Lessig On Bounties For Spamhunters

An anonymous reader submits: "Digital rights (as in yours, not the RIAA's) guru Lawrence Lessig comes up with a Swiftian idea of how to fight spammers -- $10,000 for the first ubergeek to hunt the offender down. The column is at CIO Insight. Wonder if it'll reach its audience there."

This problem cannot be solved!

[FreeLinux]

The thing is that SPAM works! If it wasn't profitable no one would bother with it but, it is profitable. Highly profitable! So long as people keep buying from spammers spam will continue to infest the internet.

Just like the Nigerian money scam, so long as people continue to fall for it, it will continue to circulate. Blacklists and other technology solutions will never be able to keep out all the spam. Legislation will never be effective against it. The only way to make it die is for people to stop buying from it and so far, it seems that there are far too many people who are insecure about their penis size for the spam to stop.

One small flaw...

[nautical9]

The one thing we know about the vast majority of spammers is that they are in business to make money. And the only way to get money from the sap who received the spam is to provide a simple way for the sap to link back to the spammer. If there's a way to buy something from the spammer, there's a way to charge the spammer if you catch him.

So, Company ABC doesn't like the competition of Company XYZ. Company ABC makes up a dummy spam email advertsing Company XYZ's products and spams a few million addresses (with an easy-to-find return address for XYZ). Company XYZ, unable to prove that they are innocent, pays the $10k.

I assume Lessig's scenario would have to use a guilty-until-proven-innocent scheme, as it would be as ineffectual as the rest of the laws/anti-spam filters if it were the other way around. To prove someone guilty of spamming, you'd need logs and other evidence from their computers - not easy to get without search-and-ceisure permits. Anything less than that is too easy to duplicate from a malicious hacker's perspective.

As annoying as spam

[letxa2000]

The site that article is from is as annoying as spam itself. You go to read the article and you get a banner ad to the right that occasionally "grows" to occupy 1/4th of your screen. You click "next" and you get a pop-up banner.

Sites like these shouldn't be linked to by Slashdot.

it's a stretch to claim that spam is a right

[keithmoore]

I don't think that spam is a right any more than driving around in a loudspeaker-laden truck that is playing incessant advertisements in the middle of the night is a right. and I don't think that spammers have any more right to privacy than others who disturb the peace or engage in petty theft. the public has a greater interest in having the names of accused be in the public record than in keeping their names secret. (this actually helps discourage false accusations by the government)

having said that, it's also clear that having a way to identify the source of a potential spam would create serious privacy concerns - what's to stop that method from being used to identify the source of any email? nor does "identifying the spammer" seem to be as useful as "marginalizing the spammer" - i.e. making sure that spammers are likely to have to pay so dearly that it's not profitable for them. strictly speaking, we may not need to identify them to achieve this result.

so what we really need is a way to marginalize real spammers without sacrificing others' privacy rights in the process.

RBL bad?

[phriedom]

I don't understand his objection to the RBL. It has checks and balances. It is democratic. Use of the RBL is volentary. It doesn't involve expensive court actions or investigations paid for by taxpayers. It takes no direct action. But if you don't play nice, then others may choose not to play with you. If you don't self-police, others stop listening. Its quite a stretch to say that "restricts the freedom of email" and that it has not "done anything except make e-mailing more difficult." The RBL sure hasn't made my emailing more difficult or restricted my freedom.

I think good laws would add to the effectiveness of the RBL, don't get me wrong. But to hear the spammers tell it, the RBL has made their cost of business much higher, so I wouldn't say it is a detriment.

Re:One small flaw...

[plierhead]

I don't think he's proposing a "guilty until proven innocent" thing. The $10K is just the bounty paid to the bounty hunter. The miscreants could still get their asses kicked with the fully weighted boot of the law, so all the normal discovery, court proceedings, etc. would still apply. If Company ABC maliciously created spam pretending to be from Company ABC, then Company ABC would be committing a very serious felony that could earn their execs gaol time. Very unlikely they could persuade the geeks to take part.

