Lessig On Bounties For Spamhunters

An anonymous reader submits: "Digital rights (as in yours, not the RIAA's) guru Lawrence Lessig comes up with a Swiftian idea of how to fight spammers -- $10,000 for the first ubergeek to hunt the offender down. The column is at CIO Insight. Wonder if it'll reach its audience there."

How much...

[T3kno]

How much would I get if I blew up the building that housed hotmail.com?

Re:How much...

[Tackhead]

> How much would I get if I blew up the building that housed hotmail.com?

Nothing. The spam doesn't come from Hotmail. Spammers forge hotmail.com dropboxes into the headers, but typically spam through dedicated machines hosted by spam-friendly providers.

If someone were to go apeshit with a SuperSoaker full of saline solution in ELI.NET's or Level3's datacenter, for instance, your load of inbound spam would probably decrease substantially.

There are some "ISPs" allegedly in Mexico and Brazil (but hosted via US-based backbones) that are no more than spammer fronts.

Re:How much...

[Doppler00]

Probably 20 years to life in prison.

Re:How much...

[nizo]

I couldn't tell from the article, do I have to bring the whole body in to collect, or is the head sufficient?

Re:How much...

[fliplap]

Translation: I got owned by some 10 year old with netbus who stole my geocities password and replaced pictures of my wife with pictures of tranvestites.

well, it's a start

[Em+Emalb]

but it will only catch the stupid ones. The "smarter" ones, and I use the term loosely, will endure.

Re:well, it's a start

[Vinum]

Hmm... that kind of gave me a crazy idea.. but I am sure a lot of these spammers are also into credit card fraud. A corporation like VISA could collect spam and use a dummy credit card number that would validate normally... except that instead of them getting a check with money at the end of the month... the companies ability to clear cards through visa would be revoked. Furthermore, if the government would just make spam a freaking crime... this would be a nice way to bust the people doing this stuff..

Because face it, most of these spammers are located in America even if they are going through Chinese relays and such.

I am sure someone will reply to this and give me 10 reasons why this will never work. But either way, its fun for discussion. :)

Take a lesson from astronomy

[PD]

The first one to find a spammer gets to name it. Well, maybe not such a good idea after all...

The opposite is needed

[PD]

For a period of one month, all filters on spam and spam hunting should be suspended. Part of the problem is that anti-spam activities are masking the true magnitude of the problem. A wake-up call is needed. When people realize just how much spam is being sent out, the villagers will take to the streets with pitchforks and torches.

Re:The opposite is needed

[taernim]

In a related story:

tired of spam?
we am sure you are too! my government has agreed to pay the sum of $34,004,267 to help you fight these spam persons. yes, it sounds much too good. but yes, this is truth. if you would like to join the fight, we only need your bank routing number and complete address. we will soon win by helping you help us help you.

(Check out this article if you somehow miss the irony...)

Privacy implications are dire

[I+Am+The+Owl]

Why the sudden turn around in Slashdot rhetoric?

I can see the sense in promoting our rights to privacy online, as michael and timothy (bless them) are wont to do, but then we see a sudden reversal. Sure, I guess it's a real pain when spammers send hundreds of unwanted messages over the Internet every day, but is offering a bounty to rob them of their right to privacy really the answer? This is just the government turning citizen against fellow citizen in a foul ploy to get us to turn in our rights to online privacy. Let's look at what's happened so far:

• Spammers send spam
• Geek gets pissed, deletes spam

Now that isn't that terrible, is it? Do we really need to go out and promote a database state and tie together all a person's Constitutionally private information into one big heap of spying and ratting out? I dislike spam as much as the next man, but I draw the line at violating others' online rights. It's a line nobody should be willing to cross.

Re:Privacy implications are dire

[Lord_Slepnir]

What about my rights to not have my inbox clogged up with offers for inkjets and penis enlargements. 10 spams a day is an annoyance, but my university account gets 50-60+ a day if i turn off the spam filters. So now not only do i have to configure my spam filters on my mail server and waste CPU time and disk space, (I know that they're small, but my mail server is a P/166 that i got for $30, so every bit counts) but I have to figure out which ones of the few that get through are legit and which ones aren't.

It wasn't so bad before, with spammers being blatent, but now that they are using more under-handed by disguising their addresses and subjects to look legit. Do you know how many times I've opened an e-mail that has a subject as just "hi" or "a quick question" and having some really disgusting porn pop up on my computer.

In short, a spammer does have a right to free speech, but that right ends where my right to not be harrassed begins. (yes, i know that the right to not be harrassed isn't a constitutionally protected right)

uhh, missing something here

[Telastyn]

from the article:

But at least with the spam problem, there is a much simpler solution that, so far, Congress has failed to see. Imagine a law that had two parts--a labeling part and a bounty part. Part A says that any unsolicited commercial e-mail must include in its subject line the tag [ADV:]. Part B says that the first person to track down a spammer violating the labeling requirement will, upon providing proof to the Federal Trade Commission, be entitled to $10,000 to be paid by the spammer.

