Seeking a solution to the spam scourge, the Federal Trade Commission has turned to frontier justice of the Old West. In a report issued Thursday, the FTC explores whether bounties might aid in the enforcement of last year's Can-Spam Act.
The report, prepared as required by the spam law, takes a cautious approach. It warns of the difficulties of enlisting the public as spam fighters.
The major hurdles cited are locating the spammer, gathering evidence that will stand up in court, and implementing a reward program that offers enough money to justify the risks involved without creating burdensome administrative costs.
Provided those difficulties can be dealt with, the FTC offers a cautious endorsement of the idea, saying that a reward system "might improve the effectiveness of Can-Spam enforcement."
According to Allen Hile, an assistant director in the Division of Marketing Practices at the FTC, federal bounty programs have met with mixed success.
A companion report on the FTC's site, prepared by Marsha Ferziger Nagorsky, director of internal communications and a lecturer in law at the University of Chicago Law School, notes that the IRS bounty program has done particularly well.
"In the first 30 years of the program, more than 17,000 informants snitched for the IRS, collectively earning over $35.1 million," she writes. "The IRS benefits as well; it recovered more than $2.1 billion in unpaid taxes during those 30 years because of the program."
A reward program run by the Securities and Exchange Commission to nab inside traders has proven less effective, with only three bounties awarded in the decade it has been in existence.
The FTC report suggests that, owing to the difficulty of accurately tracing spam messages, insiders are the people most likely to identify spam senders. The challenge thus becomes making the reward more lucrative than the crime.
"The calculus has to be enough so that people come forward," says Hile, who adds that a bounty program won't become a reality without funding.
A second companion report on the FTC site, prepared by Dan Boneh, an associate professor in computer science at Stanford University, explores the problems with tracking spammers. In his conclusion, Boneh briefly mentions future anti-spam technologies that may have an impact on spammer identification, including Microsoft's Sender ID e-mail authentication scheme and Yahoo Inc.'s DomainKeys.
"At this point, it is not clear whether these technologies will eventually be deployed, nor is it known how they will affect spammer's [sic] behavior," he writes.
What is clear is that authentication isn't getting easier. America Online said Thursday that, in light of the open-source community's rejection of Sender ID, it would no longer fully deploy Sender ID. While AOL will publish Sender ID records for outbound mail, it will only check inbound mail for SPF records.
"AOL remains committed to testing authentication technology in the real-world environment of large-scale ISPs," the company said in a statement. "SPF is the 'low-hanging fruit' in the authentication debate and, given the momentum and common ground with the SPF protocol, is the logical first step in the journey to combat spam."
AOL notes that it started publishing SPF records in December and that with its support and advocacy, more than 100,000 domains now publish SPF records.
Avner Amram, executive VP of anti-spam company Commtouch Inc., says the majority of domains publishing SPF records belong to spammers.