A rather large collaborative work from the people who brought you Spamalytics was presented this week at the IEEE Symposium on Security and Privacy (known in the field simply as Oakland). The paper represents a new direction in academic research on the spam problem: following the value chain of the products advertised in spam back to the people selling them. This is a refreshing viewpoint in software security and network abuse research. You can fight the problem with technical means, in an ever-escalating arms race of Bayesian filtering, glitchy graphics, fast-flux DNS and bot blacklisting, or you can recognize that the problem is with the people behind the scams, and see what can be done about their motivation: the money. After all, there wouldn’t be money to pay for all that shiny black-hat kit without people buying cut-rate Viagra in the first place.
A key finding of the paper is that going after heavy hitters in trying to take down spam yields better results for name servers (where the top 10 name server ASs cover about 65% of spam names) than for site hosting (top 10: 45%), and still better for takedown at the registrar level (top 10: 80%). However, with 95% of all credit-card payments for spammed products clearing through just three merchant banks, it appears that the comparative complexity of takedown at this level might be offset by the asymmetric ease of dealing with so few targets. Of course, we then face the spectre of chasing the spammers from bank to bank, but we presume there is a relatively sophisticated monitoring and enforcement apparatus in place for doing this, as well; the US Department of Justice has had some success shutting down offshore gambling in part through following the banking footprint of the gambling operators.
Somewhat unusually for research into Internet misuse, the work has attracted press attention. The New York Times’ John Markoff, for one, has a decent summary with quotes from the lead author, resisting in the main the popular science press’ tendency to sell everything as a solution to something. The blogosphere has picked up on it, too. Notably, one of the authors demonstrates the more practical reality of the work in a comment on MetaFilter: “Had you told me when I came to grad school in computer science that I would be buying drugs, carrying burner phones and answering phone calls as names like ‘Sanjoy Sanchez,’ I probably would not have believed you.”
Research, as it turns out, isn’t all submission deadlines and LaTeX trickery.