PrivacyLaws.us - Privacy. Data. Software. Security.

2005-03-08T12:32:00.000-05:00

First State File-Trading Conviction
Arizona gets involved in copyright law

For the first time, a State has convicted an individual for illegally downloading copyrighted material from the Internet, reports the Associated Press. Parvin Dhaliwal faces a three-month deferred jail sentence, three years of probation, 200 hours of community service and a $5,400 fine. Investigators claim he had "$50 million in music and movies" on his PC, and was selling the content to others.

2004-12-15T13:02:00.000-05:00

Sorry that things have been a bit quiet lately. That'll change shortly, and with the following we have a lot to digest:

Antispam law ruled unconstitutional

By Declan McCullagh
http://news.com.com/Antispam+law+ruled+unconstitutional/2100-1030_3-5491683.html

Story last modified Wed Dec 15 08:45:00 PST 2004

A Maryland judge has tossed out a lawsuit (ed. note - MaryCLE LLC v. First Choice Internet, Inc., No. 248514, PDF decision available here) against an alleged spammer, saying a state law restricting unsolicited e-mail is unconstitutional because it unfairly restricts interstate commerce.
Durke Thompson, a trial judge in Montgomery County, ruled that the Maryland law unduly discriminates against out-of-state commerce, a restriction that's generally prohibited by the U.S. Constitution.

Thompson dismissed a lawsuit that a Maryland business had brought against a New York firm, First Choice Internet, saying in a ruling on Thursday that the company and its president "did not intentionally direct their e-mails" to Maryland residents.

Read the entire story here.

2004-07-09T13:22:00.000-04:00

Anti-Spam Technical Alliance Publishes Industry Recommendations to Help Stop Spam

Yahoo!, Microsoft, EarthLink and AOL Propose Key Best Practices and Technologies to Tackle The Problem of Unsolicited Commercial E-Mail

SUNNYVALE, Calif., REDMOND, Wash., ATLANTA, and DULLES, Va., June 22, 2004 -- The Anti-Spam Technical Alliance (ASTA), whose participants include Yahoo! Inc. (Nasdaq “YHOO”), Microsoft Corp. (Nasdaq “MSFT”), EarthLink (Nasdaq “ELNK”) and America Online Inc. (NYSE “TWX”), today unveiled the result of more than a year of close collaboration by presenting a host of detailed best practices and technical recommendations for the entire industry in an effort to fight the scourge of spam.

The proposal provides recommended actions and policies for Internet service providers (ISPs) and e-mail service providers (ESPs) as well as large senders of e-mail including governments, private corporations and online marketing organizations. These recommendations primarily focus on two key issues: helping solve the e-mail forgery problem by eliminating domain spoofing through Internet Protocol (IP)-based and signature-based solutions; and best practices to help prevent ISPs and their customers from being sources of spam.

The complete ASTA proposal can be found at each adopting company’s Web site:

* Yahoo Anti-Spam Resource Center
* Microsoft Privacy Web site
* EarthLink spamBlocker
* American Online

ASTA was founded in April 2003 to bring together key industry stakeholders to drive technical standards and promote collaboration in the development of industry guidelines to address the spam problem. Current members include leading technology companies such as America Online, British Telecom, Comcast, EarthLink, Microsoft and Yahoo!

Comments

“With these proposed solutions, ASTA is taking a huge step toward collective and enforceable technologies in reducing spam and e-mail forgery,” said Brad Garlinghouse, vice president of Communication Products at Yahoo! Inc. “We are laying out clear best practices and Good Neighbor policies that will help change the rules of the game on spammers once and for all.”

“We believe that thanks to continued innovation and the ongoing cooperation of governments and industry around the world, we are on the right path to turn the tide against spammers — but further change is needed on an industrywide basis to thoroughly contain the problem for consumers and businesses worldwide,” said Ryan Hamlin, general manager of the Anti-Spam Technology & Strategy Team at Microsoft. “Our aim with this proposal is to help lay out a clear framework for the industry as we continue to work together to end the spam business and put our customers back in control of their inboxes once again.”

“Today’s announcement shows the industry’s commitment to working together to develop the best technical standards and practices that all providers can use to stop spam,” said Linda Beck, executive vice president of Operations at EarthLink. “By collaborating on new ways to better identify the origin of messages, we can help lift the veil of anonymity on spammers and restore the integrity of e-mail. We encourage continued testing and public discussion in order to move toward industry-standard technical solutions.”

“This announcement opens an entirely new chapter in spam fighting on behalf of all online consumers. Spam is an industrywide challenge that merits an industrywide solution. Creating a set of best practices puts us on a clear glide-path to winning a major battle against spammers, scammers and spoofers,” said Matt Korn, executive vice president, Network & Data Center Operations at America Online. “This proposal also shifts the spam fight toward identifying legitimate senders of e-mail to ensure prompt delivery of their e-mail. Now we’re going to focus on testing and evaluating cost-effective technologies that can identify legitimate senders of e-mail and help restore consumer trust in their e-mail inboxes.”

Summary of ASTA Recommendations

ASTA’s proposal focuses on two key issues: helping solve the e-mail forgery problem by eliminating domain spoofing through IP-based and signature-based solutions, and best practices to help prevent ISPs and their customers from being sources of spam.. Recognizing that broad adoption of any technology or best practice is critical to solving the spam epidemic, all members of ASTA have agreed to the following recommendations:

Addressing E-mail Address Forgery

One of the key problems with today’s e-mail infrastructure is that messages do not contain enough reliable information to enable recipients to decide whether an e-mail message is legitimate and reliably identify the sender. Spammers take advantage of this fact and commonly disguise the origin of their messages by forging the sender addresses on their e-mail using someone else’s domain name. This is called “domain spoofing.”

Although the problem of identifying the origin of e-mail is complex, there are two promising new methods that organizations can implement to lay a foundation for future advances and promote authentication that verifies that senders of a message is who they claim to be:

1. Authenticating senders based on IP addresses. Currently, the only trustworthy attribute in an e-mail message header is the IP address of the server that is transmitting the e-mail. IP addresses can therefore be used by e-mail receivers to verify other attributes in the message header, such as the sending domain, and thus help reduce the common forms of phishing and forgery that are rampant today. This verification loop can be done using the existing Domain Name System (DNS) infrastructure combined with fairly simple changes to the receiver’s e-mail systems.
2. Authenticating senders based on content signing. Another approach to sender authentication uses a technology called Content Signing (CS). CS systems use public/private key pairs to generate the signatures that are used for sender verification. The public keys may be made broadly available through a variety of key exchange mechanisms or via publication in a directory or in DNS. The private keys are stored securely on the domain’s mail servers. When a user sends an e-mail message, the mail server uses the stored private key to automatically generate a digital signature for the message. When the recipient’s mail server receives the e-mail message, it retrieves the sender’s public key and uses it to verify the digital signature in the message. This verifies both the sender’s identity and the integrity of the message body (that the e-mail content was not modified during delivery).

As with IP-based sender authentication, the companies believe that content signing technologies are an important component of a long-term industry solution.

Throughout the process of implementing these technologies, ASTA members will provide feedback that along with other industrywide feedback will enable subsequent improvements to the specification to be completed, with the goal of providing for the best long-term, industrywide IP based authentication solution.

It is the belief of this group that the ubiquitous deployment of some or all of these proposals, combined with the most innovative anti-spam filtering technologies and approaches, continued litigation against the worst offenders, appropriate legislation and other measures, will serve to reduce the economic incentives and eliminate the entry points for spammers to continue their barrage of unwanted communications. ASTA looks forward to the community response to this proposal and invites participation from all segments of the community to assess the validity and impact of these proposed solutions and their accompanying technical specifications.

Addressing Spam Through Best Practices

In the proposal, ASTA recommends a number of best practices that organizations should implement as applicable. Many of these practices have already been adopted by responsible organizations using e-mail today, but broader global adoption is necessary, as the combined effect of implementing these approaches can serve to minimize opportunities for spammers. Those who do not adopt these proposals risk loss of online user confidence in the safe and trusted exchange of e-mail for the entire community.

Specifically, ASTA’s proposal outlines the following:

* Recommendations for ISPs and mailbox providers and organizations that provide Internet connectivity, such as these:
o Block or Limit the use of Port 25
o Implement rate limits on outbound e-mail traffic
o Control automated registration of accounts
o Close redirectors that can be abused
o Close all open relays
o Configure proxies for internal network use only
o Detect compromised computers (zombies)
o Educate users to increase use of existing tools
o Develop effective complaint reporting systems
* Recommendations for legitimate bulk e-mail senders, such as these:
o Do not harvest e-mail addresses through SMTP or other means (defined as collecting e-mail addresses, usually by automated means) without the owners’ affirmative consent.
o Register your e-mail domain with a creditable safelist provider.
o Always provide clear instructions to customers about how to unsubscribe or opt-out of receiving e-mail. Promptly respond to these requests.
o Do not use or send e-mail that contains invalid or forged headers.
o Do not use or send e-mail that contains invalid or nonexistent domain names in the From or Reply-To headers.
o Do not employ any technique to hide or obscure any information that identifies the true origin or the transmission path of bulk e-mail.
o Do not use a third party’s Internet domain name or allow mail to be relayed from or through a third party’s equipment without permission.
o Do not send e-mail that contains false or misleading information in the subject line or in its content.
o Monitor SMTP responses from recipients’ mail servers. Promptly remove all e-mail addresses for which the receiving mail server responds with a 55x SMTP error code (e.g., “user doesn’t exist”).
* Recommendations for consumers, such as these:
o Install firewalls on PCs as appropriate.
o Use anti-virus software and other screening tools to detect incoming viruses, malware, and harmful or suspicious code.
o Make use of spam filtering technologies and customize settings that provide the appropriate level of protection needed.

Some of these recommendations are already part of laws in various countries including the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 in the United States. However, the disparity between laws and the absence of anti-spam laws in most countries means the industry needs to come together and adopt consistent policies and practices that drive spammers out of business.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft's corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft's Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.asp.

2004-06-23T11:51:00.000-04:00

From Legal Affairs Magazine
$t0pp^ng $p@m!!
The private sector needs to regulate spam because the government can't.
By Paul Jamieson

LOSE 20 POUNDS IN 20 DAYS on the amazing grapefruit diet pill! Expand the size of your body parts! You have emerged one of the winners of the EGOLI LOTTERY SOUTH AFRICA!

Spam is that rare legal and public policy problem in which the behavior in question is anathema to nearly every publicly identifiable interest holder. Legitimate businesses that use e-mail as a marketing tool support spam reform because their communications are often lost in the avalanche. Consumers and businesses that rely on e-mail for transactions and communication overwhelmingly dislike spam for the same reason and make their displeasure known to elected officials. Internet service providers, or ISPs, such as Yahoo and Earthlink, oppose it because junk e-mail taxes their networks.

Nevertheless, five months after the effective date of a sweeping federal law imposing stiff civil and criminal penalties on spammers, well over half of all e-mail is still spam. There is just as much if not more spam now than there was before the legal barriers were erected. What gives?

The short answer is that legal measures may be largely powerless to affect the spam problem because the architecture of e-mail is resistant to traditional methods of government regulation. While members of Congress and the Federal Trade Commission will be quick to claim credit in the event that the spam problem is reduced, the role they play is small. Consumers and businesses suffering from the torrent of spam must look for relief not from formal law developed on Capitol Hill or in a watchdog agency, but from the people who write the code that makes the Internet run, and then from the private businesses that put the code to work.

THE CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT, or CAN-SPAM, was signed by President George W. Bush in December 2003 and is ambitious in intent if not effect. Under the statute, unsolicited commercial e-mail isn't banned, but it must contain headers revealing that a message is an advertisement or solicitation. All unsolicited commercial e-mail must come from a valid e-mail address and contain an accurate postal address to which a recipient can write back. Misleading message headers are also banned, even for recipients who have agreed to receive commercial mail, as with users who checked a box asking for future promotional material about dog food on the Pets.com website.

Under the statute, Internet service providers are not held liable for routine conveyance of e-mail. If you get spam from loseweight@earthlink.net, you can't sue Earthlink. But all of those who send or who contract to send illegal commercial e-mail are subject to civil suits by Internet service providers, the FTC, and state law enforcement officials. Penalties are severe. For example, if a state brings a suit, a spammer may be forced to pay damages of $250 per e-mail, up to $2 million (the cost of 8,000 e-mails), plus attorneys' fees. Egregious spammers, as repeat offenders, may also face felony charges with prison terms of up to five years per violation.

But the law has had no appreciable effect on reducing spam. Consumers surveyed by the Pew Internet Project report that the volume of spam is the same or has increased since January 1, when the law went into effect. Postini, a company that runs a spam-filtering service processing one billion messages a week for 2,500 other companies, said that spam rates have stayed virtually constant since before that date.

* * *

Several factors constrain the law's regulation of spam. First, the nature of e-mail makes it hard to locate perpetrators. Because of the Internet's configuration, spammers can easily hide their actual e-mail addresses in addition to their countries of origin, using false header information and bogus domain names. One popular tactic is to send messages that appear to be from technical support staff of the recipient's Internet service provider (e.g., administrator@msn.com) with a message that the user's account needs to be updated or fixed. Sending a message that appears to come from one of these accounts requires no specific access to either MSN or Earthlink. Spoofing an address requires only an Internet connection and a few minutes to learn how to falsify the information.

Identifying purveyors of spam, then, is challenging. Of the 222 defendants of recent CAN-SPAM lawsuits filed by the four largest ISPs, only seven were named, because the plaintiffs' attorneys couldn't figure out who they were going after. And even if spammers could be identified, many are beyond the jurisdiction of American law. AOL reported that, one week after the new statute went into effect, approximately 10 percent of the 2.4 billion spam e-mail messages it was receiving daily had shifted in origin to offshore locales.

The economics of spam are so favorable to spammers that no matter how high regulation erects the barrier to entering the business it wouldn't be high enough. Direct mail and telemarketing require companies to spend a lot of money—to pay people to spend time on the phone, and for printing messages and sending them through the mail. But spam puts nearly all the costs on recipients, ISPs, and the companies that built and that run the "pipes" through which e-mail travels. Sending an e-mail promoting Viagra to 500,000 users costs a spammer about the same as sending it to 50.

PRIVATE SECTOR REGULATION by the "code" of cyberspace, rather than by formal law, has been crucial to the Internet's development, to which the government has contributed most significantly by being restrained in its use of regulation. The development of encryption standards that protect the exchange of financial information over the Internet makes a good example. As a result of development by companies of encryption protocols that are strong but easy to use, it's now no more dangerous to type your MasterCard number into Amazon.com than it is to give the number to a phone operator. This encryption technology came entirely from the private sector and not from the government, which chose not to enact strong encryption standards in part because it feared that they would limit the FBI's surveillance powers.

A similar effort by the private sector to regulate spam by code is being mounted by influential code writers. Microsoft's Bill Gates announced in February that he was helping to create a loose consortium of companies called the Global Infrastructure Alliance for Internet Safety, formed to share ideas about technical solutions to Internet security threats as well as spam, which many people see as the major threat to the continued expansion of the Internet. Gates cited several technological innovations designed to combat spam, including a sort of caller ID for e-mail that would verify the sender's e-mail name address conveyed as a series of numbers that the software could look up.

Another authentication proposal under consideration by members of the consortium is a system known as challenge-response, under which a sender not already on a recipient's "safe" list would have to confirm his identity by responding to an automatic message from the recipient's e-mail system. The computer-generated reply message would direct the sender to a website to answer questions—such as "What is the number of states in the United States?"—that would rotate each time a sender went there, and which would be simple for humans to answer but hard for machines.

Still another coalition option would be implementing a form of postage for e-mail (say, some fraction of one cent charged to senders by their ISPs) that would only lightly burden regular users but would be prohibitively expensive for mass e-mailers. ISPs are also reviewing restrictions on the number of e-mail messages that can be sent at one time, in an effort to undercut spammers who send thousands at once.

The government's CAN-SPAM law doesn't undermine these solutions, each of which holds great promise, and several of which could also be used to help protect other technologies—such as cellphones and instant messaging—likely soon to face spam onslaughts. But CAN-SPAM doesn't help, either.

To solve the spam problem, the federal government should create incentives for the private sector to develop solutions. It could subsidize effective technological solutions to spam, much like what the government does to subsidize the availability of Internet access in the nation's schools and libraries. Or it could require that a company license any truly effective solution to anyone who wants it. Government could also be more aggressive in supporting industry consortia, including the recognition of an industry standards-setting body that would develop practices to combat spam and share the best ones. If it turned out that the best anti-spam strategy required ISPs to employ a particular method of authentication, the government could mandate compliance with that standard.

In the meantime, as e-mails pile up that come from the ostensible fortune-wielding children of "Nigerian dictators" and from network administrators asking us in vaguely worded messages to open attachments, it's clear that we are far from having a good solution to spam. Until the government figures out a new way of working effectively with programmers, we will just have to keep hitting "delete."

Read the entire article here.

2004-06-07T17:19:00.000-04:00

Spam messages on the increase
[Ed. note - Now I always take studies from companies whose mission it is to sell you anti-spam software as part of their services with a large grain of salt, but anecdotal evidence, along with my own inbox observations appear to, if nothing else, confirm that spam certainly hasn't gone down.]

Spam messages on the increase
Story from BBC NEWS:
http://news.bbc.co.uk/1/hi/technology/3746023.stm

Junk mail now accounts for nearly 70% of e-mails worldwide, according to filtering firm MessageLabs. Despite efforts in the US to cut down on the sending of unsolicited messages, new laws seem to be having the opposite effect. Spammers are simply adapting rather than shutting up shop.

"The law goes part way to legitimise spam rather than outlaw it," said Natasha Staley, information security analyst at MessageLabs.

* * *

SPAM TRENDS
40% is healthcare related
37.8% is financial
12.8% is direct products
4.8% is pornography
Source: Clearswift
"We expect global levels to reach 80% by the middle of the year," Ms Staley told BBC News Online.
The US Can-Spam Act, which came into force at the beginning of the year, has been dismissed by experts as ineffectual.

Spammers can adhere to requirements such as providing a legitimate return address without it affecting their business practices.

"The law hasn't had as much of an impact as we hoped. I imagine it will have to be revised as there are wide gaping holes," said Ms Staley.

* * *
Read the entire article here - http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3746023.stm

2004-05-11T15:52:00.000-04:00

Canada Eyes World Treaty to Deal with Spammers
Tue May 11, 2004 03:45 PM ET
By Gilbert Le Gras

OTTAWA (Reuters) - Countries may need international treaties to deal with large-scale computer spam, because individual governments cannot deal with the problem by themselves, Canada said on Tuesday.

* * *
Canada's Industry Minister Lucienne Robillard told Reuters there was an urgent need for an international effort, perhaps a treaty, that might even include the extradition of suspected large-scale spammers.

* * *
Fraudulent e-mails designed to draw credit card and bank details from Internet users passed the three billion mark in April, according to San Francisco-based Brightmail, one of the largest spam e-mail filtering firms.
* * *
Officials said the treaty idea is also being discussed at the Asia Pacific Economic Cooperation forum.

Read the entire article here.

2004-05-01T18:31:00.000-04:00

U.S. Hits Four with Criminal Anti-Spam Charges
Thu Apr 29, 2004 01:35 PM ET

WASHINGTON (Reuters) - U.S. authorities said Thursday they had arrested two e-mail marketers and were searching for two others in the government's first use of a new law designed to crack down on "spam" e-mail.

U.S. agents have raided a Detroit-area operation accused of sending out millions of e-mail advertisements for a fraudulent weight-loss patch, the Federal Trade Commission said.

Daniel Lin, Mark Sadek, James Lin and Christopher Chung could face up to five years in jail under a new anti-spam law that took effect in January.

They also face mail-fraud charges, which carry a maximum 20-year sentence.

Through their company Phoenix Avatar, the four defendants earned nearly $100,000 per month selling a diet patch that had no effect at all, the FTC charged.

The defendants used the e-mail addresses of others to cover their tracks, a technique known as "spoofing," the FTC said.

Innocent e-mail users often are swamped by undeliverable return mail when their addresses are spoofed, the FTC said. Spoofing is illegal under the new anti-spam law.

Read full article here.

2004-04-15T02:32:00.000-04:00

http://www.ftc.gov/opa/2004/04/adultlabel.htm
Corrected
For Release: April 13, 2004

FTC Adopts Rule That Requires Notice That Spam Contains Sexually-Explicit Material

Starting May 19th 2004, spam that contains sexually oriented material must include the warning “SEXUALLY-EXPLICIT: ” in the subject line or face fines for violations of federal law. The CAN-SPAM Act, passed by Congress in 2003, directed the Federal Trade Commission to adopt a rule requiring a mark or notice to be included in spam that contains sexually oriented material. The purpose of the notice is to inform recipients that a spam message contains sexually oriented material and to make it easier to filter out messages they do not wish to receive. Establishing the mark was one of several actions Congress directed the Commission to undertake by enacting the CAN-SPAM Act, which was signed into law on December 16, 2003. The CAN-SPAM Act required the Commission to prescribe the mark or notice within 120 days after passage of the Act.

The Commission published a notice of proposed rulemaking in the Federal Register on January 29, 2004, and accepted comments until February 17, 2004. The Commission received 89 comments, mostly from individual consumers.

The FTC’s final rule prescribes the phrase “SEXUALLY-EXPLICIT: ” as the mark or notice mandated by the CAN-SPAM Act. The final rule follows the intention of the CAN-SPAM Act to protect email recipients from unwitting exposure to unwanted sexual images in spam, by requiring this mark to be included both in the subject line of any e-mail message that contains sexually oriented material, and in the electronic equivalent of a “brown paper wrapper” in the body of the message. This “brown paper wrapper” is what a recipient initially will see when opening a message containing sexually oriented material. The “brown paper wrapper will include the prescribed mark or notice, certain other specified information, and no other information or images.

There are four ways in which the final rule differs from the rule as originally proposed in the notice of proposed rulemaking:

* The final mark is shorter than the proposed version. The Commission proposed that the mark be "SEXUALLY-EXPLICIT-CONTENT: ". Commenters opined that an excessively long mark would tend to crowd out all or part of what the sender might wish to say in the subject line. The Agency determined that a shorter mark,"SEXUALLY-EXPLICIT: ", likely can achieve the desired purpose as well, or nearly as well, as the longer mark; The final rule excludes sexually oriented materials from the subject line of a sexually explicit email message;

* The final rule requires the mandatory disclosure of the sender’s “valid physical postal address” to be “clear and conspicuous,” like the other required disclosures; and

* The final rule requires that the mark appear using elements of the American Standard Code for Information Interchange ("ASCII") character set, and a definition of the term “character” has been added as part of that change.

