Spam comprises upward of 80 percent of incoming e-mail, despite monumental efforts by help desks and security software companies to defeat it. The reason spam volumes continue to grow is that such efforts are often misplaced and fail to hit spammers where it hurts. Instead of trying to shut down the hydralike tangle of Web servers that route spam to our in-boxes, a much more focused attack should be made to disable payment for the goods (Viagra pills, Bosley hair loss treatment, Space Bag storage, etc.) that spam is used to advertise, according to a team of researchers presenting their findings Tuesday at IEEE Symposium on Security and Privacy in Oakland, Calif.
"If you spend a bunch of money trying to plug some technical hole that has very little business impact on the bad guys, then the enterprise will continue," says Stefan Savage, an associate professor of computer science and engineering at the University of California, San Diego, (UCSD) and lead author on the study, "Click Trajectories: End-to-End Analysis of the Spam Value Chain."
When viewed as a supply-chain pipeline, it becomes clear there are many moving parts that enable a successful spam campaign. Most important to the vendor behind the deluge of unsolicited e-mails, however, is getting paid. The researchers determined that it is very difficult and disruptive for spammers to open a new account with a new bank if their current bank decides to stop authorizing or settling their customers' credit or debit card transactions. It can take days for a merchant behind a spam campaign to find a new bank, says Savage, also director of UCSD's Collaborative Center for Internet Epidemiology and Defenses.
Compare this with a more common approach to cut down spam—blocking spammers' Web addresses. "With domain names, where much effort is expended to shut down [Web sites] of companies selling goods via spam campaigns, the number of alternatives is just enormous," Savage says. "There are thousands of registrars they can buy domains from." The switching cost is very cheap and it takes only hours to acquire a new domain, so the impact on spammers is very small.
As part of their research, Savage and his team set up a dummy network to receive e-mail at various usernames and monitored inbound traffic for spam, focusing on the Web addresses embedded in unwanted e-mails. Those addresses clued the team onto the next step in the supply chain. "If you buy a lot of goods, you can look to see who's using the same suppliers," he adds. The researchers also learned a lot about spam campaign supply chains by actually buying hundreds of spam-advertised goods worth about $4,000 and then studying their own credit card statements, which provided transaction details that helped identify the banks collecting payments for spam-advertised goods.
Surprisingly, the researchers received most of the goods they ordered. "A lot of people think of this as something where they steal your money," Savage says. "In fact, that's not the case. When you make purchases, you get the product in return."
The researchers have provided their findings to regulatory agencies—including the U.S. Food and Drug Administration, Federal Trade Commission and Department of Justice—and various companies owning brands sold via spam, according to Savage. "In the end, with respect to any kind of political or regulatory intervention, that is not something we are in a position to lead," he adds. "I predict there will be nervousness about [our] approach, both from financial institutions who probably have a vested interest in not having a lot of regulatory forbearance in the payment field but as well on the civil liberties side where there are justifiable concerns about using global payments as a vehicle to enforce public policy."
Savage, who specializes in novel cyber-security research such as projects to determine whether car computers can be hacked and house keys can be copied using digital images, emphasizes that his team's goal has been to take a holistic view of spam, in particular the economics that drive it, rather than seeing it purely as a computer security problem. From here, it is up to policy-makers to determine whether the benefits of attacking spammers' income stream outweigh any political obstacles.
Image courtesy of Felix Möckel, via iStockphoto.com