On 10 Feb 2004, Franck Martin wrote:

>
> If he subscribes himself, then we have his e-mail address and then his
> provider and maybe an IP and time, so we could track him down in the
> real world and maybe sue him...

So instead of using his own email address, the abuser sends a virus to a bunch of people, and when they get infected, the infected "send" the spam, and then we just track down an infected user, and disinfect them. There's more, see below.

As I've said for some time, most of the junk we are getting is currently from viruses run by abusers, not from genuine spammers. Now the statistics are starting to show this. I just saw some stats on the top 95 real spammers that show that most are complying with the new federal anti-spam law, and that over half (56%) are fully compliant. Yet, checking my own inbox, I find very little spam that is compliant, or even partially compliant. Apparently, most of the "spam" doesn't come from real spammers.

Some might say "so what? it doesn't matter whether the abusers really want to sell products/services/scams etc." Actually, it does matter. When you realign your anti-spam efforts from control of business to control of techno-terrorists, the problem is quite a bit different, and you can see also that things like signing and other things aren't going to work.

Now we have the criminal law tools needed to go after the abusers: That is the road to stopping spam. You don't need to sue anyone--you need to prosecute them for criminal violations of the CAN-SPAM Act, and criminal violations of the Computer Fraud and Abuse Act (for virus infection). Criminal investigations have a much easier time of getting the information that is needed to identify and prosecute the criminals.

I don't expect that this is going to net spammers. I expect it will net anti-spam radicals seeking to annoy people into a ban on spam.
Here's why: A careful review of the history of the spam wars shows that the radicals have been conducting the abuse from the time of the Internet E-Mail Marketing Council (IEMMC).

The IEMMC was formed in May of 1997 between Cyberpromotions and AGIS and some others. Its goal was to encourage voluntary spam labeling and opt-out lists, and to work out a compromise on spam between the advertising and technical community. It truly infuriated anti-spam radicals. In August 1997, Cyberpromo's web site was hacked, and files and email were deleted. AGIS then came under a large Denial of Service attack, and finally succumbed and disconnected Cyberpromo and withdrew from the IEMMC, in September, 1997. When the IEMMC collapsed the radicals probably thought their abuse tactics were effective, and were probably encouraged to continue their abusive behavior.

One might say this is ancient history, but in fact, the IEMMC position on spam was practically legislated in the CAN-SPAM Act, with the caveat for criminal violations. It's also interesting in light of the attacks on Cyberpromo and AGIS. These attacks are typically associated with groups of script kiddies. Vixie has subsequently reported that he is in contact with the "script-kiddies" and that they are mostly anti-spam. Being anti-spam is not the same as being anti-mailbombing, which is the script-kiddie term for their fake spamming.

What the CAN-SPAM Act did was revive the ideas of the IEMMC, and in doing so, it changed genuine spammer behavior so that genuine spammers can be distinguished from that of the radicals/abusers. Now it is just a matter of using the criminal provisions to track down the abusers, and punish them.

What does this mean? For one thing, it means that we will be able to use criminal investigations to identify the abusers.
I expect that these are essentially the same radicals who were attacking Cyberpromo with DOS attacks in 1997; that have been filling email boxes with spam and fake opt-out links since 1997 in the hope of motivating people to demand the spam be banned; that have released many viruses that send spam. But it will be interesting in any case. Importantly, it will eventually stop the abuse. Criminal complaints can also be issued against individuals outside of the United States with good effect. It is much more difficult to exercise a civil suit internationally.

The second thing it means is that you can forget trying to create technical solutions to spam. Not only can't such schemes succeed in preventing techno-terrorism for reasons drawn from information theory as previously explained, but they are now unnecessary.

--Dean