A bigger problem I see is some kind of sense of proportion. Most businesses perform some kind of cold calling. Seems to me like if you sell, say, emergency powergenerators, and you send personalized email to the three businesses in your town who might be potential customers, thats a lot different from sending 2M "enlarge your penis" mails to a database of emails you bought off some other spamming mofo.

Re:uhh, missing something here

[Anonymous Coward]

There are 2 options here:

1- "recover the actual monetary loss suffered by that provider by reason of that violation"

2- "fifty dollars ($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day"

There is no maximum on the first option. If they have greater than $25,000 in damages, thats what they collect.

Re:This problem cannot be solved!

[jon787]

It is profitable only because it is so cheap to do. If a spammer sends out 1 million messages and 1 person buys something he is making a profit!

Re:uhh, missing something here

[Alsee]

($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day

That part of the law is severely broken. They hit the $25,000 cap after the first 500 spams per day. The bigger spammers send MILLIONS of spams per day. At 1 millions spams per day the fine is 2.5 cents per spam, and at 10 millions spams per day the fine is one-fourth of a cent.

As they can crank up the volume of spam the fine approaches zero. The fine becomes an acceptable cost of doing bussiness.

Before anyone replies to point out the phrase "whichever amount is greater", that phrase reffers to proving "actual monetary loss suffered" which aint gonna happen.

-

What an asshole

[Gruturo]

Once added to the list, there is no way to appeal the blocking or to fight such policies

This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea.
I inadvertedly ran an open relay and quickly ended up on Ordb [ordb.org], and rightfully, I might add. My mail server logs had this nice explanation given in the error message from other servers, complete with a helpful link explaining how to fix and get delisted (fix your server, resubmit its IP for checking, get automatically removed).

3 hours and a sendmail.cf later I was back with the good guys, and had this nice warm feeling :-)

this question's already been answered

[Anonymous Coward]

but not yet in the cyberworld. Whatever happened to "My right to swing my arm ends where the other man's nose begins" (it's paraphrased, sorry, and I hope not terribly mangled).

honestly, the question is valid, but I think the answer is that actually spam itself is an invation of privacy.

On the one hand, isn't it safe to assume that the spammer got my e-mail address through a breach of my privacy?

Re:This problem cannot be solved!

[fermion]

Many of these proposals are good, however they require the cooperation of the same ISP who are currently cutting deals with spammers to increase their falling revenue. Likewise, cutting off open relays is also a good idea, but the whiners come back and complain that they did nothing wrong.

The fact is I get junk mail, phone calls, and email. These cost me almost no money directly. It costs the phone company, post office, and ISP money. The phone company and post office are remunerated through charging higher fees. I assume, due to the lack of concern from ISPs that they are also remunerated for their costs.

Don't believe me, let's look at the facts. I get a spam message with a forged Hotmail or Yahoo address. I send a note to this effect. I receive a reply saying that the address if forged and there is nothing they can do. I look up the address of the spammers site and send a note to everyone all the up to NetSol or RIPE. I invariably get a not back saying that the registrars are only responsible for the registration and not the content.

As always, the truth is found by following the money. If spam was a real money losing issue, such as music piracy, the industry would be all over it. However, all we get are public relation solutions such as spam filter and denial or responsibility. I think the truth is obvious. There is way too much money to be made with spam on all levels to let it go.

RBL NOT VOLUNTARY

[Anonymous Coward]

The RBL has made life difficult for many companies. Once you are on their list it is difficult, sometimes impossible to get off.

In these days of high turnover in data centers, it is not uncommon to get an address that is on the list from someone else's abuse. Not to mention the fact that the RBL in particular has been known to make mistakes about what an "open relay" is - for a while every postfix installation was labeled as an open relay, simply because that software would "accept" relay messages, but then immediately trash them.

Furthermore, the RBL is NOT voluntary for the end user. Clueless sysadmins make the choice and rarely inform the users.

Ask any CEO, salesperson or small business man and they will tell you that they'd rather get 1000 spams a day than potentially miss one legitimate customer email.