Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Outline Spammers' Business Ecosystem

Posted by timothy on from the is-that-enough-info-to-send-the-rebel-alliance? dept.

An anonymous reader writes A team of researchers at the UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem including: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns. Their results suggest that spammers develop a type of "customer loyalty"; spammers likely purchase preferred resources from actors that have "proven" themselves in the past. Previous work examined the market economy of the email address market in preparatory work: 1 million email addresses were offered on the examined forum for anywhere ranging between 20 and 40 Euros.

14 comments

  1. Correct link to the full paper by dskoll · · Score: 4, Informative

    The full link above does not work, but this one works for me

    1. Re:Correct link to the full paper by Anonymous Coward · · Score: 3, Informative

      The corrected link also didn't work for me, but I can fetch the PDF from this site (also linked above): https://dl.acm.org/citation.cf...

  2. I'm surprised by hubie · · Score: 1

    I'm surprised that spam is still a lucrative business model, and I'm surprised that spam is still relevant enough to garner the attention of researchers.

    1. Re:I'm surprised by gstoddart · · Score: 4, Insightful

      Any business model which relies on a mass campaign to get 1-2% response rate is quite likely to be a lucrative business model.

      All you need is a small percentage of people who will fall for this, and when you're sending out millions of messages, 1-2% is probably enough to pay pretty well.

      Hell, I recently saw a couple of spam messages for Viagra slip through spam filters ... and anybody who actually buys Viagra from a random email is asking to get screwed, only not in the way they hope.

      At my company, they do phishing/spam testing on a fairly regular basis. And it's astounding to me the number of people who actually fall for it. These people get sent for additional internet security training.

      When my parents first went on-line, I told them in no uncertain terms to never trust anything unless they were damned sure it was from someone they knew and trusted. And, if there was any doubt, don't ever do anything unless you can directly call the company with a published number.

      And they've told me on numerous occasions that advice has done well for them.

      Sadly, lots of people still fall for this crap, but if it didn't pay, nobody would be going through the effort.

      And don't get me started on the calls from the "Windows Service Provider" who want to do tech support for me. I've known a few people whose parents have fallen for that one.

      --
      Lost at C:>. Found at C.
    2. Re:I'm surprised by nine-times · · Score: 1

      I'm not sure why you're surprised at all. Spam is still a huge problem. You might be lucky enough that you don't get spam, but it's a relentless arms race, and it's intimately connected with the issue of viruses/malware. Of course it would have the attention of researchers.

    3. Re:I'm surprised by Jason+Levine · · Score: 3, Insightful

      The problem is that spam is inexpensive to send. Especially if you are using a bot net of infected computers so you utilize someone else's bandwidth. If you spend $100 to send out 1 million e-mails and get a 0.1% return rate at $1 per user, you make $900 per campaign.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    4. Re:I'm surprised by flightmaker · · Score: 2

      Me too, especially when the tossers keep sending six messages the same in one day. They totally loose all feasibility. There's always somebody there though who's stupid enough to click the link otherwise we wouldn't all be suffering.

      We could probably put a good dent in illegal drug sales such as fake Viagra by randomly putting detection dogs in post delivery offices and prosecuting anybody caught ordering the crap.

    5. Re:I'm surprised by mlts · · Score: 3, Interesting

      Spam has shifted gears. Before, it was mainly advertising and "chop your dollar" scams. Now, I mainly see phishing attempts either to get people to give up data or to go to a site that would attempt a large number of exploits (even trying to offer bogus "securityscan.apk" files on Android.) This isn't surprising because getting a victim's computer on a botnet is far more lucrative for a spammer than actually getting them to buy some pills or fall for yet another 419 scam.

    6. Re:I'm surprised by tlhIngan · · Score: 2

      I'm surprised that spam is still a lucrative business model, and I'm surprised that spam is still relevant enough to garner the attention of researchers.

      Why isn't it? I mean, the people who send spam make money. The businesses selling the spammed product don't.

      Spammers generally sell their product as a package - say, 1M email addresses for $10 or whatever (generally not selling the list, but the service to email that list). Company needing marketing services buys that and a million emails get sent out. Doesn't matter if 99.99% of them are blocked instantly by filters, they sent 1M emails.

      And for the spammer, there are plenty of companies needing "marketing services" so it's basically just selling the same list over and over again.

      The act of spamming is disassociated from the marketing - the spammer doesn't care if their customer got a return on their dollar (because there are other people lined up for the same service)

      Of course, the other reason to spam is to spread malware, but then again the spammer doesn't care about content. They've already been paid.

    7. Re:I'm surprised by whoever57 · · Score: 1

      I'm surprised that spam is still a lucrative business model,

      Some years ago, there was a suggestion that the people paying for the spam campaigns were not making any money, but the botmasters were. How did this work? As long as there is a supply of suckers prepared to pay botmasters for spam campaigns ....

      --
      The real "Libtards" are the Libertarians!
    8. Re:I'm surprised by flappinbooger · · Score: 1

      The problem is that spam is inexpensive to send. Especially if you are using a bot net of infected computers so you utilize someone else's bandwidth. If you spend $100 to send out 1 million e-mails and get a 0.1% return rate at $1 per user, you make $900 per campaign.

      The math to show why spam still exists is really just that simple. Statistically it does pay.

      The emails can be purchased cheaply, botnet space is cheap, VPNs to hide your identity are cheap and effective, and the payoff is good.

      And since it is a relatively "harmless" thing to do, most spammers can probably sleep well at night.

      --
      Flappinbooger isn't my real name
  3. Used to mail a long time ago by rel4x · · Score: 2

    ...looks like not much has changed. Scamming was constant there, so you stuck with the people you knew.
    The very first thing you do is exchange a small list of well known people you've done business with - your references. When one matches up between your list and their list you contact them and ask how the experience went. If it was good, you move forward and don't change until you have a damn good reason to.

    It's not like there's a Yelp for spammer services, or even a normal review site. Everything is word of mouth.

    --

    Before you mod me funny, think, perhaps I was insightfully funny?
  4. Require a one cent "stamp" for each email ... by CaptainDork · · Score: 2

    I think every ISP needs to charge, say, one penny for each email sent. It's sorta like a "stamp." Spammers use emails as cheap marketing. Emails are free. There are no penalties for sending out millions of emails or one. The charge places email in the scope of commerce and, therefore, regulation. The originator will have to pony up to send a million emails. Regarding spam bots, today those are hard to detect and hard to identify. Someone, somewhere, will be getting a bill from an ISP for sending out a brazillion emails. Just as we are not liable for false charges on our credit cards in case of theft, we would have the same structure in place. What the charge DOES do, is bring to light that there IS a botnet, and fingers the infected machines, possibly providing the forensics for finding the perps. At a minimum, the bots will come down. Not all ISPs will want to participate and each country can opt in as they see fit. The gentle email recipient can also block those ISPs. My plan is a work in progress and is in need of tweaking, so your comments are welcome.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Require a one cent "stamp" for each email ... by Anonymous Coward · · Score: 0

      Wouldn't do shit to reduce spam. End user ISP's already monitor and close abusive accounts. There are already blacklists to block the most abusive users and bayasian filters thend to catch most of the rest of it.