End-to-End Analysis of the Spam Value Chain
Spam-based advertising is a business. While it has
engendered both widespread antipathy and a
multi-billion dollar anti-spam industry, it continues
to exist because it fuels a profitable enterprise. We
lack, however, a solid understanding of this
enterprise's full structure, and thus most anti-spam
interventions focus on only one facet of the overall
spam value chain (e.g., spam filtering, URL
blacklisting, site takedown).
In this project, our colleagues
and our team at ICSI
conduct a holistic analysis that quantifies the full
set of resources employed to monetize spam email
— including naming, hosting, payment and
fulfillment — using extensive measurements of
three months of diverse spam data, broad crawling of
naming and hosting infrastructures, and over 100
purchases from spam-advertised sites. We relate these
resources to the organizations who administer them and
then use this data to characterize the relative
prospects for defensive interventions at each link in
the spam value chain. (Click for larger version. If
you would like to use the diagram elsewhere, I would
appreciate a quick note — thanks.)
We provide the first strong evidence of payment
bottlenecks in the spam value chain: 95% of
spam-advertised pharmaceutical, replica and software
products are monetized using merchant services from
just a handful of banks. For details, take a look
For a more in-depth analysis of spam conversion in one
particular botnet, take a look at our earlier
- Study Sees Credit Cards as a "Choke Point" for Spam, New York Times, 19 May 2011.
- Anatomy of a Spam Viagra Purchase , Technology Review, 20 May 2011.
- Researchers: Kill spam e-mails by choking off scammers' cash, Consumer Reports, 20 May 2011.
- Forscher wollen Händlern das Spam-Geschäft vermiesen, Spiegel Online, 21 May 2011.
- Spam-Bekämpfung soll bei Banken ansetzen, Heise Online, 22 May 2011.
- Secret to Stopping Spam: Follow the Money, Scientific American, 23 May 2011.
- Spammers and Their Bankers, New York Times, Editorial, 28 May 2011.
- Spam as a Business, Bruce Schneier, 9 June 2011.
- What's the Harm If I Get What I Pay For?, Messaging News, 16 June 2011.
material from Azerigazbank (AG Bank), the Azerbaijani bank
that handled payment of over 60% of our purchases.
Click Trajectories: End-to-End Analysis of the Spam Value Chain
K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and Stefan Savage. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.
Spamalytics: An Empirical Analysis of Spam Marketing Conversion
C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. 15th ACM Conference on Computer and Communications Security (CCS), 27-31 October 2008, Alexandria, VA.