How spam works, from end to end

"Click Trajectories: End-to-End Analysis of the Spam Value Chain" is a scholarly research paper reporting on a well-designed study of the way that spam works, from fast-flux DNS to bulletproof hosting to payment processing to order fulfillment. The researchers scraped mountains of spam websites, ordered their pills and fake software, and subjected it all to rigorous comparison and analysis. They were looking for spam ecosystem bottlenecks, places where interdicting one or two companies could have a major impact on spam.

After selecting an item to purchase and clicking on "Checkout", the storefront redirects the user to a payment portal served from (this time serving content via an IP address in Turkey), which accepts the user's shipping, email contact, and payment information, and provides an order confirmation number. Subsequent email confirms the order, provides an EMS tracking number, and includes a contact email for customer questions. The bank that issued the user's credit card transfers money to the acquiring bank, in this case the Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan (BIN 404610). Ten days later the product arrives, blister-packaged, in a cushioned white envelope with postal markings indicating a supplier named PPW based in Chennai, India as its originator.

Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF)

(via MeFi)


  1. In most of the cases it seems like cutting the VISA -> Bank link will kill the whole ecosystem. Three of these obscure banks seem to account for a large majority of the cash flow. These are off-line (or at least off the general interNet) linkages and would take considerable (i.e. expensive) effort to re-establish.

    1. Like infomercials, if spam didn’t -work- it wouldn’t exist and be so prevalent. The problem is the consumers. You either have to give them a better deal on what they want*, or convince them not to want it.

      * – e.g. if the consumers want cheaper pharmaceuticals, universal health care might take a bite out of that market. If the consumer wants illegal pharmaceuticals, increasing border scrutiny and penalties might take a bite out of that market.

      1. if spam didn’t -work- it wouldn’t exist and be so prevalent. The problem is the consumers.

        Spam doesn’t work. It sits around on welfare and bleeds hundreds of millions of dollars off of the ISPs and everyone else who runs an e-mail service: capacity for the 90% of e-mail that is spam plus the filtering costs; and the hundreds of millions of man-hours wasted dealing with it via deleting it and chasing down real e-mail lost in the filters. The “consumers” are the .0001% of the recipients that want magic pills for free and are stupid enough to respond to spam. The current education of consumers has a .999999 success rate. Spam is only financially feasible through massive theft of services so as to reduce advertising costs to zero.

        You’re confusing the products advertised with the method of advertising. If they were advertising working Immortality Pills being sold for just the shipping costs spam would still be objectionable.

        1. I think you missed the point “emmdeeaych” was making there. Spam does work, in the sense that the spammers can make money off of it. Otherwise they wouldn’t do it.

          1. I’m not so sure about that. I think it relies on the rule of the bigger sucker. It could just be a case of spam services convincing people that their services will bring them business. When they don’t deliver they just move on to the next sucker.

          2. thank you.

            also, @Nadreck, “and are stupid enough to respond to spam” is the part of the equation we can probably work on.

          3. Too bad the last couple of words of my comment got cut off. No insult intended, Nadreck; my truncated comment was -not- meant as terse. I must have messed up the tag and lost the rest of the text.

            … “is the part of the equation we can work on” was the rest of that comment.

            And the anon commenter had my intent correct. I just gave two examples, but insert any product you like and there's a way to take the edge off the market by giving the customers better options, and educating them about how responding to spam is what makes their internet bill so high.

  2. I didn’t see anything about the really important question here. Is the Viagra knockoff effective? :)

  3. Excellent point @Nadreck.

    I would have thought the really important question here was why would the credit card monopolies *bother* shutting down these accounts when it’s not in their interest, as they lose the payment fees.

    I think the important question is really how much duty of care to their customers do online service providers have? If the credit card companies have a duty of care, who is to enforce them blocking transactions which breach this duty of care?

    In this I’d include blocking all transactions to bank accounts that have been *proven* (if such a thing is possible) to send spam in any sense.

    Presuming Visa and Mastercard are American companies, should not the American government be prosecuting both companies for breach of duty of care? If only for allowing clients to continue using their services when their activities can be clearly shown to breach the terms of contract.

    And how much money would this save the international economy compared to fighting piracy? Is spam a bigger industry than piracy?

  4. Comment spam, BTW, almost always has one or more of the following characteristics:

    ♥ It’s in the wrong language. We get spam in Irish. Seriously.
    ♥ It’s for something completely inappropriate for the forum where it’s been posted. We get tons of astrology-type spam.
    ♥ It’s posted anonymously, so it never sees the light of day. Or they register as CheapBatteries4U and go straight to the wood chipper before being seen.
    ♥ Spammers create a user profile with an ad in the bio section, or just drop a business name in the name section. Neither of which will ever be seen, because without commenting, there’s no way to publicly access a profile.

    Once you get past the boner pills, a lot of spam is for small businesses. Which means that Mister SEO Sleazeball wandered down Main Street in Pleasantville convincing EZ Garage Doors and Reliable Plumbing that they should pay him $2,500 to create an online presence to build their businesses. Or the real estate broker or the head of the local dentists’ association got talked into letting him speak at the monthly meeting, where he duped a few of them into participating in this newfangled internet thing.

    So, for a lot of them, the businesses that seem to be spamming us are actually the ones who are being victimized. Of course, a lot of our spammers are actually pushing themselves as SEO/Marketing consultants. It’s a real, live demo of their marketing tactics: take the client’s $2,500 and pay a spammer in Mumbai $5 to randomly bombard online forums.

    1. It's not precisely on target, but regarding comment spam – this has been my approach to comment spam on the forums at one website I run:

      When we get comment spam, I:

      1) add an entry to the hall of shame
      2) delete the user and all their content (which is normally just one post)
      3) email the address they used to register on the site to say “Thanks for your contribution to the SEO Hall of Shame” along with a URL. Recently, I’ve been including whatever drivel they posted
      4) Cc: a contact address (if I can find one) for the website they were SEO spamming for

      So far, I’ve had roughly 6 companies contact me, apologize and ask to be taken off the list. One even offered to pay to be removed. A couple have asked for copies of what was posted because that would let them track down precisely which SEO “operator” did the task, hence my new habit of including the text in the Thanks! email I send out.

      It's unfortunate that Google doesn't give much attention to pages that are just lists of links :) Someday when I get more time, I'll find a more effective (i.e. in PageRank terms) way of presenting the list.
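The four characteristics the moderator lists above (wrong language, off-topic subject, an anonymous or first-time poster carrying a link, and an ad parked in the profile or username) turn naturally into a triage score. What follows is an added example written for this page; it is not the moderator's tooling and not code from the paper. The stop-word list, the off-topic term list, the "salesy username" pattern, the weights and the three sample submissions are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# A small English stop-word list. Real English comments contain a high
# proportion of these; a comment in another language contains almost none.
# (Assumed list; extend for the forum's actual target language.)
STOPWORDS = {
    "the", "a", "an", "and", "or", "of", "to", "in", "is", "it", "that",
    "this", "for", "on", "with", "as", "are", "was", "be", "i", "you",
    "we", "they", "not", "but", "have", "has", "at", "by", "from",
}

# Terms that are off-topic for the forum being moderated. The moderator's
# example was astrology spam; this list is an assumption.
OFFTOPIC_TERMS = {"astrology", "horoscope", "zodiac", "psychic", "tarot"}

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
WORD_RE = re.compile(r"\w+")
# Handles like "CheapBatteries4U": marketing words or digit runs glued to a product.
SALESY_NAME_RE = re.compile(r"(cheap|best|buy|online|4u|discount|\d{2,})", re.IGNORECASE)


@dataclass
class Submission:
    username: str
    bio: str          # profile bio text (spammers park ads here)
    body: str         # the comment body
    anonymous: bool   # posted without a registered account
    prior_posts: int  # accepted posts from this account before this one


def stopword_ratio(text: str) -> float:
    """Fraction of words that are common English stop-words (0.0 if no words)."""
    words = [w.lower() for w in WORD_RE.findall(text)]
    if not words:
        return 0.0
    return sum(w in STOPWORDS for w in words) / len(words)


def score_submission(sub: Submission) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason mirrors one characteristic from the comment."""
    score, reasons = 0, []
    # 1. Wrong language: any genuine English comment of a few words has stop-words.
    if len(WORD_RE.findall(sub.body)) >= 5 and stopword_ratio(sub.body) < 0.1:
        score += 2
        reasons.append("wrong language")
    # 2. Off-topic subject matter for this forum.
    if any(term in sub.body.lower() for term in OFFTOPIC_TERMS):
        score += 1
        reasons.append("off-topic")
    # 3. Anonymous or first-time poster whose first act is to drop a link.
    if (sub.anonymous or sub.prior_posts == 0) and URL_RE.search(sub.body):
        score += 2
        reasons.append("link from unknown poster")
    # 4. Ad parked in the profile, or a business name used as the handle.
    if URL_RE.search(sub.bio):
        score += 1
        reasons.append("url in bio")
    if SALESY_NAME_RE.search(sub.username):
        score += 1
        reasons.append("salesy username")
    return score, reasons


def is_spam(sub: Submission, threshold: int = 3) -> bool:
    """Triage decision: at or above the threshold, hold the post for a moderator."""
    return score_submission(sub)[0] >= threshold


def classify(subs: list[Submission]) -> list[tuple[str, int, bool]]:
    """Score a batch and return (username, score, held) for each submission."""
    return [(s.username, score_submission(s)[0], is_spam(s)) for s in subs]


# Constructed samples, not comments taken from the page.
SAMPLES = [
    Submission("CheapBatteries4U", "Batteries at www.example.invalid",
               "Günstige Batterien für alle Geräte, jetzt bestellen!", False, 0),
    Submission("anon", "",
               "Your weekly horoscope and zodiac readings are here: http://example.invalid/astro",
               True, 0),
    Submission("dave_g", "Sysadmin, likes coffee",
               "I think the important question is how much duty of care the card networks have.",
               False, 12),
]

if __name__ == "__main__":
    for sub in SAMPLES:
        print(sub.username, score_submission(sub), "HELD" if is_spam(sub) else "ok")
```

The stop-word ratio is a deliberately crude language test: it only works when the forum's target language is English and the comment has more than a handful of words, so for production use swap in a real language detector and keep the stop-word check as a fallback. The score is a triage signal for a moderation queue, not a verdict; the point of weighting "link from unknown poster" highest is that it is the one characteristic the SEO operator cannot avoid, since the link is the product being sold.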

  5. Wow. I am impressed. Both by the study which was able to winkle out all of these details, and by the fact that a supply-chain built for obfuscation and avoidance of liability is able to function so efficiently. yay internet.

  6. I’m one of the many many authors of this paper…

    Nadreck: Exactly.

    Johnnyaction: The ordering was constrained by ethics and legality, thus the orders for pharmaceuticals consisted entirely of over the counter and/or herbal products, software was software that we had permission from the copyright holder etc… So we can’t say whether the mail-order “viagra” is any good.

    Antinous / Moderator: I’m sure some of us would love to look into comment spam, if someone would provide us a feed of it.

    But it is interesting that comment spam is worth real money, since I’ve seen on my own near-defunct blog attempts at comment spam that had to solve captchas, and captchas cost $.0025 or so each to solve.

    1. Thanks for the info!

      Deming would be proud of the JIT in use here.

      Have you considered tracking Facebook spam? I see that some of them use tracking services like who is among us. You can see a heatmap of where in the world people are falling for that particular click spam.

  7. Interesting study. A couple of points.

    1: The shipper of the goods is not normally the manufacturer, but rather a small local pharmacy that gets paid to fulfill the order. Normally many different small pharmacies from multiple countries are used, and they constantly change to avoid detection by customs and authorities.

    2: It is really difficult to say that the actual affiliate program enterprise is located in Russia; rather, like all other steps in this operation, its location is obscured, with Russia being a good ‘front’.

    3: The payment-receiving enterprises are often small businesses that operate in the real world, normally small shops in countries outside G20 nations. As these are real businesses, it makes it hard for Visa etc. to distinguish the ‘spam’ online purchases from regular transactions. Adding to this, Visa etc. are actually multiple organizations operating in many different territories and jurisdictions, often in locations where this type of transaction is not defined as illegal. As such, there is no one universal ‘duty of care’.

    4: If you want to add further detail to the whole process, add the payment and communication flows between affiliate, affiliate program enterprise, payment receiver, dispatcher, etc. You may find that there is extensive off-net communication involved. Perhaps try becoming an affiliate to gain further insight.

    Anyway, just some thoughts. ;-)

    1. For a similar cash flow, I buy a medication that is not covered by my insurance, and as the maker is trying to get everyone to switch to the new (shiny fresh patents) version, it is even more expensive. The new version would cost me $11 a day, the old $22, or I can buy the old version (which I prefer anyway) online in a generic Indian version for around $1.25 a day. I Western Union () the money to an island in the Pacific Ocean, then the drugs are shipped from somewhere else. is a good place to find places that sell, and are reputable.

      I’d hate to have my supply messed up by anti spam efforts.

  8. A guy I know was asking me to build a website for him for this exact thing, generic viagra, cialis etc. His friend apparently makes upwards of 50k per month doing this through suppliers in India with a homebase elsewhere in Asia (he’s American). It seems extremely shady. But I am interested in what johnnyaction says because it begs the question: does this stuff actually work? I’d imagine they’re just sugar pills and any effect you get off them (no pun intended) is placebo. But if they do work, would this then be “ethical”?

  9. They left out the channel that steals the user’s credit card number and sells them in bulk. That’s got to be some of the profit as well.

    1. I figured that was the whole value stream – just steal the card number and make fake charges. I was surprised to see in the report that they actually *received* the products they ordered.

      But then I realized that the spamming does cost some money, so if you have a fish who has responded, you want to get them to buy as much as possible. It’s like any marketing. There are people who probably re-buy for years from a company they only got spammed by once. I always wondered who responded to spam, but I guess if they are getting their pills/product/whatever, then they will just keep at it.

      I do think the report should include theft rates of the card number. If it did and I missed it, apologies.

  10. Wondering if there was an increase after you actually made a purchase? Is there such thing as a sucker list that people get placed on when they take the bait?

  11. imag, etc…: IIRC, there was very little theft rate on card #s. (I was involved in the data analysis and some crawling that ended up not being used in the final paper for space reasons, not the purchasing, so this is from memory.)

    The initial trial was done with common gift cards, and at least one of those got compromised. The later purchases were a distinct # per purchase, and I don't recall if any of those got compromised.

    Remember, a stolen credit card number is worth very VERY little money: there are tons of ways to get them. And there are better sources, as if you can get the swipe track you can make fake cards (eg, compromise a point-of-sale system), but with just the # you can only do ‘card not present’ (aka mailorder) transactions.

    The real value for the spammer is in a full, “legitimate”, $100+ transaction.

    And on a $100+ transaction, if you as the spammer don’t deliver the goods, you get a chargeback and don’t get the money, and too many chargebacks and you lose your merchant account and can’t get any money at all.

    johnnyaction: I know others in our group have looked at twitter spam. The problem with facebook spam for us is getting feeds of it, if someone gives us feeds of spam someone here would probably look into it.

    anon: Several of the biggest programs are clearly run by russians. See Brian Krebs reporting on the subject.

    And these transactions are generally done with the proper merchant/payment type (card-not-present pharma, software, etc…): rejecting them by transaction type would limit disruption.

    E.g. Visa/US banks just reject pharma, software, etc. transactions from the three big bad-guy processor banks, with occasional covert purchases to see if there are new bad-processor banks or the bad-processor banks are allowing their merchants to lie about product type.

    Also, if a “legitimate” business acts to launder credit card processing for others (in clear violation of the merchant agreement), what’s the real harm in shutting down payment on them?

  12. I kinda miss the part where it ends with the spammers are rounded up and then get publicly hosed down with cat shit.

  13. Thank you for this study. I find the result remarkably like broadcast advertising.

    So long as the transaction results in bought goods delivered, it seems these are legal transactions, and therefore legal adverts. Unless laws change to outlaw broadcast advertising (television, radio, etc), I don’t see how these spam campaigns can be legally stopped.

    This leaves the recipient the task of filtering the content–equivalent to using DVRs on televisions, or recording radio broadcasts for later listening, allowing one to skip the adverts.

    Looking at this from another angle, if legislation becomes law, outlawing the use of recording devices on broadcast media (allowing one to skip adverts), I wonder how long it would take for someone to call for the outlawing of spam filters–at least on those spams not proven to be fraudulent?

  14. Dave Gilliam: “So long as the transaction results in bought goods delivered, it seems these are legal transactions, and therefore legal adverts.”

    The bulk of the transactions are illegal: It is illegal to sell prescription pharmaceuticals with no validation of prescription from a random pharmacy drop shipped from India (thus, e.g., the big Google FTC settlement over Google ads for such pharmacies). It is illegal to sell pirated software. It is illegal to sell fake Rolexes.

    The only stuff which IS legal to sell to the US in our basket of spam are the herbal “enlargement” and related products.

    So not only is the advertising DONE illegally (violates even the horribly weak US anti-spam statutes, and largely being sent using compromised hosts), but the products being sold ARE largely being sold illegally.

    1. It may be illegal in the US, but not necessarily in India or wherever. If no prescription is necessary to buy a drug in India (or Mexico, China or whereever) then it’s not illegal for the seller.
      The purchaser might be breaking US law if he is in the US but the seller is not breaking the law because he is not subject to US law.

  15. The result is absolutely nothing at all like broadcast advertising. The fact that something or other is delivered has nothing to do with the legality of the method of advertising. Spam is already totally illegal through the US’s CAN-SPAM law and the equivalent in just about every target nation.

    If spam was on TV there'd be 3 minutes of show, in 10 second blips, scattered through each 1/2 hour of programming and the rest would be advertising for Viagra. What good would your fast-forward button do then? This is already illegal through broadcast standards. Not to mention that the ads would all be inserted by people splicing into the cables between the studios and the antennas of the stations and paying the broadcasters nothing: which is already highly illegal. It is only a technical quirk of the interNet, the possibility of spam filters by the carriers, that keeps e-mail up and working at all; and that's increasingly becoming a losing battle even then.

    It's also illegal to set up bots to call every fax machine in the world and dump out advertising so that every fax machine user has to hire someone to keep the paper hopper loaded 24/7 and then sort out the 10% of the faxes that are non-Viagra related. It's also illegal to set up bots that re-dial you until you listen to the whole spiel so that you can't use your phone for outgoing calls to, say, the fire department or the hospital because the lines are jammed. Especially if the calls are routed through self-installed taps to the trunk lines by people who don't pay the phone companies anything and the cell phone companies have to pay for a ten-fold increase in cell towers to handle the increased spammy traffic. However, in both these cases the technical nature of the phone system makes it easy to track down and stop these activities; as opposed to the technical quirks that make it nigh impossible on the interNet.

    It would also be a bad thing if people broke into the letter carriers' pickup boxes to insert flyers so that they didn't have to pay postage. Especially if this required a ten-fold increase in mailmen to deliver it and dumpster-sized mailboxes for each apartment to hold it. Not to mention that the flyers themselves are being run off by people breaking into printers' shops at night so that they are made at no cost to the advertiser.

    The cost of propagation in a broadcast system, such as TV or radio, is nothing and reception is optional. The cost of propagation in a packet delivery system – such as the post office, the phone lines, and the interNet – is high and reception is not optional.

    You're confusing the products being advertised with the method of advertising. (Although, let's face it, if the products were any good at all they could afford to spend more than the effectively zero cost of spam advertising possible through massive service theft from the carriers.) If they were selling a true cure for cancer at cost, spam would still be objectionable.

  16. If spam was on TV there’d be 3 minutes of show, in 10 second blips, scattered through each 1/2 hour of programming and the rest would be advertising for Viagra.

    Uhhh, have you seen TV recently? That sounds like a fairly reasonable description to me.

  17. I’ve always wondered who (if anyone) buys crap advertised in spam. Now I know, it is spam researchers.

  18. In most of the cases it seems like cutting the VISA -> Bank link will kill the whole ecosystem.

    It’s really not that easy, sadly. A lot of people have made that mistake in the past and gone after the “weak link” in spam, and mostly they’ve been successful, and it hasn’t accomplished anything for the same basic reason.

    Spammers take the path of least resistance. They are stupid and they do the easiest thing they can which actually works. (This is because you have to be an idiot to be a spammer.) In some parts of the system, there are many equally easy things which work; in others, a small number of alternatives are much easier than others (like this business with payment systems).

    The error is in assuming that spammers will always remain this stupid. To be precise: they exhibit the maximum amount of stupidity that still permits spam to function. If you shut down this easy path, then they will become fractionally more intelligent in their approach and take a less easy path. Take out these payment systems and they will use other, more traceable ones – and build enough indirection around them to get the money out without getting caught quickly enough.

  19. Very interesting, very well-researched…but quite useless.

    Perhaps if these researchers had actually spoken with people who have labored in the trenches against spammers for a few decades they would have realized that they have merely captured a snapshot of CURRENT spammer tactics; yesterday's were different, tomorrow's will be as well. Spammers have long since demonstrated considerable ability to adapt, and there is no reason to think they'll lose it. And of course this includes their payment methodology: even shutting off ALL credit card transactions worldwide really wouldn't bother them for long.

    Not to mention: a large number of spammers do just fine without the need for any money processing/laundering. (They always have; their goal isn't profit, per se.)

    This is just the latest in a long series of FUSSP (google it) proposals advanced by people with very little expertise in the field. It may safely be dismissed as a curiosity, no more. The researchers should of course be mortified to have their names on something so flimsy.

  20. I have a suspicion that there is a large part of the economics of spam that doesn’t depend on the sale being made. That is, there is a flow of money between the various elements of the spam network, and not all of that money comes from John Q. Naive-customer.

    I get that feeling because there are many spam messages in my inbox that have no way of ever making a sale.

    I also notice that in my frequent Google searches for obsolete electronic components, there is a large SEO-based presence ( etc.) that has no hope in hell of actually selling any parts to me.

    My assumption is that the affiliate market is operated in an MLM manner, much as Amway. That there is as much money made off rubes hoping to “make money on the Internet” as there are rubes buying “generic Viagra”.

    Am I wrong?

  21. I attended a lecture by a professor who specialized in the study of pollen grains. Pollen grains get everywhere, and by the specific ratio and kinds of the grains you find, you can effectively geo-tag things. He has done work finding the source of fake medications.
    A lot originate out of southern China near the Vietnam border.
    They then propagate through Vietnam and into Thailand.
    You can trace their movement via the changes in holograms on various pack types, as the legit manufacturers change their packaging regularly.
    These fake medications can contain not only nothing, but harmful things. And weird stuff, such as guano (fossilized bat shit).
    This stuff doesn't just end up in foolish people's mail boxes. It finds its way into hospitals.
    You would need something like individual RFIDs for every pack to try and combat it.

  22. rsk: Except for one thing: This class of spam MUST result in sales. I don’t care how it gets through filters, how it is delivered, etc. It MUST result in an exchange of money for it to be done.

    And if you are going to sell to the western nations, the ONLY way to do sales online requires a transfer of money through the credit card system, because that's the only thing supported by legitimate ecommerce.

    And for credit cards, setting up merchant accounts is slow, tedious, and involves significant restrictions to limit other forms of credit card fraud. And we showed that it is easy to trace how these payments flow by just making a few purchases.

    Yes, shutting down the credit-card payment channel can’t stop the 419 spam (to do that, you’d need to get Western Union to cooperate instead) or porn spam (since those are legal products).

    But unless WebMoney or something else like that caught on in the US/EU as a payment mechanism for normal ecommerce, this huge class of spam is inherently vulnerable to being attacked on the payment front.

  23. I work in the email/antispam industry. A former boss of mine used to work for a law firm that sued spammers. As part of her job, she would routinely purchase fraudulent pharmaceuticals from spammers and have them tested in the lab to find out what they contained.

    The results were all over the map. Some pills were virtually identical to the ones you get in the store (factories fake their nightly shut down and use black market ingredients to produce pills with the same machinery as is used for the real thing), and others are basically some crushed black market Viagra and sawdust or worse.

    The real problem with this stuff is that it will all work alright, but some of it will probably kill you in a couple of years and you'll have no idea. (Remember the melamine in the pet food a few years ago? That stuff is really cheap filler. I bet that gets you hard.)

    One of the things that is so vile about this industry is that it takes advantage of male insecurities. If you have erectile dysfunction, GO TO A DOCTOR. I guarantee that any embarrassment you might feel is going to be better for you in the long term than what you might potentially get in a pill from the black market.
