There is no use to attempt to find legal fixes for massive spam and other flooding attacks. The spam sources will simply move out of U.S. and will start loading international circuits with their crap. I.e. the legal cure will only make spam even more annoying, but won't stop anybody. Why won't we concentrate on doing technical solutions? Fortunately, it is relatively easy to get rid of the flooding attacks by reducing their effectiveness to nothing. The solution is source address filtering at edges, to relieve attackers from the benefit of forged source addresses, and reverse lookup authentication in MTAs -- just do not accept any mail coming from an invalid source address, or source address not corresponding to what is in Sender, Reply-To or From field. That will arguably break some setups (for example, when outgoing mail leaves hosts directly, but return mail comes thru a centralized server); but that can be fixed. That scheme is obviously not bullet-proof, but neither are locks on the doors. They do deter crime, though. BTW, the e-mail sender address authentication would also do wonders for non-flooding variety of spammers -- getting tons of angry mail from the targets of the spam does have some effect. Also, it gives ISPs ability to identify abusers, and create a black list of people not to have any business with, and a legitimate reason to refuse service to them. There's a historical precedent in doing source address authentication which initially broke service for a lot of peple, but ultimately made Internet a saner place -- the FTP archive at UUNET at some time started requiring that reverse DNS lookups should provide correct names. Oops -- nobody with broken reverse zones could access it. Now, the question is how to make people to actually implement it. I guess the big providers should consider it in their best interest -- or they'll eventually get politicians and lawyers on their heads. --vadim