To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39124098,00.htm

Will 'bounty' scheme stop spammers?
FTC considers putting a price on their head...

By Will Sturgeon

Published: Friday 17 September 2004

The US Federal Trade Commission is considering offering bounties of as much as $250,000 on spammers in an attempt to bring more of them to justice.

The FTC has grown frustrated at the low number of convictions relating to the sending of unsolicited email and believes a bounty on the heads of the most prolific spammers may be the incentive informants need to provide concrete information on the identity and whereabouts of the elusive criminals.

The FTC claims the biggest hurdles to gaining convictions are tracing and identifying the spammers and proving their individual liability.

While detective work can often uncover circumstantial evidence the Commission believes it needs sworn testimony from insiders who will 'rat out' spammers for money.

Paul Wood, chief information security analyst at MessageLabs, confirmed that the identities of some of the world's most prolific spammers, those holed up in Boca Raton, Florida, are known but making prosecutions stick is almost impossible.

Spammers are highly proficient at covering their tracks through a variety of means such as the use of hijacked machines and open relays.

A report on the proposed scheme said: "It is sometimes possible to identify similarities in factual patterns found in spam messages, websites and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions."

"The Commission believes that, lacking subpoena power, cybersleuths cannot obtain and supply to the Commission admissible evidence of a spammer’s identity, whereabouts, or level of illegal activity. Insiders are the only parties privy to this information.

But making those insiders come forward is not easy - though sacks of cash would go someway to lessening the difficulties.

"How much cash would be enough to overcome potentially powerful disincentives that weigh against coming forward?" asked the report.

"These disincentives include fear of losing a lucrative stream of income, fear of incurring personal legal liability and fear of loss of anonymity, perhaps resulting in personal retaliation."

The closest reference point for the scheme is probably the $250,000 bounty which Microsoft put on the heads of the virus writers behind MyDoom and Sasser.

But MessageLabs' Wood isn't convinced the two can be compared, or that this initiative will achieve its goal.

"It sounds like a great idea in theory, but I don't think it will work in practice," said Wood.

"When Sven Jaschan was arrested for writing Sasser it was because he had been bragging to friends and boasting about it in chatrooms. The organised gangs behind much of the spam we see in our inboxes aren't boastful teenagers and they won't make those kinds of mistakes," said Wood.

To date the FTC has brought just 63 spam-related cases against individuals.