Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Spam The Almighty Buck The Internet IT

A New Approach To Reducing Spam: Go After Credit Processors 173

WrongSizeGlass writes "A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think found a 'choke point' [PDF] that could greatly reduce the flow of spam. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies — one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. If a handful of companies like these refused to authorize online credit card payments to the merchants, 'you'd cut off the money that supports the entire spam enterprise,' said one of the scientists." Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."
This discussion has been archived. No new comments can be posted.

A New Approach To Reducing Spam: Go After Credit Processors

Comments Filter:
  • So, they will just open new credit card processors, or worse yet, start spamming random websites to get them shut down? Great way to take your competitor down.
    • by spun ( 1352 )

      Well, the way I see it, we have two choices: make some laws and put some cops on the most effective beat we can; or we can accept that we will not regulate this area of human interaction and live with the consequences. On the gripping hand, there is always the avenue of educating the populace. My credit union has signs up for people to read while waiting in line laying out how to detect and avoid problems with online scams and spam.

      Regulate and you have the problem of regulatory expense and potential for ca

      • If your group gets branded 'spammers' unfairly, who do you appeal to, and how?

        The people themselves. Via unsolicited mass e-mailings.

    • by Fjandr ( 66656 )

      start spamming random websites to get them shut down

      Only if those websites also happened to use the same shady credit card processors. Which is not likely.

  • 95%? (Score:5, Informative)

    by superdave80 ( 1226592 ) on Friday May 20, 2011 @06:34PM (#36197322)
    Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

      Which the article mentions and states that it would result in increased costs for the spammers.

      • by L0rdJedi ( 65690 )

        Only temporarily. Once a massive amount of transactions starts to go through the new payment processor, the payment processor will likely start offering lower prices to everyone which would end up driving the cost down.

    • Possibly because 95% of the spammers have tried other services but were only accepted by these three. If they were cut off by these three they might not be accepted by other vendors and their money would be cut off. Maybe the other 5% are just operating low volumes and under the radar.

    • Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

      Look deeper. The only thing this proves is there are still that many gullible idiots out there who will gladly swipe a credit card for magic penis enlarging cream.

      It really is sad when spam can't die due to lack of profitability.

    • This has been a strategy for a while now, look for ways of making the business of spamming more expensive. And there's all sorts of things that can be done, such as switching to a greylist, cleaning up malware infestations, shutting down ISPs that look the other way to spam complaints and other such things. The goal with that isn't so much to shut it down, but it's to make it so expensive that hopefully it will be less expensive to conduct email marketing legally.

  • Fight Fire with Fire (Score:5, Interesting)

    by retroworks ( 652802 ) on Friday May 20, 2011 @06:34PM (#36197326) Homepage Journal
    I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.
    • With what? Fake credit card numbers? They'll immediately be rejected by the system.
      • by FudRucker ( 866063 ) on Friday May 20, 2011 @06:43PM (#36197422)
        but not just one fake credit card number, send them billions or trillions of them, just flood their system to the point that the credit companies just throw in the towel and refuse to process products advertized by spammers, spam the spammers, give them a large heaping helping of their own medicine...
        • That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

          • by bleble ( 2183476 ) on Friday May 20, 2011 @06:53PM (#36197526)

            That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

            Sure! Just post your credit card number here and everyone promises to filter it!

          • by Anonymous Coward on Friday May 20, 2011 @06:58PM (#36197566)

            Next possible spam :

            Hi, we are a new anti-spam group generating random cc to bring down spammy sites. We want to ensure your card is not billed accidentally. Please send us your valid credit card number so that we can filter out yours.

            Thanks
            Anti spam group

          • That's fine, as long as you filter MY credit card number out of your random number generator, thank you very much.

            While I seem to recall that someone actually did this - randomly generated loads of credit card numbers for billing to a sex site, and hoped that most people would be to embarrassed to complain about a $9.95 charge for wierdsex.com; if credit card processors simply ignored bad cards and paid the good ones if you submit a massive amount of transactions there's o need for spamming. Criminals would simply push thousands of card numbers through since even if only 1% were good that's still potentially a lot of

        • by rickb928 ( 945187 ) on Friday May 20, 2011 @11:58PM (#36199536) Homepage Journal

          Don't bother. The processors have fraud detection systems that are sensistive to a few card numbers. Any processor tryng to spam the actual issuers will find out quickly it won't work.

          Really.

          But going after the few processors that serve the majority of spammers is not impossible. Perhaps better to answer the spam and buy stuff, then dispute the charges, and taint the spammers so much that the processors have to give up on them. And the spammers won't be able to just move to a new processor - they tend to share data on deadbeat 'merchants'.

