
Lessig On Bounties For Spamhunters 317

Posted by timothy
from the pay-pal dept.
An anonymous reader submits: "Digital rights (as in yours, not the RIAA's) guru Lawrence Lessig comes up with a Swiftian idea of how to fight spammers -- $10,000 for the first ubergeek to hunt the offender down. The column is at CIO Insight. Wonder if it'll reach its audience there."
  • How much... (Score:5, Funny)

    by T3kno (51315) on Tuesday September 24, 2002 @07:18PM (#4323411) Homepage
    How much would I get if I blew up the building that housed hotmail.com?
    • Does my family get paid compensation if I get gunned down while searching?

      This is big business...with only slightly more positive moral compunctions than drugs.
    • Re:How much... (Score:5, Informative)

      by Tackhead (54550) on Tuesday September 24, 2002 @07:33PM (#4323521)
      > How much would I get if I blew up the building that housed hotmail.com?

      Nothing. The spam doesn't come from Hotmail. Spammers forge hotmail.com dropboxes into the headers, but typically spam through dedicated machines hosted by spam-friendly providers.

      If someone were to go apeshit with a SuperSoaker full of saline solution in ELI.NET's or Level3's datacenter, for instance, your load of inbound spam would probably decrease substantially.

      There are some "ISPs" allegedly in Mexico and Brazil (but hosted via US-based backbones) that are no more than spammer fronts.

      • The spam doesn't come from Hotmail

        Some of it does. Hotmail likes to send its users MSN spam about once a month.
      • The spam doesn't come from Hotmail

        Is this true? I thought it was commonly known that if you create a hotmail account with a suitably obscure name xyxxaqqf2, and use it for nothing, and don't give out the address, you will receive spam (even after turning on hotmail's spam filters).

        This is either caused by MS allowing or sending the spam, or selling the addresses of all accounts (which is just as bad).

        Anyone know the true lowdown on this?


        • Is this true? I thought it was commonly known that if you create a hotmail account with a suitably obscure name xyxxaqqf2, and use it for nothing, and don't give out the address, you will receive spam (even after turning on hotmail's spam filters).

          When you sign up, the service will ask if you would like to be listed in the directory. Say no.

          -a
      • Hey, I'd pay if someone caused (and then demonstrated responsibility) the complete thermal annihilation of Level3's HQ.

        Or Qwest. A Qwest customer used Qwest's network to commit fraud, trespass, harassment and denial of service. Qwest's response was to give him a *WARNING*. Qwest openly tolerates criminal activity from their customers (Which shouldn't be surprising as Qwest has demonstrably engaged in criminal activity in the past).
    • Probably 20 years to life in prison.
    • Hotmail is not the problem. They are just a very popular email domain that spammers use to fake.

      The real hotmail aggressively fights spammers. I know, because I look at the unfiltered spam I receive (for submission to SpamCop and my private blacklist). Rarely do I get spam from hotmail IP addresses.

    • by nizo (81281)
      I couldn't tell from the article, do I have to bring the whole body in to collect, or is the head sufficient?
  • well, it's a start (Score:4, Interesting)

    by Em Emalb (452530) <[moc.liamg] [ta] [blameme]> on Tuesday September 24, 2002 @07:18PM (#4323413) Homepage Journal
    but it will only catch the stupid ones. The "smarter" ones, and I use the term loosely, will endure.
    • What I don't understand is why everyone always talks about it being impossible to catch the "smart" spammers. These people aren't sending this shit out for fun. Yeah, they forge headers, return addresses, & so forth. But why does that matter?

      If they're sending these damn things out for commercial gain, at some point they have to get your money. They either have a website (which can be tracked down via the hosting ISP, DNS entries, shit - traceroute the bitch & call the next people upstream), or an address, or a phone number. That should get all of the stateside jackasses. Even the ones who host overseas can have the hurt put on them. They have to take credit cards or paypal or something. That means a paper trail & it means that Discover Card or Visa or whoever can lock them out.

      All that leaves is chain mail (which is stupid, but sent by your buddies that you can tell to fuck off) and people after bank account info (such as Nigerian princes).

      Honestly, why is it claimed to be so hard for spammers to be tracked down? For the average joe, yeah, it's hard. For those enforcing anti-spam laws it should be relatively easy (if a little tedious) to nab the majority. Can someone explain this?
    • Not just the smarter one, but also the spammers from every other country. Looking at my Junk box, I'd say that 90% is from Korea, 5% Russia, and the rest is unknown. In other words, yipee skipee.
  • by PD (9577) <slashdotlinux@pdrap.org> on Tuesday September 24, 2002 @07:20PM (#4323427) Homepage Journal
    The first one to find a spammer gets to name it. Well, maybe not such a good idea after all...
  • I've been thinking the same thing, but applied to my Provincial Government. Start up a pool, a buck per citizen. Whoever removes Gordon Campbell, our current, fascist prick-in-office, takes the pot.

    I'm pretty sure there'd be enough donations to make it well worth someone's time...
  • by PD (9577) <slashdotlinux@pdrap.org> on Tuesday September 24, 2002 @07:22PM (#4323444) Homepage Journal
    For a period of one month, all filters on spam and spam hunting should be suspended. Part of the problem is that anti-spam activities are masking the true magnitude of the problem. A wake-up call is needed. When people realize just how much spam is being sent out, the villagers will take to the streets with pitchforks and torches.
    • by taernim (557097) on Tuesday September 24, 2002 @07:49PM (#4323634) Homepage
      In a related story:

      tired of spam?
      we am sure you are too! my government has agreed to pay the sum of $34,004,267 to help you fight these spam persons. yes, it sounds much too good. but yes, this is truth. if you would like to join the fight, we only need your bank routing number and complete address. we will soon win by helping you help us help you.

      (Check out this article [slashdot.org] if you somehow miss the irony...)
    • No. For a period of one month, the Government needs to cease and desist anti-spam filters, and Bush needs to read his own email.

      After the 908'th offer for viagra, he'll either cave and buy it (and then hire an intern) or get pissed off and do something about it.

      Stopping the filters on the accounts of people who know about Spam isn't going to do a goddamned thing. WE're already pissed off by it. It's the gov't officials whose email is pre-filtered, sanitized, and delivered for their viewing pleasure, who need to experience the deluge.

      Better yet- remove their filters, and put their email addresses on the internet. Someplace like Slashdot.

      -Sara
  • by I Am The Owl (531076) on Tuesday September 24, 2002 @07:23PM (#4323445) Homepage Journal
    Why the sudden turn around in Slashdot rhetoric?

    I can see the sense in promoting our rights to privacy online, as michael and timothy (bless them) are wont to do, but then we see a sudden reversal. Sure, I guess it's a real pain when spammers send hundreds of unwanted messages over the Internet every day, but is offering a bounty to rob them of their right to privacy really the answer? This is just the government turning citizen against fellow citizen in a foul ploy to get us to turn in our rights to online privacy. Let's look at what's happened so far:

    • Spammers send spam
    • Geek gets pissed, deletes spam
    Now that isn't that terrible, is it? Do we really need to go out and promote a database state and tie together all a person's Constitutionally private information into one big heap of spying and ratting out? I dislike spam as much as the next man, but I draw the line at violating others' online rights. It's a line nobody should be willing to cross.
    • in normal human interaction i get to see who i'm talking to. no one has the right to one-way communication between private parties.

      there might be some concern about communications between a private person and a person acting on behalf of the government, but then again that's not what we're talking about.

      to put it more directly: you've dressed up mr. strawman all cute-n-cuddly but ya know what? he's still a fucking bundle of straw. piss off.
    • by keithmoore (106078) on Tuesday September 24, 2002 @07:34PM (#4323535) Homepage
      I don't think that spam is a right any more than driving around in a loudspeaker-laden truck that is playing incessant advertisements in the middle of the night is a right. and I don't think that spammers have any more right to privacy than others who disturb the peace or engage in petty theft. the public has a greater interest in having the names of accused be in the public record than in keeping their names secret. (this actually helps discourage false accusations by the government)

      having said that, it's also clear that having a way to identify the source of a potential spam would create serious privacy concerns - what's to stop that method from being used to identify the source of any email? nor does "identifying the spammer" seem to be as useful as "marginalizing the spammer" - i.e. making sure that spammers are likely to have to pay so dearly that it's not profitable for them. strictly speaking, we may not need to identify them to achieve this result.

      so what we really need is a way to marginalize real spammers without sacrificing others' privacy rights in the process.

      • having a way to identify the source of a potential spam would create serious privacy concerns - what's to stop that method from being used to identify the source of any email?
        Note that the article itself has an answer to that:
        The one thing we know about the vast majority of spammers is that they are in business to make money. And the only way to get money from the sap who received the spam is to provide a simple way for the sap to link back to the spammer. If there's a way to buy something from the spammer, there's a way to charge the spammer if you catch him.
    • What about my rights to not have my inbox clogged up with offers for inkjets and penis enlargements. 10 spams a day is an annoyance, but my university account gets 50-60+ a day if i turn off the spam filters. So now not only do i have to configure my spam filters on my mail server and waste CPU time and disk space, (I know that they're small, but my mail server is a P/166 that i got for $30, so every bit counts) but I have to figure out which ones of the few that get through are legit and which ones aren't.

      It wasn't so bad before, with spammers being blatant, but now that they are using more under-handed by disguising their addresses and subjects to look legit. Do you know how many times I've opened an e-mail that has a subject as just "hi" or "a quick question" and having some really disgusting porn pop up [goatse.cx] on my computer.

      In short, a spammer does have a right to free speech, but that right ends where my right to not be harassed begins. (yes, i know that the right to not be harassed isn't a constitutionally protected right)

      • Do you know how many times I've opened an e-mail that has a subject as just "hi" or "a quick question" and having some really disgusting porn pop up [goatse.cx] on my computer.

        I run Eudora 1.5.1 to avoid HTML and nasty javascript payloads like that. That may be taking things a little far, but I like having a mail client that doesn't spread worms, and is able to hold an inbox of 8000 messages without crashing. On another note, I really need to take some vacation time and get through that backlog of e-mail...

        Oh, and if you have shell access to your mail account, and procmail capability, consider installing Spamassassin. It catches 95% of the spam that comes my way, with maybe a .5% false positive (both of which are easily adjusted by adding and subtracting names and domains from the user-configurable whitelist/blacklists.)
    • by Anonymous Coward
      "I can see the sense in promoting our rights to privacy online"


      1. Advertisers have no such right. They are legally obligated to both identify themselves and to truthfully describe the product they are selling.

      2. Violators of the rights of others have no such right. Both the government and the individuals violated have the right to use such information to seek a remedy.


      Spammers gave up their right to privacy when they used my e-mail account (which I, not they, pay for) without my express permission. At the very least, as the rightful owner of the account and all e-mails therein, I should be free to distribute and use the information I have on spammers as I see fit.

      "Spammer sends spam, Geek gets pissed, deletes spam Now that isn't that terrible, is it?"

      Geek owns e-mail account. Geek pays for upkeep of e-mail server, be it directly or indirectly. Geek works for a living to pay for these luxuries. Spammers use other people's property without either permission or compensation for personal gain.

      Yes, it is that terrible

      "I draw the line at violating others' online rights"

      Huh? Do you work for a spammer or something?

      Stop trying to sugar-coat this issue with words like "free speech" and "on-line privacy." Spam boils down to the even more basic right of property ownership. The First Amendment doesn't say you can spraypaint your speech on somebody else's wall. The Fourth Amendment doesn't prevent Blockbuster Video from requiring you to identify yourself before renting you their movies.

      When you start violating other peoples' rights, including property rights, you "lose" many of your own. The owner of the property has the right to seek compensation from the violator and the government exists to help them. Suddenly, seizures like putting a lien on a spammer's car become "reasonable" in the eyes of the courts.

      The only person's rights who have been violated are my own. If anything, the Fourth Amendment is on my side, guaranteeing my right to track down and bill/sue the spammers for using my personal effects unreasonably.
    • Right to privacy? Hunh? Spam is one of two things

      1) Fraudulent
      2) A Legitimate commercial offer

      How do you extend a PERSONAL right of privacy to either of the above? If it's 1 it's illegal, and if it's 2 it's a business. Where's the personal privacy issue?
  • by Telastyn (206146) on Tuesday September 24, 2002 @07:25PM (#4323462)
    from the article:

    But at least with the spam problem, there is a much simpler solution that, so far, Congress has failed to see. Imagine a law that had two parts--a labeling part and a bounty part. Part A says that any unsolicited commercial e-mail must include in its subject line the tag [ADV:]. Part B says that the first person to track down a spammer violating the labeling requirement will, upon providing proof to the Federal Trade Commission, be entitled to $10,000 to be paid by the spammer.


    From California Spam law:
    (g) In the case of e-mail that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, the subject line of each and every message shall include "ADV:" as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age and older, the subject line of each and every message shall include "ADV:ADLT" as the first eight characters.


    and

    (f) (1) In addition to any other action available under law, any electronic mail service provider whose policy on unsolicited electronic mail advertisements is violated as provided in this section may bring a civil action to recover the actual monetary loss suffered by that provider by reason of that violation, or liquidated damages of fifty dollars ($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day, whichever amount is greater.


    Very similar...

    • by Alsee (515537) on Tuesday September 24, 2002 @08:05PM (#4323742) Homepage
      ($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day

      That part of the law is severely broken. They hit the $25,000 cap after the first 500 spams per day. The bigger spammers send MILLIONS of spams per day. At 1 million spams per day the fine is 2.5 cents per spam, and at 10 million spams per day the fine is one-fourth of a cent.

      As they can crank up the volume of spam the fine approaches zero. The fine becomes an acceptable cost of doing business.

      Before anyone replies to point out the phrase "whichever amount is greater", that phrase refers to proving "actual monetary loss suffered" which ain't gonna happen.

      -
      • That part of the law is severely broken. They hit the $25,000 cap after the first 500 spams per day. The bigger spammers send MILLIONS of spams per day. At 1 million spams per day the fine is 2.5 cents per spam, and at 10 million spams per day the fine is one-fourth of a cent.

        IANAL, nor do I play one on /. . But I did notice that this is applicable to "any electronic mail service provider whose policy... is violated". Run your own mail server? Then you've got the right to seek civil damages. Unless you're getting in excess of 500 messages a day from a single source, you're not going to hit that cap. If the admin of every server the mail passed through sought damages the expenses mount up very quickly. And realistically $25K a day is going to pay for a shitload of bandwidth in receiving that spam. Now I'm just waiting for the 1) Receive spam post....

    • There is an attorney trying to collect using California's anti-spam law. [timothywalton.com] The case has been all the way to the California Supreme Court, and is now back at the trial court level. This case has been going on for over two years now, and the plaintiff hasn't collected yet. But they will.
    • Here is one ray of sunshine though. In the state of Oregon you sign up on the No Call List [ornocall.com] and
      "A telemarketer who unlawfully calls a telephone number on the 'No Call' List violates Oregon's Unlawful Trade Practices Act (ORS 646.605 - 646.656), and is subject to civil penalties of up to $25,000 per violation."

      After signing up, the number of unsolicited phone calls I get has dropped to zero.

  • by DarkHelmet (120004) <mark@nOspam.seventhcycle.net> on Tuesday September 24, 2002 @07:27PM (#4323476) Homepage
    I have a bunch of female friends that forward letters endlessly to the point that they're no longer my friends. I'd love to put one of their heads on a stick and turn them in for 10k. Do they count? :)
    • I filter emails looking for the character sequence FW in the subject. Gets `em every time.

    • You lie, you don't know any chicks. :)

      Triumph: Have you ever talked to a woman without first having to give your credit card number?
    • I have subject filters in sendmail that bounces any message with two or more of fwd: or fw:. I allow the single forward through because they are almost always legitimate.

      I installed the filters because of my two sisters and my mother. They simply refused to believe me when I told them to "stop sending me that shit!".

      Another filter I'm considering but haven't gotten around to writing is one that counts the number of recipients and bounces if it is over a threshold. You know those emails. Sent to 200 people you don't know and BCC was not used (followed up by several dozen reply-all's from more clueless idiots).

    • You've got to understand, women are, in general, stupid and gullible. Religious older women are at least doubly more so. They have no concept of reality, past what is told them, so when someone says that LSD has rat poison in it, or that someone woke up with their kidneys missing, they are likely to believe it. I mean, if they buy the stuff about a big imaginary old white guy that is all powerful and all good, other things are trivial in comparison.
  • by FreeLinux (555387) on Tuesday September 24, 2002 @07:28PM (#4323485)
    The thing is that SPAM works! If it wasn't profitable no one would bother with it but, it is profitable. Highly profitable! So long as people keep buying from spammers spam will continue to infest the internet.

    Just like the Nigerian money scam, so long as people continue to fall for it, it will continue to circulate. Blacklists and other technology solutions will never be able to keep out all the spam. Legislation will never be effective against it. The only way to make it die is for people to stop buying from it and so far, it seems that there are far too many people who are insecure about their penis size for the spam to stop.

    • It is profitable only because it is so cheap to do. If a spammer sends out 1 million messages and 1 person buys something he is making a profit!
    • by Alsee (515537) on Tuesday September 24, 2002 @09:04PM (#4324018) Homepage
      The problem with spam is that the cost is basically zero per-message. $X to send Y pieces of spam, X divided by Y works out to zero point zero cents per spam.

      The only way to make it die is for people to stop buying from it

      Not possible. Spam works at a response rate of 1 in 10,000. The general population contains a far higher rate of mental illness, senility, and retardation, not to mention just plain gullibility and stupidity.

      To misquote something P.T. Barnum never said, [historybuff.com]
      The internet: a million suckers log on every minute.

      It seems to me that the only solution will come by a switch over to a new E-mail system that can link a non negligible co$t to all E-mail, or just to offending E-mail. This could be done with cryptographically signed "stamps".

      Would you be willing to attach 2 cents to each E-mail where the recipient of the mail gets the money? Send mail to your friend and he gets 2 cents, he send you mail and you get the 2 cents back.

      The other proposal I saw has much more expensive stamps, from 32 cents up to a few dollars. In that plan you can keep re-using your stamps unless the recipient "redeems" the stamp. The idea is that it is generally "rude" to redeem a stamp. If you get legitimate mail from a friend or stranger you do nothing and it costs the sender nothing, if you get spam or otherwise offensive mail you click a button to redeem the stamp and the sender is out the money.

      -
      • One solution i've heard was to make emails computationally expensive. Like, if my mailserver doesn't recognize your address, you have to factor the product of a few smallish primes before it will deliver the message. Something not too nasty, but hopefully big enough that you can't just have lookup tables. If you're sending a message to 10 people, it takes maybe a few seconds. If you're sending to thousands of people, it takes longer. You could even set preferences for how ugly you want the factorization to be: if the headers all match up, it's addressed to one person, and there's no html or images or links, make 'em factor 2*7*13. If the subject contains 'debt' or is in all caps, or there are removal instructions in the body, they have to factor something that's almost crypto-grade.
        Put in some work-arounds where someone can email a list admin for permission to mail the list, etc.
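The factoring challenge proposed in the comment above, worked through as an added example (not code from the thread or from any mail server). The names `ChallengeServer`, `prime_bits_for` and `factor`, the two difficulty tiers and the "to be removed" marker are assumptions made for illustration; the point is the asymmetry between the sender's trial division and the receiver's constant-time check, plus one-time use so a solved challenge cannot be replayed.

```python
import random
from math import prod

# Constructed policy values (assumptions): prime size in bits for each tier.
EASY_BITS, HARD_BITS = 8, 20
PRIMES_PER_CHALLENGE = 3


def is_prime(n):
    """Trial-division primality test; adequate for the small primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(candidate):
            return candidate


def prime_bits_for(subject, body, recipients):
    """Pick a tier using the heuristics the comment lists."""
    s, b = subject.strip(), body.lower()
    suspicious = (
        "debt" in s.lower()
        or s.isupper()                      # all-caps subject
        or "to be removed" in b             # constructed stand-in for removal instructions
        or any(m in b for m in ("<html", "<img", "http://", "https://"))
        or len(recipients) != 1             # not addressed to exactly one person
    )
    return HARD_BITS if suspicious else EASY_BITS


class ChallengeServer:
    """Receiving side: issues a product of primes and remembers the factors."""

    def __init__(self, seed=None):
        # Seedable for a reproducible demo; a real service would use random.SystemRandom().
        self._rng = random.Random(seed)
        self._pending = {}                  # challenge N -> sorted list of its prime factors

    def issue(self, subject, body, recipients):
        bits = prime_bits_for(subject, body, recipients)
        primes = sorted(random_prime(bits, self._rng) for _ in range(PRIMES_PER_CHALLENGE))
        n = prod(primes)
        self._pending[n] = primes
        return n

    def check(self, n, answer):
        # pop() makes every challenge single-use: a replayed or wrongly answered
        # challenge is gone, and checking costs one dictionary lookup and a compare.
        expected = self._pending.pop(n, None)
        return expected is not None and sorted(answer) == expected


def factor(n):
    """Sending side: trial division. Returns (prime factors, divisions attempted)."""
    factors, steps, d = [], 0, 2
    while d * d <= n:
        steps += 1
        if n % d == 0:
            factors.append(d)
            n //= d
        else:
            d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors, steps


if __name__ == "__main__":
    server = ChallengeServer(seed=2002)
    # Constructed sample messages.
    clean = server.issue("lunch on friday?", "See you at noon.", ["bob@example.org"])
    spammy = server.issue("ELIMINATE YOUR DEBT", "Reply to be removed.", ["a@example.org"])
    for label, n in (("clean", clean), ("spammy", spammy)):
        answer, steps = factor(n)
        print(label, n, answer, "divisions:", steps, "accepted:", server.check(n, answer))
```

With these tier sizes the sender of a flagged message performs a few hundred thousand divisions per recipient, against roughly a hundred for an unflagged one; trial division over 20-bit primes is still far from "crypto-grade", so the tiers would need tuning against real hardware.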
      • Many of these proposals are good, however they require the cooperation of the same ISP who are currently cutting deals with spammers to increase their falling revenue. Likewise, cutting off open relays is also a good idea, but the whiners come back and complain that they did nothing wrong.

        The fact is I get junk mail, phone calls, and email. These cost me almost no money directly. It costs the phone company, post office, and ISP money. The phone company and post office are remunerated through charging higher fees. I assume, due to the lack of concern from ISPs that they are also remunerated for their costs.

        Don't believe me, let's look at the facts. I get a spam message with a forged Hotmail or Yahoo address. I send a note to this effect. I receive a reply saying that the address is forged and there is nothing they can do. I look up the address of the spammers site and send a note to everyone all the way up to NetSol or RIPE. I invariably get a note back saying that the registrars are only responsible for the registration and not the content.

        As always, the truth is found by following the money. If spam was a real money losing issue, such as music piracy, the industry would be all over it. However, all we get are public relation solutions such as spam filter and denial of responsibility. I think the truth is obvious. There is way too much money to be made with spam on all levels to let it go.

      • Forget money. Time is more expensive to a spammer. If the default on mail systems were set to only send one email every fifteen seconds for any given connection, it wouldn't affect normal users who just want to mail something to a dozen people, it might allow a sysadmin to stop someone from sending that really funny joke to "all@mybigcorp.com", and it would make spam prohibitive because a million-piece run would take over three months to send.

        That or the spammer would have to make a million connections to send a million mails in a short period of time. Someone would notice.
      • Brings a whole new meaning to that phrase
    • I have been receiving spam since mid-1996. On average, across the past years and my many email accounts, I can estimate 75 pieces of spam per day (most through AOL and hotmail of course).

      6 years x 75 spams/day = somewhere on the order of 164000 pieces of spam received.

      Of all of those, I have purchased something based on a spam-ad exactly once. And that was a special offer (buy anything and we'll throw this in free) from a reputable retailer I was planning on purchasing from anyways. The spam didn't originate from the retailer but from an advertising/spamming service. When I made my purchase/order I stripped all the identifying information from the URL so that the spammer wouldn't get the commission anyways.

      Where's the profit?
  • Disgusting. (Score:2, Interesting)

    by Fat Casper (260409)
    I think I'm going to be sick.

    The author compares the bill that the RIAA bought to allow them to crack any box they want with the "spam vigilantes" that blacklist sites that don't obey "proper" e-mail etiquette and then by organizing automated boycotts of the sites on the list.

    His explanation of the bill is "Through his bill, these vigilantes would be granted immunity from liability as they deployed tools to hack peer-to-peer systems that they 'reasonably believe' violate copyright laws." He compares the two as unaccountable processes that wrongfully victimize people.

    He then proposes (drum roll) a law that spammers would have to follow, and a reward for geeks who catch them if they don't. Like they'll follow laws. Blacklisting servers is better; it slaps the stupid admins pretty hard for victimizing everyone else. It also slaps folks like that stupid "internet lawyer" and Bernie Schifman. There's a public good- actual, relevant punishment for offenders.

    • Not to mention that he missed one very important difference between hacking my system and blocklists.
      Choice.
      I don't have to subscribe to a blocklist. I can choose to accept all e-mail or to use the list and block the servers listed on it. Even on free e-mail sites, such as Yahoo!, I can turn the spam filter on or off, at my discretion. The filtering of e-mail through the use of block lists is a very good way of exercising my rights. Sure, you have the right to say what you want, but I don't have to listen to you.
      There is nothing being done, with blocklists, that prohibits, or detracts from free-speech. All it does is provide a ready-made filter that removes content which the subscriber does not want to hear.
      On the other hand, Lessig brings up the Berman bill. Which, as we all know, allows people to access your system, without your consent, or knowledge. And protects them from liability if they do any damage in the process. I don't have any choice in the matter, they decide they want to format my hard-drive, they can do it.
      The article is comparing two completely disparate things. Apples and oranges, as the saying goes. A service that I can pay for if I want it, and a free license to DoS someone.
      Though, on a side note, if Berman's bill does pass, anyone up for starting a group that holds patents, and then goes around the net cracking un-protected systems and deleting the entire contents of people's hard-drives. Maybe start off poking around the RIAA's and MPAA's networks. After all, they might have had some of the copyrighted works on their system, and we would not be held liable for losses or damages if Berman gets his way.

  • Does he want them dead or alive? Or maybe just their head?
  • One small flaw... (Score:5, Insightful)

    by nautical9 (469723) on Tuesday September 24, 2002 @07:33PM (#4323527) Homepage
    The one thing we know about the vast majority of spammers is that they are in business to make money. And the only way to get money from the sap who received the spam is to provide a simple way for the sap to link back to the spammer. If there's a way to buy something from the spammer, there's a way to charge the spammer if you catch him.

    So, Company ABC doesn't like the competition of Company XYZ. Company ABC makes up a dummy spam email advertising Company XYZ's products and spams a few million addresses (with an easy-to-find return address for XYZ). Company XYZ, unable to prove that they are innocent, pays the $10k.

    I assume Lessig's scenario would have to use a guilty-until-proven-innocent scheme, as it would be as ineffectual as the rest of the laws/anti-spam filters if it were the other way around. To prove someone guilty of spamming, you'd need logs and other evidence from their computers - not easy to get without search-and-seizure permits. Anything less than that is too easy to duplicate from a malicious hacker's perspective.

    • by plierhead (570797)
      I don't think he's proposing a "guilty until proven innocent" thing. The $10K is just the bounty paid to the bounty hunter. The miscreants could still get their asses kicked with the fully weighted boot of the law, so all the normal discovery, court proceedings, etc. would still apply. If Company ABC maliciously created spam pretending to be from Company ABC, then Company ABC would be committing a very serious felony that could earn their execs gaol time. Very unlikely they could persuade the geeks to take part.

      A bigger problem I see is some kind of sense of proportion. Most businesses perform some kind of cold calling. Seems to me like if you sell, say, emergency power generators, and you send personalized email to the three businesses in your town who might be potential customers, that's a lot different from sending 2M "enlarge your penis" mails to a database of emails you bought off some other spamming mofo.

      • A bigger problem I see is some kind of sense of proportion. Most businesses perform some kind of cold calling. Seems to me like if you sell, say, emergency power generators, and you send personalized email to the three businesses in your town who might be potential customers, that's a lot different
        I guess his point is that such advertisers would have no problem abiding by the rules and putting `[ADV:]' in their subject line. No?
  • by letxa2000 (215841) on Tuesday September 24, 2002 @07:33PM (#4323529)
    The site that article is from is as annoying as spam itself. You go to read the article and you get a banner ad to the right that occasionally "grows" to occupy 1/4th of your screen. You click "next" and you get a pop-up banner.

    Sites like these shouldn't be linked to by Slashdot.

    • The site that article is from is as annoying as spam itself. You go to read the article and you get a banner ad to the right that occasionally "grows" to occupy 1/4th of your screen. You click "next" and you get a pop-up banner.

      Sites like these shouldn't be linked to by Slashdot.


      God forbid that people on a site for nerds might just figure out how to turn that crap off.
  • The problem with tagging all commercial email with an identifier such as "ADV:" is that most recipients will simply create an email rule to auto-delete it and never even know it arrived.

    That's great for the recipients, but it does nothing to reduce the load on ISP servers; in fact, it may increase it as the advertisers will have to send out MORE mail to make sure at least somebody opens it.

    Also, such a solution does nothing to help legitimate advertisers, who need to know the demographics of who is actually reading their ad. If there is an easy way to filter, they may buy a list that is 90% middle class professional office workers, but they have no way of telling what mix actually read their ad. So they would never buy a service that operated under the "ADV" rules. Result: only the scam companies would ever send the mail.
    • It would reduce the load on my server. The regex filters in sendmail can be triggered before the body is read. All the spam headers a week still aren't even as big as just one of the bodies from marketing I bounce because of its size.

      I've got patches [abnormal.com] for sendmail that let you filter the message body as well but you have to let it in first but you can bounce the messages at the SMTP transport level.
      • The regex filters in sendmail can be triggered before the body is read.

        Is that allowed in the RFCs? I thought that once the DATA command was in progress, you couldn't interrupt it. So you'd probably have to take the data, anyhow unless you were willing to just drop the connection. And if you do that, the originating server is likely to just try again.

        Better just to accept the whole message and return a 5xx. Unless you want to cause trouble for the spammer, in which case you should just keep returning a 4xx and waste his bandwidth.
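The approach recommended in the comment above (read the whole DATA payload, then answer with a 5xx) can be sketched in Python. This is an added example, not code from the thread or from sendmail; the function names, reply texts and sample messages are constructed for illustration.

```python
import re

# Matches the labels mentioned in the thread: "ADV:", "[ADV:]" and "[ADV]".
ADV_TAG = re.compile(r"^\s*\[?ADV[:\]]", re.IGNORECASE)

REJECT = "550 5.7.1 Message labelled as advertising refused"
ACCEPT = "250 2.0.0 Message accepted"


def unfold_headers(header_lines):
    """Join folded header lines (continuations start with space or tab)."""
    headers = []
    for line in header_lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def subject_is_adv(header_lines):
    """True if the (possibly folded) Subject header starts with an ADV label."""
    for header in unfold_headers(header_lines):
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "subject" and ADV_TAG.match(value):
            return True
    return False


def receive_data(wire_lines):
    """Consume one DATA payload (the lines a client sends after the 354).

    Returns (reply, stored_body). The reply is produced only at the lone "."
    line; if the client disconnects before it, reply is None.
    """
    header_lines, body, in_headers, reject = [], [], True, False
    for raw in wire_lines:
        line = raw.rstrip("\r\n")
        if line == ".":                  # end-of-data marker: answer now
            if in_headers:               # message had headers only
                reject = subject_is_adv(header_lines)
            return (REJECT if reject else ACCEPT), ([] if reject else body)
        if line.startswith("."):         # undo SMTP dot-stuffing
            line = line[1:]
        if in_headers:
            if line == "":               # blank line ends the header block
                in_headers = False
                reject = subject_is_adv(header_lines)
            else:
                header_lines.append(line)
        elif not reject:
            body.append(line)            # rejected mail is read, never stored
    return None, []


# Constructed sample payloads (not real traffic).
SPAM = [
    "From: offers@example.invalid\r\n",
    "Subject:\r\n",
    "\t[ADV] Low rates\r\n",             # label hidden on a folded line
    "\r\n",
    "Buy now\r\n",
    ".\r\n",
]
HAM = [
    "From: alice@example.invalid\r\n",
    "Subject: Advance notice: ADV tagging proposal\r\n",
    "\r\n",
    "..leading dot\r\n",
    ".\r\n",
]

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM), ("cut off", SPAM[:-1])):
        print(name, "->", receive_data(msg))
```

The decision is made as soon as the header block ends, so the body of a labelled message costs bandwidth but no storage or content scanning.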
    • ...and if a fraction of the people (such as myself) who get that ADV e-mail set up an auto-reply ("Don't ever send me this shit again!"), the problem could get MUCH worse in terms of mail server loads...
      • Re:True (Score:3, Informative)

        by AndroidCat (229562)
        Umm, that's not a good idea. Just who are you going to reply to? Spammers tend to forge headers for a reason. If the spam "payload" was a URL link in the body rather than a dropbox in the From or Return-Path, you've just sent an unsolicited email to whoever the spammer wanted to abuse. (Also known as a "joe-job".)
    • The real point is that if everyone's deleting spam marked as ADV, then it becomes unprofitable. Guess what happens next? No spam.
    • The problem with tagging all commercial email with an identifier such as "ADV:" is that most recipients will simply create an email rule to auto-delete it and never even know it arrived.

      I go one step better. My sendmail server hangs up on the SMTP connection as soon as it finds ADV: in the subject line of an incoming message. They don't even get to finish unloading their message. As soon as it says ADV:, they're gone.

      That's great for the recipients, but it does nothing to reduce the load on ISP servers; in fact, it may increase it as the advertisers will have to send out MORE mail to make sure at least somebody opens it.

      More ISPs can do what I'm doing and hang-up as soon as they see ADV: in the subject.

      In the short term it doesn't solve the problem, but when absolutely no-one is reading spam then the response rate will drop to zero--at that point there will be no-one that WANTS to spam.

      Also, such a solution does nothing to help legitimate advertisers, who need to know the demographics of who is actually reading their ad.

      What is a "legitimate advertiser?" Anyone that is mailbombing advertisements to me isn't legitimate regardless of whether they are selling penis cream or Norton products (seems to be the latest thing I've seen in spam) or discount airfares.

      If there is an easy way to filter, they may buy a list that is 90% middle class professional office workers, but they have no way of telling what mix actually read their ad.

      I also don't care if an advertiser "needs" to know if I read their advertisement. That's none of their business. They have no clue who reads their advertisements in a newspaper nor who hangs around during commercials on TVs... Why do they suddenly "need" to know if I click their email?

      So they would never buy a service that operated under the "ADV" rules

      Good! The idea isn't that the whole world does bombing runs with ADV:. The idea is that the ADV makes it so easy to filter that NO-ONE reads the spam and, in short order, spam as a method of advertising goes away.

      Result: only the scam companies would ever send the mail.

      Which is MOSTLY the case now. This is where the bounty comes in... If you get spam that isn't identified with ADV, the spammer has broken the law and under the law you're entitled to $10k from the spammer if you are the first to identify him. A few of those and the scam companies will stop sending spam because it's no longer a good business model. So "legitimate" companies don't spam because all their spam is filtered with ADV, and "illegal" spammers stop doing it because they'll be liable for $10k.

      Of course, the idea won't work. As others have said, it's too easy to frame an innocent person or company. Unless the spammer shows you his email log, how can you really "prove" he did it? You could just be making up the logfile that shows a connection from 192.110.121.99, or whatever.

      The problem is that most spam isn't prosecuted based on other violations of the law. Porn spam should be blatantly illegal since much of it goes directly to the inbox of minors. The owners of porn sites that spam should be sought out by the FBI and charged with corruption of minors. Most of the rest of the spam is fraudulent or deceptive in some way--it should be prosecuted by the FTC or FDA. The problem is they apparently don't have time, which is sad since it's currently one of the largest sources of blatant fraud operating in broad daylight, and so many of them would be open and shut cases. You just have to go get the perpetrator.

    • That's the idea of the law. The legal concept is that prohibiting somebody from e-mailing may raise constitutional issues, but insisting that they mark advertising as such is clearly permitted.

      It's not working very well, because of weak enforcement. That may change after a few cases are litigated. I do see a hundred or so "ADV:" messages in my trash can right now, placed there by a rule, so it's doing something. But only about 2% of incoming spam is being junked by that rule.

  • With Berman's proposal, the "vigilante" does the damage (DoS, etc.) before there is any proven wrongdoing. (What if a legit song happened to be labeled the same as a pirated one?)

    With Lessig's idea, the vigilante reports the wrongdoing and lets the proper authority take care of it. (A solution I like better. Imagine if there was an all out DoS war between the vigilantes, RIAA, MP3 traders, and all of us in between.)

    One can't help but wonder: if this works for spammers, why couldn't it work for MP3s?

    A bill like this is perilously close, if you ask me. If this works, the RIAA could start handing out $$$$ incentives for ratting out (illegal) MP3 traders.
  • I think it is not a bad idea at all. The reward is high though, so I suspect a few people might find some way to abuse the system.

    But what if someone creates a site where you can put a bounty on a particular spam message and add to the pot on locating the spammer (for legal action, of course). I don't mean just finding originating network, but the real contact information of the individual or company responsible.

    So say you get a particular "work at home" message once a day. You can post your message on there and put $5 in the collection for finding the prick who's harassing you. If he/she is annoying you, chances are there are others who are being annoyed as well. If there is a match in the database, then your money is added to others.

    I am sure there are lots of capable people out there, given $100 bucks to find a spammer *will* find them.

    This site could also be used to organize groups of people who would like to sue spammers. So instead of one person footing the bill, if your spammer is being sued, you can join the fun as well.

    • This is a really good idea.

      There are lots of us who want to stop this kinda shit, but have no idea where/how to start.

  • What would you do to automate the hunting-down-spammers process?

    Perhaps something you could put on your servers? Once certain thresholds and/or parameters are reached, you could have another program kick in that could track them down.

    A $10K reward would definitely get people working together in novel ways. Imagine if several ISPs/home users/businesses started working together to track these fuckers down.
  • RBL bad? (Score:4, Insightful)

    by phriedom (561200) on Tuesday September 24, 2002 @07:50PM (#4323640)
    I don't understand his objection to the RBL. It has checks and balances. It is democratic. Use of the RBL is voluntary. It doesn't involve expensive court actions or investigations paid for by taxpayers. It takes no direct action. But if you don't play nice, then others may choose not to play with you. If you don't self-police, others stop listening. It's quite a stretch to say that "restricts the freedom of email" and that it has not "done anything except make e-mailing more difficult." The RBL sure hasn't made my emailing more difficult or restricted my freedom.

    I think good laws would add to the effectiveness of the RBL, don't get me wrong. But to hear the spammers tell it, the RBL has made their cost of business much higher, so I wouldn't say it is a detriment.
  • by unicron (20286) <{unicron} {at} {thcnet.net}> on Tuesday September 24, 2002 @08:08PM (#4323759) Homepage
    "Alright. I'll kidnap him for 50, deprogram him for 50, and I'll kill him for 100!"

    "No, just the first 2!"

    "Alright, I'll throw in the killin' for free."
  • What an asshole (Score:5, Insightful)

    by Gruturo (141223) on Tuesday September 24, 2002 @08:16PM (#4323809)
    Once added to the list, there is no way to appeal the blocking or to fight such policies

    This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea.
    I inadvertently ran an open relay and quickly ended up on Ordb [ordb.org], and rightfully, I might add. My mail server logs had this nice explanation given in the error message from other servers, complete with a helpful link explaining how to fix and get delisted (fix your server, resubmit its IP for checking, get automatically removed).

    3 hours and a sendmail.cf later I was back with the good guys, and had this nice warm feeling :-)
    • Re:What an asshole (Score:4, Informative)

      by hysterion (231229) on Wednesday September 25, 2002 @12:25AM (#4325194) Homepage
      Once added to the list, there is no way to appeal the blocking or to fight such policies

      This is bullshit, and he knows it, but he has to exaggerate and distort the truth in order to highlight his fashionable Bounty idea. I inadvertently ran an open relay and quickly ended up on Ordb [ordb.org],

      This is out-of-context, selective quoting, and you know it, since right after this he continues with: ``Sometimes, the spam vigilantes offer people a way to appeal, but not always. Spews.org, for example, blocks without any appeal allowed.'' So,
      • He does nuance his assertions. You `exaggerate and distort' them.
      • He's talking about Spews.org, not Ordb.org.
    • How do you get off of SPEWS once you're listed incorrectly? There's no quick straightforward way.
  • SPEWS does not "block with any appeal allowed".

    First of all, SPEWS doesn't block anything. SPEWS only provides the list of scumbags. Its users then decide what they do with the information. Some block Email, some flag Email for filtering by end users, some use the list as evidence of anti-spammer evils.

    Second of all, there is an appeal process. The spammer just needs to stop spamming.

    Thirdly, he seems to imply that it would be common to be listed in SPEWS by mistake. This is simply not true at all. Usually a spammer has to exhibit a pattern of abusive behavior to get listed. There appears to be a human process involved in getting listed by SPEWS, which seems to be very effective in weeding out mistakes and joe-jobs.

    Proletariat of the world, unite to kill spammers. The slower, the better. The more painful, the better. Remember, knees first, so they can't run away.
  • Growing a Spam Killing Community [webword.com] -- "The purpose of this article is to discuss how to eliminate spam through a community of spammer killers. Why take a passive role in spam elimination and why use up precious time and complex tools to track down one spammer? Instead, let's create a community of spammer hunters to track them down and wipe them out, using their own methods against them. Forget killing spam, let's kill the spammers."
  • by silentbozo (542534) on Tuesday September 24, 2002 @09:00PM (#4324003) Journal
    Read the article. The 10k bounty for not labeling spam as spam isn't what you should be paying attention to. It's his attack on volunteer efforts to block spam relays, whom he calls "spam vigilantes", in the worst sense of the word. Essentially, he says that efforts to blackhole servers (presumably, because the admin of that server also needs to be whacked repeatedly with a cluestick) do more harm than good, and that we should just use filtering.

    The 10k bounty is supposed to convince spammers to label their spam so we can effectively filter it.

    Finished laughing? Let's dissect his thinking, shall we? He says we can handle spam just by making sure the spammers label it. This is the thinking behind a lot of bad legislation - it legitimizes it, instead of eradicating it. Second of all, he implies that vigilantism can work with government (finding spammers who don't comply with the ADV: rule) to fix what vigilantism by itself (blacklists) cannot do. Well, blacklists are meant to eliminate spammer havens - and we have plenty of anti-spam people hunting spammers as it is, FOR FREE. What the hell does he think 10k is going to do, if all the bounty-hunter does is turn the spammer's info over to the government? I mean, the FTC doesn't do much to the existing fax-spammers who are in violation of federal law. (The fax.com lawsuit was filed by a private individual, the FTC just levies paltry fines.) Or worse, what is the US government gonna do to foreign spammers who don't comply with our "label law"?

    Essentially, Lessig says we should discard our current system of blocklists and anti-spam tech, in favor of simple client-side filters and a federal mandate to label spam, with a bounty to catch anyone who fails to label their spam. The threat is so feeble, and the undeserved side-effects so beneficial, I'm sure that spammers will love this idea.
  • It sounds like this effort will involve a tracing operation, digging in to find the systems, the software, and the people behind the spam.

    What will the reward be for implicating the spam-enabling software vendors? One in particular that comes to mind is Elcomsoft [mailutilities.com]. Will there be a $10K reward for dragging Dmitry's bizzness into court?

    (note, the 'Advanced Email Extractor' tool linked to above used to be a link right on the elcomsoft.com web page, but that alternative 'MailUtilities' web page still comes up as one of the top five links in Google when you search on 'elcomsoft.' I suspect they're hiding their association with the 'mail utilities' product line to get geek sympathy. Spread the word, they sell tools to the spammers!)
  • Paying bounties to get third parties to do the work in dealing with a nuisance can be a good idea. It kind of reminds me of the laws that deal with short swing trading. Short swing trading is when you buy or sell a stock that you recently bought or sold. Certain officers of public companies are not allowed to do short swing trading. I forget the exact rule, but basically, you can't change the direction you are going (buying or selling) more than once every several months (I think it is six months).


    So, for example, if Bill Gates sells some MS stock today, he can't buy MS stock tomorrow.


    The way the SEC enforces this is very clever. The law is that any shareholder of the company can sue to nail a short swing trader. If the suit is successful, the short swing trader has to turn over to the company any profit they made, AND they have to pay the attorney fees of the suing shareholder. The profits are calculated in the least favorable (to the short swing trader) way--find the highest selling price he got in the last six months, and the lowest buying price...match those shares up, and count the difference as profit. So, if you buy at 100, sell at 90, buy at 80, and sell at 70, you have really lost 20, but as far as the short swing laws go, you made 10 (the sell at 90 less the buy at 80), and so you have to pay 10.


    The final brilliant piece of the short swing law is that the shareholder who brings suit does NOT have to have been a shareholder at the time of the trading--they only have to be a shareholder at the time of the suit.


    Combine that with the winner getting attorney fees, and what happens is that attorneys check the public records, find dumb corporate officers who tried to sneak in some short swing trading, go out and buy a share of the company to get standing to sue, and sue.


    This has pretty much completely eliminated illegal short swing trading, with the SEC having to spend no money to track it down and enforce the law.

  • From the site
    They looked at the open and flexible system of e-mail that gave birth to much of the Net and decided that this system created too much freedom--at least for spammers.

    Block lists don't take any freedom from spammers. It never prevents them from sending all the e-mail they want. It's just that when it hits a server of someone that doesn't want to hear their speech, the "mute" button gets hit.

    Why spammers think that keeping their message out of my inbox is restricting freedom of speech, I'll never understand. Are they not my eyes, are they not my ears? Can I not decide what I'll use my time to read, to hear, to think about? So what if it's the greatest thing since round wheels. If I choose to close my mind to it, trying to sell me the goose that lays golden eggs isn't going to overcome my "buyer's resistance".

    Not only are spammers stupid, they are persistently stupid. In the Darwinian game of the Internet, they rank below the Doo-doo of the Do Do.

  • Of course my idea of "make them pay" is perhaps a bit different than the norm. I'm not talking about finding out who they are so they can face the swift hand of justice, I'm more of the thought of finding out who they are so they can face the swift baseball bats of Guido and Nunzio who, when they're done, break the spammers' fingers so they can no longer type out those emails telling me how easy it is to buy my Viagra.

    Hell, I'd be willing to contribute to a fund which promised such results. I want my mailbox back and I'm tired of coming up with new regular expressions to make the spam go away.
  • New "Crossing Jordan" episode: a man is found dead, shot twice. The only clue is a can of Spam jammed in his mouth, unopened...

    -- Terry
  • If I'm granted immunity in all cases where I am responsible for the death of a spammer, and I receive $10,000 for each such death of my own doing, count me in. But if it's just 'turn them in, wah wah wah', then I'll have to pass.
  • I've suggested before, and I still believe, that spam would greatly decrease if a few spammers were killed. If that's too harsh for you, how about slashing their tires, urinating on their lawn, or keying their car?

    Every time you find a spammer, you should anonymously publish their name, address, and phone number, so that they can be "dealt with". Yes, I'm serious.

  • Seeking redress?
    What a shame!
    Your faith is misplaced
    in the RBL.

    If we had their address,
    and a name,
    It would probably
    take care of itself...

    Or, a Limerick:

    Send Congress home -- no laws need be made.
    Save your money -- the price will be paid.
    No judges, no jury,
    have it done in a hurry,
    A real life black hole -- get a spade.
  • by Erik Fish (106896) on Wednesday September 25, 2002 @03:26AM (#4325769) Journal
    So much for "Lawrence Lessig: Superlawyer". Doesn't he realize that by the time his little idea gets passed into law it will have morphed into the Direct Marketing Association's wet dream?! Even the original is a law that fully legitimizes spam! Does anyone think that the $10k fine will make it through? Even if the figure itself is still around there's no chance of anything resembling teeth being left in it!

    So what if it forces a majority of the spammers into using the [ADV] tag in their Subject headers? What is that going to accomplish? Yes, most ISPs will instantly block anything with [ADV] in the subject header but the spammers will still be using bandwidth to bounce endless waves of spam off of your filters in an attempt to get at the remaining mail servers which don't filter for one reason or another!

    Beyond that, an [ADV] flag is content. As the subject of this post points out: The fight against spam needs to be firmly grounded in a lack of consent -- not the slippery slope which any argument based on content quickly becomes!

  • by herbierobinson (183222) on Wednesday September 25, 2002 @03:56AM (#4325842) Homepage
    It can't be just the first one. It has to be a bounty to everyone who tracks the spammer down and takes them to court. Otherwise, it just wouldn't pay to do it. A better scheme:

    1. Allow anyone to take spammers to small claims court for around $2K.

    2. Make the person selling whatever is advertised in the spam be responsible for it unless they are willing to file a criminal complaint against the spammer.

    3. Explicitly make it illegal to advertise someone else's product without authorization (it's probably already illegal...). This is to enable #2.

    4. If an ISP cannot identify the spammer, the ISP must pay the fine. This may already be the case, but making it explicit would help.
