Study Sees Way to Win Spam Fight
By JOHN MARKOFF
Published: May 19, 2011
For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, "spamalytics," to describe their work.
Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages.
The hope, the scientists said, was to find a "choke point" that could greatly reduce the flow of spam. And in a paper to be presented on Tuesday at the annual IEEE Symposium on Security and Privacy in Oakland, Calif., they will report that they think they have found it.
It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies: one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.
The researchers looked at nearly a billion messages and spent several thousand dollars on about 120 purchases. No single purchase was more than $277.
If a handful of companies like these refused to authorize online credit card payments to the merchants, "you'd cut off the money that supports the entire spam enterprise," said one of the scientists, Stefan Savage of the University of California, San Diego, who worked with colleagues at San Diego and Berkeley and at the International Computer Science Institute.
Visa, the largest credit card company, declined to comment. But Steve Kirsch, chief executive of Abaca Technology, an antispam company based in San Jose, Calif., said the findings held the potential for "a very powerful deterrent" to spammers.
"If the credit card companies wanted to shut down the spammers, we can easily aid them in rapidly and unambiguously identifying the merchant accounts used by spammers," he said.
Spam has proved notoriously difficult to defeat over the years, despite sophisticated filtering technologies and legal investigations and convictions. Seven years after the famous prediction by Bill Gates, then chairman of Microsoft, that spam would be eradicated in just two years, about 90 percent of all e-mail is spam.
An earlier study undertaken by the scientists showed that a single commercial spam e-mail campaign generated three messages for every person on the planet. That same study revealed that to sell $100 worth of Viagra, a spam provider needed to send 12.5 million messages.
"In the end, spam is an advertising business," Dr. Savage said in an interview. "However, it only makes sense if you can find a way to take people's money.
"This means credit cards. Credit cards are the only payment platform that is ubiquitously available to Western consumers and can be used for Internet commerce."
Merchants must work with a bank that is authorized to handle the transactions, he said, but most banks already refuse to work with shady sellers. If the financial companies like those found in the study would follow suit, then spammers would have to find new banks, and the cost of switching would be high. Moreover, it is difficult to mask high-risk transactions, making it relatively easy to maintain blacklists.
"It is the banking component of the spam value chain that is both the least studied and, we believe, the most critical," the researchers write.
The computer scientists say that because the spam system relies on just a few banks and an even smaller number of credit card processors, the business is highly vulnerable to disruption by regulators and law enforcement agencies.
Moreover, legal pressure is increasing on other advertising channels used by online pharmacies. Last week Google reported in its quarterly financial statement that it had set aside $500 million to resolve a Justice Department criminal investigation into the company's practice of accepting advertising from online pharmacies.
In their report, the University of California researchers looked at a campaign organized by a brand named Pharmacy Express, part of the Mailien marketing group, based in Russia.
On Oct. 27, 2010, for instance, a network of zombie computers called the Grum botnet delivered an e-mail with "Viagra Official Site" in the subject line. Users who responded to the message were directed to a Web site that had been registered nine days earlier.
The Internet system that supported the Web site was spread around the globe: the domain registrar was in Russia, the server computer was in China, and a proxy server computer was in Brazil. When a purchase was made from the Web site, the shopper was redirected from a computer in Turkey to the Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan. The drugs themselves were sent directly from a manufacturer in India.
The weak link in the system, the researchers noted, was that the Visa payment system handled the transaction between the customer's bank in the United States and the bank in Azerbaijan.
Efforts to contact the Azerigazbank and the Mailien marketing group were unsuccessful.
By blocking the transactions at the point at which the consumer uses a credit card, it is possible to shift the burden of cost to the spammer.
"The defenders can, in principle, identify which banks the scammers are using far faster than they can get new banks," Dr. Savage said, "and for basically zero cost."