On Wed, 21 Aug 2002, Gary E. Miller wrote:

:Then how do you account for all the lawsuits? MAPS would love to hear
:you say they have no legal problems. The CA and WA legislatures that
:passed laws defining and banning spam would love to hear you as well.

The lawsuits were against the solution providers, not against the spammers. In the few cases where there were lawsuits against spammers, it was a civil suit, as there isn't an existing legislative solution that spans more than a few jurisdictions.

California and Washington may seem like important jurisdictions, but not compared to .kr, .cn, .ru, .br, .mx, or even .ca.

:I set up a lot of help desks, online shopping carts, etc. White lists
:do not work in those roles. The mail is just too all over the place
:and telling a boss that he is only losing a few orders or losing a
:few customers due to a white list is not an option.

I do IT security incident response for about 60k people, 45k hosts, their AV gateways, IDS's and firewalls and I can assure you, spam is a security problem. Security as a discipline is uniquely positioned to articulate solutions to spam.

Read the tmda.net site. Read the FAQ and the README files. Mail isn't lost, it is queued. See myprivacy.ca for an example of how it operates.

The system works as follows:

Sender sends message to recipient.
Recipient's MTA/MUA checks to see if they are a registered recipient.
If yes, mail is delivered.
If no, mail is queued, and a confirmation asking if they are a legitimate correspondent is sent to the sender.
The sender responds with the confirmation ticket, and is whitelisted.
Queued mail is delivered.

Now, the confirmation message will also include a policy stating that UCE, solicitations and all the other crap that people associate with spam are not to be sent to this address and by returning this message you accept this policy.
It doesn't matter even if someone comes up with a way to autorespond to this message, as if they violate the recipient's policy, they are committing unauthorized access, theft of services etc.

What TMDA-like systems do is escalate a problem that engineering and regular expressions do not have the adequate breadth to comprehensively express, into a question of policy, where the conceptual and legal tools already exist.

What this doesn't cover is everything that AV gateway filters do, but that's another story.

:Policies do not define crimes, Common Law and Written Law do.

There is a reason why there have to be notices that unauthorized access to systems is prohibited in /etc/motd in any government system you access. It is so that there is no legal ambiguity when someone gets caught hacking and the case shows up in court.

Ask any CISA, CISSP, computer forensics specialist, or anyone else who deals professionally in information security, and they will tell you, that if you don't have a policy, you will have trouble convincing anyone a crime has been committed.

--
batz
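
The queue-and-confirm flow described in the message above, as an added example that is not part of the original post and is not TMDA's code. The class and method names are hypothetical, and deriving the confirmation ticket from the sender address with an HMAC is an assumption of this example.

```python
import hashlib
import hmac


class ChallengeResponseGate:
    """Holds mail from unknown senders until they return a confirmation ticket."""

    def __init__(self, secret: bytes):
        self.secret = secret          # recipient-side key, never sent to senders
        self.whitelist = set()        # confirmed sender addresses
        self.queue = {}               # sender -> list of held message bodies

    def _ticket(self, sender: str) -> str:
        # Assumption: the ticket is an HMAC over the sender address, so a
        # ticket issued to one sender cannot confirm a different sender.
        mac = hmac.new(self.secret, sender.encode(), hashlib.sha256)
        return mac.hexdigest()[:20]

    def receive(self, sender: str, body: str):
        """Return (status, ticket). ticket is set only when a challenge is sent."""
        sender = sender.lower()
        if sender in self.whitelist:
            return ("delivered", None)
        first_contact = sender not in self.queue
        self.queue.setdefault(sender, []).append(body)   # queued, not lost
        # One confirmation request per sender; later mail just joins the queue.
        return ("queued", self._ticket(sender) if first_contact else None)

    def confirm(self, sender: str, ticket: str):
        """Whitelist the sender on a valid ticket and release their held mail."""
        sender = sender.lower()
        expected = self._ticket(sender)
        if not hmac.compare_digest(ticket.encode(), expected.encode()):
            return []                 # wrong ticket: mail stays queued
        self.whitelist.add(sender)
        return self.queue.pop(sender, [])


if __name__ == "__main__":
    gate = ChallengeResponseGate(b"constructed-demo-key")
    status, ticket = gate.receive("Customer@example.com", "order #1")
    print(status, ticket)                                   # queued + ticket
    print(gate.receive("customer@example.com", "order #2"))
    print(gate.confirm("customer@example.com", ticket))     # both released
    print(gate.receive("customer@example.com", "order #3")) # delivered
```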