From California Spam law:

(g) In the case of e-mail that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, the subject line of each and every message shall include "ADV:" as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age and older, the subject line of each and every message shall include "ADV:ADLT" as the first eight characters.

and

(f) (1) In addition to any other action available under law, any electronic mail service provider whose policy on unsolicited electronic mail advertisements is violated as provided in this section may bring a civil action to recover the actual monetary loss suffered by that provider by reason of that violation, or liquidated damages of fifty dollars ($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day, whichever amount is greater.

Very similar...

Re:uhh, missing something here

[Alsee]

($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day

That part of the law is severely broken. They hit the $25,000 cap after the first 500 spams per day. The bigger spammers send MILLIONS of spams per day. At 1 millions spams per day the fine is 2.5 cents per spam, and at 10 millions spams per day the fine is one-fourth of a cent.

As they can crank up the volume of spam the fine approaches zero. The fine becomes an acceptable cost of doing bussiness.

Before anyone replies to point out the phrase "whichever amount is greater", that phrase reffers to proving "actual monetary loss suffered" which aint gonna happen.

-

First Caught Spammer

[DarkHelmet]

I have a bunch of female friends that forward letters endlessly to the point that they're no longer my friends. I'd love to put one of their heads on a stick and turn them in for 10k. Do they count? :)

This problem cannot be solved!

[FreeLinux]

The thing is that SPAM works! If it wasn't profitable no one would bother with it but, it is profitable. Highly profitable! So long as people keep buying from spammers spam will continue to infest the internet.

Just like the Nigerian money scam, so long as people continue to fall for it, it will continue to circulate. Blacklists and other technology solutions will never be able to keep out all the spam. Legislation will never be effective against it. The only way to make it die is for people to stop buying from it and so far, it seems that there are far too many people who are insecure about their penis size for the spam to stop.

Re:This problem cannot be solved!

[Alsee]

The problem with spam is that the cost is basicly zero per-message. $X to send Y pieces of spam, X divided by Y works out to zero point zero cents per spam.

The only way to make it die is for people to stop buying from it

Not possible. Spam works at a response rate of 1 in 10,000. The general population contains a far higher rate of mental illness, senility, and retardation, not to mention just plain gullibility and stupidity.

To to missquote something P.T. Barnum never said,
The internet: a million suckers log on every minute.

It seems to me that the only solution will come by a switch over to a new E-mail system that can link a non negligible co$t to all E-mail, or just to offending E-mail. This could be done with crypographicly signed "stamps".

Would you be willing to attach 2 cents to each E-mail where the recipient of the mail gets the money? Send mail to your friend and he gets 2 cents, he send you mail and you get the 2 cents back.

The other proposal I saw has much more expensive stamps, from 32 cents up to a few dollars. In that plan you you can keep re-using your stamps unless the recipient "redeems" the stamp. The idea is that it is generally "rude" to redeem a stamp. If you get legitimate mail from a friend or stranger you do nothing and it costs the sender nothing, if you get spam or otherwise offensive mail you click a button to redeem the stamp and the sender is out the money.

-

it's a stretch to claim that spam is a right

[keithmoore]

I don't think that spam is a right any more than driving around in a loudspeaker-laden truck that is playing incessant advertisements in the middle of the night is a right. and I don't think that spammers have any more right to privacy than others who disturb the peace or engage in petty theft. the public has a greater interest in having the names of accused be in the public record than in keeping their names secret. (this actually helps discourage false accusations by the government)

having said that, it's also clear that having a way to identify the source of a potential spam would create serious privacy concerns - what's to stop that method from being used to identify the source of any email? nor does "identifying the spammer" seem to be as useful as "marginalizing the spammer" - i.e. making sure that spammers are likely to have to pay so dearly that it's not profitable for them. strictly speaking, we may not need to identify them to achieve this result.

so what we really need is a way to marginalize real spammers without sacrificing others' privacy rights in the process.

RBL bad?

[phriedom]

I don't understand his objection to the RBL. It has checks and balances. It is democratic. Use of the RBL is volentary. It doesn't involve expensive court actions or investigations paid for by taxpayers. It takes no direct action. But if you don't play nice, then others may choose not to play with you. If you don't self-police, others stop listening. Its quite a stretch to say that "restricts the freedom of email" and that it has not "done anything except make e-mailing more difficult." The RBL sure hasn't made my emailing more difficult or restricted my freedom.

I think good laws would add to the effectiveness of the RBL, don't get me wrong. But to hear the spammers tell it, the RBL has made their cost of business much higher, so I wouldn't say it is a detriment.

Here's MY deal.

[unicron]

"Alright. I'll kindnap him for 50, deprogram him for 50, and I'll kill him for 100!"

"No, just the first 2!"