In addition, in response to a comment received from the Department of Justice, the Statement of Basis and Purpose clarifies that the Commission interprets provisions of the CAN-SPAM Act that direct the FTC to prescribe the mark to cover both visual images and written descriptions of sexually explicit conduct.

The Commission vote to approve publication of the Federal Register notice was 5-0.

Copies of the federal register notice are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

RELATED DOCUMENTS
16 C.F.R. Part 316: Rules Implementing The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (The CAN-SPAM Act): Label for Email Messages Containing Sexually Oriented Material: Final Rule

Text of the Federal Register Notice

2004-04-06T05:26:00.000-04:00

Interesting fight going on between tech journalist Stephen Manes, who I'm acquainted with, and Lawrence Lessig. To whit...

Stephen Manes, Let's Have Less of Lessig, Digital Tools, Forbes.com, available at http://www.forbes.com/2004/04/02/cz_sm_0402manes.html (last visited Apr. 5, 2004).

"I suspect the Mies van der Rohe estate won't sue me for saying it's clearer than ever that when it comes to copyright law, Lessig is Moron. Stanford law professor Lawrence "Larry" Lessig has lately been the Great Oz of copyright law, with student acolytes, members of the self-important blogosphere and Tin Woodmen of the press hanging on the latest droppings from his Palo Alto, Calif., Emerald City tower about the supposedly pernicious evils of today's copyright system.

Lessig has had a remarkable free ride in the public prints, but apparently he had a nightmarish vision of the curtain coming down on his radically silly ideas when he read my lambasting of his wacky new book, Free Culture, in the March 29 issue of Forbes (see "The Trouble With Larry"). Not only did Lessig take to blustering and bloviating in his March 20 blog entry, but he seems to have been the victim of a meltdown worthy of the Wicked Witch of the West. "
* * *
Rest of article here.

2004-03-10T13:09:00.000-05:00

US net providers pursue spammers
Four of the largest internet providers in the US have filed six lawsuits against hundreds of spammers.

Microsoft, AOL, Earthlink and Yahoo are joining forces to fight the millions of junk e-mails that are sent out every day. The companies said the defendants include some of the nation's most prolific large-scale spammers. The providers are taking advantage of new legislation passed in the US earlier this year.

Shared resources

"Congress gave us the necessary tools to pursue spammers with stiff penalties, and we in the industry didn't waste a moment moving with speed and resolve to take advantage of the new law," said Randall Boe, AOL's top lawyer.

The four providers have shared information and resources in an effort to clamp down on the menace of spam. They are helped in large part by new US legislation passed at the beginning of the year that addresses some of the tricks spam gangs use to get their unwanted messages to millions of internet users.

The law, called the CAN_SPAM Act, demands that unsolicited e-mails must include a mechanism for recipients to indicate that they do not want future mass mailings.

It also prohibits spammers from disguising their identity by using a false return address or misleading subject line.

Huge problem

Finally the legislation aims to bring a halt to the practice of harvesting addresses from web sites.

Spam is a huge worldwide problem, accounting for a minimum of 40% of all e-mails sent.

According to anti-spam activists Spamhaus, 90% of junk e-mails can be traced to just 200 known spam gangs.

[Full article available here - Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3499230.stm]

2004-03-05T12:23:00.000-05:00

Ed. note -- It's an idea with great surface appeal, but the arbitrage opportunities would be potentially immense, and the abuse and micro-transactions tracking and accounting requirements huge. Would the "stamp" be based on, as now, some "weight" (or message length) combined with the "distance" traveled? If so, who would set these amounts, and how would they operate in a global fashion where distance has essentially no meaning? How would counterfeiting be prevented? How would price increases be decided and implemented? Would refunds be available for "undeliverable" mail? Who would be responsible for maintaing postal "forwarding" a la the current USPS 1-year forwarding scheme, etc. etc.? This proposals strikes me as presenting potentially insurmountable problems, coupled with an even larger chicken-and-egg situation that could make the cure worse than the disease.

Gates: Buy stamps to send e-mail
Paying for e-mail seen as anti-spam tactic

NEW YORK (AP) --If the U.S. Postal Service delivered mail for free, our mailboxes would surely runneth over with more credit-card offers, sweepstakes entries, and supermarket fliers. That's why we get so much junk e-mail: It's essentially free to send. So Microsoft Corp. chairman Bill Gates, among others, is now suggesting that we start buying "stamps" for e-mail.

Many Internet analysts worry, though, that turning e-mail into an economic commodity would undermine its value in democratizing communication. But let's start with the math: At perhaps a penny or less per item, e-mail postage wouldn't significantly dent the pocketbooks of people who send only a few messages a day. Not so for spammers who mail millions at a time.

Though postage proposals have been in limited discussion for years -- a team at Microsoft Research has been at it since 2001 -- Gates gave the idea a lift in January at the World Economic Forum in Davos, Switzerland. Details came last week as part of Microsoft's anti-spam strategy. Instead of paying a penny, the sender would "buy" postage by devoting maybe 10 seconds of computing time to solving a math puzzle. The exercise would merely serve as proof of the sender's good faith."

Retrieve entire article at http://www.cnn.com/2004/TECH/internet/03/05/spam.charge.ap/index.html.

2004-02-16T22:10:00.000-05:00

Bulk e-mail fees near as spam filters fail
By Scott Morrison in San Francisco

Published: February 16 2004 19:09, Financial Times - full article here.

US internet service providers are coming round to the idea that they may have to start levying "postage" fees on those who send out huge amounts of commercial e-mail, because anti-spam filters have failed to keep down the growth of junk e-mail.

The idea of fee-based e-mail is controversial among internet libertarians and groups such as the Direct Marketing Association, the politically powerful lobbying group that comprises 4,700 companies, many of which use e-mail to advertise to customers.

But advocates of a fee-based system for bulk e-mail believe it would help distinguish between legitimate e-mail from respectable corporations and offensive spam from shady operators who presumably could not afford to send tens of millions of messages a day.

Proponents of e-mail payment systems argue that corporations that have adopted online marketing are concerned that up to 20 per cent of their e-mails are not getting past spam filters.

Another concern is that rapid growth in legitimate bulk e-mail could further stress network capacity and place huge financial burdens on ISPs and corporations that carry and receive the messages.

These groups have already been forced to hire technicians, deploy filters and bolster network capacity to cope with the flood of spam.

Estimates suggest that spam costs US companies and ISPs about $10bn-$20bn (€7.8bn-€15.6bn, £5.3bn-£10.6bn) a year in direct costs and lost productivity.

Yahoo!, one of the top US internet service providers, said it was evaluating technology from Goodmail, a Silicon Valley start-up that is developing a 1-cent "stamp" system for bulk e-mail.

Meanwhile rivals Earthlink, America Online and Microsoft's MSN are all weighing alternative measures.

"Payments could and probably should happen at some point. We certainly don't want to charge people for individual e-mail," said Robert Sanders, chief systems architect at Earthlink.

"We need to find a way to distinguish between individual e-mails and commercial e-mails."

Bill Gates of Microsoft has taken up the cause as well, predicting last month that new technologies including payment systems could virtually eradicate spam within two years.

ISPs also want to develop an internet-wide identity verification system that would help ISPs and users distinguish between legitimate e-mails from "trusted" sources and offensive junk e-mail from spammers who try to hide their identities.

Filters have reduced the amount of spam reaching individuals, but the volume of junk e-mail on the internet continues to rise, and now accounts for about 65 per cent of all e-mail traffic.

A US anti-spam law enacted at the start of this year appears to have had no effect on the growth of junk e-mail.

2004-02-10T00:19:00.000-05:00

FTC: 'Can Spam' Law Only a Mild Deterrent
Tuesday, February 10, 2004
Foxnews

WASHINGTON — The law meant to curb large amounts of unwanted e-mail went into effect on Jan. 1, but consumers have found that their expectations of a large drop in spam mailings may have been a little wide-eyed.

"One spammer thinks I have a child, and have reproduced, and it's a toddler running around; and then Viagra thinks I need help in that department. I think maybe they should e-mail back and forth and leave me out of it," said John Forrest Ales, one e-mail user who says he regularly finds his inbox filled with annoying e-mail from companies that have no idea who he is.

Ales and many other consumers thought the "can spam" law (search), signed by President Bush on Dec. 16, would stem the flow of unwanted e-mail pitches, but the Federal Trade Commission (search) says that's not the way the new rules work.

"There certainly hasn't been any significant reduction in the number of spams that have been forwarded to our mail boxes," said Howard Beales, director of the FTC's Bureau of Consumer Protection.

The new law does not make spam itself illegal, but it does require marketers to stop some of the shadier methods they use. For instance, e-mail marketers cannot use false headers, "subject" or "from" line information.

Pornographic spammers must clearly label their advertisements, and senders must provide valid information so messages can be traced. Companies sending bulk commercial e-mail must also provide consumers an "opt out" (search) option that they must also honor. Somewhere on the mail, a link must be placed so that recipients can click on it if they don't want any more mail.

Full article here.

2004-01-28T12:00:00.000-05:00

Interesting article ...

Filters Force Spammers to Use Gibberish
(25 January 2004)
Though the incidence of spam may not be decreasing, the coherence of
the messages is definitely decreasing. Spammers who wish to evade
filters must garble their messages; most people are unlikely to open
e-mail with subject lines full of gibberish.

http://news.com.com/2102-1024_3-5147038.html?tag=st_util_print

2004-01-27T15:03:00.000-05:00

As an aside to Eldred...

I was sitting here musing about copyrights yesterday, and checking through last year's Eldred Supreme Court case, when I noticed in Eldred's brief that the big name lawyers (Lessig, Sullivan, etc.) focused on the "for a limited time" language in Art. I of the Constitution's grant of power to congress to establish patents and copyrights, but the purpose of copyrights was not the main focus.
Certainly every case is filled with strategic decisions, but it seems to me a productive course would have been not to primarily argue that the constitution's "limited time" language, which is certainly vague and clearly open to different interpretations, didn't mean 70 years but rather that extending copyright protection to life of the author plus 70 years was contrary to the purpose of copyrights as originally understood and as previously defined by the Supreme Court. The Supreme court's opinion (Eldred v. Ashcroft, 537 U.S. 186) certainly cited repeatedly a seminal case, Mazer v. Stein, 347 U.S. 201, 219 (1954), and its statement that:

"The economic philosophy behind the clause empowering Congress to grant patents and copyrights is the conviction that encouragement of individual effort by personal gain is the best way to advance public welfare through the talents of authors and inventors in 'Science and useful Arts.' ".

However, in the end it may not have mattered.

2004-01-26T12:35:00.000-05:00

Recent New York Times Articles on Spam

TECHNOLOGY | January 26, 2004
Gates Predicts That Spam Will Go Away
By THE NEW YORK TIMES (NYT) News

TECHNOLOGY | January 26, 2004
Gallery Show Seeks the Art in Spam, Seen Through the Eyes of the Future
By SAUL HANSELL (NYT) News

WEEK IN REVIEW | January 25, 2004
Politics of the Web: Meet, Greet, Segregate, Meet Again
By AMY HARMON (NYT) News

WEEK IN REVIEW | January 25, 2004
That Gibberish in Your In-Box May Be Good News
By GEORGE JOHNSON (NYT) News

INTERNATIONAL | January 25, 2004
Make Spammers Pay, Bill Gates Says
By THE ASSOCIATED PRESS (AP) News

BUSINESS/FINANCIAL DESK | January 19, 2004, Monday $
As Consumers Revolt, a Rush to Block Pop-Up Online Ads
By SAUL HANSELL (NYT) 1269 words

2004-01-24T23:42:00.000-05:00

Gates forecasts victory over spam
By Tim Weber
BBC correspondent in Davos

Spam will be a thing of the past in two years' time, Microsoft boss Bill Gates has promised.
Spammers - senders of bulk e-mail that mostly offers dubious products or pornography - were innovative, he said.

However, a three-pronged strategy would soon stamp out the problem, he said in remarks at the World Economic Forum (WEF) in Davos. [full remarks available here].

He hailed search technology firm Google as a "great company"; its approach reminded him of Microsoft 20 years ago.

But he also predicted that Microsoft search technology would soon outpace that of its rival.

Mr Gates, by now a fixture at the annual WEF's meeting of business leaders and top politicians, said a lot of progress had been made during the past year to stop spam e-mail.

"Lots of mail you get is from people on your contact list. So what's the problem? Strangers!"

Filters could do a lot to sort spam from real mail, Mr Gates said: "Does the e-mail say it's about 'enlargement' - that might be spam."

But by adding random words in subject lines and replacing text with pictures, spammers were trickier to catch and in the long run filters would "not be the magic solution".

More promising were "human challenges" - forcing the sender to solve a puzzle, or the computer sending the e-mail to do a simple computation.

"That's easy for a machine sending a few e-mails, but gets very difficult and expensive for a computer sending lots of spam," Mr Gates said.

But ultimately, Mr Gates predicted, spam would be killed through the electronic equivalent of a stamp, also known as "payment at risk".

This would force the sender of an e-mail to pay up when an e-mail was rejected as spam, but would not deter senders of real e-mail because they could be confident that their mail would be accepted.

"Microsoft is pursuing all three approaches, and spam will soon be a thing of the past," Mr Gates asserted.

Full story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3426367.stm

© BBC MMIV

2004-01-14T09:42:00.000-05:00

JUDGE ORDERS END OF SPAM BY INDIAN FIRM
Associated Press

In a landmark judgment, a court on Tuesday ordered an Indian company to
stop jamming an Internet service by sending junk e-mails, or spam, a
news report said. Judge R.C. Chopra ordered McCoy Infosystems Private
Ltd. to stop transmission of unsolicited bulk electronic mail to any
user of the state-owned Internet services provider, VSN Limited, the
Press Trust of India news agency said.

http://news.findlaw.com/ap/ht/1700/1-13-2004/20040113080003_08.html

2004-01-14T09:41:00.000-05:00

INBOX TRAUMA: NEW ANTI-SPAM TOOLS FALTER
Associated Press

Software makers have spent millions of dollars developing new tools for
battling spam, and a new federal anti-spam law went into effect on Jan.
1. So are our e-mail inboxes any less cluttered? In the week since the
law took effect, spam-filtering company Brightmail Inc. flagged 58
percent of incoming e-mail as spam, showing no change from December.
And America Online Inc. saw a 10 percent jump in spam from overseas,
possibly from spammers trying to evade U.S. law.

http://news.findlaw.com/ap/ht/1700/1-11-2004/20040111091502_06.html

Why The New "CAN Spam" Law Probably Won't Work
http://practice.findlaw.com/cyberlaw-0104.html

2004-01-13T13:30:00.000-05:00

"A Two-Tiered Registry System to Regulate Spam" - From UCLA Journal of Law and Technology.

Shelley Cobos reviews the advantages and disadvantages of the current mechanisms in place to regulate spam on the internet. Cobos proposes a two-tiered registry system under federal control by which legitimate unsolicited commercial e-mail, better known as "spam," may be separated from illegitimate spam so that the Internet's potential will not be rendered superfluous. Cobos finally explores the limitations of such a two-tiered registry system due to the topology of the Internet.
Click here for online article.
Click here for Adobe PDF.

2004-01-03T19:50:00.000-05:00

Basex Free report on the history of spam and its impact on productivity and IT spending is available for download at
http://www.basex.com/poty2003.nsf/download?OpenForm

2003-12-26T18:46:00.000-05:00

Microsoft aims to make spammers pay
By Jo Twist
BBC News Online technology reporter
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3324883.stm

Despite efforts to stem the billions of spam e-mails flooding inboxes, unwanted messages are still turning e-mail into a quagmire of misery.

Spammers send out tens of millions of e-mails to unsuspecting computer users every day, employing a myriad of methods to ensure their pills, loans and "requests for our lord" pleas fox e-mail filters.
Some are even turning to prose and poetry to fool the technological safeguards people put in place.

But a group of researchers at Microsoft think they may have come up with a solution that could, at least, slow down and deter the spammers.

The development has been called the Penny Black project, because it works on the idea that revolutionised the British postage system in the 1830s - that senders of mail should have to pay for it, not whoever is on the receiving end.

Stamp of approval

"The basic idea is that we are trying to shift the equation to make it possible and necessary for a sender to 'pay' for e-mail," explained Ted Wobber of the Microsoft Research group (MSR).

The payment is not made in the currency of money, but in the memory and the computer power required to work out cryptographic puzzles.

"For any piece of e-mail I send, it will take a small amount computing power of about 10 to 20 seconds."

For this scheme to work, it would want to be something all mail agents would want to do
Ted Wobber, MSR
"If I don't know you, I have to prove to you that I have spent a little bit of time in resources to send you that e-mail.
"When you see that proof, you treat that message with more priority."

Once senders have proved they have solved the required "puzzle", they can be added to a "safe list" of senders.

It means the spammer's machine is slowed down, but legitimate e-mailers do not notice any delays.

Mr Wobber and his group calculated that if there are 80,000 seconds in a day, a computational "price" of a 10-second levy would mean spammers would only be able to send about 8,000 messages a day, at most.

"Spammers are sending tens of millions of e-mails, so if they had to do that with all the messages, they would have to invest heavily in machines."

As a result of this extra investment, spamming would become less profitable because costs would skyrocket in order to send as many e-mails.

All this clever puzzle-solving is done without the recipient of the e-mail being affected.

Bogging them down

The idea was originally formulated to use CPU memory cycles by team member Cynthia Dwork in 1992.

But they soon realised it was better to use memory latency - the time it takes for the computer's processor to get information from its memory chip - than CPU power.

That way, it does not matter how old or new a computer is because the system does not rely on processor chip speeds, which can improve at rapid rates.
A cryptographic puzzle that is simple enough not to bog down the processor too much, but that requires information to be accessed from memory, levels the difference between older and newer computers.

It all sounds like a good idea, said Paul Wood, chief analyst at e-mail security firm MessageLabs.

"One of the fundamental problems with spam is that it costs nothing to send, but has associated costs for the recipient which include loss of bandwidth, problems with usage, and lost productivity," he said.

"Microsoft's idea is to shift this cost burden from the recipient to the sender, which in itself seems like a reasonable sentiment."

But, he said, for such a scheme to be all-encompassing, there would have to be some provision for open standards, so that it is not proprietary to Microsoft.

Work for all

MSR is in talks with various people to put the system into a useful anti-spam product.

It could easily be built into e-mail software like Outlook, e-mail servers or web browsers, said Mr Wobber.

"For this scheme to work, it would want to be something all mail agents would want to do," explained Mr Wobber.

And because it is the receiver who sets the puzzle requirement, spammers will not have any advantage by using non-Microsoft products.

It is certainly not going to stop all spam for good, admitted Mr Wobber.

"I don't think any one spam scheme is a panacea, we have to use a wide variety of schemes to be successful in stopping spam."

"Spam is probably going to get worse before it gets better, and I really hope it does not get to a point that it deters people using e-mail."

Published: 2003/12/26 03:29:14 GMT

2003-12-17T00:17:00.000-05:00

Fact Sheet: President Bush Signs Anti-Spam Law
http://www.whitehouse.gov/news/releases/2003/12/20031216-4.html

FTC Chair Tim Muris Hosts Ask the White House.
Read the transcript here.

On December 16, 2003, President Bush signed into law the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), which establishes a framework of administrative, civil, and criminal tools to help America's consumers, businesses, and families combat unsolicited commercial e-mail, known as spam.

The new law is a pro-consumer measure that allows consumers to choose to stop further unsolicited spam from a sender. It also provides a protection against spam containing unmarked sexually-oriented or pornographic material.

Background on Today's Presidential Action

Spam is a problem for Americans. E-mail is an extremely important and effective means of communications and is used by millions of Americans on a daily basis for personal and commercial purposes. Its convenience and efficiency, however, are increasingly threatened by the rise in spam. Spam currently accounts for over half of all e-mail traffic. Today, most spam is fraudulent or deceptive in nature. The growth in spam also imposes significant costs on Internet Service Providers (ISPs), businesses, and other organizations, since they can only handle a finite volume of e-mail without making further investments in their infrastructure.

The law provides a well-balanced approach that will help to address some of the harmful impacts of spam. The problems associated with spam cannot be solved by Federal legislation alone, but will require the development and adoption of new technologies. Nonetheless, the law will help address the problems associated with the rapid growth and abuse of spam. The new law establishes important "rules of the road" for civil enforcement by the Federal Trade Commission (FTC), other Federal agencies, State attorneys general, and ISPs to help curb spam. It also creates new criminal penalties to assist in deterring the most offensive forms of spam, including unmarked sexually-oriented messages and e-mails containing fraudulent headers. At the same time, the law caps statutory damages for civil violations in most cases. The law also provides greater certainty in interstate commerce for businesses that would otherwise face a wide diversity of state laws on spam.

The law builds upon the Administration's efforts to empower consumers with choices in the technology field. Under the law, consumers are provided with a choice not to receive any further unsolicited messages from a sender. Senders that do not honor a consumer's request are subject to civil penalties.

The law strengthens a cornerstone of the Administration's agenda to help protect children against pornography. The law makes spam containing unmarked sexually-oriented material a criminal offense. The labeling requirement gives parents a tool to protect their children from such messages. Under the law, senders of e-mail are required to place warning labels on messages containing sexually-oriented or pornographic material. If they knowingly violate this requirement, spammers are subject to fines or imprisonment.

The Administration supports the law's tools to help deter the harmful effects of deceptive and misleading spam. The law establishes both civil and criminal prohibitions to deter spammers from using false or misleading identification, and imposes penalties against spammers for these violations.
--------------------------------------------------------------------------------

2003-12-16T12:02:00.000-05:00

President Signs Legislation Aiming to Stem Flood of Spam
By THE ASSOCIATED PRESS

Filed at 11:07 a.m. ET

WASHINGTON (AP) -- President Bush signed legislation Tuesday meant to stem the flood of unwanted e-mail pitches, a problem he believes is hurting the economy.

``Spam, or unsolicited e-mails are annoying to consumers and costly to our economy,'' White House spokesman Scott McClellan said after Bush signed the bill. ``This will help address the problems associated with the rapid growth and abuse of spam by establishing a framework of technological, administrative civil and criminal tools, and by providing consumers with options to reduce the volume of unwanted e-mail.''

The bill was among seven Bush was signing during the day, measures that will also help needy families buy their first homes and give flight attendants lessons in self-defense.

In the Oval Office on Tuesday morning, Bush signed the so-called ``can spam'' legislation. Passed by Congress earlier this month, the measure outlaws the persistent techniques used by e-mailers who send tens of millions of messages each day to peddle their products and services.

