A New Approach To Reducing Spam: Go After Credit Processors
WrongSizeGlass writes "A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they found a 'choke point' [PDF] that could greatly reduce the flow of spam. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said one of the scientists."
Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."
So, they will just open new credit card processors, or worse yet, start spamming random websites to get them shut down? Great way to take your competitor down.
Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.
I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.
Gently reply
Like they wouldn't go to another provider... much like they do now if they get shut down.
The study identified 3 top payment-processors for spam sites. Surely these processors aren't the weak link; their business model is to process payments for spammers. You can't simply ask them not to process spam payments - there is a financial disincentive for them to do so.
We could move one rung up the ladder, and ask Visa and Mastercard not to authorize any payments to these top-3 processors. However, we've just "widened" the narrowest point, plus, these companies have a financial incentive to grin and pass the buck. Maybe less so; I'd be interested in the number of consumers who later try to contest these payments, but I'm willing to bet that dealing with a fraction of unhappy customers now is less expensive than the net amount the credit cards pull in while processing these shady payments. Otherwise, Visa would have done something by now.
If a handful of companies like these refused to authorize online credit card payments to the merchants
You suggest that as if this specific activity was not these people's business model. A credit processor in Azerbaijan doesn't just one day decide to start processing spam purchases, they open their business specifically for that purpose. Good luck getting them to switch business models just because you want them to.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
This approach is already being used against the "evil pirates", but they haven't even gotten started on the spammers. Getting their priorities straight: they go after the teenagers sharing music first instead of the real criminals sending out phishing emails, viruses and shit like that. FTW.
1) Post the names of these payment processing companies and their mail servers.
2) Link how these processing companies are responsible for attacks on the Pirate Party and Anonymous.
3) ??????
4) Profit
Not that I think that handling credit card payments for spammers is a good thing, but are these middlemen actually violating any laws that would justify shutting them down?
I'm one of the MANY coauthors of this paper. Myself or others will try to answer questions in this thread.
Test your net with Netalyzr
Your post advocates a
( ) technical ( ) legislative (X) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I am officially gone from
Or you might find that when you cut off a head of the Hydra two grow to replace it.
The PDF mentions more than 3 different banks. None of them are Danish.
The other article says that all transactions go through one of three financial companies. And one of these is based in Denmark.
Can someone clarify this inconsistency for me?
(And you guessed right. I am from Denmark.)
So that was what was rotten in the state of Denmark!
It's a great idea to go after payment processors. I bet it could stop a lot of spam.
But there's a lot more spam besides the ones that try to sell you something quasi-legitimately. Going after payment processors won't do anything to stop phishing attacks, lottery scams, Nigerian scammers, porn ads, wacko conspiracy theorists or questionable "newsletter" subscriptions. Also, the big spam rings will take advantage of dumb spammers who don't realize they'll get cut off for spamming. Unfortunately, there is no shortage of dumb spammers.
Glancing at my traps, I would guess that about one in five of the spams would be affected by cracking down on payment processors.
Who you gonna call? The internet police. You just got back traced.
I've been saying for years that the only way to stop spam is to go after the money that keeps it going. I have the comment history here to back that up, as well.
However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless. I've seen plenty of them in the past, and the result is questionable at best. People who dislike spam won't see it, and those who buy spamvertised products will just be confused by it.
Regardless, I'm glad to see that more people are realizing that indeed spam is an economic problem, that needs to be solved with economic solutions. No amount of filtering or homicide will bring about an end to spam; only economic actions will.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Like they wouldn't go to another provider... much like they do now if they get shut down.
Of course they would. However, the key issue is the cost structure on each side. For us to discover the identity of the new bank being used takes a few minutes (seconds if we had direct access to VisaNet) and negligible cost (I just need to authorize a purchase from the site). There is no technical reason I'm aware of that you couldn't implement an issuer blacklist at similar time scales if you wanted to (I can think of lots of reasons it might not be a good idea to automate this, but the main point is that the time scale is short). Compare that to how much time and cost you think it takes to find a new bank willing to accept high-risk merchants. It's certainly doable, there are a number of such banks, but it's orders of magnitude more time.
Oh, the beautiful gloss of greality!
Are these three credit card processors in cahoots with the spammers? Or are they being used only because they are cheap? How much of these three processors' business is derived from spam (95% of spam transactions doesn't mean the same thing as 95% of these processors' business is derived from spam).
What, legally, can one do to prevent other payment processors from picking up the slack? Legitimate business is legal and, as a payment processor, how do I know the transaction originated from spam? Why should I play cop?
If these three outfits handle 95% of the spam-originated transactions, this still might be a small part of their non-spam volume. What legal justification do you have for leaning on them and harming the legitimate part (majority) of their business? If they are cheap processors, it is probably because they don't exert too much effort chasing iffy clients around. Crack down on them, or impose additional customer quality checks and you'll harm them and many honest but low margin vendors. But the Visa/MasterCard/Amex oligopoly will love you.
Have gnu, will travel.
1234567812345678
Oh, and the CVN is 900
If I thought my hard drive was failing, I'd buy a new hard drive, not software to fix a worn hardware problem. I don't get it.
They already refuse to process payments to Wikileaks.
Actually, the law says that spam (defined as unsolicited bulk commercial emails) is a legal and legitimate form of advertising as long as you meet certain rules like not providing false headers and offering an opt-out. Google CAN-SPAM Act. It's analogous to unsolicited credit offers you get in the mail.
