Tuesday, October 14, 2003
Posted by: Mark Gilfand
Spamcop reports that it processes half a million spams daily for its spam source database. This comes from a combination of customer accounts, spam traps scattered around the Internet, and spam reported by non-customer volunteers (such as me). A recent Spamcop "spam in progress" study showed that the 11 top spam sources in the world, and 14 of the top 15, were mainland Chinese servers. At other times, the top sources have been in Taiwan or Korea. In the 30-minute period before I wrote this paragraph (Sunday, June 15, around 2100 MDT), Spamcop identified 68 spam sources. A quick glance at its statistical analysis shows that at least half of those sources were foreign, and many of the others were apparently DSL customers with security holes in their home machines, merrily spamming away. This is why I look with some skepticism at the legislative proposals currently in front of the United States Congress.
There are nine pieces of spam-related legislation introduced in the Congress currently. As I write this, S877 is moving in the Senate. Writing about legislation while a legislative body is in session and considering them is akin to shooting at a moving target. Because of this, the AITP legislative committee will provide a link on its web site that will contain current information on the various spam bills, updated as new information comes in.
Bills with an HR designation were introduced in the House, while those with an S were first introduced in the Senate.
- REDUCE Spam Act of 2003 [H.R.1933]
- CAN-SPAM Act of 2003 [S.877]
- Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003 [S.1052]
- Wireless Telephone Spam Protection Act [H.R.122]
- SPAM Act [S.1231]
- Reduction in Distribution of Spam Act of 2003 [H.R.2214]
- Anti-Spam Act of 2003 [H.R.2515]
- Computer Owners' Bill of Rights [S.563]
- Criminal Spam Act of 2003 [S.1293]
S877, if complied with by spammers, will put SPEWS out of business, because there is a prohibition in 5(b) on sending spam to harvested addresses. Since all spammers are such fine, upstanding ethical business people who would never dream of doing anything contrary to law, and therefore won't ever again mail to the harvested spamtraps used by SPEWS to detect spam, this would make the SPEWS business model non-functional.
One provision of S877 is a global 'do not spam' list, which regrettably has some serious causes for concern. Ignore the problem that much spam is currently being routed through foreign servers, frequently servers in China. The bill requires would-be spammers to wash their lists against the database. However, there is no provision currently to ensure that the addresses on the database will remain secure. Some have proposed that a hashing algorithm be used to accomplish that security, and that may yet make it into the bill, but until it does many are understandably leery of presenting spammers with a large list of verified addresses.
Another problem with the bill as originally written is that addresses are placed on the list one at a time, with no provision for domain-wide listing. When an individual or business creates a new domain, there is the option of receiving mail in a default mailbox when a particular address has not been assigned to a specific person. This gives us the opportunity to catch email to "bad" addresses rather than bouncing it. Those addresses are still valid, and should still be addable to the list if the domain owner so chooses. Any email address can include up to 255 lower case letters, upper case letters, numbers, Unicode and special characters. The number of possible combinations of characters in the user addresses for just one domain means that the FTC would be spending more money on storage next year than the total projected $1.3 trillion in revenue that the federal government expects to bring in. If someone decides to add a second domain to the list in a similar fashion, we'll be bankrupt. The only solution to this problem is to provide for domain-wide listing. Failing that, investing in the common stock of DASD vendors such as EMC would seem to be indicated. Even the direct marketers, who in general favor this bill, see the problems inherent in this list.
AITP has in the past endorsed legislation that is similar in design to the Bowen bill in California (discussed below). It seems far easier for marketers to develop lists of the limited number of people who actually want their communications, rather than developing much larger and more complex lists of those who do not. Unfortunately, the legislation currently introduced in either house of Congress does not meet that criterion.
The Computer Owners' Bill of Rights [S.563] is an interesting piece of legislation that will probably go nowhere. I included it in this legislative summary because it includes a provision for a "do not spam" list similar to the one found in S877. However, its main thrust is aimed at shoddy customer service. It requires software companies to stand behind and support their products, run help desks that actually help people, and act quickly to fix bugs and security holes. No hearings have been scheduled for it yet.
Something on the order of 30 states currently have laws on the books dealing with spam. In general, they require a valid opt-out procedure listed on the mail, a tag which is usually some variant of ADV: on the subject line, a bar on deceptive subject lines, and a prohibition on theft of resources from third parties. Technically, that is the use of open proxies or open relays in most cases. Most of them permit end users and ISPs to sue, usually in small claims courts, for anywhere from $10 to $500 per offense. Some of them permit State Attorneys General to go after spammers. With over half the states having enacted these laws already, spam is a rapidly decreasing problem, isn't it? A review of your state statutes, minus ones passed in the last few months, can be found at the Spamcon Foundation at http://law.spamcon.org/.
California, which already has one anti-spam law on the books, is currently considering legislation that goes a step further. In a bill that was heard in mid-June, State Senator Debra Bowen proposed that the state eliminate "opt-out" e-mail lists, instead forcing mailers to use an opt-in method. The bill also allows spam recipients to sue spammers. However, that bill failed, and was replaced by what Bowen charges is a weaker bill.
"It's against the law for advertisers to send you sales pitches that burn fax paper and toner or fill up your phone answering machine and voice mail, so why should advertisers be allowed to overwhelm your e-mail inbox with ads you didn't ask for and don't want?" Bowen asked.
According to a Washington Post article about the bill, Bowen charges that the bill died because of 11th hour arm twisting by Microsoft. "[T]heir focus has been on getting immunity for themselves and preserving their ability to strike deals to send spam," she said. Microsoft denied the charge, claiming that the substitute bill that the company supports is similar in all key areas. However, according to the Post, the final language of the substitute bill has not yet been drafted. Whether it will contain the opt-in language of Bowen's version remains to be seen.
Bowen is looking for ways to bring her bill back.
Missouri Attorney General Jay Nixon had similar complaints in his state, where he claims that Microsoft opposed his "do not spam" registry. Microsoft opposes "do not spam" registries, expressing security concerns. Microsoft argues that spam laws should aggressively target the purveyors of scams and pornography, who would ignore a no-spam registry anyway.
However, Nixon voiced a position similar to that of AITP, saying that spam is about consent, not content. His view is that a registry would permit consumers to tell all marketers not to send them spam.
The AITP Legislative Committee shares Microsoft's concerns about security, as well as objecting to the size of a database that would contain individual addresses. Microsoft's concerns, and ours, could be addressed by permitting domain level listing and creation of a hashing function to protect individual addresses. However, such a directory would still legitimize the opt-out model versus the opt-in model that we favor, and we feel that a directory of e-mail addresses of people who actually want to receive spam would be significantly smaller and less wasteful of storage space.
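The two fixes proposed above and in the discussion of S877 (hashing individual addresses so the published list is not a directory of verified mailboxes, and allowing whole domains to be listed) can be sketched in a few lines. This is an added illustration, not code from AITP, the FTC or any bill; the salt, function names and sample addresses are constructed.

```python
"""Illustration of a hashed, domain-aware 'do not spam' registry (added example).

The registry publishes only hashes of individual addresses plus a list of
whole domains; a mailer washes its own list locally by hashing each entry and
dropping matches. The salt, names and sample addresses are all constructed."""
import hashlib

PUBLIC_SALT = b"do-not-spam-registry-v1"  # constructed; published with the list


def normalize(address: str) -> str:
    """Canonicalise an address so registry and mailer hash the same bytes.
    Local parts are lower-cased for simplicity (strictly they may be case-sensitive)."""
    local, _, domain = address.strip().rpartition("@")
    if not local or "." not in domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local.lower()}@{domain.lower().rstrip('.')}"


def address_hash(address: str) -> str:
    """Salted SHA-256 of the normalised address; this, not the address, is published."""
    return hashlib.sha256(PUBLIC_SALT + normalize(address).encode()).hexdigest()


def build_registry(addresses, domains):
    """Registry side: hashes for individual opt-outs, plain names for
    domain-wide opt-outs (the default-mailbox case discussed above)."""
    return {
        "hashes": {address_hash(a) for a in addresses},
        "domains": {d.lower().rstrip(".") for d in domains},
    }


def is_listed(registry, address: str) -> bool:
    """A domain-wide entry covers every mailbox at that domain."""
    addr = normalize(address)
    if addr.rpartition("@")[2] in registry["domains"]:
        return True
    return address_hash(addr) in registry["hashes"]


def wash(registry, mailing_list):
    """Mailer side: keep only the addresses that may still be mailed."""
    return [a for a in mailing_list if not is_listed(registry, a)]


# Constructed sample data: one whole domain plus two individual addresses.
SAMPLE_REGISTRY = build_registry(
    ["alice@example.com", "Bob@Example.org"], ["example.net"])
```

A published hash list prevents casual reading of the addresses but not confirmation of ones a mailer already holds or can guess, which is the residual security concern; a design that keeps a secret key at the registry and hashes submitted lists there closes that gap at the cost of a query service.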
The All Party Parliamentary Internet Group (APIG) is holding a public inquiry into stemming the flow of bulk unsolicited email ("spam") to UK Internet users.
The inquiry will focus upon the following:
- The developing legislative situation (UK, EU, US and elsewhere)
- Technical methods that may prevent spam from reaching users
- Social methods that may prevent problems with spam
- Future trends in spam
- Spam's effect on other platforms (e.g. mobile phones and other devices)
The first step of the process was a July 1 summit meeting at Westminster. Invited participants included Spamhaus principal Steve Linford of London. There was a subsequent public meeting on July 3, and a concluding meeting on July 10. It is expected that the APIG will propose legislation as a result of this series of meetings. The legislation is expected to be closer to the preferred AITP model calling for confirmed opt-in, rather than the U.S. Congressional model which some fear will legitimize spam.
Australia's federal government is expected to submit legislation after the Parliament comes off winter break, probably following Europe's opt-in model rather than the opt-out model seemingly favored by the U.S. Congress. However, Messagecare reports that only 0.5% of all spam comes from Australian servers, meaning that this Australian law will have little effect on spam in Australia or worldwide. Their calculations are based on their evaluation of 10 million spams analyzed over two weeks. The same study showed that the US, mainland China, and Korea were the leading sources of spam worldwide, collectively responsible for originating 60% of all spam.
Messagecare's figures are based on where the mail servers are located. "There may be a user in some other country connecting to an open relay in the U.S., and that would count for the U.S.," Messagecare's CEO Andrew Kent said. This may indicate that Australia has done a better than average job of fixing security holes in its servers such as open relays and open proxies.
There have been a few proposals floated to put some sort of per-message charge on all e-mail, on the theory that the costs would destroy the business model that makes spam cost-effective. Hopefully, these proposals will go nowhere, since they will destroy e-mail as an effective communications medium while doing little or nothing to stop spam. For them to have any chance of working, they'll have to be collected fairly and accurately. That means that the open relays and open proxies now being abused by spammers would have to be closed. If they are closed, though, spammers will lose their primary medium for delivering their messages. We'll then be better able to identify and block their true points of origin and spam will end as a scourge, without the tax having contributed in any way to the solution.
Charles Oriez has an MS-CIS from the University of Denver and writes and speaks on e-mail issues in the Denver area.
Looking for more information on Spam? Check out the next two articles in this series, "Complaining About Spam 101" and "Spam in the Courtroom," which will be published in the November/December 2003 issue of Information Executive.