Do-Not-Email Registries?

prgrmr writes "Wired has an article about Colorodo and Missouri's latest legislative proposals to deal with spam and with spammers. There appears to be actual consumer-protective teeth in these bills which mirror the telephone 'do not call' lists. A nice example of a government perpetuating a working concept instead of trying inventing new ways to break things."

Accident

[Big Mark]

Whatever happens, you'll still get the email equivalent of the following:

*phone rings*
"Excuse me, sir, are you interested in..."
"I thought I was on a fucking do-not-call list!"
"Sorry sir, you are, it was an accident. Sorry sir."

Direct marketing is here to piss the hell out of us for a long time yet.

-Mark

Out of Country Spam

[PepperedApple]

It seems like this would only protect us from spam by legitamate countries in America. I can just imagine trying to sue the fly-by-night spams I recieve, many of which I don't think are from this country.

I don't know how much this list will help.

Might work if....

[www.sorehands.com]

It might work if it had some of the following provisions:

• Trap names on the list so that the states' sttorney general's office may go after them.
• Statutory penalties for violations.
• Liability for companies that hire spammers.
• The ability to block domains, not just individual users.

The difference is...

[Anonymous Coward]

Accountability. The telephone companies have a limited number of telephone accounts, and they have a rough idea of who owns each one, where calls are coming from, etc, etc. And, most importantly, it's very easy for them to track down offenders and terminate connections. Spammers, though, don't face exactly that same problem. Jumping to a new vulnerable server is MUCH easier than getting a new telephone line. I wouldn't be surprised to see illegal spammers using these lists as a source for their spamming.

Why this won't work

[possible]

I don't think this will work. Do not call lists (for telephone spam) work fairly well because it's rather easy for the government and/or utilities to investigate who is violating a DNC list. This is made even easier by the fact that phone/fax spam from abroad is almost non-existent in the USA.

With email, it is far more difficult to stop. First, the jurisdictional issues. Second, it is trivial for an email spammer to hide his identity -- there are plenty of open relays to bounce through.

I already receive spam for "500,000 opt-in email addresses on CD!" -- when do-not-email lists are in place, I'm sure I will be getting adverts for "500,000 do-not-email addresses on CD!". And nobody will be able to stop them.

Thank you DMA

[bpfinn]

Nevertheless, Congress has failed to pass any of the 19 national antispam bills introduced since 1999, thanks in part to lobbying efforts of the business community.

No antispam bill has passed because the DMA wanted to reserve the right for their members to spam you.

There are people AGAINST this, and not spammers!

[Ayanami Rei]

I don't get it.

They (CAUCE [cauce.org]) complain that it shifts the burden onto the consumer to be a member of the opt-out list (which is free, and easy to get into). The complain that we are treating the symptoms and not the cause.

Bull. It costs the spammers money to even SEE the lists, and they face $500+ penalties if they don't check and mail first. Hence, this is a real financial deterrent (at least in those states). This artificially raises the transaction costs, which gets at the cause (that is, email is cheap and free).

Instead, CAUCE wants it to be like junk fax laws wherein no one can send you email without having established "a business relationship" with the recipient. I see too many ways of twisting this around in court that would prevent legitimate email from being sent to people when your first contact with them would be through that medium. It would scare people away from just sending email notes because they won't know how it'll be interpreted at the other end. I can envision paranoid use policies sprouting up in IT departments all over our fair land. Nooo!!!!

What is unclear is whether both the spammer and the spammee (sp ?) have to be in the same state (or in states with similar laws) for this to be effective. In that case, all the spammers will just base their operations in Florida where half the GDP comes from MLM and other scams.

Will it work for email coming from overseas?

[corebreech]

No?

So what good is it?

Appalling risks of unintended consequences

[billstewart]

There are so many things that can go wrong with a list like that if you don't implement it carefully. First of all, it'll be downloaded by Korean-proxy-abusing spammers and spammed anyway, from outside the states' jurisdictions. ("Buy Our Spam Prevention Software Now!") And SPAMMERS ALWAYS LIE. You'll start seeing spam about "This Email Isn't Spam, and by not using the State Spam-Blocking-List, you've given us permission to contact you about our AmAAAAZING Spam-Free Offers!"

