A group of researchers from the University of California at San Diego (UCSD) offered up what they felt was a new and unique way to target spammers at the recent USENIX Security 2007 conference in Boston. As it turns out, their idea isn’t so new.
Spam most often takes the form of a sales pitch, selling everything from erectile dysfunction medication to penny stocks. Most of these spam messages include a link to follow to purchase whatever is being sold. And since P.T. Barnum was right, enough people follow the links to keep the spammers in business.
The researchers from UCSD’s creatively titled Collaborative Center for Internet Epidemiology and Defenses noted that while spam is often sent by bots
“The availability of scam infrastructure is critical to spam profitability — a single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign,” the report said.
The researchers developed a technique called “spamscatter,” which parses incoming spam, extracts the embedded links and follows each one through whatever redirection the spammer has put in place until it reaches the server that actually hosts the scam page. It’s not uncommon for recipients to be sent first to a Yahoo Pages site, for instance, since people inherently trust Yahoo, and only then bounced on to the real destination.
Using a real-time spam feed of about 150,000 e-mails per day, the study identified more than 2,000 distinct scams hosted across more than 7,000 distinct servers.
Great idea. But it’s already being done, points out Matthew Prince, CEO of Unspam, which runs its own spam-fighting projects that go after the same end of the chain. The largest of these is SURBL, or Spam URI Realtime Blocklists.
SURBL identifies the sites that spam recipients are sent to and publishes the list (as a DNS-queried blocklist) to other mail-filtering services; it also offers plug-ins for Exchange and other mail servers so they can reject or tag messages whose links point to a listed site.
“This is a powerful technology people have been working on for some time. I think this is a very good way of thinking about the spam problem because you want to focus on the narrowest points in the funnel of the spam chain,” said Prince. “While there are a lot of servers sending mail out, there are fewer servers actually hosting the pages they are trying to get people to go to.”
But this is not a complete solution to the problem, as few solutions in the war against spam are, he added. The more sophisticated spammers use compromised servers both to host the pages and to send the spam, which makes things more complicated. Pump-and-dump stock spam often carries no link at all, so there is no destination to trace on those messages, and other spam puts the link inside an image, so there is no URL to follow.
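The following is an added example, not code from the article, from the UCSD researchers or from SURBL. It shows the core of the spamscatter idea described above (pull the links out of spam, follow each redirect chain to the final hosting server, and group messages by that server), builds the DNS query name a SURBL-style client would look up for each destination, and handles the two caveats raised at the end: messages with no URL and redirect chains that loop. The spam messages and the redirect table are constructed for illustration, fetch() is a stand-in for a real HTTP client, and reducing a host to its last two labels is a simplification (a real client would use a public-suffix list).

```python
"""Spamscatter-style link following and destination grouping (added example).

Constructed, offline data throughout: REDIRECTS plays the role of the
Location headers a crawler would see, SPAM is a tiny hand-written corpus.
"""
import re
from collections import defaultdict
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed redirect table: requested URL -> Location header it returns.
# Two campaigns route through different redirectors to one scam host;
# loop1/loop2 model a misconfigured or deliberately circular redirector.
REDIRECTS = {
    "http://click.tracker.example/r?id=1": "http://pages.free-host.example/~u1/pills",
    "http://pages.free-host.example/~u1/pills": "http://cheap-meds.example/order",
    "http://short.example/a9": "http://cheap-meds.example/order?aff=2",
    "http://loop1.example/": "http://loop2.example/",
    "http://loop2.example/": "http://loop1.example/",
}

# Constructed spam corpus. Message 3 carries its pitch only in an image.
SPAM = [
    "Cheap meds! click http://click.tracker.example/r?id=1 now",
    "Best prices here -> http://short.example/a9",
    "Direct: http://cheap-meds.example/order?src=3",
    '<img src="cid:offer.gif">',
    "Free stuff http://loop1.example/",
]


def fetch(url):
    """Stand-in for an HTTP GET: return the redirect target, or None if this
    URL is the final page (no Location header)."""
    return REDIRECTS.get(url)


def follow_redirects(url, max_hops=10):
    """Follow redirects from url. Returns (last_url, hops, status) where status
    is 'final', 'loop' (a URL repeated) or 'too_many_hops'."""
    seen = [url]
    for hop in range(max_hops):
        nxt = fetch(seen[-1])
        if nxt is None:
            return seen[-1], hop, "final"
        nxt = urljoin(seen[-1], nxt)  # Location may be relative
        if nxt in seen:
            return nxt, hop + 1, "loop"
        seen.append(nxt)
    return seen[-1], max_hops, "too_many_hops"


def extract_urls(message):
    """Return every http(s) URL in the message text; image-only spam yields []."""
    return URL_RE.findall(message)


def final_host(url):
    return urlparse(url).hostname


def spamscatter(messages):
    """Map final hosting host -> indexes of the messages that lead there.
    Messages with no URL are filed under None; unresolved chains under
    'unresolved:<status>' so they are not silently dropped."""
    groups = defaultdict(list)
    for i, msg in enumerate(messages):
        urls = extract_urls(msg)
        if not urls:
            groups[None].append(i)
            continue
        for u in urls:
            dest, _hops, status = follow_redirects(u)
            key = final_host(dest) if status == "final" else f"unresolved:{status}"
            if i not in groups[key]:
                groups[key].append(i)
    return dict(groups)


def surbl_query_name(host, zone="multi.surbl.org"):
    """DNS name a SURBL client would query for a destination host: reversed
    octets for an IP literal, otherwise the domain followed by the zone.
    Keeping only the last two labels is a simplification (assumption): a
    real client reduces to the registrable domain via a public-suffix list."""
    if IPV4_RE.match(host):
        return ".".join(reversed(host.split("."))) + "." + zone
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone


if __name__ == "__main__":
    for host, idxs in spamscatter(SPAM).items():
        label = host if host is not None else "(no URL to follow)"
        print(f"{label:<28} messages {idxs}")
        if host and not host.startswith("unresolved:"):
            print(f"  lookup: {surbl_query_name(host)}")
```

Run as a script it shows the funnel the article describes: three messages, sent through three different redirect paths, collapse onto a single scam host, which is the one name worth blocklisting; the image-only message and the looping redirector are reported separately rather than lost.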