Point of attack?

Researchers at UCSD have published a study of scam hosting practices [PDF, 844K] and come to the conclusion that 94% of all spams ultimately reference websites that are hosted by no more than one server each. The authors suggest that more aggressive take-downs of spam-related servers could have an impact on spammer operations.

The paper is a detailed and meticulous piece of work, and it's worth a read. Some of the facts in the paper are surprising: for instance, almost 60% of scam sites detected turn out to be hosted in the United States, while China — long seen as the location of choice for what spammers like to think of as 'bulletproof hosting' — hosts a little more than 7%. More than half of the sites studied remained accessible for at least a week.

The preference of spammers for fixed servers — rather than botnet-hosting — doesn't really come as a surprise. Experience has shown that botnets are a lousy way to host websites, with poor response times and high unavailability. It stands to reason that spammers need a more stable 'storefront' where they can advertise their products and take credit cards.

News sites covering the report are upbeat about the implications of the study, with some hinting that the conclusions might prove the 'Achilles' heel' for spam. That seems overoptimistic to me, for a number of reasons.

First, not all spam needs a 'storefront'. Overt scams such as advance fee fraud, prize pitch scams (an advance fee fraud variant) and money transfer scams can all be serviced via email. Thanks to the efforts of Hotmail, Yahoo, Gmail and other webmail providers, there is an inexhaustible supply of free, untraceable email addresses available to scammers, so smacking down spam sites won't make much of a dent in their operations.

Stock spam doesn't require any point of contact at all: all the spammer needs to do is get the stock symbol they're interested in promoting under the eyes of at least one person gullible enough to buy the stock. We've even seen stock spam that consisted of nothing more than an image containing the symbol name, although that particular experiment was fairly short-lived, suggesting that it probably didn't work too well.

Other common types of spam, such as pharmacy spam, penis enlargements, fake watches and so-called 'OEM' software, are more dependent on a website. While they could be serviced using simply an email address or even a 1-800 number, the take-up is likely to be smaller. It seems reasonable to believe that the existence of a website makes some buyers think — wrongly, of course — that they are dealing with a legitimate business. A business that could only be contacted via email or phone would look more dubious, and might give some buyers pause. Alternatives, such as using free webhosting services like Geocities or GooglePages, are also unsatisfactory and potentially prone to takedowns.

But can we expect takedowns to happen? 60% of spam sites are US-hosted, and we expect US hosting companies to be more responsive than unaccountable and often uncontactable Chinese hosts — yet half of those sites can expect to remain up for a week or more. That doesn't say much for our chances of getting spam sites knocked off line on request. That part isn't working now, and it's not clear why it should work in the future.

There are reasons why taking down spam sites is not a priority for a hosting business. The first and most obvious is that kicking a spammer off your network means losing a paying customer. For a hosting company to want to do that, there have to be strong incentives, or strong penalties for not doing so. But the penalties, such as they are, are fairly diffuse. A hosting service that hosts mail servers for a spammer does face penalties: if spam comes from their netblocks, their IP ranges will be blacklisted and mail belonging to their legitimate customers won't be delivered. That gets their attention, so hosting companies that host spammer mail servers are relatively few and far between. But there's nothing analogous that I'm aware of in the case of spamsite hosting. There are no widely-used mechanisms that will cut some hosting company out of the network because its netblocks are infested with spamvertized websites. The worst they have to fear is some generalized muttering about the company being 'spam-friendly', and most of that muttering will never be heard by anyone outside the closed circle of anti-spam zealots.

Fighting spammers is resource-intensive. Getting involved in a game of whack-a-mole with spammers is not a paying proposition for a hosting business. It sucks up time and energy that might be more profitably spent providing support for legitimate customers, and the balance of effort favors the spammer. If a hosting company takes an hour to investigate and close down a spammer and a spammer takes five minutes to create a new account, the battle is lost from the outset. Granted, there's some advantage to a 'zero-tolerance' policy: if the hosting company shows itself spam-hostile, the spammers will move on to easier targets. But that's a difficult decision to justify when you have customers crying for support on the other line.

Then there's the question of justification. If I send a hosting company a heads-up to let them know they have spammers in the house, they have to decide whether my report deserves to be acted on. Maybe I'm a well-meaning idiot who doesn't understand how the Internet works and is fingering the wrong site. Maybe I'm a malicious troll or a dishonest businessman who's trying to get a rival's site closed down. Maybe I'm a zealot on a crusade to stamp out porn or my political or religious enemies. No hosting company wants to terminate a legitimate domain based on an anonymous report from a crook or a crank. So the investigation takes longer, the hosting company has to look for corroboration — perhaps even by setting up their own spamtraps — and the end result is more work and a lot of unkilled domains.

Those hosting companies that do kill spammer domains are to be admired and supported. We should remember, however, that it's an activity that brings little reward and a great deal of overhead. Moreover, there are plenty of avenues open to spammers to blur the identification of their domains or complicate the task of removal. An aggressive takedown policy may simply ratchet up the arms race another notch.

Claiming that we have discovered the "Achilles' Heel" of the spam business is naive. Knowing that spammers rely on relatively-fixed websites is only useful if you can guarantee that these sites will be found and killed, and experience has shown that that simply doesn't happen. So should we just give up the fight? Not yet: there are still a few things that can be done.

As Internet users, we can try to give hosting companies an incentive to kill spammer sites. I'm uncomfortable suggesting that companies whose networks become infested with spammers should be null-routed, not only because I think that's unlikely to happen but also because of the collective punishment aspect. Spammers have no consciences; they'll cheerfully put their sites up alongside honest websites, counting on the outcry from the innocent bystanders to keep the routes open for them. What we can do, however, is recognize the providers that go the extra mile to keep their networks clean. Let's praise them publicly and give them our business when we can. Similarly, let's take our business away from those who don't care, and let them know why.

For the companies that do choose to take the fight to the spammers, the key is reaction time. If it takes two days to process a spam report and kill a domain, you've lost. The spammer has had two days of business out of the domain and that's probably all they need. So you need to streamline the process. You need to proactively detect spam sites on your networks. Running your own set of spamtraps with tools to reliably pick out spamvertized URLs, flag the domains on your network and forward them to a tech with his hand on the kill button is one approach. Close the loop enough and you reach a point where the spammer is sending the signal to terminate his own domains.

Other proactive methods could use heuristics to look for warning signs. The nameservers used for a domain, the registrar it was registered with, the content of the website and patterns in filenames or directory structure can all be potential indicators that are sufficient for you to add the domain to a watchlist. If an abuse report comes in that mentions a watched domain, you don't leave it sitting in the queue for two days. Fast track it, and burn the sucker down before he draws breath.

Set up peering arrangements with other hosting companies. If your tools pick up spamvertized sites on someone else's network, let them know about it and ask that they do the same for you. Share information about patterns that reliably predict abuse.
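The spamtrap-to-kill-button loop, the watchlist heuristics and the peer notification described in the last three paragraphs, as one added example (mine, not the article's or the UCSD authors' code). Everything in it is constructed: the sample spamtrap hit, the netblocks, and the FAKE_DNS / FAKE_NS tables that stand in for live resolver and WHOIS lookups; the "bulk-ns" nameserver and the directory pattern are placeholders for whatever patterns your own abuse history shows.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Everything below is constructed: our netblocks and fake A/NS lookups.
OUR_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]
FAKE_DNS = {"cheap-meds.example": "198.51.100.42",
            "watches.example": "192.0.2.7",
            "oem-soft.example": "203.0.113.9"}
FAKE_NS = {"cheap-meds.example": "ns1.bulk-ns.example",
           "watches.example": "ns1.bulk-ns.example",
           "oem-soft.example": "ns1.ordinary-ns.example"}
WATCHED_NS = {"ns1.bulk-ns.example"}  # nameservers seen in past abuse
SUSPICIOUS_PATH = re.compile(r"^/[a-z]{2}\d{3}/index\.html?$")  # templated layout
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
SAMPLE_SPAM = """Cheap meds: http://cheap-meds.example/ab123/index.htm
Replica watches http://WATCHES.example/shop?id=9
OEM software https://oem-soft.example/download"""  # constructed spamtrap hit

def extract_urls(body):
    """Return the spamvertized URLs in a message body, parsed."""
    return [urlparse(u) for u in URL_RE.findall(body)]

def hosted_by_us(domain):
    """True when the domain's A record lies inside one of our netblocks."""
    addr = FAKE_DNS.get(domain)
    return addr is not None and any(
        ipaddress.ip_address(addr) in net for net in OUR_NETBLOCKS)

def watchlist_hits(domain, path):
    """Warning signs from the article: abusive nameserver, templated paths."""
    hits = []
    if FAKE_NS.get(domain) in WATCHED_NS:
        hits.append("nameserver")
    if SUSPICIOUS_PATH.match(path or "/"):
        hits.append("path")
    return hits

def triage(body):
    """Map each spamvertized domain to an action for the abuse desk."""
    actions = {}
    for url in extract_urls(body):
        domain = url.hostname.lower()
        if hosted_by_us(domain):
            actions[domain] = "terminate"  # our trap, our network: no queue
        elif watchlist_hits(domain, url.path):
            actions[domain] = "notify-peer+watch"  # peering arrangement
        else:
            actions[domain] = "notify-peer"
    return actions
```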

Lastly, open-source your spam killing operations. When you get abuse reports, take a note of the senders who appear to be reliable and meticulous. When you find someone who's regularly giving you good information, offer them a hotline that they can use to report spam in a structured format that you can act on. Build up a pool of trusted spam reporters: when they concur that a site is spammy, nuke it. And once you've built your pool, cultivate them: give them feedback, give them credit, and even think about giving back small bonuses in the form of cash or services. Remember how much you're saving by not having to hire another tech and show your volunteers some love.

I don't believe that the discovery that spam relies so heavily on 'fixed' websites will change much, unless hosting companies are willing to terminate spammers. As I've explained, there are plenty of reasons why they might not be. But if they are, there are practical things that they can do. The payoff may not be immediately obvious, but if enough providers get on board, we will all benefit: thinking globally and acting locally is just sound policy.
