Study Finds Spam's Achilles Heel

Researchers at the University of California, San Diego (UCSD) said this week they've discovered a critical weakness in the spam ecosystem that could be used to help cut off the promise of economic returns fuelling the huge growth in spam levels.

In a paper delivered at the USENIX Security 2007 conference in Boston, the UCSD researchers said that while spammers use vastly powerful, distributed delivery networks to pump out junk e-mail, it's quite another story for the internet scams that form the real heart of the spam mechanism.

Such scams, for instance selling pharmaceutical products over a website, are typically hosted on a single website, the researchers found. What's more, a single site might host several scams and might also act as a spam relay.

"The engine that drives this arms race is not spam itself - which is simply a means to an end - but the various money-making 'scams' (legal or illegal) that extract value from internet users," said the report, which was authored by David Anderson, Chris Fleizach, Stefan Savage and Geoffrey Voelker of UCSD's Collaborative Center for Internet Epidemiology and Defenses.

Spam might seem ever-present -- it makes up more than 80 percent of all e-mail, according to some estimates -- but in fact junk e-mail is organized into particular campaigns, the study found.

A given campaign tends to begin with just a day or two of heavy spamming, but the ads point to a scam-hosting site that tends to be online for at least a week, the researchers said.

"The availability of scam infrastructure is critical to spam profitability - a single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign," the report said.

The researchers used a UCSD-developed technique called "spamscatter" to analyze e-mails and follow links to their eventual destination server, including any redirection mechanisms put in place.

"The underlying principle is that each scam is, by necessity, identified in the link structure of associated spams," the report said.

The researchers were able to identify individual scams by clustering scam servers whose rendered web pages are graphically similar, using a technique they called "image shingling".

Using a real-time spam feed of about 150,000 e-mails per day the study identified more than 2,000 distinct scams hosted across more than 7,000 distinct servers.

While spam servers are widely diffused, scam servers tended to be based in the US, the study found.

Since scams and spam are of necessity linked together, the results suggested that spam might be combated by attacking its economic lifeblood.

"Individual machines are commonly used to host multiple scams, and occasionally serve as spam relays as well," the study said. "This practice provides a potentially convenient single point for network-based interdiction either via IP blacklisting or network filtering."