Guest post: Gadi Evron is Security Architect for Afilias global registry services and recognized globally for his work and leadership in Internet security operations. He is the founder of the Zero-Day Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing.
Working in the Israeli city of Netanya, next door to our offices was a spam operation with roughly 30 employees. One day they weren't there anymore.
They were blog comment spammers, but officially were doing Search Engine Optimization or SEO. Instead of optimizing content, they posted illicit comments on many blogs with commercial or misleading messages leading to their clients' web sites, mainly for the purpose of increasing their clients' web sites visibility in search engines such as Google. They would do this using an illegal tool such as botnets, and make quite a bit of money.
The reason for their disappearance soon became clear; nearly all their clients were gone. A law was passed in the United States which addressed online gambling operations ("Unlawful Internet Gambling Enforcement Act" - UIGEA). As a result, the public gaming industry ceased accepting online wagers. More than that, UIGEA addressed processing payments to and from Internet gambling sites. In a day, most of US-based gambling web sites ceased to exist (others moved over-seas, although quite a bit of the world's credit processing is done by US firms). This effectively caused the death of numerous black hat SEO companies--comment spammers. Perhaps the UIGEA measure against processing of payments proved too difficult to overcome. Not being a lawyer I can't say exactly how UIGEA caused this death. No matter, US online gambling operations were effectively destroyed.
Spam decreased. The underlying cause for that was that the clients weren't there due to the inability to process payments because of the online Casinos law.
Not only black hat SEO companies suffered, many spam operations lost clients. There is nearly no more Casino spam in our mail inboxes. Isn't that grand?
Unrelated to Casinos, I sat down for dinner with local anti spam professionals in Toronto while visiting and a nice capable guy named Michael Ellis mentioned the following to me. The mortgages market in the United States underwent serious economic changes with the sub prime mortgage collapse. Suddenly, spammers lost even more clients when several major subprime mortgage lenders closed shop or filed for bankruptcy (some with fraudulent income reporting allegations hovering over them). Other large lenders such as Countrywide Financial and Citigroup suffered from drops in stock prices. We nearly never see any mortgage spam in our inboxes anymore. Isn't that grand?
Spam decreased. The underlying cause for that was that the clients weren't there. The underline cause for that was the mortgage business changed.
The first test case above has to do with legality. The second has to do with market tides. What both of these come down to is that when the economic drive behind spam is removed or, more to the point, the means by which payments can be made is not there, spam is no longer there. Finding new clients for spammers isn't incredibly easy as while spamming may not be as illegal in the US, as many of us would like it to be, and is illegal in the EU, Japan, etc. The activities that spam pushes are, in many cases, completely outside the boundaries of law with much heavier penalties.
While these illegal activities fuel spam, spam fuels illegal activities such as phishing and fraud to name just two, which, in turn, fuel the original illegal activities fuelling spam. It's a cycle.
What can we learn from this and how can we replicate these unintended consequences of success?
Looking at another type of spam known as "Canadian pharmacies" (or Pharma-spam), where US residents are tempted with cheaper drugs supposedly imported from Canada, it is once again an economic drive which in turn drives the business of spam.
The business even makes sense. It costs quite a bit to buy drugs inside the US, why not import it? Thing is, it is an underground operation which means that these drugs are not necessarily what they were advertised to be, causing an unnecessary health risk (and cost). Further, it causes the spammers and their clients to perpetrate fraud, as these sales are never reported, and, needless to say, taxes don't get paid.
Perhaps the next step policy makers should take is to work to change this economy, possibly by legalizing and regulating drug imports of this kind; but, I am far from an economic or legal expert. More to the point, they can make the act of processing funds for this type of operation illegal.
As an alternative, perhaps the health risk will cause insurance companies to research this and lobby for the same which does not seem likely as health research is a long process. I am unsure pharmacy spam is even on the insurance industry's risk radar yet. I am a born optimist, though.
As a third possible alternative, maybe the national pharmaceuticals will lobby for some new law, to protect their business. More specifically, they'd lobby for disallowing payment processing for this type of operation. Who can tell?
It seems that whenever a certain wide-audience requirement is very costly, or illegal, snake-oil fraudsters will pick it up and create an underground economy for it. It is possible our next step in fighting spam should be to research and list these underground economies taking advantage of people by the use of spam, and fight the underline cause, the clients who traffic and sell the illegal goods, playing the economic game.
Find the criminals who pay spammers, and don't pay taxes, then release studies on it, inform the correct lobbyists about it, or maybe write your congressman. Hey, it worked for jailing Al Capone.
I wonder what this type of thinking will lead us to when considering Viagra spam (which usually doesn't really sell Viagra, but rather alternatives), or woman trafficking (Russian wives, and similar). Nothing is ever a one-off silver bullet.
As to predicting what would hit us next, a downturn in the economy, less value in U.S. dollar, etc. has seemingly resulted in an increase of "make extra money now" and "find your dream job" types of spam. What would be the next big wave?
A long time ago I heard somebody say they asked a corporate take-over lawyer on how he'd take down spam. He said: Legalize and regulate it. It seems like he was right, just on a deeper level.