Slashdot Mirror
Can A Bounty System Cure Spam?
dankinit writes "The FTC is considering a proposal made popular by Lawrence Lessig which would offer a bounty to people who help catch spammers. The proposal looks to harness the power of volunteers online who might want a piece of the multimillion dollar fines spammers could incur. Spamhaus founder Steve Linford doesn't like the idea though, explaining '...the FTC already has so much information on their identities that to get anymore would be useless.'"
Because some spammer might propose more money + no spam in exchange of their safety...
Trolling using another account since 2005.
We know who is spamming us. Afterall, the spam message needs some sort of e-mail address or web address so that the fools can respond, so you just have to follow the money trail to get back to the spammer.
The problem is that the worst these people are setting themselves up outside of US jurisdiction, so that FTC and company just can't get to them. Any spammer who doesn't is excessively stupid. There's nothing that the US courts can take from them... and I just don't think offering 20% of $0 is going to do much anyway.
Bottom line is that this plan doesn't connect. As much as spam annoys us, the US Government just can't do anything about it because it's a worldwide problem. On the Internet, if one jurisdiction doesn't like what you're doing, you just need to find another who will accept you.
"I want them alive... no disintegration." Oh to be a bounty hunter...
404
Can A Bounty System Cure Spam?
Depends, will the FTC hand out Boba Fett type bounting hunting uniforms? I wouldn't mind starting a collection of Spammers In Carbonite on my walls.
Outdoor digital photography, mostly in New Engl
Just answer a few simple questions and we'll send you this FREE spammer catcher software!
think about it: spammers start trying to catch each other for the bounty, and then they form these massive spamming groups (read gangs) that join up to get the bounty on other spammers...then you end up with a smaller group of REALLY powerful spammers...i gotta stop playing Mafia...
Can A Bounty System Cure Spam?
Unlikely. But, if the law actually get's off it's ass and actually hands out fines, spammers might be more inclined to stick the equivalent of "this is spam" (the opt-out message, etc.), which could make filtering more effective.
Perhaps we should be fining the ISPs who happily let spam-servers loose on their network?
"It would promote vigilantism on the Net and it probably would not catch any bad guys," said Louis Mastria, spokesman for the Direct Mail Association
There are plenty of technically-skilled knowledgable people out there who might otherwise not have bothered, but who could probably track a few people down.
'the FCC has so much information on their identities that to get anymore would be useless.'
We don't care whether they're known or not. We just want to bankrupt them and get the money we have lost* due to spam.
--
* Most end-users don't lose money, but the amount of stress and anger caused to me by spam has probably shortened my lifespan, and can you put a price on that?
We would need an organized way of combining suits against spammers. Otherwise, those millions of individual suits would clog the courts. A bounty system is the perfect solution. People who collect information on their spammers would organize and report that information to a centralized organization which would handle the actual law suits. Then this organization could pick its targets by employing a pseudo-random, RIAA-style method of picking out random spammers with a boatload of complaints. Any money won would be distributed evenly to those who provided reports on the spammer.
Unfortunately, there's no such thing as a world judical system. We have extradition and cooperation with the places that want the same from us... but there are also places where they just don't care about us.
The world is not united in supporting us in everything we do, and when we falsely assume that we get ourselves into a deeper problem.
They should all be locked up with men who have enlarged their penises, used viagra, and are looking for a meaningful relationship.
But we could go a long way towards eliminating Spam if the right people would grow some backbone and do the right thing.
1. Cut off Spam from the Zombies.
Cable and DSL companies should block all port 25 traffic coming from their customers. If you want to send e-mail, you should have to use use their SMTP servers. Running your own mail-server is against their TOS in many cases, anyway.
In all fairness, however, this could be handled on a case by case basis. If you are such a macho techno-geek that you really really really really just absolutely HAVE TO run your own mail server, you should have to ask them for persmission first and enter into some sort of agreement that you will not be part of the Spam problem.
2. Cut off the Zombies.
Any cable/DSL customers spewing out large volumes of e-mail (without permission to run a mail server) get a nasty letter, telling them that their service has been terminated until they secure their computer.
3. Follow the money. Follow the money.
Spammers have to make money, somebody has to get paid. They aren't doing this for the fun of it. Trace the money trail back to the people who get paid for the herbal viagra and penis enlargement pills. It isn't easy, but it can be done. If you follow the money, and apply EXISTING laws, such as:
* Child Pornography Statute 18 U.S.C. 2252
* Electronic Communications Privacy Act 18 U.S.C. 2701-2711
* Economic Espionage and Protection of Trade Secrets Law Pub. L. No. 104-294
* Computer Fraud and Abuse Act 18 U.S.C. 1030
* Foreign Intelligence Surveillance Act 50 U.S.C. 1801-1811
* Transportation of Obscene Matter for Sale or Distribution 18 U.S.C. 1465
* Federal Wire Fraud Act 18 U.S.C. 1343
you can shut down the Spammers.
Such a system has a fundamental problem: it will motivate people to act purely out of greed, with no further interest in helping to avoid spam. They will therefore concentrate on reporting "easy targets" and perhaps even report people who aren't actually spammers and can't prove it. The whole idea is rather cynical and smells of defeatism (the law won't help => hire bounty hunters acting outside of the law).
"I love my job, but I hate talking to people like you" (Freddie Mercury)
The classic "You've won, come pick up your prize at..." scheme is a great way for police to get a ton of people who are wanted for various reasons to all show up in one place where they can seal the exits and arrest them all at once.
However, that kind of thing only appeals to the deadbeat dad type who doesn't have tons of money and decided that they could just skip paying child support to make ends meet... if the person is so rich to not need or want an extra TV, the bait just won't be appealing. Spammers are that well off...
.. in a great sci-fi book "Labyrinth of Reflections" by Sergey Lukianenko. Unfortunately, it hasn't been translated into English (yet), so I can't post a link ...
In the book, there's a funny bit about cyberworld residents meeting in a town hall by the Statue of a Last Spammer... built when the last spammer was exterminated by the bounty hunters. Being wise enough, the governments still decided to keep the bounty in effect AFTER the last spammer was caught.
Personally, I think this is crazy enough that it could work. Imagine the unlimited energies of 16 year olds who spend their days glued to the computer, chatting on IRC, cracking porn site passwords, doing various small-scale mischief and playing Counterstrike, directed towards catching spammers. All I can say is, that would be a BAD time to be a spammer.
There was a story on /. a while ago about mortgage spam. The large mortgage vendors (many of them legitimate banks) were the ones that responded when some mortgage spam was answered.
It seems that those institutions were paying for leads and they didn't really care where the leads came from.
So, do you fine the guy who sent the spam or the company that contacts you after you answer the spam?
If you only fine the guy, there will be another to take his place (and, as you noted, they will move outside of US jurisdiction).
Can a bank that never before sent you any email be fined for contacting you if you send someone an email saying you're interested in a mortgage? Until that starts happening, nothing is going to happen to the spam level.
Follow the money.
This article advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(X) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
(X) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
(X) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
(X) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, l0ser! I'm going to find out where you live and burn your
house down!
...it worked like current bounty systems.
The police issue warrants for bail jumpers.
Bounty hunters get $$$ for bringing them in.
With a spam bounty system, it could work like this:
The feds put up 'info wanted' notices for specific spammers. It would eliminate the objections people have of vigilantes going after innocent legitimate marketers. The feds would be asking for information about specific spammers, much like the FBI's most wanted list.
You call in leads, the feds prosecute, you get $$$.
The idea here being that there are often people out on the internet who are far more skilled or have far better connections than law enforcement, in tracking down miscreants.
There are likely a lot more net-skilled individuals out there than there are law enforcement officials with good net skills.
Why not put that talent to use, a bounty is great incentive (besides the satisfaction of putting spammers out of business).
Pretty simple.
They live in the USA, they are american citizens. They just spam using servers in china to try to hide the true origin.
Very few spammers actually bother to move outside US borders. And even then, unless they officially renounce their citizenship, they are still US citizens and can still be deported + prosecuted -- no matter where in the world they may be.
The US courts can sieze their assets. Their house, their cars, their computers, etc. Ever wonder what all those government auctions are? Most of them are auctioning off siezed property from criminals. There is serious $$ there.
So yes, there's plenty the US courts can take from them, unless they're living underneath a bridge in a cardboard box.
Finally, a poster that sees it right (or at least my way...:).
Spamming and spamvertised business have become enmeshed in the otherwise legitmate economy (either through banking, ISPs, list brokering or trickle-down to middlemen like mortgage intermediaries).
Why isn't the FTC leaning on those people? Or at least publicizing their involvement in spam, even if it is indirect?
Furthermore, given the prima faciae fraudulent and/or illegal nature of spamvertised businesses and products, why isn't the FBI starting RICO investigations against these third parties whose implicit cooperation is necessary for spammers to do business at all? RICO has serious penalties and can be used to "bundle" miscellaneous state and federal law violations that would otherwise be unprosecutable or not worth prosecuting individually.
