January 1, 2003  ·  Lessig

A kind-hearted email and a nice analysis of spam have given me an idea:

First the analysis: Philip Jacob has a great piece about spam and RBLs. The essay not only identifies the many problems with RBLs, but it nicely maps a mix of strategies that could be considered in their place. But, alas, missing from the list is one I’ve pushed: A law requiring simple labeling, and a bounty for anyone who tracks down spammers violating the law.

Then I got an email from a kind soul warning me about my work�”do you know how powerful your enemies are?” this person asked. No, I thought, I don’t, but let’s see. If I’ve got such powerful enemies, then I’ve got a good way to do some good.

Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job. I get to decide whether (a) is true; Declan can decide whether (b) is true. If (a) and (b) are both true, then I’ll do (c) at the end of the following academic year.

So: Is there anyone else advancing a spam solution who would offer this kind of warranty?

  • http://whospams.net Rich Persaud

    Philip Howard marked up the Jacob article.

    BondedSender will collect a $100K bond from bulk mailers. Upon violation, the bond will be paid out on a sliding scale to “non-profit” anti-spam organizations. Related to your (b).

  • http://www.docuverse.com/blog/donpark Don Park

    In South Korea, there is a law similar to your own proposal that require spams to be labeled as such in the subject line. I have not heard whether this is working or not. All I know is that I am located in the US and am still receiving lots of Korean spam without any labeling. Apparently, the law has holes or are not being enforced. Perhaps an international law that forbids spams from crossing national borders is needed. Maybe once a year, Spammer Hunting Season is called for. At this point, I have blocked all Korean mail except for a few e-mail address known to me.

  • http://www.agblog.com Danny Silverman

    I’m sure that you are aware of the California anti-spam laws, and the lucrative small claims court careers they have spawned. Any word on the effectiveness of these besides simply pissing off a few more “legitimate” spammers? I don’t really see RBLs as flawed, but that argument has been made above. Until I write an entry on my proposal to solve all the world’s problems through PGP, I guess I’ll have to leave it at that. And are you sure you want to trust Declan? His record seems…spotty. ;)

  • http://www.unicom.com/ Chip

    Larry, I think one would find this a “great piece” only if they start with a predisposition towards blocking lists. It actually is a rather poor critique. I’m somewhat sorry it is getting so much attention.

    I’ve posted my response to the essay. And for the record, I have been critical of DNSBLs on occasion.

  • http://www.unicom.com/ Chip

    … blah … make that predisposition against.

    Lack of a PREVIEW button is cruel and unusual! :)

  • http://joi.ito.com/ Joi Ito

    I agree with Don that the international aspect is important. Although Larry will still win his bet since even just in the US, it will significantly REDUCE spam.

  • Lessig

    true enough, I’ve had these views about RBLs for a long time, so that might well color my views of others. But is there a better piece out there about RBLs?

  • Lessig

    Vixie is a hero no doubt. But my argument is not with RBLs in the abstract. If vigilantees are all we can have, then god bless the vigilantee. My point is that if a better system (cheaper, placing the burden on the right party, minimizing its effect on speech) is available, we should opt for that over the RBLs. In my view, label+bounties is a better system.

    A very useful exchange with Aaron made another point clear to me. There are of course other proposals out there beyond RBLs. One effectively charges the emailer for email sent. (There are many versions; the basic point is that the sender must buy my reading time). I’ve got problems with that proposal, but it is not inconsistent with the label+bounty proposal. Indeed, the label+bounty proposal would increase the incentives for it to be developed: Under label+bounty, A sender of UCE would be required to label it with an ADV:. Most would configure their systems to trash mail with ADV: on it. But then senders of ADV mail would have a strong incentive to buy a way into my inbox. Adopting a token architecture (sending credits with the email) would be one way to do that. If UCE came with money attached, then some would be more willing to let it through.

    Finally, please don’t take my writing about this proposal to be the assertion that this idea is original to me. Originality is for artists. I’m a lawyer. Finding ways to make other peoples’ ideas work is my business.

