Would blacklisting banks stop spam? Consider these statistics: 14.5 billion spam emails are let loose every day; spam comprises a sizable chunk of all email; and spam will cost businesses over US $20 billion in 2011.
Besides that, the staying power of spam has fooled many. Bill Gates, for one. He said, back in 2004: "Two years from now, spam will be solved."
I’m told that business-wise, spam abides by the same rules afforded other methods of advertising. If it leads to sales and eventual profits, like oil, spam will flow.
If that’s true, people are buying spamvertized products. I mentioned this to my son. He provided some chilling insight: “Apparently, there’s a market and what we are doing now sucks. So, Dad, how do you plan on stopping it?”
I have no idea. Fortunately, a group of academics from the University of California Berkeley, the University of California San Diego, and Budapest University of Technology and Economics may have.
A major goal of their paper, "Click Trajectories: End-to-End Analysis of the Spam-Value Chain," is to "identify any 'bottlenecks' in the spam-value chain: Opportunities for disrupting monetization at a stage where the fewest alternatives are available to spammers."
Simple, yet entirely feasible: Follow the money.
The team’s first step is to divide the events involved in a spamvertised purchase into the following steps:
- Advertising: Activities focused on reaching potential customers and enticing them into clicking on a particular URL.
- Click support: Recipients who respond by clicking on a link or embedded URL.
- Realization: The transaction event between the customer and the seller/spammer or the party who hired the spammer.
Knowing what to look for, the team captured a bunch of spam. Next, the researchers made 100-plus purchases in three categories: pharma, replica (for example, fake watches), and software from spam-advertised sites unearthed in the captured data.
"We attempted to place multiple purchases from each major affiliate program or store 'brand' in our study and, where possible, we ordered the same 'types' of product from different sites to identify differences or similarities in supplier," the researchers said.
In all, there were 13 different suppliers. All but one of the pharmaceutical shipments came from India. Every one of the replica purchases came from China. There were no clear-cut trends when it came to software purchases.
One of the group's purchases, according to Professor Stefan Savage, was a response to spam email soliciting male-enhancement drugs, graciously delivered by the Grum botnet.
For this sale, the researcher’s Visa payment was accepted by a bank in Azerbaijan. Oddly enough, all the pharmaceutical purchases went through either the Azerbaijan bank, or a bank in Latvia. Something else was strange. Even though a total of 13 banks were mentioned in the credit card statements, just three banks stood out. They processed 95 percent of the transactions.
Could this be a bottleneck? Possibly. Of the three processes, realization shows the most potential for being the pinch point. "The payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public-policy action in Western countries," the researchers said.
I understand the mention of changing public policy. Many things about spam are illegal, as Dr. Savage points out: "In the US, spam itself is illegal if not compliant with the CAN-SPAM act. Moreover, most spam is delivered via botnets, a violation of statutes in most countries."
Savage adds: "Most products we studied are illegal to sell in the US, because of issues surrounding intellectual property, selling without a license, and prescription drug regulations."
As for my son’s question, the research team discovering a heretofore unknown piece of the spam puzzle moves us closer to a solution.
— Michael Kassner is a writer and consultant specializing in information security.