There's too much of this "it's all overseas" mantra and "we can't do anything about it." I say bullshit -- there's a money trail to follow and a bunch of people who would rather not be the target of a Federal racketeering indictment who live right here in the USA.
No, I'm asking this question, because AFAIK there's a multi-million USD bounty on their heads today. Yet they're still hiding.
Until the spamming problem is causing buildings to collapse, this FTC bounty system is not going to do anything. And even supposing that the mountain of junk we receive causes computer to be so heavy they start to crack the concrete, it's not because there's a bounty that the capture and conviction becomes easy.
At least not until long-range individually targeted viruses are feasible and bounties are paid for DNA samples of spammers. And if that happens, methinks spam will not be our biggest concern.
Why aren't the companies that sell the products being punished?
They should be much easier to track down and they are the ones hiring companies to do the naughty work for them.
Keep the Classic Slashdot.
Your agruments seem great on the surface but further examination reveals flaws:
point 1)
I agree with the idea behind port 25 issues: having ppl who must run their own mail server get permission in advance does *sound* good. However, legitimate/responsible users who ask for permission in advance will, by definition, have alerted the ISP they are running a server and then be charged more for it. This will not be seen as fair when you consider they may, in fact, be using less bandwidth than the average on-line gamer or true zombies of which you speak. This also speaks nothing to overseas ISPs beyond enforcement and ISPs that don't give a fsuck.
my point here is that legitimate users should *not* have to pay extra (literally) on the account of spammers.
point 2)
shutting down zombies sounds great, but without effective automation it won't be effective because it will be too expensive and further raise the operating costs of ISPs beyond what they are already losing in lost bandwidth. How would you have the ISP distinguish legitimate mail traffic from spam without looking at every email? You could simply measure the volume of mail, but again, legitimate mail users would be cut off or would have to pay more.
I suppose if you dont care about legitimate mail servers from home paying (a lot) more this could work well, but only for mail from ISPs that actually care, and it only takes a few that don't (or pretend to but don't) to ruin this idea while still leaving ISPs free to charge legitimate users more in the name of abuse they cannot truly curtail; I don't like the idea of internet mail becoming corporatized than it alreday is.
Again, overseas/unenforcable spam and its ending money trail will continue. We can try to get financial insitutions to be more responsible with these transactions, but that assumes way to much in the way of co-operation. Most will give lip service and do little or nothing about it because of the costs invloved in curtailing it and lost revenue by someone else picking up the shady sales portal business.
point 3)
existing laws and standards of enformcement are fine for those within the bounds of enforcement, but there are so many who are not that we would not be prudent to expect much out of them.
Human behavior is always the weakest link in every security chain. Towards this end, our efforts would be better spent on education and good bayesian filters.
In short, don't you really think these relatively simple solutions you have proposed would have alreday been applied if they'd work so well? Typically, our world is far more complex than simple solutions allow for.
.
uR iGn0ranc3, Their Power
I agree. There is a money trail, and that is the problem. Somewhere in back someone has to be spending some of those profits in kickbacks for protection.
The spam is illegal. The products are fraudulent. The trail exists. Nothing is done.
Why?
Because your politicians never actually read their own email, so they don't have to deal with it.
Start printing the spam and sending it in to Congress, making use of the free postage when contacting your representative, and keep doing that for a few months.
Flood them with paper as you are flooded with spam, and I guarantee they'll finally get off their asses and do something about the problem instead of just lip-service laws with no enforcement.
I do not fail; I succeed at finding out what does not work.
Implementing a bounty system is just a dumb idea. Do cops offer rewards to help them catch common criminals? No, because a system that does so would just flood the phone lines with false leads. Same here. As Steve Linford (who probably knows a lot more about the subject than Lawrence Lessig) said in the article, the problem isn't that the FTC doesn't have enough information on spammers. I think keeping your inbox clean is enough of a motivation for most people to report spam.
I read a book by Lessig once. Internet visionary my ass. The man clearly had no clue what he was talking about.
BTW, just a nitpick, the article refers several times to the "CAN-Spam" law. Such a law does not exist. The "CAN-SPAM" law, on the other hand does. The entire thing is the acronym (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003), not just the CAN.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
To 10 of your closest friends and recieve money from Microsoft and the FTC!! It really works!! I know you got email like this before, but this one is the real thing!
boycott slashdot February 10th - 17th check out: altSlashdot.org