Click Trajectories: End-to-End Analysis of the Spam Value Chain

Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Tristan Halvorson, Chris Kanich, He Liu, Damon McCoy, Geoffrey M. Voelker, Stefan Savage
Dept. of CSEE, University of California, San Diego
M. Felegyhazi
Budapest University of Technology and Economics
Chris Grier
Dept. of CSEE, University of California, Berkeley
Christian Kreibich, Nicholas Weaver, Vern Paxson
International Computer Science Institute, Berkeley, CA
Presented by Xinruo Zhang
04/04/2012
Outline
• Introduction
• Implementation
• Analysis for a particular example
• Data collection method
• Contribution
• Weakness & improvement

Introduction

Spam-based advertising, to us
◦ We think of it merely as junk that jams the inbox

To the spammer
◦ They think of it as a multi-million business

Spam value chain (aka spam ecosystem)
◦ Botnet, domain, name server, web server, hosting or proxy service acquired
Introduction (cont’d)

Three categories of spam-advertised products
◦ Illegal pharmaceuticals, replica luxury goods and counterfeit software
◦ Nearly 95% of spam-advertised emails contain these three popular products
Implementation

How does modern spam work?
◦ Advertising, Click Support and Realization

Advertising
◦ Includes all activities focused on attracting potential customers to pay attention to what the spammers want to sell
◦ The most evolved part of the spam ecosystem, particularly the delivery of email spam
Implementation

Click Support
◦ In this stage, having delivered their advertisement, the spammer does their best to entice the receiver into clicking an embedded URL.
◦ Redirection sites, domains, name servers, web servers, and affiliate programs
Implementation

Click Support
◦ Redirection sites: redirect to additional URLs. They are used because spammers who directly advertise a URL embedded in an email encounter various defensive measures that interfere with their activities.
Implementation

Click Support
◦ Domain: typically, a spammer may purchase domains directly from a registrar; in real life, however, they frequently purchase from a reseller.
◦ Name server: any registered domain must in turn have supporting name server infrastructure. Spammers obtain this infrastructure either by themselves or from a third party.
Implementation

Click Support
◦ Stores and affiliate programs
  • Today spammers work as affiliates of an online store and earn a commission
  • The affiliate program provides all the techniques and materials
  • Furthermore, affiliate programs even take responsibility for payment and fulfillment services
Implementation

Realization
◦ Having brought the customer to an advertised site, the seller realizes the latent value by acquiring the customer's payment
◦ It contains two processes: payment service and fulfillment service
Implementation

Payment service
◦ Standard credit card payment
  • In order to get the most value
◦ Issuing bank
  • Customer's bank
◦ Acquiring bank
  • Merchant's bank
◦ Card association network
  • Visa or MasterCard
Implementation

Fulfillment
◦ Fulfill an order in return for the customer's payment
◦ Shipping issue
  • Suppliers offer a direct shipping service so the affiliate program can avoid warehousing
  • Virtual products can be obtained via Internet download
Practical Example
Data Collection Method
Contribution
• Previously, a solid understanding of the spam-based enterprise's full structure was lacking
• Most anti-spam interventions focus on only one facet of the overall spam value chain
• The authors present an analysis of the whole spam ecosystem, with a large-scale practical study

Weakness & Improvement

Lack of legal and ethical considerations
◦ One issue concerns the ethics of any implicit harm caused by criminal suppliers

Only one medium is covered: email spam
◦ Consider Twitter spam and other social network spam