Slashdot Mirror
Can A Bounty System Cure Spam?
dankinit writes "The FTC is considering a proposal made popular by Lawrence Lessig which would offer a bounty to people who help catch spammers. The proposal looks to harness the power of volunteers online who might want a piece of the multimillion dollar fines spammers could incur. Spamhaus founder Steve Linford doesn't like the idea though, explaining '...the FTC already has so much information on their identities that to get anymore would be useless.'"
We know who is spamming us. Afterall, the spam message needs some sort of e-mail address or web address so that the fools can respond, so you just have to follow the money trail to get back to the spammer.
The problem is that the worst these people are setting themselves up outside of US jurisdiction, so that FTC and company just can't get to them. Any spammer who doesn't is excessively stupid. There's nothing that the US courts can take from them... and I just don't think offering 20% of $0 is going to do much anyway.
Bottom line is that this plan doesn't connect. As much as spam annoys us, the US Government just can't do anything about it because it's a worldwide problem. On the Internet, if one jurisdiction doesn't like what you're doing, you just need to find another who will accept you.
Spam just needs to be made illegal in all countries and investigated like any other international crime (e.g. extrodition orders, sharing of information across borders, copperation on investigations).
Why we need a different mechnism for capturing these Spam criminals is beyond me.
----
Well, he says whats the point.. cause they already know enough about spammers.
.. but just felt i wanted to disect this either misquoted statement from Linford (which i wouldn't put past slashdot stories) or just narrowminded comment.
.. i have no intentions of reading more than the /. blurb on this one.
one reason. Information about people isn't guaranteed to be evidence that will hold up in court. So getting citizens to help with evidence against the spammers, from different sides than just teh FTC info gathering, helps any case that they would put up agains the Spammers.
Who knows if it will really work
and yes
Who makes you Sig?
Well, a few years ago, this would have been good, but more and more spammers seme to be shifting to using zombie PCs instead.
"Software is too expensive to build cheaply"
Did it work for the Drug Barons ?
Trolling using another account since 2005.
I vote to fine THEM too.
Bad example since there are real consumers for drugs in need of these products while there aren't that many spam consumers explicitly asking for spam and being ready to pay whatever they're asked just to get their daily dose of spam.
But we could go a long way towards eliminating Spam if the right people would grow some backbone and do the right thing.
1. Cut off Spam from the Zombies.
Cable and DSL companies should block all port 25 traffic coming from their customers. If you want to send e-mail, you should have to use use their SMTP servers. Running your own mail-server is against their TOS in many cases, anyway.
In all fairness, however, this could be handled on a case by case basis. If you are such a macho techno-geek that you really really really really just absolutely HAVE TO run your own mail server, you should have to ask them for persmission first and enter into some sort of agreement that you will not be part of the Spam problem.
2. Cut off the Zombies.
Any cable/DSL customers spewing out large volumes of e-mail (without permission to run a mail server) get a nasty letter, telling them that their service has been terminated until they secure their computer.
3. Follow the money. Follow the money.
Spammers have to make money, somebody has to get paid. They aren't doing this for the fun of it. Trace the money trail back to the people who get paid for the herbal viagra and penis enlargement pills. It isn't easy, but it can be done. If you follow the money, and apply EXISTING laws, such as:
* Child Pornography Statute 18 U.S.C. 2252
* Electronic Communications Privacy Act 18 U.S.C. 2701-2711
* Economic Espionage and Protection of Trade Secrets Law Pub. L. No. 104-294
* Computer Fraud and Abuse Act 18 U.S.C. 1030
* Foreign Intelligence Surveillance Act 50 U.S.C. 1801-1811
* Transportation of Obscene Matter for Sale or Distribution 18 U.S.C. 1465
* Federal Wire Fraud Act 18 U.S.C. 1343
you can shut down the Spammers.
Such a system has a fundamental problem: it will motivate people to act purely out of greed, with no further interest in helping to avoid spam. They will therefore concentrate on reporting "easy targets" and perhaps even report people who aren't actually spammers and can't prove it. The whole idea is rather cynical and smells of defeatism (the law won't help => hire bounty hunters acting outside of the law).
