Hi, This is for the one or two of you that might be interested:
SECURITY PIPELINE NEWSLETTER
Thursday, November 4, 2003

Elsewhere on the Internet, I gave a rather faint and unenthusiastic endorsement to the federal CAN-SPAM legislation, recently passed by both houses of U.S. Congress and expected to be signed into law by President Bush. I was never really wild about it. I thought it was a bad law, but better than nothing. I was so unenthusiastic about my support that I actually headlined the piece, "CAN-SPAM Won't." The article mainly wasn't about what's right with the law -- it was about some of the things that are wrong with it. Still, readers wrote back to let me know that I was talking through my shorts even giving CAN-SPAM the grudging endorsement that I gave it. CAN-SPAM isn't better than nothing -- it's at best nothing, and it might even do more harm than good. Let me explain.

The CAN-SPAM act has several requirements designed -- or so the bill says -- to limit spam. Senders are required to provide real, working unsubscribe instructions in the newsletter. Senders are prohibited from using misleading headers, including subject lines, to hide the source and contents of their messages. And the Federal Trade Commission is required to study the feasibility of setting up a "do not spam" list, similar to the existing do-not-call list for telemarketers.

In my earlier article, I said that the requirement to provide unsubscribe instructions was useless because recipients would be overwhelmed by the need to unsubscribe one at a time from a flood of incoming spam. However, I was hopeful that the prohibition against misleading headers might at least make it practical for e-mail administrators to set up real, working blacklists, instead of the flawed blacklists we have today. And I was also hopeful that a do-not-spam list might work. Well, the readers let me know that I was making my assumptions based on a flawed understanding of how e-mail works.
Reader Xavier Haurie explained:

    So how does this piece of legislation work when you TECHNICALLY can't verify the identity of the sender? What's really missing is an official body and funds to define and test a new standard for identifying email senders.... I don't doubt that you know that authentication is not a problem in the case of telemarketing because (1) telephone works by closing a circuit b/w 2 telephones with known numbers and (2) the telephone companies know who owns and operates those phones. Whereas an email is like a glorified IP data packet, or a letter in the mail. It'll get delivered so long as postage is paid and the destination address is correct.

In other words, forbidding senders from falsifying headers only works if you have some way of figuring out who sent the mail in the first place. Telemarketing can be regulated because authentication is built into the phone system -- you can't run a telemarketing operation without leaving some record of who you called and when you placed the call. Whereas it's trivially easy to send anonymous e-mail, and very difficult to prove who sent an e-mail.

Even if a company -- say, Spacely Sprockets -- sends a spam message with its name and phone number attached to it, when the cops come to call all they have to do is deny sending it. "My enemies sent it to cause me to run afoul of the CAN-SPAM act. It was those dastardly villains at my competitors, Cogswell Cogs," they'll say, and the cops won't be able to prove differently.

Likewise, a do-not-spam list would simply be a massive list of real, working e-mail addresses which the spammers would love to get their hands on.

Also, the law does nothing to address the problem of overseas spammers. It does not allow for private action -- that is, if you receive a spam, you can't sue the spammer; you have to send a letter to your state attorney general and wait for THEM to sue.

That's why CAN-SPAM is, at best, useless. At worst, CAN-SPAM is harmful.
It would supersede more effective state legislation, such as a proposed law in California. Moreover, it wouldn't BAN spam; it would, on the contrary, LEGALIZE it -- marketers would know that, if they follow the guidelines of CAN-SPAM, they can send spam messages with impunity.

As reader Haurie says, the real fix for spam is to replace or extend e-mail protocols so that senders can be authenticated. Sure, it's important to preserve anonymity on the Internet, to allow the Internet to be used for political dissent, psychological support groups, and for confidential medical research. But most of the time, we need to be able to identify who is trying to contact us. Those two goals are compatible -- and anonymity is, now, killing the Internet.

P.S. Analysts Gartner today warned corporations that CAN-SPAM won't help slow down spam, but it will result in greater scrutiny of e-mail messages.

URLs referenced in this item:

CAN-SPAM Won't
http://wagblog.internetweek.com/archives/000804.html

Gartner To Corporations: Don't Rely On CAN-SPAM
http://www.securitypipeline.com/news/showArticle.jhtml?articleId=16506458

Also: Do Not Bother With A Do Not Spam List
http://www.securitypipeline.com/story/showArticle.jhtml?articleID=15500142

-- 
Mitch Wagner, Co-Editor, Security Pipeline
http://www.securitypipeline.com/

-- 
Assured Computing
When you need to be sure.
www.assuredcomp.com
Voice - 541-868-0331
FAX - 541-463-1627
Eugene, Oregon

EuG-LUG mailing list
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
