It seems like it should be easy to trace spam and phishing attempts to their origin. Sometimes it is, but it's often a very complex and costly process.
Can you explain why the authorities of law and order are unable to find and stop the phishing crooks? Surely there must be an address that can finally be tracked back to them? Or by "responding" to them and following the steps of the reply to see where it finally ends up?
I can feel your frustration. Seems like with all this technology we should be able to do something about the spammers and scammers of the world, right?
Apparently it's not that easy.
I certainly won't claim to have the answer as to why it's so difficult, but I can certainly throw out some ideas.
Remember first that spamming (and phishing) are so prevalent because they work. Enough people buy from spammers and fall prey to phishers that it's worth their time and effort to blast the planet with their garbage.
So, why can't we stop them?
Follow the Email Trail
Your idea is a good one, in concept. In theory one should be able to back-track email to where it came from and then prosecute, or at least block, that source.
And, in fact, the blocking part of that is done quite frequently. There are already "blacklists" of IP addresses which have been known to send spam. Email providers can sign up to use those blacklists to reject any or all email that originates from those servers.
There are two problems: false positives, and bot nets.
These blacklists are usually managed by volunteers, and often folks we might consider vigilantes. As a result the process to get on the list is easy: look like a spammer. The process to get off such a list is often non-existent. So if a spammer stops using a given IP address because it's been blacklisted, and that IP address is then assigned to someone else - someone legitimate - they may "inherit" being on that blacklist. And there's nothing that they can do about it.
This happens so often that most major ISPs don't bother with blacklists, or only use a very small, tightly controlled list.
Botnets render the whole blacklist concept moot anyway. Botnets are the estimated hundreds of thousands of user machines that are infected with what amounts to a virus. That virus is really a remote-controlled program that can send mail. A machine infected with this type of virus becomes a "zombie", or a bot in a huge network of bots that are at the beck and call of a spammer.
When a spammer sends out an instruction to all these machines to send spam, the email that results looks like it came from that machine. That machine, aside from being infected with this virus, has no relationship to the spammer. Email might be traced back to the machine, but it'll be some innocent victim who failed to keep his or her anti-virus up to date. That's as far as you can get.
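As an added illustration (not part of the original article), this is how the email trail is followed in practice: each mail server prepends a `Received` header, so only the hops written by servers you trust are reliable, and the address they recorded is what a blacklist lookup is built from. The sample message, hostnames and the `dnsbl.example` zone are constructed for the example.

```python
import email
import ipaddress
import re

# Constructed sample: documentation-range IPs and invented hostnames.
RAW = """\
Received: from edge.example.org (edge.example.org [198.51.100.7])
    by inbox.example.org with ESMTP id A1; Tue, 5 Jun 2007 10:00:03 -0700
Received: from dsl-host.example.com (unknown [203.0.113.45])
    by edge.example.org with SMTP id B2; Tue, 5 Jun 2007 10:00:01 -0700
Received: from bank.example (bank.example [192.0.2.1])
    by dsl-host.example.com; Tue, 5 Jun 2007 09:59:59 -0700
From: "Your Bank" <security@bank.example>
Subject: Verify your account

Click here.
"""

# "from <helo> (<rdns> [<peer ip>]) by <recording server>"
HOP = re.compile(
    r"from\s+(\S+)\s+\([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)", re.S)

def verifiable_origin(raw, trusted):
    """Walk Received headers newest-first and return the peer IP recorded by
    the last hop that one of our own (trusted) servers wrote. Anything older
    was supplied by the sending machine and may be forged."""
    origin = None
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m or m.group(3).rstrip(";").lower() not in trusted:
            break  # first header not written by us: stop trusting the trail
        origin = ipaddress.ip_address(m.group(2))
    return origin

def dnsbl_query_name(ip, zone):
    """Blacklists are typically queried over DNS: the address is reversed
    (octets for IPv4, nibbles for IPv6) and prefixed to the list's zone."""
    return ip.reverse_pointer.rsplit(".", 2)[0] + "." + zone

if __name__ == "__main__":
    mine = {"inbox.example.org", "edge.example.org"}  # assumed own servers
    ip = verifiable_origin(RAW, mine)
    print(ip, dnsbl_query_name(ip, "dnsbl.example"))
```

Here the furthest reliable point is 203.0.113.45, the machine that connected to the trusted edge server; the older `bank.example` header was supplied by the sender and proves nothing. With a botnet, that address belongs to the infected victim, which is where the trail ends.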
Follow the Money Trail
When someone purchases through spam, there's a transaction of money involved. Theoretically you could follow the money and eventually arrive at the person who's responsible for the spam.
The problem here is mostly that the companies doing the spamming are not the same as the companies doing the selling. So while you might be able to go after the so-called on-line pharmacy, they technically haven't done anything wrong. Their "advertising company" (typically a shady one) may have resorted to spam, but the company directly benefiting from the spam can claim they had no idea and that it was out of their control.
There are periodic moves to increase that liability, but there are unfortunate ramifications for that kind of "pass through" liability that can also adversely affect legitimate businesses if not enacted properly.
Who has Jurisdiction?
One of the biggest obstacles to tracking down spammers, phishers, and scammers is that they're most often not even in the same country as you are. For example while I live in the United States, much of the spam I get traces, either via the email trail or the money trail, to locations overseas. The U.S. government can't do much about that other than request that the authorities in those other countries crack down. But spammers and scammers quickly determine which countries are the least likely to follow through on that, and that's where they'll base their operations from.
Even within the United States things often get complicated with cases of fraud; how it's handled and by whom depends on whether the event crossed state lines.
But consider the infamous Nigerian scam that's been around for ages. I'm sure that the government of Nigeria is well aware of the issue. And perhaps they even help on occasion. But ultimately I have to believe that they have other priorities that they consider much more important than people in other countries getting scammed. They may well see it as our problem for not being more educated and falling for these things in the first place.
And whether we agree or disagree with 'em, it's really not our place to set another country's priorities. (Political comments on this article will not be accepted, it's too big a can of worms. Whether we do or don't, should or shouldn't, we rarely have control over another country's spam and scam law enforcement.)
Who has Expertise?
Depending on your jurisdiction, the law enforcement agencies who would be responsible for tracking down spams and scams may simply not have the technical expertise to use the technology to track down these crooks. While we may hope that many of law enforcement's brightest are on the case, the fact is that if there are individuals capable of this kind of computer forensics you might well find them working on other more focused and concrete cases.
And if they don't have the expertise, they may not have the means or budget to hire it. Much like the third world countries we so often blame for spam, even within our own country the resources available for this task may simply not exist.
Who has Time?
In that same vein, any law enforcement operation simply must prioritize. To grossly oversimplify, if the choice comes down to catching a murderer or catching a spammer, you can guess where the emphasis will be put. Agencies are overwhelmed with the tasks they must already be responsible for. Coming to them with "what are you doing about spam?" isn't going to get much of a response, even if they do have the technical expertise to even understand the ramifications of the complaint.
So is all hope lost?
You might think so. And in fact many people now appear to accept spam, phishing and assorted scams as annoying but an inevitable cost of life on the internet.
But I believe that there's hope.
I'm a strong believer in education. Spam works because people buy from spammers. The more people that understand that and stop it, the less lucrative spamming will be. Phishing works because people don't understand it and don't take appropriate precautions. The more people that understand that the less lucrative phishing will become.
I'm also a big believer in technological solutions. There are ways to alter the email system to stop spam. The problem is political more than technical, and requires getting a lot of people to agree on and then implement a solution. I have hope. It'll take a long time, but I have hope.
I'm also hopeful that law enforcement will be able to make some strategic progress. Even today, as this article is written, there's a current news story about a so-called "king of spam" being arrested. This is a case of an individual being a big enough problem to warrant the authorities' attention, who then used a combination of the tracking techniques above and others to finally get their man.