spf-discuss

Re: 2822 Header Analysis [Re: The pretty name]

2004-10-01 01:58:52

----- Original Message -----
From: "Mark Shewmaker" <mark(_at_)primefactor(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, October 01, 2004 3:43 AM
Subject: Re: 2822 Header Analysis [Re: [spf-discuss] The pretty name]


On Fri, 2004-10-01 at 02:30, Hector Santos wrote:

A spammer who claimed they were "CANSPAM compliant" sued the company
for malpractice, tort and for breaking user-vendor contracts thus
violating CANSPAM and certain provisions of US ECPA

Can you explain more clearly exactly how SA could be violating can-spam?

Simple.

The argument can be made that SA is breaking user-vendor contracts.  Before
CANSPAM, there was nothing within the Federal Laws and guidelines that gave
Direct Marketers the privy to do business using user-vendor contracts.
Early lawsuits were based on malpractice, which were thrown out of court.
Now there is a Federal Law on the books.

Why do you think the Direct Marketers quickly endorsed the bill?  It gives
them the right to do business, and if you are going to break what could be
considered a Legal transaction, you had better have a good reason for doing
so because they now have legal grounds to stand on.

Of course, this is based on the idea if SA is automatically doing the job of
rejection without USER knowledge. If the USER specifically wanted to reject
it,  I doubt the spammer can claim damage.  However, I don't believe that is
the situation in this SA lawsuit.

If can-spam says to a spammer "You may do X if you have made sure of Y
and the end recipient has not done Z; else we can press charges", what
does that have to do with the ISP or their mail filtering code at all?

I don't quite get your analogy or question, but it's all about running a
business properly.

I saw nothing in the act that implied that it would restrict the end ISP
in any way.  (Although I saw enough horrible, illegal, and also
amazingly vague nonsense in it that I can only hope the whole law is
thrown out in court.)

First, what it implies is that an ISP can still use the US ECPA provisions
for providing "system policies" that declare the expected operations of the
system.  Again, that does not change the responsibility a system has if
indeed it does accept the message.

Second, it won't happen (killing the law).  IMO, it is a good and fair law.
The problem isn't CANSPAM. IMO, the problem was the IETF failing to heed the
model and framework it offered.  CANSPAM says:

    - Don't lie about the return address
    - Don't lie about the topic subject

and in addition it says:

    - You must follow the Internet standard as defined by the IETF.

Now, CANSPAM gave the IETF 18 months to define what this internet standard
will be.  It was an opportunity to introduce a revamping of the system with
new, strong technical specifications in order to meet the "functional
specifications" modeled in CANSPAM.  In other words, new technology in order
to allow software systems to automate the process of:

    a) Validating the Return Address,
    b) Validating the Topic Subject.

Spammers quickly endorsed the bill and licked their chops because they were
fully aware the current technology did not offer the above and the chances
of new systems happening would be low or slow to come.  Where there are
current efforts for performing A, performing B requires a PAYLOAD
transaction to check the subject line unless a new ESMTP command like TOPIC
were offered to help the SMTP server reject the mail based on user-acceptable
TOPIC references at the 2821 level.  This is not a big deal, but it does
push the idea of perpetuating the payload concept if you wish to support the
TOPIC mandate.

Spammers understand that the "sweet" part of the fruit is getting systems to
accept the PAYLOAD.  They are afraid of 2821-level rejection because CURRENT
laws allow it to happen. That is what the CANSPAM provision for ISPs says,
which you alluded to.  However, once the PAYLOAD is accepted, you don't have
the US ECPA behind you any more, but against you.  You have to either
deliver it or bounce it.  Period.

The advent of the spam/spoof problem (known to exist and documented since
1987) increased the pressure to reject mail without bouncing it.  Obvious
legitimate real-world concerns.  However, this increases the risk for
product liability issues.  You have nothing to hide behind except to use the
US ECPA itself, claiming that the spammer was harming your system.  One thing
is for sure: malicious spammers will not complain about your rejections.
However, "harm" the wrong or "legitimate" person, and you are now open to
litigation.  I can't say it any clearer.

I especially saw nothing linking the fed's presumed future use of
canspam's definition in prosecuting spammers, with any requirement that
anyone else must *also* use or even consider canspam's definition, such
as ISP's when they set up mail filters for end recipients.

If you see such a link somewhere, please help me see it too.

If I understand your point, you are suggesting the possibility for an ISP
to claim he does not follow Federal Law?  Thus if the ISP itself is not
CANSPAM compliant, then CANSPAM-related suits cannot be used against them?

If so, this is like saying I don't believe in Federal Income and FICA Taxes,
thus do not have to pay my federal taxes. :-)

Look, this is all case history.  Do the research yourself.  For small
systems, you can probably do all you want with mail with no repercussions.
But a bigger commercial operation has responsibilities to adhere to.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
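As an added illustration of the distinction the post draws between 2821-level (envelope) rejection and accepting the 2822 PAYLOAD, the following Python simulates a minimal SMTP server running one scripted client transaction. It is example code written for this archive page, not anything from the thread, from Santronics or from SpamAssassin. It shows that a sender-based policy can answer at MAIL FROM before any message content exists, that a Subject-based policy cannot run until the DATA section has crossed the wire, and that only a 250 reply to the end of DATA makes the receiver responsible for delivery or a bounce (RFC 5321, which replaced RFC 2821). The host names, addresses, the two policy functions and the `transaction()` client script are constructed for the example; the hypothetical TOPIC extension mentioned in the post is not modelled.

```python
"""Added example (not code from the thread): a minimal SMTP transaction
simulator showing that a sender check can be made at the RFC 2821 envelope
stage, a Subject check only after the RFC 2822 payload has been transferred,
and that a 250 after DATA is what makes the receiver own delivery or bounce.
Host names, addresses and policies are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Outcome:
    transcript: List[Tuple[str, str]] = field(default_factory=list)  # ("C"/"S", line)
    payload_received: bool = False  # the DATA section crossed the wire
    accepted: bool = False          # server replied 250 after the final "."

    @property
    def must_deliver_or_bounce(self) -> bool:
        # RFC 5321 (successor of 2821): a 250 reply to the end of DATA hands the
        # receiver responsibility for delivery or a non-delivery report.
        return self.accepted

def parse_message(lines):
    """Split a DATA section into headers and body (no folding, no dot-unstuffing)."""
    headers: Dict[str, str] = {}
    for i, line in enumerate(lines):
        if line == "":
            return headers, lines[i + 1:]
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, []

def smtp_session(client_lines, envelope_policy, content_policy) -> Outcome:
    """Run one scripted client against the simulated server and record the exchange."""
    out = Outcome(transcript=[("S", "220 mx.isp.example ESMTP")])
    have_sender = have_rcpt = in_data = aborted = False
    data_lines: List[str] = []
    for line in client_lines:
        if aborted and line.upper() != "QUIT":
            continue  # a well-behaved client abandons the transaction after a 5xx
        out.transcript.append(("C", line))
        if in_data:
            if line != ".":
                data_lines.append(line)
                continue
            in_data, out.payload_received = False, True
            reason = content_policy(*parse_message(data_lines))
            if reason:
                reply = f"554 5.7.1 {reason}"  # rejected in-protocol, no bounce owed
            else:
                out.accepted, reply = True, "250 2.0.0 Message queued"
            out.transcript.append(("S", reply))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = "250 mx.isp.example"
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip().strip("<>")
            reason = envelope_policy(sender)  # decided before any payload exists
            have_sender = reason is None
            reply = f"550 5.7.1 {reason}" if reason else "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            have_rcpt = have_sender
            reply = "250 2.1.5 Recipient OK" if have_sender else "503 5.5.1 Need MAIL"
        elif verb == "DATA":
            in_data = have_rcpt
            reply = "354 End data with <CR><LF>.<CR><LF>" if have_rcpt else "503 5.5.1 Need RCPT"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.2 Command not recognized"
        out.transcript.append(("S", reply))
        if reply.startswith("5") and verb in ("MAIL", "RCPT", "DATA"):
            aborted = True
    return out

def reject_known_spam_domain(sender: str) -> Optional[str]:
    """Envelope policy: needs only MAIL FROM (constructed block list)."""
    return "Sender domain not accepted" if sender.endswith("@spammer.example") else None

def reject_by_subject(headers, body) -> Optional[str]:
    """Content policy: the Subject exists only inside the 2822 payload."""
    return "Subject not acceptable" if "free money" in headers.get("subject", "").lower() else None

def transaction(sender: str, subject: str) -> List[str]:
    """Constructed client script for one single-recipient message."""
    return ["EHLO client.example", f"MAIL FROM:<{sender}>", "RCPT TO:<user@isp.example>",
            "DATA", f"From: {sender}", "To: user@isp.example", f"Subject: {subject}",
            "", "Hello.", ".", "QUIT"]

def server_replies(outcome: Outcome) -> List[str]:
    return [line for who, line in outcome.transcript if who == "S"]

if __name__ == "__main__":
    for s, subj in [("bulk@spammer.example", "Free money"), ("news@vendor.example", "Free money"),
                    ("news@vendor.example", "October newsletter")]:
        o = smtp_session(transaction(s, subj), reject_known_spam_domain, reject_by_subject)
        print(f"{s:22} {subj:20} payload={o.payload_received} accepted={o.accepted} owes={o.must_deliver_or_bounce}")
```

Running the three scripted transactions shows the three positions in the post: the blocked sender never gets past MAIL FROM, so no Subject line is ever seen; the "Free money" message from an acceptable sender is fully transferred before the 554 is issued, which is exactly the PAYLOAD transaction the post says a Subject check requires; and only the clean newsletter receives a 250, after which the receiver must deliver it or generate a non-delivery report rather than silently drop it.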