For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of
spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term,
spamalytics, to describe their work.
Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages.
The hope, the scientists said, was to find a choke point that could greatly reduce the flow of spam. And
in a paper to be presented on Tuesday at the annual IEEE Symposium on Security and Privacy in Oakland, Calif., they will report that they think they have found it.
It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.
The researchers looked at nearly a billion messages and spent several thousand dollars on about 120 purchases. No single purchase was more than $277.
If a handful of companies like these refused to authorize online credit card payments to the merchants, youd cut off the money that supports the entire spam enterprise, said one of the scientists, Stefan Savage of the University of California, San Diego, who worked with colleagues at San Diego and Berkeley and at the
International Computer Science Institute.