Cutting Down on Spam

Researchers find that the weakest link in the spam chain is the banking component

7 October 2011

spam Illustration: Gino Crescoli/iStockphoto

Despite e-mail filters, spam has become an often annoying part of our daily lives. Each day, many of us sift through a deluge of unwanted messages that find their way along with the good stuff into our inboxes. From advertisements for pharmaceuticals to discounted golf balls, the spam trail can seem endless. But what if there were a way to put a chokehold on all that junk mail? 


A group of researchers from the University of California, San Diego; University of California, Berkeley; and the International Computer Science Institute has found a way to do just that—by hitting spammers where it hurts most: their wallets. The team, which includes IEEE Member Stefan Savage, a professor of computer science and engineering at UC San Diego, has spent the past few years looking for what they call a “choke point” in the spam trail that could, once pressure was put there, greatly reduce the amount of spam we get. They presented the results of their study in May at the annual IEEE Symposium on Security and Privacy, in Oakland, Calif.


“Our goal was to map out the full ‘value chain’ of spam, which is the set of resources that are necessary for a spam e-mail to ultimately bring in money,” Savage says. “Our hope was to identify which parts of this value chain were the most constrained and might be good targets for intervention.” 


HOW SPAM WORKS
Before you can stop spam, it’s critical to understand what it is and how it works. “We may think of e-mail spam as a scourge—jamming our collective inboxes with tens of billions of unwanted messages each day—but to its generators it is a potent marketing channel that taps latent demand for a variety of products and services,” Savage and the researchers wrote in their paper “Click Trajectories: End-to-End Analysis of the Spam Value Chain." 


The spamming process itself is quite complicated, the researchers noted. “Each click on a spam-advertised link is in fact just the start of a long and complex trajectory, spanning a range of both technical and business components that together provide the necessary infrastructure needed to monetize a customer’s visit,” they wrote. “Botnet services must be secured, domains registered, name servers provisioned, and hosting or proxy services acquired.”


Who are the spammers behind all this work? They’re typically people who know how to write ads that hook would-be purchasers, Savage explains. Instead of selling products, they work for various groups known as affiliate programs. These groups make domains—which allow spammers to profit from a click on a link—available to the spammers. “The affiliate programs pay the spammers a commission (between 40 and 60 percent of a selling price), for each customer whose click-through on a spam link leads to a sale,” he says. “The affiliate programs provide the ‘storefronts,’ such as websites selling pharmaceuticals or Rolex watches, and handle payment processing and fulfillment.” Each affiliate program may have hundreds of spammers who spam through e-mail, blogs, search engines, and more.


GETTING TO THE ROOT

To find weaknesses in the so-called spam value chain, the team spent three months trying to receive as much spam as possible using spam feeds from a variety of resources like anti-spam companies and captive elements of botnets. They then made purchases from the websites advertised in the messages. After looking at almost one billion spam e-mails and spending several thousand dollars, the team found something surprising.


“There is a small set of banks that handle the credit card transactions for virtually all spam-advertised goods—in particular pharmaceuticals, luxury goods, and software,” Savage says. This was the choke point the researchers were looking for. 


“It is the banking component of the spam value chain that is both the least studied and, we believe, the most critical,” according to the study. They found that 95 percent of the credit card transactions were handled by only three financial companies, in Azerbaijan, Denmark, and Nevis, in the West Indies. If such companies refused to authorize online credit card payments to the merchants, this would put a chokehold on the money that supports the spam industry. 


And it would be relatively simple to do that, according to Savage. “Discovering which banks are used by a particular affiliate program is quick and cheap,” he says. “Thus, intervening at this tier of the value chain potentially provides a rare advantage for the good guys.” There are two ways of doing this. One would involve helping credit card companies to block spam transactions by identifying the merchant accounts used by spammers, and refuse to do business with them. Another way is to pressure the banks that issue credit cards, like Visa and Mastercard, to block transactions with the banks handling the spam transactions. 


NO TOTAL END IN SIGHT
So far, no organizations have taken action to prevent the choke-point banks from continuing to process the spam transactions. Even if they do, Savage doesn’t see an end to spam anytime soon. Among the reasons are that “we do not have a unified and consistent view of what should be called spam,” he says. “Does it mean unwanted commercial e-mail, mail that is not in compliance with particular laws (that vary by country), mail sent via botnets or other illegal means, or unwanted mail selling certain kinds of goods and services?”


However, e-mail spam may in the future receive less attention from spammers who will next zero in on increasingly popular methods of communication like social media and text messages, Savage predicts. Either way, spam is here to stay, in one shape or form or another.


“In the end, spam is all about advertising, which is not going to go away,” Savage told The Institute. “However, I think there are reasons to be optimistic. In the future, we’ll be able to keep certain kinds of spam from being successful at a large scale.” 


Learn More