"I love my job, but I hate talking to people like you" (Freddie Mercury)
The classic "You've won, come pick up your prize at..." scheme is a great way for police to get a ton of people who are wanted for various reasons to all show up in one place where they can seal the exits and arrest them all at once.
However, that kind of thing only appeals to the deadbeat dad type who doesn't have tons of money and decided that they could just skip paying child support to make ends meet... if the person is so rich to not need or want an extra TV, the bait just won't be appealing. Spammers are that well off...
There was a story on /. a while ago about mortgage spam. The large mortgage vendors (many of them legitimate banks) were the ones that responded when some mortgage spam was answered.
It seems that those institutions were paying for leads and they didn't really care where the leads came from.
So, do you fine the guy who sent the spam or the company that contacts you after you answer the spam?
If you only fine the guy, there will be another to take his place (and, as you noted, they will move outside of US jurisdiction).
Can a bank that never before sent you any email be fined for contacting you if you send someone an email saying you're interested in a mortgage? Until that starts happening, nothing is going to happen to the spam level.
Follow the money.
I think there's some confusion on the part of a few posters here that needs to be cleared up.
The spammers aren't the companies that pay these guys to do it. The spammers are the people who actually queue up the messages and spit them out. Now, I know what you're thinking, the company being advertised is at fault, too. But still, there is an order that you gotta go through in order to get the right people.
After all, you don't go after the gun manufacturers for creating tools of self-defence just because unintended users end up killing people, right? The proper order is, the person who used it, the parents of the minor that used it, the retailer that sold the ammo, THEN the gun manufacturer, right?
Oh wait, nm. I guess the anti-gun sentiment amongst the public tends to skew the proper order you'd think this should be. But still, I'm the kind of person that is capable of hunting down spammers, but I simply don't do it because there is no incentive.
A monetary incetive might be lucrative, but I'd have to see the amount of money given. If it's too low, it's not worth my time. If it's too high, like the Microsoft reward offers for the Sasser and Blaster creators, then I know they aren't actually going to pay out.
Tracking down the spammers is not a problem. As I and many others have said, follow the money trail. I advocated setting up a credit card account and making purchases, then when the transaction is completed, the billing records will show who bought the goods, then prosecute them.
...and they all moved away
The problem with prosecuting individual spammers is that the Justice Department goes after big money criminals more agressively than small fry spammers. They are more interested in capturing the guy that embezzeled millions of dollars, rather than the guy that sent out millions of emails.
Alices Restaurant Updated:
There he was, sitting on the bench with all the bank robbers, embezzlers, serial killers,
"Whatcha in for, kid?"
"Sending 7 Million spam emails"
Pete Carr Owner Chatmag.com
I'm more concerned that a coalition of spammers might join forces to report "undesired" elements (i.e. anti-spammers) under a system like this, and that it gets misused for harassment.
Just like the tattle-tale system set up after 9/11 has been misused more than it's been useful, I predict the same thing would happen with this.
Regards,
--
*Art
No, I'm asking this question, because AFAIK there's a multi-million USD bounty on their heads today. Yet they're still hiding.
Until the spamming problem is causing buildings to collapse, this FTC bounty system is not going to do anything. And even supposing that the mountain of junk we receive causes computer to be so heavy they start to crack the concrete, it's not because there's a bounty that the capture and conviction becomes easy.
At least not until long-range individually targeted viruses are feasible and bounties are paid for DNA samples of spammers. And if that happens, methinks spam will not be our biggest concern.
Why aren't the companies that sell the products being punished?
They should be much easier to track down and they are the ones hiring companies to do the naughty work for them.
Keep the Classic Slashdot.
Usually the spammers are scamming both sides. They send out a round of spam to generate business, which says something along the lines of "promote your product to millions of people for only $2000". They think, wow what a bargain, and pay the spammer. The emails result in few if any responses and the marketing campaign is a failure. The business owner gets burned and learns a lesson, but as they say a new sucker is born every minute. Once the profitability of spam is gone and word has spread among online merchants that spam is a failure, only then will it go away.