The bill supplants anti-spam laws already passed in some states, including California. It also encourages the Federal Trade Commission to create a do-not-spam list of e-mail addresses and includes penalties for spammers of up to five years in prison in rare circumstances.

``Spam and unsolicited e-mails are annoying to consumers and are costly to U.S. business,'' Claire Buchan, deputy White House press secretary said. ``This legislation will help address the problems associated with the growth and abuse of spam.''

In the afternoon, the president was to go to the Department of Housing and Urban Development to sign the American Dream Downpayment Act. It is aimed at helping families that can afford monthly mortgage payments but not the initial costs associated with buying a house.

Three-fourths of non-minority Americans own their own homes, but less than half of blacks, Hispanics and other minorities are homeowners. Through grants to state and local governments, low-income families would receive an average of about $5,000 to be help cover downpayment and closing costs on a first home

2003-12-15T14:47:00.000-05:00

Spam slayers
Guardians of your in box fight on two fronts: In cyberspace, and in the courts
By BILL HUSTED and ANN HARDIE
The Atlanta Journal-Constitution

2003-12-11T14:10:00.000-05:00

Spam laws a hash, experts say
http://www.guardian.co.uk/online/spam/story/0,13427,1104923,00.html
by Jane Perrone and agencies
Thursday December 11, 2003

New European laws come into force today aimed at curbing the stream of unsolicited emails that chokes the inboxes of most internet users, but spam experts have condemned the measures as toothless and loophole-ridden.
The EU regulations make it a criminal offence to send unsolicited commercial emails or text messages unless the receiver has agreed in advance to receive them.

The government described the law as a "step in the right direction" in the fight against unsolicited emails. Net users may not notice a reduction in the number of junk mail messages they receive, however, as most spammers are located outside EU jurisdiction.

The Spamhaus Project, a global spam-fighting organisation, estimates that spam make up 60% of all email traffic on the western internet, with 90% of the junk emails received in the UK originate in the US.

"Britain's much anticipated anti-spam law has been rendered toothless and will now do very little if anything to stop spam in the UK," Spamhaus said in a press statement.

Spam expert Lindsay Marshall, a computing science lecturer at Newcastle University, also criticised the legislation.

"The problem is that almost all spam originates from outside Europe, particularly the USA, but this law applies only to the European Union. This law is the right idea in principle but to be honest, it will have no noticeable effect," he said.

Firms using tracking devices such as cookies on their websites will also have to tell users and provide an opportunity to reject them.

Businesses which have established relationships with their customers are exempt from the new laws, in an attempt to ensure that business-to-business e-marketing is not affected.

Spamhaus is also concerned about this exemption.

"Britain's firms will continue to suffer the onslaught of ever more spam, now from spammers claiming legality. The likely outcome of this is that addresses deemed to be "business" such as "sales@company.co.uk" will be rendered useless for anything but receiving adverts."

Companies or individuals that break the laws can be reported to the office of the information commissioner, which has powers to take them to court.

The penalties imposed by the EU Directive on Privacy and Electronic Communication have also been criticised by Spamhaus.

The law states that companies in the EU that continue to send spam will face fines and, in certain circumstances, can be sued by the recipients.

In the first instance, magistrates can levy fines of up to £5,000 - a sum Spamhaus described as a "mere slap on the wrist" for spammers who can net thousands of pounds a week from their activities. However the organisation can also be referred up to trial by jury, where there is no limit to fines.

2003-12-11T10:24:00.000-05:00

Canning Spam - The new anti-spam legislation is almost here. If we're lucky, it won't make matters worse.
by Katherine Mangu-Ward, The Weekly Standard [article here]
12/11/2003 12:00:00 AM

ANTI-SPAM LEGISLATION landed on the president's desk on Monday with a loud splat. It is a patchwork of the nice-sounding, completely useless bits from the different proposals, all rolled into one.

When politicians say "there is no silver bullet," it's a sure sign that the bill they're talking about is useless at best. And that's exactly what backers of anti-spam legislation have been saying for the last year as they hashed out a bill that was supposed to rid Americans of the spam clogging their inboxes.

But knowledge of politician-speak is not required to figure out that the CAN-SPAM Act of 2003 won't do much good. FTC Chairman Timothy Muris (who ought to know) said of the bill's central feature, the "Do Not Spam" registry: ''My advice to consumers would be: Don't waste the time and effort to sign up.''

Championed by Democrat Charles Schumer of New York, the registry is modeled on the extremely popular "Do Not Call" list. But email addresses don't work the same way as phone numbers. For one thing, there are a finite number of phone numbers (we know how many possible combinations exist and how many are in use) but there are an almost infinite number of possible email addresses, and no one knows how many exist now. This makes establishing a database a tricky exercise.

There's also the question of how to keep the database secure. If the list is accessible thorough the Internet, it's every spammer's dream--a government-maintained database of valid email addresses ripe for hacking.

Finally, there's the enforcement problem. The anonymity of the Internet is one of its charms. Anyone can create as many addresses as he wants and can use a different name for each one. Tracking down spammers is expensive and difficult--and a registry won't help.

Neither will the requirement that spammers include a physical address in their emails. Think about how annoyed you are when you open your inbox and find 20 unwanted email advertisements. Wouldn't you be tempted to take matters into your own hands if you found out your spammer lived right down the block? Spammers will not include their addresses as long as they feel secure that they will not get caught. And they won't get caught unless they identify themselves. In other words, they're safe. The worst spammers are already vulnerable under anti-fraud statues, but those laws haven't stopped them, and neither will new ones.

The mandatory inclusion of an opt-out link in every email is also self-defeating. The FTC found that 63 percent of email list removal requests are not honored. Internet users have learned not to trust opt-out links. And because the opt-out laws don't apply to international spammers (who make up an ever-increasing contingent, as they move overseas to further minimize the possibility of prosecution) many of the links will still be phony. They will serve only to confirm that the email address is working and elicit a flood of new emails.

The legislation sent to the president also contains a requirement that emails with "adult content" must be labeled in the subject line. An April report by the FTC found that only 2 percent of email in the states that currently requires labeling of commercial and pornographic emails adhered to the laws. There's no reason to think that there will be a change in this shockingly low compliance rate just because a national mandate exists.

Senator Ernest Hollings has vowed to ''ride herd'' on the FTC to come up with a plan for the registry. That sounds good on C-SPAN, but while the legislation authorizes a registry, it doesn't mandate one. And the FTC shows every sign of producing a comprehensive study six months from now that politely says "fat chance" to the registry and the rest of Congress's efforts to convince the public that they can stop spam.

Katherine Mangu-Ward is a reporter for The Weekly Standard.

2003-12-08T19:07:00.000-05:00

Posted 12/5/2003 8:07 PM
Yahoo proposes new Internet anti-spam structure
By Ben Berkowitz, Reuters
LOS ANGELES — Internet services company Yahoo Friday said it is working on technology to combat e-mail spam by changing the way the Internet works to require authentication of a message's sender.
Yahoo said its "Domain Keys" software, which it hopes to launch in 2004, will be made available freely to the developers of the Web's major open-source e-mail software and systems.

Spam — unwanted Internet e-mail, direct advertising, body part enlargement, and other commercial endeavors on the Web — has quickly become Web surfers' Public Enemy No. 1 as inboxes around the globe are clogged with hundreds of such messages daily.

Governments around the world are working on legislation to reduce spam, but in the interim a number of companies have stepped in with technology proposals designed to filter and block the electronic detritus.

Under Yahoo's new architecture, a system sending an e-mail message would embed a secure, private key in a message header. The receiving system would check the Internet's Domain Name System for the public key registered to the sending domain.

If the public key is able to decrypt the private key embedded in the message, then the e-mail is considered authentic and can be delivered. If not, then the message is assumed not to be an authentic one from the sender and is blocked.

"One of the core problems with spam is we don't know, Yahoo doesn't know, the user doesn't know ... if it really came from the party who it says it came from," Brad Garlinghouse, vice president for communication products at Yahoo, told Reuters. "What we're proposing here is to re-engineer the way the Internet works with regard to the authentication of e-mail."

While it might seem that Yahoo would need essentially all of the world's e-mail systems on board with Domain Keys for it to work, Garlinghouse said the technology would work if even a few major providers adopt it.

"If we can get only a small percentage of the industry to buy in, we think it can have a dent," he said.

Andrew Barrett, executive director of the SpamCon Foundation, an anti-spam organization, said Yahoo's sheer size in online e-mail would give the technology a boost.

"The fact that Yahoo, one of the four big players in the space, is making it happen gets it a long way there," he told Reuters. "It's a great tool to have in the toolbox."

Garlinghouse also argued that Yahoo's proposal should be attractive to other e-mail providers because it is free and comes with no special restrictions.

"You look at a lot of the proposals for spam management out there (and) they king-make," he said. "Are we trying to propose something that benefits us disproportionately? Not at all."

SpamCon's Barrett cautioned, though, that implementation would not be without its costs.

"It's a good approach for those that are willing to use it," he said. "Any kind of cryptographic solution is going to involve some computing overhead, and that's not cheap."

2003-12-03T04:58:00.000-05:00

Why the New Federal "CAN Spam" Law
Probably Won't Work
By ANITA RAMASASTRY
http://writ.news.findlaw.com/ramasastry/20031203.html
----
Wednesday, Dec. 03, 2003

Both the House and the Senate have now approved anti-spam legislation. ("Spam," of course, is unsolicited email.) First, the House approved an anti-spam bill, 392-5. Then, the Senate unanimously approved a version of that bill with minor technical changes, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, which is also referred to as the CAN Spam Act.

In early December, due to these changes, the House will have to vote once again on the CAN Spam Act, but it seems a foregone conclusion that it will pass. Moreover, it appears very likely that President Bush will sign the bill into law.

In theory, that's a good thing: Congress's findings noted that "[u]nsolicited commercial electronic mail is currently estimated to account for over half of all electronic mail traffic, up from an estimated 7 percent in 2001, and the volume continues to rise." At this point, there's little question that spam is a big, and growing, problem.

Indeed, some reports estimates that industry loses up to $10 billion a year in terms of lost productivity and investment in software and other resources to filter spam. And the Pew Internet & American Life Project recently reported that 70 percent of e-mail users say spam has made their online experience unpleasant or annoying.

Unfortunately, in practice, the new anti-spam law -- while well-intentioned -- may be ineffective. The sad news is that the new legislation is unlikely to achieve its goal of eliminating the bulk of the spam we receive.

The Specifics as to What the Anti-Spam Legislation Will Prohibit

To begin, the new law will not prohibit all spam.

Instead, it will require that spam be truthful, and it will provide the government with enforcement mechanisms to go after fraudulent or deceptive spammers. They would face fines of $250 for each e-mail pitch -- fines that could total up to $6 million for the most serious offenders.

It would also forbid senders of commercial e-mail from disguising themselves by using incorrect return e-mail addresses or misleading subject lines, and sets criminal penalties for those who do. (E-mail containing pornography would also have to be specially labeled in the subject line.)

In addition, it would prohibit "harvesting" email addresses. ("Harvesting" is the practice whereby spammers grab email addresses from Internet chat rooms, blogs and other sources without the permission of the website or its members/users.)

Who would enforce these provisions? The federal law does not allow individual e-mail users to sue spammers. Instead, the Federal Trade Commission (FTC), other federal agencies, Internet Service Providers , and state attorneys general can sue on behalf of Internet users.

In theory, these provisions should have a big impact. An FTC study conducted earlier this year found that two-thirds of spam contains a false claim. At most, according to the FTC, only 16.5 percent of spam is from legitimate advertisers peddling legal products.

What about that final 16.5 percent, though? Under the new law, consumers can choose to "opt out" of receiving it. Spammers will be required to provide an "opt out" mechanism within the email itself.

And ultimately, the FTC may be asked to establish a "Do Not Spam Registry" similar to the recently created federal "Do Not Call Registry." (If passed, the current bill would require the FTC to come back to Congress within six months with recommendations on how to set up such a registry.)

In theory, registering with a Do Not Spam Registry ought to mean that one will never be spammed again. By adding one's email address to a central directory, a consumer would theoretically notify all potential email marketers that he wished to receive no unsolicited commercial email.

In reality, however, that almost certainly won't be the case -- for several reasons.

Why the Anti-Spam Legislation May Well Be Ineffective

Why won't the spam law work?

First, much of the illegal or deceptive spam that we receive in the United States comes from overseas. (For example, many of us have received letters from purported relatives of Nigerian dictators -- part of a wave of fraudulent spam that is initiated from overseas.)

It will be difficult to find international spammers and to bring them to justice - even when we do know who they are, which is rare. Last week, the Nigerian government announced last week that it has set up a presidential panel to tackle economic crimes committed via the Internet, which is a step in the right direction. International measures will be necessary to truly eradicate fraudulent spam.

Second, even U.S.-based spammers will similarly be able to move their operations offshore and continue to operate from there.

Third, even if spammers stay within the U.S., it may be still hard to enforce the law against them. It is one thing to sue a spammer; getting him to pay a fine or judgment is quite another matter. Individuals or small businesses may not have the deep pockets to pay even if they are inclined to, which is unlikely.

Fourth, spammers may simply ignore the Do Not Spam registry -- as FTC Chairman Timothy Muris predicts.

A Downside of Federal Legislation: Sweeping Away State Anti-Spam Laws

In some states, the federal law may even make the spam situation worse. The new law expressly preempts existing state anti-spam laws - which often provide greater protections for consumers.

Thirty-five states currently have such laws. Unlike the federal law, many of these existing state laws allow individual email recipients to sue spammers directly -- whether or not the state attorney general agrees.

California's new law -- which was scheduled to go into effect on January 1, 2004 -- is an example of a state anti-spam law more restrictive than the new federal law. It would have banned even truthful spam, as long as it was unsolicited (unless it was from a business with which the customer had an existing relationship). It would have made not only spammers, but also the advertisers who use spammers' services, liable. The scope of the California law was controversial and provided an impetus for marketers to push for new federal legislation instead.

The Do Not Spam Registry May Be Subject to First Amendment Challenge

There's no First Amendment problem, of course, with restricting or penalizing lies or fraud. But what about restricting truthful commercial speech?

The First Amendment protects commercial speech. And the Do Not Spam Registry restricts commercial speech. (Indeed, it singles out unsolicited commercial emails - rather than unsolicited charitable or political email, which may be equally unwanted and annoying to some.)

As Michael Dorf has explained in a prior column for this site, the Do Not Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the fate of a similar do-not-spam registry is similarly an open question

In the End, The Best Solution Will Likely Be Technological, Not Legal

Ultimately, the real solution to spam, I believe, will be more likely technological than legal, or some combination of these two, and potential other, approaches.

Current technological solutions are only partial. As filters have improved, spammers have responded by sending even more mail to ensure that at least some gets through. Filtering and antivirus companies often seem one step behind the rapidly evolving methods of clever spammers. For instance, recently, messages masquerading as security notices from software companies -- and including viruses -- have managed to work their way through filters.

The best way to solve the intractable problem may be changing the very architecture of e-mail itself. Internet-standard-setting bodies are examining ways of revising the code for delivering email so that ISPs can check whether the origin of incoming e-mail has been faked. Such "spoofing" is a main reason spam goes undetected. Such changes would take years to be implemented and deployed by every network around the world.

In the short run, some technologists have recommended "challenge/response" systems as a solution. These systems allow users to send direct messages only to people who have the sender's email address in their address books. When you e-mail a stranger, the system sends back a puzzle/question to which only a human, not an automated spam program, can respond with a solution. Give the correct response, and the e-mail goes through; if not, it doesn't.

Such systems are not without critics, however. Some say they create additional email traffic - thus congesting networks further.

On a more basic level, every e-mail user can take basic steps to fight spam: Activate available spam filters. Never reply to spam, even in order to "unsubscribe," unless you are sure the sender is a legitimate business. Do not give out your primary email address too broadly, and review the privacy policies of websites where you register, to make sure they won't sell or circulate your email address to third parties. .

At this point, self-help may still be the best remedy for the headache caused by spam. And unfortunately, that will probably still be the case even after the federal "CAN Spam" law goes into effect.

2003-11-21T15:39:00.000-05:00

Congress Poised for Vote on Anti-Spam Bill
Declan McCullagh, Staff Writer, CNET News.com

Congress has reached an agreement on antispam legislation and could vote on it as early as Friday afternoon, a move that would end more than six years of failed attempts to enact a federal law restricting unsolicited commercial e-mail.

Negotiators from the U.S. Senate and House of Representatives said Friday that the legislation was a "historic" accomplishment with support from key Democrats and Republicans in both chambers. "For the first time during the Internet-era, American consumers will have the ability to say no to spam," House Energy and Commerce Committee Chairman Billy Tauzin, R-La., said in a statement.

A spokesman for Tauzin said "they should have it on the floor later today" in the House, adding that aides were working behind closed doors to finalize the bill and that complete details were not available.

The broad outline of the legislation, however, shows that it is a modest compromise and not as far-reaching as some antispam advocates had urged. It establishes a "do not spam" registry to be run by the Federal Trade Commission, makes it a crime punishable by up to five years in prison to send fraudulent spam, and imposes an "opt out" standard instead of a more stringent "opt in" requirement. Unsolicited bulk e-mail from nonprofit groups, politicians, and charities would not be regulated.

Still unclear is whether the bill would pre-empt more restrictive state laws such as one enacted in September by California. That law establishes an opt-in standard and is scheduled to take effect Jan. 1.

The compromise bill has the support of nearly every politician who has been active in the spam debate, including House Judiciary Committee Chairman James Sensenbrenner, R-Wis.; Energy and Commerce Committee ranking member John Dingell, D-Mich.; and Sens. John McCain, R-Ariz.; Conrad Burns, R-Mont.; Fritz Hollings, D-S.C.; and Ron Wyden, D-Ore.

The Senate approved its version of an antispam bill in October, but the House deadlocked between competing measures supported by Tauzin and Sensenbrenner. Partisan squabbling between Democrats and Republicans earlier in the year over who could claim credit for an antispam law also delayed the process.

2003-11-13T21:06:00.000-05:00

Note to self... read the following:

http://instapundit.com/lawrev/denningark.htm
http://instapundit.com/lawrev/denningwisc.htm

2003-11-05T15:33:00.000-05:00

From: Steve Linford nospam_linford@spamhaus.org
Subject: Spammers release virus to attack Spamhaus.org
Date: Sun, 02 Nov 2003 20:56:59 +0000

FOR IMMEDIATE RELEASE

Spammers release virus to attack Spamhaus.org.

A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.spamhaus.org, www.spamcop.net and www.spews.org. The W32/Mimail-E virus is the latest in a string of viruses, each one released by spammers for the purpose of creating a vast worldwide zombie network of spam-sending machines and building an attack network consisting of hundreds of thousands of virus-infected zombie computers with which the spammers then attack anti-spam organizations.

W32/Mimail-E is designed to infect millions of computers causing them to each begin making overwhelming amounts of bogus requests to Spamhaus.org's web server, www.spamhaus.org, and also attacks the web servers of www.spamcop.net and www.spews.org. Spamhaus began coming under massive distributed Denial of Service (dDoS) attacks in July 2003, soon after the release of the SoBig.E virus and the Fizzer virus.

In June Spamhaus stated that spammers had now moved from simple spamming through open proxies to actually manufacturing and sending out viruses to create a network of spam proxies, infecting hundreds of thousands of mainly home-user machines on broadband (ADSL) lines. Fizzer (W32/Fizzer-A) in particular is a wide-spread worm which spreads by emailing itself to contacts in Microsoft Outlook and Windows address books. The purpose of Fizzer is to install a miniature web server (which the spammers then use to host "make-penis-fast" web sites on) and a DoS attack tool specifically for attacking anti-spam organizations. In August and September 4 anti-spam systems were forced into closure under overwhelming dDoS attacks that hit them for weeks at a time.

Spamhaus itself was subjected to the same intense dDoS attacks for 3 months but survived thanks to its large distributed network capable of absorbing attacks. Still, expecting more attacks, and with no intervention by Law Enforcement, in mid September we moved the Spamhaus web site behind an anti-dDoS device known as iSecure supplied by Melior CyberWarefare Defence (www.ddos.com) and can therefore now withstand the waves of dDoS attacks. Spamhaus does know the two groups of spammers and teenage crackers behind the dDoS attacks, and we know the same groups are involved in the creation and sending of the viruses. We know who and where they are and will be releasing our information on them in a week's time to focus press on them in order to speed up their apprehension.

Steve Linford
The Spamhaus Project
http://www.spamhaus.org

2003-11-05T14:43:00.000-05:00

ANTI-SPAM LAW GOES INTO FORCE IN EUROPE
Associated Press

European Union digital privacy rules came into force Friday requiring companies to get consent before sending e-mail, tracking personal data on Web sites or pinpointing callers' locations via satellite-linked mobile phones. The law steps up the global war on spam and "is a key tool to strengthen consumer confidence in the Internet and electronic communications," said EU Enterprise Commissioner Erkki Liikanen.

http://news.findlaw.com/ap/ht/1700/10-31-2003/20031031073002_15.html

2003-11-04T15:24:00.000-05:00

Press Release
Illegitimate email much higher than reported.
Santa Barbara, CA -October 29, 2003

Illegitimate email messaging over the Internet is currently greater than 90% according to Solid Oak Software, Inc. publishers of Alligate, a powerful anti-spam email gateway product. There are numerous recent reports that have indicated that spam accounts for 50-60% of all email traffic, however these figures are misleading according to Brian Milburn, president of Solid Oak.

"These numbers generally represent the percentage of spam that users actually receive in their mailboxes." says Milburn. "This does not account for the actual number of attempted message deliveries to invalid addresses, over quota mailboxes, and other undeliverable or undesirable mail."

Alligate works by acting as a gateway that accepts and analyzes all incoming email before it is forwarded to the real email server. It employs techniques to identify spammers with a minimum of wasted bandwidth. One technique used by Alligate is called "Adaptive Tarpitting". Alligate keeps a dynamic list of
recent spammers and when subsequent messages are received from the same source, intentional idle periods between commands are inserted to slow down the spammers throughput. The aggressiveness of this technique is automatically calculated based on the spammers prolificacy.

"A surprising number of spammers simply disconnect after a few seconds of idle activity. Very little data is exchanged, and this can save a considerable amount of bandwidth." Milburn says. "Alligate uses numerous methods at several points during the message receipt process including a highly advanced content
analysis engine that is remarkably accurate in detecting spam. Our goal is not only to eliminate spam, but to considerably reduce bandwidth consumption. Alligate can reduce SMTP bandwidth requirements by 40% or more."