          Except this doesn't work well enough to deal with the offshore poker houses. Better to get the spammers labeled as illegal. Card issuers hate that.

          Good luck. I'm not hopeful.

      • Do not ignore the obvious: DDoS. Try to get your server to process a few million requests per second. Can do that? Try a few billion. At some point, your expense to run the server gets out of hand.

        • With spammers you don't need to go that route. Because they typically have more capacity to send than to receive, routing one unsubscribe request per spam received is frequently enough to take down their website. Sort of a slashdotting of the site. And even if the site doesn't go down, it definitely cuts into their profits to have people not only not buying, but expending resources in their quest to not buy.

    • by Ruke ( 857276 )
      Where's the money in that?
    • Spammers with captchas? Inglip will approve.
    • by _KiTA_ ( 241027 ) on Friday May 20, 2011 @07:12PM (#36197708) Homepage

      I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

      Because one is legal, the other is not.

      We worship Capitalism in the west, as much if not more so than freedom. While distasteful, spam is pure Capitalism -- people do it cause it works. Intentionally flooding the system with fake orders goes against the holy tenants of Capitalism, ergo, it would not only be illegal, it would be actually investigated. Rule #1 of America, you never get in the way of someone making money.

      (Rule #1.1 is "Unless someone making more money objects," of course.)

      • What makes you think that placing fraudulent advertisements is legal? At best they are inducing their customers to commit crimes.

    • It would congest servers and conventional anti-spam measures, a.k.a. a bigger fire.
    • Blue frog was having some luck doing something along those lines. Basically whenever a subscriber got an email from a spammer, they would send one unsubscribe request to the ISP for the whole group. If that failed, they would instruct the client to leave a generic opt out at the advertised website. And the total number of requests would typically overwhelm the server as most of the spammers were using botnets to send the spam, but only a small number of servers to actually take orders. Which was totally leg

      • I understand they gave up when certain spammer organisations told them to - "or else".

        The BlueFrog company (BlueSecurity) was DDoSed regularly, and spammers tried to do the same to BlueFrog members.

        I think the way it was shut down says more about its effectiveness. You can't run a spam business if you get 1 response for every spam email you send out, you just couldn't filter out the people who really did want herbal creams from those who sent in fakes.

        But again, it shows that the way to stop spam is at the

    • by eexaa ( 1252378 )

      Now you've invented that.

      Peace Through Superior DDoS Power!

    • The best way to fight spam is still to "steal back" the time the spammer has stolen from you. Just order a product with a wrong credit card number. Let the spammer take some time figuring it out. Then contact him, ask him some questions, etc... keep him on hold for some time. If everybody did that, then there would be no spamming at all.

      • Or better, place an order for an "erectile enhancement kit" you read about in your email, with your own credit card number. Use the credit card company's address as the shipping address. Then call the credit card company and declare that an unauthorized payment has been made, and make them roll back the transaction.

        • Or better, place an order for an "erectile enhancement kit" you read about in your email, with your own credit card number. Use the credit card company's address as the shipping address. Then call the credit card company and declare that an unauthorized payment has been made, and make them roll back the transaction.

          Isn't that fraud?

  • Like they wouldn't go to another provider... much like they do now if they get shut down.
  • by Ruke ( 857276 ) on Friday May 20, 2011 @06:40PM (#36197382)

    The study identified 3 top payment-processors for spam sites. Surely these processors aren't the weak link; their business model is to process payments for spammers. You can't simply ask them not to process spam payments - there is a financial disincentive for them to do so.

    We could move one rung up the ladder, and ask Visa and Mastercard not to authorize any paments to these top-3 processors. However, we've just "widened" the narrowest point, plus, these companies have a financial incentive to grin and pass the buck. Maybe less so; I'd be interested in the number of consumers who later try to contest these payments, but I'm willing to bet that dealing with fraction of unhappy customers now is less expensive than the net amount the credit cards pull in while processing these shady payments. Otherwise, Visa would have done something by now.

    • by bleble ( 2183476 )
      I don't even think the number of unhappy customers is that big. They do actually send the products you order. It's just the patent-holding pharmaceutical companies that are unhappy with people ordering cheaper drugs from 3rd world countries.
      • Unfortunately, that's typically not true. They do actually send products, but they're frequently tampered with and contain little if any of the ingredients promised. Which means that not only are the people paying money for less than what they were wanting, they might end up with dangerous drug interactions when the medication isn't what they think it is.

        Additionally because these firms don't employ doctors or pharmacists there's no way of knowing what sorts of dangerous side effects are going to be over lo

    • by Dahamma ( 304068 )

      Actually, moving up to the credit card companies would hugely narrow the bottleneck. You convince VISA, Mastercard, Discover, and Amex to adopt a policy of refusing transactions from any institution knowingly processing spammers' requests, and you're pretty much done. Convincing all of the random shady "banks" around the world to do the same would be a LOT harder (until they lose all credit card processing capability unless they comply!)

      I do agree that if they really cared, the problem would already be so

      • They already refuse to process payments to Wikileaks.

      • by plover ( 150551 ) *

        Actually, moving up to the credit card companies would hugely narrow the bottleneck. You convince VISA, Mastercard, Discover, and Amex to adopt a policy of refusing transactions from any institution knowingly processing spammers' requests, and you're pretty much done.

        Let me see if I understand this idea well enough to hear one side of the phone call.
        Us: "Hi, Visa, it's us, and we're fighting spam. Please shut off these following merchants who sell via spam."
        Us: "Why yes, we do believe you're correct in that they do $80,000,000.00 per year of business with you."
        Us: "Yes, we know you take 3% of that money in interchange fees."
        Us: "Well, no, we're not going to make up the $2,400,000.00 in lost revenue, we just want you to help us end spam."
        Us: "Um, because you care abou

        • by Dahamma ( 304068 ) on Saturday May 21, 2011 @12:24AM (#36199666)

          Yep, that's exactly what would happen when you ask them to voluntarily lose revenue for the sake of general goodwill.

          If, however, you make it illegal to knowingly process payments from a merchant using (already illegal) spam to generate sale (after proper notification from a government entity), that would be a different story.

          Here's how a similar process already works today:
          US govt: "Here's the merchant number of an organization that may or may not be funding terrorist organizations. Shut it down."
          [...approximately 2.5 seconds later...]
          VISA: "Done! Would you like us to destroy their credit rating and kidnap their dog as well?"

        • simple bank/credit card organisation gets its credit license taken away if they don't play ball - or have Sir Humphrey have a quiet word with the Banks CEO (or his wife) pointing out that if they don't play ball they wont get a K (a Knighthood) for services to industry when they retire.
      • Where? COngress, that s where!

        The problem is not solved because Congress is populated by spineless morons. As I have posted since t'Internet was Arpanet: if it looks like a duck and quacks like a duck, you need to stop voting for it!

  • by amicusNYCL ( 1538833 ) on Friday May 20, 2011 @06:41PM (#36197390)

    If a handful of companies like these refused to authorize online credit card payments to the merchants

    You suggest that as if this specific activity was not these people's business model. A credit processor in Azerbaijan doesn't just one day decide to start processing spam purchases, they open their business specifically for that purpose. Good luck getting them to switch business models just because you want them to.

    • by insecuritiez ( 606865 ) on Friday May 20, 2011 @07:07PM (#36197672)
      Yes it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank. In fact, there is a "Merchant Category Code" (food, entertainment, drug stores and pharmacies, etc) that the credit network requires be on each transaction and requires to be correct. The credit network or issuing banks don't have to stop all credit transactions to the offending acquiring banks, they can just stop drug stores and pharmacies transactions. You should read the paper.
  • Hilarious (Score:5, Insightful)

    by airfoobar ( 1853132 ) on Friday May 20, 2011 @06:42PM (#36197402)
    This approach is already being used against the "evil pirates", but they haven't even gotten started on the spammers. Getting their priorities straight: they go after the teenagers sharing music first instead of the real criminals sending out phishing emails, viruses and shit like that. FTW.
  • by nweaver ( 113078 ) on Friday May 20, 2011 @07:01PM (#36197592) Homepage

    I'm one of the MANY coauthors of this paper. Myself or others will try to answer questions in this thread.

  • Your post advocates a

    ( ) technical ( ) legislative (X) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    (X) No one will be able to find the guy or collect the mone

    • ( ) You read the paper
      (X) You did not read the paper

      The paper specifically covers merchant relationships with acquiring banks and credit processing. Purchases were done to track the credit processing. It isn't possible to anonymously spoof that. Also, stopping the transactions is more legislative than market-based.

    • (X) No one will be able to find the guy or collect the money

      Visa international (the folks at visa.com) could easily work into their merchant contracts language forbidding such transactions
      they could then generate card numbers to accounts that don't exist but would processes
      they could then order things advertised via spam from honeypots setup
      they could then shut down the individual merchant, or processor, based on history

      they can be found.