  • http://www.marinos.com.gr Marinos Papadopoulos

    Regarding the legality of and legitimate use of blacklists within the framework of European Commission’s Directives on the protection of individuals with regard to the processing of personal data, you may read Working Document on Blacklists [MARKT/11118/02/EN/final/WP65] (available through http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/)

  • http://www.agblog.com Danny Silverman

    Information on current spam laws (in 26 US states!) along with federal/international laws or in-progress: http://www.spamlaws.com

  • Lessig

    Re enforcement: Yes, that’s the whole point of the bounty system. The reason WA state is not terribly effective is the mechanism for enforcement. The idea (which is essentially the same as the hunter’s license on Slashdot) would increase the number of enforcers significantly. Again, you need only increase the enforcement enough to make it so Spam Doesn’t Pay. Obviuosly right now, it does.

    Apparently Kansas (thanks Seth) has a law close to this. But its weakness (in addition to it being limited to email sent from KS to people you know are in KS) is that it relies on the ordinary court system to enforce. Here’s the point: Our court system is broken. That doesn’t mean we should give up the law. But we should find a better way to enforce it. If you increase the probability that a spammer has to pay, you increase the probability that it won’t make sense to spam without a label.

  • http://www.whirlycott.com/phil/ whirlycott

    I can support this idea. I’m not yet sure if it will work, but I don’t see it having any downsides. Some comments:

    * If American spammers are suddenly required to tag all their emails, traditional economics would tell us that this just creates an incentive for them to move outside the US and spam into the US from there. Or, it encourages American spammers send all their UCE to other countries instead of to Americans.

    * This is an implementation detail, but I would also require an “X-uce-message: True” header for multilingual reasons.

    * I would suggest some ideas for what will constitute “proof” for bounty hunters a bit more to avoid witch hunting.

    * What about attacking the supply side of the spam industry by making some kind of disincentive for businesses who sell via spam? Spammers don’t spam just for the sake of spamming. They do it for businesses that want to sell things. If you put pressure on those businesses to clean up their act, it may help. Or they may just move offshore, too ;)

    phil.

  • http://www.ogre.ca/radio/ Ken Keller

    Way to go Phil!

    By attacking the companies sponsoring spammers you get away from any of the whack-a-mole issues that arise when playing with the actual spammers.

    Somebody has to perform the myriad operations offered. Somebody has to ship the various drugs being offered. They are far more vulnerable to regulation than people who by ‘profession’ evade tracking.

    Many of the national or ultranational problems go away since the third party (i.e. the spammers) becomes trivial. It doesn’t matter whether a spammer can find an open relay or not. It doesn’t matter whether he can hide himself or not. It doesn’t matter what country he works from.

    For the most part, all of the mechanisms that already govern and regulate most trade are already in place. They just need to be tweaked.

  • Paul Gowder

    I think the real question is — suppose you do quit your job — what will you do then? Something even more dramatic, one hopes!

    -Paul

  • http://www.tallent.us/ Richard Tallent

    I agree with others that this idea will not work because it has no effect on non-US spammers (Nigeria anyone?). My proposal:

    • Would-be contacts send a message to your email address.
    • Your email reader *transparently* reads the message and either grants immediate access (via trust servers that can employ heuristics or people-trust networks) or adds the sender to a queue (a la ICQ) for you to allow or ban.
    • Upon grant of trust, the email program *transparently* sends the sender a token (GUID or encrypted data packet) that must be included in all future email headers to get through (and must come from the same sender address).
    • Allow the user to quickly ban the sender in the future if they abuse their privileges (e.g., web stores who send spam after the user makes a single order).

    If the plug-in architecture of common email readers (Outlook, OE, AOL Mail, Notes) were exploited to implement such a system by various open-source or commercial efforts, we’d quickly see the spam trade grind to a halt. Make it easy enough for grandma to install and use and you’ve got an instant hit. Add encryption (using PGP-type keys instead of simple tokens) and corporate users everywhere would join the bandwagon quickly.

    I’m not the first to come up with this idea, but I haven’t seen anyone take it to the point of being a real product.

  • toby Cornish

    I have never understood why the issue of designing laws to regulate spam is such a difficult one.

    All email has headers; simply require all spam to carry a header identifying it as unsolicited. Failure to carry the header or failure to use the “unsolicited mail” value in the header field would be a violation of the law requiring it. Then just filter mail on the header. This wouldn’t stop “rogue” spam, but suddenly the “Spam Kings” of the US (and the traditional businesses that are increasingly exploiting unsolicited email) are in violation unless they cooperate by using this relatively foolproof, unobtrusive mechanism for marking the mail they send as unsolicited. If an individual really wants the spam, they can simply check a box labelled “Accept Spam” in his/her email client.