In addition to Alligate, Solid Oak also publishes CYBERsitter, an award winning web filter with over 3,000,000 current users. Many of the Solid Oak's proprietary content management techniques used to identify objectionable web content were adapted for spam detection bringing almost nine years of content management experience to the anti-spam arena.

Alligate is a complete stand alone Windows based SMTP Gateway server. It supports any number of domains and destination servers on any platform. Alligate is designed to remove virtually all of the administration burden from system administrators.

More information:http://www.alligate.com

2003-10-31T13:10:00.000-05:00

New EU laws tackle spam
By Chris Morris, BBC Europe Correspondent

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/europe/3231861.stm

Digital privacy rules aimed at stemming the tide of e-mail "spam" have come into force across the European Union.
The new rules require companies to gain consent before sending e-mails and introduce a ban on the use of spam throughout the EU.

The unwanted junk e-mails, which are collectively known as spam, now make up more than half of all e-mail traffic.

The European Commission says they cost European business nearly $3bn in lost productivity last year alone. So what do you do about it? - You ban spam.

But of course it is not that simple. Most of the spam which hits Europe comes from abroad, particularly from the United States. [ed. note -- It's ironic that Europe argues most spam come from the U.S., while U.S. lawmakers argue most spam comes from outside the U.S. They both can't be right.]

International action

Concerted international action is needed. But there are signs that everyone is waking up to the scale of the problem. Last week a court in California issued a huge fine against one spamming company, and the United States Senate has approved a bill banning spam in the US.

It hopes the House of Representatives will soon follow suit.
None of this will be a quick fix, but it is certainly a start.

The new EU rules also limit the ability of companies to use files known as "cookies", to gain information about people who visit their websites.

It is up to each member state to decide how to punish companies and individuals who break the new rules.

"The law is a key tool to strengthen consumer confidence in the internet and electronic communications, which is a prerequisite for the success of e-commerce," said EU Enterprise Commissioner Erkki Liikanen.

Published: 2003/10/31 17:39:05 GMT
© BBC MMIII

2003-10-25T13:10:00.000-04:00

California wins anti-spam case

By Maggie Shiels
BBC correspondent in San Francisco

California has won a landmark judgement with its first anti-spam ruling after a court fined a marketing firm $2m for sending out millions of unsolicited e-mails telling people how to spam.
The state's attorney general, Bill Lockyer, brought the case against PW Marketing of Los Angeles County and its owners, Paul Willis and Claudia Griffin in 2002, under a 1998 state anti-spam law.

The law was strengthened last month to make it easier to sue spammers.

PW Marketing, Willis and Griffin were charged with sending out millions of e-mails, including advertising $39 guides on how to spam, along with long lists of e-mail addresses of California residents.

Computer tapping

Prosecutors said PW Marketing violated the 1998 anti-spam law because these unsolicited e-mails were sent without a free call number for recipients to phone to stop additional mailings.

They also failed to follow state requirements to include a valid return address.

The state attorney, Bill Lockyer, also said the owners illegally tapped into computer users' network connections so the company could send e-mails that could not be traced back to its source.

The judgement, which Mr Lockyer said will be the model for future spam injunctions, forbids PW Marketing from sending unsolicited commercial e-mails, accessing computers that belong to other people without their permission and disguising its identity by sending messages that appear to originate from a different address.

The injunction also forbids Willis and Griffin from owning or managing any business that advertises over the internet for 10 years.

After 1 January, the state's anti-spam laws will get tougher and will also allow private individuals to sue spammers and collect damages of up to $1,000 per e-mail.

2003-10-23T15:46:00.000-04:00

Senate Anti-Spam Bill Ups Ante for House Action
By Roy Mark, atNewYork.com
October 23, 2003
http://www.atnewyork.com/news/article.php/3097521

With Wednesday night's historic Senate vote to approve the first ever federal anti-spam legislation, the focus now turns to the House of Representatives in Congressional efforts to have a bill on President Bush's desk by the end of the year.

Competing bills in the House containing many of the same provisions of the Burns-Wyden legislation that sailed through the Senate on a 97-0 vote are currently bottled up in the Energy and Commerce Committee. [Read more here].

2003-10-23T10:18:00.000-04:00

Survey: Spam Is Starting to Hurt E-Mail, Erode People's Trust in the Internet World

WASHINGTON, Oct. 22 (AScribe Newswire) -- The recent explosion of e-mail spam is beginning to take its toll on the Internet world. A new nationwide survey shows that 25 percent of America's e-mail users say they are using e-mail less because of spam. Within that group, most say that spam has reduced their overall use of e-mail in a big way.
Further, more than half of e-mail users say that spam has made them less trusting of e-mail in general. One of their fears is that legitimate e-mails might be turned away by filters designed to stop spam. Another is that they'll simply miss incoming e-mail from friends, family, or colleagues amid the clutter of spam in their inboxes.
A new report entitled "Spam: Hurting e-mail and degrading the Internet environment," [report here, PDF; questionaire, here, PDF]by the Pew Internet & American Life Project, includes scores of stories gathered in a Web-survey by the Washington-based Telecommunications Research & Action Center about how spam has affected people's experience with e-mail and changed their views about the value of e-mail.

"People just love e-mail, and it really bothers them that spam is ruining such a good thing," said Deborah Fallows, Senior Research Fellow at the Pew Internet & American Life Project and author of the report. "People resent spam's intrusions; they are angered by its deceptions; and they are offended by much of the truly disgusting content."

Here are some other key figures from a national phone survey of 1,380 Internet users conducted by the Pew Internet Project in June. The survey has a margin of error of plus or minus three points:

75 percent of e-mail users are bothered that they can't stop the flow of spam, no matter what they do
70 percent of e-mail users say spam has made being online unpleasant or annoying.
55 percent of e-mail users say they get so many unwanted e-mail messages in their personal account that it's hard to get to the ones they want
30 percent of e-mail users are concerned that their filtering devices may block incoming e-mail that is important to them.

Despite their dismay, most Internet users keep the issue of spam in perspective. For them, spam takes its place next to life's other annoyances, like telemarketing
calls. Further, many users believe they know how to behave in a spam-saturated environment. The most popular way of dealing with spam is to simply click "delete." More than 2/3 have made a more aggressive move, clicking to "remove me" from future mailings, although many voice concern that doing so only leads to more spam.
And most e-mail users are judicious about guarding their e-mail addresses in hopes of avoiding spam. A minority employ their own filters, either in work or personal accounts.
At the same time, there is evidence in the survey that enough Americans respond to offers in unsolicited e-mail to sustain spam as a viable, lucrative endeavor. Some 7 percent of e-mailers - more than eight million people - report they have ordered a product or service that was offered in an unsolicited e-mail. Fully a third of e-mail users say they have clicked on a link in unsolicited commercial e-mail to get more information.
The report argues that Americans are somewhat fuzzy when it comes to defining spam, an issue of critical importance to legislators as they tackle anti-spam legislation in Congress. There is consensus that spam is "unsolicited commercial e-mail from a sender you don't know." However, messages with religious, political, or charity fundraising content are spam to some users, but not others. And users have varying answers about how businesses should interpret their prior relationship with customers. There is not a clear consensus among users about the circumstances under which they are "known" by a seller or "have a relationship with" a firm.

"The general findings are striking, but inside the data are even more disturbing details about the reactions women and parents have with pornographic spam," said Fallows. "Pornographers deserve a special place in hell as far as they are concerned."

The Pew Internet & American Life Project is a non-profit, non-partisan research organization funded by the Pew Charitable Trusts to examine the social impact of the Internet. The spam report is posted at http://www.pewinternet.org.

The Telecommunications Research & Action Center (TRAC) is a nonprofit organization that promotes the interests of residential telecommunications customers. Their stories cited in the report come from a compilation of more than 4,000 first-person narratives about spam that were solicited since September of 2002. As part of a campaign to fight unsolicited commercial e-mail, TRAC invited Internet users to submit stories about their personal experiences with spam.

-30-

2003-10-23T01:07:00.000-04:00

Senate Votes to Crack Down on Some Spam
By DAVID FIRESTONE and SAUL HANSELL

ASHINGTON, Oct. 22 — The Senate on Wednesday agreed to crack down on the torrent of unsolicited messages clogging the nation's e-mail inboxes, voting unanimously to outlaw the methods used by most spammers and to allow the creation of a national do-not-e-mail registry.

The action does not mean that advertisements for everything from painkillers and penis-enlargement pills to mortgages and weight-loss schemes will disappear from computers anytime soon. The House has barely begun to work on a matching bill, and even if the legislation becomes law next year, many experts have raised doubts about whether any federal action will be effective against renegade e-mailers.

But the 97-to-0 vote on Wednesday gives senators something to show the vast numbers of furious voters who have complained about the mountains of spam they encounter every morning. Many of the messages are pornographic or otherwise offensive, which increased the eagerness of lawmakers to find a way to reduce, if not eliminate, the volume of commercial e-mail.

"When this bill becomes law, big-time spamming in effect becomes an outlaw business," said Senator Ron Wyden, Democrat of Oregon and one of the chief sponsors of the bill.

The bill approved Wednesday would prohibit the use of false or deceptive headers on e-mail messages, which most spammers use to disguise their identities. All advertising messages would have to bear legitimate return addresses, as well as the abbreviation "ADV" or some similar indication of its content so that recipients could filter them away. Messages with sexual content would have to bear the equivalent of a warning label.

The bill also requires the Federal Trade Commission to begin planning a national registry of e-mail addresses of people who do not want to receive unsolicited commercial messages, similar in concept to the popular do-not-call list that was recently established to thwart telemarketers.

But the proposed registry, championed by Senator Charles E. Schumer, Democrat of New York, has produced widespread skepticism about its effectiveness, drawing a scathing comment not long ago from the chairman of the trade commission.

"If such a list were established, I'd advise customers not to waste their time and effort," Timothy Muris, the F.T.C. chairman, said in August. "Most spam is already so clearly illegitimate that the senders are no more likely to comply with new regulations than with the laws they now ignore."

But Mr. Schumer said Wednesday that Mr. Muris and others skeptical of his proposal were against any attempt to limit spam. "This is not a perfect solution," he said. "It's just the best solution we have. It will still be a lot better than what we have now."

The telephone registry requires telemarketers to compare their lists with the do-not-call list, and remove anyone who does not want to receive calls.

The spam registry, by contrast, would not be provided to spammers, who might consider it a gold mine of e-mail addresses to exploit. The technical means of making a do-not-spam list effective have not been worked out, and Mr. Schumer said the F.T.C. would have to come up with a way for e-mailers to submit their messages to the commission or another agency to be checked against the encrypted master list.

Assuming they could be caught, violators could be subject to fines of $10 per e-mail, up to $1.5 million for willful violations, and could be imprisoned for up to five years if the spam advertises a fraudulent scheme, child pornography or leads to identity theft. Those who send out more than 2,500 messages in any 24-hour period would be subject to three years in prison.

Lawmakers said they hoped the penalties would make spammers think twice before sending out millions of messages, and predicted that federal authorities would be able to track down many of the biggest and most offensive e-mailers.

Major e-mail marketers generally supported the bill — especially the provision that supersedes the growing patchwork of state antispamming laws — but they strongly objected to the do-not-spam registry.

"We think the do-not-e-mail list is a genuinely bad idea," said H. Robert Weintzen, the president of the Direct Marketing Association. He said such a list would not be respected by large spammers, but would restrict the use of e-mail by law-abiding companies. "It is simply unfair and would discriminate against the good guy and particularly the little guys," he said.

David Sorkin, an associate professor at the John Marshall Law School in Chicago and an expert on spam laws who favors banning nearly all unsolicited e-mail, objected to the bill and said it would have the opposite effect of the one intended.

"This bill legalizes spam that isn't fraudulent," he said, because it simply requires that the sender and the contents of commercial e-mail messages be accurately described. "There will be a lot more spam by legitimate marketers because they will be able to point to the federal law and say, `We are following all the rules.' "

But he said the registry had the potential to rectify that problem if the F.T.C. made it easy to use and allowed companies and Internet service providers to register entire blocks of names at once.

"If America Online could put every address at AOL.com in the registry, then you would have a law that could effectively ban spam."

That provision is not in the law, but Mr. Schumer said it was the Senate's intention that the commission allow entire domain names, like aol.com, to be blocked from spam through the registry.

To e-mail marketers, the most important part of the Senate bill was a provision that overrules most of the spam laws passed by states.

"I am thrilled beyond words," said Michael Mayor, president of Netcreations, a New York firm that assembles e-mail marketing lists. "Now we will have one standard for responsible e-mail instead of the 37 state laws we have now."

What is most significant, he said, is that the bill would overturn a California law, scheduled to take effect Jan. 1, that would ban all commercial e-mail sent to or from California that was not requested in advance. That would appear to ban the sort of marketing lists that Netcreations operates.

The Senate bill takes a different approach, hoping that spammers will not be able to withstand the combination of the registry and the requirement for legitimate return addresses and subject lines.

David Firestone reported from Washington; Saul Hansell from New York.

2003-10-23T00:11:00.000-04:00

Senate Votes for Tough Limits on Spam
By TED BRIDIS AP Technology Writer

WASHINGTON (AP) - The Senate agreed Wednesday to impose tough new limits on the irritating but lucrative business of e-mailing unwanted sales pitches to millions of people in the United States.

Internet users have complained about mailboxes clogged with offers for prescription drugs, cheap loans, herbal remedies and pornography.

The Senate voted 97-0 to approve the "Can Spam" bill. The measure outlaws the shadiest techniques used by many of the Internet's most prolific e-mailers, who pump out millions of unsolicited messages daily. Despite the vote, senators cautioned computer users not to expect an immediate end to overflowing inboxes.

"The odds of us defeating spam by legislation alone are extremely low, but that does not mean we should stand idly by and do nothing about it," said John McCain, R-Ariz., chairman of the Senate Commerce, Science and Transportation Committee.

The bill, sponsored by Sens. Conrad Burns, R-Mont., and Ron Wyden, D-Ore., prohibits senders of unsolicited commercial e-mail from disguising their identity by using a false return address or misleading subject line. The legislation also bans senders from harvesting addresses off Web sites and requires such e-mails to include a mechanism so recipients can indicate they do not want future mass-mailings.

The Bush administration supports the bill, although similar legislation has stalled in the House. Sens. John Edwards, D-N.C., John Kerry, D-Mass., and Daniel Inouye, D-Hawaii, missed the vote.

"Kingpin spammers who send out e-mail by the millions are threatening to drown the Internet in a sea of trash, and the American people want it stopped," Wyden said. Acknowledging problems with e-mails originating overseas, he urged other countries to approve similar limits.

Burns said time spent by consumers wading through unwanted messages and the costs to businesses and Internet providers delivering them were "escalating and wide-ranging." Under the bill, he said, "people will think twice before they send it, and that's the answer."

The bill also requires commercial e-mail senders to include their physical address, along with a clear notice that the message is an advertisement or sales pitch.

Violators could be sentenced for up to three years in prison under an amendment by Sens. Orrin Hatch, R-Utah, and Patrick Leahy, D-Vt., leaders of the Judiciary Committee. Their provision explicitly bans spammers from, among other practices, hacking into computers to use as surreptitious relay points to disguise the origin of unwanted e-mails.

Hatch said the bill cracks down on unwanted e-mails "without unnecessarily burdening legitimate electronic commerce." The bill was supported by some leading technology companies, such as Microsoft Corp. and America Online, a division of Time Warner Inc. Microsoft blocks roughly 2.4 billion unwanted e-mails daily from subscribers.

Technology companies have developed increasingly sophisticated software to filter unwanted e-mails, but legislation would give consumers one more tool to combat spam. The term was applied to unwanted e-mails after a 1970 Monty Python skit in which an exasperated restaurant customer is urged to order the canned meat product until she screams, "I don't want any Spam!"

One amendment, by Sen. Charles Schumer, D-N.Y., authorizes the Federal Trade Commission to establish a do-not-spam list, similar to the agency's popular do-not-call list of telephone numbers that marketers are supposed not to call. The Direct Marketing Association opposes that amendment and has described it as "a bad idea that is never going to work."

2003-10-10T10:55:00.000-04:00

Disgruntled Phillies Fan Arrested for E-Mail Spams
http://news.findlaw.com/sports/s/20031009/nlphilliesspamdc.html

SAN FRANCISCO (Reuters) - Federal officers arrested a disgruntled Philadelphia Phillies baseball fan in California on charges of hacking into computers and sending thousands of spam e-mails to sports writers at two Philadelphia newspapers, officials said on Wednesday.

Allan Eric Carlson, 39, was arrested on Tuesday at his home in the Los Angeles suburb of Glendale and charged with hacking, spoofing return addresses, launching spam attacks, and identity theft for using fake e-mail addresses, the U.S. Attorney's office said.

He was released on $25,000 bail and ordered not to use the Internet, Michael Levy, assistant U.S. Attorney in Philadelphia and chief of the computer crimes unit, said on Wednesday.

Carlson faces 471 years in prison and $117.25 million in fines, officials said.

He was arrested by the agents with the Federal Bureau of Investigation. Despite a competitive season, the Phillies failed to win a spot in Major League Baseball's championship playoffs.

The spam messages were critical of Phillies management and the media, including one e-mail that had a subject line reading, "Corrupt Philly Media Keeps Phils in Cellar," according to the indictment.

Carlson used fake return addresses, belonging to sports reporters at the Philadelphia Inquirer and the Philadelphia Daily News, the indictment said.

Because many of the e-mail addresses the spam was sent to were bad, they bounced back to the reporters' e-mail accounts, crippling the servers where they were stored, according to the indictment.

###

2003-09-28T20:16:00.000-04:00

Confessions of a Spam King
By JACK HITT, New Yorm Times Magazine, Sept. 28, 2003
http://www.nytimes.com/2003/09/28/magazine/28SPAMLT.html

1. MEET THE SPAMMER

''Click here,'' says my spamming mentor. Hovering over my chair, he points to the computer screen. ''Now click on that file of e-mail addresses there.'' I have been invited by a master for an education in spamming, the practice of blasting millions of unsolicited e-mail messages into the Internet in order to advertise everything from loans with easy terms to women of easy virtue.

''Let's go online and download some software,'' says my guide. His name is Richard Colbert. On the Rokso, or Register of Known Spam Operations (a kind of Most Wanted List for the Internet posted on an antispam Web site called spamhaus.org), Colbert is described plainly: ''Nonstop scam spammer, kicked off so many hosts and I.S.P.s'' -- or Internet service providers -- ''it's hard to count.''

Dressed in blue shorts and a purple T-shirt, Colbert, 31, has blondish hair stuffed under a baseball cap, a prominent diamond earring and a mild twang that betrays his Atlanta origin. He lights up a Monarch menthol as he shows me his computer room, an intimate homemade space built off the side of an aging two-tone mobile home -- robin's-egg blue and white -- which sits among hundreds of Airstreams and Miami Deco single-wides in the Sunset Colony Mobile Home Park in Fort Lauderdale, Fla.

Colbert claims that he's now on a sabbatical from spamming, but he's watching current events and weighing a return. During this interlude, he has agreed to help me learn how the avalanche of solicitations I receive winds up in my online mailbox every day. Who are these guys? Who hires them? How do they get legitimate e-mail addresses? And finally, can federal legislation currently under consideration actually stop them?

First off, Colbert doesn't think about spam the way I do (or, most probably, the way you do). He likes to call it ''bulk e-mailing,'' for starters. And he considers it just one of the many exciting new markets available on the Internet. He's the kind of guy who is always interrupting himself to tell you about some smart economic angle he has figured out, some new edge.

''These shorts are Dockers,'' he says, pointing at the clothes he has on. ''And I got them off eBay. Shirt? Tommy Hilfiger. EBay. Shoes? Nikes. EBay.''

Colbert and I dig around on the Internet until, under his direction, I find a piece of software that allows for mass e-mailing. These are common and legal, used legitimately by professional archaeologists, say, or chess enthusiasts to form an online group and conduct chats or exchange information.

Right away there's a problem. The software we've selected requires registration or payment. But Colbert says he once used this very piece of software, slightly altered, when he worked with some other spammers who live nearby. So he snatches his phone and calls a neighbor for support. A minute later, we are back in business. It turns out that an unusually large number of spammers live in this area, the stretch of beaches north of Miami that old-timers loosely call Boca and new-timers know as a staging ground for the smarmier characters in Carl Hiaasen's novels.

According to Steve Linford, who maintains the Rokso list, there's a good reason that so many spammers wind up on Spam Beach: ''Boca Raton is where they used to run those pump-and-dump investment scams and where the telemarketing sweatshops are.'' The phone scammers and infomercial wannabes of the 80's and 90's -- who themselves supplanted the land speculators who established Florida's earliest cities upon shifting sand and sinking swamps -- have been pushed aside by the new boys on the block, the bulk e-mailers of the Internet.

2. A SPAMMING PRIMER

How does a spammer obtain a million working e-mail addresses? Most simply, there are lists you can buy off the Internet. But there are also other, cheaper, ways. A ''dictionary attack,'' Colbert instructs, is when you blast reams of computer-generated potential e-mail names (Arnie1@hotmail.com, Arnie2@hotmail.com, Arnie3@hotmail.com . . .) and see which ones take. Another good tool is called a spider, a software program that can crawl through Web pages, looking for that telltale symbol: @. Then it simply records everything to the left and right of it, and bingo, it has a good e-mail address. (A good method for avoiding spam, then, is to always type your e-mail address on the Web this way: Arnie at hotmail.com or ArnieREMOVETHIS@hotmail.com. Humans can look at either and figure out what to do; software -- so far -- is helpless.)

Sitting at Richard's computer, I set out to launch my first spam. I append a file of e-mail addresses to the software along with my cover letter -- my spam. To keep everything vaguely legal, my spam is nothing more than a cheerful holiday greeting, at the end of which is a link to bowieltd.com, one of Colbert's Web sites.

The software starts firing, and my notes ricochet through cyberspace. The software monitors which e-mails are returned and tabulates their status. When an ''out of the office'' auto-reply comes back on one e-mail message, Colbert says: ''Oh, we love those. They confirm that the address is active.'' Within six minutes, on a single computer, running through a regular phone line, I have fired off 1,000 e-mail messages.

Which is one of the attractive things about spam for spammers. You don't have to leave your mobile home to do it. There's no door-to-door soliciting for clients, no annual conferences to attend. The business is all neatly contained on your desktop. For instance, how does a spammer find clients willing to hire him?

He spams.

