If you want to stop spam then going after the banks and payment processors that enable their lucrative trade may be your best bet, according to research performed by a team from the University of California-San Diego, the University of California-Berkeley, and the Budapest University of Technology and Economics. After examining millions of spam e-mails and spam Web sites—and making over 100 purchases from the sites advertised by the spammers—the research team found that just three banks were used to clear more than 95 percent of spam funds.

Follow the money

Rather than focus on filtering spam at mail gateways and taking down botnets responsible for sending countless billions of junk e-mails, the researchers decided to focus on the heart of the problem: money. Spammers send spam because sending spam makes them money. That money comes from the online purchases of the products the spam advertises: drugs, counterfeit software, and knock-off merchandise.

By examining the entire chain from spam receipt to delivery of goods, the researchers found that in spite of the huge diversity in spams received—which poses a substantial problem for filters—and the vast number of URLs and domains used to direct people to the shady online vendors, there weren't that many ways for money to get into the spammers' hands. The spammers themselves generally serve only as advertisers, separate from the affiliate networks that provide online storefronts to manufacturers and distributors. The affiliate networks provide all the relevant technology to the manufacturers: shopping carts, analytics, and billing systems. The cut the spammers take is significant, typically 30-50 percent.

The researchers visited the URLs spammers sent them, following their redirects until they reached an actual online store. Almost one billion URLs were received in spam, but these led to just 45 different affiliate networks. The researchers made 120 purchases from the different affiliate networks to track the actual money. 76 payments were authorized by the credit card networks, and of those, 56 payments completed. 49 products were actually delivered.

Find the bottlenecks

At every part of the process, bottlenecks, where the behind-the-scenes infrastructure was much less diverse than the spam itself, were identified. The Rustock botnet, for example, was responsible for about a third of all spam sent globally, with the result that killing just one botnet caused a substantial drop in global spam levels. However, there are many other botnets able to take its place, which makes it hard to defeat spam by going after botnets alone. Affiliate programs were relatively few, with just 45 identified, but efforts to take these down have proven difficult in the past.

Web hosting and domain registration also showed up as significant bottlenecks, with more than 60 percent of spam domain registrations dependent on five registrars, and 50 percent of DNS and Web hosting spread across a few dozen hosts. However, these bottlenecks also prove difficult to seal off; though many hosts and registrars want nothing to do with spam operations, there are many hundreds of companies offering such services, and the cost of switching to a new host or registrar if often minimal. Even if some hosts can be taken down, the spammers will switch.

However, when it comes to banking, the bottlenecks are far more severe, and switching is far more difficult. One bank alone was used to settle more than 60 percent of all transactions, and the top three banks—Azerigazbank in Azerbaijan, St Kitts & Nevis Anguilla National Bank in St Kitts &Nevis, and Norwegian-owned DnB Nord in Latvia—together accounted for more than 95 percent of all money paid to spam vendors. The implication is that many banks simply won't deal with spam outfits. Even when switching does occur, it's disruptive, with payment processors typically introducing delays of days or weeks for due diligence to be performed.

The Latvian bank's Norwegian owners say that the spam customers were inherited when they bought the bank, and claim that they have terminated their relationship with the spam affiliate programs.

Taking down botnets is good from a computer security perspective, but the long-term impact it has on spam is low. Going after hosts and registrars shows a similar story; it can be done, and has a short-term effect, but it's easy for the spammers to find alternative arrangements and bounce back.

But where those efforts have had only short-term success, work against the banking bottleneck may well prove more fruitful. If dealing with the handful of banks were made impossible—for example, if Western banks refused to settle certain kinds of credit card transactions with banks known to be spam-friendly, an approach already used in the US to block access to online gambling sites—it would severely diminish the ability for the spam vendors to get paid, sucking the cash out of the spam business. And given the time and complexity of setting up new merchant agreements, this might be one area where the good guys can move faster than the spammers. Killing spam won't be easy, but going after the money could be our best bet for an end to the junk mail menace.