    The introduction of standardized header fields to identify the nature of the message or perhaps even requiring a federal license number to even perform bulk mailing in the US could finally draw a line to separate the grey regions of spam into definitive black and white. While this won’t deter all the spammers, at least it provides a transparent, easily implemented mechanism for dispersing the legal smokescreen that currently surrounded unsolicited e-mail.

  • Anonymous

    “Vixie is a hero no doubt.”

    er.

    you’re talking about paul vixie, right?
    he’s a demi-something, alright. more like a demi-fascist.

    do you read mailing lists where he posts? or see the things he’s done by his own sense of entitlement?

    yerk.

  • http://www.barbieslapp.com Bill Silverstein

    Even if you have the requirement for an ADV: or similar indicator in the header, it does not cure the problem. You still take server space and bandwidth.

    In any law, we must include the company that hired the spammer to be joinly liable.

  • http://www.jogger-egg.com/ kbob

    So: Is there anyone else advancing a spam solution who would offer this kind of warranty?

    Lots of people. They’ve quit their jobs, formed startups,
    and are building some kind of anti-spam systems
    that they think will pay them back.

  • Tom Cross

    Most spam is sent through the abuse of open relays, formmail scripts, and the outright compromise of systems. Why would these people bother to comply with a little labelling law when they are already committing computer fraud and abuse?

    Start by enforcing the laws we already have. Put people in prison for relay abuse. Charge companies whose products are advertised using illegal means. Coordinate internationally. The cost associated with sending emails in bulk is very low. The reason spammers commit computer fraud is to avoid RBLs. Changing your IP everyday gets expensive. If there was a real risk associated with compromising the security of systems on the net, then the spam problem would subside without the need for additional legislation. The reason is that the spammers would be forced out into the daylight on IPs they actually own. The RBLs could actually work with less risk of blocks on innocent systems.

    This brings up an important (and interesting) point. Interstate and international law enforcement are designed to deal with important cases. The internet allows people to commit “petty” crimes across jurisdictions. Each incident is minor, but they become a serious problem when there are thousands of them a day. Of course, the internet also greatly reduces the cost of international coordination between local law enforcement organizations. Ultimately, I think there will be a need for people who deal with petty misdemeanors on an international level. The tools are there. The only barrier that remains is cultural.

  • http://mynamessquishedtogether.com Zach Fine

    Hi Larry, I applaud your proposed anti-spam legislation, and would love to see it in action. But I wonder what would make this legislation more effective than the apparently useless federal anti-junk-fax laws.

    Since hooking up my fax machine a little over a month ago, I’ve received at least one and sometimes two faxes per day from a notorious company called fax.com. According to info at junkfax.org, fax.com sends 2-3 million junk faxes per day, have been fined by the FCC, successfully sued by the State of Washington, and have had several judgments decided against them, but they’re still in business and are turning a huge profit. According to junkfax.org,”Fax.com doesn’t comply with judgments, doesn’t show up and court, claims not to have kept records of what went out, does not comply with discovery requests until sanctioned by a judge, and has been ordered numerous time to preserve evidence”.

    If established federal law can’t stop a company that, since its founding in 1998 has been flagrantly flouting their violations of the law (they were fined for junk faxing the fcc offices in 2001), then I don’t know why a federal law would be effective in shutting down spammers regardless how diligent the internet bounty hunters are at tracking them down.

    Thanks for your time, and good luck.

  • Brian

    AS I understand it, the proposal is that unsolicited email would have to carry an ADV in the subject.
    What is “unsolicited”?

    Most of the spam that I get claims that I opted-in.
    As a ‘legitimate’ (????) example. I had some spam from ATT. After much to and fro with their Privacy department, they claimed that “Our investigation indicates you consented to receive marketing emails at http://www.Doyouwant2win.com
    It may be that Doyouwant2win or the 100′s/1000′ of similar outfits that contribute to my daily 100+ spams would produce a log that proported to show the address being submitted to their websites. – But, by who/what?
    An opt-in confirmation request would head off a huge volume of spam, but these outfits , the DMA, etc. are dead set against confirmed (i.e. provable) opt-in.

