Stopping spam is an almost futile effort if the focus continues to be on spam filtering and botnet takedown, according to a research team from the University of California, San Diego, the University of California, Berkeley, The International Computer Science Institute and Budapest University. These measures are like cutting a head off a hydra, because spammers quickly find ways to replace lost resources.
Instead, the researchers conclude, the inbox-clogging and frequently malware-laden messages spammers deliver should be combated by cutting off the spammers' payment processors so they can't get their money. The research, titled "Click Trajectories: End-to-End Analysis of the Spam Value Chain," was presented this week at the IEEE Symposium on Security and Privacy 2011 in Oakland, California. The researchers looked at the ecosystem of a spam operation by setting up a network to receive spam and examine the supply chain involved.
"It is the banking component of the spam value chain that is both the least studied and, we believe, the most critical," researchers state in the paper. "Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem."
The research notes that only a small number of banks are willing to knowingly process what the industry calls "high-risk" transactions. In fact, just three banks, which are located in Azerbaijan, Denmark and the Caribbean island of Nevis, provided the payment servicing for over 95 percent of the spam-advertised goods in the study. The researchers even went as far as to purchase spam-advertised goods in order to find out who the payment processors are. Finding a way to stifle the operations of a payment processor would be a much more disruptive action than domain blocking, the researchers note.
"The replacement cost for new banks is high, both in setup fees and more importantly in time and overhead," the paper states. "Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay."
The onus to stop payments would ultimately be on Western banks, the researchers conclude.
"If U.S. issuing banks (i.e.,banks that provide credit cards to U.S. consumers) were to refuse to settle certain transactions (e.g., card-not-present transactions for a subset of Merchant Category Codes) with the banks identified as supporting spam-advertised goods, then the underlying enterprise would be dramatically demonetized. Furthermore, it appears plausible that such a "financial blacklist" could be updated very quickly (driven by modest numbers of undercover buys, as in our study) and far more rapidly than the turn-around time to acquire new banking resources --a rare asymmetry favoring the anti-spam community. "