Colbert used to find clients by trolling through AOL's member directory. Many of AOL's 35 million members fill out helpful ''online profiles'' when they join, listing their interests and activities. Colbert used those profiles to turn AOL into a rich and easy source of contacts. He would limit his search by typing in ''business opportunity'' or ''multilevel marketing'' in order to find the sort of small-time sales folks who might be receptive to his offer, then he would spam them all with his pitch.

''I might get 100 responses from 100,000 e-mails,'' Colbert says. He would write back personally to those, asking for the text of the ad they wanted to spam out and relaying his pricing structure: $300 to send out 100,000 messages or $900 for a million. From the 100 people who would agree to hear his personal pitch, he would usually land between two and five contracts. Although this might seem like a pitiful response rate -- one-five-hundredth of one percent is ruinous in any other market -- this one search for spam clients could yield Colbert as much as $14,000.

Colbert describes how he would set his computers for ''send'' with millions of e-mail messages queued up, then go to sleep and let the machinery make the money for him. ''I used to have nine computers bound over five DSL lines on a 10 meg pipe feeding 500K per second per computer,'' Colbert says. ''That's a million e-mails an hour per computer, nine million an hour on a good day.''

His clients were usually small-scale entrepreneurs or Web-site hosts who worked the margins of the online economy: herbal supplements and cut-rate financial services. Sometimes he would be hired to spam for larger, more reputable, companies -- not that he would name any for me. But he did admit that he would try to use the ''cleanest'' lists possible in those cases, to keep down the tsunami of complaints that a company typically receives with each spam blast.

Payment to Colbert was strictly old-school. ''I didn't ever take credit cards,'' he says. He would insist on being paid by money order or check. He explains the risk of credit card payment: ''If the clients didn't get the response they wanted, they'd frequently charge back the fee.''

The majority of spammers are paid a flat fee, Colbert says, and those fees have been dropping. Only five years ago, the top tier of spammers was building ''online marketing'' companies and selling them for astonishing sums, in the millions of dollars. In those heady days, spam enjoyed the same inflated finances as tech stocks. But even after the bubble burst, spam was handsomely profitable. ''I cleared $130,000 in 10 months,'' Colbert says, ''the best money I've ever made.'' As more players enter the market, though, the profits are thinning. ''These days I've seen spam offered as low as $25 for a million addresses,'' Colbert grouses. ''There's still money in it, but it's a lot more work for a lot less.''

3. THE NEW NEW SPAM

Ever since the Federal Trade Commission earlier this year held a spam conference -- which brought together spam recipients, Congress, antispammers and the spammers themselves -- a metaphysical question has emerged: Is there such a thing as good spam versus bad?

Colbert thinks so, and his reasoning has led him to a solution that he predicts will make everyone happy. He recently wrote a letter to both of his senators outlining his thoughts. He said that the only way to stop the ''bad'' spamming -- the scams, the deceptive links, the anonymous porn mailings -- is to sanction a legitimate form of commercial spam with established standards. These might include accurate and functional ''from'' lines, so that when you click ''reply'' to a piece of commercial e-mail you would actually be able to contact the person who sent it. (''From'' lines on most spam e-mail messages are frauds, routed through various computers in order to give the spammer a cloak of invisibility.) Also, each legitimate spam would have a real, working ''remove'' link, so that it would be easy for the recipient to take himself off spammers' lists. Then, according to Colbert's plan, legitimate spammers could drum up business, and spam cops would spend their time tracking the real outlaws.

Another spammer I spoke with, Bill Waggoner, who operates out of Spam Beach West (aka Las Vegas), drew the same distinction. ''Spam is scam,'' said the part-time heavy-metal musician and shortwave talk-radio host who was, according to Rokso, ''one of the Top 10 spammers in the world.'' He claims that all his bulk e-mail is ''clean,'' meaning that each one has a good ''return'' address, contains a working ''remove'' link and sells legitimate goods and services. I couldn't resist pointing out to Waggoner that he has publicly admitted that he pushes an herbal penis-enlargement pill.

''That's not fraud,'' he said. ''If it was fraud, the company wouldn't make any money.'' When I tried to pursue this suddenly slippery definition of fraud, he quickly added, defensively, ''The only sex product I sell is the penis-enlargement pill.''

This debate about good and evil isn't going on just among spammers; it is also currently under way in Congress. Some kind of spam law will probably emerge from Washington in the next year. And it will be the first test of populist digital legislation in Congress since the creation of the Internet.

In the weeks leading up to the August recess, the spam fight in the House got pretty intense. There are two main competing bills, which basically track the two strands of this emerging philosophical argument. The leading one, written by Representative Richard M. Burr, Republican of North Carolina, and sponsored by two influential Republican representatives, F. James Sensenbrenner Jr. of Wisconsin and Billy Tauzin of Louisiana, more or less codifies Colbert and Waggoner's view.

As first written, the Burr bill was meant to outlaw only fraudulent spam, in order to protect commerce on the Internet. ''From our point of view, we are trying to retain e-mail as a legitimate form of commercial activity,'' one Burr staff member said. ''If you want to sell a product, you should be able to do that with e-mail.''

But the public debate on spam is changing fast. Within a few weeks, the momentum moved away from the power brokers like Sensenbrenner and Tauzin and toward less known representatives whose proposals are tougher -- mainly Heather A. Wilson, a Republican from New Mexico, and Gene Green, a Democrat from Texas.

''The Burr bill approaches the problem from the point of view of commerce,'' Wilson observed delicately. ''We approach it from a consumer perspective.''

A core debate regarding spam turns on how you are allowed to say no to spam -- a debate that boils down to the phrases ''opt in'' and ''opt out.'' ''Opt in'' is the toughest; it requires that all bulk e-mailers get your permission before sending any spam. ''Opt out'' allows spammers to flood your mailbox all they want, as long as each individual e-mail message contains a link permitting you to stop all future spams from that one business. This summer, the ''opt out'' provision was the one favored by most members of Congress because it gave marketers and business the greatest leeway. But as the representatives sped toward their summer recess and the levels of spam in their constituents' in-boxes spiked to record-high levels, it suddenly seemed like ''opt out'' was no longer acceptable.

''We are at a tipping point,'' Wilson confessed. ''We may have to get more radical in our solution.''

But according to Colbert, the tipping point for spam will always be just around the corner because spammers are so good at figuring out the potential use (or abuse) of each new technological innovation. Colbert seems to enjoy recounting the many ways he made the tiniest changes in the system work for him.

''I was thrown off more BellSouth accounts than half the state of Florida,'' Colbert says. His name was known, and he was a marked and wanted man. But he found a way around the heat. ''Do you remember when American Express came out with temporary credit cards?'' he recalls happily. ''You could go to the 7-11 convenience store and buy a $25 credit card -- sort of like you buy a $25 phone card, only it was good for just $25 worth of credit.''

Armed with a dozen of these cards, Colbert would go to the BellSouth Web site and create numerous e-mail accounts from which to send spam, each account with a fictitious name and address. Since the credit card couldn't be connected to him in any way, he could spam away until BellSouth finally got around to canceling that particular account. ''They were great, totally untraceable,'' he says of the credit cards. ''They don't sell them anymore. I think it's because of me.''

More recently, spammers have figured out how to send unwanted text messages to cellphones. And new wireless, or ''wi-fi,'' technology, Colbert tells me, is providing spammers with another potential cloak of invisibility.

4. IS THERE AN ANSWER?

So what does a spammer like Richard Colbert fear? Going to jail or going broke? There's a difference, and in that difference is the key to the debate about stopping spam. Despite our ferociously partisan times, the Republicans and Democrats agree on this one thing: prosecuting spam should be the domain of a big Homeland Security-style federal bureaucracy. The only question is, Should it be the Federal Trade Commission or some other agency?

Most of the antispammers prefer a solution known as ''private right of action,'' which would permit consumers to hunt down spammers and sue them for small damages, say $500, in a state district court -- just enough, goes the theory, to ruin the slim profit margin on spamming. Also known as distributive justice, it's the same idea that worked to stop junk faxes a decade ago: ''death by a thousand paper cuts,'' as Ted Gavin, treasurer of SpamCon, an antispam group, likes to call it.

The debate is an old one. Which deters better? A widespread campaign of harassing a lot of midlevel operatives or highly visible arrests of a few kingpins? Washington politicians tend to prefer the latter, because they bring immediate television coverage. In recent testimony before Congress, Orson Swindle, an F.T.C. commissioner, stated this position plainly: ''We need a couple of good hangings here.''

Despite the threat of the noose, spammers yawn at the law-enforcement approach, according to Colbert, for the simple reason that the police are slow and a digital trail goes cold very fast. Most I.S.P.'s record the digital trail of each e-mail message that passes through its system, but these ''mail server logs 2/3'' as they are called, are routinely overwritten and erased. ''You have about 12 hours to track a person on the Internet before the trail goes dead,'' Colbert says. ''Law enforcement is too slow.''

The antispammers, on the other hand, pose a different threat. ''A little known secret about antispammers is that many of them are fairly renowned hackers,'' Colbert says. ''They track spammers in ways that the F.T.C. can't.''

But the distributive-justice approach is all but dead in Congress, at least in part because of the Republicans' deep antipathy for trial lawyers. ''It's not on the table,'' said a Democratic staff member on the Commerce Committee.

Wilson told me that private right of action was not such a bad idea and was interesting to talk about in an intellectual way. ''But I also want to get a bill passed in the House,'' she confessed.

Back in Colbert's mobile home, I ask my spammer guru if he is feeling nervous, now that Congress is in the market for a few high-profile public hangings. Doesn't he fear that Orson Swindle might soon have him in an orange jumpsuit and shackles, doing a prime-time perp walk? ''Congress is full of idiots,'' he notes succinctly. Colbert says he doesn't believe that a strategy of going after a few kingpins will accomplish anything. Politicians will gain some publicity, but in the process, he argues, they will drive smaller operators further underground. ''Spammers will just use even more deceptive practices to keep from getting shut down,'' he says.

So is he getting back in business? Colbert remains cagey with a direct answer, but then sidles over to a file cabinet. He pulls out a CD and twirls it among his fingertips. ''This CD has 200 million e-mail addresses on it,'' he tells me, sounding like a man eager to once again hit ''send.'' I ask him about his old system -- the nine hard drives bound together with a superfast connection speed that could pump out millions of e-mail messages in an hour -- and whether the coming laws make him too nervous to spend money rebuilding his infrastructure.

Colbert seems amused by my assumptions regarding his expenses. As the late afternoon sky turns Boca gold, he fires up another menthol and takes a big, noirish puff. He points under his desk to a recent arrival, a second hard drive, precisely what he would need to begin a new network.

''It's a Dell Pentium 233,'' he says. ''I got it for $15, plus $23.95 shipping.'' A cloud of smoke fills the side room of the single-wide.

''EBay,'' he says with a smile.

Jack Hitt is a contributing writer for the magazine.

2003-09-25T12:15:00.000-04:00

California spam law may face court challenge
By Declan McCullagh
Staff Writer, CNET News.com
http://news.com.com/2100-1024-5082049.html

When California Gov. Gray Davis signed one of the nation's most sweeping antispam laws this week, he didn't end a debate over how the proposal would affect businesses in the richest, most technology-savvy U.S. state.

Davis merely shifted it from the Sacramento statehouse--the scene of tense negotiations among antispam activists, direct marketers and technology companies--into the court system.

More so than any other state antispam law, the California measure is worded so broadly it is thought to be especially vulnerable to expected legal challenges, either from unapologetic spammers who claim it violates their constitutional rights or from legitimate businesses that claim it interferes with traditional marketing practices.

That's exactly the kind of lesson the Federal Trade Commission learned this week, after the Direct Marketing Association and telemarketers won a legal bid to nix the national "Do Not Call" list, just days before the Oct. 1 deadline for it to take effect.

A federal judge said Congress never authorized the FTC to set up the list in the first place. "Absent such a grant of authority in this case, the court finds the do-not-call provision to be invalid," wrote Lee West, the senior judge for the western district of Oklahoma.

California's law, which is scheduled to take effect on Jan. 1, 2004, could face similar vulnerabilities. Possible lines of attack include the First Amendment, which broadly prohibits restrictions on freedom of expression, and the constitution's ban on state laws that interfere with interstate commerce, known as the dormant commerce clause.

"Certainly the California antispam law is going to face some constitutional challenges," said Ray Everett-Church, a California attorney at the ePrivacy Group who follows spam laws. "The one that I'm looking to see first is the commerce clause challenge. The California law has a provision that says people may not send unsolicited commercial e-mail to California e-mail addresses. The legislation does not define a California e-mail address or how one determines what a California e-mail address is. That ambiguity is very likely to be the basis of a challenge."

Legal remedies not succeeding
Legal remedies to spam have proliferated in recent years, with some 36 states enacting laws seeking to restrain unbridled Internet marketers. In addition, new national laws have recently gained traction overseas, and may be gaining ground in the United States.

But those efforts have so far failed to stanch the flow of unwanted junk e-mail, which has ballooned over the years and now makes up about half of all e-mail traffic by some counts. The expense to business has spiraled upward along with the volume of junk. Spam will cost U.S. organizations more than $10 billion in 2003, according to research firm Ferris Partners, in a study quoted by California lawmakers in their introduction to Tuesday's law.

Increasingly tough measures, such as California's law, reflect the growing sense of crisis around the problem, which is rapidly diminishing the value of e-mail as a corporate communications tool. But local restrictions, even in as influential a state as California, may have only a limited effect on a global problem that may require technical solutions to make it harder for spammers to exploit the Internet's open architecture.

Calls for tougher legislation have been echoed by technologists seeking to address the underlying conditions that make it easy for spammers to hide and steal network resourcesin order to deliver their payloads. On the wish list: strong authentication for all e-mail messages and better controls over the Internet's Whois registry of domain name owners.

According to the California law, drafted by Kevin Murray, a Democratic state senator from Los Angeles, no person--inside or outside the state--may send any advertisement "in an unsolicited commercial e-mail advertisement to a California electronic mail address." Violators can be sued civilly for $1,000 per unwanted commercial e-mail received, either by an individual, their Internet service provider or the state attorney general.

This "opt-in" approach is far different from the traditional way that states have tried to restrict the growing tide of spam, which is clogging inboxes and--when combined with the recent re-emergence of e-mail worms--driving network administrators to distraction. Other states, and nearly all proposals in the U.S. Congress, take an "opt-out" approach or merely require that spam be labeled with a text string such as "ADV:".

The U.S. Supreme Court has said that commercial speech such as advertisements and marketing information receives less protection than "core" expression such as political speech. Because California's law is so restrictive, however, it bans unsolicited commercial communications sent through e-mail that would be perfectly acceptable if sent by way of the U.S. Postal Service.

A handful of other courts--including a California state judge--have suggested that antispam laws can run afoul of the commerce clause, but the U.S. Supreme Court has not taken a case that would clarify the situation. In 2001, the court declined to hear a constitutional challenge to a Washington state antispam law, one of the first measures to set standards for junk e-mailers and levy stiff fines for violators.

"It's all an interesting question in terms of how California will enforce a law against someone who otherwise has no jurisdictional ties to the state," Everett-Church said.

Congress may interfere
Another obstacle not just for California but for any of the dozens of states that have enacted antispam laws is an unusual one: the U.S. Congress. The federal government has never enacted a bill to limit unsolicited commercial e-mail, but most of the ones under consideration on Capitol Hill "pre-empt"--that is, override--state laws.

On Wednesday, the House Subcommittee on Commerce, Trade, and Consumer Protection approved one of the few bills that does not pre-empt state laws. The measure, called the International Consumer Protection Act, would turn the FTC's investigators into virtual spam cops, granting them the power to serve secret requests for subscriber information on Internet service providers, peruse FBI criminal databases and swap sensitive information with foreign law enforcement agencies.

The new powers would not be limited to fraudulent or deceptive unsolicited e-mail and are designed to be employed in other forms of investigations as well.

That kind of approach has its place, said Karl Jacob, CEO of antispam company Cloudmark, but in general technological solutions to the spam problem are more effective.

"We believe a lot of progress has been made in technological solutions to these problems," said Jacob, whose San Francisco-based company has raised $5.5 million in venture funding. "It's very hard to legislate what consumers want. A better way is to allow them to express their preferences through technology."

Jacob predicted that the California law "makes it very hard for marketers to comply," and will therefore encourage businesses to lobby for federal laws that override it and other state measures.

Kenneth Hirschman, general counsel of Digital Impact, an e-mail marketing company whose clients include Microsoft, Sony, MasterCard, Hewlett-Packard, Verizon Communications and Gap, said the California law would harm legitimate marketers. "In the long run, we don't expect this law to mean anything to (our clients)," Hirschman said. "But in the short term we expect it to create quite a nuisance to us and our clients."

That's because the law places the burden of proof on the sender of a commercial message, not the recipient, Hirschman said. "Legitimate companies will have to go to court again and again and again and defend these nuisance suits. They won't be guilty. But it's pretty annoying to have to prove that 500 times."

Federal legislation is probably necessary to pre-empt state laws that are too antibusiness, Hirschman said. "If you're going to have a private right of action, you need some kind of safe harbor or affirmative defense for legitimate businesses."

On Wednesday, embarrassed officials in Washington scrambled to react to the news that the "Do Not Call" list was on indefinite hold. Since President Bush highlighted the registry in a June ceremony on the south lawn of the White House, about 50 million Americans had submitted their phone numbers. Late in the day, the FTC asked for an emergency stay of the court order so that it could prepare an appeal, while the Direct Marketing Association released a statement saying it was "grateful" for the court's decision.

On Capitol Hill, the outcry was thoroughly bipartisan. Billy Tauzin, R-La., and John Dingell, D-Mich., the senior members of the House Energy and Commerce Committee, sent reporters a joint statement saying: "We were disappointed to learn that a federal district court has invalidated the Federal Trade Commission's national do-not-call registry. We are confident this ruling will be overturned."

Related News U.K. law mashes spam
September 19, 2003
http://news.com.com/2100-7349-5079099.html

Australian legislation cooks spammers September 18, 2003
http://news.com.com/2100-1028-5078685.html

Taking Microsoft to task on spam September 3, 2003
http://news.com.com/2008-1082-5070492.html

Spam fight divides on party lines July 9, 2003
http://news.com.com/2100-1028-1024385.html

Lawmakers debate antispam plan July 8, 2003
http://news.com.com/2100-1028-1023740.html

Michigan Senate passes antispam bill June 25, 2003
http://news.com.com/2100-1028-1021169.html

Get this story's "Big Picture"
http://news.com.com/2104-1024-5082049.html

2003-09-25T09:47:00.000-04:00

Calif. Enacts Toughest Anti-Spam Bill
By TOM CHORNEAU Associated Press Writer

SACRAMENTO, Calif. (AP) - California will prohibit Internet advertisers from sending unsolicited e-mails under the toughest law [original bill here] of its kind in the nation, providing for fines up to $1 million.

Gov. Gray Davis signed legislation Tuesday that targets not only the firms that package and send spam to consumers, but also the companies whose products and services are being advertised.

The measure covers all unsolicited commercial e-mail sent or received in California and imposes fines of up to $1 million per incident.

"There are no loopholes, no way of getting around it," said the bill's author, state Sen. Kevin Murray, a Democrat.

Washington state passed an anti-spam measure in 1998, but it didn't go as far. The Washington law provides civil penalties of $500 per message for bulk or commercial e-mail with misleading information in the subject line, invalid reply addresses or disguised paths of transmission.

A San Francisco-based marketing firm, Ferris Research, estimated that unwanted e-mails cost U.S. companies nearly $9 billion in 2002 in lost productivity, consumption of communication bandwidth and drain of technical support.

"California is sending a clear message to Internet spammers: we will not allow you to litter the information superhighway with e-mail trash," said Davis in a statement.

This week, California also became the first state to protect the privacy of drivers whose vehicles come with "black boxes," devices that store data on how a car is being driven in the seconds before a collision.

The law, signed by Davis on Monday, stipulates that car owners must be told their cars carry the recorders, and says the information can only be downloaded with consent from the driver, a court order or for medical or safety research.

The devices can record speed, the use of brakes and seatbelts, and the deployment of air bags. Unlike airplane black boxes, the devices don't gather voice recordings.

---
Editors: Juliana Barbassa contributed to this report.

---

On the Net:

http://www.sen.ca.gov/

To view identity theft study:
http://idtheftcenter.org/index.shtml

2003-09-24 08:17:17 GMT

2003-09-19T17:36:00.000-04:00

http://www.washingtonpost.com/wp-dyn/articles/A26599-2003Sep17.html

Self-Policing Added to Spam Bill
By Jonathan Krim
Washington Post Staff Writer
Thursday, September 18, 2003; Page E01

One of the primary bills in Congress to crack down on spam e-mail contains
a new provision that would shield bulk e-mailers from penalties if they
agree to police themselves, raising new questions about the extent to which
industry is influencing the legislation.

According to a revised draft of a bill being circulated to members of the
House Energy and Commerce Committee, bulk mailers could form a
self-regulatory group that would maintain anti-spam standards of conduct
similar to those in the bill. Any member of the organization -- which would
have to be approved by the Federal Trade Commission -- would be exempt from
legal penalties that otherwise would apply to nonmembers.

The idea of a self-governing organization has been supported by several of
the big Internet e-mail account providers, most particularly Microsoft
Corp. The theory is that the group would employ an independent third party
that could issue an electronic seal of approval for "legitimate" senders of
commercial e-mail, thereby making it easier for computer users to filter
out mail from unsavory or fraudulent spammers.

Microsoft has been working with America Online Inc., Yahoo Inc. and
EarthLink Inc., all of which market to their members, on such a system.

"It's certainly something we've pushed for," said Microsoft spokesman Sean
Sundwall, though he declined to say whether the company had any direct
conversations with the bill's sponsors. The direct-marketing industry
already has a similar program in place for its members. Representatives of
the Direct Marketing Association did not return calls for comment.

But some consumer groups, anti-spam organizations, state prosecutors and
legislators were taken aback by the idea of making it law by adding it to a
bill sponsored by Reps. Richard Burr (R-N.C.), W.J. "Billy" Tauzin (R-La.)
and F. James Sensenbrenner Jr. (R-Wis.).

"They are writing the law so that it places them where they think they
belong: above it," said Jason Catlett, head of Junkbusters Inc., an
anti-spam group

Ken Johnson, a Tauzin spokesman, responded that the self-regulation plan
improves the bill because it creates a grievance process for individual
consumers who might otherwise have trouble getting the attention of law
enforcement authorities when marketers are continuing to target them.

"The FTC does not have the resources to pursue individual, minor
complaints," Johnson said. The proposal establishes a complaint mechanism
that the self-policing group must follow.