    SO:
    What is your legal definition of “unsolicited” in relation to the proposed law?

  • ernunnos

    Congratulations! You’ve just reinvented the Telephone Consumer Protection Act, which has been completely ineffective at stopping junk faxes. Next time, try reinventing an idea that worked.

  • http://www.gcitro.net/ Gil Citro

    Here’s an analogy illustrating why I think spam bounties would not be an efficient way of controlling spam. Let’s say that instead of spam, we’re trying to control gun violence. One proposed solution is to invent a device that deflects all bullets, without blocking useful objects of similar size and shape, and is so small that it can be carried on a keychain. Another proposed solution is to require anyone who fires a gun to give warning, so that the victim can duck, and to offer a bounty to anyone who finds someone who shoots a gun without warning.

    I see two problems with the bounty solution. First, it’s a waste of resources. Nobody who shoots a gun is going to give warning, they are going to try to hide. The better they are at hiding, the more resourceful the bounty hunters will have to be. Those resourceful people could have been doing something more useful if the problem could have been solved another way. Second, the bounty hunters are going to try to make their jobs easier by laying traps for the gun shooters. They will set up cameras and microphones to make it more difficult to shoot guns anonymously. As a result, everyone will give up some privacy. Also, it’s not a perfect system, some gun shooters will succeed in hiding.

    The problem with the bullet deflector solution is nobody knows how to do it, just as nobody so far knows a perfect way to deflect spam, however in the case of spam I think it’s possible to come very close. The problem with RBLs is that they’re taken as perfect indicators when they’re not, but they are pretty good indicators. The contents of the message is also a good indicator. Given a spam message, most people can tell you with near 100% accuracy that it’s spam. It’s difficult to get a computer to be as accurate, but it’s not impossible to get it to be reasonably accurate. Another good indicator would be whether the message is signed. Since most messages that most people send are not anonymous, there’s no reason for them not to be signed in a way that incontrovertibly establishes the identity of the sender. You can send unsigned email if you want to, but if everyone else is signing their messages, unsigned messages will start to stand out as suspicious.

    Given these three indicators, origin, contents, and signature, a nearly perfect spam filter would work as follows. If the message is signed, it’s not spam. If the message is unsigned, and it either comes from a blacklisted relay or sounds like spam, it’s probably spam, and the user can specify what should be done with it based on how much spam they want to avoid and how much real mail they are willing to lose. Senders would be able to ensure their message would get through by signing them, and recipients would be able to ensure receiving all messages sent to them by quickly scanning segregated suspected spam for false positives. The system would only have to be effective enough to make spam unprofitable. If 99% of spam can be blocked, the successful spammer who was making $1,000,000/year will only be making $10,000/year and will give up.

    I do hope Professor Lessig won’t lose his job over this though, unless it’s to fill a vacancy on the Supreme Court, so that we won’t have to sit around for six months wondering if anyone on the court gets it.

  • http://www.adisi.ch Claude Almansi

    As to the definition of “unsollicited” – there’s the basic one at Hotmail: e-mail by anyone not in your address book, and these e-mails go straight into the junkmail.

    It’s crude but it works. Of course, there’s the chance that some people you don’t know yet ae sending you interesting things: but you can rescue these e-mails before deleting junk mail content, then add the sender to the addess book.

    Re labelling? Does spam really need labelling? Someone mentioned Nigeria before: aren’t tehy easily recognizable for what they are?

    all the best

  • http://k.lenz.name/LB Karl-Friedrich Lenz

    We already have the labeling requirement in Europe since the Information Society Directive of July 2000:

    Article 7
    Unsolicited commercial communication
    1. In addition to other requirements established by Community law, Member States which permit unsolicited commercial communication by electronic mail shall ensure that such commercial communication by a service provider established in their territory shall be identifiable clearly and unambiguously as such as soon as it is received by the recipient.

  • Sean

    Sorry if this has been posted already but I don’t have the time to read all the comments right now.

    Passing a law requiring advertisements to be labeled won’t cut down on spam any way that I see. Just because it is labeled doesn’t mean that I asked for it to be sent to me. If I’m missing something here, feel free to make me feel stupid.