"Alright, I'll throw in the killin' for free."

What an asshole

[Gruturo]

Once added to the list, there is no way to appeal the blocking or to fight such policies

This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea.
I inadvertedly ran an open relay and quickly ended up on Ordb, and rightfully, I might add. My mail server logs had this nice explanation given in the error message from other servers, complete with a helpful link explaining how to fix and get delisted (fix your server, resubmit its IP for checking, get automatically removed).

3 hours and a sendmail.cf later I was back with the good guys, and had this nice warm feeling :-)

Re:What an asshole

[hysterion]

Once added to the list, there is no way to appeal the blocking or to fight such policies

This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea. I inadvertedly ran an open relay and quickly ended up on Ordb [ordb.org],

This is out-of-context, selective quoting, and you know it, since right after this he continues with: ``Sometimes, the spam vigilantes offer people a way to appeal, but not always. Spews.org, for example, blocks without any appeal allowed.'' So,

• He does nuance his assertions. You `exaggerate and distort' them.
• He's talking about Spews.org, not Ordb.org.

Ferguson vs. Friendfinder

[Animats]

There is an attorney trying to collect using California's anti-spam law. The case has been all the way to the California Supreme Court, and is now back at the trial court level. This case has been going on for over two years now, and the plaintiff hasn't collected yet. But they will.

Lessig needs someone to whack him with a cluestick

[silentbozo]

Read the article. The 10k bounty for not labeling spam as spam isn't what you should be paying attention to. It's his attack on volunteer efforts to block spam relays, whom he calls "spam vigilantes", in the worst sense of the word. Essentially, he says that efforts to blackhole servers (presumably, because the admin of that server also needs to be whacked repeatedly with a cluestick) do more harm than good, and that we should just use filtering.

The 10k bounty is supposed to convince spammers to label their spam so we can effectively filter it.

Finished laughing? Let's dissect his thinking, shall we? He says we can handle spam just by making sure the spammers label it. This is the thinking behind a lot of bad legislation - it legitimizes it, instead of eradicating it. Second of all, he implies that vigilantism can work with government (finding spammers who don't comply with the ADV: rule) to fix what vigilantism by itself (blacklists) cannot do. Well, blacklists are meant to eliminate spammer havens - and we have plenty of anti-spam people hunting spammers as it is, FOR FREE. What the hell does he think 10k is going to do, if all the bounty-hunter does is turn the spammer's info over to the government? I mean, the FTC doesn't do much to the existing fax-spammers who are in violation of federal law. (The fax.com lawsuit was filed by a private individual, the FTC just levies paltry fines.) Or worse, what is the US government gonna do to foreign spammers who don't comply with our "label law"?

Essentially, Lessig says we should discard our current system of blocklists and anti-spam tech, in favor of simple client-side filters and a federal mandate to label spam, with a bounty to catch anyone who fails to label their spam. The threat is so feeble, and the undeserved side-effects so beneficial, I'm sure that spammers will love this idea.

Re:True

[AndroidCat]

Umm, that's not a good idea. Just who are you going to reply to? Spammers tend to forge headers for a reason. If the spam "payload" was a URL link in the body rather than a dropbox in the From or Return-Path, you've just sent an unsolicited email to whoever the spammer wanted to abuse. (Also known as a "joe-job".)

It's about consent, not content!

[Erik+Fish]

So much for "Lawrence Lessig: Superlawyer". Doesn't he realize that by the time his little idea gets passed into law it will have morphed into the Direct Marketing Association's wet dream?! Even the original is a law that fully legitamizes spam! Does anyone think that the $10k fine will make it through? Even if the figure itself is still around there's no chance of anything resembling teeth being left in it!

So what if it forces a majority of the spammers into using the [ADV] tag in their Subject headers? What is that going to accomplish? Yes, most ISPs will instantly block anything with [ADV] in the subject header but the spammers will still be using bandwidth to bounce endless waves of spam off of your filters in an attempt to get at the remaining mail servers which don't filter for one reason or another!

Beyond that, an [ADV] flag is content. As the subject of this post points out: The fight against spam needs to be firmly grounded in a lack of consent -- not the slippery slope which any argument based on content quickly becomes!

It's not enough money

[herbierobinson]

It can't be just the first one. It has to be a bounty to everyone who tracks the spammer down and take them to court. Otherwise, it just wouldn't pay to do it. A better scheme:

1. Allow anyone to take spammers to small claims court for around $2K.

2. Make the person selling whatever is advertised in the spam be responsible for unless they are willing to file a criminal complaint against the spammer.

3. Explicitly make is illegal to advertise someone else's product without authorization (it's probably already illegal...). This is to enable #2.

4. If an ISP cannot identify the spammer, the ISP must pay the fine. This may already be the case, but making is explicit would help.

Just my 2 cents

[grahamsz]

Brings a whole new meaning to that phrase