Last week, the FTC rejected the idea of a national “do-not-e-mail” registry, and this week a coalition of ISPs released a set of technical guidelines to help in the fight against spam. Both these actions point the way toward the real solution. But first, a host of bad ideas needs to be canned.
The first bad idea is that laws alone can stop spam from oozing its way into users’ inboxes. For instance, Jordana Beebe from the San Diego-based Privacy Rights Clearinghouse recently said that “the real problem with spam is enforcement” and she lamented that few lawsuits have been filed against spammers.
But if Beebe and others in her camp had listened to what the FTC said, they would know that the enforcement problem doesn’t stem from a lack of will. It stems from the reality that it’s so easy for spammers to hide using fake addresses, open relays, and other tricks. The same goes for Jim Guest, president of Consumers Union.
He gave a nod to the issue of sender authentication but then said that “in order to fully combat the problem, the FTC also needs to devote sufficient resources to tracking down and prosecuting violators of the law.” This comment reveals an outdated mindset that the way to solve a problem is by throwing tons of money at it.
Too Easy for Spammers to Hide
The reason laws are ineffective against spam is the same reason why a “do-not-e-mail” registry would be ineffective — it’s too easy for spammers to hide. And when they are found, it’s difficult to impose American law if they don’t live in the United States.
When it came to the “do-not-e-mail” registry, one of the biggest proponents was unsurprisingly one of the companies that wanted to provide the FTC with registry services. This shameless lobbying of government for business highlights another idea that should be canned: relying solely on the advice of a company that wants to profit from law and regulation.
The FTC was correct in rejecting arguments from biased business people that so obviously clashed with the ideas of most experts in the field. The third bad idea to be avoided is government legislation of technology standards.
One of the reasons the FTC finds it difficult to track down clever spammers is that the Net’s design makes it easy for them to be anonymous. This led the FTC to conclude that one way to solve the problem of spam is to implement an e-mail authentication plan so that spammers can’t pretend to be someone they’re not.
Indeed, it’s an idea that a coalition of top ISPs endorsed this week under the banner of the Anti-Spam Technology Alliance (ASTA).
Microsoft, AOL, Yahoo and others are examining the possibility and have different ideas about the best method of authentication. But an authentication plan is not the only option and there’s a danger that when the FTC convenes its summit to discuss the issue in the fall that Congress will think it’s a good idea to legislate an authentication standard.
That would be a huge mistake, as there are so many options still waiting to be tested in the marketplace. Impatience and carelessness in working on this issue could deny consumers and business the best solution to the problem.
All too often, Silicon Valley finds itself in the position of explaining why legislating technical standards is a bad idea. Broadcast flags and Gmail are two other instances that come to mind here. Anyone involved in the technology sector knows that it’s extremely difficult to predict what technology is going to be the best. The ability to be flexible and responsive to the marketplace is what keeps the industry innovative and alive.
In their document released this week, the ASTA said that “solutions for handling spam are technically challenging and may take considerable time to implement. This is why we have chosen to pursue multiple approaches.” And even though they didn’t highlight it, one of the most promising approaches involves the basic concept of economics.
Forcing Senders To Pay
If a method can be implemented to force senders to attach a piece of currency to an e-mail, that would be a good way of preventing the current deluge of spam. There are at least two companies with serious methods of making this work: Vanquish and Goodmail Systems — and Goodmail is currently beta-testing its product with Yahoo.
There’s a wide range of potential solutions available to fight spam, and it would be incredibly shortsighted for government to preempt marketplace experiments and simply pick what it forecasts to be best.
Spam is without a doubt expensive and annoying, but it’s worth waiting for the nation’s technology innovators to discover the most effective solution using market forces. Ideas that rely on blindly throwing money at the problem, legislating tech standards or depending on a self-interested business lobby should be abandoned.
Sonia Arrison, a TechNewsWorld columnist, is director of Technology Studies at the California-based Pacific Research Institute.
"The first bad idea is that laws alone can stop spam from oozing its way into users’ inboxes."
It’s not the law that would be effective against spam, it’s the penalties provided in the law. (Not my main point.)
"One of the reasons the FTC finds it difficult to track down clever spammers is that the Net’s design makes it easy for them to be anonymous."
That’s untrue, although ASTA and others constantly make that claim. The net’s design makes it possible to trace the spam (sometimes with some work.) The truth is nobody much tries. Most spam today is sent by some form of abuse. That means packets of some type go into an ISP’s space to an IP address in that space and other packets come out (usually) from that same IP address to port 25 of the destination email servers,aimed at the intended spam recipients/victims. Tracking those incoming packets is trivial – if the ISPs would simply do it. Yes, often the packets will come from some other IP address being abused. Tracking can also be done from there. Sooner or later the packets trace back to the spammer. With the huge volume of spam there’s a corresponding huge volume of abuse packets. "Huge volume" means "easy to find." But somebody (the ISPs?) has to look. Ron Guilmette looked last year and got over 100 spammer accounts closed (he had no law-enforcement power) in under 3 months. We need more like him.
It should go without saying that the spam not sent by abuse is instantly trackable to its real source. That’s why the abuse is committed. That the abuse makes it harder to track the spammers doens’t mean it’s not possible – and it isn’t necessary to start with the spam and work back: simply watching for the abuse will work (does work) just fine.
If any reasonable number of ISPs were tracking any reasonable percentage (like 1%) of the abuse packets then the spammers would lose, disappear.
"That would be a huge mistake, as there are so many options still waiting to be tested in the marketplace."
Yes. See above. It is disgraceful that ISPs and experts such as those of ASTA (and ASRG) neglect simple, basic facts.
Speaking of ASTA, in February, 1999, RFC 2505 was issued. That’s the RFC that describes why and how email servers should be configured to not be open relays. That’s good, it’s wise for any email administrator to not run an open relay.
Why do I mention RFC 2505? Because it also says that securing systems against being open relays is NOT a way to combat spam. ASTA, 5 years later, is advising administrators to secure their systems (and specifically advocates securing against being open relays.) Again, it’s good to not run an open relay. That’s not the point. The point is that securing open relays is nearly useless to combat spam. By extension, all the securing methods are useless, as ASTA tacitly acknowledges, because ASTA admits it’s really working on another solution (a global revision of SMTP, the email protocol) and that they actually are putting their faith in that approach. Why they advise what they already know won’t work is anybody’s guess – but what they advocate isn’t useful at all in ending spam. Not at all.
As Arison says: "The FTC was correct in rejecting arguments from biased business people …" ASTA is made up of biased business people. They shouldn’t be automatically trusted, either.