Friday, December 05, 2003

Warning: Look Out for the eBay Scam:
"The trick message arrived with a very official looking header featuring eBay's logo. It was signed 'Thank you, Accounts Management.' The text read: 'Dear eBay Member, We at eBay are sorry to inform you that we are having problems with the billing information of your account. We would appreciate it if you would visit our website, eBay Billing Center, and fill out the proper information that we are needing to keep you as an eBay member.' The 'eBay Billing Center' referenced was a link to a Web page asking for a credit card number, a social security number, and more. The message also contained an 'ebay.com' suffix, just as a real message from an eBay employee might."

As is often true in spoof messages and phishing efforts, the trick e-mail contained telltale signs that it did not come from eBay. The subject line of the message read "eBay Member Billing Information Uptade" with the word "update" misspelled. The text string "fill out the proper information that we are needing" also had suspicious syntax.…
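The link mismatch described above (a link labelled "eBay Billing Center" that leads somewhere other than eBay) is the one signal a mail filter can check mechanically. The following is an added example, not code from the PC Magazine article: it parses an HTML e-mail, extracts every anchor, and flags links whose target host is not under an assumed allowlist of the brand's real domains. The sample message is constructed to mirror the article's description; the look-alike host `ebay.com.billing-center.example.net` and the allowlist `EBAY_DOMAINS` are assumptions for the demonstration.

```python
"""Flag links in an HTML e-mail whose target host is outside a brand's
legitimate domains.  Added example; the sample message is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of domains the brand really sends its users to.
EBAY_DOMAINS = ("ebay.com",)

# Constructed sample: spoofed ebay.com sender, the "Uptade" typo, and a link
# labelled "eBay Billing Center" that actually points at a look-alike host.
RAW_MESSAGE = """\
From: Accounts Management <billing@ebay.com>
To: member@example.org
Subject: eBay Member Billing Information Uptade
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear eBay Member, We at eBay are sorry to inform you that we are having
problems with the billing information of your account.</p>
<p>Please visit <a href="http://ebay.com.billing-center.example.net/update">
eBay Billing Center</a> and fill out the proper information.</p>
<p><a href="https://www.ebay.com/help">Help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def host_is_under(host, domains):
    """True only if host equals an allowed domain or is a subdomain of it.
    A naive substring test would wrongly accept 'ebay.com.billing-center.example.net'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(raw_message, allowed_domains):
    """Return the links in the HTML body whose host is outside allowed_domains."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    flagged = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if not host_is_under(host, allowed_domains):
            flagged.append({"href": href, "text": text, "host": host})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_links(RAW_MESSAGE, EBAY_DOMAINS):
        print(f"link text {hit['text']!r} points at {hit['host']}: {hit['href']}")
```

The suffix check in `host_is_under` is the important detail: matching on "contains ebay.com" would let the constructed look-alike host through, while matching on the registrable domain and its subdomains rejects it and still accepts `www.ebay.com`.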

http://www.pcmag.com/article2/0,4149,1402431,00.asp

News: Antispammers again targeted by worm:
"Antispam organizations are the target of a new Internet worm outbreak that tries to knock them offline with a crippling data barrage, computer security experts said Tuesday.

Virus experts believe the worm, W32/Mimail-L, is the work of a vengeful spam e-mail peddler bent on paralyzing organizations that try to deal with spam, the torrents of get-rich-quick schemes and body-enhancement deals that clog in-boxes daily.

'It's the third Mimail variation to come after us, except this one is trying to do more,' said Steve Linford, founder of The Spamhaus Project, a British-based group that singles out spammers. Spamhaus was hit by Mimail late Monday."

According to anti-virus and spam-filtering company Sophos Plc, the Mimail-L program comes as an attachment to an e-mail purporting to be from a woman named Wendy who details an erotic encounter and then offers naked photographs.

Clicking on the attachment activates the virus. Once triggered, the worm forwards itself to other e-mail users.

The worm can also turn the affected PC into a "zombie," which can then be remotely commanded to bombard one of a select group of targets, such as Spamhaus, with a disabling blizzard of data--a so-called denial-of-service attack.

In a new twist, a follow-up e-mail is sent to the infected user stating that an order for a CD containing images of child pornography will be delivered to their postal address.

To stop the order, the e-mail advises, they should respond to what appears to be an e-mail address for billing complaints, but which is actually an e-mail for one of the eight targets.…

http://zdnet.com.com/2100-1105_2-5112997.html

Wednesday, December 03, 2003

'Critical' IE Security Warning Released:
"A Chinese security researcher has warned of five serious vulnerabilities in Microsoft's Internet Explorer browser, warning that a successful exploit could lead to system takeover.

Liu Die Yu released details of the flaws on the Bugtraq mailing list and issued a warning that the vulnerabilities could lead to system access, exposure of sensitive information, cross site scripting and security bypass.

Yu also released proof-of-concept exploits on the popular mailing list, noting that the flaws affect Internet Explorer versions 5.0, 5.5 and 6.0."

Independent security consultant Secunia has rated the flaws 'Extremely Critical' and urged IE users to disable Active Scripting as a workaround until Microsoft issues a fix.

The flaws relate to a redirection feature in the browser that uses the "mhtml:" URI handler. The researcher warned that it could be exploited to bypass a security check in Internet Explorer which normally blocks web pages in the "Internet" zone from parsing local files.

Yu said the redirection feature could also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone, he explained.

The security alert also included a cross-site scripting vulnerability that could allow a malicious attacker to execute script code in the security zone associated with another Web page if it contains a subframe.

A variant of a previously fixed flaw can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge, the researcher explained.

Microsoft late Wednesday confirmed it was investigating Liu's warnings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," said Stephen Toulouse, Security Program Manager, Microsoft Security Response Center.

Toulouse told internetnews.com Microsoft would take the "appropriate action to protect our customers" and hinted that a fix could come via an out-of-cycle patch, depending on the seriousness of its findings.

He said Microsoft was concerned that Liu's warnings were not disclosed responsibly, potentially putting computer users at risk. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," Toulouse declared.

In the interim, Toulouse is recommending that IE users install the cumulative patch issued earlier this month (MS03-048).…

http://www.internetnews.com/dev-news/print.php/3114171

Tuesday, December 02, 2003

Webmasters Wary of Latest Google Tweaks:
"Some sites have fallen from high rankings to the nether reaches, while others have gained better slots. While such shifts are nothing new, this time around some observers say it appears that Google is trying to penalize sites using the most aggressive search-engine-optimization techniques with keywords and links to rank well on Google results."

The problem is that along with these abusers of search engine optimization, many more innocent sites have fallen as well, said Barry Lloyd, CEO of Clogher, Ireland-based search-engine marketing company Microchannel Technologies Ltd.

"It's gone from a Google love fest to some of the most vitriolic attacks I've ever heard," he said of the reaction to the latest tweaks. "My genuine belief is that there's been too much collateral damage. A lot of people not deliberately gaming the system have been affected."

Google, as a matter of policy, does not discuss changes to its search engine algorithm. A spokesman said that the Mountain View, Calif., company regularly tweaks its algorithms to improve the relevancy of search results.

"This is why it is common to see movement in the ranking of sites on Google search results pages," he said.

It remains to be seen to what extent the common user of Google has noticed the shifting positions of sites in search results. Search-engine marketers and optimizers readily admit that they watch the results with hawk eyes, noticing the slightest shifts in rank.

To Danny Sullivan, editor of SearchEngineWatch.com, the current spate of debate filling Webmaster and search-engine message boards is part of the regular cycle of complaints that follows a Google change. Quantifying whether the latest shifting is producing better or worse results is difficult since the results vary depending on the search query.

"If your job is to optimize a site for a particular term, then you know intimately what site comes up for that term," Sullivan said. "For a typical Google user, they probably won't notice anything."

Along with link tricks, some sites and search-engine optimizers have created doorway pages. The pages are designed specifically for search engine spiders indexing Web pages and are optimized to match coveted keywords. They are often invisible to actual users or appear as a quick introductory page that leads into the main site.

"(Google) had to come up with a way of overcoming the gaming of their algorithm because it was becoming so corrupted," Lloyd said.

In the course of combating techniques that Google and others consider search-engine spam, Google's algorithm changes also appear to have caught other sites in the crosshairs, Lloyd said. The changes appear to be affecting the rank of commercial-oriented search terms the most, ones where over-optimization is often common, and to be hurting sites that use a given keyword term frequently in the site or in the domain, Lloyd said.

At the same time, Lloyd and others have noticed that the results for some search terms seem more focused on directory listings or non-commercial sites rather than commercial sites. In one example, Lloyd tried searching for "Web design Calgary," expecting to find Web design companies in Calgary, Canada. Instead the first result was the site for the Calgary Flames hockey team.

More than anything, the most recent brouhaha over Google algorithm changes points to the danger of relying too heavily on search-result positioning for one's business, experts say.…

http://www.eweek.com/print_article/0,3048,a=113607,00.asp

News: Flaw in Linux kernel allows attack:
"The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-source software project's development servers.

During several intrusions Nov. 19, the flaw enabled an attacker who already had access to a server to remove the limitations that protected the system from everyday users. The technique is known as a privilege escalation.

Members of the development team found the flaw in September and fixed the latest version of the core Linux software, or kernel. The fix came a bit late, however. The latest version of the kernel, 2.4.23, was released Friday, eight days after the Debian breach."

The unknown attacker compromised at least four servers. The systems--known as Master, Murphy, Gluck and Klecker--had maintained the open-source project's bug tracking system, source code database, mailing lists, Web site and security patches.

The attacker gained access to one of the systems by compromising a developer's computer and installing a program to sniff out the characters typed on the developer's keyboard, according to a postmortem analysis the team published Friday. When the programmer logged into the Klecker system, the attacker recorded his password.

Using the September flaw, the attacker gained owner privileges on Klecker. This is frequently referred to as "owning" the system. The flaw--in a part of the kernel that manages memory--allows only users that already have access to the system to raise their privileges. Such flaws are less critical than vulnerabilities that give an outside attacker access to a server and so are fixed less quickly.

The attacks are the latest leveled at open-source software. In early November, an attacker attempted to corrupt the Linux kernel with a coding error that would have created a flaw similar to the one that affected the Debian Project. A year ago, malicious attackers placed spyware into a popular open-source tool, Tcpdump. Several other known attacks have also been executed against other open-source projects.

http://zdnet.com.com/2100-1104_2-5112427.html

Economy & Business: I.R.S. Set to Resolve Disputes Online:
"The I.R.S. is testing a system called Electronic Account Resolution with a handful of tax professionals. Lawyers, accountants and enrolled agents - a kind of preparer who is authorized to represent taxpayers before the I.R.S. - will be able to use the system; they can go online now to register. But individuals and other paid preparers will not have access.

James Leimbach, an enrolled agent in Panama City, Fla., who is one of the testers, is enthusiastic. 'Through a simple three-step process,' Mr. Leimbach said, 'I will be able to electronically access my client's tax records and then resolve problems.'

Under the present nonelectronic system, tax professionals must show the agency a power of attorney from the taxpayer before the I.R.S. will talk to them. While I.R.S. clerks will sometimes accept a faxed form, getting approval to represent a client can take days."

With the new system, a taxpayer fills out the power of attorney form and gives it to the tax adviser. Then the adviser logs on to an I.R.S. computer, using a secure Internet connection, punching in the client's adjusted gross income from any of the three previous years, the year of the return and the taxpayer's birth date. The taxpayer also gives a self-selected personal identification number.

"You get disclosure authorization almost instantly," Mr. Leimbach said. Immediately, a request can be made for the taxpayer's records, known as a transcript.

"Typically, getting a transcript took 5 to 10 days when ordered through the mail," he said. "With the new system, I will be able to pull transcripts up electronically."

Such speedy gathering of information and problem resolution - in contrast to hours or days of work - should hold down the fees taxpayers pay their advisers.

At first, the system can be used to resolve simple problems, like tracing payments, tracking refunds and entering into installment agreements to pay taxes.

The agency has not begun to work on more complex problems, like proposals to settle a tax debt for less than the full amount…

http://www.nytimes.com/2003/12/01/business/01taxx.html

News: Sobig lingers despite shutdown date:
"Sobig is still rampaging around the Internet, two months after the virus was supposed to have terminated itself."

E-mail security firm MessageLabs said Friday that Sobig was the third most active virus in November, with some 264,000 copies being detected by its e-mail virus-scanning servers.

Although this activity is well below the virus's peak, it is still surprising, as Sobig--like several other members of the Sobig family--contained a built-in shutdown date that was supposed to prevent it from propagating after Sept. 10. Sobig.F's continued proliferation is due to a combination of factors, including the successful efforts that prevented it from wreaking even more havoc and the fact that many PCs are set to the wrong date, according to MessageLabs.

http://zdnet.com.com/2100-1104_2-5112207.html

Score one for the spammers: CAN SPAM bill to become law - TechUpdate - ZDNet:
"For the umpteenth time: Anti-spam laws are a bad idea as long as they're written by those out of touch with the underpinnings of Internet e-mail. For example, writing into law anything that ventures down the path of 'opting out' (short-hand for 'optioning out,' deselecting, or unsubscribing yourself from membership in a mailing list) --- which CAN SPAM does --- creates a virtually unenforceable law since there are a million and one reasons (most of which would not be due to negligence on behalf of mailing list operators) that an opt-out mechanism may not work at some given point in time. Before opt-out language can be included in a law, there needs to exist an opt-out standard under the guise of what I call a relationship termination protocol over which dissimilar email clients and servers can interoperate. "

Perhaps you think I'm on the lunatic fringe, an ultraconservative who refuses to see the good in legislation that clearly has the welfare of the spam-afflicted in mind? OK, ignore me. But don't ignore the following warning, reported in a recent CNET News.com story about the CAN SPAM bill, that was sent from the National Association of Attorneys General to Congress: "The bill creates so many loopholes, exceptions, and high standards of proof, that it provides minimal consumer protections and creates too many burdens for effective enforcement...We respectfully request that you not move forward."

Lack of enforceability has been my main point all along and it's refreshing to see the very folks chartered with upholding the CAN SPAM bill saying to Congress "Hey, you're all off your rockers if you move forward with this law." Still not convinced? Assuming that the law's effectiveness is dependent on the fact that all evil spammers fall within its jurisdiction (a very bad assumption considering the mounting tide of spam from China and South Korea), then you, as a concerned Netizen, should consider its definition of spam. To the relief of e-mail marketers everywhere, spam will not be the first unsolicited commercial email you get from someone you consider to be a spammer. It's one of the subsequent ones. That's right. It's the second, third, fourth, or later one and it is only such if, after receiving the first one, you issued an objection according to a method the sender, not you, says you are permitted to do so (the vaunted "opt-out" for which no standard method exists and no auditable test for proven functionality has been created).

Are you getting ill yet?

Despite the fact that the Attorneys General will be reluctant to expend the resources necessary to prosecute given the loopholes it envisions, Senators Burns and Wyden cited the financial implications in their declarations of victory. Sen. Ron Wyden, D-Ore., said that "when this bill takes effect, the big-time spammers who up until now have faced virtually no penalties will suddenly be at risk of criminal prosecution, (Federal Trade Commission) prosecution and million-dollar lawsuits." Sen. Conrad Burns, R-Mont., said: "In cases where e-mail marketers don't comply with the CAN-SPAM bill, the penalties are very severe...Spammers are actually on the hook for (per e-mail) damages, with a cap of $2 million."

Newsflash. The big time spammers --- at least the ones who are intentionally sidestepping all sense of Internet decorum in order to invade the sanctity of your inbox --- have about a hundred dollars in their checking accounts--collectively. It was only about six months ago, at the now infamous Federal Trade Commission three-day workshop on spam, that we heard from several Attorneys General and Internet Service Providers about how their investments in certain investigations, indictments, prosecutions, and lawsuits were disproportionate to the final outcome: one or two bad apples (out of an ocean-sized apple orchard) with little or no money to their names shut down. My inbox didn't notice. Did yours? Despite efforts to publicly draw, quarter, flog, and hang the offenders, the rest of the orchard didn't appear to flinch. It may have yawned, though. We'll never know. They're a secretive bunch. It's not like they have offices on Madison Avenue.

http://techupdate.zdnet.com/techupdate/stories/main/Score_one_for_the_spammers.html