  • Brian

    Perhaps some of you have not been exposed to the reality of ‘solicited’ unsolicited email.
    I get daily volumes of spam from outfits that claim that the spammed addresses opted in to mailings. These are from undisguised bulk emailing operations on major US ISPs.
    The chain of ‘affiliates’, ‘marketing partners’, etc generally end up at an operation that claims the address was submitted to their website on a given date.

    Faced with legal threats, these people will claim that they ‘subscribed’ the address in good faith, and that each email gave an opt-out option. They would claim that their marking-partner / affiliate warranted that the email was a genuine opt-in.
    The website claiming the original address submission could probably manufacture some log proporting to show an event of the address being submitted (by someone unknown).

    The point of the rather long-winded bit above is that these people’s land-sharks would claim that any laws affecting ‘unsolicited’ email did not apply to them, since all their emails were ‘solicited’.

    The proposed labelling law under discussion here would have no effect on these high-volume operations.

    It might have an effect if the law also insisted that an ‘opt-in’ really meant an ‘opt-in’ which had to be confirmed via an exchange of emails with the address concerned (or at least via an email in response to a confirmation query.) A bulk emailer that could not produce a record of the affirmative confirmation response from an address would have to be open to penalty for each such address on their lists.

    The chances of such a ‘confirmed opt-in’ condition ever becoming enshrined in law are slim to non-existent.

    SO:
    Never mind the Hotmail defininition of ‘unsolicited’. Never mind that a European Directive mentions clear identification - by the sender - of ‘unsolicited’ email.

    What exactly is the legal requirement for proof that an email is not unsolicited?
    What is Professor Lessig’s legal definition of ‘unsolicited’?

    The whole concept of a labelling law is asinine anyway.
    By definition it allows anybody to spew as much as they like, chewing other people’s resources, as long as they label their spewage.

  • http://www.marinos.com.gr Marinos Papadopoulos

    In the undesirable case that you quit your job, please, consider of the desirable case to find a job in Greece.

    On the eve of the 2004 Olympic Games, and regarding the provisions of Law in Greece on the protection of individuals from unsolicited commercial communication, two laws may be used to protect against spamming: the provisions of Law 2472/1997 (G.G. #(1) 84/2000 & 109A/2001) on the protection of individuals with regard to the collection and processing of personal data and on the free movement of such data [hereinafter, L.2472/97] and the provisions of Law 2251/1994 (G.G. # A 191/16.Nov.1994) on the protection of consumers [hereinafter, L.2251/94].

    More specifically,

    In Greece, the protection of individuals from unsolicited commercial communication may come through the provisions of L.2472/97 on the protection of individuals with regard to the collection and processing of personal data and on the free movement of such data (2). Upon L.2472/97, which is the transposition in Greece of EC Directive 95/46/EC (24.Oct.95), it is worth noting the following:
    1. According to article 2(a) of L.2472/97, an individual�s email address is considered personal data.
    2. According to article 2(i) of L.2472/97, data controller may be individual or legal entity, public or private entity, to whom personal data are given.
    3. According to article 4�1(a) of L.2472/97, the collection of personal data for the purpose of direct marketing / advertising is legitimate provided that:
    –a.The data subject has given his free and unambiguous consent according to the provisions of article 2(ia) and article 5�1 of L.2472/97.–or–
    –b.The data subject has not given his consent according to the provisions of article 2(ia) and article 5�1 of L.2472/97, but, according to article 5�2 of L.2472/97, the collection and processing of personal data:
    —-i.Is absolutely necessary for the legitimate interest of the data controller–and–
    —-ii.The legitimate interest of the data controller is more important than the interest of the data subject–and–
    —-iii.The interest of the data subject is not violated to the point that the said data collection and processing are illegal–and–
    —-iv.The data collection and processing are not actions contrary to the founding principles of freedom of individuals.
    4. For article 5�2 of L.2472/97 to take effect�i.e. for the collection and processing of personal data without the unambiguous consent of the data subject�it is required that:
    –a.Data are collected from public lists (e.g. public telephone lists) and data are included in the public lists with the consent of the data subject.–or–
    –b.Data are collected from resources available to the public provided that data controller collected said data from said resources legitimately.–or–
    –c.Data subject made his/her personal data publicly available for purposes similar to those of the data controller.–and–
    –d.Data controller consulted the Hellenic Data Protection Authority register of article 19�4(d) of L.2472/97 wherein individuals submit their registration if they do not wish their personal data to be used for direct marketing / advertising purposes, and did not make any use of personal data of individuals registered in said register.–and–
    –e.Data controller is limited to data processing regarding only the necessary personal data for certain purposes of direct marketing / advertising.–and–
    –f.Data collection and processing is limited to the purposes of direct marketing / advertising and is not contrary to good morals.
    5. According to article 13�3 of L.2472/97, the data subject may claim his/her objection to data collection and processing regarding himself/herself. The data subject�s said objection should be in print and according to the process described in article 13�3 of L.2472/97.