Second, if you don't verify the information carefully, at minimum with double-opt-in and some kind of Turing test (e.g."type the number from the gif into this box"), there'll be all sorts of abuse, signing up people who don't want to be there, automated h4X0r b0ts trying to kill everybody in the state, random crap like that. Do you trust your average state government to implement something like that right? (If you answered "yes", and live in California or New Jersey, you obviously don't bother reading headlines about state government computer project debacles, and if you live somewhere else, your local government is just as stupid by I haven't been paying attention to them :-)

Third, there are ways to provide some privacy protection while still maintaining a blocking list. For instance, instead of keeping a database of addresses that pass the double-opt-in test, publish a list of harder-to-abuse hashes of the addresses:

Salt, Hash(emailaddress, salt)

Fourth, this doesn't always mix well with newer tagged-format addresses ("username+tag1@example.com") or domain or subdomain addresses ("anything@mydomain-example.com" or "anything@username.fastmail.fm") unless the rules are tediously explicit and accurate for how to use them. These kinds of addresses let you give every recipient a unique address, which your email programs can filter on to discard stuff that's obviously abuse and sort stuff that's from real people.

$10? Come on....

[WotPeed]

One of the proposed laws gives the consumer $10 for successfully sueing a spammer. Gimme a break, who's got the time to go to court for $10? Another of the proposed laws awarded the spamee $5000 (or was it $2000?) if they had registered on the no-spam list but gets spammed anyway. That would certainly be more of a deterrant, but it doesn't address the problem of finding the spammer to begin with. While it's good to see someone trying to do something about the problem, this ain't it.

It's not a working concept though.

[More Karma Than God]

The spammers will just hide thier tracks using servers outside the US in safe havens for shady activities.

Practically speaking I'd like to see international law recognize that those profiting from spam (the people who are actually taking the money for the products) are responsable for the spam even if the spam cannot be traced directly back to them. Fines with teeth would be needed for enforcement.

stop the spammers with a central email list

[ses4j]

Legislation introduced in Colorado and Missouri would create a central database of residents who don't want to receive unsolicited e-mail...

Great, we'll stop the spammers by building a huge central repository of working email addresses, and then give access to the lists to spammers worldwide. How could THAT backfire?

scott

This sounds good, but...

[cdf123]

As the article points out, there are a lot of issues that need to be addressed. Not all spamers are in the US. A large amount of spam is forged. And the Colorado law sounds like it will draw in fakes that are just out for money, and thus, waist the courts time. And whats in place to protect those lists? What if they get hacked? Now we have illegal spam from forged addresses comming from outside our jurisdiction causing conjestion in our courts from gready people out to make a buck.

I think they need a new plan... Untill someone gets an international plan set, it will be difficult to crack down on any spam. I'll stick to my filters, thanks.

Great idea..

[Trevalyx]

Bad execution. This is a great idea in theory, but you look at reality and it falls through. Look at where the Do- Not- Call lists are now: In court. Besides, how many spammers are really worried about the legality of their spam, so long as it GETS to you. Many of them have virtual immunity, as they may send the command to mail from their base here in the US, but the actual e-mail is sent from servers outside the United States.
When it comes down to it, there's only one way to defeat spammers: Not buying into their advertising. Unfortunately, far too many people don't understand what a bad idea it is to actually pay attention to Spam.
What does this mean? We, my friends, need to find an alternative method to fight Spam. My guess? We do it by being just as annoying to the spammers as they are to us. There are any number of ways to do this, but what it comes down to is, use good spam intercepting software, and junk mail accounts. MS can afford the space, why not make them use it?

Re:Accident

[Anonymous Coward]

Ah, but in Missouri, the conversation goes like this: *phone rings*
"Excuse me, sir, are you interested in..."
"I thought I was on a fucking do-not-call list!"
"Sorry sir, you are, it was an accident. Sorry sir."
*click*
*beep-beep-boop-beep*
Hello, Attorney General? I've got some more revenue for you here."

It works.

Finally, but...

[sethadam1]

Sounds like a great idea...but....

with a forged packet headers, open relays, and a global internet not subject to any one state or country's laws..is this in any way enforceable?

What about overseas spam?

[Kelerain]

The do-not-call lists work well because overseas calls are prohibitvely expensive for telemarketers. Not so for spammers. This will require some over seas assistance. But perhaps the fees will outweigh the payoffs, and it will all work out in the end? I can only hope. It should cut down on domestic spam however. Now to get it implemeted in my state (Oregon).

Do Not Mail versus Do Not Call (extensions)

[Skapare]

With a Do Not Call list, one single entry covers all my phone extensions. Since the teleslimers will be comparing only the basic phone number, and not the number with its extension, against the list, by simply having my number without any extension in the list, a proper lookup will match and they can skip that number. None of my extensions will be called.

The issue is how to do this for email addresses. Many mail servers allow for "extensions" by having a certain special character such as "-" or "+" or "." followed by an "extension". By simply having the email account of the part before the separator, you automatically have every possible extension. Some people call this tagged email. And example would be jsmith-foobar@example.net [mailto] where only jsmith@example.net [mailto] would be in the list.

