Where Does Spam Come From ?
>
Crazy giant study on spam where authors disable spam filters and bought everything offfered to them:
Abstract—Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam interventions focus on only one facet of the overall spam value chain (e.g., spam filtering, URL blacklisting, site takedown). In this paper we present a holistic analysis that quantifies the full set of resources employed to monetize spam email— including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.
>
Source:
Click Trajectories: End-to-End Analysis of the Spam Value Chain
Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Mark Felegyhazi, Chris Grier, Tristan Halvorson, Chris Kanich, Christian Kreibich, He Liu, Damon McCoy,
Nicholas Weaver, Vern Paxson, Geoffrey M. Voelker, Stefan Savage
UC San Diego, UC Berkeley, International Computer Science Institute, Laboratory of Cryptography and System Security (CrySyS), Berkeley, CA and Budapest University of Technology and Economics
Tweet
Facebook
Reddit
Digg this!
May 28th, 2011 at 7:41 pm
So, there is more to it than Boris spamming the globe from his Ukranian basement!
May 28th, 2011 at 9:15 pm
I’m one of the authors, feel free to ask me questions.
And yes, its more than Boris spamming from his basement: there are a lot of moving parts that all need to work to sell that, umm, pharmaceuticals over the Internet.
May 28th, 2011 at 10:45 pm
As I understand it, there were three banks that were financing the “spam” business because the payment transaction fees were lucrative. If these banks didn’t support the spammers, would their business dry up?
May 28th, 2011 at 11:02 pm
Most of the spam comes from Koy4goff. The Onion has been covering this for a few years.
http://www.youtube.com/watch?v=_f9oJikx0-I
May 28th, 2011 at 11:25 pm
Mower County, Minnesota.
May 28th, 2011 at 11:59 pm
Nick Weaver: Nice job! I’m glad the spam problem hasn’t yet come to my cell phone (knock on wood.) Though I bet interested parties would just love to crack that arena.
May 29th, 2011 at 1:34 am
Thanks to Barry for posting this and Nick et al for the study–especially your conclusion that domestic VISA/MC could put a big dent in the spam problem.
May 29th, 2011 at 6:38 am
I wonder what research there is on the psychology on the people who (not tricked) actually click.
May 29th, 2011 at 8:49 am
Spamming seems to be an unwanted invasion of sorts. How is it that it is acceptable practice? How is it that it is not illegal with significant punitive consequences?
May 29th, 2011 at 9:59 am
I got a computer generated “lower interest rate” call on my cell yesterday which is on the do not call registry, they’re coming at us from all directions!
May 29th, 2011 at 10:09 am
jbmoore61: Correct. 95% of the payments of our targeted purchases (we tried to buy from every major affiliate program after identifying the programs) cleared through just 3 banks.
One of those banks has stated that it has stopped already: https://twitter.com/#!/dnbnor_hjelp/status/73305600066461696 (in english)
http://www.facebook.com/DnBNOR/posts/229307870419535 (use google translate)
The spammers may find a replacement bank soon, but there are only so many banks out there who will deal with these types of customers: they are pretty high-risk for a bank to deal with.
lunartop: Look for our subsequent paper in Usenix Security for some of this. “Show Me the Money: Characterizing Spam-advertised Revenue.”
louiswi: It is clearly illegal on a bunch of fronts. The spam itself is illegal. The spam is sent by compromising peoples’ computers, which is even more illegal (in the hundred-thousand-felony-count indictment level).
The products being sold to US customers are being sold illegally (it may be legal elsewhere, but its not legal to ship any of their primary sales products into the the US.), and are not being shipped legally (the packages are often disguised and contents are not being declared for customs, because if it was, customs would destroy the shipments).
May 29th, 2011 at 12:00 pm
NWeaver, some one with magical force needs to get this intel into the spotlight, be it NPR, PBS, Brian Williams at NBC, etc. (If I was any good at smoke signals I’d do it.)
May 29th, 2011 at 12:31 pm
Tomahawk: Thats been happening.
The article got written up in the New York times ( http://www.nytimes.com/2011/05/20/technology/20spam.html ), its been covered on NPR ( http://www.npr.org/2011/05/26/136690513/study-may-shed-light-on-how-to-stop-spam ), a few local news programs (both radio and TV), people in our group happily responds to press contacts [1], its gotten onto the NY Times editorial page today ( http://www.nytimes.com/2011/05/29/opinion/29sun3.html ), etc.
[1] any press? Email nweaver at ICSI do Berkeley dot EDU and I’ll happily forward you on to who to talk to.
May 29th, 2011 at 12:36 pm
EXCELLENT!
When you mentioned above about one of the banks stopping already, I did notice a drop-off in my daily spam dose. I immediately wondered what was up? Now I know.
Thanks again!
May 29th, 2011 at 2:52 pm
Thank you for the reply!
There seems to be a software solution for this. I’m a novice in software so forgive me for being presumptuous on this.
My outlook for example has a button for “this is spam”. Why couldn’t there be automatic routing to some enforcement group for this function? Surely the ISP or other email software providers could incorporate such software. If I click the “this is spam” button, it should automatically go into a complaint file for prosecution. Am I too naive on this subject?
May 29th, 2011 at 6:21 pm
The banks seem geographically diverse enough that dealing with them is pretty much a whack-a-mole proposition. On the other hand, Banks are required to adhere to some very specific rules and regs from Visa, and my guess is that somewhere in that contgract there’s a provision to ddeal with these kinds of transactions. Anybody from Visa read this blog??
May 29th, 2011 at 7:11 pm
This is interesting work but it’s hardly a recipe for ending
all spam. Only a fraction of spam is advertising for direct
sales. There is spam containing malicious payloads, spam with
links trying to get users to visit sites that will infect their
PCs (“hey, look at this!), and many scams like phishing, Nigerian
princes, and London mugging victims, to name but a few. There
is even a percentage of spam that contains no payload, no links,
no advertising or any other coherent message — just gibberish.
Shutting down these banking outlets may curtail some spam, and
perhaps that should be done, but it’s just the low-hanging fruit.
Close these avenues and other payment vectors will be found.
The ultimate wellspring for spam is human greed and stupidity,
of which there is an apparently inexhustible supply.
The best thing about e-mail is that anyone, anywhere on the
planet, can send it to you. The worst thing about e-mail is
that anyone, anywhere on the planet, can send it to you.
@louiswi
Yes, you are naive.
I, as the owner of Curmudgeon Widgets, contract a bot-net to
send out millions of spam messages advertising Louiswi Widgets
with your correct web site & phone number. There’s even a
long-standing Internet meme for this: “joe job.”