Mark Wade wrote a firsthand account on tracking a purchase that was originally solicited from a SPAM email.
There are a couple of points where the article is vague on technical details, but I’m probably not the intended audience. I found the article to be informative, but it also left me with more questions.
First, I wanted more details on the domain registrations that were encountered along the way. Are the domains still active, or are they on administrative hold? I’m wondering if spammers pay for domains with stolen credit cards, knowing they may only have a couple of days to use them; or if they keep a cache of domains that they cycle through, and just move the site contents from domain to domain.
Second, the article mentions that somewhere along the chain of purchasing his item an SSL certificate was encountered. A trusted SSL certificate is going to be a little harder for a spammer to get compared to a domain name. Remember, the whole point of SSL certificates is to make Internet commerce safe, and to give consumers confidence with a system of verifiable trust. Unless the cert is free, payment for a certificate is up front, and the certificate itself should have accurate owner information. The author never mentions who the signing authority was, nor does he mention whether or not there were any signing errors.
Third, he mentions a tracking log of the package, but does not reveal which shipping company it was. Since the package never arrived, I’m left wondering whether the entire log was a fake. Usually, a shipping company cannot provide tracking information for a package that goes through other shippers. For example, a tracking number for something shipped via Canada Post isn’t too helpful once the parcel is handed off to the US Postal System for its final delivery. The log shown in the article mentions multiple hops in China, and multiple hops in Virginia. Was the comment about the package being lost in the USPS a real loss by the post office, or sarcastic wit?
Compromising hosts to send spam is pretty easy, but setting up an actual commerce website to handle transactions risks more exposure. If a spammer really wants to make money this way, there has to be a path leading from the victim to the criminal.
At the same time, there are other companies involved in the purchasing process that create more leads: domain registrars, web hosting providers, certificate providers, shippers, and credit card processors. As a consumer, it would be more interesting to me to know which of these vendors have more extensive track records of dealing with spammers. Are these companies being duped, or are they more swayed by easy money than by building consumer confidence?
The original title of Mr. Wade’s article was “Following the SPAM”, and in that regard he seems to have done a good job. As a follow-up, I would recommend a more detailed investigation, and to repeat the advice once given to Woodward and Bernstein: “Follow The Money.”