The new provision is the latest twist for the bill, which is likely to be
the major piece of spam legislation to emerge from the House because of the
sponsors' powerful positions: Sensenbrenner is the chairman of the
Judiciary Committee; Tauzin, of the Energy and Commerce Committee.

Revelations in May that lobbyists from the marketing, retailing and
Internet provider industries played a key role in drafting the original
bill forced its sponsors to reshape it after it was criticized as being weak.

Since then, negotiations have been ongoing with legislators who want a
tougher bill, led in part by Rep. Heather A. Wilson (R-N.M.), who has a
competing bill that has the bipartisan co-sponsorship of 67 representatives.

Congressional negotiators had been finding some common ground, sources
said, adding a Wilson-backed provision that requires the labeling of
pornographic content in e-mail. But the inclusion of the self-regulation
idea has undermined that progress and put the bill in "purgatory,"
according to one congressional staffer.

"It's a step backward," said a Wilson spokesperson. "It continues to
protect spammers at the expense of consumers."

The bill requires bulk mailers to honor consumer requests to stop receiving
unsolicited e-mail and makes it illegal for spammers to disguise their
whereabouts. It also makes illegal the practice of electronic "harvesting"
of e-mail addresses, in which special software is used to find e-mail
addresses on Web pages, copy them and add them to bulk mailing lists.

Even before the addition of the self-regulation provision, anti-spam
activists said the bill was full of loopholes. Some consumer groups and
state lawmakers are especially concerned that the bill would supplant
stronger state anti-spam laws and prevent individual consumers from suing
spammers. Supporters argue that federal rules are the only way to ensure
that legitimate marketers have clear rules that don't change from state to
state.

In many respects, the House bill -- minus the self-regulation plan --
mirrors a Senate bill that has passed through committee, though it is
unclear when it will be considered by the full Senate. The bill, sponsored
by Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), is supported by the
marketing and Internet provider industries.

Another Senate bill, sponsored by Sen. Charles E. Schumer (D-N.Y.), would
create a national do-not-spam list similar to the recently instituted
do-not-call list for telemarketers. But the FTC so far has opposed the
idea, and no similar bill has been introduced in the House. [End].

2003-09-18T23:31:00.000-04:00

UK bans spam messages BBC News [full story here]
The UK has made spam a criminal offence to try to stop the flood of unsolicited messages. Under the new law, spammers could be fined £5,000 in a magistrates court or an unlimited penalty from a jury.

But they would not be sent to jail, according to the new measures introduced by Communications Minister Stephen Timms. Spam has become the bane of internet users, with junk messages making up more than half of all e-mails sent.

"It's crucial that people feel safe and have confidence in utilising electronic communication technologies," said Mr Timms.

"These regulations will help combat the global nuisance of unsolicited e-mails and texts by enshrining in law rights that give consumers more say over who can use their personal details. "

The measures take effect on 11 December and will be enforced by the Information Commissioner.

Under the new law, companies will have to get permission from an individual before they can send them an e-mail or text message.
But the regulations do not cover business e-mail addresses, despite some calls for a blanket ban on spam.

Jail in Italy

The British measures are not as drastic as Italian anti-spam laws. Earlier this month Italy imposed tough regulations to fine spammers up to 90,000 euros (£66,000) and impose a maximum prison term of three years.

EU legislation banning unwanted e-mail is due to come into force on 31 October, but correspondents say that, given the global nature of the internet, it may have little effect.

Most spam comes from the United States and Asia, and will be outside its reach.
The EU legislation leaves it to each member state how to enforce the legislation, as long as the enforcement is "effective".

The UK legislation also sets guidelines for the use of cookies, electronic tags that help websites keep track of visitors.

In future, people will be able to insist that sites do not store their personal information.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/3120628.stmPublished: 2003/09/18 15:35:34 GMT

2003-09-12T13:54:00.000-04:00

US - CI HOST v. AOL: C I Host has sued AOL for labeling C I Host as a spammer and for blocking its customers' IP addresses from reaching AOL subscribers for two weeks. A court has issued a temporary restraining order against AOL. See Star-Telegram.com .

2003-09-12T13:53:00.002-04:00

US - FEDERAL ELECTRONIC PRIVACY LAWS: An appeals court held that a lawyer's subpoena request was overly broad when it demanded discovery of all email that was received or sent by anyone in a company and such request violated federal privacy laws. See Opinion , Stored Communications Act , Computer Fraud and Abuse Act , News.com .

2003-09-12T13:53:00.001-04:00

CA - AMAZON v SPAMMERS: Amazon has published the Statement of Claim
recently filed in the Ontario Superior Court alleging that a Canadian spammer spoofed amazon.com e-mail addresses. See 1 September Alert .

2003-09-12T13:53:00.000-04:00

BR - BILL OF LAW REGULATING SPAMMING PRACTICE: On August 28, Senator Hélio Costa presented a Bill of Law against the practice of spamming in Brazil. According to this bill, companies would be able to send a spam message once and the message would disclose its subject matter and identify the sender's name and address. This bill would prohibit companies from resending the messages without prior and express consent of the recipient. Further, the bill would allow recipients to require ISPs to block the receipt of unauthorized messages. The ISPs would have to comply with the blocking request within 24 hours of receiving the request. The bill is currently under discussion at the Constitution and Justice Committee of the Brazilian Senate.

2003-09-12T13:52:00.003-04:00

EU - SPAM WORKSHOP: The Commission announced a workshop on unsolicited commercial communications to be held on October 16 2003. See Press Release

2003-09-12T13:52:00.002-04:00

NZ - ANTI- SPAM LAW: An InternetNZ white paper has warned that anti spam legislation should be carefully drafted to ensure that the problem is not exacerbated. See Computer World (22!opendocument>,80CC256D96001A6ED4!opendocument>) report.

2003-09-12T13:52:00.001-04:00

CN - SPAM: The ISC is taking actions to fight spam on the Internet. See interfax .

2003-09-12T13:52:00.000-04:00

** - SPAM LAWS: Following the success of anti-spam regulations in Korea, US legislators are considering similar laws. They may be problematic due to the constitutional right to free speech. See August 25 , July 7 Alerts and Washington Times .

2003-09-12T13:50:00.000-04:00

DAYTON MAN LOSES SPAM JUDGMENT

An article in the Dayton Daily News reports that a Washington state court issued a $250,000 judgment against a Dayton man accused of violating Washington's strict laws against unsolicited e-mail. Spammer Charles Childs stated that he sends approximately 15 million bulk e-mails per week. For full story, see: http://www.daytondailynews.com/localnews/content/localnews/daily/0912spamsuit.html

2003-08-28T22:51:00.000-04:00

EARTHLINK SUES 100 SENDERS OF JUNK E-MAIL
EarthLink, the third-largest Internet service provider, filed a federal lawsuit yesterday against 100 e-mail spammers — mostly based in Alabama and Canada — who reportedly sent millions of unwanted messages. EarthLink claims the Alabama spammers used stolen credit cards, identity theft and banking fraud to finance Internet accounts and send out more than 250 million unsolicited commercial e-mail messages. The spammers hid their identities by creating an elaborate chain of fake names and nonexistent companies, the lawsuit said. "Our investigation has been ongoing for a number of months, and this is a very tech-savvy spam ring which has made this a particularly challenging investigation," said Karen Cashion, lead lawyer for EarthLink's lawsuit. (AP)

2003-08-22T16:34:00.000-04:00

Marketers Say They Intend to Join Effort to Fight Spam
New York Times, By JOHN SCHWARTZ and JOHN MARKOFF

"A new player has joined the effort to protect computer users from spam: the folks who bring you junk mail.

The Direct Marketing Association, which represents about 4,700 companies that engage in marketing directly to consumers, has quietly begun working with federal law enforcement officials, regulators and Internet service providers to develop a high-technology group dedicated to helping shut down the most egregious users of bulk e-mail.

The intent will be "to identify significant spam operators who are violating existing laws, develop the cases and refer them to the appropriate state, federal or international prosecuting authorities," the direct marketing trade group said in a recruiting letter dated Aug. 8. [ed. note - see DMA publication "Tackling the Spam Issue"

The campaign, to be called Operation Slam Spam, is seeking a $65,000 "participation fee" from the association's members, according to the letter, which was signed by its chief executive, H. Robert Wientzen.

The move is an attempt to blunt efforts to prod Congress and the states into approving significantly tougher anti-spam laws. In comparison, the direct marketing group supports relatively mild legislation." [more]

2003-08-22T16:33:00.000-04:00

Texas anti-spam law takes effect Sept. 1
Houston, Chronicle - Associated Press

FORT WORTH -- "A state law designed to regulate and limit unwanted e-mail takes effect Sept. 1, but experts say the law will be hard to enforce and won't do much to slow the spread of spam.

Under the new law, it will be illegal in Texas to send unsolicited e-mail that uses misleading subject lines or offers unlabeled obscene material. The law also requires mass e-mailers to remove names from their lists within three days of being notified.

Unsolicited advertising must carry the note "ADV:" in its subject line, and messages with sexual material must say "ADV: Adult Advertisement." Backers of the law hope those notes will help Internet service providers and spam-filtering software remove spam before it gets to recipients.

Violators can be fined $10 for each mislabeled, unsolicited e-mail message, up to $25,000 per day.

"The bill has some teeth in it," said Tom Kelley, a spokesman for the Texas attorney general's office. "We will be taking action to open investigations and file civil and criminal enforcement actions to get compliance."

Texas joins 33 other states in passing legislation to curb unwanted e-mails, but it's unclear whether the laws will do much good, said Chip Rosenthal, director of EFF-Austin, a technology policy group.

"It creates a bit of a hammer for the Internet providers and the attorney general," Rosenthal told the Fort Worth Star-Telegram. "But it's really a disappointingly weak bill."

Rosenthal pointed out that senders of junk faxes can be fined up to $500 per fax in small claims court -- 50 times the penalty for a spam violation. He also said the law doesn't prohibit spam.

"I don't think people want their spam nicely labeled. I think they want it to stop," he said.

A study by the Federal Trade Commission found that two-thirds of spam messages made false claims and that 63 percent of those who requested removal from e-mail lists were not removed.

Unsolicited messages can clog the e-mail inboxes of computer users and carry computer viruses. The latest damaging virus, Sobig.f, was carried through an existing spam proxy network, said Steven Sundermeier, spokesman for antivirus software maker Central Command in Medina, Ohio. "

2003-08-20T16:16:00.000-04:00

Associated Press <http://online.wsj.com/article/0,,SB106130777912809100,00.html?mod=dart
Techtoday

WASHINGTON -- The Federal Communications Commission has delayed until 2005 a new rule requiring companies to obtain written permission before sending unsolicited faxes. [PDF FCC news release here, and PDF FCC order here.]

The new regulations originally were to take effect next Monday, but the commission earlier this week agreed to delay the starting date to Jan. 1, 2005. The FCC said the delay will give businesses more time to get signed approval forms from people to whom they want to send faxes, and will provide more time for the commission to respond to requests to reconsider the new rules.

Under current regulations, entities don't have to obtain written permission to fax unsolicited advertisements to individuals and companies that they already do business with. Such entities cannot fax unsolicited advertisements to anyone that they don't have a business relationship with, unless they first receive permission to do so.

The new fax rules were approved at the same time as the do-not-call list, which takes effect Oct. 1. More than 30 million Americans have signed the registry for blocking unsolicited telephone sales pitches.

2003-08-20T14:48:00.000-04:00

From SFNL - "Here's a well done review of POPFile and SpamBayes written by Kristian Eide, which apparently made serious rounds on the Linux circuit. If you're interested in nipping spam in the bud no matter what it takes, these two products are well worth your consideration. And you may be surprised by Kristian's conclusion about which of the two is better."

http://home.dataparty.no/kristian/reviews/bayesian/

2003-08-09T20:51:00.000-04:00

InfoWorld Articles about Spam... search here. And InfoWorld's July article, "Strategies for canning spam", here, and as one downloadable PDF, here.

2003-08-09T20:41:00.000-04:00

Should E-mail Be Free?
Dialogue: The scourge of spam is a "tragedy of the commons"
that could be largely solved by charging users per e-mail message
sent, says Technologyreview.com commentator Barry Shein. David
Crocker defends the "all you can eat" flat fee structure.
http://www.uptilt.com/ct.html?rtr=on&s=5fo,35a5,4rw,8k7d,38wr,gz2t,7f49

2003-07-30T10:42:00.000-04:00

Hormel Fights to Defend Spam Name

AUSTIN, Minn. (AP) -- Hormel Foods has a message for a Seattle software company: Stop, in the name of Spam!

The canned-meat company filed two legal challenges with the U.S. Patent and Trademark Office to try to stop SpamArrest from using the decades-old name Spam, for which it holds the trademark.

SpamArrest, which specializes in blocking junk e-mail or "spam," filed papers to trademark its corporate name early this year. Hormel then sent the company a warning to drop the word "Spam." SpamArrest refused.

"If you ask most people on the street, they're going to say junk e-mail as opposed to the luncheon meat as their first description of what spam is. I think they're overstepping their bounds," said Brian Cartmell, SpamArrest's chief executive.

Cartmell says his company's use of the word has nothing to do with Hormel's product, first produced in 1937. Hormel officials disagree, arguing that the company has carefully protected and invested in the brand name, and that the public could confuse the meat product with the technology company. It filed its challenges in late June.

Hormel acknowledges that its brand name has taken on new meaning, and it outlines on its Web site what it considers acceptable uses of the word.

It says it doesn't object when "spam" is used to describe unsolicited commercial e-mail, but it does object when pictures of its product are used in association with the e-mail term.

Douglas Wood, who practices intellectual property law in New York, estimates Hormel has only a 50-50 chance of prevailing. He points to a recent case involving Victoria's Secret and a male adult novelty shop called Victor's Secret. Victoria's Secret sued, using the trademark infringement argument. But Wood says ultimately the company lost in court.

"The court in that case was saying, even though they may have a famous mark, Victoria's Secret, and may have a particular association as soon as you hear it, Victor's Secret was not enough - the confusion or potential damage to their mark - to constitute infringement," Wood said.

The case will be heard by the Trademark Trial and Appeals Court in Washington, D.C., probably next year.
-
On the Net:
http://www.spam.com
http://www.spamarrest.com

2003-07-28T17:15:00.000-04:00

DIGIPORTAL’S CHALLENGE-RESPONSE ANTI-SPAM SOLUTION CHOICEMAIL ONE SUPPORTS VISUALLY-DISABLED COMPUTER USERS

Visually-Disabled Users Can Respond to Challenge/Response Anti-Spam systems

Orlando, FLA - July 28, 2003 - DigiPortal Software, Inc., a leading developer of information management tools designed to provide users with powerful solutions to combat information overload and inappropriate Internet content, today announced that its leading flagship anti-spam software solution ChoiceMail One, now offers a feature that will allow the visually-disabled community to respond to challenges generated by ChoiceMail One.
A major barrier for visually-disabled users on the Internet today is caused by a graphical code used to verify that there is a real user on the other end, rather than a type of automation doing the email verification. Graphics pose problems for blind computer users who may rely on screen reading technology, which is not able to decipher what the graphic says.

DigiPortal’s ChoiceMail One’s advanced features overcomes this barrier. When a ChoiceMail One user receives an email from an unknown sender and responds by sending a challenge back to the sender, it is necessary for the sender to verify their identity by typing in their name, a short description of why they want to communicate and to copy a graphic code to ensure the sender is a real person rather than a computer. DigiPortal has extended this very simple and quick process to the visually-disabled community, by adding a feature that allows blind users to access this code by downloading an audio wav file that reads the code aloud to them. They can then type this information into the box, allowing them to verify the code independently.

“I believe that challenge response anti-spam technology is a misunderstood technology,” said Dan Roy, a visually-disabled ChoiceMail One user. “For an average user who is trying to get email from a number of sources, their system works extremely well. I got incredibly tired of 75% of my email being junk mail; since I started using ChoiceMail One, my spam has disappeared.”

There are other companies who use the randomized graphical code for verification purposes, however, many have not done anything to accommodate blind users.

Dr. David Jameson, CTO & Founder of DigiPortal has had significant experience working with the visually disabled computing community while involved in a research project to build a state of the art system to allow that community to access computers. Along with Dr. James Thatcher who originally conceived of that project, they invented IBM’s Screen Reader product, which was released in 1987. Screen Reader allowed the visually-disabled user to have unprecedented access to their PC using a special keypad that was programmable in a language created by Jameson to make it easy for blind users to express actions needed in order to work on a PC productively.
PC users can download a free trial of ChoiceMail One by visiting the DigiPortal website at www.digiportal.com <http://www.digiportal.com>.

2003-07-28T13:57:00.000-04:00

MICROSOFT TARGETS CHARDON COMPANY IN SPAM INVESTIGATION

An article in the Cleveland Plain Dealer reports that Microsoft Corp. has subpoenaed the records of a Chardon Internet provider and its owner as part of 15 lawsuits against groups who distribute unwanted e-mail "spam." Microsoft contends that Isolate Networks of Chardon provides Internet access to a number of spammers, and wants Isolate to identify its clients.
For full story, see: http://www.cleveland.com/tech/plaindealer/index.ssf?/base/business/1059384914290121.xml

2003-07-24T15:51:00.000-04:00

Apology up front. I have to apologize for having slacked on posting here in the past week or so, but first I was away for a few days, and then seriously under the weather. But hopefully we can return to our regularly scheduled program, already in progress. . . .

A EC <http://www.europa.eu.int/comm/index_en.htm/t_NEW> official said that attempts to combat spam would be hampered if the U.S. fails to introduce an outright ban. See IDG <http://www.idg.net/ic_1326438_4914_1-5050.html>, ITWorld <http://www.itworld.com/Man/2695/030715banspam/>.

JP - ANTI-SPAM: NTT DoCoMo <http://www.nttdocomo.co.jp/english/index.shtml/t_NEW> is looking to act against spammers who use its I-mode mobile network. See June 23 Alert <http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=31636>, ITWorld <http://security.itworld.com/4774/030711imodespam/page_1.html>.

2003-07-22T12:13:00.000-04:00

Spam On Course to Be Over Half of All Email This Summer

Brightmail® Puts Forward Top Strategies to Stop Spam at UK Spam Summit

San Francisco, CA – July 1, 2003 – Brightmail, the world's leading anti-spam software company, has projected at least 1 in 2 of all emails that individuals and businesses receive will be spam by September 2003 or earlier, and a fifth of spam in the UK will be pornographic. Enrique Salem, Brightmail's CEO, made this forecast and suggested practical steps to stop spam when he joined other anti-spam experts giving evidence at the All Party Parliamentary Internet Group's (APIG) Spam Summit in Westminster, on 1st July 2003.

Brightmail sees and stops more spam than any other anti-spam company, filtering over 60 billion emails a month for spam on behalf of its Internet service provider and corporate business customers. In the last five years, Brightmail has recorded the incidence of spam attacks climbing from a few hundred a month to nearly 7.5 million in May 2003. Each of these single unique attacks can affect millions and millions of mailboxes anywhere on the Internet.

The volume of spam is rocketing. In April 2001, 7 percent of the email Brightmail checked was spam. As of June 2003, over 48 percent of all email traffic on the Internet is now spam. In its evidence to the APIG, Brightmail now forecasts that over 50 percent of email will be categorized as spam before the summer is over. Brightmail is already finding that some email users, such as high profile companies, are suffering from spam rates as high as 79 percent.

Spam email in the UK is rapidly becoming more offensive. In June 2003, over 20 percent of spam was pornographic. This is now the second largest UK spam category, following 34 percent of email spam that offers products for sale. In the U.S., 19% of spam fell into the Adult-content category in June.

Enrique Salem, CEO, Brightmail said: "Spam email volumes are growing exponentially, so our forecast of spam breaking the 50% barrier of total Internet email traffic this summer is a conservative one. While the volume of adult spam is disturbing, the largest category of unsolicited spam continues to come from illegitimate direct mail companies that offer products to email users who have not requested to be contacted.

"Fortunately, the outlook for email users is very positive. As the UK Spam Summit and similar events in the U.S. demonstrate, politicians and legislators are acknowledging the growing problem of unsolicited email spam attacks, and are looking for appropriate combinations of solutions to fight it," stated Salem.

Spam can be broadly defined as unsolicited bulk email sent over the Internet. Brightmail believes that the most effective solution for spam prevention is a combination of legislation, anti-spam technology, cooperation of legitimate direct email firms using best practices, the support of large Internet service providers, and allowing the individual user to decide what email they want blocked.

In the "Top Strategies to Stop Spam" recommendation that Enrique Salem presented to the APIG Spam Summit, he proposed the following:

1. Deployment of available technology solutions by ISPs and corporate enterprises to counteract unsolicited email marketing requires:
• multiple spam protection techniques
• the ability to identify legitimate direct email senders
• the ability to identify bulk email across the Internet

2. Prevent bulk direct mailers from sending unsolicited email by establishing tougher judicial and financial penalties against spammers. Global regulations should allow proactive detection of illicit spammers, making it more costly and risky for spammers to operate. The Internet industry and law enforcement agencies need to be empowered to make spammers accountable for their actions.

3. Global enterprises and ISPs need to provide email users with ongoing education to help protect them from spam attacks.

4. Develop guidelines that establish email best practices for legitimate email direct marketers to follow. For the protection of both email users and direct marketers, it will become important to be able to identify legitimate direct marketers. There will also need to be significant improvement in how direct marketers manage their mailing lists—as the Advertising Standards Association has done in the UK.

5. Finally, there needs to be a process established to enable the continual re-evaluation of policy and legislation to address the emergence of new forms of unsolicited bulk email marketing spam attacks.

2003-07-09T15:09:00.000-04:00

US - SPAMMERS TO REDRESS FRAUD VICTIMS: Spammers who engaged in fraud related to an envelop-stuffing work-at-home scheme have settled with the FTC <http://www.ftc.gov/> to pay $200,000 for customer redress and possibly imprisonment of up to 5 years. See FTC Press Release <http://www.ftc.gov/opa/2003/07/spammers.htm>.

2003-07-09T15:08:00.001-04:00

UK - SPAM SUMMIT: The APIG <http://www.apig.org.uk/> hosted a Spam Summit in the House of Commons <http://www.parliament.uk/about_commons/about_commons.cfm> to launch an investigation into the problem of unsolicited commercial e-mail. See Silicon <http://www.silicon.com/news/165-500001/1/4937.html?nl=20030702>.

