
Re: [Asrg] How about we do something about spam?




On Jan 29, 2007, at 2:48 PM, Barry Shein wrote:

On January 29, 2007 at 13:48 dotis at mail-abuse.org (Douglas Otis) wrote:
The US Federal government allows bulk sending of unsolicited email.

To be precise the "US Federal government" allows nothing specifically in this realm. There are activities which are expressly or by implication of law illegal or subject to regulatory or civil limitations.

,---
|CAN-SPAM Act of 2003:
|SEC. 3. DEFINITIONS.
|(16) SENDER-
| (A) IN GENERAL- Except as provided in subparagraph (B),
| the term `sender', when used with respect to a commercial
| electronic mail message, means a person who initiates
| such a message and whose product, service, or Internet
| web site is advertised or promoted by the message.
|
| (B) SEPARATE LINES OF BUSINESS OR DIVISIONS- If an entity
| operates through separate lines of business or divisions
| and holds itself out to the recipient throughout the
| message as that particular line of business or division
| rather than as the entity of which such line of business
| or division is a part, then the line of business or the
| division shall be treated as the sender of such message
| for purposes of this Act.
|...
| (5) INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS
| IN COMMERCIAL ELECTRONIC MAIL- (A) It is unlawful for any
| person to initiate the transmission of any commercial
| electronic mail message to a protected computer _unless_
| the message provides--
| (i) clear and conspicuous identification that the message
| is an advertisement or solicitation;
| (ii) clear and conspicuous notice of the opportunity under
| paragraph (3) to decline to receive further commercial
| electronic mail messages from the sender; and
| (iii) a valid physical postal address of the sender.
'___

OPT-OUT allows 10 days before messages related to a line of business must stop. Prior to receiving the OPT-OUT request, email-addresses can be exchanged with other entities. Valid domain names, lines of businesses, and physical addresses can change every 10 days and remain within the guidelines of the CAN-SPAM act, even when each spam does obtain an OPT-OUT request.

This act is specifically allowing the bulk sending of unsolicited email and demands recipients to stop the abuse which may continue unabated for 10 days. Following that point in time, a new entity can carry forward the abuse.

If you know of a US law which says "you can send unsolicited email", other than by implication of the absence of any express prohibition, I would be interested in seeing a reference to that law or similar.

The key word here is "unless".

That said, much noxious email is sent via computers which have been in effect "hijacked" by use of viruses, trojans and other malicious software.

The same noxious email can be sent in bulk legally from non-hijacked computers. It is hard to know which SMTP clients have been hijacked via malware.


These are often called "zombie botnets", a commonplace term of art which could be more precisely defined, and I referred to them specifically in the email to which you are responding but you elided that phrasing in your response.

Creating or exploiting "zombie spambot" behavior is illegal in the US and elsewhere, and has been occasionally prosecuted. The problem, thus far, has been lack of enforcement.

It is much easier to detect when a computer is sending bulk unsolicited emails. The problem is rather simple. When it is legal to send bulk unsolicited email, spamming fails to provide actionable evidence of a crime.


While this is spamming, US law permits it. Providers with customers that are bulk sending unsolicited email must rely upon AUPs to be able to exclude this behavior. Other countries ignore egregious behaviors that might also be seen as possible revenue sources.

Such countries might exist, perhaps de facto, but their intention, e.g., for the revenue sources, as you claim, versus a simple lack of prioritization of enforcement activities is unclear.

When one country bombards another and calls the spam traffic legal, this may tend to diminish a level of cooperation in other areas.


If you know of any country which has expressly stated in a policy, memo, legislation, or other publicly memorialized statement what you claim above I'm sure it would be edifying to this group.

There are several countries that offer an undesirable level of cooperation. One such country is the USA.


I personally know of no such document and as such where you claim the lack of expressed intent, policy, or judgement as intentioned I will claim that same silence as mere negligence and the intent as quite the opposite.

Review the CAN-SPAM Act of 2003.

Otherwise I have to assume your statement is a purely speculative inference into the /mens rea/ of more than one nation (you use the plural) whom you do not even list. Could you at least provide an even partial list of these nations whose intentions you are relating? Better would be the specifics you base your claims upon.

One should not point to others, when at least three fingers point back toward yourself.


Effective measures may require international agreements.

This is a weak attempt to make the best the enemy of the good.

When talking about spam, it is hard to describe a law that permits spam as being even within the realm of being good.


Nations, as a rule, have legal sovereignty over their own citizenry. There is no need for international agreement to enforce a nation's own laws on their own citizens.

The Internet requires a level of cooperation between different countries, as network related crime easily extends beyond geographic boundaries.


If a citizen of a country is breaking that nation's laws, such as fraud or electronic trespass, even if the act is not ultimately within that nation, they would have legitimate claim to first jurisdiction in any criminal, regulatory, or similar matter, generally by exercise of long-arm statutes or limitations thereof.

We are not talking about what is illegal, but what is considered legal, but damaging.


Where there might be exceptions they could be dealt with in the future as a refinement of the proposed action. Thus, making the best the enemy of the good.

What proposed action? This is a problem of _no_ action.

I reject the proposition that because there might be some case which requires more broad and as yet non-existent powers to prosecute that therefore we must not encourage the prosecution of behaviors which easily fall within the current purview of each nation's sovereignty.

Each country is not independent with respect to the Internet. While each router falls within the purview of each owner, cooperation among owners must be sustained for the network to function.


That, to repeat, is merely an attempt to make the best the enemy of the good which is a highly undesirable goal.

I think you mean some ridiculous set of guidelines that prescribe how to send bulk unsolicited email is the enemy of practical protections. There is no practical means to know whether a computer is spamming due to malware. We both agree that BOTs have become a serious problem. Ask good citizens via laws to stop spamming and focus attention on those that continue.


What rules should be adopted to improve behavior on the Internet? With spam establishing the principle, what is left remains a discussion of price.

Lawful nations recognize a duty to enforce their laws, particularly as they relate to their own citizenry's behavior. The mere existence of unlawful nations does not argue against that point.

The principles of behavior are compromised when resources are abused for unfair, unsafe, and impractical promotion just to make a buck.


There is nothing new or unusual about criminal fraud, trespass, vandalism, or similar which may arguably cross international boundaries whether it involves postal, telephony, telegraphy, wire transfer, internet, or other means.

The subject line is about spam. Trespassing and vandalism are clearly poorly considered by the CAN-SPAM Act of 2003.


My suggestion was simply a suggestion that we produce a document ultimately issued by the IETF urging more effective enforcement of laws as they stand.

These laws must change. One cannot start with the premise that spamming is okay provided there is some method to opt-out.


Whether further refinement would help is a separate matter and unnecessary a priori, even if a desirable goal. Sufficient unlawful behaviors enable "spam", such as zombie botnets, that it would be progress to simply make a public request that the laws (&c) prohibiting those behaviors be better enforced.

Knowing what is due to malware and what is legal cannot be determined as long as spamming remains legally sanctioned.


-Doug




_______________________________________________ Asrg mailing list Asrg at ietf.org https://www1.ietf.org/mailman/listinfo/asrg