Solving the spam problem

Last week, I read Ed Falk’s blog post on The Spam Diaries where he commented on a possible solution to the spam problem.  He himself was commenting on a study done by researchers out of the University of California where they discovered that credit card transactions for stuff bought in spamvertisements are handled by three companies: one in Azerbaijan, one in Denmark and one in the West Indies.  Presumably, if security experts and law enforcement went after these companies, spammers would have their financial supply cut off.  No money = no incentive to spam.

Most anti-spam experts believe that cutting off the financial chain is akin to disabling botnets.  After an initial disruption, spammers would simply move on to another credit card processing company, similar to the way they rebuild their botnets.

It’s not quite that simple for the spammers.  For a spammer to rebuild their botnet, they have to send around new malware and compromise many tens of thousands of users.  The pool of available candidates is huge, in the millions.  When it comes to processing their financial transactions, there are a lot fewer parties doing it.  How many companies in the world provide that service?

In malware and spam, the resources that spammers use are unknowing victims.  I’m going to give these credit card companies the benefit of the doubt and assume that they don’t know that their services are being used as a pivot point in online fraud.  The owners of the servers in the United States didn’t know that they were hosting C&C servers for the Rustock botnet, and most of the higher-ups in Abbottabad didn’t know that bin Laden was in their backyard (I’m still using bin Laden to drive traffic to my site; still not working).  But as soon as they were informed, they suddenly became a lot more vigilant (like everyone else).

Getting the money out of their scamware is one of the major bottlenecks for spammers.  They can’t just transfer huge sums of money overseas because law enforcement agencies are looking for that sort of thing.  They would be detected.  Reducing the number of eligible bottlenecks for spammers makes it less cost-effective to send spam.  So while they could always go somewhere else, the fact is that they have to get the money out somehow, and if they can’t get the money out and it’s a pain to go elsewhere, maybe that could have an effect on the spam problem.

It’s entirely possible that the companies that are processing spam payments are not complicit, just inept.  They don’t know that they are assisting all this online fraud and have limited budgets with a paper-thin IT staff that knows little about security.  If law enforcement came knocking on their door, they’d either straighten up and fly right quickly or else risk being shut down.  Getting shut down is bad for business.

Thus, while my compatriots are pessimistic that this latest piece of research is meaningful, I have a different view.  I think that if the financial chokepoints of spammers were cut off, they’d… hmm… would they really go away?

Now I’m not sure.

Comments

  • Anonymous
    May 28, 2011
    I certainly think the research has been useful. If not to reduce the harm spammers do, then to give those fighting against spam a better idea of the way spammers work. Would you have guessed that almost always the spammers bother to send something? I certainly wouldn't. One of the three mentioned banks, the "Danish" one (which is actually the Latvian branch of Norwegian bank DnB Nord) already stopped working with their spamming customers.

  • Anonymous
    May 30, 2011
    I feel the most likely success would be through placing 'informants', i.e. honeypots, which capture the spam early on, follow the trail, order the goods, and then shut down the bank that processes the cc transaction. If done immediately every spam run, they will get tired eventually. If they find out who is fishing for their phishing, of course, they could end up with Egor, sleeping with the fishies.

  • Anonymous
    June 17, 2011
    Excellent idea... Am I the only one who thought of Clancy's Clear and Present Danger? Don't just shut down their source, grab the money!