Want to stop junk email? Block payments to spammers, says study

A team of researchers examined the spam supply chain and finds cutting off payments for spammed goods will be the most effective way to stop the overwhelming influx of nuisance emails

. What's this?

By , Senior Editor

May 25, 2011CSO

Stopping spam is an almost futile effort if the focus continues to be on spam filtering and botnet takedown, according to a research team from the University of California, San Diego, the University of California, Berkeley, The International Computer Science Institute and Budapest University. These measures are simply like cutting the head off of a hydra monster, because spammers quickly find ways to replace lost resources.

Instead, combating the in-box clogging, and frequently malware-laden, messages spammers deliver should be done by cutting off the spammer's payment processors so they can't get their money, the researchers conclude. The research, titled Click Trajectories: End-to-End Analysis of the Spam Value Chain, was presented this week at the IEEE Symposium on Security and Privacy 2011 in Oakland, California. The researchers looked at the ecosystem of a spam operation by setting up a network to receive spam and examine the supply chain involved.


{ See also: 5 tips to avoid getting phished}


"It is the banking component of the spam value chain that is both the least studied and, we believe, the most critical," researchers state in the paper. "Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem."

The research notes that only a small number of banks are willing to knowingly process what the industry calls "high-risk" transactions. In fact, just three banks, which are located in Azerbaijan, Denmark and the Caribbean island of Nevis, provided the payment servicing for over 95 percent of the spam-advertised goods in the study. The researchers even went as far as to purchase spam-advertised goods in order to find out who the payment processors are. Finding a way to stifle the operations of a payment processor would be a much more disruptive action than domain blocking, the researchers note.

"The replacement cost for new banks is high, both in setup fees and more importantly in time and overhead," the paper states. "Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay."

The onus to stop payments would ultimately be on Western banks, the researchers conclude.

"If U.S. issuing banks (i.e.,banks that provide credit cards to U.S. consumers) were to refuse to settle certain transactions (e.g., card-not-present transactions for a subset of Merchant Category Codes) with the banks identified as supporting spam-advertised goods, then the underlying enterprise would be dramatically demonetized. Furthermore, it appears plausible that such a "financial blacklist" could be updated very quickly (driven by modest numbers of undercover buys, as in our study) and far more rapidly than the turn-around time to acquire new banking resources —a rare asymmetry favoring the anti-spam community. "

Read more about data protection in CSOonline's Data Protection section.

Other stories by Joan Goodchild

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER