Study May Shed Light On How To Stop Spam
MICHELE NORRIS, host:
From NPR News, this is ALL THINGS CONSIDERED. I'm Michele Norris.
ROBERT SIEGEL, host:
And I'm Robert Siegel.
Now, a new approach to combating online junk mail, better known as spam -follow the money. You may recall the words of Microsoft Chairman Bill Gates: Two years from now, spam will be solved. He said that in 2004. And today, the typical online mailbox is still packed with it. It's estimated that 90 percent of email traffic is spam, and there doesn't seem to be any technical solution out there that's up to the job of controlling it.
So, some University of California computer scientist and pioneers of the new field of spam-olytics have taken a different approach: receiving spam, buying things that being sold via spam, studying the system of spam, and looking for the most vulnerable potential chokepoints. And the news is they seem to have found some.
Stefan Savage is a professor of computer science and engineering at the University of California, San Diego. Welcome to the program.
Professor STEFAN SAVAGE (Computer Science/Engineering, UCSD): Thank you very much, pleasure to be here.
SIEGEL: And first, tell us about the scope of your work here. How much spam did you and your colleagues actually consume?
Prof. SAVAGE: We looked at about a billion unique spam messages over the course of three months and then followed all of the links contained therein and visited the websites that were advertising projects.
SIEGEL: And actually bought stuff?
Prof. SAVAGE: That's right.
SIEGEL: And then when you analyzed all of these transactions, what did you find?
Prof. SAVAGE: Well, we looked at all of the individual pieces of what we call the value chain. That is, that everything from the domain name and the links, all the way through the sites hosting the goods being advertised, the webpage through payment processing and fulfillment.
And what we found is that at most stages of this pipeline, it's very hard to do anything effective because there are so many alternatives and it's so easy to switch. The single biggest exception, however, is in the case of payment processing and merchant bank services.
SIEGEL: Banking, you found that a very small number of banks account for a very large share of the spam business.
Prof. SAVAGE: That's absolutely right. Ninety-five percent run through just a handful of banks.
SIEGEL: A handful, meaning?
Prof. SAVAGE: Three: One in Azerbaijan, one in Saint Kitts and Nevis, and another - previously they were using one in Latvia, now it appears to be in Russia.
SIEGEL: And is there obvious recourse to these banks or these countries to get them to stop doing it?
Prof. SAVAGE: The sale of these goods is illegal in the United States. These are typically counterfeit pharmaceuticals or luxury products, such as Rolex watches. It is not necessarily illegal in jurisdictions in which these banks operate. And so, trying to go after these banks individually will both be slow, and may be met with some skepticism on their part.
The alternative is to look at this from a domestic standpoint, because ultimately the money that funds this activity is U.S. money. And the banks that issue credit cards - Chase, Bank of America, and so forth - were simply to refuse to honor transactions with those particular foreign banks for these particular class of services, it would demonetize the entire activity.
SIEGEL: And which was your view here? That it just happens that there are three banks eager to do this trade? Or that if you blocked transactions of this sort being paid by American banks for spam, to those three banks, that three more banks in three different countries would step in and do the work?
Prof. SAVAGE: There are far more than three more banks that would be happy to step in and do the work. And this is the challenge of going after the banks themselves - that shame is a very slow process.
However, on the issuing side, they can respond very quickly. I can discover the new bank is being used within a minute by placing a transaction and seeing what bank is used. Whereas for the bad guys, finding a new bank and getting them signed up through Visa and so forth can take, you know, four, five, six days.
So it's one of those rare cases where the defender actually has a huge time advantage, if they choose to take this approach.
SIEGEL: Professor Savage, thank you very much for talking with us.
Prof. SAVAGE: Thank you, my pleasure.
SIEGEL: That's Stefan Savage, professor of computer science and engineering at the University of California, San Diego.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.