The internet "annoy" law - issues analysed

This appeared on 11 January. The article contains some helpful analyses against constitutional issues for you guys in the US.

<snip>

Q: If the "intent to annoy" law already was on the books for phone calls and hasn't been a problem, why should I be concerned?

There are two reasons. First, criminalizing anonymous annoying phone calls is a lot different from criminalizing anonymous annoyances on the Internet. Phone calls are a one-to-one communication to a specific person; blog posts generally are not.

Second, it's worrisome that the U.S. Congress chose to expand the scope of the existing law to the Internet. Instead, they should have limited it to comply with the First Amendment.

</snip>

http://news.com.com/FAQ%2BThe%2Bnew%2Bannoy%2Blaw%2Bexplained/2100-1028_3-6025396.html

I'm no lawyer so that's just a guess.

Trouble is, it's dead easy to spoof e-mail headers and hide the source IP. There are proggies that can do it which render tracking software more or less useless. Spoofing techniques also make it pointless to open up the header in order to try analysing the route back to source - it can be done manually too. That's why the "Out of Office" utility in Outlook is unable to deliver the Out of Office message back to the sender of a spammer e-mail.

A real pisser.

Edit - slight clarification

The way SMTP (simple mail transport protocol) works is that each step along the way headers are added. Unless the spam came directly to you from the spammer's system (which is highly unlikely) you can trace back the e-mail to its source SMTP server. The problem is many SMTP servers are totally unprotected and thus anyone can bounce mail from them.

It is not impossible for these servers to be made secure enough that the SMTP server can only be accessed by local or trusted sources. This would mean it would be possible to trace an email all the way back to its source without doing anything more than changing the config of the SMTP server.

For example:

The spammer's machine creates a spoofed email and uploads it to an SMTP server. That SMTP server recognises the connection as coming from a local indentifiable source. The SMTP server then appends its own header (usually a timestamp with the SMTP server's name) and passes it on to another SMTP server, which does the same, recognising the SMTP server as a trusted identifiable source and adds its own header.

So the mail gets to your mailbox with a string of attached SMTP server headers that the spammer had no control over. By tracing back to the first SMTP server, then matching the message with the server logs, the source can be identified.

The only thing stopping this from happaning right now is that many of those SMTP servers do not care where email comes from, so if you trace it back to the first SMTP server it may not know where the email orginated.

However, thanks to spam most major ISP's are making sure their SMTP servers are tracking where mail comes from, and thanks to services like spamcop those that aren't are quickly being identified and quarantined.

But guess what - as spam slowly becomes impossible, so does truly anonymous email. Sooner or later every email will have a return to sender attached to it that no-one can spoof without admin access to the orginating SMTP server, and then THAT server becomes the suspect. Anonymous email is just about a thing of the past.