Michigan Enforces Do-Not-Email Registry Law

elanghe writes "The Michigan Attorney General filed suit against two companies sending adult-oriented email messages to the state's children, in violation of the Michigan Children's Protection Registry. A similar law in Utah is being challenged by the porn industry. While the FTC, influenced by the Direct Marketing Association, rejected the idea of a do-not-email registry, have these two states proven anti-spam laws like these — unlike CAN-SPAM — really have teeth?"

How does it work?

[telchine]

Does everyone in the world have to check these databases, or just if you're sending mail from inside of the US?

Re:The Love of Money

[thebdj]

What's there to challenge? A state makes a perfectly reasonable law that requires you to check an e-mail against a database of registered users who don't want that mail. Take some porn and go to your downtown local metropolis. Now hand out those pornographic pictures to everyone, young and old alike. See how long you can do that until you're arrested. Nobody challenges those laws, why the hell would anybody be able to challenge laws against people who randomly distribute lewd messages online? The least they can do is check if the person has registered not to receive them. Ohhh, that's right. Silly me, porn is a $10 billion dollar industry. They'll just throw money and lawyers at that problem to fix it.

Free speech? I do not see them slapping fines on people for unsolicited snail mail. And trust me, you can get a lot of that crap and getting addresses is really damn easy. Also, the article isn't clear about the Utah law. It could be using those nice, vague terms that make the law unenforceable and could even target e-mail that was solicited. Remember, people sometimes identify items as spam that really are not.

I'm sure that if you start hitting these companies with $10,000 fines per violation that they would pay attention to the list. And if they stole it, it's all the more fines.

The problem is that a lot of the real spam companies are outside the US. It is sort of hard to enforce US laws outside the US. If a spam company has no office, no location and no connection to the US, it will be hard to enforce. Also $10k per violation will be hard to uphold. If you charge that by millions of e-mails, companies will claim you are asking for unreasonable damages and the truth is you would. The damage caused per spam e-mail is minimal, and certainly not a $10k violation. This idea that the children are being hurt (the articles own words almost) is nothing more then a red herring.

I'm not sure how feasible that idea is, however. I would recommend just hitting the company that owns the last server to forward the e-mail. If they can't provide/prove another source from which the e-mail came, hit them with the $10,000 fine. I would wager that companies would be awful quick to clamp down their SMTP servers and keep records of where everything came from. Not only would this increase a company's security but it would reduce much of the spam you see that has a legitimate address from a careless company.

This only hurts ISPs. Watch the way an e-mail hops from router to router, point to point, on the "information super highway". Your statement almost screams, "I do not understand networks or the internet." This is unreasonable and puts blame on providers because of the actions of their users.

we should be thanking them...

[Mark19960]

Send these guys in Michigan a thank-you note for creating laws that have some bite.
Use Michigan as an example for your own politicians....

The feds cannot do it, they are too corrupt with big industry hanging dollar bills in their faces.
On the state level, its a little bit less corrupt and you actually have SOME chance of getting a
law against spam thru.

I just don't understand...

[MorderVonAllem]

...why everybody doesn't just whitelist. Sure some spam may get by but it removes 99% of it right off the bat. Everything that isn't on my whitelist isn't email I want in the first place.

Re:How does it work?

[porkmusket]

It works questionably, because no one HAS to use the database. There need to be clear and enforcable punishments for not using it in order to get people to use it. If a couple cases get attention and the spammers pay out, more suits could possible be filed, but obviously you'll have trouble suing some dude in Nigeria. Personally, as a victim of the whole Blue Security crap that ended up with a whole lot more spam after that DB was compromised, I am reluctant to sign up for these sorts of lists and would rather protect my inbox by being discrete about who I give email information to. It not's too much trouble to hit the 'junk' button on the mails that occassionally sneak past the filter in my opinion. However it's nice to see them trying. We suffered decades of phone abuse by solicitors before laws and structures were in place to prevent it, but that's still more of a domestic issue... doing the same thing with email is not going to be nearly as easy. At this point, I am not sure what can be done other than moving to challenge/response systems, which I plan on doing on my next email server.

Re:The Love of Money

[bhmit1]

More dangerous, he said, was the possibility that spammers might get hold of the list, which would provide them with a gold mine of valid e-mail addresses that would be used for more spam.

Then only distribute the registry as a set of hashes. Simply run a hash on the email you want to send to, and skip it if it matches a hash in the registry. This has the added benefit of making the spammers waste a little more cpu time before filling our inboxes.

I'm in Michigan

[Anonymous Coward]

At first when I saw this article I was thinking it was a good thing. I was even wondering if it could be extended to non-children.

But then I went and looked at the website ... as a potential business owner I have problems with it. It looks like I have to pay 7 tenths of a penny to check an email address. Let's say I have a list of 10,000 addresses, it is going to cost me $70 to check it? And that has to be done every month in case a new address matches.

And whose definition of obscene do we use?

And what child has a fax machine?

Re:The Love of Money

[Creepy]

bravo - I was going to post something much the same.

I think the only way enforcing a law like that would be to go after anybody in the US that is caught hiring offshore work for spam purposes. It would be hard to go after the pornographers unless they are the ones actually sending the spam because most of the time it's legal to create it where they are located. I seriously doubt that most porn mail originates in someplace like China or my spam box would be filled with Hot, Horny Asians just waiting for you - I'm pretty sure it's mostly outsourced from somebody in the US. I do get a few Russian, Asian, and Black e-mails like that, but 95% of them point to US sites tauting caucasian girls. Rarely do these get into my in-box (and if the filter catches them it blocks all links back to the site unless I release it to my inbox), but I sometimes lose legitimate mails like my Am-Ex bill (though I'm still messing with sensitivity settings)

Re:The Love of Money

[inviolet]

Then only distribute the registry as a set of hashes. Simply run a hash on the email you want to send to, and skip it if it matches a hash in the registry. This has the added benefit of making the spammers waste a little more cpu time before filling our inboxes.

Do you know where spammers get their CPU time?

Indeed, the future of the internet seems to be a war over computing cycles, in the same way that the snail world was (is) a war over energy. Well, the world mostly fights over real estate, but that is at heart a fight over two things: ease of access to energy, and living areas with low energy requirements.

In any case, they are fighting to pilfer CPU cycles, which are then directed towards the most profitable endeavor that spare distributed CPU cycles can be applied to: sending spam, blackmail DDOSing, etc. But that will change as more we'll-buy-your-CPU-cycles projects come online, SETI@home and BOINC being the pioneer of course. At that time, the owners of zombie networks may switch over from spamming to something more socially and fiscally constructive.

Sorry, I'm rambling. What were we talking about again? :)

Oh yeah, hashing the do-not-email list. How long could that thing take to get brute-forced? The entropy value of a typical email address is low: maybe 15 characters from a ~30-character charset? That doesn't seem like too hard of a thing to brute-force, if you're the owner of a big zombie network.

In fact I remember when somebody brute-forced the entire AOL userlist just by sending test pings to the AOL email server: AAAAAAA@AOL.COM, nope. AAAAAAB@AOL.com, nope. AAAAAAC@AOL.COM, nope.....