Law breaking doesn't occur unless the spammer is taking control of botnets, spoofing headers, or intentionally trying to defraud recipients with counterfeit/illegal products, phishing scams, etc. All common occurrences, I'll admit, but not all unsolicited bulk email falls into this category. People apply the term 'spam' too loosely.
Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.
Look deeper. The only thing this proves is there are still that many gullible idiots out there who will gladly swipe a credit card for magic penis enlarging cream.
It really is sad when spam can't die due to lack of profitability.
Seems like killing 3 credit card processors like this would be well within the reach of an outfit like anonymous... if they're really up to fight the good cause.
Just how the anti money laundering act section of the patriot act chased billions out of the country, so will any of these other measures. Tax havens exist and will never be removed unless a global police state is enforced.
Nigerian scams exist because banks give out money before the check clears, very easy to change that law/regulation/business practice.
Credit card scams hurt credit card companies, they have plenty of resources to not allow these scams to take place. If I try to purchase items overseas I get a call from my credit card company checking to see if it was legitimate first. Obviously this extra cost isn't worth the very small amount stolen in scams, or other credit card companies would follow suit.
Hasn't Gmail more or less made the problem obsolete? Or am I supposed to shed a tear for people who willfully refuse to use freely-available tools that already do the job they're struggling with?
MSIE: The world's most standards-complaint web browser.
The truth is that the CC companies don't care if the transactions are fraudulent or not, as long as they get their fees. The reason they don't and never will shut down spammers is because they make plenty of money off them.
I don't know, I've always thought having them branded with 5 inch letters, then drawn, quartered, and left naked by the roadside was a pretty good way to get them to stop spamming. :-)
People are taking an enormous risk purchasing these products. So make the risks seem so high they just won't do it.
1. They never got what they ordered.
2. They got sugar pills.
3. They got mislabeled pharma that fucked them up. Heart meds, psychotropics
4. They got their card defrauded.
5. It got sent to their next door neighbor
6. They got something instead that was really illegal and they got arrested, lost their job, etc.
7. It was a mega-dose and they had to go to emergency. And then had to explain it.
At the very least, there should be a real report as to what these things are and if they are dangerous.
Perhaps the spammers can switch to bitcoin to stay safe...
oops, DEVGRU, after them. The guys should be rested and ready by now.
Posted anonymously as I want to keep my job and my nick as much separated as possible.
I work for a company that distributes both Visa and MasterCard.
We have a department that tries to find fraud and it is a moving situation all the time. We even try to be pro-active and contact cardholders or sometimes even block them without contacting.
e.g. we know that the card can't be physically in New York and in Sydney. This is easy for stolen cards. Internet payment is another situation. Transactions are done almost immediately and we only see the merchant and not so much the bank behind it.
Although I am not working on the fraud-prevention department, I am sure they will be interested in at least looking at the possibility to work together. So where could I send an email to from my work address to get more information to give to the fraud department?
With my Three Geeks, Three Lawyers post.
What is this? Hollywood? "Spam mafia, we have to cut the supply". Bullshit story. Ruined my morning
Why was it so easy to stop Wikileaks from receiving credit card payments, but it is so hard to stop spammers from receiving credit card payments?
I think you and your friend have found the last game in town and you're trying to hit them where it hurts, their wallets. It's bold.
Linux fixes all the cracked Windows.
Being Danish, I was curious about the reference to Denmark in this post. Although the linked article mentions Denmark, I cannot find any mention of Denmark in the PDF from the actual study!? :-(
Am I missing it? If so, please point me in the right direction. If not, then my home country is being unfairly associated with spam (of the email sort)
I actually read the paper, and nowhere did it mention Denmark. The closest it came to was one German bank, and a few Latvian ones.
handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies
Please point more specifically to where the Danish company is identified, because I can not find the word Denmark in the PDF paper, but I can find both Nevis and Azerbaijan.
In the original article, or in the NYTimes version I read, the number of emails per order was something like 12.8 million emails. So, if you charged even 0.001 penny per email, you would completely shut down spam. Since email goes thru the web, which has ISPs and routers and so forth, I really don't see an implementation problem.
More like 170 ms. (Gotta allow for processing time plus the wait for the acknowledgement to get back to the gov't or it'd be more like 60 ms.)
10 years ago I heard "we are out of business, mastercard stopped processing for online casinos" from a friend. Then Visa followed, then "alternative" and "high risk" processors pop up. Sure it will make it a little harder for them, and the weak will fall, but the big ones stay. There are also legit stores who use affiliates, who are a competitive bunch. Some of them wealthy, some of them tech savvy. They will click the crap out of competitor's ads (with bots they buy, hire or develop), and they will sometimes use unapproved promo techniques. Most affiliate agreements state, that if you spam you will be left unpaid and kicked from the program. Some even disallow legit opt-in mailing. If you had an affiliate that generated let's say 10% of the revenue alone, or even more, would you look in the other direction if it turned out, that he sometimes spams a little bit....
On the other hand: I hate my email because it is impossible to filter stuff well: even google fails at it and puts my legit mails as spam while leaving completely random crap in.
that if I want to profit from spam with no risk, then I should open a credit-card processing center in lower Buttfukkistan. Hmm... Interesting idea.
Please do not read this sig. Thank you.