    In addition, the protection of individuals from unsolicited commercial communication may come in Greece through the provisions of L.2551/94 on the protection of consumers (3). Upon L.2551/94, it is worth noting the following:
    1. According to article 9�10 of L.2251/94, any direct to the consumer commercial communication through telephone, facsimile, electronic mail, automatic or electronic means of communication, is legitimate only when the consumer offers his/her consent for said commercial communication.
    2. According to article 14�6 of L.2251/94, any use of communication means must not be an action against the privacy of an individual consumer. Subject to consumer�s consent, the use of communication means such as telephone, facsimile, electronic mail address or any other electronic communication means may be used for the purpose of commercial communication.

    Aside from the provisions of L.2472/97 and L.2551/94, hardly any other law could be used regarding the protection of individuals from unsolicited commercial communication. Directive 2000/31/EC (8.Jun.00) has yet to be transposed in national law in Greece. Thus, there is no national opt-out list, too�as is the case currently in most Member States of the European Union.

    _______________
    Notes:
    (1) G.G. # stands for Government Gazette Number. Government Gazette is issued by the National Printing Office of the Hellenic Republic.
    (2) See Hellenic Data Protection Authority, Conditions for the lawful processing of personal data regarding the purposes of direct marketing / advertising and the ascertainment of credibility. Decision # 050/20.Jan.2000.
    (3) See Hellenic Data Protection Authority, ibid. Decision # 050/20.Jan.2000.

  • http://www.tedweinstein.com Ted Weinstein

    A law “requiring simple labeling” of an email communication is a blatant violation of the First Amendment. How about if we leave the realm of wishful thinking and use all this assembled brainpower to think of some real solutions…?

  • Daniel Mah

    Prof. Lessig is on to something – spammers do what they do because they get paid. So if we want to reduce the volume of spam on the ‘net, we have to “follow the money” to discover who ultimately funds spam.

    As a number of posted comments have suggested, the legal controls on SPAM (let’s say a “simple labelling requirement,” but it could be something else) must be enforceable against the companies whose products and services are marketed via electronic mail. This should make anti-spam laws easier to enforce. If we make the sellers pay a substantial penalty for non-compliance and force them to disgorge gross revenues from e-mail related sales, there will be incentives to ensure that their e-mail marketing campaigns are conducted properly.

    Think of it as demand management for SPAM….

  • Anonymous

    Why is everyone looking for complicated solutions to spam (including non-solutions that would grant spammers immunity if they label their garbage “ADV” or “ADULTADV”) when there is a simple solution available?

    There is already a law against bulk unsolicited commercial faxes. Why can’t the idiots in Congress and/or the state legislatures simply extend that well-established law to include bulk unsolicited commercial emails?

  • Anonymous

    Why is everyone looking for complicated solutions to spam (including non-solutions that would grant spammers immunity if they label their garbage “ADV” or “ADULTADV”) when there is a simple solution available?

    There is already a law against bulk unsolicited commercial faxes. Why can’t the idiots in Congress and/or the state legislatures simply extend that well-established law to include bulk unsolicited commercial emails?

  • http://n/a Travis Pugh

    I hate to try to totally redefine the problem, but spammers exploit the current relay filtering (by netblock) system to send their messages out. Accepting relay from local subnets seems to be current practice at virtually all ISPs.

    If we were to short-circuit that, perhaps by using SMTP auth and an X.509 certificate for the client instead of accepting relay from a block of IP addresses, the single most exploited method of sending spam would be shut down.