Many people even have their own vanity domain names, and regardless of what username is used before the @-sign character, they get the mail like the whole username were the extension.

For a registry to work, for at least those who are required to use it, it must meet at least these two requirements:

• Supports all user email addresses, including extensions
• Easy for the bulk mailers to compare their lists against
• The raw list itself must not be distributed

I looked at the registry [waisp.org] run by the Washington Association of Internet Service Providers [waisp.org] and found that the verification process [waisp.org] only works one at a time. This makes their registry virtually useless. Of course, distributing the addresses in the raw will be worse, as it will get in the hands of spammers out of the country, and everyone will just get more spam because now spammers will have a list of address that are even more likely to have someone reading. And some will be mass mailing to such a list just to destroy the effectiveness of registering.

One option is to distribute an SHA1 [openssl.org] checksum of each address. Then all that needs to be done on the mailer's end is to test each address by generating the checksum and looking that up in the database.

But even that has a risk, and I'm wondering if even that should be allowed. That risk is that spammers will run all their millions of email addresses through the process, and produce a subset of those who are registered, and then from out of the country ... they will spam the hell out of just those.

In the end I think the only real solution is for a law that establishes two distinct networks (same address assignment base, but disjoint routing), one where spamming is allowed, and one where it is entirely prohibited under threat of jail time (for the executives in the case of corporations, LLCs, etc). Each ISP can then choose to service one or the other or set up dual but separate facilities to serve both. Wanna bet which network most will choose?

Re:Why Legal and Not Technical Solutions

[MillionthMonkey]

I understand the problem with SPAM, but why a legal solution to a technical problem?

Because it's not a technical problem- it's a social problem that happens to involve technology. I suppose the phone company should come up with technical method to stop telemarketers as well, but the failure of technical solutions in solving the telemarketer problem was what prompted the creation of the do-not-call list. Technical solutions to spam have so far been a failure as well. The most you can hope for is a perpetual arms race.

It reminds me of the litgation induced from "deep linking," when in reality the web master simply needs to better configure his/her server.

That's a case of corporate idiots bursting onto the scene and applying political and legal pressure to destroy the protocols that made the web successful, because they want to shape it into something that favors their own myopic interests, and they think they can spend the money to get the courts to back them with a poorly reasoned decision. The fact that there's a technical solution to what they're whining about is convenient but irrelevant. Even if there weren't a technical solution to prevent deep linking, their case would be bankrupt.

Similarly there are technical solutions to this. If I'm on a "do-not-email" list, then why don't I configure my email client to only accept emails within my address book? Many email clients can do this filtering, even web based ones, so what's the problem? Effectively, this is what these people want and there's a solution so why the red tape?

Because we shouldn't have to resort to whitelists. I cannot compile a list of everyone in the world who isn't an asshole and who I might want to get email from. Maybe you never get mail except from six people, but some of us have to distribute our contact information.

Press 5 if you think technology serves you...

[SourceHammer]

So everytime I give out my email address to someone that I am willing to receive email from, I have to get their email address and enter it into my address book before I can receive their email. And if I have someone who I exchange email with and they change email addresses, we can no longer communicate via email.

Press 5 if you think that technology is improving the quality of your life.

I will do what I always do, change my email address when I start getting too much spam (through the filters.)

Re:Next step:

[Anonymous Coward]

I know what you mean,every time I get spam it says "we are sending this because you requested it from us or one of our affiliates..."blah,blah,blah.
?I DID??
Oh yeah,then theres the"To unsubscribe click here..."which translates to "To verify your e-mail address click here"

Am I the only person who thinks it makes more sense to have a "Call"or "E-mail"list instead of a "do not call"(or e-mail)Surely the number of people who want to be bothered would be much smaller than those who don't,so the cost of maintaning the list(s) would be considerably lower.Also,the companies making the calls or sending the E-Mails would be guaranteed that every call made would be to someone who will listen to or read the message.
Of course,the big business dollars will not allow that.

Laws need several things to work

[herbierobinson]

1. The per message fine has to be enough to make it worth pursuing. MO has the right idea: $5000 per message.

2. It has to allow for individual enforcement (i.e., small claims court). Law enforcement, frankly, should be frying bigger fish.

3. It should be a felony to promote anything with SPAM without permission of the entity being promoted.

4. In addition to the spammer, the fine should apply any entity being promoted by SPAM unless they are willing to file a criminal complaint against the spammer (for violating rule number 3). Note that filing a false criminal complaint is also very illegal; so, this would not be likely t be misused.