What happens if you respond to spam?

While doing some spam research a couple of years ago, we did a series of test purchases from spam e-mails.

We bought pills, software, cigarettes, et cetera. We were a bit surprised that almost all of the orders went through and actually delivered goods. Sure, the Windows CD we got was a poor clone and the Rolex was obviously fake, but at least they sent us something.

We were carefully watching the credit card accounts we created for our tests but we never saw any fraudulent use of them.

The most surprising outcome from this test was that we didn’t see more spam to the e-mail addresses we used to order the goods.

Via Eapen Thampy, the link is here and they cite a new study on spam (pdf), which is interesting throughout.  How does the financial side work?

One of the most interesting details in the study is this: almost all spam sales worldwide are handled by just three banks.

The banks? They were:

•  DnB NOR (a Norwegian bank)
•  St. Kitts-Nevis-Anguilla National Bank (in the Caribbean)
•  Azerigazbank (from Azerbaijan)


Talk about irony, I still haven't received anything from three genuine websites I ordered from over a month ago. Might be time to take a look in my junk folder

The sample size could have used some enlarging.

Just 3 banks? Sounds like an under-tapped financial sector.

I've always wondered why going after the banks wouldn't stop spam. And now see there are only three of them! Another reason not to trust supposed experts.

The spammers might just move to different banks.

Although playing whack-a-mole with banks is surely a lot easier.

Until they start accepting bitcoins. Uh oh!

I'm one of the 15 authors of this paper.

Rahul: Actually, it says that "these guys are scum, and not worth much money, so hardly anybody wants to deal with them". In fact, DnB NOR has already terminated the offenders. "We bought a bank this winter which had a customer engaged in spam activity. This company is no longer one of our customers." https://twitter.com/#!/dnbnor_hjelp/status/73305600066461696

rh: We only buy over the counter stuff for legal reasons. When we tested a sample of generic Zyrtec, the active ingredient was correct and in the correct quantity, BUT this says nothing about all the "inert" ingredients which may matter. AND their prices are actually rather high for all but the Viagra etc...

Burn them! Burn them to the ground!

This is what flash mobs are for.

really interesting, if banks have rules to minimize money laundering....something similar can be done about payments for counterfeit products (spam advertising)

I never thought about the idea of just using a prepaid Visa Card to make these transactions. At the very least, that would limit you to simply losing your money if they ripped you off.

Actually, most prepaid cards (the kind you buy anonymously at the supermarket) don't work. Due to recent federal regulations, normal prepaid card's can't be used for card-not-present transactions to non-US destinations (to prevent money laundering).

We used special corporate prepaid cards which, because they are tied to actual identities, can be used for such transactions.

How about paypal?

Hey, it all works out. One bank for Latin American smugglers. One bank for Russian mobsters. One for European hackers.

I bet all the Triads in Hong Kong see spam as too low in marginal value to devote much time to.

This shows which they last very much lengthier and thus saving you income which could otherwise are actually utilized to purchase new ones.

@Nicholas Weaver: Have you tried inquiring the banks to learn about the volume of the transactions?

Not that way, but wait for our upcoming Usenix Security paper: "Show Me the Money: Characterizing Spam-advertised Revenue"

We have a pretty good handle on the size of the business as well as what people select to purchase.

For the sake of accuracy, the bank accused of processing payments to spammers is DnB NORD and not its parent company DnB NOR.

For those familiar with the Latvian banking system, it comes as no surprise that a legitimate bank in Latvia would be processing spam payments. Latvian banks are generally reliable but have poor internal controls. If you are conducting some sort of illicit activity anywhere in Europe, Latvia is a great place to bank, because your money will not get stolen and no one will ask too many questions. Perhaps this is best illustrated by the current turmoil in the country over the parliament's selection of a former banker as successor to the current president. The current president has been at loggerheads with the parliament over its attempts to block a corruption investigation into a number of current and former MPs. The solution that the parliament came up with was to replace the president with someone who would not ask too many questions. In Latvia as everywhere else, the right man for such a job is a banker.

Comments for this post are closed