    Granted, getting enough service providers on board to implement such a system is next to impossible, but this seems to be another situation where there’s a perfectly good technical solution to the problem that will die on the vine due to ISP resistance.

    cheers.

    -travis

  • http://www.info-world.com/spam.diagnosis David Pinnegar

    Hi!

    Many people have criticised those who criticise DNSBL systems. From my own experience http://www.info-world.com/spam.diagnosis it is apparent that DNSBL is leading to the breakdown of communications. It is also totally unnecessary – yes unnecessary. I run a modified version of SpamAssassin on my client’s server which rejects 99.99% of all spam and false positives are less than 0.1%. Please email me and I will give you the details of the dumping box where users of the system can check up occasionally just to make sure.

    Whilst labelling of emails from DNS blacklisted addresses has a potentially useful function, DNS blocking should be made illegal. Those responsible for the blacklists make mistakes and often the effects cause inconvenience to many thousands of people.

    Suddenly without warning, I was unable to receive communications from Spain and my clients there had to resort to opening up hotmail accounts and sending by snailmail. DNS blocking is wholly unnecessary, causes enormous disruption, inconvenience and loss of time and is only used by lazy and stupid ISPs who cannot be bothered to apply the existing free software technology with a little intelligence.

    Yours sincerely

    David Pinnegar BSc ARCS

  • http://www.flint.com Paul Flint

    Dear Mr. Lessig,

    Excellent Blog.

    I have chosen to use the EMACS editor for the first time to create this post. Please forgive any typos or misspellings that arize from this choice.

    Forgive my simple minded approach to this problem, but could you not arrange to meter outbound SMTP Traffic and begin message taxing after a specific message threashold had been reached?

    Simple threashold models might include:

    Domain Based Example:

    Outbound Message Threashold Per IP.
    .gov = unlimited
    .mil = unlimited
    .net = 1000 messages/day
    .com = 500 messages/day
    .org = 500 messages/day
    .biz = 500 messages/da
    Non registered IPs = 100 messages/day

    Obviously, graduated or other non-class putative models would need to be considered.

    I do not believe that there would be a technology barrier. The business case would make ISPs responsible for payment of the duty to the government. A quick look at the U.S. Constitution seems to indicate Congress could empower say, the Post Office to collect and enforce this duty, possibly with and incentive commission to the ISP.

    In my own perverse way, I sort of like spam, thus controlling it through economic (Kensyan) methods seems to me to be the best way out. If you want to get to my eyeballs, you got to pay somebody. This could keep the Post Office from raising my letter rate (na).

    Kindest Regards,

    Paul Flint

  • James Day

    It appears that some can’t see the way to make this effective. Here’s one way:

    o Have a DNS spam list which equests forwarding of all email which is from the blacklisted source IP address.

    o Scan all email forwarded and consolidate all of it which matches the spam which prompted the listing.

    o Law time. Get the money. Make sure that the law punishes those advertising and allows seizing funds held by money transfer systems.

    o Distribute 50% of the proceeds to every person who reported the spam in response to the DNS listing.

    o Consolidate payments as required so people see real money for passing on real spam.

    The key technical componnents for this already exist. Time for the law to enable it.

    Junk faxing is less amenable to this technical/legal solution because it’s not trivially easy to consolidate junk fax reports. It is trivial to consolidate spam reports.

  • Fritz

    Companies SPAM because it is free. In Economics it is called the Problem of the Commons. In Boston it let to severe overgrazing by sheep on the Commons. It is the same on the Internet.

    For me it is frustrating because my political satire emails are lost in a sea of SPAM. Now that we have a law against SPAM people sometimes take the position that it is illegal for me to send them satire without permission.

    Yet Senator McCain recently observed that email and talk radio are good for democracy. This is an idea that I agree with, even though talk radio is repugnant to my ear.

    Make corporations pay a mill for each email, and see how quick they stop.

  • http://www.jdlh.palo-alto.ca.us Jim DeLaHunt

    In the main blog, Lessig writes “…missing from the list is the one I’ve pushed…”, and with that links to an article of his at CIO Insight.com. That link didn’t work for me. Here’s the link at which I found his column, Code Breaking: A Bounty on Spammers:
    http://www.cioinsight.com/article2/0,1397,1458130,00.asp.