
David Sorkin on Internet Law and Spam

KC7GR writes "Cnet has published an interview with David Sorkin, associate professor at the John Marshall Law School. He's answering questions about the current state of cyberlaw, and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
  • Well... (Score:3, Insightful)

    by Kickstart70 ( 531316 ) on Friday September 20, 2002 @03:38PM (#4299331) Homepage
    I fail to see how the problem of spam could be much worse. Out of necessity an alias to my email is out on the net and I get 20-30 spam per day, most of the incest/rape/animals varieties.

    What would be worse? 100 spam a day would take no more effort to delete (thanks to spamassassin), and I fail to see worse topics showing up in my mailbox.

    Kickstart
    • Well, legislation protecting spammers (preventing ISPs from kicking them offline) and/or creating legal penalties for reporting spam could make it worse.
    • It is illegal to use spamassassin, and you go to jail for not reading your spam?
      • Re:Never say never (Score:3, Insightful)

        by WeirdKid ( 260577 )
        This isn't a joke, really. Remember the TV exec who said that people who skip commercials are stealing television shows? I wonder if someday someone will effectively argue in the courts that by using a spamblocker, you are "stealing" the Internet. I know, and you know, that this doesn't make sense, but, well, look at DMCA, UCITA, ...
        • Worse, he said there was a "contract" between the viewer and the broadcasters, such that the viewer "agrees" to watch commercials, in exchange for being allowed to watch the (supposed) content for free.

          As someone on Slashdot said previously, when you watch TV, you are the product being sold. (Same for any advertiser funded medium)
        • People who skip commercials *are* stealing tv shows. How do you think that stuff get's paid for?
          • You can't call it stealing if it's worthless, can you? After all, only things of value can be stolen (after all, if you don't value it, you won't even notice it's missing. Would you complain if someone stole the dogshit you pick up when you walk your mutt? Or would you thank them?)

            What's being stolen by the tv shows is your time, which should be more valuable than most of the crap out there, anyway.

          • Re:Never say never (Score:2, Insightful)

            by dissy ( 172727 )
            If you came by and dropped a laptop in my lap for no reason nor did i ask nor was anything said between us, you lose the right to ask me for payment at a later date.

            No one even ever told me i had to pay to watch tv, short of owning a tv set.

            How do i think that stuff gets paid for? Why should i think about it when it is not my concern. If they wanted money in exchange for it they should sell it like cable.

            Then you get into the issue of 'they are transmitting their signal through me, so its not up to them to decide what happens with that signal any longer'
          • Re:Never say never (Score:3, Insightful)

            by orthogonal ( 588627 )
            People who skip commercials *are* stealing tv shows. How do you think that stuff get's (sic) paid for?

            In the U.S., television broadcasters are allocated radio spectrum (TV channels) essentially without payment (except for certain regulatory fees), because they are presumed to be providing a public service in return.

            When the broadcasters pay market rates for the radio spectra (as wireless telephone providers have in recent years in the U.S.), and when they contract with viewers to provide services in exchange for viewing commercials, perhaps they can argue that not watching some portion of their signal is theft.

            Until then, they use their spectra public trust, and without any contract with their viewers.

            Or shall I argue that since you've read this far, you're obligated to read my sig?
          • How do you think that stuff get's paid for?

            Commercials is not the only possible way to pay for the TV shows. In Denmark we have to buy a license if we want to own a television. But with our new government that might change. (So much for the commercial free TV.)
        • Even though a pro-spam business might argue that point, it would be pure nonsense. In fact, by fighting spam, you are, in a sense, doing what the television executive was doing: you are telling people who use your resources (or resources you pay for) without compensation to stop doing so.

          I still think that the television executive's claim is quite a stretch, because no one signs a contract to watch TV, and also because television is broadcast, whereas spammers target us personally. However, a spammer might claim that by allowing your email address to be viewed openly on the Internet, you have effectively "broadcast" it out.

          Those are just some thoughts I had. I'm still at the conclusion that avoiding commercials is not stealing and spamming is.

    • by jcapell ( 144056 ) <john@capell.net> on Friday September 20, 2002 @03:55PM (#4299430)
      The Pro version is available for MS Outlook users, and works wonders.
      • Sigh... nothing like failing to disclose an affiliate relationship when "recommending" a product.
      • Just for giggles I've been using Outlook 2000's Rules Wizard to filter out as much spam as possible. I've had some interesting results:

        - Delete anything that has more than 5 spaces in the subject: A good chunk of SPAM has a randomized identifier at the end, and they separate it with a number of spaces. By looking for 5 spaces in the subject, I've diverted a bunch of SPAM.

        - Delete anything that contains the phrases 'to unsubscribe', 'opt', or 'to remove': All the unsolicited mail I get claims to be solicited. (yeah right.) I set up a few filters to catch those messages and had good results, too bad Outlook 2000 skips HTML mail. *Grrrr*

        - Delete anything that was sent to you and another address with hotmail in the name: This one surprised me a bit, but I've noticed that some SPAM may also be forwarded to other people as well systematically. At least in my case, a good deal of them have a hotmail address carbon copied.

        - Delete anything that's not specifically sent directly to you: Sometimes messages sent to me show up as 'undisclosed recipients'. So I have a rule that says "If the 'to' field doesn't match my email address, send it to another folder for verification."

        - I go by 'AnonV' in other places. So when places ask me for my first/last name, I go by 'AnonV, Coward'. (heh) I've found that if I filter 'AnonV' from the subject line, that catches a few unsolicited mails as well.

        Your mileage may vary, and I cannot possibly guarantee that you wouldn't get false hits, but I thought you all would be interested in knowing how I deal with SPAM. Something as simple as creating an intentional typo in a registration form can clue you in on where the source of the SPAM is.
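
The five Rules Wizard filters listed in the comment above, written out as an added example (not part of the original post, and not Outlook's own rule engine). The mailbox address and all sample messages are constructed; unlike the Outlook 2000 rules described, this version also scans HTML bodies, and the `false_hit` sample shows the kind of false hit the bare `opt` substring produces.

```python
import re
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESS = "me@example.org"   # assumption: the mailbox being protected
CANARY = "AnonV"                # the tagged sign-up name from the post
PHRASES = ("to unsubscribe", "opt", "to remove")  # plain substrings, as posted


def body_text(msg):
    """Lower-cased text of every text/* part; HTML is reduced to its text."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)   # crude tag strip
        chunks.append(text)
    # Collapse whitespace so a phrase split by a tag still matches.
    return re.sub(r"\s+", " ", " ".join(chunks)).lower()


def addresses(msg, *headers):
    """All non-empty addresses found in the named headers, lower-cased."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def classify(raw):
    """Return (action, matched_rules) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    to_addrs = addresses(msg, "To")
    everyone = addresses(msg, "To", "Cc")
    body = body_text(msg)

    hits = []
    if re.search(r" {5,}", subject):                  # run of 5+ spaces
        hits.append("subject-padding")
    if any(p in body for p in PHRASES):
        hits.append("removal-phrase")
    if MY_ADDRESS in everyone and any(
            "hotmail" in a for a in everyone if a != MY_ADDRESS):
        hits.append("hotmail-corecipient")
    if CANARY.lower() in subject.lower():
        hits.append("canary-name")
    if hits:
        return "delete", hits
    if MY_ADDRESS not in to_addrs:                    # e.g. undisclosed recipients
        return "verify", ["not-addressed-to-me"]
    return "inbox", []


def make(to, subject, body, cc=None, ctype="text/plain"):
    """Build a constructed sample message (not real mail)."""
    head = ["From: sender@example.net", f"To: {to}"]
    if cc:
        head.append(f"Cc: {cc}")
    head += [f"Subject: {subject}", f"Content-Type: {ctype}; charset=utf-8"]
    return "\n".join(head) + "\n\n" + body + "\n"


SAMPLES = {
    "padded": make(MY_ADDRESS, "Lose weight now      x8f3k", "Click here."),
    "html": make(MY_ADDRESS, "Great deals",
                 "<html><body><p>Deals!</p>"
                 "<p>To <b>unsubscribe</b>, reply.</p></body></html>",
                 ctype="text/html"),
    "hotmail": make(MY_ADDRESS, "Hi", "See attached.",
                    cc="rnd4821@hotmail.com"),
    "canary": make(MY_ADDRESS, "AnonV, claim your prize", "Prize inside."),
    "undisclosed": make("undisclosed-recipients:;", "Notes",
                        "Meeting moved to noon."),
    # Legitimate mail: "adopt" contains the substring "opt".
    "false_hit": make(MY_ADDRESS, "Schedule",
                      "We will adopt the new rota on Monday."),
    "clean": make(MY_ADDRESS, "Lunch", "See you at noon."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
```
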
      • I fail to see how the problem of spam could be much worse...

      Funny you should mention that. I just got a bounced email with my address on it. It was sent from South Korea, OXLED.COM going through HANANET to be exact. I can easily imagine the same happening from China with kiddyporn, copyright violation offers, or general fraud.

      The way the US legislature has been writing laws, it's also easy to imagine a bill being passed that would land me in jail until I prove my innocence or the SC shoots it down eight to ten years later.

      So, while I think spam is bad, I don't think the US Congress is capable of making a law that wouldn't screw over the innocent while restricting the guilty.

    • I'm getting ready for a deluge to my new address on a DSL line.

      Of course, my advantage is location: my state has a valid anti-spam law and I'm going to take full advantage of it.. of anyplace that I can trace. (Everywhere else, I'll just block.)
  • Spam police? (Score:4, Insightful)

    by WeirdKid ( 260577 ) on Friday September 20, 2002 @03:38PM (#4299332)
    They can pass all the laws they want, but who's going to enforce them? It's illegal to send unsolicited faxes too, but my eFax number gets swamped by them daily.
    • by Kenja ( 541830 ) on Friday September 20, 2002 @03:47PM (#4299387)
      Who's going to enforce them? I will, along with my rag tag team of freedom fighters.

      cue the a-team theme song.

      • Who's going to enforce them? I will, along with my rag tag team of freedom fighters.

        Hmm, freedom fighters enforcing laws. That common in your neighbourhood???

        • freedom fighters enforcing laws.

          That's all the A-Team did. They just enforced the laws by shooting at a lot of people with fully automatic weapons (they never actually hit anyone).

          Funny, the A-Team would be considered terrorists now.
    • Here is a solution to the problem... Send this guy after the spammers.

      Problem solved.

      ---

      BayTsp (BAYTSP-DOM)
      3150 almaden Expressway #234
      San Jose
      CA,95118
      US
      Domain Name: BAYTSP.COM
      Administrative Contact, Technical Contact:
      Ishikawa, Mark M (MI70) marki@BAYTSP.COM
      Ishikawa,Mark
      PO Box 1314
      Los Gatos, CA 95031-1314
      US
      408-399-0600 408-979-7969
    • I thought we had killed
      spam dead by using haiku
      I guess I was wrong
  • "he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."

    I doubt it...
  • I would like to see more initiatives in self-moderation [slashdot.org] in the internet. Any suggestions? I'd rather hear /.ers instead of the courts on this.
  • by SquadBoy ( 167263 ) on Friday September 20, 2002 @03:47PM (#4299384) Homepage Journal
    to block spam. But I think we are going to have to "go nuclear" if we ever want to win this war. What I mean by that is we are going to have to start blacklisting *anyone* who runs an open relay and I don't just mean mail I mean everything. Cut them off from the rest of the world. Only at that point will people get off their butts and solve the problem. That at least is what I think. No more playing around time to bring out the big guns.
    • I think that blacklisting anyone running an open relay or knowingly hosting spammers is a great idea. Unfortunately, there are people who don't quite understand why spam is a bad thing and they will bitch and whine when their e-mails come through. They will file lawsuits and clueless judges who should be pulled from the bench and shot will rule in their favour.

      Personally, I'm in favour of having spammers publically tortured to death. I think that such a penalty (a legally enforced one, not a vigilante act) would really reduce the spam problem.
      • I guess I'm not quite tracking. How could someone sue me for putting a rule in my router/firewall saying to drop all traffic from their IP address? I mean what would their complaint be? If this were true they would be able to sue me when I walk off as they are talking and trust me if that was possible I would spend a lot of time in court. I just don't get your point. Please explain.
        • Simple. You're preventing their communication. Their claim has no merit in law, but that won't stop some idiot judges from ruling in their favor.
        • I think what he's saying is some people don't understand that stuff they've specifically OPTED IN FOR (and I don't mean by a 3rd party without their request, such as happened to me) and will see this as spam, get pissy, and sue.

          Alternately, we need to be able to FORCE companies that we've signed up for and then requested to opt-out to be held accountable. At one point, I signed up for messages from the NRA. I later decided I didn't want them any more and opted-out. I continued to get junk from them (despite the fact that their server swore my address wasn't in their database) until I threatened to introduce them to the RBL. Amazingly, I got a response from an actual PERSON saying that my address was deleted.
      • Personally, I'm in favour of having spammers publically tortured to death. I think that such a penalty (a legally enforced one, not a vigilante act) would really reduce the spam problem.

        Oh please. It's fucking email. Most of the people on the planet don't even have email, so consider your whiny ass very privileged just to have a computer and Net access.

        It's extra email. That's all. Nobody raped your mother. Nobody shot your sister. It's email. I find it really hard to believe that the extra second it takes you daily to nuke your spam is really *that* critical. Get over yourself. The extra second you have to spend deleting spam that you could instead spend playing whatever video game you play is really not that valuable. I could say that you should be publically tortured and executed because you wasted a minute of my time by posting such drivel.
        • > It's extra email. That's all. Nobody raped your mother. Nobody shot your sister.

          Hmph. That's not what my latest spam claimed to be selling pictures of.

          > It's email. I find really hard to believe that the extra second it takes you daily to nuke your spam is really *that* critical. Get over yourself.

          Tell you what. Your mailbox, your rules. You just hit delete.

          My mailbox, my rules. SPEWS rocks, and I blocks. Fuck ELI.NET for harboring Freeyankee/qves.com.

          > I could say that you should be publically tortured and executed because you wasted a minute of my time by posting such drivel.

          And I'd defend your right to say it -- but say it with your dime. Not mine.

          And as long as I'm exercising my First Amendment rights, fuck ELI.NET sideways with a wire brush. Fuck 'em crosswise with a wire brush. And don't even get me started on what I'd like to see done with Chinanet.

        • Does that mean that I can come over and spraypaint advertisements on your car? It's only chrome (or plastic, if you drive a Saturn).
        • My dad has his email on a website, and he gets about 40 spam messages a day. Since they do anything to disguise the nature of their spam, sometimes he loses email that he meant to keep.

          This is his business email address. He has lost *important* messages. He is not a technical person. This should not require expert intervention.

          And clearly, grandparent poster was kidding. A hefty fine for bulk violators would be completely fair. Spam does real damage.
      • Personally, I'm in favor of having you publically tortured to death. I think that such a penalty would really reduce the problem of sadistic idiots in this world.
    • by Anonymous Coward
      George Bush (jr) has shown the way - preemptive strikes against our enemies! If anyone shows signs of going over to the spammers, well hell, we'll just have to go over there and pound the shit outta 'em!
    • I like your idea of going nuclear, though I like to use a different meaning of the word.

      nu*cle*ar adj.

      1. Biology. Of, relating to, or forming a nucleus: a nuclear membrane.
      2. Physics. Of or relating to atomic nuclei: a nuclear chain reaction.
      3. Using or derived from the energy of atomic nuclei: nuclear power.
      4. Of, using, or possessing atomic or hydrogen bombs: nuclear war; nuclear nations.

      Yes, we all know that spam is a huge problem and that it seems to be getting worse and not better. Your use of the word nuclear seems to suggest the use of a large scale attack, like that of a large bomb. But, if you look at the second definition listed you see that it pertains to the atomic nuclei, a very small thing indeed. If we combine the two aspects of the word Nuclear, (large and small) we have a strong weapon against the evil of spam. Just how do we do it though?
      • Q: If we combine the two aspects of the word Nuclear, (large and small) we have a strong weapon against the evil of spam. Just how do we do it though?

        A: Liberally

      • Interesting concept. Well, in the big sense, which was the way I was using it, we simply block all traffic from any known offender. A simple ACL in a router or rule in any "good" firewall can easily accomplish this. If enough people do it soon they will find themselves unable to go anywhere or do anything on the Internet. ISPs will start losing money and get *very* upset and people will start taking care of their security problems.

        On the small and/or internal building blocks side of the house. I have to agree with the other post that SMTP needs to be scrapped and we need to implement something new that makes this kind of abuse much harder. Now I'm just a network guy so while I understand the first part I'm not so up on the second part but I would like to hear from those who do know.
        • SMTP is fine. There is no way around the fact that if you have an email address that anyone can send mail to, spammers will send mail to it any way they can.

          I don't see what changing SMTP will solve. I also don't see any flaws in SMTP that suggest it needs to be replaced.
      • Use this [paulgraham.com]. But on a large scale. Perhaps by convincing ISP's to install Bayesian filters on their mail relays? The spam gets silently dropped, and the good mail goes through. No need for the kind of sabre-rattling and politics that accompanies a blacklist plan.
  • What law does the Internet really need?
    I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment.


    My man! Somebody nominate this guy for something. Like a legislature. Or the bench.
    • Well, we really only need three laws that can be applied to any situation or environment:

      (If I may paraphrase Asimov...)

      1) A human being may not injure a human being.

      2) A human being must protect its own existence as long as such protection does not conflict with the First Law.

      3) Stay the fuck out of my yard.
  • by Boss, Pointy Haired ( 537010 ) on Friday September 20, 2002 @03:54PM (#4299419)
    for unauthorised use of my computing resources.

    SPECIAL OFFER THIS MONTH ON DLL REPLACEMENT

    DLL Replacement $2.00 / month (** NORMALLY $3.00 **)

    Registry Entry in /SOFTWARE/Microsoft/Windows/CurrentVersion/Run $5.00 / month*

    Unrequested Email $5.00 / email
    (additional "do you think I was born yesterday" penalty if the email contains the words "This is not spam.")

    Application "Phone Home" Internet Access $0.50 / KB

  • When email was first designed it was a very open system with no real rules. What worked was good enough. The smtp protocol needs to be rewritten into something more advanced (amtp?) in order to prevent spam at the lowest (technological) level. If you can't send spam you can't receive spam. It would all just disappear...
    • by silentbozo ( 542534 ) on Friday September 20, 2002 @04:12PM (#4299532) Journal
      Ahh, but what exactly IS spam? Is it a mass mailing? Is it unauthorized use of server resources (spam and run)? Or is it UCE?

      There are legit uses for mass mailings (ie, mailing lists.) Spam and run only works with the clueless who persist in running unsecured mail relays. And UCE is a subjective measure (no matter how good your adaptive filters are), and to restrict the ability to mail based on content is a dangerous step.

      The most dangerous spammers today are not the whack-a-mole spammers that keep changing dialups, who relay-rape and advertise sites in Russia and China (whose admins could care less.) The most dangerous spammers are the big commercial outfits who sideline as legit operations, and who carry advertising from the likes of Amazon and AOL and run their own ISP feeds. These guys are hard to kill because they're semi-legit (ie, they tend to carry "legitimate" traffic), even though they're clearly spammers of the worst stripe.

      The only way to deal with these guys is to blackhole whole IP blocks. For the whack-a-molers, you blackhole open-relays and known dialups. For everything else, use adaptive filters on the receiving end. If you're a server admin, restrict sending to known clients only, from a restricted list of IPs. I don't think there are a lot of mods you can make to SMTP that haven't been made already to fight spam - maybe standardizing the tarpitting of dictionary attacks (where the spammer tries to ferret out working e-mails by attempting bogus mailing connection attempts.) The tools are there. The key is to make sure everyone uses them.
    • I fail to see how a new protocol would help. What do you want to change?

      You want to ask the remote system to calculate something? This gives advantage to spammers who own (or rather 0wn) beowulf clusters.

      You want a trust relationship between servers? Spam blocklists essentially do it without any changes. If the remote server is in the block list and I trust the list, I drop the connection. No changes in SMTP.

      You want to know who connects to you? You already have the IP address, and it's possible to require reverse DNS without SMTP changes. Any password authentication would involve a "big brother".

      You want to charge the sender? That essentially boils down to the problem of trust, and can be done without SMTP changes, unless you want the servers to negotiate the price.

      • No, why don't people just read the link? Nothing is calculated, nothing is forgeable, nothing is brute forceable.

        Unknown email correspondents are asked to enter a series of numbers and letters that are sent to them in an image format.

        Everybody on the internet today can now handle images.

        You wanna brute force it? Can't. It changes with every bad attempt ; and we're working with it right now. over 500 registered, happy users. The concept is simple and it makes a million times more sense than all these posts on using SSL to a trusted server on a trusted network... blah blah blah.... that ain't gonna happen, and if it did it would be a nightmare.

        • Everybody on the internet today can now handle images.

          Yeah, except those pesky blind people. (And yes, I know several people who are blind and use the internet via screen readers.)
          • I apologise, actually I was referring to the ability for monitors to display images and connect with enough bandwidth for images not to pose a problem.

            In actuality, the issue of the blind using our technology came up almost in the beginning and I am personally a big advocate of making computing more accessible to the handicapped. My company has been trying to acquire or at least make use of the same technology used by the blind to find another solution ; such as characters with 'noise' added if that's at all possible.

            E.g. on a grid with characters only it is not, but with a grid of pins it very well may be. The answer may also lie in additional, but simple technology for the blind. Considering the relative importance of Email and the possibilities of such a system eliminating a very real problem - additional technology for the blind may be a small price to pay - and a price that could be paid by companies or the government.

            I know we would be happy to provide a low-cost device to any visually impaired person using our software, and of course similar access would have to be granted by other companies such as ISP's etc. The visually impaired make up a small enough percentage of the population that it is feasible to provide additional technology at corporate cost.

            Thank you for reminding me,

            --Ace905
            • Before I begin, I realize that some of my comments below may come off as flamebait, but that really isn't my intention - so if you take offense to what I'm saying here, I apologize in advance.

              actually I was referring to the ability for monitors to display images and connect with enough bandwidth for images not to pose a problem

              OK, all of my servers are headless - no monitor, no video card. They are all admin'ed either via remote (text-only) console, or serial console (often a modem - in some cases the speed is as low as 14.4kbps, as that's all the telephone lines in remote parts of the Arctic will support). I frequently connect from home (or elsewhere) to do admin tasks when needed, and these admin tasks frequently involve sending and receiving email. If I was forced to view images to use email, how exactly would I do that?

              Considering the relative importance of Email and the possibilities of such a system eliminating a very real problem - additional technology for the blind may be a small price to pay - and a price that could be paid by companies or the government.

              This sounds like you're more of a marketroid than a techie.. You're talking about replacing a solid, stable, mature standard with (what sounds like) a haphazard mish-mash of technology, that would require some users to purchase additional technology to do what they can already do with their existing devices.

              I know we would be happy to provide a low-cost device to any visually impaired person using our software

              Any SMTP-replacement that would require additional hardware for anyone sounds like a bad idea. Imagine if Tim Berners-Lee decided that blind people had to have a special device to allow them to surf the web? Or Gopher, or FTP? All of a sudden, your average blind person would have to go out and buy a new device each time a new protocol was developed.

              I think what you're missing is that blind access isn't a single obstacle to overcome, but rather a prominent symptom that your entire approach is fundamentally flawed. Email is primarily a text medium - just like snail-mail, the primary use of person-to-person email is text (look at IM - again, primarily used to send text back and forth.) It's like this for a reason - text is important. It's simple, easy to make, and easy to understand. Most computers have the ability to play and record sound - it's trivial to make a spoken message and send that as an attachment, but (almost?) nobody does it. Why? Because text is easier.

              To paraphrase Henry Spencer, "Those who do not understand internet protocols are condemned to reinvent them, poorly."
        • Hmm... If this became standard, I wonder how long it would take for a spammer to make a system that would OCR the image and respond appropriately.

          My guess is that the only reason it is working now is that it is uncommon/non-standard. The great advantage of standardization is its downfall in this case; standardization enables machine-comprehension.
        • The link doesn't say anything about replacing SMTP with another protocol.

          If my ex-girlfriend (who hasn't written me e-mails for years) writes me one day that she has divorced, I sure as hell don't want any frigging robot to check her intelligence!

        • "Everybody on the internet today can now handle images."

          Um... No. A good idea, but one that relies on faulty thinking - the same kind of thinking that assumes that everyone will have flash installed, javascript enabled, and is running Internet Explorer on a Windows PC.

          As much as I'd like to enhance SMTP to deny spammers, I can do without this "solution".

    • When email was first designed it was a very open system with no real rules. What worked was good enough. The smtp protocol needs to be rewritten into something more advanced (amtp?) in order to prevent spam at the lowest (technological) level.


      Just out of curiosity: what features would you require in your newly envisioned "amtp", that smtp of today is lacking? The basic requirement for me is to have an address, to which anyone can send mail. That, as others have said, leaves me open to receiving spam. How would "amtp" improve on this?

  • by Anonymous Coward
    There was an interesting article yesterday on the BBC [bbc.co.uk] News [bbc.co.uk] website concerning new spam prevention policies by that entity we all love, Hotmail... Here's the story [bbc.co.uk].

    Of more interest to me was the fact that the EU too has plans to legislate against spammers... I wonder whether these will prove to have any effectiveness whatsoever... I can't help but feel that technology will help separate more unsolicited email than legislation...

  • Could law legislate the need for utilities like Spam Interceptor [si20.com]?
  • by ancarett ( 221103 )
    Sure, spam's awful, but I find Sorkin's Don't Link [dontlink.com] cause (promoting the right to link on the net) fascinating. It was discussed here at slashdot [slashdot.org] last month.

    All of this has a lot of common ground with Lawrence Lessig, who was the subject of a Wired article [wired.com] also discussed here [slashdot.org]. Good to see some law professors pursuing freedom on the internet.

    If you're interested in following intellectual property arguments in more detail I recommend Negativland's IP page [negativland.com] as a great starting point.
  • "Chain of trust" (Score:3, Interesting)

    by wowbagger ( 69688 ) on Friday September 20, 2002 @04:17PM (#4299562) Homepage Journal
    The problem with email is there is no way to verify that what you are reading really came from BillyBob@foo.com - it could have been forged at any step of the way.

    What we need is the idea of a "trusted server":

    1) A trusted server only accepts mail from sources it can trust:
    1a) Users - users are trusted because their mail is sent via SSL, and signed with a private key the user has (with the mail server having the public key).
    1b) Other mail servers: they are trusted because they sign all mail they send with their private key. The public key is available via something like a DNS TXT record for that IP.
    2) The message is signed by each mail server it moves through. Thus, at any step, you can verify the mail by checking each level by getting the public key for the sender and computing an MD5 hash. If it doesn't check, then you know:
    2a) The message was bogus at that point,
    2b) The mail server that accepted it didn't verify the message, so
    2c) That mail server can no longer be trusted.

    Now, all that does is make sure that that ad for "Viagra for Goats!" originated with Ralsky@spammers.net - of itself it does not solve the problem. However, I can tell my mail server that anything coming through spammers.net is to be rejected out of hand. Also, if some chickboner sends me a spam, I know exactly where it came from and can raise hell with his ISP (and if they don't solve the problem to my satisfaction, they get blocked too.)

    This is the problem with blocklists now - you can blocklist the mainsleaze spammers, but the chickboners and the relay rapers will still crapflood you worse than reading at -1.

    (note: support for old clients can be supplied either by a proxy program on the client's PC, or by using a RADIUS lookup to verify that the person the mail is purportedly from matches the person authenticated on that IP.)
    • Re:"Chain of trust" (Score:3, Informative)

      by infiniti99 ( 219973 )
      TMDA [sf.net] is an anti-spam program that basically does this using the current email system. Unrecognized sending addresses are given a confirmation request email, to which they must reply in order for the message to continue delivery (sorta like a mailinglist signup). This prevents the spoofing problem, which is probably enough to solve all of SPAM, since an essential part of SPAM effectiveness is the ability to hide the origin.

      It is a shame that this "dialback" approach isn't standard in the protocol (like it is in Jabber), because now we either have to change the protocol or graft something on top of it (TMDA). I run TMDA at my server, and it works well. I get no SPAM (that's 'zero', baby), but it causes an extra inconvenience to first-time senders, which could otherwise easily be automated with a better email protocol.
      • But as soon as you finish typing the RFC with the better e-mail protocol including your verification step, some spammer (or better yet, a well-intentioned open source author who doesn't want to be bothered by the extra step) will write an automatic responder, which the spammer will have running in no time. It won't afford any more information than the existing "Received:" lines at the tops of messages. Unfortunately, the only way for that scheme to work is for it to be non-standard.
  • by Ace905 ( 163071 ) on Friday September 20, 2002 @04:20PM (#4299578) Homepage
    " Which approach do you think produces the better results?
    I happen to think the best approach is a balance somewhere in the middle, but as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation.
    "
    --

    Even the left wing are getting scared because of unfair business practices. The real answer is in re-writing the Email protocol. It is simply too lax on security and too simple to accommodate today's needs and provide the level of 'security' people want with the Internet.

    I propose that a working group be formed to incorporate the same type of Authentication we know works with email - and piggy back that authentication on an open platform like RFC 822's Email Protocol until it can be implemented as a required medium.

    Any interested contributors to this working group should email us at inquiries@solidblue.biz [mailto]. SolidBlue [solidblue.biz] is a leader in networked communications and protocol development.

    --Ace905
    • Any interested contributors to this working group should email us at inquiries@solidblue.biz [mailto]. SolidBlue [solidblue.biz] is a leader in networked communications and protocol development

      As long as you're promoting your business here, can you say if these "interested contributors" are going to be able to persuade you that your current ideas [slashdot.org] aren't very well thought out; that is, are you looking for serious input, or do you just want to have someone rubber-stamp your existing ideas?

      I propose that a working group be formed to incorporate the same type of Authentication we know works with email

      If you're serious about it, why don't you go to IETF?
      • As you can see I've responded to every critic you linked to, and while I'm not looking for a rubber stamp - I simply don't agree with them (as you can see from my replies).

        We are going to the IETF, what we're looking for is a working group beforehand to submit ideas and not just 'rubber stamp' our own - so that we can come up with a reasonable, informed, justifiable reason for the IETF to grant us a working group.

    • I propose that a working group be formed to incorporate the same type of Authentication we know works with email

      And what would that be?

      As long as anyone can send anyone else email, there is nothing to be gained from redesigning the email protocols, and using legislation to force a solution on people. Authentication will require a central authority that one would have to beseech before running a mail server.

      until it can be implemented as a required medium.

      Yeah, I'm sure everyone wants a central authority that controls all email. It's bad enough what happened with DNS, now you want email to be at the whim of Verisign too?

      SolidBlue is a leader in networked communications and protocol development.

      Your message reads like a press release. I can't believe that this spam got modded up in a story about spam. Ironic.
  • by asscroft ( 610290 ) on Friday September 20, 2002 @04:22PM (#4299584)
    This guy is pretty smart and has a good grasp on things.

    here are some gems.

    "In the United States, one of the most important criteria used to evaluate any proposed restriction on the collection and use of personal information by businesses is the effect that it will have on industry. In Europe that's at most secondary to the individual and societal rights that are affected. " ..."as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation. "

    How about grading the legislators as well? [he had said earlier that the courts do a good job of learning about technology when interpreting laws that govern its use]

    Unfortunately, I don't think that many legislatures have been anywhere near as scrupulous in learning about technology before trying to make laws to govern it. Take a look at all of the different state spam laws to see what I mean. Only one state has a law that is anywhere near consistent with the practices commonly followed on the Internet--Delaware, where it is a crime to send unsolicited bulk commercial e-mail. The other state spam laws don't focus on the central technical problem with spam, but instead deal with the symptoms, like forging message headers or failing to honor opt-out requests, or with completely different issues, like pornography and other content-related issues. "

    What about deep linking?
    "What about it? I guess I don't understand why everyone is so concerned about it. It's an inherent part of the Web, in the same way that nouns and verbs are essential parts of speech. If you don't want people linking to or accessing certain content on your Web site, you can implement whatever rules you want to in the design or configuration of your site. But if you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion. "

    "I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment. "

    I'm glad to see a lawyer on our side for a change. Makes me want to move to Europe though.
  • A thought... (Score:2, Interesting)

    by Kickstart70 ( 531316 )
    I'd like it if we all paid $0.01 per email sent (worldwide). The money could be used for internet hardware and research as well as giving ISPs a much needed boost in revenues with a percentage. The average user would pay less than $1 per month. Spammers however would be shut down quickly. SMTP relays could monitor emails passing through to make sure the charges were accurate. Hotmail and other free email providers would start charging customers, which would require billing info, making spammers using 'free' services trackable.

    A pipe dream, unfortunately. Though I think any intelligent techie would be up for this.

    Kickstart
    • I agree but I had heard of $.10 per and the first 1000 per month, per user free. But as an admin, I would dread what this would require. It would end the spam no doubt but this would require other countries to get in on the plan and we all know that a few Asian countries cough*korea*cough would ignore the fees and keep them open relays a-humming. For now, "relays.ordb.org, spamhaus.relays.osirusoft.com, dun.dnsrbl.net, spam.dnsrbl.net, bl.spamcop.net, dnsbl.njabl.org" are doing the fighting for me.
    • Unfortunately, this would require billing in advance. How would an ISP determine in advance how many emails will be sent if they don't know who is a spammer? Do you want a bill for $100,000.00 up front just in case you might be a spammer?

      The only way I can see this working is with a system that has a pre-established deposit amount and a way of cutting off service if that amount hits $0.00. Sadly I am sure spammers will find a way to hack this or piggy-back on some business account.
    • Of course... but then the spammers would just start their own ISPs.

      "But," you say, "the ISP upstream of the spam ISP would charge them the $.01 per e-mail."

      If this were the pricing structure, you (a normal user) might wind up paying $.05, one cent to your ISP, one to the upstream provider, etc.

    • Didn't I read this idea in a magazine somewhere?
  • by gad_zuki! ( 70830 ) on Friday September 20, 2002 @04:32PM (#4299685)
    Sorkin: Of course it doesn't make sense to regulate a relatively borderless environment with laws that vary according to geography.

    The internet has borders and vulnerable spots - they're called ISPs. A federal law fining open relays would be a good start. ISPs can attach the fine, and even a profit attached to it, onto their TOS when they or the government catch Joe DSL or Generic Company T1 with an open relay. The ISPs would have more of an incentive to attack the problem of open relays. Fining the ISP per email sent by a registered user running their own SMTP engine or the ISP's mail server would take care of those paying for one month's service to send out gigabytes of mail.

    A simple 'ADV' in the subject line for filters to find would take care of the first amendment issue. Advertising is not protected speech, it's been ruled again and again that it can be legally limited.

    That would more or less take care of American spam. The anti-legislation crowd can cry 'but they will go overseas' all day long, but certainly cannot prove that they will ALL go overseas. Not to mention if this works, other internet heavy countries might take notice and try the same thing. Less spam is better than more spam, especially now that dummy-proof spam software and mailing lists can freely be downloaded via kazaa.

    The downside is that your ISP would need your credit card info if you were to get an email account with them in case they do get fined, but chances are they have that information already and is it such a terrible price to pay for spam free mail?

    Imagine ISPs encouraging stronger passwords, email limits (500 emails a month - want more then ask and tell why), shutting down open relays, and blocking port 25 to customers not authorized to run a mail server. Horrible I know.
    • That would more or less take care of American spam...

      But unfortunately, it would have little effect on the spam you get in America. As you noted, most spam is sent through open relays. From my experience, most of these are found in Asia. Why not America? Heh. I don't know. So, even if the spammers are in America, one spoofed IP address and an Asia helper and they're free...


    • A simple 'ADV' in the subject line for filters to find would take care of the first amendment issue.

      There IS no first amendment issue. Regardless of how much spammers whine that they have the right to send their stuff, it's just plain BS.

      The "first amendment" issue is a red herring thrown up by spammers to throw the lawmakers off the trail of the real problems.

      The first amendment guarantees the right to speak, it does NOT guarantee the right to be heard, nor does it guarantee the right to force people to pay to listen to you.

      Spam is theft. Because I pay for bandwidth, I am forced to pay for spam I receive, even if I don't want it. It doesn't matter if I can filter it based on something in the message - I've got to receive it before I can filter it, and by then I've already paid for it.

      To quote Saturday the 14th, it's like bolting the barn door after the horses have eaten your children.
    • Here's the problem:
      Spammers don't care about rules.

      Some of them will put ADV in the subject header. Others will ignore it and claim that they don't have to, citing 'free speech' (and even if it doesn't apply, that does not stop them from whining to anyone who will listen about it). Others will move overseas. None of this will solve the problem wherein the ISP is already footing the bill by allowing the advertisement into their system, thus letting it eat up bandwidth.

      Spammers are, without exception, lying criminal scum and most of them are also exceptionally stupid. There is no reason to write pussy laws that effectively legitimize spam if it is done in some 'approved' fashion. The answer lies in making the act itself illegal. The big problem is less about your inbox and more about their actions driving up the cost of doing business for ISPs who would be quite happy never to see that crap cross into their netspace again.
    • But ISPs could make it part of their Terms of Service that they periodically do unannounced scans of port 25 of their customers' IPs. Anything that answers is given an automated open relay test. If it proves not to be an open relay, fine, it's left alone. If it is an open relay, an operator is notified and handles the problem. An equally effective and much less restrictive solution to that problem.

  • by MAXOMENOS ( 9802 ) <mike&mikesmithfororegon,com> on Friday September 20, 2002 @04:34PM (#4299703) Homepage
    Some info on John Marshall Law School [jmls.edu] (disclaimer: I have family members who work there)

    John Marshall is basically well known for two things: Trial Advocacy [jmls.edu] and Computer Law [jmls.edu]. I think they have one of the first programs dedicated to computers and the law in the country. They have a computer law journal [jmls.edu] and recently hosted the American Bar Association's first conference on computer crime [cybercrimeconference.org]. They also host the American Bar Association Mock Trial Competition [abacrimtrial.com] every year.

    It's really a relatively small school without the cutthroat competition of places like Harvard or Stanford. On the one hand, this means you'll have a better chance to pick apart the law. On the other hand, it doesn't have the Harvard or Stanford name.

    I'm not a lawyer (ironically) and so I don't know what John Marshall's reputation is in the legal world. The ABA seems to like it.

    Hope this helps.

  • by aengblom ( 123492 ) on Friday September 20, 2002 @04:44PM (#4299775) Homepage
    I'll bet if we called them terrorists things would get a lot easier. ;-)
  • by dtabraha ( 557054 ) on Friday September 20, 2002 @04:46PM (#4299798) Homepage Journal
    I might be a little off the subject, but I think the issue is less the fact that you get spammed, and more the fact that your email address is sold over and over and over again, just because you were dumb enough to fill it out on your credit card application. Even if you signed up for an internet site and didn't check any "spam me" boxes they can still sell your contact info to other businesses. Just read the fine print on their sites.

    An Actual Privacy Policy:
    "However, without your consent, we do not make your, or your gift or message recipient's email addresses available to third parties (except for subsidiaries, subcontractors or agents acting on our behalf in compliance with this Privacy Policy)or any Successor (see below) to our business."

    Wait... what was that about except for subsidiaries, and who?

    The same thing happens with your phone number and your home address.
    You get spammed with email, spammed with phone calls, spammed with faxes, and spammed in your mailbox.

    I think a better solution to the problem is to make it illegal to sell people's contact information for the purpose of making money.
    Not "If you check here" or "If you agree to these terms", not for any reason.

    When you give your contact information to a business, you are giving it to them with the trust that they will use that information only to contact you if necessary. I can guarantee you that 0% of the people that sign up for a service are actually glad that their contact information is sold or traded so that they can get phone calls about low home equity loan rates.

    At least from a legal perspective it would be easier to enforce. If you determined that a corporation or a business was selling people's contact information, just notify the authorities and have Uncle Sam come down on their ass. If they're actually getting paid for it they can't correctly report it on their taxes, and we know how much the government gets pissed off when they find out you've been hiding money from them.

    The extreme alternative is to become so paranoid about your personal information that you won't give it out to anyone for any reason! Imagine buying a house and telling the bank financing your loan that you can't give them your phone number or home address because you know they're going to sell that information to a third party. Either that or you want royalties from them every time they make money from selling your information.

    Hey, now we're talking about information ownership, right?
    That sounds like intellectual property, kinda like music, right?
    That means we can get it covered under the DMCA, right? Right??

    Yeah... RIIIGHT.

  • Dude, by now what I'm doing is having spamprobe [sourceforge.net] filtering all my e-mail using Paul Graham's much mentioned bayesian techniques. There's even a way to have spamassassin cooperate with spamprobe, making a filter that I guess will be all but impenetrable for those pesky spams.

    Someone pointed out that, by the point my filters get to "read" and categorize e-mail, the spammer's already used up my bandwidth and storage space. I don't care too much, as long as I don't have to see the spam myself. Also, this makes spammer's life a little harder. Maybe if we all had some sort of spam filter the spammers would realize they're not even getting that 0.1% response rate they want and finally go away or die. Cuz man, they can make all the laws they want, but someone will always break them. You don't leave your house's door open hoping the mere existence of laws will prevent people from coming in and stealing your stuff!
  • We already have anti-spam laws, heck, we could modify 47USC227 for prohibition of spam, but it doesn't do anything unless the laws are actually enforced. Let's try enforcing a few first and see how it goes.
  • by Archfeld ( 6757 )
    and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."

    Errr could that be because the average legislator is a MORON and has his/or her head jammed up a contributing sponsor's colon ? Has the US government EVER successfully regulated, or EVEN DE-REGULATED an industry ? Trucking went to hell, the Phone/Cable companies have been screwing the public for years now under government de-regulation. We ALL know how well the government has been regulating and monitoring the Airlines....
  • Our fault (Score:3, Insightful)

    by captaineo ( 87164 ) on Friday September 20, 2002 @09:32PM (#4301284)
    I think we, the Internet technical community, have to face up to the fact that we fucked up. We committed ourselves to an email system (SMTP) that is extremely vulnerable to abuse and exploitation.

    Of course we didn't intend to do this. Microsoft probably didn't intend the scripting "features" of Outlook to be exploited by virii either.

    This is a technical problem in need of a technical solution. Laws will have no effect (spammers just move out of the jurisdiction). Smarter spam filters are a good band-aid, but they only mask the problem.

    There are plenty of possibilities for building a spam-proof email infrastructure - charging money to receive an email from an unknown sender, forcing senders to perform some expensive action for each recipient, etc. Some of these ideas probably won't work, but some will.

    The biggest problem will be encouraging wide-spread adoption of the best solution. It can't just be geeks in the open-source community; we really need the likes of Microsoft, Apple, and co. to push this technology to the masses. (cf the failed adoption of email encryption)
