ietf-asrg

Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-08 08:38:42
At 9:34 PM -0600 4/7/03, Vernon Schryver wrote:
> The email addresses they provide go to free web mail sites.
> The web addresses they go to go to IP addresses, or to free-website
> sites, or to real sites that have an open-redirect, or to real domain
> names that are hosted on some web server in China and have whois
> information that doesn't point me to a real company.  Or in those
> cases where it might, it means calling some random phone number in a
> country on the other side of the world.

Which of those cannot be traced?   For example you might pass them a
credit card number and then serve papers on the credit card factor
that tries to collect.  In an anti-junk fax mailing list, I've seen

Okay.  Let me try and say this in less words.

A junk fax or junk pre-recorded phone message can be traced, using information provided by a clueless user, in half an hour.

A junk email message can be traced, using information provided in a timely fashion by a clueful user, over a period of anywhere from half an hour to several days, possibly using throwaway email addresses, credit cards and court orders.

I do not consider those two things equivalent. Nor do I consider the second to fit the normal definition of an "identifiable" source.

use shells and screens.  If you somehow force them to buy Verisign
certs, they'll use false names, brokers, and middle men like Domains
by Proxy.  The only effective way to identify spammers will always be
variations of "follow the money."

Nor did I claim otherwise. I'm simply taking issue with your claim that it is easy to identify who is sending most spam.

> There's identifiable, and there's *usefully* identifiable.  I don't
> buy the claim that this identifies the advertiser in any real sense.
> And this is one of the more trackable pieces of spam in my inbox.

I agree, it is not usefully identifiable to people who are not motivated
by something more than a single $500-$1500 fee.

For the simple reason that it takes more than $500 to $1500 to track down the sender with a sufficient level of proof to receive the payment.

> Yup. This one was clearly identified as coming from an open proxy in Brazil.

Again, a spammer's IP address (or any conceivable crypto authentication)
is about as useful as the telephone number in a TCPA case.  In many

In theory yes. In practice that does not seem to be the case. None of the cases I've reported to the FCC showed any indication of using fake caller-id or somehow hiding the 800 numbers they provided. I don't have a large enough data sample of phone and fax violations, but I strongly suspect that the majority are not hidden, whereas the majority of spam *does* attempt to hide where it comes from.

Oh, whoops. I just realized where that argument was going. Okay, forget it. I forgot that you disagree with that.

> I know.  I've provided the FCC with a number of complaints for junk
> faxes and phone calls.  They even follow up to every report with a
> letter containing a printout of several pages on their web site.

Until the Colorado do-not-call law went into effect in July, 2002,
and my junk faxes abruptly stopped, I had trained the FCC letter

Unfortunately most of my complaints have been for unsolicited pre-recorded calls. Which means manually describing the things. (Unless you can point me at a place where I can submit an audio file!)

> Whoa.  Backup.  Those junk faxes and phone calls; they had a contact
> phone number in them.  I fed that number to the FCC, they look it up,
> now they have a name and address.  ...

Do they really?  Don't some 1-900 phone system outfits shield their real
customers?

Perhaps. I've never seen/heard junk faxes/calls with 900 numbers. It's all been traceable 800 numbers.


No one technical (in the TCP/IP or SMTP sense) is needed to follow a
credit card number.  On the other hand, the identification in the 21st
Century junk faxes consisted of a 1-900 phone number.  Could you have
done anything with that?  I couldn't.

No.  But I can give the FCC a 900 number and they can do it.
There is nothing I can give the FCC from a spam message that provides a similar level of traceability. At a minimum it means following the links in the spam and actually entering a credit card number. What consumer is going to do that? And if they don't, what are the odds that the site will still be there by the time the FCC looks at it? Never mind the effort and time required to do it, whether done by the consumer or the FCC.

The two are not comparable.

So does spam.  Your grandmother could print the whole spam with
headers and treat it as I treated 21st Century's junk faxes.

See all of the above comments. And add to it that spam reports from non-techies seldom have the full headers.

That is not true if you normalize the difficulties for both to the
common person.  A 21st Century junk fax had no identification except
1-900 numbers.  I don't know about you, but for me it's "several orders
of magnitude" easier to chase SMTP headers and IP addresses than to
convert a 1-900 number into an address for sending papers for small
claims court.

Yes. But we aren't talking about you and me. We're talking about the average user. The 900 number is sufficient identification to hand off the problem. The email headers are not.

There's another lesson in the TCPA and junk faxes that is waiting to
be learned by those who are not stuck on peddling authentication snake

I'd appreciate it if you'd back off from your vendetta against authentication for a second and address the issue at hand. "Is spam identifiable?" I claim that it is not identifiable at anywhere near the level of fax and phone spam, and therefore the laws that work for junk faxes (namely, bounties) are not likely to work for spam. You claim otherwise.
--
Kee Hinckley
http://www.messagefire.com/          Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg