Researchers believe they have found a way to cripple the spam ecosystem and reduce the incentive for spammers to send out high volumes of unsolicited email in search of high economic returns.
In a paper delivered at the USENIX Security 2007 conference in Boston, researchers at the University of California, San Diego (UCSD) said that while spammers use vastly powerful, distributed delivery networks to pump out junk email, it's quite another story for the internet scams that form the real heart of the spam mechanism.
These scams, for example selling pharmaceutical products over a website, are typically hosted on a single website, the researchers found. What's more, a single site might host several scams and might also act as a spam relay.
"The engine that drives this arms race is not spam itself - which is simply a means to an end - but the various money-making 'scams' (legal or illegal) that extract value from internet users," said the report, which was authored by David Anderson, Chris Fleizach, Stefan Savage and Geoffrey Voelker of UCSD's Collaborative Center for Internet Epidemiology and Defenses.
Spam might seem ever-present - it makes up more than 80 percent of all email, according to some estimates - but in fact junk email is organised into particular campaigns, the study found.
A given campaign tends to begin with just a day or two of heavy spamming, but the ads point to a scam-hosting site that tends to be online for at least a week, the researchers said.
"The availability of scam infrastructure is critical to spam profitability - a single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign," the report said.
The researchers used a UCSD-developed technique called 'spamscatter' to analyse emails and follow links to their eventual destination server, including any redirection mechanisms put in place.
"The underlying principle is that each scam is, by necessity, identified in the link structure of associated spams," the report said.
The researchers were able to identify individual scams by clustering scam servers whose rendered web pages are graphically similar, using a technique they called 'image shingling'.
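A minimal sketch of that clustering idea, added here as an illustration and not taken from the UCSD paper or its tooling: each rendered page is cut into fixed-size tiles, each tile is hashed, and hosts whose pages share enough tile hashes are grouped as one scam. The tile size, threshold, Jaccard measure, host names and synthetic "screenshots" are all assumptions.

```python
import hashlib

TILE = 4         # assumed tile edge in pixels; the article gives no parameters
THRESHOLD = 0.5  # assumed minimum overlap for "graphically similar"

def shingles(image, tile=TILE):
    """Cut a grayscale screenshot (rows of 0-255 ints) into tiles; hash each tile."""
    found = set()
    for y in range(0, len(image) - tile + 1, tile):
        for x in range(0, len(image[0]) - tile + 1, tile):
            block = bytes(image[y + dy][x + dx]
                          for dy in range(tile) for dx in range(tile))
            found.add(hashlib.sha256(block).hexdigest())
    return found

def similarity(a, b):
    """Jaccard overlap of two shingle sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster(screenshots, threshold=THRESHOLD):
    """Single-linkage grouping of hosts whose rendered pages share enough tiles."""
    hosts = sorted(screenshots)
    sets = {h: shingles(screenshots[h]) for h in hosts}
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h

    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if similarity(sets[a], sets[b]) >= threshold:
                parent[find(b)] = find(a)
    groups = {}
    for h in hosts:
        groups.setdefault(find(h), []).append(h)
    return sorted(groups.values())

# Constructed sample data: synthetic 16x16 "screenshots", not real captures.
def make_page(seed, size=16):
    return [[(seed + 7 * x + 13 * y) % 256 for x in range(size)] for y in range(size)]

PAGE_A = make_page(0)
# Same storefront on a second host, with only the top banner strip different.
PAGE_A_MIRROR = [[255 - v for v in row] for row in PAGE_A[:4]] + PAGE_A[4:]
PAGE_B = make_page(101)  # unrelated page
SAMPLE = {"host-a.example": PAGE_A, "host-b.example": PAGE_A_MIRROR,
          "host-c.example": PAGE_B}
```

Because only tile hashes are compared, two hosts serving the same storefront group together even when the URLs and surrounding HTML differ, which is what lets a cluster be mapped back to a small set of servers.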
Using a real-time spam feed of about 150,000 emails per day, the study identified more than 2,000 distinct scams hosted across more than 7,000 distinct servers.
While spam servers are widely diffused, scam servers tended to be based in the US, the study found.
Since scams and spam are of necessity linked together, the results suggested that spam might be combated by attacking its economic lifeblood.
"Individual machines are commonly used to host multiple scams, and occasionally serve as spam relays as well," the study said. "This practice provides a potentially convenient single point for network-based interdiction either via IP blacklisting or network filtering."