The next time you can't sleep and can't summon the energy to do something more useful, try this simple experiment: go to social news site Digg, go to the Upcoming Stories section, and count the number of stories that have obviously been submitted by companies promoting their own websites. For a bonus, count the number of stories each has submitted.

What you'll probably find is that the Upcoming Stories section is alive with spam. Currently, for instance, the Upcoming index contains dozens of stories from sites such as hotelnaukri.com, mybangaloreproperty.com, z4z.us, contentlog.com, and vipflux.com (to name only five) that are clearly being hurled at Digg as fast as the spammer's ratware permits. Add to the named domains the usual smorgasbord of blogspot.com spam blogs and AdSense farms, and you might wonder how anything worthwhile ever comes out of Digg.

The impressive thing about Digg is how well it copes with the onslaught. For all the stories about Digg spam, only a fraction of the incoming flood actually reaches the front page. Some combination of voluntary spam-reporting and Digg's implementation of the vote to promote pattern takes care of it all and serves up a buffet of stories which, if not to everyone's taste, at least seem to reflect the core interests of the Digg community.

Digg spam attempts are an instance of a more general trend, which can be summarized as If you build it, they will spam. Any successful Internet application will attract spammers trying to claw out their share of focused attention. For a while, there was quite a crop of porn spammers on del.icio.us, injecting ads for their sites into unlikely categories such as 'webdesign'. Every few days, someone with something to sell tries to auto-follow the entire twitter.com population in the hope that the ... is now following you notifications will encourage users to look at their website. On Myspace, I get weekly invitations from young ladies who want to be my special friend. A research paper about Facebook messaging estimates that 43% of Facebook messages are spam (which compares well with the state of email, now calculated to be 95% spam). And so on and so forth.

Some applications, such as Digg, have built-in mechanisms that allow them to cope well. Others, such as Usenet, don't, and end up getting spammed to the point of near-unusability. Many, such as email, exist in a kind of in-between state where spam is kept at arm's length by deploying more and more sophisticated countermeasures. The spammers never quite succeed in destroying the application, but spam remains a constant low-level irritation, like a lingering infection.

There's no shortage of proposed final ultimate solutions to the spam problem, many of which involve throwing out large numbers of desirable babies in order to drain tiny amounts of bathwater. Most of them also prove on inspection to be neither final, ultimate or indeed solutions. I won't add to the list but I will offer one hypothesis, which is that part of the reason spam is as bad as it is is because the Internet is poor in accountability mechanisms. Bad behavior seldom leads to any kind of punishment.

Justin Sullivan famously sang:

I believe in justice. I believe in vengeance.
I believe in getting the bastards, getting the bastards.

Occasional recent CAN-SPAM successes aside, we haven't had much luck in getting the bastards where spammers are concerned.

As I write this Digg's Upcoming pages are full of links to vipflux.com. There's every reason to believe that the owners of the site or someone who they hired to promote them is at work knowingly and systematically spamming Digg. That's anti-social behavior — degrading the usefulness of a shared resource for private profit — and it's hard not to feel that abuse of this kind shouldn't go unpunished.

But it's a safe bet that it won't. Digg allows you to mark posts as spam, which can lead to them being hidden from other users. But that's not punishment. At best, it frustrates the spammer's attempts to seed Digg with their adverts today. Even if Digg invokes the ultimate sanction, which is to ban a site from being submitted, the spammer can try again tomorrow with a new domain name. It's often been said that the reason email spam is so prevalent is because it costs nearly nothing to send. In the same way, there are nearly no costs attached to attempted spam. You make the attempt. If you succeed, you profit. If you don't, you shrug and try again. There's no penalty for spamming.

It's tempting to suggest that someone who systematically and knowingly tries to exploit other people's resources the way the Digg spammers do should forfeit the right of equal access to the free and open Internet. They should, so to speak, be banned from every decent club in town. They should become Internet pariahs. But in practice, in most cases, they don't.

Some mechanisms of this kind exist but they are limited. Having your IP space added to a blacklist or your domain listed in McAfee's SiteAdvisor is, to some degree, punitive. Your reputation has taken a hit in response to your bad behavior and to judge by some of the messages I get when I add someone's domain to my database, getting listed certainly feels like punishment. But initiatives of this kind are typically embryonic and uncoordinated.

Digg's auto-immune system and email filters defend against spammers in the same way that burglar alarms, security lights and stout locks on windows and doors defend against burglars. They aim to block the attempt so that the burglar gives up. But in the real world (as opposed to, say, the fantasies of A.E. van Vogt) we acknowledge that perfect defenses don't exist. Accordingly, society mandates prison sentences for burglars, whether to deter them by imposing a cost or simply to take them out of circulation.

Even on the Internet, we can't hope for a 'perfect' defense. At best, we might be able to achieve 'very good', and the shortfall is enough to encourage the spammers to redouble their efforts in order to 'sneak one through'. So there does seem to be scope for solutions that address the other side of the issue by using punitive measures to raise the costs of attempting to send spam.

Attempts to raise costs are not a new idea. Non-punitive cost-raising schemes such as email postage have been mooted and, usually, abandoned as unworkable. More specifically punitive responses, such as termination of domains used in spam, also impose a small cost on the spammer. The problem with such schemes, however, is that they impose a bigger cost on the entities responsible for implementing them — the ISP or registrar. A spammer can shrug off the loss of a $10 domain and be back in business half an hour later; the ISP has to pay the cost of manning an abuse desk and investigating the reports that come in. Reacting to abuse generates no revenue, so it's no wonder that spam reports seldom seem to get much of a response.

The question is, what kind of punitive measures are both practical to implement and effective in imposing a non-trivial penalty for bad behavior? And could we come up with something that not only works but can't be subverted or misdirected to attack the innocent? In other words, do we have any real way of getting the bastards, or should we just concentrate our efforts on building better burglar alarms and deadbolts?