Tracking Spam: One Man's Adventure

by Chris Josephes

Mark Wade wrote a firsthand account of tracking a purchase that was originally solicited by a spam email.

There are a couple of points where the article is vague on technical details, but I'm probably not the intended audience. I found the article to be informative, but it also left me with more questions.

First, I wanted more details on the domain registrations that were encountered along the way. Are the domains still active, or are they on administrative hold? I'm wondering if spammers pay for domains with stolen credit cards, knowing they may only have a couple of days to use it; or if they keep a cache of domains that they cycle through, and just move the site contents from domain to domain.

Second, the article mentions that somewhere along the chain of purchasing his item an SSL certificate was encountered. A certificate from a trusted CA is a little harder for a spammer to get than a domain name. Remember, the whole point of SSL certificates is to make Internet commerce safe, and to give consumers confidence through a system of verifiable trust: a CA vouches that whoever holds the private key also controls the name in the certificate, and, for higher-validation certificates, that the named organization exists. Unless the cert is free, payment for a certificate is up front, and the certificate itself should carry accurate owner information. The author never mentions who the signing authority was, what name the certificate was issued for, or whether the browser reported any signing errors. A self-signed certificate, or one that does not match the site's hostname, tells a very different story from one issued by a well-known CA.
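As an added example (mine, not code from Mr. Wade's article or from this post), here is the kind of certificate check I would want reported for a site reached from a spam link: who issued it, what name it is for, whether it is still valid, and whether the chain actually verifies against a trust store. To run offline it generates a throwaway self-signed certificate for a made-up hostname (example-spam.invalid is an assumption, not a domain from the article); against a real site you would first capture the certificate with `openssl s_client -connect host:443 -showcerts` and point the same functions at that file.

```shell
#!/bin/sh
# Added example: inspect a certificate the way a CA-sceptical reader would.
# Uses only the openssl command-line tool; no network access is needed.

WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"

# Constructed test input: a self-signed certificate for a hypothetical hostname,
# standing in for what a throwaway commerce site might present.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$KEY" -out "$CERT" -days 3 \
    -subj "/CN=example-spam.invalid" >/dev/null 2>&1

# Who the certificate claims to be for.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Who vouched for it. For a self-signed cert this equals the subject, which is
# the first thing to notice: nobody independent validated anything.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Prints "yes" if issuer and subject are identical (self-signed), else "no".
# The prefix is stripped so the comparison works across openssl versions.
cert_is_self_signed() {
    if [ "$(cert_subject "$1" | sed 's/^subject=//')" = \
         "$(cert_issuer "$1" | sed 's/^issuer=//')" ]; then
        echo yes
    else
        echo no
    fi
}

# Exit status 0 if the certificate is still within its validity period.
cert_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Exit status 0 only if the chain verifies against the system trust store
# (or the CA bundle given as $2). A self-signed cert fails here unless you
# hand it in as its own trust anchor, which is exactly the "just trust me"
# situation a browser certificate warning is about.
cert_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Human-readable summary of the checks above.
report() {
    echo "subject:     $(cert_subject "$1")"
    echo "issuer:      $(cert_issuer "$1")"
    echo "self-signed: $(cert_is_self_signed "$1")"
    if cert_unexpired "$1"; then echo "expired:     no"; else echo "expired:     yes"; fi
    if cert_verifies "$1"; then echo "chain ok:    yes"; else echo "chain ok:    no"; fi
}

report "$CERT"
```

The report for the constructed certificate shows a subject equal to its issuer and a chain that does not verify, which is what a spammer's hastily set-up site would look like if it simply generated its own certificate. A real CA-issued certificate would name the CA in the issuer field and pass `openssl verify`; whether that CA did more than an automated email-and-phone check is a separate question, and is the one the comments below turn to.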

Third, he mentions a tracking log for the package, but does not reveal which shipping company it was. Since the package never arrived, I'm left wondering whether the entire log was a fake. Usually, a shipping company cannot provide tracking information for a package once it has been handed off to another carrier. For example, a tracking number for something shipped via Canada Post isn't much help once the parcel is handed off to the US Postal Service for its final delivery. The log shown in the article mentions multiple hops in China, and multiple hops in Virginia. Was the comment about the package being lost in the USPS a real loss by the post office, or sarcastic wit?

Compromising hosts to send spam is pretty easy, but setting up an actual commerce website to handle transactions risks more exposure. If a spammer really wants to make money this way, there has to be a path leading from the victim's payment back to the criminal.

At the same time, the other companies involved in the purchasing process create more leads: domain registrars, web hosting providers, certificate providers, shippers, and credit card processors. As a consumer, I would find it more interesting to know which of these vendors have the longer track records of dealing with spammers. Are these companies being duped, or are they more swayed by easy money than by building consumer confidence?

The original title of Mr. Wade's article was "Following the SPAM", and in that regard he seems to have done a good job. As a follow-up, I would recommend a more detailed investigation, and repeating the advice once given to Woodward and Bernstein: "Follow the money."

4 Comments

Saint Aardvark
2007-10-29 06:12:54
Thanks for the pointer to the article -- interesting stuff.


At my last job, we needed to get an SSL certificate. I was anticipating a lot of hoops to jump through to prove our bona fides...notarized copy of a business license, or at least a letter from the CEO on letterhead. Instead, I think we got an email with a verification number, and a few minutes later we got a phone call on the contact number we'd listed, with a machine at the other end, and we had to type in the verification number. After that (and after the credit card charge went through), we got our cert. It was all very underwhelming.

Chris Josephes
2007-10-29 06:23:37
Instead, I think we got an email with a verification number, and a few minutes later we got a phone call on the contact number...


Ten years ago, I thought that would have been a cool process. Tying an email address to a phone number is a pretty good step, but cell phones have become as disposable as HotMail accounts nowadays.


The last time I bought a SSL certificate was about four years ago, but it was a pretty detailed process. There needed to be some effort of coordination between the business owner, and the site hosting company. I haven't had a recent reason to purchase any certificate upgrades lately.


Dave
2007-10-29 15:19:53
I have purchased SSL certs with the same process but the email address had to be at the same domain that the cert was for, or at least the email of the contact listed in the whois for the domain the cert was for.


Some cert authorities also provide some sort of promise that the business is legit and won't rip you off but the actual cert doesn't differ. There's no practical reason to go down that path.


I was frustrated with Mark's efforts as well. It started so well and then just finished before any resolution had been reached. In the end, I have a little more information than I did but I have so many more questions that are unanswered.

Chris Josephes
2007-10-29 18:17:20
I have purchased SSL certs with the same process but the email address had to be at the same domain that the cert was for, or at least the email of the contact listed in the whois for the domain the cert was for.


The last vague process I remembered always involved a process that included faxing (or mailing) a company's letterhead. Back then 95% of the certificates I dealt with were from Verisign.


I'll consider the process an honest effort (I'd even say the same for the phone verification scheme), but I'm not sure if I'd say it's a diligent effort. And once that certificate gets issued, it's good up until the expiration day. There's no easy way for the CA to put the genie back in the bottle. Well, there are revocation lists, but they don't seem to be used too often in the wild.