2003-07-09T15:08:00.000-04:00

SG - ANTI-SPAM REVIEW: The IDA <http://www.ida.gov.sg/> is reviewing anti-spam measures. Currently, under the Computer Misuse Act <http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002107.pd
f> hacking and emails that contain banned content or destroy computer
systems are illegal. See Asia One (<http://it.asia1.com.sg/newsdaily/news002_20030705.html>,<http://it.asia1.com.sg/newsdaily/news004_20030705.html>).

2003-07-09T15:07:00.000-04:00

KOREA - ANTI-SPAM MEASURES: Under new restrictions, spam messages sent both domestically and abroad must include "advertisement" or "Advertisement for Adults" in the title and a contact number to allow recipients to prevent further spam. See January 27 Alert <http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=28451> and Chosun <http://english.chosun.com/w21data/html/news/200307/200307030015.html>.

KOREA - SPAM: The FTC <http://www.ftc.go.kr/> declared that it will penalize companies that send spam mail to people who have made earlier reports against these companies. See Joins <http://joongangdaily.joins.com/200307/01/200307010128411209900090609061.htm
l>.

2003-07-09T15:06:00.000-04:00

AU - ANTI-SPAM LAWS: Australia, Europe and the US are considering drafting legislation that will render spamming a criminal offence punishable by fines and even imprisonment. See June 30 Alert <http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=31750> and Asia One <http://it.asia1.com.sg/newsdaily/news002_20030705.html>

2003-07-08T15:49:00.000-04:00

From: Karin Spaink
Organization: Marcab Inc.
Subject: Analyzing three days of spammers' incoming mail
Date: Mon, 7 Jul 2003 05:30:52 +0200

Declan,

On July 3 2003, cyberangels.nl was re-registered by Spamvrij.nl, a Dutch foundation fighting spam. Previously, the domain was owned by the company Cyberangels, who have been majorly involved in spamming. They felt forced to drop it when the ground under their feet got too hot. (The history of that affair is listed on our main page, www.cyberangels.nl.)

Since MX-records for cyberangels.nl now point to spamvrij.nl too, we get all their mail: bounces, spam complaints and what have you. Have a peek: what kind of mail does a major spammer receive in the course of three days? By now, we have a very precise answer: 6305 mails. Here is the breakdown of those mails.

1. Introduction: 6305 mails in (basically) three days
2. We received 5880 bounces and forwards
3. We received 12 spams for @cyberangels
4. We received 40 attempts to annoy Cyberangels
5. We received 371 complaints about Cyberangels
6. We received 2 business mails

The full analysis is available at
http://www.cyberangels.nl/evidence/mailfile.html
Karin Spaink
Spamvrij.nl board member

2003-07-02T13:44:00.000-04:00

FTC Spam Forum
April 30 - May 2, 2003

Federal Trade Commission
Conference Center
601 New Jersey Ave, NW
Washington, DC

Supplements to the Record
Abend, Josh C.
Altshcul, Michael
Americans for Technology Leadership (FTC Letter)
Americans for Technology Leadership (Tauzin Letter)
Askew, Ed
AT&T Wireless
Atkins, Steve
Becker, Francoise
Bigfoot Interactive
Block, Robert (5/7/03)
Block, Robert
Butz, Henry
Catlett, Jason
Dowgewicz, Paul
ePrivacy Group White Paper
Farran, Karen
Fellows, Paul
Fenley, John
Goodman, Robert
Hall, Robert J.
Halmu, Mitch
James, William R. (1)
James, William R. (2)
Klein, Joe
Lewis, Chris
Metchis & Singleton
Metz, Shumel
Raymond, Philip
Sasso, Charles
Sauver, Joe St
Schmidt, Ken
Smith, Steve
Steinhauser, Joe
Terriberry, Gil
Weiss, Cliff

2003-07-01T10:38:00.000-04:00

Dialogue: Can E-Mail Be Saved?

In round 2 of their online dialogue on the scourge of spam, ISP
maven Barry Shein and e-mail standards pioneer Dave
Crocker grapple with whether the cure may be as bad as the
disease. The onslaught of spam, says Shein, has made us
"desperate enough to begin considering draconian responses
analogous to boarding up all the windows in our home just to
feel safe.... We need to go after the spammers themselves and
stop cowering in the dark behind boarded-up windows." Crocker
cautions against rash measures: "In the process of making email
safe from spammers, we are in danger of making email
content-free," writes Crocker. "Perhaps we should slow down a
bit, and try to understand the problem, before we act so hastily."
http://www.uptilt.com/ct.html?rtr=on&s=5fo,2s8a,4rw,8k7d,38wr,gz2t,7f49

2003-06-30T17:21:00.000-04:00

AU - IPRIMUS BANS SPAMMER: iPrimus <http://www.iprimus.com.au/> has disconnected a serial spammer from its network. The spam originated from iPrimus almost immediately after the termination of the spammer's BigPond http://www.bigpond.com.au/> account. See Zdnet <http://www.zdnet.com.au/newstech/communications/story/0,2000048620,20275650
,00.htm>, June 23 Alert <http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=31599>. Meanwhile, the Victorian Department of Justice is currently investigating a complaint made against the alleged spammer, Ultimate Safe. See Zdnet ,00.htm> report.

AU - SPAM BILL: The IIA has met with federal politicians to debate details of proposed anti-spam legislation. At the forum, Bigpond announced it would tighten its acceptable use policy for spam and offer better anti-spam solutions. See SMH <http://www.smh.com.au/articles/2003/06/26/1056449347677.html>, Australian IT <http://australianit.news.com.au/articles/0,7204,6640683%5E15342%5E%5Enbv%5E
15306%2D15319,00.html>, June 23 Alert <http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=31599> reports.

TW - CALL FOR SPAM LEGISLATION: Chunghwa Telecom <http://www.cht.com.tw/> has called for anti-spam legislation. See Taipei Times <http://www.taipeitimes.com/News/biz/archives/2003/06/28/2003057233> report.

2003-06-30T17:16:00.000-04:00

AU - IPRIMUS BANS SPAMMER: iPrimus has disconnected a serial spammer from its network. The spam originated from iPrimus almost immediately after the termination of the spammer's BigPond account. See Zdnet ,00.htm>, June 23 Alert . Meanwhile, the Victorian Department of Justice is currently investigating a complaint made against the alleged spammer, Ultimate Safe. See Zdnet ,00.htm> report.

AU - SPAM BILL: The IIA has met with federal politicians to debate details of proposed anti-spam legislation. At the forum, Bigpond announced it would tighten its acceptable use policy for spam and offer better anti-spam solutions. See SMH , Australian IT 15306%2D15319,00.html>, June 23 Alert reports.

TW - CALL FOR SPAM LEGISLATION: Chunghwa Telecom has called for anti-spam legislation. See Taipei Times report.

2003-06-21T15:22:00.000-04:00

Dialogue: Can E-Mail Be Saved?

In round 2 of their online dialogue on the scourge of spam, ISP maven Barry Shein and e-mail standards pioneer Dave Crocker grapple with whether the cure may be as bad as the disease. The onslaught of spam, says Shein, has made us "desperate enough to begin considering draconian responses analogous to boarding up all the windows in our home just to feel safe.... We need to go after the spammers themselves and stop cowering in the dark behind boarded-up windows."

Crocker cautions against rash measures: "In the process of making email safe from spammers, we are in danger of making email
content-free," writes Crocker. "Perhaps we should slow down a bit, and try to understand the problem, before we act so hastily."
http://www.uptilt.com/ct.html?rtr=on&s=5fo,2s8a,4rw,8k7d,38wr,gz2t,7f49

2003-06-17T17:34:00.000-04:00

CAUCE, The Coalition Against Unsolicited Commercial Email, May 22, 2003
http://www.cauce.org

CAUCE joined a group of major consumer, privacy, and anti-spam organizations, in calling on Congress to abandon the current crop of pro-spam, anti-consumer legislative proposals that it's currently considering in that the measures being considered by Congress are too weak because they don't actually prohibit spamming (merely require an opt-out), and don't allow consumers to sue spammers.
CAUCE also released a separate statement calling on all Americans to let their representatives in the House and Senate know that none of the currently-pending legislation is adequate.

CAUCE is an ad hoc, all volunteer organization, created by Netizens to advocate for a legislative solution to the problem of UCE (a/k/a "spam").

2003-06-17T17:25:00.000-04:00

Microsoft Proposes Law on Junk E-Mail (Washington Post)
Hitting Spammers Where It Hurts (BusinessWeek)
3 E-Mail Providers Join Spam Fight (Washington Post)

2003-06-17T17:21:00.000-04:00

"Spam is at the top of our hit list for very good reasons: 45 percent of all e-mail is spam, 2.7 trillion spam messages are sent each year, 13 times the total of snail-mail delivered by our U.S. Postal Service. The average wired American is deluged by 2,200 spam messages each year, and that's after ISPs have filtered out an estimated 80 to 90 percent. Some say that number would increase fivefold in the near future. It is estimated that spam costs legitimate businesses some US $9 billion a year in the United States."<br>

Attorney General Christine Gregoire. General Gregoire is the chief law enforcement officer for the State of Washington. Her statement above was made during a Microsoft press conference on June 17, 2003, announcing new anti-spam legal action. (emphasis added).

2003-06-17T17:19:00.000-04:00

Microsoft Spam Litigation Case Fact Sheet June 17, 2003

The following is a summary of the allegations contained in the 15 antispam lawsuits filed by Microsoft Corp. on June 16 or 17, 2003, in the United States and the United Kingdom.

United States Case Summaries

United Kingdom Case Summaries

2003-06-16T14:39:00.001-04:00

NZ - SPAM DEBATE: Debate continues over who is responsible for tackling spam. ISP Wave Internet <http://www.wave.co.nz/>, has launched a spam-buster service. See Stuff <http://www.stuff.co.nz/stuff/0,2106,2537063a28,00.html>,

2003-06-16T14:39:00.000-04:00

KR - FURTHER MOVES TO COMBAT SPAM: MIC is considering <http://www.mic.go.kr/eng/etc/itnews_view.jsp?idx=2452> introducing an opt-in method of email regulation instead of the current opt-out method. If the opt-in method is introduced, all the promotional messages without prior user approval will be classified as illegal and subject to penalties. See Korea Herald <http://www.koreaherald.co.kr/SITE/data/html_dir/2003/06/07/200306070014.asp>, June 2 Alert
<http://www.bmck.com/elaw/DisplayAlertbyID.asp?AlertID=31035> reports.

2003-06-16T14:37:00.000-04:00

AU - SPAMMERS HIJACK IP ADDRESSES: The Asia-Pacific IP address registry, APNIC <http://www.apnic.net/index.html> has warned of IP address squatting and urged ISPs to verify IP addresses supplied by customers. The IIA <http://www.iia.net.au/> has flagged additions to its proposed code of conduct on spam and will consider guidelines for ISPs whose customers bring their own IP addresses. See Australian IT <http://australianit.news.com.au/articles/0,7204,6569382%5E15342%5E%5Enbv%5E
15306%2D15319,00.html> report.

HK - SPAM: The CITB <http://www.info.gov.hk/citb> responded to the Legislative Council's <http://www.legco.gov.hk/english/index.htm> queries regarding regulatory measures to tackle the problem posed by junk fax and e-mail spamming. See press release <http://www.info.gov.hk/itbb/english/press/pr11062003.htm>.

2003-06-12T10:35:00.000-04:00

From SpamAnti.net

New technique observed [ed. note - I've noticed this new techique in use, though as my e-mail program of choice does not display HTML it makes this sort of spam immediately noticeable.]
Apparently, there is a new technique used by spammers. It is becoming a little problem since the simplest keyword-based filters do not detect these messages as SPAM. The text is riddled with random HTML comments breaking all words in smaller parts while leaving the message still readable by Outlook Express users.

This should lead to a new evolution of counter-measures and filter programs.

2003-06-12T00:47:00.000-04:00

Children upset by spam e-mail

Four out of five children receive inappropriate spam e-mails touting online drugs, get-rich-quick schemes and porn, a survey has suggested. Internet security firm Symantec found that most children felt uncomfortable and offended by the junk messages.

For the study, Symantec asked 1,000 US youngsters between the ages of seven and 18 about their experiences with spam. [See Symantec Spam Watch Response Center, available at http://www.symantec.com/spamwatch/]

More than 80% of those interviewed received inappropriate spam on a daily basis, with half saying it made them feel uncomfortable and offended." [more]

2003-06-12T00:38:00.000-04:00

EC Privacy-directive (2002/58/EC) [pdf]
Overview of anti-spam legislation in Europe-at-large
Questionnaire
Belgian privacy-authority (in Dutch and French).

2003-06-12T00:33:00.000-04:00

EU QUESTIONNAIRE ON SPAM-BAN
http://www.teleactivities.net/ebusiness/articles/eu-spam.htm

Per 31 October 2003 spamming will be prohibited in all EU member states, but it is completely unclear what authority should supervise the spam-ban. The European Commission doesn't have a ready-made answer, and is currently asking privacy-authorities and telecommunications ministries what approach they prefer.

The new Privacy Directive prohibits the sending of unsolicited e-mail but doesn't regulate the practicalities of penalties, damage claims or prosecution of cross-border violations. To make matters even more complicated, the Directive leaves the level of privacy protection of legal persons up to member states. Therefore, in some countries all e-mail addresses will be protected, in other states the spam-ban is limited to natural persons. On top of that, the directive bans commercial spam, but does allow for a ban on all unsolicited electronic communications, including those for charity and political purposes.

Seven EU member states already have anti-spam legislation; Austria, Denmark, Germany, Finland, Greece, Italy and Spain. In Europe-at-large, spam is also banned in Hungary and Norway. Punishments differs widely. In Austria for example, spammers can be fined to a maximum of 36.330 Euro, while in Italy spammers risk prison sentence, next to the obligation to pay damages of 500 to 5000 euro per spammail. [more]

2003-06-12T00:30:00.000-04:00

Spam e-mails face ban demands Story from BBC NEWS:

http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/politics/2978980.stm

Published: 2003/06/10 15:13:25 GMT

The nuisance of unsolicited messages is threatening to suffocate the world e-mail system, said an MP.
Labour MP Paul Flynn made the claim as he called for the UK to ban the "parasite" of commercial junk e-mails.

"Spam" messages were overloading internet systems, deceiving people and randomly spreading pornography, he told the House of Commons on Tuesday. The Newport West MP was proposing a 10-minute rule bill which would change the consumer protection laws to bring in a ban.

The backbencher's bill stands no chance of becoming law itself but is designed to up the pressure on the government to act.

Meltdown fears

Mr Flynn said: "Unsolicited commercial e-mails are a pestilential nuisance that threatens to terminally swamp and suffocate the world e-mail system.

"That system is the biggest improvement in communications that the world has had since the invention of the telephone.

"Spam is now a multiplying giant parasite that threatens to destroy its host."
Mr Flynn, who has won parliamentary website of the year in the past, said MPs frequently returned from breaks away to find 600 new messages on their computers.

One MP had become so exasperated that he had thought about changing his web address to "tryanotherMP.com".

Mr Flynn joked: "The only person I have ever known who claims to have benefited from spam is a gentleman who says he bought every offer he had received to enhance his maleness and he now has a male appendage which is 43m long."

Pornography risks

But the problem was often much more sinister, with medicinal drugs offered without prescription offered in some messages. In an "odious" trend, three out of every 10 "spam" e-mails were pornographic, he said.

"These are sent out on an entirely random basis to vulnerable people and to children," he said.

Mr Flynn railed against the deceptions used by "spammers" who kept changing their methods in an effort to get through filters.

The "spam" menace risked closing the universal and open nature of e-mail, said the MP, with China already putting up an electronic wall to keep e-mails out.

With a group of MPs organising a "Spam Summit" in July, Mr Flynn said prosecutions could tackle the problem, as had happened with junk faxes.

Crackdown plans

His bill would make it a criminal offence to send e-mails without the consent of the recipient, as had already happened in Denmark.

Mr Flynn recounted how one anti-junk mail campaigner was predicting the problem could mean "meltdown" for the e-mail system in as little as six months. That remark prompted an aside from one backbencher, who was heard saying: "Good, the sooner the better." Governments are also getting involved in the fight against "spam". From October, a European Union directive will make unsolicited e-mails illegal across member states.

By October the UK is also looking to introduce strict new rules about how personal e-mail details are used to try to curb unwanted and unsolicited messages.

2003-05-29T12:27:00.000-04:00

Letter from Bill Gates to the U.S. Senate Commerce Committee Regarding Spam Hearings
Wednesday, May 21st, 2003
Dear Chairman McCain and Ranking Member Hollings:

Thank you for holding this important and timely hearing on spam. I greatly appreciate the leadership of both you and your Commerce Committee colleagues. I regret that we are unable to participate directly, but would like to take the opportunity to share Microsoft's perspective on this critical e-commerce and consumer issue.

The torrent of unwanted, unsolicited, often offensive and sometimes fraudulent email is eroding trust in technology, costing business billions of dollars a year, and decreasing our collective ability to realize technology's full potential. According to some industry estimates, spam now makes up more than 50 percent of all email. To make matters worse, spam often preys on less sophisticated email users, such as our children, posing a genuine threat to personal security and privacy and threatening the very utility of email as a viable communication tool. [more]

2003-05-29T12:17:00.000-04:00

AU - SPAM: The ACCC has joined with agencies in other countries to stop spam, targeting open relay mail servers.
Yahoo AU is calling for national legislation.

See Findlaw <http://www.findlaw.com.au/news/default.asp?task=read&id=14925&newstype=L&site=NE>,

Zdnet (<http://www.zdnet.com.au/newstech/ebusiness/story/0,2000048590,20274555,00.htm>,
<http://www.zdnet.com.au/newstech/communications/story/0,2000048620htm>,202
74675,00.htm>)

SMH <http://www.smh.com.au/articles/2003/05/20/1053196567752.html>,

Australian IT <http://australianit.news.com.au/articles/0,7204,6469939%5E15330%5E%5Enbv%5E
15306%2D15319,00.html>

2003-05-29T12:06:00.000-04:00

Alligate Stops Spam - Bites Back
Santa Barbara, CA -May 29, 2003

Solid Oak Software, Inc. has announced the release of it's latest product, Alligate, a full featured anti-spam gateway server for Windows platforms. A pioneer in Internet content management, Solid Oak has received numerous awards and international recognition over the past 8 years for CYBERsitter®, the leading personal web filtering and content management product. [more]

2003-05-25T15:07:00.000-04:00

New York Times, May 25, 2003
How to Unclog the Information Artery, by SAUL HANSELL
http://www.nytimes.com/2003/05/25/business/yourmoney/25SPAM.html?pagewanted=print&position=

"THE libertarian roots of the Internet run deep. It was the place where innovation trumped experience, where the little guy had as big a megaphone as the largest network, where the small business could reach a global market, where the public could regulate far better than any government.

No one imagined that the megaphone would become so loud or that it would speak so often of penis enlargement pills and opportunities for unusual financial transactions in Nigeria.

As the quantity of spam rises to drown out other e-mail, the libertarian is being replaced by the draconian. Regulate it, ban it, censor it, tax it, the cries rise up. Do something, anything, to keep it out of my mailbox.

Internet companies boast of their spam-fighting tools. There are, in fact, a wide range of proposals for taming spam. Some involve technological innovation or legislation; many involve both. "It is clear we must act,' Senator John McCain, Republican of Arizona, said last week at a hearing on spam before the Commerce Committee, which he heads. "For Congress's part, we should make no mistake. Unless we can effectively enforce the laws we write, those laws will have little meaning or deterrent effect on any would-be purveyor of spam."

Most of the bills in Congress are built around imposing penalties for sending deceptive e-mail, like a message from "jenny" with the subject of "About last night." Some also want to make it easy to spot spam, typically by requiring the label ADV in the subject line of commercial e-mail.

But what exactly is spam? Some say it is any e-mail you didn't ask for. But if that standard were applied to postal mail, entire industries like credit cards and catalogs would come to a halt. Those companies want to ensure that any crackdown on spam doesn't prevent them from moving their business into the electronic age.

So far, the bills in Congress say that it is enough to let e-mail recipients opt out and to give them an easy way to avoid future e-mail. Some states are considering a tougher standard, banning all e-mail to people who don't opt in, or request it.

Others are taking matters into their own hands. Volunteer spam fighters are creating lists of Internet addresses of spammers to boycott. And some Internet service providers are preparing to dig even deeper moats around people's in-boxes, blocking mail from anyone the recipient doesn't already know.

The biggest potential reductions in spam may come from some more radical ideas, like imposing a small fee, like a postage stamp, for sending e-mail. And much of the spam problem could be stopped if the recipient of an e-mail message could verify the identity of the sender. But checking ID's at the door, in effect, is quite a change for a system virtually hardwired for libertarian anonymity.

Everyone in the world of the Internet is thinking about spam. Following are excerpts from conversations with seven people who have some ideas for a solution:

HANS PETER BRONDMO
Senior vice president of Digital Impact, which sends e-mail on behalf of 115 companies, including Citibank and the Gap.

Q. You developed Project Lumos on behalf of a group of companies that send commercial e-mail. What is it?

A. Lumos is a blueprint for changing the code of the e-mail so the senders of e-mail will be accountable for what they send. The e-mail system has a bug. It does not have an ability to represent you securely as being who you say you are. That bug was fine for 15 years until a certain element started to abuse the system in order to broadcast e-mail.

Lumos has two parts. First, if you are going to be a high-volume sender of e-mail, you will have to get a digital certificate that verifies who you are. The certificate will be encrypted in the header of each e-mail. The recipient will decrypt the header and verify who the sender is. If you want to send a few hundred e-mails, and you want to do it anonymously, I have no problem with that. But if you want to send spam to 30 million people and have no one know what you are doing, that is an abuse of a public resource.

Second, your identity will be associated with a performance score that encapsulates your reputation. If you change your identity, you lose your reputation. The first standard is: Did the recipients like what they got? If I send an e-mail that generated a lot of complaints, I'll get dinged. The second is bounce activity. Spammers send a huge amount of e-mail that bounces back, entailing a great cost.

You will still be able to send spam from China. But if you don't get a certificate that verifies your identity, no one will deliver your mail.

Q. Why have a score rather than a set of standards that mailers must meet?

A. Your spam is my steak. Different shades of gray will be treated differently by different users and different I.S.P.'s. You may need a mailbox with a little more flexibility because of your job, or you may only want to get e-mail from the 100 people you know.

Q. Should companies be allowed to send e-mail to people who didn't request it?

A. Your e-mail is your identity, on the level with your name and phone number. The cost of e-mail is borne by the recipient, unlike with postal mail, where the cost is borne by the sender. Those are two reasons why I think unsolicited e-mail is not O.K.

