LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

The CAN-SPAM bill examined

The CAN-SPAM bill examined

Posted Nov 26, 2003 6:32 UTC (Wed) by AnswerGuy (subscriber, #1256)
Parent article: The CAN-SPAM bill examined


Thus U.S. legislative process is systemically broken at this point. Almost no consideration remains for mainstream popular interests --- it's all special interest pandering; mostly purchased by professional lobbyists, with a few
nods to politically influential extremists on a few knee-jerk issues (abortion, gun control, etc).

It is almost inconcievable that any law could materially reduce spam.

A "do not spam" list could be implemented in a distributed and technically sound way that didn't give spammers a simple new target list. I would specify a sort of DNS query sort of like a negated SMTP VRFY --- call it a "NOMAIL" query. So, if I have a purported e-mail address in your domain I can make the query --- if I get a "TRUE" back it mean that I may NOT send mail to that address at that domain.

Trying to harvest addresses through this won't work --- if you make up addresses I'll just return a TRUE for any possible address. I will ONLY return a "false" NOMAIL for those (very few) people who *want* to receive spam. I'd extend that spec. a little to provide rate throttling. So the extra fields for this query would say: "don't ask about *any* other NOMAIL addresses for at least N minutes" It would be illegal to violate that part of the spec (from the client side) :)

In my version of the "opt-out" list each ISP would be free to have a policy that all spam is unwelcome (if you want spam go join another ISP) or to treat the default as "NOMAIL" and internally implement it as more of an "opt-in" mechanism. Commercial mailers would be required to make a NOMAIL query before sending unsolicited bulk mail (defined as 100 or more recipients in 24 hours, 1000 or more per week or 10000 or more per year).

Would this be too much of a "burden" for legitimate commercial mailers? Certainly not on a technical level. There is only a tiny incremental cost to the extra DNS query. On a political level --- HELL YEAH! It would prove to all and sundry that almost NO ONE wants to get unsolicited mail. Almost NO ONE would sign up for this (and many ISPs would publicly state that customers who did want spam were unwelcome at their site).

In other words it would reveal, even more starkly than the U.S. national "Do Not Call" list, that people are tired to pushy forms of advertising.

Jim

(Log in to post comments)

The CAN-SPAM bill examined

Posted Nov 26, 2003 12:02 UTC (Wed) by ekj (subscriber, #1524) [Link]

Too complicated. I am completely convinced that allowing spam at all has no positive benefit for the economy or society whatsoever. Why not simply forbid it ? The Scandinavian countries have, and it works ok.

The bill needed is not complicated. It is forbidden to send comercial email to a person unless this is either a) a current and ongoing customer of you or b) the person has given prior, informed consent to receiving such.

Yes, this *does* mean that say my online-bank can legally "spam" me aslong as I am a customer there. But the thing is: they have a very strong incentive not to; they want to *keep* me a customer there.

I fail to see why all US legislation and debate assumes as a default that random people on the Internet want to receive spam, and only want to provide a way for you to say that you don't. In my experience the reality is completely the oposite: 99% of the people do *not* want any spam, and it'd be sufficient to provide a way for the remaining 1% to say "yes please".

Make a national "spam please" list, people on the list can be spammed, others not. See how popular the list will be....

The CAN-SPAM bill examined

Posted Nov 26, 2003 15:21 UTC (Wed) by mmarsh (subscriber, #17029) [Link]

>The bill needed is not complicated. It is forbidden to send comercial
>email to a person unless this is either a) a current and ongoing customer
>of you or b) the person has given prior, informed consent to receiving such.

Unfortunately, as sound as this seems, I don't think it'll work in practice. I've been getting spam for years claiming (fraudulently) that I signed up to receive it. I get telemarketing calls like this, too, which usually begin with something like, "Hi. I'm responding to your request for information about our luxury dream time-share homes in prime swamp real estate." The other standard line is, "Either you or a friend or relative signed you up to receive this offer." You could add teeth to such a law by requiring companies to keep proof of consent for every email address (or phone number) on their list, but that still puts the burden on the victim to track down and file suit against each spammer.

There's another trick that further complicates matters. Not long after sign-up began for the U.S. "do not call" registry, random prize drawing or similar postcard-type offers started appearing. Entering the contest, or whatever the relevant gimmick was, also included granting permission to have your name and number sold to telemarketers. This was, of course, in the fine print that virtually nobody read, but it's still valid. Now just imagine what a spammer or address harvester could do with hidden form entries.

On the other hand, we can't and shouldn't ban true opt-in mailing lists, whether their aim is advertising or not. There are even some that aren't really opt-in but should be allowed, such as intra-organization mailing lists that serve administrative functions. It seems to me that there's really no way to craft a useful law that the spammers won't, in general, be able to get around and yet which still allows useful mailing lists. I think there really just needs to be more education of all these "entrepreneurs" who see mass-emailing as the greatest marketing tool in the world. The only other viable option is probably to assign some tangible cost to sending email. This brings up the whole morass of e-stamps and the like, or solving puzzles to "pay" for the transmission. Either one requires enough changes to infrastructure and clients that we'd be just as well off scrapping email as it exists today and building a new asynchronous message system.

Good gravy...that's a long way to say "Nah, it won't work."

The CAN-SPAM bill examined

Posted Nov 27, 2003 11:23 UTC (Thu) by rwmj (subscriber, #5474) [Link]

One good trick to use:

Telespammer: This is luxury kitchens ltd. Can I speak to Mr. Jones please?

Me: Sure, I'll just go and get him.

Go off and continue what you were doing for half an hour. Then come back
and place the phone back on the hook.

Works for me!

Rich.

I actually think this is doable, but won't work

Posted Nov 26, 2003 16:51 UTC (Wed) by pflugstad (subscriber, #224) [Link]

The FTC now has the authority to implement a do-not-spam list. Congress (AFAIK - I did not look at the bill) has not specified any implementation of it. So the FTC can implement it any way it wants, including something like how AnswerGuy described.

As far as being too complicated - only the techs at the ISP see this - you simply tell your ISP if you want to be on the list or not and they setup the DNS server appropriately. This would probably be a straightfoward extension to what they're already doing with various real-time black lists.

Anyway, just thinking. I doubt it would honestly work in any case. We need the equivalent of the anti-junk-fax law for spam - let the people go after the spammers and those who buy their services. That'd fix this problem with no effort from the gov't. But nooooo, we can't have people actually taking any responsibility on their own...

Free flow of information

Posted Nov 28, 2003 18:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

The bill needed is not complicated. It is forbidden to send comercial email to a person unless this is either a) a current and ongoing customer of you or b) the person has given prior, informed consent to receiving such.

Well, we have this love of the free flow of information in this country. If I'm selling Viagra for half the usual price, I have a right to let it be known that I'm doing so.

Furthermore, commercial communication is a GOOD thing. If you're a regular user of Viagra, it is in your best interest as well as mine that you find out I'm selling it cheap.

I object to the government blocking my email box just as much as I object to the spammers doing it. (The spammers do it by creating such a flood of email that I couldn't pick out truly interesting unsolicited commercial emails even if they were there. And that is the only reason they aren't there!).

I support any law that gets me (and my ISP) more information to use in filtering out uninteresting email -- e.g. genuine headers -- but not a law that attempts to define which emails I don't want.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds