] Under Yahoo's new architecture, a system sending an
] e-mail message would embed a secure, private key in a
] message header. The receiving system would check the
] Internet's Domain Name System for the public key
] registered to the sending domain.

Yahoo Spam PKI

] E-mail list manager OptInBig found that the federal
] legislation is good for business. "Our January bookings
] skyrocketed after the passage of the Can Spam Act," said
] CEO Scott Richter, because its marketer clients no longer
] have to worry about California's strict law, which
] Federal law would supersede.

So, one the one hand, legitimate marketers are instantly freed of all of the state level regulations controlling SPAM, which is clearly to their economic benefit. Congressmen also have a story for their district about what they are "doing" about the problem. At the same time we also pre-emptively ban any business the cypherpunks ever thought of.

What I'm getting at there is that there are plenty of economic motivations to pass this law that really have nothing to do with actually stepping up enforcement against open relay abusers and porn spammers. I think this means its even less likely that they are actually going to start enforcing once this is on the books. I think this is likely to be a wash, with no actual enforcement at all. Just like all the other ones... Time will tell...

The truth about CAN SPAM

I sent this to Dave Farber in response to a post on Interesting People, but he never forwarded it on...

] I am at a total loss to see how one enforces this
] a world wide Internet. Seems to me that it forces
] the off shore of the spam industry. and does little
] to eliminate spam. Australia says 75% of their spam
] comes from China. How would this law help us again?

Although this law offers no solution to this problem that I can see, I might offer that there may be a need to enable local law enforcement agencies, who are tasked with dealing with small crimes and misdemeanors, to coordinate internationally at some point. Currently only serious cases of national importance can be raised to the level of international cooperation. If people can commit small crimes with impunity across borders then spam may only be the first popular example. A large number of small crimes can add up to a lot of money. Certainly we have the technology to enable more broad coordination between local law enforcement agencies. Will we have the need?

]] Anonymous advertising is an oxymoron. The point of ads
]] is to get people to buy stuff, so only makers or vendors
]] of the stuff that's advertised have an interest in doing
]] so, and if they can't find you, they can't to buy from you.
]] I suppose this would make "astroturf" fake grass-roots
]] campaigns harder, but I can't get too upset about that.

While I agree with John Levine's reading of the act, I think there are exceptions to this rule, which people on the Cypherpunks list have written about at length. This law does not just ban anonymous advertising. It bans any sort of anonymous business transaction via email. This means that it preemptively bans businesses which might operate behind anonymous remailers.

For example, one might imagine a time capsule service which accepts an anonymous ecash payment along with a document, and agrees to store it for a set amount of time. Once that time is up, the document is forwarded to a set email address. The service is run behind remailers so that once a document has been placed in the time capsule it cannot be removed until the time requested at the outset. This is just an example. Such a business would be illegal under this law, as it would need to send anonymous transactional email messages.

A more down to earth idea that has been explored in the past is the notion that individuals participating in an ebay style online auction might be able to rely on reputation systems rather then identification to establish trust, and engage in commerce, without compromising their personal privacy.

In short, the idea that there can be no legitimate anonymous business transaction is an over simplification. There is a question to ask here about whether we want to have a society in which people can engage in business without being traceable (which is currently possible, and always has been possible, with cash) or whether we wish to have the security associated with knowing that the police can always locate anyone we have ever done business with.

I don't wish to express any firm conclusion about this question. I
think there are interesting arguments on both sides. In any event, this has little at all to do with spam. I think it ought to be a separate policy discussion. Unfortunately, I think its too late now to do anything about it. Hopefully the courts will have the wisdom to see that such things were not envisioned by the people who crafted this act.

] Falsifying e-mail header information or using either a
] mail server or open relay to "deceive or mislead
] recipients" about the origin of a commercial e-mail
] message. Also outlawed is registering for "5 or more"
] e-mail accounts or "2 or more domain names" with false
] information and using them to send commercial e-mail
] messages. Penalties include up to three years in prison
] for a first offense.

Most of the provisions of the new anti-spam law are reasonable in that they target the sort of behavior that most of us have a problem with. It remains to be seen if the government will effectively enforce this legislation. I honestly doubt it as I remain fairly convinced that abuse of open relays is already illegal, but I've heard it argued that prosecutions under existing law have failed. We'll see...

Of note, however, is a certain section of the law which does not just target bulk commercial email, but targets ALL anonymous commercial email including transactional messages.

What that means is that it is basically illegal to run an ecash based service behind anonymous remailers because you are not allowed to send transactional messages to your customers through the remailer network.

In short, the U.S. Congress just banned nearly all effective forms of data haven under the auspices of protecting you from spam.

This, I must say, I oppose.