STEVE LINFORD
The director of the Spamhaus Project.

Q. Spamhaus runs the biggest blacklist of spammers in the world. How does it work?

A. First of all, we don't call it a blacklist any more; we call it a block list. The term blacklist has McCarthy connotations. It has created the image of a bunch of vigilantes in an unruly mob out to punish people. That's not what we do.

We block addresses where a large amount of spam is coming from. We have created a bunch of spam traps — fictional e-mail addresses on Web sites that only a machine crawling the Web looking for addresses to harvest could find. We know that if we get e-mail to those addresses that it is 100 percent spam. So we will list the sender.

We also run Rokso [the Register of Known Spam Organizations], with 180 known spammers. All of their addresses are put on the Spamhaus Block List. In North America and Europe, 90 percent of the spam comes from the Rokso crowd. The S.B.L. fluctuates between one million and two million I.P. addresses. [An Internet protocol address is a unique identifier, much like a telephone number, assigned to each computer on the Internet.] We protect 140 million mailboxes.

We are completely nonprofit and voluntary. All the services we provide are free, and we don't ask for donations. I run an Internet service provider in Britain, and I have paid for all of our servers out of my own pocket. All of the others creating filters and block lists were making money. I didn't want anyone to say that since you were making money you were prolonging the problem.

Q. Some lists also block mail from users who are not sending spam, in order to put pressure on the Internet service providers that are host for the spammers. Do you do this?

A. I think innocent users should not be blocked. There are some very aggressive block lists that are the equivalent of a dragster going down a normal street.

But if a spammer keeps on spamming, and his I.S.P. knows he is spamming, we will treat the I.S.P. executives as spam supporters. And we will block the e-mail server used by the I.S.P.'s executives. That gets their attention.

Q. Will the legislation on spam in Congress help?
A. We think the Can Spam Act [the leading bill introduced in the Senate] is the "you can spam with it" act. It says that if you don't use a fraudulent address, and if you provide a way for users to get removed from your list, then it's O.K. to spam. If that law passes, the I.S.P.'s won't be able to terminate spammers if they spam with their real address. If that passes, then spam will explode and six months later, Congress will have to come back and ban unsolicited commercial e-mail.

Q. You consider any e-mail that you don't ask for to be spam. Why is it different from advertising you get in postal mail?

A. The problem with spam is it doesn't scale. It's not like junk that comes in your letter box, which is only as much as your postman can carry. Spam is the equivalent of a row of flatbed trucks that come down your street absolutely laden with junk for you and you have no way to divert it.

ESTHER DYSON
Editor of the technology newsletter Release 1.0.

Q. In your writing you have advocated self-regulation for the Internet. Do you think that will work for spam?A. Spam is not just one thing. And I don't want someone else to decide for me what spam is. One reason I don't like regulatory solutions is that I get a lot of mail from strange places overseas that I wouldn't want cut off. If something is fraudulent or illegal, the government should take care of that. I have always believed in markets because the incentives work .

The model I like is the set-your-own-price-to-receive-mail model. Each person decides whether it costs 50 cents or $1 or whatever to send him or her mail. You charge only for mail you don't already know that you want. The magic of it is, people can really define their own terms. You want to build a system that lets the person you met at a party try you once. In an ideal world, the people you charge drop away, and you only get mail from the people you know and want to hear from.

The sender needs to post a bond or have an account that can be billed. That will require a huge amount of data processing, but that is what technology is good for. This would only work if you have an unspoofable return address, so you know whom to bill. Unspoofable return addresses are something like Internet hygiene. I don't care if they are anonymous, but mail should come back to them, and someone should be liable for the traffic they cause.

Q. Companies like Microsoft and groups like TrustE are proposing self-regulatory approaches that would put seals of approval on mail from companies that promise not to send spam. Does this make sense?
A. The TrustE notion of certification for good mailers is basically a marketing scheme. It makes it harder for the little guy to survive. The big guys already have trust. I would hate to see a world where you could only receive mail from the 10 or 15 biggest companies.

Q. Aren't the volunteers' tracking down spammers a good use of the Internet's ability to mobilize communities?

A. The blacklists tend to be applied indiscriminately, and they are overbroad. They amount to some sort of community censorship.

Q. Do you think legislation can help?

A. Congress seems to be barking up the wrong tree. Legislation can stop people in the U.S. The legislation they have got is more likely to drive people offshore. What you want is a system run by the Internet service providers.

MICHAEL P. SHERMAN
The vice chairman of Crosstown Traders, a mail-order company with brands like Figi's.

Q. How is the backlash against spam affecting your catalog business?
A. Of course spam is a problem, but the honest guys aren't causing it. There is a huge overreaction. And if it continues, it will eliminate e-mail as a legitimate channel of commerce. Every e-mail we send is to a customer who has opted in. But one of our 200,000 customers reported that they were being spammed by us, and we were put on a blacklist. We had to find the self-appointed policeman and explain what we do.

We need a coordinated attack, working with the authorities to enforce the current laws. I am the past chairman of the Direct Marketing Association. We have developed four pillars for honest people to do this the right way. Honest subject lines, no fraudulent headers, identify the sender — including the physical address — and an opt-out mechanism that works. We support federal legislation based on these pillars.

We also have an idea called the "gold list," a seal of integrity that says if you see an e-mail with a gold seal, you know it is from a reputable company.

Q. What's wrong with the idea that people should have to "opt in" to get commercial e-mail?

A. Do you ask for advertising? Advertising introduces someone to a new idea. How are you going to do that? People aren't going to say, "I want something new today, so I want an e-mail from you."

IRA RUBINSTEIN
The associate general counsel of Microsoft.

Q. Microsoft has spent more than a half-billion dollars trying to build software to filter out spam. Why isn't that good enough?
A. There is no certain way to discriminate mail from legitimate senders from spam. And the problem now with aggressive filtering is you increase the rate of false positives [legitimate e-mail deleted as spam].

Our proposal is to allow commercial senders to participate in a self-regulatory program that would provide a seal if they followed a set of best practices. The filters would take participation in such a program as an input.

Q. You propose requiring bulk commercial e-mailers to use ADV in the subject line, unless they have gained the seal for following best practices. Many states already require unsolicited commercial e-mail to carry ADV in the subject line, but few spammers do so. Why would that be different with a federal law?

A. Clearly, the number of spammers who comply will be small. If they do, it will be possible to filter them out. But compliance will be high from legitimate senders who do not want to break the law. That will create a powerful incentive for legitimate commercial e-mailers to sign up for a seal. They won't want to label their e-mail ADV.

Q. What sort of commercial mail would be exempt from the ADV label? Would senders mail only to people who have opted in to receive it, or would they merely have to give recipients an opportunity to opt out of future mailings?

A. I don't think any single company can answer that. You need a regulatory process to help define the standard.

Q. Wouldn't this sort of whitelist approach favor big marketers that have the time and money to apply for the seal?

A. You clearly need a way to make this available to small- and medium-sized businesses. You could do that through a distributed form of certification.

Q. If a business receives such a seal of approval, would that guarantee that you, as an provider of e-mail, would deliver its messages?

A. No. The federal law should not be viewed as creating a right on the part of senders to have their mail delivered. That could interfere with filtering that is going on today.

GARRY BETTY
The chief executive of EarthLink, a large Internet service provider.

Q. You are introducing Spam Blocker, a service that uses a so-called challenge-response approach. Why?

A. We have been offering a spam filter for four or five years, and it basically blocks out 70 to 80 percent of the spam. But our spam traffic has increased on the order of 500 percent in the last 18 months. So when you have so much spam coming in, letting even 30 percent of it through is a lot. People get tired of it and frankly no matter what you think about free speech, some of it you don't want in your home.

Next week, we will introduce Spam Blocker, which augments what we have done with filtering. Users only see messages in their in-boxes from people in their address books. If you send me an e-mail for the first time, your message goes into my "suspect" mailbox. The system generates a message back to the sender, who is referred to a Web page, where it is necessary to fill in some information, including copying a number from an image that a machine could not read. Then I will see that you want to send me mail, and I can refuse or say O.K. Mail sent by automated e-mail generating programs will never get through.

Spam has become such a problem for the users that this is the best approach. The users can always look in the suspect mail folder to see if something hasn't gotten through that they want to read. We think this is the only solution that offers customers a 100 percent effective way to get rid of spam.

Q. You have also been very aggressive filing lawsuits against spammers. Why?

A. If you look at the spam we get, there is always a small group of people responsible for most of it. We have a group of 12 people in our security department and all they do is try to stop spam in progress. And we spend $1 million a year on legal fees to combat spam — in addition to the security people. The judgments we get not only stop them from spamming us; we have inserted in the order that they can't spam anybody.

ORSON SWINDLE
A member of the Federal Trade Commission.

Q. Who can solve the spam problem?

A. The industry has to lead. I have told the I.S.P.'s as bluntly as I know how that industry should be able to empower the consumer, home user, student and small business with an easy-to-use system so I don't have to see this stuff. I know they can do it because in my AOL 8.0 I can check a little box that will only show me e-mail from people in my address book. But by default, it is set to show me all e-mail.

I'm not sure the I.S.P.'s want to do more. They have relationships with their clients who want to advertise. If they empowered consumers to be in control of what comes into their e-mail boxes, guess what? The consumers would block all the advertisers' e-mail.

Q. Why are you skeptical that new laws will help?

A. Tougher penalties will not help us get the bad guys. At the Senate hearing this week, Brightmail [an antispam software company] said that 90 percent of spam is untraceable. If you can't get them, what good does a new law do? And if e-mail lies about your address, or your subject line is "regarding your order" or the content of your message is a scam, all of that is deception, and we already can go after you. But we still have to find you. Successful prosecution may be a deterrent, but I don't think so.

Q. What do you think of Senator Charles E. Schumer's proposal for the F.T.C. to run a do-not-spam list much like the new do-not-call list?

A. People love the do-not-call list, but a do-not-spam list won't work. The telephone industry is highly regulated, with a finite number of telemarketers. The Internet isn't regulated, and it has an infinite number of people who can send spam. "

2003-05-23T10:20:00.000-04:00

Stopping Spam: New Study Focuses on Anti-Spam Strategies
Addressing ISPs Troubles Will Ease Burden on Individuals
by Hiawatha Bray, Boston Globe

Washington, D.C., May 21, 2003-A new Competitive Enterprise Institute study on spam email surveys the effectiveness of current user-based countermeasures and laws and suggests additional strategies for stopping unwanted emails through legal and technical solutions to help Internet Service Providers (ISPs).

Spam is the consumer technology issue of the moment. Everyone agrees it is a problem, but there is little agreement on the best solution. And while far more public attention has been focused on how spam affects individual email users rather than ISPs and other large network administrators, the consumer-focused approach is only part of the solution. The consumer is the end of the spam's journey; its origins lie in the policies and technologies of networks.

"While there is naturally more public sympathy for end users deluged with emails for adult products and pyramid-marketing scams than for the headaches of ISPs, solving most of the ISPs' problems would probably also solve most of the problem for consumers," said Senior Policy Analyst and study co-author Solveig Singleton. "The converse is not true, however, meaning that legal and technical solutions with an emphasis on the perspective of ISPs are more likely to be effective for everyone."

The study, Spam: That Ill O' the ISP: A Reality Check for Legislators, assesses contractual, technical, and statutory solutions, noting that while there are some effective technical solutions to help consumers and businesses control spam, ISPs, the most seriously affected, have found only partial solutions. It also concludes that effective spam control will come only with innovations in enforcing laws or policies. Many of the provisions of proposed new laws thus far are too broad, but research on deterrence shows none would be helpful without relatively strict enforcement.

The study, Spam, That Ill O’ The ISP - A Reality Check for Legislators, written by Solveig Singleton and Hanah Metchis, is available online at http://www.cei.org/gencon/025,03482.cfm. [Full report in PDF format here.]

EXECUTIVE SUMMARY

Most public attention has been focused on how spam affects individual email users; less on its impact on ISPs and other administrators of large networks. But the consumer-focused approach is unlikely to solve the most serious aspects of the problem. The consumer is the end of spam’s journey; its origins lie in the policies and technologies of networks. Solving most of the problems for ISPs would probably also solve most of the problems for consumers, but the converse is not true. Therefore, this paper assesses spam and its legal and technical solutions with an emphasis on the perspective of ISPs.

We begin by navigating among several competing definitions of spam and outlining its most seriously problematic aspects for consumers, businesses, ISPs, and legitimate marketers. We go on to assess contractual, technical, and statutory solutions.

For end users, the best solutions are the new Bayesian content filters, which can be tailored to individual preferences.
ISPs, the most seriously affected, have limited and constrained the spam problem successfully using filters, litigation, and contractual solutions.
Spammers have been largely forced off of legitimate ISPs onto foreign relays and hijacked ISPs.
Many (not all) provisions of the new laws proposed thus far are too broad, but none would be helpful without vigorous enforcement.
Significantly stepped up enforcement levels would be necessary for any law to have a deterrent effect.

The study cites empirical research showing that laws have little deterrent effect unless there is a substantial probability that violators will be caught. Increasing the severity of penalties is ineffective if enforcement is ineffective. Many federal and state laws already apply to spam. While a few more carefully targeted laws might be justified, the most effective use of government resources would be increased enforcement. And it should be aimed at real bad actors, not legitimate businesses that have taken a misstep in posting a privacy policy or administering an email list.

2003-05-20T17:04:00.000-04:00

Unsuspecting Computer Users Relay Spam
By SAUL HANSELL, New York Times, May 20, 2003

"It first, it looked as if some students at the Flint Hills School, a prep academy in Oakton, Va., had found a lucrative alternative to an after-school job. Late last year, technicians at America Online traced a new torrent of spam, or unsolicited e-mail advertisements, to the school's computer network.

On further inquiry, though, AOL determined that the spammers were not enterprising students. Instead, a spam-flinging hacker — who still has not been found — had exploited a software vulnerability to use Flint Hills' computers to relay spam while hiding the e-mail's true origins.

It was not an isolated incident. The remote hijacking of the Flint Hills computer system is but one example among hundreds of thousands of a nefarious technique that has become the most common way for spammers to send billions of junk e-mail messages coursing through the global Internet each day.

As spam has proliferated — and with it the attempts by big Internet providers to block messages sent from the addresses of known spammers — many mass e-mailers have become more clever in avoiding the blockades by aggressively bouncing messages off the computers of unaware third parties.

In the last two years, more than 200,000 computers worldwide have been hijacked without the owners' knowledge and are currently being used to forward spam, according to AOL and other Internet service providers. And each day thousands of additional PC's are compromised at companies, institutions and — most commonly of all — homes with high-speed Internet connections shared by two or more computers.

Just last Thursday, 17 law enforcement agencies and the Federal Trade Commission issued a public warning [Open Relays - Close the Door on Spam] about some of the ways spammers now commandeer computers to evade detection. The officials translated the warning into 11 languages because many of the exploited computers are known to be in China, South Korea, Japan and other countries with heavy Internet use.

Mostly, the spammers are exploiting security holes in existing software, but increasingly they are covertly installing e-mail forwarding software, much like a computer virus. For some, hacking is no longer about pranks, but making a profit.
* * * *

Sometimes people do find that someone has been sending spam and using their e-mail address as the sender, but this does not mean that their computers were used. Nothing on the Internet verifies that an e-mail message was actually sent by the person listed in the "From" address, which is one reason fighting spam is so hard.

And spammers like to send e-mail that appears to be from their enemies or names chosen at random. The legitimate owners of those addresses are often left to clean out hundreds or thousands of complaints from their e-mailboxes.
When a computer receives an e-mail message, it does record a code number, called an Internet protocol address, that can be traced to the computer that is connecting to it. But often e-mail is passed from one machine to another and the identity of the original sender cannot be verified.

Indeed, the rapid rise in the number of spammers trying to hijack innocent computers is a direct result of their desire to hide their own Internet protocol addresses from spam blockers. Most commonly, they are taking advantage of a backdoor in much of the software that office users or people with high-speed connections at home often install to share an Internet link among several computers — or so-called proxy servers. Some other types of e-mail and Web surfing software, typically run by larger companies, can also be taken advantage of if security features are not properly set up.

Because it essentially enables one computer to masquerade as another, a proxy server is an ideal tool for anyone seeking to use the Internet anonymously. So proxy servers are used by people in some countries to visit Web sites blocked by government censors. They are also used by hackers trying to attack other machines. And they are perfect for spammers trying to avoid filters.

None of these uses would be possible if the owners of the proxy servers made sure to configure them for access only by authorized users. But whether from laziness or ignorance, many users of proxy servers leave them open to anyone on the Internet.

AnalogX Proxy, a free proxy-server program that has been downloaded by more than a million people, is automatically in the open state when it is first installed. Mark Thompson, the author of AnalogX, said he had rebuffed the requests of many antispam activists to distribute the software with the security features already activated because doing so would make it harder to set up.

Even so, Wirehub, a Dutch Internet service provider, says that 45,000 of the 150,000 open proxy servers it has identified as sending spam appear to be using AnalogX.

To find all these vulnerable machines, spammers and other hackers deploy computers that do nothing more than try to connect to millions of computers across the Internet, looking for open proxy servers to exploit.

Spammers and hackers trade or sell lists of open proxy servers on dozens of Web sites. And other sites sell software a would-be spammer can use to find new servers. In the last six months, an increasingly common trick has been for spammers to attach rogue e-mail-forwarding software to other e-mail messages or hide it in files that are meant to emulate songs on music sharing sites like KaZaA.

As with all such hacker contraptions, and much spam, it is difficult to figure out who is behind these programs. But there is some evidence that one of the major spam-sending programs, known as Jeem [info here], originated in Russia, which has been a fertile ground for both spammers and hackers.

Last October, Michael Tokarev [see <http://www.corpit.ru/mjt/software.html>], a Russian computer programmer active in the worldwide antispam effort, noticed a lot of spam in Russian that offerred bulk-mailing services. The messages were identical, but they came from many different computers. He investigated and found they were forwarded by a program, calling itself Jeem, that had not been seen before.

Mr. Tokarev said that in December, a Russian forum for spammers called Carderplanet.com contained a posting offering to sell the Internet addresses of open proxy servers, for $1 each, that appeared to be machines infected with Jeem. "Since the last week of December, several big U.S. spammers started to use those Jeems, too," Mr. Tokarev wrote in an instant message interview last week.

Machines infected with Jeem, which is especially hard to find because it keeps switching its identity on the computers it borrows, seem to be used these days mostly by spammers selling pornography, David Ritz, a volunteer spam fighter, said. Using a software monitoring tool he helps run, Mr. Ritz last week examined the messages sent to Internet news groups from just one home computer infected with Jeem. On one day last week, this computer sent 773 pornographic news postings with subjects like "Lolita paradise" and "N.U.D.E —— L,O,L,I,T,A,S."
* * * *
AOL, which has made fighting spam a central part of its marketing thrust, is taking what some see as radical action against open proxy servers. It will no longer accept any incoming e-mail sent directly from the computers of individual home users with high-speed service. This will not affect most home users because they typically do not run e-mail servers on their own computers but connect their e-mail programs to servers run by their Internet providers. But a handful of advanced users and small businesses do run their own e-mail servers connected to high-speed lines, and they no longer can send e-mail to AOL users.

Road Runner, the high-speed service of Time Warner cable, is taking a different approach. It is actively running the same sort of scanning program used by the spammers to find out whether any of its customers have open proxy servers. Those that do are asked to close them. Many other service providers shy away from such scanning because it appears to be an invasion of privacy." [entire article]

2003-05-19T12:29:00.000-04:00

AU - SPAM CAMPAIGN EXTENDED:
The IIA <http://www.iia.net.au/> extended <http://www.iia.net.au/news/030501.html> its national campaign against spam for a further three months. A free trial <http://www.iia.net.au/nospam/> can be downloaded.
See April 28 Alert .

2003-05-17T23:02:00.000-04:00

STREET SPAMMER IS SUED BY SEC By LAUREN BARACK
NY Post.
"May 13, 2003 -- There's one born every minute. A 20-year-old spammer who duped investors tricked by his amateurish messages out of $102,554 - then used the money for his living expenses - was sued by the Securities and Exchange Commission yesterday.

Smith sent more than 9 million messages and maintained Web sites rife with spelling errors that purported to be guaranteed by a fictitious "Canada Deposit Insurance Corporation," from May 2002 through February 2003. Although he asked for minimum investments of $500 to $2,000, he attracted just 29 investors.

Spam has become the "it" word among federal agencies and politicians eager to please consumers who have grown furious at the amount of unwanted advertising clogging in-boxes. Most Internet service providers offer spam-filtering software for their customers, but even they admit that spam is a game of technology one-upsmanship.

"Spam was a nuisance a year ago, but now it's a big problem," said Sen. Charles Schumer (D-N.Y.).

Schumer hopes to have a national bill that would create a no-spam list similar to New York State's no-call list, passed in the Senate this summer. The bill would call for a $5,000 fine for each day a spammer sends out unwanted e-mail, and allow for jail time if they refuse to stop.

The House Committee on Energy and Commerce (http://energycommerce.house.gov/) is expected to introduce its own spam bill as early as today.

Even Andy Rooney has gotten into the anti-advertising game, commenting on Sunday night's "60 Minutes" on the flurry of unsolicited ads consumers see every day." [more]

2003-05-16T15:07:00.000-04:00

Justice Department Cracks Down on Internet Crime
By THE ASSOCIATED PRESS, Filed at 11:28 a.m. ET

WASHINGTON (AP) -- The government touted dozens of its most important Internet investigations during 2003 in an attempt to demonstrate that the FBI and other agencies are tackling cybercrime seriously despite the ongoing war on terrorism.

The Justice Department dubbed the effort ``Operation E-con,'' a collection of separate investigations over the past five months that targeted investment scams, sales of stolen software, online banking fraud and even a purported Russian marriage service.

The Justice Department said more than 130 people have been charged with a variety of Internet crimes and scams, including identity theft and failing to deliver goods purchased online. Federal law enforcers planned a news conference Friday to announce the crackdown on Internet fraud, dubbed Operation E-Con. In a news release, officials said more than 90 investigations nationwide involved 89,000 victims and losses estimated of at least $176 million. The officials said about $17 million has been seized or recovered by investigators.

http://news.findlaw.com/ap/ht/1700/5-16-2003/20030516024500_5.html

Browse Computer Crime Laws & Cases - http://www.findlaw.com/01topics/10cyberspace/computercrimes/gov_laws.
html. [more]

2003-05-16T10:38:00.000-04:00

The entire Let's Fight Sp@m series: http://www.scotsnewsletter.com/best_of/fightspam.htm