OT - Submission on antispam legislation - comments please

aronking
16-06-2004, 01:07 PM
Submissions are being requested on the Anti-spam legislation proposed by this Parliament.

I intend to make a submission and would welcome input from PF1 members. There are two aspects to be covered - a proposal and examples as to how it is to work.

There are a few areas that I would like to address:

1. Filtering. How feasible would it be for ISP's to reject any emails coming from another ISP?

An example is that a spammer uses an ISP to send its messages. While a spammer is able to "spoof" an email address, can the spammer also "spoof" the metadata that accompanies the email?

If the metadata is secure in its identification protocol (ie the true ISP is still identified), then the receiving ISP can block all traffic that emanates from that spamming ISP, and it will only be a matter of time before ISPs take responsibility for (or sue) those spammers that use their servers. If an ISP is not aggressive enough to do this, customers will change to one that is. Even if a handful of receiving ISPs do this, the "offending" ISP would have to resort to action or its own customers would object to legitimate emails not getting through.

At present, there isn't enough of an incentive for ISPs to crack down on spammers - maybe this will change their "incentive" levels.

The incorporation of the ability for ISPs to block such traffic would need to include an immunity for the NZ ISPs from the effects of such filtering or blocking of traffic.

2. Jurisdiction. Presently, anti-spam legislation would only cover the spammers operating from within one's borders, and in some cases where mail is received into one's borders. While the legislation can deal with the spammers within one's borders (including a spammer who lives in Mt Eden), prosecution of spammers that are based overseas becomes an inter-jurisdictional problem.

I propose that the legislation has a provision that would allow reciprocal jurisdiction with countries that pass similar anti-spam legislation overseas (subject to agreement between the corresponding governments).

An example. Say both the Australian and NZ governments grant reciprocity to the anti-spam legislation. Then the NZ spammer can be prosecuted in NZ for spam sent to an Australian address, using the Australian legislation or the NZ legislation.

This would have the effect of the prosecutions being on the higher (or tougher) legislation. That way, if our NZ Parliament passes tougher legislation, it would not be watered down by the other countries' loopholes.

This would not be too onerous as the objective to spammers would be - abide by NZ laws if you wish to send spam locally and the other country's laws if you wish to spam there. There would be no excuse for any spammers to plead ignorance (read excuse) that they were unaware of the foreign legislation.

Obviously, there would be jurisdictional issues but if our legislation can make such a start, other countries may be apt to follow our lead. NZ would thus be claiming the high ground in attacking this problem.

The net effect (I would hope) would be that, over time, there would be a white list of countries, from which persons can have a greater reliance that spam would not originate (and users can lower the spam detection software from these sources) and a grey or black list, from which persons can apply anti-spam software aggressively or even ban completely.

What is the effect on legitimate email senders from the black lists? They can always obtain email addresses from white list countries and continue as normal. They would obviously be subject to being sued if they spam (I am sure the ISPs would find a way to do this before they allow any such customers to sign up).

Note that the ISPs would not be liable for any prosecution; the only effect is a commercial one, their traffic would be banned. If they do not comply, they would lose their customers very quickly. This is far more efficient than a lengthy prosecution process.


Any comments on the above would be appreciated.

I am sure that there would be a number of other areas that can be addressed and I welcome suggestions.

Please note: at this stage, please address the issues and not attack the technicalities (at least not at this stage). I am seeking areas to explore further for the submission.

Cheers

PS Apologies for the lengthy post.

robo
16-06-2004, 06:21 PM
You know, people never make submissions and sometimes they should.
However, it costs to go to Wellington and hang around to say things to a committee in person. I think submissions in writing are acceptable, however.
I think it is a worthy endeavour. When are submissions due and how can people find out about how to submit?
robo.

kiki
16-06-2004, 06:40 PM
What I'd like to know is how to block the stupid trademe automailer spam that informs me my account is in debt and that I need to pay money. Spams me at least twice a week :|

Murray P
16-06-2004, 08:31 PM
Kiki, this is an oldie but a goody and should work just about every time. Pay the account or cash it up ;)

Aaron, I imagine that if you blocked an entire ISP's email traffic the attempted cure would be worse than the problem. Can you see businesses standing for their email being halted because some low life has spammed someone else? It simply has the potential to do enormous damage before any action to rectify the problem could be forced out of the victims. Yes, ISPs can be victims in this too.

I think the jurisdiction/sovereignty issues need to be addressed but that is going to take an age. All it will take is a few non-supporting countries and some servers to bring it down. IMO the best we can do is get legislation in place to stop the perps here and support international initiatives. Some R&D funds, perhaps via a levy, would not go amiss either. We also have to be wary that any legislation enacted does not impinge on the overall freedom and function of the internet or cannot be twisted to that use.

Making a submission is a very good idea, however you think it should be dealt with.

Cheers Murray P

mikebartnz
16-06-2004, 09:26 PM
From what I understand it hasn't made much difference in the USA. The whole protocol needs changing so no spoofing can happen in the first place.

agent
16-06-2004, 10:12 PM
> if you blocked entire ISP's email traffic the attempted cure would be worse than the problem

Upon my first reading of the applicable section in aronking's post, I had thought that it meant block all mail coming into their SMTP servers, which is an obvious move which most ISPs have already made, but is still spoofable.

However, blocking traffic from whole ISPs would be like shutting down the North Western motorway because a few people go over the speed limit. And I honestly don't think that there is a significant number of people who send spam in New Zealand.

Also, I don't really want to be paying a levy just because some evil sods in our country are sending spam.

Something to take into consideration in your submission is to suggest that people who send spam can be prosecuted even if no one who receives their spam is involved - so an informant could dob in a spammer, or they could be caught by analysis of outgoing traffic from their account. Which leads on to: ISPs should be required to monitor outgoing email traffic - would this mean they could catch people who are sending spam by the volume being sent?

You've got to take into consideration people whose computers have been turned into zombies, and that they shouldn't be prosecuted. And perhaps running an open-relay mail server should be illegal (for obvious reasons). Oh, and maybe using overseas SMTP servers to send mail should be blocked at the ISP level (and be mandatory to impose), thus meaning that it is easier to find people sending spam from our country. This last item could have implications on multi-national corporations, who could potentially be exempt from this.

aronking
18-06-2004, 11:47 AM
Thanks very much for the comments. It has been helpful.

On the "spoofing" issue, is the metadata on the address from where the emails are being sent "spoofable"? Basically, I would like to find out if there is a foolproof way of identifying the source of the traffic.

On the blocking of ISPs, if my receiving ISP banned traffic from a source that very rarely has spam sent from it (ie that sending ISP being duped by a rogue customer), I would not envisage my ISP banning that sending ISP. In reality, I would expect that with commercial pressures of ensuring emails do get through, it would be only the ISPs that are "willfully" careless that would eventually be banned. At the moment, as I understand it, a receiving ISP has very limited options to ban incoming emails. While this option is not envisaged to be a compulsory act, it is to allow the ISPs to use it if they so desire.

I take the point that if it is done in all cases (including minor instances) it can cause havoc!

Of course, none of the above would work if the metadata can be spoofed - so any comments on that would be helpful.

Jurisdiction is an issue and I will leave it to the experts in Government to sort it out. I, for one, support granting interjurisdictional prosecution in this case (and maybe others, like terrorism, but this is not the forum to discuss this latter item).

Thanks also to the very informed and calm manner in which the discussion has proceeded. On contentious issues, other threads degrade to a low level very quickly with hardened views by some. The objective is to try to make it easier to rid ourselves of what some consider a scourge on e-communication.

Robo, written submissions are possible at this stage and a trip to Wellington may not be required. However, when it does reach the select committee stage, maybe a PF1 reader in Wellington could support our democratic process by going there. I will post the date, site, address etc for submissions to be sent to.

Agent, thanks for your comments on a dobber - that would be a classic example to include in the submission.

Mike, I agree that the US legislation is severely deficient in many respects. Some have commented that the US legislation now gives protection to spammers as it is an "opt-out" scheme rather than an "opt-in" scheme as is the case in Australia. The US regulatory body has already commented that an "opt-out" list is not practical so we need to ensure that our legislation does not go this way.

In the submission that I propose, it would be an "opt-in" process with no sharing of email addresses - ie no implied opt-in if you enter a contest.

An example, if one enters a contest or requests information, before any unsolicited mail can be sent, the person (read subscriber) would have to categorically agree to receive emails (either by going to another page or clicking an AGREE button). That consent would be only for THAT service and the address cannot be shared "by reputable partners who have products that may interest you" (read we can sell your address to anyone else). Further, any unsubscription to any service specifically is not to allow the party to "sell" or transfer the email address to any other party.

The above is another area to be covered in the submission - thanks for the prompt Mike.

Agent, thanks for your comments about computers being made into zombies. We are all apt to be hit by this if we are not careful. A question, should we impose a liability that all users should be liable for some punishment where they are willfully negligent in not keeping machines safe at a basic level (ie with free firewalls and anti-virus)? Otherwise, the spammers may be able to get away. In the submission, I would propose a higher level of redress from spammers who resort to this measure (but comments on the minimum standard for users would be helpful).

Cheers
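The question asked twice in the posts above, whether the "metadata" identifying the sending server can be spoofed, worked through as an added example (not from any poster). It assumes a constructed message and a made-up receiving server name, mx1.example-isp.nz: every header is sender-supplied text except the Received: line our own server stamps on arrival, so that one observed IP address is the only origin a receiving ISP could base a block on.

```python
from __future__ import annotations

import re
from email import message_from_string

# Hostname of the receiving ISP's own mail server (constructed for this example).
OUR_MX = {"mx1.example-isp.nz"}

# Pulls "from <helo> (<rdns> [<ip>]) by <host>" out of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]]+\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

# Constructed message.  The From: header and the LOWER Received: line were
# written by the sender and can say anything; only the TOP Received: line was
# stamped by our own server, which saw the real connecting address.
SAMPLE = """\
Received: from mail.bigisp.example (unknown [203.0.113.77])
\tby mx1.example-isp.nz with ESMTP id abc123;
\tWed, 16 Jun 2004 13:07:00 +1200
Received: from smtp.reputable-isp.example (smtp.reputable-isp.example [198.51.100.9])
\tby mail.bigisp.example with ESMTP id xyz789;
\tWed, 16 Jun 2004 13:06:58 +1200
From: "Your Bank" <alerts@bank.example>
To: victim@example-isp.nz
Subject: Account notice

Please confirm your details.
"""


def received_hops(raw: str) -> list[dict]:
    """Parse every Received: line, most recent hop first (top of the message)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold header continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"].lower()})
    return hops


def classify_hops(raw: str, our_mx: set[str] = OUR_MX) -> dict:
    """Separate the one hop we observed from the hops we merely read about.

    Walking down from the top, the first line whose "by" host is one of our own
    servers records the TCP connection we actually accepted.  Its IP address is
    real; its "helo" name and every line beneath it are text the connecting
    client was free to fabricate.  Assumes our MX is the first hop inside our
    network (no internal relays above it).
    """
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["by"] in our_mx:
            return {
                "observed_ip": hop["ip"],
                "claimed_helo": hop["helo"],
                "unverified_ips": [h["ip"] for h in hops[i + 1:]],
            }
    # No hop of ours at all: nothing in this message is verifiable.
    return {"observed_ip": None, "claimed_helo": None,
            "unverified_ips": [h["ip"] for h in hops]}


def from_domain(raw: str) -> str:
    """The From: domain is a claim only; nothing in the headers vouches for it."""
    addr = message_from_string(raw)["From"]
    return addr.rsplit("@", 1)[1].rstrip(">").lower()


if __name__ == "__main__":
    result = classify_hops(SAMPLE)
    print("address we actually accepted mail from:", result["observed_ip"])
    print("name it called itself (unverified):    ", result["claimed_helo"])
    print("earlier hops it claimed (unverified):  ", result["unverified_ips"])
    print("From: domain (unverified):             ", from_domain(SAMPLE))
```

A block list keyed on the observed address still only identifies the last relay that connected to us, which is why a compromised customer machine, not the ISP, is what such a list ends up naming.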

robsonde
18-06-2004, 01:34 PM
Could we have a law that means that all ISPs in NZ will spam filter email that leaves their network as well as filtering email that comes in to their network?

At the moment most ISPs spam filter all incoming email and this has helped the end user of NZ but will not stop an NZ user spamming the world.

argus
18-06-2004, 04:03 PM
Written submissions are certainly acceptable; this one isn't even a "submission" in a strict Parliamentary sense (as we don't have a first-reading Bill yet); it's a response to a "discussion paper" - a much earlier stage.

In a surprising piece of state-of-the-art thinking, the officials responsible for this stage have even undertaken to accept submissions by email! The address is spamsubmissions@med.govt.nz. The discussion paper and other advice on submissions can be read (fearsomely hypertexted) and downloaded in one piece (Yay!) as a PDF (boo!)* at www.med.govt.nz/pbt/infotech/spam/discussion/index.html

And I don't think an offer to come to Wellington and "speak to your submission" would be entertained at this stage.

Meanwhile, for "real" submissions (post-first reading), it's still 20 copies on flat pieces of dead tree :-( Parliament seems incapable of receiving or copying them in digital form.

* One of the several things I have against PDFs is that I haven't found a way to highlight the bits that in my eyes are important. Word documents (and presumably documents in other word-processor formats) let you do the highlighter-pen thing in a brilliant range of colours.

Someone had a mildly amusing piece going the rounds about one of the greatest dangers of the internet being the endemic presence of evil "PDFfiles". I can't help but agree (tho' I appreciate many would consider it in bad taste).

Closing date for responses to the spam paper is June 30.

Argus

I see (looking this up on the IDG database) that IDG has at least one article on "spim". Could be spam from a public relations company.

argus
18-06-2004, 04:08 PM
Sorry; should have read the piece. "Spim" is spam via IM (instant messaging).

Apologies for impugning IDG's proofreaders.

Argus

argus
12-07-2004, 12:50 PM
I notice from this week's "Computerworld" that the latest unwanted substance is SPIT - spam via internet telephony.

Argus

mister harbies
12-07-2004, 02:05 PM
Perhaps we could have a spam blacklist. How this would work is I would pay say $5 for each email I want on the blacklist. Spammer will need to abide by this blacklist and would not be allowed to email those on the blacklist. The $5 per email would be used to enforce this.

How we can enforce this might be to employ a new police section devoted to the cause, court fees etc.

Those who breach the blacklist would also be fined say minimum of $2,000 per email and bar them from using an electronic device (including calculators and TV remotes) for 5 years as a maximum.

If an email comes from a spammer, I would email the offending email to the spam police and they will follow up.

This could work.


Mister Harbies

whiskeytangofoxtrot
12-07-2004, 02:11 PM
> * One of the several things I have against PDFs is
> that I haven't found a way to highlight the bits that
> in my eyes are important. Word documents (and
> presumably documents in other word-processor formats)
> let you do the highlighter-pen thing in a brilliant
> range of colours.

*yawn* but everyone can afford Word, and of course it's a world wide standard </sarcasm>

argus
12-07-2004, 04:02 PM
> *yawn* but everyone can afford Word, and of course it's a world wide
> standard </sarcasm>

I wouldn't disagree with any of that (sarcastically interpreted); I am well aware Word is proprietary and (fairly) expensive.

ALL I was saying is that .pdf documents cannot be highlighted and I like to be able to highlight my documents.

The workaround is to cut and paste the needed extracts into a separate document, but it's not as easy to work with.

Don't put me down as a Word champion just because I point to one feature about it that I like.

I could change to any OS and word processing application I (or you) like; it would still not let me highlight .pdfs. That is a disadvantage of this widely-adopted standard.

Talk to someone who's blind and you'll discover .pdfs have much more important disadvantages like not working with a lot of assistive technology; which blights some people's IT-using lives far more than not being able to highlight influences mine.

Just because .pdf is a standard doesn't stop it being an inconvenient standard in some respects.

Stop yawning and try suggesting a solution.

Argus

kiki
12-07-2004, 04:22 PM
You realise that you cannot highlight text in PDFs because it's supposed to be a copy proof document to stop people plagiarising it and so on. If you can highlight, then you can copy it much more easily than writing it out word for word!

R2x1
13-07-2004, 01:05 AM
I rather fear letting the gov't touch anything useful. It seems that the one forwarding the spam is not always aware of being a zombie, and we can't mandate a level of user ability with firewalls etc.

I do feel however that the person to whom you must reply for this spam to achieve its aims should be a little easier to locate - or how could we order the anatomical enhancers? They could be obliged to pay a 50 cent fee for each received e-mail that someone complains of - and the returns sent off to charities or whatever. Every time you get a spam message, send it on to your favourite charity who can mass sue the originators.

A little off the main OT, but why do people have trouble highlighting PDFs?
I have no trouble with this, (but getting the highlighter off the monitor is hard.)
R2

agent
13-07-2004, 01:30 AM
Argus, on the cover CD that comes with APC (Australian Personal Computer) for the month of July is a product called "Solid Converter PDF 1.0".

I haven't installed it, because I don't use Microsoft Office, nor do I have a need for it, but the statement on the CD package reads "it delivers content directly from PDFs into Microsoft Word". As far as I can discern, it is the full software, not lacking in any functionality.

Perhaps you might like to try it?

metla
13-07-2004, 01:43 AM
ISPs can see what comps are broadcasting viruses and funneling spam, they can and sometimes do disconnect them.

They should make it a rule.

Mirddes
13-07-2004, 10:55 AM
I personally like the USA's CAN-SPAM act.
The spammers get fined loads of money and stuff,
but I think... that some of that goes to the person who turned them in for not having the correct subject line, meaning you couldn't filter them out.
Learnt that from the late TechTV, **weeps**

somebody
13-07-2004, 11:24 AM
That will cause problems such as me paying $5 to blacklist a long-time enemy, just for personal reasons. As most spam originates outside NZ, and uses randomly generated spoofed email addresses, such a law would not help.

mister harbies
13-07-2004, 11:31 AM
Yes, but the spam police would look at the email and decide whether it is actually spam before they take any action.

And the $5 pays for your personal email account to be on the blacklist, not the email you wish to avoid. So for an example, I have two email accounts, I would pay $10 to be on the blacklist, so spammers can not send emails to my two accounts.

Those who do will be punished.

It's like those "no circulars" on the letterboxes.

Mister Harbies

somebody
13-07-2004, 11:44 AM
But that opens up the whole privacy debate. Why don't the spam police screen everyone's emails to see if they're spam, instead of waiting for you to complain? Why shouldn't your ISP have a panel of people reading all the emails you send and receive to make sure that it isn't spam? While they're doing that, why don't they also filter out any anti-Government emails?

As far as putting yourself on the blacklist, how will you stop a spammer in Europe, America, Africa or Asia from sending you spam? They couldn't care less about what blacklist exists, because they have the technology to spoof all the addresses etc. to make them invisible, and they know that they're untouchable by NZ officials.

My neighbour has a "Strictly No Junk Mail" sign on his letterbox - yet he still gets junkmail (a lot of it), and the people distributing the junkmail don't get punished - because it's impractical, and they couldn't care less. Enforcing the blacklist will be so intensive on human resources, it would cost $billions to run every year, as well as a huge capital investment in equipment to keep one step ahead of the spammers. And even so, it would only catch a few NZ spammers, and not address the huge issue of overseas spammers, where the list of them will just build up and build up, as the NZ police has no permission to arrest and prosecute in other countries.

agent
13-07-2004, 07:08 PM
Since our retired politicians get a tax-payer funded world trip every year, how about we send them off to pay visits to spammers from overseas countries each year.

Except they won't be taking part in any sort of political debate, it'll more be scare tactics on behalf of the half-dozen accompanying ex-bouncers, who'll deliver a firm message that "people in New Zealand don't like receiving your spam, if you know what I mean", with a wink, a nudge, and a wallop for good measure.

;)

andrew93
13-07-2004, 08:22 PM
Or the spammers could be tied down and forced to listen to one of our politicians for half an hour - oh the agony!

But insofar as defeating spammers goes, we can all write effective legislation but the bigger issue will be enforcement. As identified previously, how can this be done? I don't have the answer but I like the idea of massive disincentives - i.e. fines in the orders of multi-million dollars to hit the spammers where it hurts. But then you don't want to catch the wrong people through identity theft and there should be some allowances for instances such as companies sending out regular e-mail circulars to clients etc.

I recently used a tactic on the first piece of spam (I got 5 or 6 in one hour) that hit my personal e-mail address - I used online tcp/ip tools to id the spammer and which ISP it came through. I then sent an appropriately worded legalese e-letter to both the company and ISP warning them that I am self-employed, my time was my constraint and if they chose to use it up by my reading their spam mail then I would invoice each of them US$500 per letter (being my supposed minimum charge), any further spam would be acceptance of my conditions and invoices would flow. It took them less than 8 hours to turn off the spam tap and I haven't been hit since.

agent
13-07-2004, 09:10 PM
May I ask just how you knew that the IP address it resolved to wasn't a zombified PC belonging to an innocent, if not somewhat ignorant and precarious, individual?

andrew93
14-07-2004, 01:16 AM
A good point but the name of the tcp/ip owner was a pretty close match to the name of the business (some Californian internet marketing company) that was peddling rubbish via e-mail spam so I took a punt, didn't get flamed, the spam stopped, maybe the company was reputable, and I guess they weren't using another identity. I'll never know if I did get it right but the symptoms say I got it right cos the spam stopped just like turning off a tap - although it is still a good point and I shall be a little more circumspect if it ever happens again.

agent
14-07-2004, 12:51 PM
Oh, right, I didn't think about that sort of instance :8}

I should probably do a few traces on the next few items of spam that I get though; I used to do it occasionally, but never ended up anywhere useful.

To me, it sounds like you stumbled across a company that didn't do spamming very well, as in using public proxies, hijacked servers, etc.

mister harbies
14-07-2004, 01:40 PM
$5 from each person would create lots of revenue. Say there are 2 million email addresses in New Zealand and half of them will want to be on the blacklist. That is $5 million every year. Of course there will also be other sources of income.

And spam has to be traceable. After all, they are advertising something. If it can not be traced, how the hell do I buy what they are advertising. I am aware that advertisers may be employing spammers to do this work and the advertiser would be traced rather than the actual spammer.

There has to be a link between the advertiser and the spammer.

And about the international problem, well.... make a submission to UN or whatever and make it INTERNATIONAL LAW.


I actually like Bill Gates' idea about the computer having to do a mathematical calculation for each email sent. This would drag down spammers' computers considering they email by the thousands or millions. This would have no effect or very little effect on the home users, but might affect those businesses who have mailing lists and electronic newsletters.


Mister Harbies

agent
14-07-2004, 04:38 PM
I personally don't like any of Bill Gates' ideas for stopping spam. I haven't freshly read up on them, but my initial thought on hearing them was that they were ridiculous and absolutely unnecessary.

It is unlikely that a small mathematical calculation will have a major effect on spammers - it will mean that they are more likely to make use of zombie computers that have been taken over by trojan horses. All the spammer would need to do is send one email to a zombie, which then uses a list of email addresses (or randomly creates them) and sends off heaps of emails.

Another major downside to his plans is that it would require additions to either the standards used to send email, or every single email program. Honestly, will the mathematical calculation be initiated on the client side, or the server side? Either way, you'll most likely end up with many "rogue" applications that do not conform to what Bill Gates wants.

I came up with this idea last night, and I haven't thought it through at all, but I believe it is better than anything Bill Gates has turned out. Why don't we just make it so that every email address has a GPG key. There are a number of things you could do after this, one of them being that emails without a valid GPG signature (checked by servers from a global database of public keys) are discarded, or all emails that aren't from people on your contact list are discarded, with the added bonus that this would also mean spam appearing to be from people on your contact list could be discarded - it would contain neither a valid GPG signature nor encryption.

Sure, the ideas that could stem from everyone having a GPG key are just as susceptible to corruption, insecurity, and privacy concerns as any other, but we'd probably all be a little better off.
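The "mathematical calculation for each email sent" debated in the last two posts, written out as an added example that is not from any poster: a simplified Hashcash-style stamp (a constructed scheme, not any vendor's proposal or Hashcash's exact format). The sender brute-forces a counter until a hash has enough leading zero bits; the receiver does one hash and also checks the stamp is bound to this recipient and is recent, which is what makes a million-address mailout cost a million separate computations. Nothing here answers the zombie objection above: a hijacked machine pays that cost on the spammer's behalf.

```python
"""Per-message proof-of-work stamp, in the spirit of Hashcash.

Sender: find a counter such that SHA-256 over "bits:recipient:date:counter"
starts with `bits` zero bits.  Expected cost is 2**bits hashes per message.
Receiver: one hash, plus checks that the stamp is bound to THIS recipient
and is recent, so a single stamp cannot be reused across a mailing list or
replayed later.  Constructed example; field layout is this example's own.
"""
import hashlib
import time

DIFFICULTY = 16                  # leading zero bits the receiver demands
MAX_AGE_SECONDS = 2 * 24 * 3600  # stamps older than this are rejected
CLOCK_SKEW_SECONDS = 3600        # tolerate a sender clock slightly ahead


def _leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(recipient: str, date: int, difficulty: int = DIFFICULTY) -> str:
    """Sender side: brute-force a counter.  Work is about 2**difficulty hashes.

    The recipient address must not contain ':' (the stamp's field separator).
    """
    counter = 0
    while True:
        stamp = f"{difficulty}:{recipient}:{date}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, now: int,
                 difficulty: int = DIFFICULTY,
                 max_age: int = MAX_AGE_SECONDS) -> bool:
    """Receiver side: cheap.  One hash plus binding and freshness checks."""
    try:
        bits_str, rcpt, date_str, _counter = stamp.split(":", 3)
        bits, date = int(bits_str), int(date_str)
    except ValueError:          # malformed stamp
        return False
    if bits < difficulty:       # sender picked an easier target than we require
        return False
    if rcpt != recipient:       # minted for someone else: no reuse across a list
        return False
    if not (now - max_age <= date <= now + CLOCK_SKEW_SECONDS):
        return False            # stale or future-dated: no replay
    return _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits


def expected_hashes(n_messages: int, difficulty: int = DIFFICULTY) -> int:
    """Average work a bulk sender must do for n_messages separate recipients."""
    return n_messages * 2 ** difficulty


if __name__ == "__main__":
    now = int(time.time())
    t0 = time.perf_counter()
    stamp = mint_stamp("user@example-isp.nz", now)
    mint_s = time.perf_counter() - t0
    t0 = time.perf_counter()
    ok = verify_stamp(stamp, "user@example-isp.nz", now)
    verify_s = time.perf_counter() - t0
    print(f"stamp: {stamp}")
    print(f"mint {mint_s:.3f}s, verify {verify_s:.6f}s, valid={ok}")
    print("a million recipients at this difficulty: about",
          f"{expected_hashes(1_000_000):,} hashes")
```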

andrew93
14-07-2004, 05:19 PM
> I personally don't like any of Bill Gate's
> ideas for stopping spam.

:D

> I came up with this idea last night, and I haven't
> thought it through at all, but I believe it is better
> than anything Bill Gates has turned out. Why don't we
> just make it so that every email address has a GPG
> key. There are a number of things you could do after
> this, one of them being that emails without a valid
> GPG signature (checked by servers from a global
> database of public keys) are discarded, or all emails
> that aren't from people on your contact list are
> discarded, with the added bonus that this would also
> mean spam appearing to be from people on your contact
> list could be discarded - it would contain neither a
> valid GPG signature nor encryption.
>
> Sure, the ideas that could stem from everyone having
> a GPG key are just as susceptible to corruption,
> insecurity, and privacy concerns as any other, but
> we'd probably all be a little better off.

As I was reading one of your earlier posts just now, I also thought of the PGP key (I think it is PGP rather than GPG) and then I read your last post and you may be on to something here. Not only do they need a valid key for themselves (reported spammers lose their key and have to reapply), but they also need your public key which wouldn't be available as part of a list any spammer could just download - not sure how that would work for mere mortals but maybe you could retrieve one key at a time (as mere mortals would).

agent
14-07-2004, 06:00 PM
You're quite right, there is PGP (http://web.mit.edu/network/pgp.html), but there is also GPG (http://www.gnupg.org/).

GPG works in much the same way as PGP, and is compliant with OpenPGP. As stated on the GnuPG website, "GnuPG is a complete and free replacement for PGP", and as such, "it can be used without any restrictions".

I do believe there is an international version of PGP available (PGP cannot be exported from North America), but it is significantly easier to just get GPG.

And like I said, there are vulnerabilities in a lot of the ideas to stop spam that you could link with using GPG/PGP (or similar - technically the encryption of an email via GPG or PGP is a mathematical process, although it certainly wouldn't be a small one if you wrote long emails with massive attachments), such as the compromise of a database that contained every public key.

The thing is, if even only people in a small group of friends all got a GPG key, they could be free of spam simply by automatically deleting emails that cannot be decrypted or do not have a valid GPG signature. I'm struggling a bit to understand how GPG works (http://www.gnupg.org/(en)/documentation/faqs.html#q7.1), but I did understand it all last year, and I'm quite sure that it would be a viable method of giving spam one final kick in the rear end.

I bloody well hope no one comes along and spoils this all by telling of a major flaw in the base ideology (that every email address requires a GPG key). However, if people could help to build up a variety of methods based on requiring a GPG/PGP key, that would be fantastic!

:D

Scouse
14-07-2004, 08:35 PM
Argus. Is this true? >Closing date for responses to the spam paper is June 30.

kiki
14-07-2004, 09:15 PM
> I do believe there is an international version of PGP available (PGP cannot be exported from North America), but it is significantly easier to just get GPG.

What do you mean "can't be exported"?

Anyone with a credit card can buy it online. I've done it myself.

kiki
14-07-2004, 09:17 PM
Also it looks like GPG is useless at the moment for Windows users, it's in a command line interface. No thanks.

agent
14-07-2004, 09:57 PM
Actually, there are a wide range of frontends (http://www.gnupg.org/(en)/related_software/frontends.html.en) for GPG.

And in the case of not being able to export PGP outside North America, I was referring to the PGP that is distributed by MIT, not PGP such as can be bought at www.pgpstore.com.

andrew93
14-07-2004, 10:03 PM
> > I do believe there is an international version of
> PGP available (PGP cannot be exported from North
> America), but it is significantly easier to just get
> GPG.
>
> What do you mean "can't be exported"?
>
> Anyone with a credit card can buy it online. I've
> done it myself.


There are 2 versions available - 128bit (I think) for the rest of the world and 256bit (double the other one anyway) for the U.S. - illegal to export the high end encryption outside of the US.