      In fact, individual merchants can have their account discount rate ch

    • In the original article, or in the NYTimes version I read, the number of email per order was something like 12.8 million email So, if you charged even 0.001 penny per email, you would completly shut downn spam. Since email goes thru the web, which has ISPs and routers and so forth, I really don't see an implementation problem
    • sending email should be free
      why ? your assignement is to write a 500 word essay defending the proposition that email should () shouldnot (X) be free.
      I mean, why ?
  • It's a great idea to go after payment processors. I bet it could stop a lot of spam.

    But there's a lot more spam besides the ones that try to sell you something quasi-legitimately. Going after payment processors won't do anything to stop phishing attacks, lottery scams, Nigerian scammers, porn ads, wacko conspiracy theorists or questionable "newsletter" subscriptions. Also, the big spam rings will take advantage of dumb spammers who don't realize they'll get cut off for spamming. Unfortunately, there is

  • I've been saying for years that the only way to stop spam is to go after the money that keeps it going. I have the comment history here to back that up, as well.

    However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless. I've seen plenty of them in the past, and the result is questionable at best. People who dislike spam won't see it, and those who buy spamvertised products will just be confused by it.

    Regardle
    • However, whoever wrote this summary got one thing wrong at the end. A "Joe Job" - sending out fake spam to smear someone you dislike - is useless.

      I submitted the story but did not write the following:

      Frequent Slashdot contributor (and author of a book on Digital Cash) Peter Wayner wonders if "the way to get a business shut down is to send out a couple billion spam messages in its name."

      The above was added by the editor. The article and linked PDF are about cutting off the payment processing for those selling the "spammed" products in order to indirectly reduce the amount of spam. They are not about going after companies who send the spam (either under their own name or those of others).

    • by Lehk228 ( 705449 )
      Spam filters that bot respond with junk data to disrupt spam sites
  • by PPH ( 736903 )

    Are these three credit card processors in cahoots with the spammers? Or are they being used only because they are cheap? How much of these three processors' business is derived from spam (95% of spam transactions doesn't mean the same thing as 95% of these processors business is derived from spam).

    What, legally, can one do to prevent other payment processors from picking up the slack? Legitimate business is legal and, as a payment processor, how do I know the transaction originated from spam? Why should I

    • Their damn problem if they get cut off. By staging examples and publicizing them, other companies will stop working for spammers.

      A similar method is used against drug dealers in some countries - deal 15g of hard stuff, get an appointment with the hangman. And drug dealing is harder to catch than spam-based credit card processing.

      • by PPH ( 736903 )

        And drug dealing is harder to catch than spam-based credit card processing.

        I disagree. There is no way of identifying a legal commercial transaction as having originated from a spam message.

        We could demand that credit companies refuse to process any transaction from vendor that uses spam. But then I could put your company out of business by generating a bunch of spam pointing to your web site. And then have you blacklisted.

  • Hasn't Gmail more or less made the problem obsolete? Or am I supposed to shed a tear for people who willfully refuse to use freely-available tools that already do the job they're struggling with?

  • People are taking an enormous risk purchasing these products. So make the risks seem so high they justs wont do it.
    1. They never got what they ordered.
    2. They got sugar pills.
    3. They got mislabeled pharma that fucked them up. Heart meds, psychotropics
    4. They got their card defrauded.
    5. It got sent to their next door neighbor
    6. They got something instead that was really illegal and they got arrested, lost their job, etc.
    7. It was a mega-dose and they had to go to emergency. And then had t

  • handled by just three financial companies â" one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies

    Please point more specific to where the Danish company is identified, because I can not find the word Denmark in the PDF paper, but I can find both Nevis and Azerbaijan.

  • 10 years ago I heard "we are out of business, mastercard stopped processing for online casinos" from a friend. Then Visa followed, then "alternative" and "high risk" processors pop up. Sure it will make it a little harder for them, and the weak will fall, but the big ones stay, There are also legit stores who use affiliates, who are a competitive bunch. Some of them wealthy, some of them tech savvy. They will click the crap out of competitor's ads (with bots they buy, hire or develop, and they will sometim

    • Have you not seen the bilion dollar case the DOJ is going after Google with for selling pharma ppc adverts.
      • by dindi ( 78034 )

        No. Too much work, then family, then hobby project, then sleep then goto 1.

        Interesting, just googled it. But Google is a legit company anyway, they won't go to "high risk" processors to do fishy business that way.

        BTW google does not serve bootleg pharmacy ads for a looooong time, they had an approval program 5+ years ago to advertise pharmacies that require a real prescription, not some pillpusher fresh doctorate from the countryside, writing 1000+ from a basement.

        The real sad thing about this, is that the

  • that if I want to profit from spam with no risk, then I should open a credit-card processing center in lower Buttfukkistan. Hmm... Interesting idea.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...