoticed by anyone except people who want to blast tens of thousands of emails in one shot -- suddenly it becomes more time-consuming to spam, and the spammer can be stopped before he can get very far.
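The four checks listed in the comment above, as an added example that is not part of the original post or any mail server's own code: a receive-side policy function run over constructed SMTP session records. The `Session` fields, the `resolves` callable (a stand-in for a DNS lookup), the verdict strings and the report threshold are assumptions, and the Razor lookup is represented by a local table of plain message digests rather than the real service.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

TARPIT_SECONDS = 60       # the sixty-second hold described in the comment
REPORT_THRESHOLD = 1000   # assumed cut-off for "reported several thousand times"

# Practical subset of mailbox syntax (assumption; not a full RFC 5321 parser).
ADDR_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


@dataclass
class Session:
    mail_from: str        # envelope sender; "" is the null sender used by bounces
    body: bytes           # message content received after DATA
    events: list          # (seconds since connect, "S" or "C", command/reply line)
    data_end_at: float    # when the client finished sending the body
    disconnect_at: float  # when the client closed the connection


def early_talker(events):
    """True if the client sent a command before the server answered the last one.
    Assumes the server does not advertise the PIPELINING extension."""
    awaiting_server = True  # the server speaks first (220 banner)
    for _t, who, _line in sorted(events, key=lambda e: e[0]):
        if who == "C":
            if awaiting_server:
                return True
            awaiting_server = True
        else:
            awaiting_server = False
    return False


def body_digest(body):
    """Whitespace-normalised SHA-256; a simple stand-in for a shared checksum."""
    return hashlib.sha256(b" ".join(body.split())).hexdigest()


def evaluate(session, resolves, reports):
    """Return "accept" or a "reject: ..." verdict for one session."""
    if early_talker(session.events):
        return "reject: early talker"
    if session.mail_from:  # the null sender is legitimate and skips sender checks
        match = ADDR_RE.match(session.mail_from)
        if not match:
            return "reject: malformed sender"
        if not resolves(match.group(1).lower()):
            return "reject: unresolvable sender domain"
    if reports.get(body_digest(session.body), 0) >= REPORT_THRESHOLD:
        return "reject: widely reported content"
    if session.disconnect_at < session.data_end_at + TARPIT_SECONDS:
        return "reject: sender hung up during tarpit"
    return "accept"


# ---- Constructed sample data (not real traffic) ----
def polite(cmds, gap=0.3):
    """Interleave client commands with server replies, as a well-behaved client does."""
    events, t = [(0.0, "S", "220 mx.example.net ESMTP")], 0.0
    for cmd in cmds:
        t += gap
        events.append((t, "C", cmd))
        t += 0.1
        events.append((t, "S", "354 go ahead" if cmd == "DATA" else "250 OK"))
    return events


CMDS = ["HELO client.example.org", "MAIL FROM:<alice@example.org>",
        "RCPT TO:<bob@example.net>", "DATA"]
KNOWN_DOMAINS = {"example.org"}


def resolves(domain):
    return domain in KNOWN_DOMAINS


REPORTS = Counter({body_digest(b"Cheap pills today"): 4200})
SAMPLES = {
    "normal": Session("alice@example.org", b"Lunch on Friday?", polite(CMDS), 2.0, 75.0),
    "bounce": Session("", b"Delivery failed", polite(CMDS), 2.0, 75.0),
    "blaster": Session("alice@example.org", b"Buy now",
                       [(0.0, "C", c) for c in CMDS], 0.1, 0.2),
    "bad_sender": Session("not an address", b"Hi", polite(CMDS), 2.0, 75.0),
    "dead_domain": Session("x@no-such-domain.invalid", b"Hi", polite(CMDS), 2.0, 75.0),
    "reported": Session("alice@example.org", b"Cheap  pills\n today",
                        polite(CMDS), 2.0, 75.0),
    "impatient": Session("alice@example.org", b"Hi", polite(CMDS), 2.0, 5.0),
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(f"{name:12} {evaluate(session, resolves, REPORTS)}")
```

The null-sender branch matters in practice: a server that applies the sender checks to bounces would reject legitimate delivery failure notices.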
  • Comments.. (Score:4, Insightful)

    by mumblestheclown ( 569987 ) on Thursday August 21, 2003 @08:35AM (#6753894)
    • Anti-Spam bills being considered currently inadequate: 100% correct
    • Anti-Spam legislation not a primary solution: 100% incorrect.
    Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is. The "they will all go offshore" excuse is BS. Sure, some might, but many won't. And then, the country that harbors the offshore spammer is squeezed just as Korea was (do you see any Korean spam any more? well, yes, but nowhere like the torrents we all received a year ago).

    Spam is a social problem, not a technological one. Social problems can only be solved by social contracts or laws. Technological solutions fail. Even Bayesian filters, those much heralded bleeding edge anti-spam flavor of the moment, are being beaten regularly--my SpamBayes filter still catches a good deal, but more and more slip through despite over 150,000 'training' emails as the spammers get smarter. And, Bayesian filters (even at the ISP level) don't begin to address the crucial problem of bandwidth use.

    Legislate Now. Not big brother, not slippery-slope BS about John Ashcroft in your inbox - just reasonable, progressive legislation to eliminate the spam epidemic.

    • Legislation is the ONLY way to get rid of spam.

      ???

      How does a US law stop spam from other countries? You can't get *all* other countries to adopt US policy.

      The solution lies in the protocol. I never get spam via instant messenger. Why not add offline storage capabilities to an IM style of communication? In this respect, people can send me instant messages when I'm online, and send me stored messages when I'm offline.

      If someone wants to be added to my "list of accepted communications", then they need
      • Re:Comments.. (Score:3, Insightful)

        by HowlinMad ( 220943 )
        I never get spam via instant messenger

        I have, I leave my IM up all the time, I'll come home and have a few IMs from some lonely sorority babes that have a free cam, and I should come chat with them.

        Why not add offline storage capabilities to an IM style of communication? In this respect, people can send me instant messages when I'm online, and send me stored messages when I'm offline.

        Many IM protocols use this. Yahoo does. ICQ does. Jabber can.

        Problem solved.

        I'm actually baffled why an enterprising
      • Re:Comments.. (Score:5, Insightful)

        by Otter ( 3800 ) on Thursday August 21, 2003 @08:54AM (#6754045) Journal
        How does a US law stop spam from other countries? You can't get *all* other countries to adopt US policy.

        Read what he said -- there's nothing about getting *all* countries to stop spam. If adequate laws were passed regulating spammers (and more importantly, the businesses they advertise) in the G7 countries and a few others, that would make the problem much more tractable for anyone who can live without mail from China or Russia.

    • Very insightful (Score:2, Interesting)

      by mericet ( 550554 )
      I agree wholeheartedly. There are a lot of laws which are not actively enforced, but their existence in the books sets a social standard.

      Moreover, a law which is not enforced by itself is useful when the authorities catch them for something else which is hard to prove (in the case of spam, probably fraud, misuse of other people's computers) or have jurisdiction problems. And it helps civil litigation too (I don't know if the US has a civil criminal litigation procedure, but it helps either way).

      • a law which is not enforced by itself is useful when the authorities catch them for something else

        ooh, no, an unenforced law is a very dangerous thing imho. in general, if a law is unenforced then everyone will feel like they can do it, which leads lots of people to do it with no social stigma, and then the police can crack down on those ppl they don't like who are breaking the law and leave the others.

        if everyone breaks a law routinely, why is it there? (this could be applied to filesharing too)

        yes, it
    • Re:Comments.. (Score:3, Informative)

      by letxa2000 ( 215841 )
      Legislation is the ONLY way to get rid of spam.

      Absolutely incorrect.

      The "they will all go offshore" excuse is BS. Sure, some might, but many won't.

      You probably have it backwards. Many will go offshore, but some won't.

      Plus, it might not be necessary. There is so much spam and spammers are constantly dodging bullets to keep themselves anonymous I'm not sure if it'd really be necessary to go overseas. There are not enough resources to track down spammers that are covering their tracks unless some

      • Re:Comments.. (Score:3, Insightful)

        by schon ( 31600 )
        You probably have it backwards. Many will go offshore, but some won't.

        I think you have it backwards. Spammers are sociopaths. They have turned to spamming as an alternative to other types of fraud.

        Would you move to another country - turning your back on your family and friends, just so that you could continue harassing innocent people? I doubt most spammers would either.

        Spam is NOT a social problem any more than junk snail mail is a social problem.

        Spam most definitely is a social problem - most s
      • Re:Comments.. (Score:3, Insightful)

        by jimfrost ( 58153 ) *
        Generally speaking I agree with your commentary, although we do need legislation if only to give a lever that individuals can use when tracking these people down.

        Right now if you want to track down a spammer you're pretty much SOL because you can't get a subpoena to extract identity information out of the ISP. You claim that it wouldn't help because they'll use stolen credit cards and whatnot; that may be true, however I was involved in a tracking operation where we tracked the guy to his office telephon

    • Legislation is the ONLY way to get rid of spam.

      I have a problem with anti-spam legislation. The solution to spam is to rearchitect the email system to integrate authentication, approved contact lists, and overall security. Everywhere spam of any sort prospers (snail mail, telephones, windows messenger, etc), it is because these kind of controls are not in place. Take icq and aim for example. In the past two or three years I have never seen a single unwanted junk message.

      A legislative solution *might*
    • Re:Comments.. (Score:2, Informative)

      by kevinz ( 591587 )
      Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is. The "they will all go offshore" excuse is BS. Sure, some might, but many won't. And then, the country that harbors the offshore spammer is squeezed just as Korea was (do you see any Korean spam any more? well, yes, but nowhere like the torrents we all received a year ago).

      So the spammers move their relays to another location, while they still cash the checks in Florida and Louisiana. How does that help? Even

    • Re:Comments.. (Score:3, Informative)

      by Kjella ( 173770 )
      Legislation is the ONLY way to get rid of spam. Effective legislation and prosecution, that is.

      There are already laws. But we're nowhere near a technically feasible way to gather evidence to prosecute, or even blacklist. Let's say Joe Q. Average gets a SPAM. How does he deal with it or report it? Something that doesn't take more of his time than to hit 'delete', and would lead to something effective?

      In case you haven't noticed, in the MS blaster fallout there's kazillions of "You've been sending virus em
    • "Legislate Now. Not big brother, not slippery-slope BS about John Ashcroft in your inbox - just reasonable, progressive legislation to eliminate the spam epidemic."

      If John Ashcroft is in my Inbox, then my spam filter is even more useless than I thought.
    • Re:Comments.. (Score:3, Interesting)

      by bafu ( 580052 )

      It makes me sad to see someone who thinks "technological solution" == "filters" get a +5 Insightful, but whatever. If you are a troll, derive whatever personal satisfaction you can from the fact that I am taking your post at face value...

      Spam is a social problem, not a technological one.

      You are missing the point of the spam problem. The fact that there are people who have no ethical problem engaging in spamming could be seen as a social problem, but their ability to engage in it is a technological pro

  • by Marxist Commentary ( 461279 ) on Thursday August 21, 2003 @08:36AM (#6753899) Homepage
    As long as there is profit to be made, there will be an enterprising capitalist there to take advantage. Especially in the case of spam, where there is no real barrier to entering. If you get a minuscule response, you can make a huge return on a limited investment.

    It's akin to regulation of the traveling snake-oil salesman of the nineteenth century. That sort of charlatan is no longer allowed (by law), and the same could happen with strong (and strongly enforced) spam laws.
    • by boatboy ( 549643 ) on Thursday August 21, 2003 @10:19AM (#6754812) Homepage
      The illogic of your comment is that it ignores the other side of the coin. As long as there is profit to be made stopping spam, capitalism will find the cheapest, best way to do so- much cheaper and much better than any politician ever could. It also, as this century has proven for marxism, ignores the fact that where there is profit to be made, there will always be an enterprising politician to take advantage.

      Your analogy is also incorrect. Snake oil salesmen were frauds. Fraud became illegal, not snake oil. I may buy snake oil (or magnet bracelets or crystals) as long as the seller is honest about what it is. Spammers may be frauds also, but the point is, if they are frauds-or in violation of other existing laws- then they should be prosecuted under those laws. If new laws are needed to clarify what sorts of advertisement are illegal, they should not deal with the technology but rather the core issue (ie. it is illegal to advertise indecent material to minors.)

      I have a feeling most /.ers, if they thought about it, would trust technology over a politician any day...
  • Wow... (Score:5, Insightful)

    by InfinityWpi ( 175421 ) on Thursday August 21, 2003 @08:36AM (#6753902)
    A government figure who actually admits there's not a whole lot they can do. Nice to see a guy with a little common sense (on this issue, at least) giving voice to his opinions. Let's face it, he's right. Outlawing spam is -not- going to have any effect whatsoever. Look at underage drinking, pot use, etc. It's illegal, it still happens, and quite often. The 'spam bills' won't have any effect beyond making people think their senators are tech-minded.
    • But outlawing it, like everything else, will create additional markets for law enforcement.

      It's like make-work-day, for the whole country.
    • Don't compare (Score:4, Insightful)

      by phorm ( 591458 ) on Thursday August 21, 2003 @11:10AM (#6755422) Journal
      Underage drinking, pot use, etc...

      What you are describing are actions done by private citizens. Quite often younger citizens.

      Now in many cases, spam is a business practice: for both the spammer and whomever he/she is advertising for. While regulating businesses may not have an immediate effect, or a fully-encompassing one, it is generally more effective than regulating private citizens.
      Businesses stand to lose a lot. If pushed to bankruptcy and your business is tied to your personal life, you could even lose a house/car/etc. So yes, it could be more effective.

      Now, if most private citizens were spamming, it might be not effective (see RIAA: filesharing). I have enough faith in humanity that is just a few evils causing most of the spam.
      Getting the laws in place, and more importantly enforcing them should start to affect spam eventually, though.
  • best quote (Score:5, Funny)

    by RevDobbs ( 313888 ) on Thursday August 21, 2003 @08:40AM (#6753940) Homepage

    best quote from the Knowspam.net interview:

    Q. What are you doing with all your extra time now that you aren't getting spam?

    A. . . . Petting the cat. Not a entendre, by the way. Real cat. . . .

  • by kunsan ( 189020 ) on Thursday August 21, 2003 @08:41AM (#6753943)
    At first glance, it sounds like the FTC chief has his head up his ass. After reading the article, I realised the man just does not want to pass a lame ass law that makes it HARDER to prosecute spammers. He is looking for a simpler plan to make it EASIER to shut down mass-spammers. Sounds like he needs our help, not our hostility.

    JP
  • by Mwongozi ( 176765 ) <slashthree AT davidglover DOT org> on Thursday August 21, 2003 @08:41AM (#6753945) Homepage
    Is it just me, or is C/R spam filtering, really, intensely, annoying?

    If I e-mail someone, and I get one of those "I think you're a spammer, prove you're not" messages back, then fuck it, you're not getting my e-mail. Challenge/response breaks the whole concept of e-mail.

    I personally use SpamAssassin to drop mail scoring 5-10 into a crudbox, and 10+ just gets bounced.

    I don't get much spam anymore.
    • by tessaiga ( 697968 ) on Thursday August 21, 2003 @08:53AM (#6754040)

      There's no need for a human to get involved. Have a protocol whereby in order to the receiver's machine automatically issues a small, dynamically-generated math problem which requires the sender's computer a few seconds of computing time to solve. The email only gets "authorized" if a correct solution is received. This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails would be facing some pretty prohibitive computational costs.
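One way the automatic challenge proposed in the comment above could work, as an added example that is not part of the original post: the "math problem" is assumed here to be a hash puzzle in the style of hashcash, where the sender searches for a counter that gives a SHA-256 digest with a required number of leading zero bits and the receiver checks it with a single hash. The `Receiver` class, the challenge format and the difficulty values are assumptions for illustration.

```python
import hashlib
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def stamp_bits(challenge: str, counter: int) -> int:
    """Difficulty actually achieved by (challenge, counter)."""
    data = f"{challenge}:{counter}".encode()
    return leading_zero_bits(hashlib.sha256(data).digest())


def solve(challenge: str, bits: int) -> int:
    """Sender side: brute-force a counter; about 2**bits hashes on average."""
    counter = 0
    while stamp_bits(challenge, counter) < bits:
        counter += 1
    return counter


class Receiver:
    """Receiver side: issue per-message challenges and verify them once."""

    def __init__(self, bits=16, ttl=300):
        self.bits = bits          # required leading zero bits
        self.ttl = ttl            # seconds a challenge stays valid
        self.outstanding = {}     # challenge -> expiry time

    def issue(self, sender, recipient, now=None):
        now = time.time() if now is None else now
        # Binding sender and recipient stops one solution being reused
        # for a different message; the random part stops precomputation.
        challenge = f"{sender}:{recipient}:{os.urandom(16).hex()}"
        self.outstanding[challenge] = now + self.ttl
        return challenge

    def verify(self, challenge, counter, now=None):
        now = time.time() if now is None else now
        # pop() makes every challenge single-use, so replays always fail.
        expiry = self.outstanding.pop(challenge, None)
        if expiry is None or now > expiry:
            return False
        return stamp_bits(challenge, counter) >= self.bits


def bulk_cost_seconds(messages, bits, hashes_per_second):
    """Expected CPU time to stamp a batch: each message costs ~2**bits hashes."""
    return messages * (2 ** bits) / hashes_per_second


if __name__ == "__main__":
    rx = Receiver(bits=16)
    ch = rx.issue("alice@example.org", "bob@example.net")
    answer = solve(ch, rx.bits)
    print("accepted:", rx.verify(ch, answer))
    print("replayed:", rx.verify(ch, answer))
    # Assumed rate of one million hashes per second, for illustration only.
    print("100,000 messages at 20 bits:",
          round(bulk_cost_seconds(100_000, 20, 1_000_000) / 3600, 1), "CPU hours")
```

Because the cost is fixed in hashes rather than seconds, `bulk_cost_seconds` gives very different figures for different hardware and applies equally to any high-volume sender.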

      • A few seconds of computing time on what, exactly? My 28MHz Amiga A1200 does a perfectly acceptable job as a Pine station, but I'd really rather not have it solve something the Athlon 2800+ takes 'a few seconds' over every time it sends an email!
      • "This would have very little impact on a regular user, but a spammer who sends out hundreds of thousands of emails" -- or a legitimate mailing list server -- "would be facing some pretty prohibitive computational costs."

      • Don't say it's the only, or the best, or even good solution. It is not. There is a fundamental difference in approaches to spam. One approach is to leave technology as it is and use legislation (old or new) to smack the spammers. Another one is to use technological solutions to make spam impossible. But technological solutions will not work, because in case of spam it is trying to undo the technological progress itself. Face it, e-mail is free. It is free because of the technology and unless you shut down t
    • by KMitchell ( 223623 ) on Thursday August 21, 2003 @09:01AM (#6754102)
      If you email me and get my "prove you're not a spammer" TMDA autoreply then you've never corresponded with me before (with the email address you're using). Any previous correspondence (to or from) and you won't get the autoresponse.

      If you care enough to send email to me, you care enough to "hit reply" one time for a "new address". If I started the "conversation" you shouldn't ever get an autoresponder message.

      Challenge/response breaks the whole concept of e-mail.

      No. Spamming broke the concept of email years ago. The only question is how to fix things. Based on the hoops you're going through with SA, your email sounds just as broken. Been there, done that. If you don't want to email me, I'll cope somehow.
      • No. Spamming broke the concept of email years ago. The only question is how to fix things. Based on the hoops you're going through with SA, your email sounds just as broken.

        I agree with grandparent, C/R is a lame response to spam. It puts the burden of your spam problem on those legitimate users that may want to mail you. Forgetting the technical problems, that's just rude. I am *not* your spam filter and, like parent, if I receive a C/R response I will just ignore it.

        Technically, C/R is also lame.

    • personally use SpamAssassin to drop mail scoring 5-10 into a crudbox...

      I'm amazed you (and most others) have it so high. For me, anything over 3 gets junked and, if it was any higher, i'd get tonnes of spam in my index.

      ...and 10+ just gets bounced.

      Neat. Excuse my ignorance but would you be so kind as to show me how I would go about setting that up?

      Thanks.

      • I have it set high because I get a lot of HTML mail. I don't mind HTML mail at all, I just don't like spam. 5 is an adequate setting.

        I use Sieve [cyrusoft.com] to sort (and bounce) my e-mail.

        • I have it set high because I get a lot of HTML mail. I don't mind HTML mail at all, I just don't like spam.

          I'm the same too. But if I put it any higher, i end up with loads of spam passing the spamassassin tests (because they rank around the 3.5 - 4.5).

          Cheers for the link. Will check it out.

  • by Anonymous Coward on Thursday August 21, 2003 @08:41AM (#6753947)
    Listen guys. You can't have laws saying "It's OK to be anonymous and post anything you want anywhere and threaten to do anything to anybody and download anything you want and it's all free and nobody can touch you; but spamming is bad. Then you go to jail." Trying to limit everybody else's actions while giving yourself complete freedom is known as "fascism".
    • Exactly. The only way to eliminate spam is to force everyone to include real-world identification data in every single email and Internet posting. Do you really want your SSN on every post you make to Slashdot and the natalie-portman-fantasies mailing list ready for future employers and partners to find?

      The price you'll pay for anti-spam laws is the complete end to anonymity on the Net: personally I think that's a pretty lousy trade compared to local filters and ready use of the delete key.
  • by Anonymous Coward
    Since they are taking the time to scan email for viruses, you would think they would take a second to check the validity of the "from" address. Or at least not send bounces to domains which have diff ips than the sender.

    Now I get piles of bounces from people with viruses.
    Great.
    Hard to filter since I want to see bounces from my own mail.
  • Always funny (Score:5, Insightful)

    by cubicledrone ( 681598 ) on Thursday August 21, 2003 @08:43AM (#6753957)
    How people spend so much time complaining about spam (unauthorized use of bandwidth) yet have no trouble at all making unauthorized use of someone else's data (file trading).

    There shouldn't be much problem with a spam policy provided the proper definition of spam is included: bulk, unsolicited, commercial e-mail.

    Defining spam as "any e-mail I don't want" is probably part of the problem with having a working anti-spam policy. It is also an incorrect definition of spam.

    It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.
    • Re:Always funny (Score:3, Insightful)

      by garcia ( 6573 ) *
      using someone else's data is beneficial to you, getting spam in your mailbox is nothing but an annoyance.
    • Re:Always funny (Score:2, Insightful)

      by letxa2000 ( 215841 )
      It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.

      Unless it's personal, one-to-one conversation from a friend of mine recommending some company for something my friend knows I'm interested in, I don't *WANT* to be introduced to any company via email. If I'm interested in a company's product, I'll go Google and find it. Then we can have an email exchange if necessary. But I positively never want to receive a "cold call"

    • by Hayzeus ( 596826 ) on Thursday August 21, 2003 @09:23AM (#6754278) Homepage
      It also makes it impossible for people to do business, since it will be impossible for people to introduce themselves through e-mail.

      I agree completely. So please allow me to introduce myself to you. I am Thomas N'Gemba, formerly of the Ministry of Finance of Nigeria. I and my associates have recently discovered aporximately USD$10,000,000.00 in unsecured funds...

    • Take out the commercial part.

      The definition is, and will always be, despite the efforts of the DMA and other spam friendlies, "unsolicited bulk email".

      Not commercial, not porn, not fraudulent, but ALL unsolicited bulk email regardless of content.

      Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death
  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Thursday August 21, 2003 @08:45AM (#6753978) Journal
    From the article:
    "Proposals in both the House and the Senate require us to prove knowledge to bring an action against a seller that hires a spammer," Muris said.
    Proving such awareness could be nearly impossible, he hinted.
    It may suck, but it's right on the money... how can you possibly prove that the seller ever advocated the spamming? The *most* they could expect from a seller is for them to pull the spammer's account (if the spam was done as some sort of referral program), but often even that's not possible.
  • by weave ( 48069 ) on Thursday August 21, 2003 @08:45AM (#6753979) Journal
    What the government can do and should do is pass a law that says the matter should be handled by the private sector, and affirm a mail system owner's right to decide what gets delivered, and also word it so third party services like spamcop are legal so they don't have to be threatened with legal actions.

    Put an end forever to these bogus claims by spammers that their free speech is being interfered with, that businesses have to pay to provide means to deliver their crap, and that to do otherwise is to interfere with their business and all of their other bogus claims.

    • The thing I never got about this whole "free speech thing" (Ha I am English anyway, we have no "rights"), sure I respect your right to say what you want and think what you like. What I don't understand is why I have to listen to it! You have the right to say what you like, not force everyone to listen to what you're saying. Is the right to free speech of someone else greater than my right to privacy?

      James
  • by twitter ( 104583 ) on Thursday August 21, 2003 @08:45AM (#6753981) Homepage Journal
    What crap! Anonymity is a crucial part of free speech. Attempts to eliminate it from email are about as unAmerican as unique CPU numbers or bar-code tattoos. They are also technically unnecessary. IP numbers do not have to reveal a user's identity to be blocked. Laws that attempt to eliminate spam by making it technically impossible are about as sensible as making murder technically impossible by outlawing privacy and pointy metal objects. I'm sick of such stupid shit.

    The solution is to outlaw spam outright. Spammers will be caught the same way murderers and crackers are caught today. It does not require a fundamental loss of privacy or anonymity on the web. Spamming will be reduced to a tolerable level the same way speed limit laws reduce traffic deaths. Spamming and the "cost shifting" involved are simply wrong and it's right to make laws against things that are wrong regardless of how well they work.

    • The solution is to outlaw spam outright. Spammers will be caught...

      Oh... and just *HOW* do you propose that we do that? Follow the return address? It's always faked. Contact the seller? You'd be *EXTREMELY* hard pressed to prove that the seller advocated the spam. Heck, maybe the spam was sent by some bloke who works for the competition trying to disrepute these guys. How can you prove otherwise?

      Nice in theory, but no go... as long as anonymity is allowed to exist in email, spam will exis

      • Oh... and just *HOW* do you propose that we do that? Follow the return address?

        Why do people always ask that question?

        You catch spammers by, well, catching them! ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set. That's the same kind of detective work and reliance on witnesses that any normal crime is solved by. ISPs constantly cut off these creeps and they have to keep going from ISP to ISP to get their word out. It would be v

        • You catch spammers by, well, catching them! ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set
          Wrong.

          This is a critical failing of SMTP. It is impossible to authenticate that the email in question came from any of the IP addresses that might be found in the email.

        • ISPs and other interested parties can trace IP numbers back to the machine that sent them, no matter how "fake" they are set.

          What about infected end user machines that are being used as anonymizing zombies? There are, by all accounts, tens of thousands of them out there. You can bet that they don't keep logs.
          • What about infected end user machines that are being used as anonymizing zombies?

            Let them try it. The traffic controlling them can be traced back if it's against the law. Once again, difficulty in enforcement is no reason to give up.

  • Passing Laws (Score:3, Insightful)

    by aking137 ( 266199 ) on Thursday August 21, 2003 @08:47AM (#6753995)
    Spam is a big problem, but I think we should be really careful about pushing our lawmakers to pass laws that are that specific to computers. Whenever someone suggests introducing a law that could possibly invade someone's privacy, we're up in arms about it and claim that such problems should be solved a different way - that the lawmakers should stay away from what they don't understand, and that we could solve them by technical means, or by interpreting more general, existing laws to apply to computers.

    When we're pushing for anti-spam legislation, we're saying it's suddenly okay to pass laws that specific just because it suits us and we can't see any possible way to lose out. Is this a fair way of doing things? Are we really decided on how far we want laws to extend into computers, and where we draw the line?
  • by FearUncertaintyDoubt ( 578295 ) on Thursday August 21, 2003 @08:58AM (#6754083)
    No spam law that doesn't help investigators find the real sender of the message would be effective he said.

    Anonymity is something that I think is one of the things that makes the internet so valuable as a tool to help people fight oppressive governments and corporations. When it is impossible for a spammer to cover his tracks, it will also be equally impossible for a political or corporate dissident to do so as well.

    The implication here is that spam can be solved by a technical solution, i.e., one that makes forging identity very very difficult. IPv6 or something like that, perhaps, with additional anti-terrorism/anti-spam identity measures, forcibly implemented (Carnivore anyone?) on ISPs and backbone providers. We'll be so happy to be rid of spam we won't realize what we gave up.

  • Spamming is a scale free [sciam.com] phenomenon- that is, a small fraction, 20 to 200, account for most of the successful spam. You'd just need the legal incentive to go after the big ones.
  • by gristlebud ( 638970 ) on Thursday August 21, 2003 @09:03AM (#6754123)
    I agree that the proposed spam legislation is inadequate to solve the problem, and I commend the FTC for standing up, rather than passing more useless laws and backing an ineffective solution just to be able to say "look what we've done"

    However, my problem lately has not been the traditional UCE spam (SpamAssassin does a pretty good job taking care of that); my problem lately has been outright criminal messages reaching my inbox.

    Recently, I've been getting more and more messages spoofed as being from Paypal, Citibank, my ISP, etc, saying that my account has been suspended, and I need to verify my password, credit card number, even my mother's maiden name(!) These messages are getting more sophisticated, and appear to have (for example) a paypal.com address for me to click on.

    After getting a few of these in a week's time, I checked the headers, and all seemed to come from China. I'm not sophisticated enough to trace them back any farther, but since these are so blatantly criminal, I don't think they'd be originating in the US, as the potential for prosecution is so high.

    Unfortunately, these messages are the most dangerous, and the hardest to stop (if they truly originate overseas.) I'd like to see some sort of international cooperation to track and prosecute these degenerates.

  • by einTier ( 33752 ) on Thursday August 21, 2003 @09:05AM (#6754142)
    It seems like these guys lay low so that geeks like us can't find them and harass them. But, this has always begged the question in my mind, how do their customers find them?

    Not that I want to spam mind you, but it seems like they have more than a few customers, and yet, it seems next to impossible to find a point of contact for these people.
    • All large volume spammers are well known to the anti-spamming circles. Their information is listed on such resources as ROKSO (Registry Of Known Spam Operations) [spamhaus.org], SPEWS [spews.org] (down due to DDOS by spammers on its nameservers) and Google Groups searches on newsgroups like news.admin.net-abuse.email or news.admin.net-abuse.sightings.

      Then there're mainstream companies that have managed to fake legitimacy that target not the fly-by Viagra peddlers, but real businesses, politicians (you may recall the Howard Dean spam
  • Hmm (Score:3, Interesting)

    by Dark Lord Seth ( 584963 ) on Thursday August 21, 2003 @09:09AM (#6754173) Journal
    That time travel guy, I think. Did you ever get it? That guy who was looking for aliens who had perfected time travel because he needed to go back and fix something? It was a rambling treatise about the nature of time and him trying to convince the reader he was dead serious about this and there didn't seem to be any other point to the thing. No URL, no offer to increase my penis size, nothing.

    Did anyone else receive that one? I thought it was nice! It was so full of bullshit (not noteworthy amongst spam) and... it had no purpose. Spam is usually aimed at stupid and/or gullible people who are willing to believe anything they receive in their mailbox. Even if someone were to believe this one particular spam message, what would one do? Send Mr Fusion to a set of long/lat coordinates IN THE PAST? Is it some kind of joke?

    • I think it was sent by somebody who hopes that time travellers really do exist and are visiting this time period & have e-mail addresses & will take sympathy on him...

      Kind of a long shot, but with the cost of sending spam so low, who knows? :-)
  • by Adrian Lopez ( 2615 ) on Thursday August 21, 2003 @09:10AM (#6754177) Homepage
    I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field. The receiving SMTP server contacts the server listed in the From field to obtain a copy of the claimed sender's public key which the receiving server uses to authenticate the sender's true identity. The public key is user-settable so that alternate From addresses may be used as long as the sender is authorized to use that address in From fields.
    • I think the SPAM problem could be largely mitigated by altering the SMTP protocol to include cryptographic signatures which are used to authenticate the email address listed in the email's "From" field.

      SMTP doesn't know about the From: field. Or the To: field, for that matter.

      • SMTP doesn't know about the From and To fields? What do you mean? SMTP requires that users specify a From and To field, and while it might not respond immediately with information about the validity of an email address, it is nevertheless possible for SMTP servers to establish the validity of an email address. My server, for instance, does this:

        helo caribe.net

        250 OK
        mail from: me@caribe.net
        250 me@caribe.net OK
        rcpt to: nosuchuser@caribe.net
        550 is not a valid mailbox

        SMTP seems like the natural place to verify
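Added example, not part of any comment in this thread: the disagreement above about tracing "IP numbers" and about whether SMTP knows the From: field comes down to what a receiving server observes itself versus what the sender typed inside DATA. The Python sketch below analyses one constructed message; all host names, addresses and the single-hop assumption (the border MX stores the message directly) are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. ENVELOPE holds what the client said in the SMTP
# commands MAIL FROM / RCPT TO; RAW is what it then sent inside DATA.
# The second Received line was supplied by the sender, even though it
# names our own host.
ENVELOPE = {"mail_from": "bounce@bulk.example", "rcpt_to": "user@receiver.example"}
RAW = """\
Received: from mail.bulk.example (unknown [203.0.113.45])
\tby mx1.receiver.example with SMTP; Thu, 21 Aug 2003 09:10:00 -0400
Received: from accounts.bank.example ([192.0.2.10])
\tby mx1.receiver.example with ESMTP; Thu, 21 Aug 2003 09:09:58 -0400
From: "Account Services" <service@bank.example>
To: user@receiver.example
Subject: Your account has been suspended

Please verify your password.
"""

PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
STAMPED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def domain_of(address):
    """Lower-cased domain part of an address, with or without a display name."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def analyse(raw, envelope, our_hosts):
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfold
    peer_ip, unverified = None, hops
    if hops:
        by = STAMPED_BY.search(hops[0])
        ip = PEER_IP.search(hops[0])
        # Only the topmost header was written by our own server, during the
        # TCP session itself; its bracketed IP is the real connecting peer.
        if by and ip and by.group(1).lower() in our_hosts:
            peer_ip, unverified = ip.group(1), hops[1:]
    env_dom = domain_of(envelope["mail_from"])
    hdr_dom = domain_of(msg.get("From", ""))
    return {
        "peer_ip": peer_ip,
        "unverified_hops": len(unverified),
        "envelope_domain": env_dom,
        "header_from_domain": hdr_dom,
        # A mismatch is a signal, not proof: mailing lists and bounce
        # handling also produce different envelope and header senders.
        "from_mismatch": env_dom != hdr_dom,
    }

REPORT = analyse(RAW, ENVELOPE, {"mx1.receiver.example"})
```

The one address the receiver can vouch for is the peer that opened the connection, which for relayed mail may be a compromised end-user machine rather than the originator.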

  • But retaining backwards compatibility with SMTP would invariably allow spamming to continue.

    An entirely new mail protocol probably still needs to be created though, but what I suggest is that mailservers which support the new protocol have a mechanism whereby, on a user by user basis, any SMTP-protocol mail coming in for users that have turned off SMTP could be rejected as soon as the header is finished. These mailservers would also be configured to automatically add a header for the users who don't reje

    • What would the new protocol give you that SMTP doesn't?

      What allows spam isn't SMTP, it's the way SMTP is used: Any ISP will accept email for their customers from just about any ISP, many of whom in turn will allow just about anyone to sign up as a customer and send email, without proving identity or showing any bona fides beyond payment for the service.

      How will your new protocol magically stop that happening?

      A slight improvement could be brought about by:

      • Insisting all messages have a "sender:" whic
  • Anti-Spam Services (Score:3, Interesting)

    by Goo.cc ( 687626 ) * on Thursday August 21, 2003 @09:12AM (#6754193)
    The interview in the story is from an anti-spam service called knowspam, which works pretty much like Blue Bottle: if you are not on my white list, you have to authenticate yourself to send me an e-mail.

    But what happens when two people, both using such a service, decide to send an e-mail for the first time? Couldn't such a setup create an endless loop of authentication requests?
  • by Maul ( 83993 ) on Thursday August 21, 2003 @09:12AM (#6754196) Journal
    Legislation isn't always the correct tool for fighting something. Whenever we consent to Congress passing more and more laws, we are sure to lose some of our freedoms along the way.

    I hate spam as much as the next guy, but it isn't worth letting Congress think up some hair-brained, rights-destroying scheme that probably won't work anyway.

    Too bad they don't realize this on most issues out there.
  • The guy's right (Score:5, Interesting)

    by amcguinn ( 549297 ) on Thursday August 21, 2003 @09:15AM (#6754222) Journal
    First, in saying some recent bills may be counterproductive, he's only echoing what many anti-spam campaigners have been saying: the bills actually legalise a lot of spam.

    Now, a good anti-spam law can contribute by driving spam further into the criminal underworld, but let's face it, it's most of the way there already, and you're not going to cut it down much more in that direction.

    The key point is anonymity. If you can send email anonymously, you can send spam, legally or illegally. If you are willing not to receive anonymous email, you can receive zero spam (using whitelisting), or next to zero spam (counting on blacklisting of known spammers by name). Contrary to what some people say, the existing technical SMTP protocols are perfectly adequate for spam-free email: you just need a virtual email network using smtp, to which anonymous users are not admitted. I think it quite likely that MSN, AOL, etc. will be setting this up within the next 12-24 months. They might screw it up by trying to lock out competitors, but it can only be useful if it's reasonably inclusive.

    Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.

    • Personally, I want to receive anonymous email, from people who've seen my web sites, or old friends who've looked up my address, or whatever. But to get these emails, I'm bound to get spam as well, legally or illegally, and I'm prepared to live with it.

      How anonymous do you need? I mean, I'll never know user@free-email-domain.com's real name, he probably didn't sign up for it in the first place, which is enough anonymity for 99,99% of us. But if he is using that email to commit crimes (and SPAM is a crime,
      • What if he signed up from an internet cafe? What if he signed up from a large company that needs months to go through its logs, or doesn't have secure access internally? What if he signed up from Bangladesh? (Nothing against Bangladesh, it's just somewhere fairly remote and difficult for my local police to deal with).

        If he's planning a terrorist bombing, the police can have a go at tracking him down, but at least where I live it's hard enough to get police to spend resources investigating a burglary, n

  • by rudy_wayne ( 414635 ) on Thursday August 21, 2003 @09:48AM (#6754492)
    I'm all for fighting spam, but so far, there are 3 problems:

    First, there seems to be this naive belief among politicians that if they pass an anti-spam law, spammers will actually obey it. The majority of spammers have little regard for the law and their entire business model is based on deception and other activities of questionable legality. Any anti-spam laws will be ignored (and tied up in the courts by legal challenges).

    Second, is enforcement. You can write all the laws you want, but they are meaningless if not enforced. If I am deluged by spam that violates an anti-spam law, who do I complain to? Who will investigate my complaint and take appropriate action - all the way through to prosecution? If you think about this for a minute, you quickly realize that *MEANINGFUL* enforcement of anti-spam laws will take a lot of resources -- i.e., it will be very expensive.

    And finally, there's the international nature of the internet. Routing spam through a mail server in a foreign country is trivial. The only likely outcome of anti-spam legislation is that spammers will use foreign servers for their e-mail and websites.
  • I don't understand all this User, System, Idle nonsense.. I thought it went User, System, SETI?
  • There have been other email worms out there before, and I have had some extra traffic because of them, but I have had over 500 SoBig infected emails in the past 24 hours.
    The message doesn't appear to be particularly "catchy" and it seems to follow the infection vector of other worms, so why the traffic? Does it cause infected computers to send out messages more often?
    Most importantly, when can I punch the person responsible for this?
  • by swb ( 14022 ) on Thursday August 21, 2003 @10:00AM (#6754595)
    Spam is predominantly a marketing method for fraudulent or otherwise illegal business enterprises. Without a source of business, the people performing the spamming will be forced to move on.

    You *can* easily catch the people running the businesses behind the spam; they collect money, and the money trail is easily followable. Lean on these people, and you can probably get the spammers if someone decides to make spamming illegal as well.

    The key point is to not try to attack spam; it's only a symptom. The real cause is fraudulent business enterprises, and I'm mystified why the FTC or the FBI doesn't make them a higher priority. Even the DMA should back this, since it would make them look more reputable without a direct attack on a business practice they'd *like* to use.
  • Let's not forget about the recent clash [somethingawful.com] between SPEWS.org and SomethingAwful.com. The toll the spam war takes on everyday users through organizations such as Spews who are too heavy handed. Treating spam as a war to be won at any cost has already produced enough casualties.
  • by twoallbeefpatties ( 615632 ) on Thursday August 21, 2003 @10:55AM (#6755189)
    This story [weeklydig.com] was printed recently as the cover for a weekly indie paper in Boston. The story reads more as a cover sheet for neophytes rather than for the hardcore Slashdot crowd, so you've probably heard most of it already, but there are a few points of interest:

    -- Some legislators have built up backing for a "do not email" list, similar to the "do not call" list that can get telemarketers in trouble. However, there's little hope it will pass. Not only would most offshore spammers ignore the list, but a list full of working emails would be gold to most spammers.

    -- The article briefly restates the idea that putting a price tag on emails could help the problem. The idea is that spammers make profits only because they can spam freely in such large quantities. If there were a 10 cent bill attached to emails sent, spammers would see greatly diminished returns. Small price to pay?

    -- The article also gives this interesting thought in a "do's and don't's" sidebar: Use "plus addressing" (offered at EFN) if you care about who's giving out your e-mail address. Here's how it works: Get an e-mail account. For example, nospam@efn.org. What's different with plus addressing is that nospam1, nospam2, nospam3 and so on will also be sent to you, only they'll each come into individually labeled folders. Next, when you sign up for a Victoria's Secret card and they ask for your e-mail, you give them one of those plus addresses, such as nospam14. If you ever get a spam e-mail sent to the nospam14 folder, you know which organization sold or shared your e-mail, and therefore where not to buy your panties.
