To track down the origin of an e-mail, you must perform a whois/rwhois, nslookup/dig, forward/reverse DNS check, and traceroute on the IPs and domains of the mail servers in the full e-mail header. Spammers hide their identities by spoofing or obfuscating this info (hexadecimal IPs, fake reverse DNSes, deobfuscated URLs, redirect pages [often “throw away” pages on Anglefire or GeoCities], and JavaScript encoded relay pages). Spammers also change IP addresses and ISPs frequently, send smaller batches and single sends, falsify the sender's e-mail and server received: lines, add random characters, and exploit proxy servers and open relays. When you finally report the spammer to the appropriate abuse desk, the spammer has either been kicked off, changed ISPs, or (worse) is allowed to continue spamming.

While SpamCop automates spam tracking and reporting, spammers still have the upper hand. Users who don’t fully understand headers might send an e-mail to every address that SpamCop recommends, making admins of non-offending domains more likely to ignore SpamCop reports in the future. SpamCop can only submit open relays for testing and check to see if mail originated from blacklisted domains; it can’t actually prevent mail from coming from them in the future.

A well-thought out bounty system would:

• Encourage Spam Reporting: Users tend not to know how or where to report spam. Bounties could give end users get a monetary reward for tracking down spammers. Those who didn't have time could pass it off to someone else who'd properly follow up on it.
• Shift Cost on Spammers: It only takes 1 in 100,000 to reply for a spamming to pay off. End users (not spammers!) pay for spam in lost time, cost of buying spam filters, poor ISPs, or lost e-mail account. Making spammers pay the cost of catching them radically changes the economics of spam.
• Give Spammers Due process: accused spammers would get due process, rather than having vigilantes blacklist them, DDoS, or “pull a Ralsky” (oh, the irony!).
• Lessen Collateral Damage. If network admins felt that they had a way to properly shutdown spammers, perhaps they could then move beyond the RBLs that adversely affect legitimate users.
• Improve ISP response: If each spam report represented money to the ISP, continued hosting of spammers would be less appealing than collecting a bounty. Should the ISP not care about abuse on their networks, surely their network admins would. Many ISPs might even have potential spammers post bond before being allowed to send out mail..
• Alleviate Prosecutors’ Time. If end users and bounty hunters did all of the gumshoe work, then prosecutors’ time could be used more efficiently.
• Make the US Spammer Free: One benefit to forcing spammers to move to other spam-friendly jurisdictions (say, the Caribbean) is that we make sure that those in US jurisdiction don’t export spam. Network admins could set up filters giving priority to mail originating in the US and countries with decent anti-spam laws.

It’s not difficult to imagine the tools bounty hunters would create if bounties were legalized. Imagine hitting a "report spam" button on your e-mail client. Hitting that button would report the spam to a bounty hunter, who would then track down the spammer. Once the bounty hunter got the money, s/he'd credit your PayPal account. Some might create spam honeypots to track spam to specific hosts running e-mail harvesters. And others might even create bots that automatically respond to spammers. (Judging by real correspondence to Nigerian scammers, could these scammers even tell the difference between a scammee and, say, an ALICE or Eliza bot?) Spammers could find the market on their identities frightening close to their current market on our live e-mail addresses.

Techies would soon make a game of hunting down spammers, joining anti-spam clans and tallying up spam “frags.” (Not a stretch, considering how much time is spent on projects such as SETI, Distributed.net, The Nigerian Spam Scam Contest, and NoMoreAOLcds.com) Spammers, eager to make a quick buck, might even start entrapping and turning on each other. ISPs might consider giving free service to those who took the time to track down spammers.

A bounty system could fund a larger centralized spammer database, which might help improve some of the limitations of Stanford Law Professor Larry Lessig proposed $10,000 bounty on spammers (of which he has wagered his job). A centralized database would allow us to select those who did more than $10,000 worth of damage—those who use real e-mail addresses (possibly yours?) as their reply-to, repeat offenders, and those who willingly sell the e-mail addresses of those asking to be removed. Once we selected the worst offenders, we could prosecute them differently.

Simple things such as submitting class assignments, ordering groceries, writing checks, and paying bills via e-mail should not be exclusive to those who can afford good ISPs and/or client plugins. As e-mail becomes an integral part of our lives, it becomes increasingly imperative that we make available anti-spam solutions to everyone. Bounties point us in that direction, without catching legitimate users in the crossfire.

This editorial was written by Roger E. Rustad, Jr. (scubacudaNO&SPAMiname*com) Other GrepLaw contributors no doubt have very different opinions on the best way to fight spam.