Implementing a bounty system is just a dumb idea. Do cops offer rewards to help them catch common criminals? No, because a system that does so would just flood the phone lines with false leads. Same here. As Steve Linford (who probably knows a lot more about the subject than Lawrence Lessig) said in the article, the problem isn't that the FTC doesn't have enough information on spammers. I think keeping your inbox clean is enough of a motivation for most people to report spam.
I read a book by Lessig once. Internet visionary my ass. The man clearly had no clue what he was talking about.
BTW, just a nitpick, the article refers several times to the "CAN-Spam" law. Such a law does not exist. The "CAN-SPAM" law, on the other hand does. The entire thing is the acronym (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003), not just the CAN.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
This is rather the problem that this technique aims to solve, I thought. Compensate directly the people with the skills to find spammers.
(X) It will stop spam for two weeks and then we'll be stuck with it
If there's always a reward, there will always be people working to try to collect it.
(X) Microsoft will not put up with it
Why would Microsoft be upset that someone is fighting spammers? They'd probably be pleased at the reduction in junk traffic through Hotmail.
(X) Laws expressly prohibiting it
If the FTC is considering it, then they probably have lawyers looking into this. Quite frankly, I'm more likely to believe the FTC than a /. IANAL.
(X) Unpopularity of weird new taxes
This isn't a weird new tax. This is a reward for providing information about a criminal. This is not a new concept.
(X) Public reluctance to accept weird new forms of money
You mean...cash?
(X) Extreme profitability of spam
This makes bounty hunting more lucrative. The fines (and corresponding bounties) can be larger.
(X) Countermeasures should not involve sabotage of public networks
This proposal involves turning over information to the relevant government agency (apparently, the FTC) so that they can pursue law enforcement action. This is not a vigilante approach, per se, in that the actual punishment isn't carried out by the bounty hunter.
(X) Incompatiblity with open source or open source licenses
I give up--you're going to have to explain this one. I'm pretty sure the GPL doesn't have a clause that prevents disclosure of incriminating details of spammers....
(X) Feel-good measures do nothing to solve the problem
It's not just a feel-good measure if the FTC actually pushes prosecutions based on this evidence. And the public will be motivated to push the FTC--we want our bounties!
(X) Killing them that way is not slow and painful enough
I agree, but I think taking their money through criminal prosecution, and using that money to fund further anti-spam action isn't such a bad start.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
I guess this is where the (X) Asshats in part 2 come in. Is the proposal a panacea? Of course not. Is the proposal deserving of contemptuous rejection out of hand? Don't be a...stupid person.
~Idarubicin
The bounty system presupposes that there will be civil action taken against a spammer in the first place, and those that help will get a reward.
The problem is, we have hundreds of civil-oriented anti-spam laws on the books that are not being enforced or pursued. It is not economically viable to use the civil courts to attack the spamming industry. The main reason is that it's not cost-effective: good luck finding a lawyer who will take this case which will cost a lot of money and time up front with no guarantee of a pay off. Second, suing someone in civil court generally works when you can find these people and bring them into court, which is very problemmatic with spammers, but more importantly, it assumes the spammers have money in the first place, which is pretty doubtful. If spammers were really making lots of money, they'd be more visible than they are - all indications are that most of these people are transient scam artists with very little long-term equity in their posession. So the bottom line is that civil suits have never proven to make any difference in this field. Who's crazy enough to jump on this bandwagon? What has happened to people when they propose ideas that are based on premises that have shown to be consistently useless and ineffective?
There is an alternative, however, that could make anti-spam enforcement much more effective, and nip the problem in the bud. Visa/MC would give the FTC and their European counterparts "poisoned" credit card numbers to use on spammer sites. Any merchant account that attempts a transaction using such a number would be immediately frozen and its balance forfeited. A portion of the proceeds could be set aside to pay for Visa/MC's costs, giving them an incentive to participate.
You could even imagine a next step - since the spammers' clients would be known, you could fine them, since they are the ones who keep spammers in business in the first place.