House passes antispam bill - Bans all anonymous business on the internet

] Call it spam rage -- a Silicon Valley computer programmer
] has been arrested for threatening to torture and kill
] employees of the company he blames for bombarding his
] computer with Web ads promising to enlarge his penis.

Wired News: Man Arrested Over 'Spam Rage'

] The recent explosion of e-mail spam is beginning to take its toll on
] the Internet world. A new nationwide survey shows that 25
] percent of America's e-mail users say they are using
] e-mail less because of spam. Within that group, most say
] that spam has reduced their overall use of e-mail in a big way.

[IP] Interesting statistics about spam

] Telco giant AT&T (Quote, Chart) on Wednesday rushed to
] withdraw two notices sent to business partners and
] customers asking for the IP addresses of all outbound
] SMTP (define) servers because of a "human error" gaffe.

And I was so excited about this. Apparently it was nothing...

Human Error Leads to AT&T's Anti-Spam Gaffe

] This (imaginary) company has a simple business model. It
] operates a really big password-protected SMTP relay. It
] sends email from anybody to anybody for 1¢ ($0.01) each.
] You open an account with them, drop in say $10 and
] you've bought the rights to send 1,000 emails. Or you
] could set up a monthly billing with your credit card, or
] whatever. You can't send more than 100 emails in a day
] without an (email) exchange to verify that everything's
] all right.
]
] Every email that it sends it signs digitally. Then, you
] set up your email client to send all email that hasn't
] been signed by SMTP4All or one of its competitors (there
] couldn't be more than a couple of hundred) to the junk
] folder. Then you tell your friends to go and sign up with
] one of these guys if they want you to get their mail.

Comments? I don't like his answer for mailing lists... Need to rethink that part a little bit...

Another Whack at Spam

] In an apparent attempt to quelch the amount of incoming
] spam, AT&T has asked their customers, partners, and
] business clients to provide them with IP addresses of
] their mail servers.

AT&T goes whitelist. I almost memed this last night when it got posted to Nanog... I'm still on the fence about its importance.

1. I think that whitelisting is the way to solve the spam problem. IF we can enable white lists then in the beginning there will be hassles associated with approving new people onto the whitelist. Technology can replace those hassles with a computational burden, and eventually you reach a place where the internet seems as open as it is today, but there simply is no spam. Replacing the hassle of manual whitelist maintenance with a computational burden will not happen when the default response to the hassle is to not use whitelisting. Improvements will only be widely deployed in response to an existing system. There may be a bit of an arms race over authenticating the whitelist, but the spammers will loose that fight.

2. Almost all the commentary about this on Nanog and Slashdot has been negative. If people are unable to see the long term benefit of this they won't cut over, and we will be stuck with incomplete anti-spam solutions for ever. It will be interesting to see if AT&T's admins will win out over the negative feedback. If they do, this announcement could be the beginning of the end of spam.

3. The problem with authenticating mailservers is some day you are going to end up with legitimate customers on the same mailserver as a spammer. You need to be able to authenticate individual senders AND mailservers depending on the situation.

4. This whitelist system can obviously be applied as a censorship technology, particularly if there is some sort of whitelist sharing system controlled by a central authority. Ultimately, the best way to defend against that is to run the whitelist on your PC and not on a centralized mailserver.

Slashdot | AT&T Moves Toward Mail-Server Whitelist

] Four Internet pioneers discuss the sorry state of online
] communication today. The consensus: It's a real mess.

Farber, Templeton, Crocker, and Nielson on Spam.

I wrote my boss today and told him that I think Challenge Response is the future. Vipul's Razor is pretty cool and it might work out, but baring that, its going to be CR.

CR is not annoying. You only need to authenticate with someone once, and only when you first email them, and only when you email them first.
CR can be expanded to operate as a hash cash system when the spammers adapt to it.
As people only need to authenticate if they aren't already whitelisted, there is no COST associated with CR for mailing list operators, dotcom companies, and other legitimate bulk emailers.
CR never prevents an important legitimate message from reaching its destination.
CR kills spam dead. Spam can ultimately be completely prevented in a CR system.

Its just a matter of time. I setup a CR system... Setup more and more ways to populate the whitelist information. Meet people in person? Get their email from their pda via IR and then whitelist them... Share whitelist information with a network of friends... Eventually when the spammers start getting into the whitelists, make the challenge require a math problem be solved. Initially this will look like a PGP block in your email that you will have to cut and paste into a webpage. You will only have to do this once to talk to someone, and only if you've never talked to them before, and only if you initiate the conversation. Eventually your email client will handle it in the background... THAT is the moment where everything will be fixed. The process of authenticating you will BLEND back into the background and the internet will SEEM exactly as it is now, except there will be no spam.

THAT is the future of email and that is how we are going to get there. Go write perl.

Salon.com Technology | E-mail is broken