Can you explain why the authorities of law and order are unable
to find and stop the phishing crooks? Surely there must be an
address that can finally be tracked back to them? Or by
“responding” to them and following the steps of the reply to see
where it finally ends up?
I can feel your frustration. Seems like with all this technology we
should be able to do something about the spammers and scammers of the
Apparently it’s not that easy.
I certainly won’t claim to have the answer as to why it’s so
difficult, but I can certainly throw out some ideas.
Remember first that spamming (and phishing) are so prevalent because they
work. Enough people buy from spammers and fall prey to phishers that it’s
worth their time and effort to blast the planet with their garbage.
So, why can’t we stop them?
Follow the Email Trail
Your idea is a good one, in concept. In theory one should be
able to back-track email to where it came from and then prosecute, or at
least block, that source.
And, in fact, the blocking part of that is done quite frequently. There
are already “black lists” of IP addresses which have been known to send
spam. Email providers can sign up to use those black lists to reject any
or all email that originates from those servers.
There are two problems: false positives, and bot nets.
These blacklists are usually managed by volunteers, and often folks we
might consider vigilantes. As a result the process to get on the
list is easy: look like a spammer. The process to get off such a
list is often non-existent. So if a spammer stops using a given IP
address because it’s been blacklisted, and that IP address is then
assigned to someone else – someone legitimate – they may “inherit” being on
that blacklist. And there’s nothing that they can do about it.
This happens so often that most major ISPs don’t bother with blacklists,
or only use a very small, tightly controlled list.
Botnets render the whole blacklist concept moot anyway. Botnets are the
estimated hundreds of thousands of user machines that are infected with
what amounts to a virus. That virus is really a remote-controlled program
that can send mail. A machine infected with this type of virus becomes a
“zombie”, or a bot in a huge network of bots that are at the beck and call
of a spammer.
When a spammer sends out an instruction to all these machines to send
spam, the email that results looks like it came from that machine. That
machine, aside from being infected with this virus, has no
relationship to the spammer. Email might be traced back to the machine,
but it’ll be some innocent victim who failed to keep his or her
anti-virus up to date. That’s as far as you can get.
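What following the email trail looks like in practice, as an added example that is not part of the original article: it reads a message's `Received` headers from the newest hop down, stops at the first address outside the recipient's own network, and builds the DNS name under which an IP black list would be queried for that address. The message, the hostnames, the internal range 10.0.0.0/8 and the list zone `dnsbl.example` are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message (not real traffic); the public-looking
# addresses are taken from the reserved documentation ranges.
RAW = """\
Received: from mx.recipient.example (10.0.0.5) by mailstore.recipient.example; Mon, 1 Jan 2024 10:00:03 +0000
Received: from dsl-host.isp.example (dsl-host.isp.example [203.0.113.45]) by mx.recipient.example; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.bank.example ([198.51.100.7]) by dsl-host.isp.example; Mon, 1 Jan 2024 09:59:58 +0000
From: "Your Bank" <security@bank.example>
Subject: Verify your account

Click here.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumption: the recipient's own mail servers all live in this range.
OUR_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def handoff_ip(raw_message):
    """Return the address our own border server saw connecting, or None."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):   # newest hop comes first
        from_part = header.split(" by ", 1)[0]   # the "from ..." clause only
        match = IP_RE.search(from_part)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in OUR_NETWORKS):
            # First outside address: this line was written by our server.
            # Every Received line below it was supplied by the sending
            # machine and cannot be verified.
            return ip
    return None


def dnsbl_query_name(ip, zone):
    """IP black lists are looked up over DNS: reversed octets + list zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    source = handoff_ip(RAW)
    print(source, "->", dnsbl_query_name(source, "dnsbl.example"))
```

In this sample the trail ends at 203.0.113.45, a home DSL connection, while the `mail.bank.example` line beneath it is only what the sending machine claimed about itself.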
Follow the Money Trail
When someone purchases through spam, there’s a transaction of money
involved. Theoretically you could follow the money and eventually arrive
at the person who’s responsible for the spam.
The problem here is mostly that the companies doing the spamming are not
the same as the companies doing the selling. So while you might be able
to go after the so-called on-line pharmacy, they technically haven’t done
anything wrong. Their “advertising company” (typically a shady one) may
have resorted to spam, but the company directly benefiting from the spam
can claim they had no idea and that it was out of their control.
There are periodic moves to increase that liability, but there are
unfortunate ramifications for that kind of “pass through” liability that
can also adversely affect legitimate businesses if not enacted properly.
Who has Jurisdiction?
One of the biggest obstacles to tracking down spammers, phishers, and
scammers is that they’re most often not even in the same country as you
are. For example while I live in the United States, much of the spam I
get traces, either via the email trail or the money trail, to locations
overseas. The U.S. government can’t do much about that other than
request that the authorities in those other countries crack down. But
spammers and scammers quickly determine which countries are the least
likely to follow through on that, and that’s where they’ll base their
Even within the United States things often get complicated with cases of
fraud; how it’s handled and by whom depends on whether the event crossed
But consider the infamous Nigerian scam that’s been around for ages. I’m
sure that the government of Nigeria is well aware of the issue. And
perhaps they even help on occasion. But ultimately I have to believe that
they have other priorities that they consider much more important than
people in other countries getting scammed. They may well see it as
our problem for not being more educated and falling for these
things in the first place.
And whether we agree or disagree with ’em, it’s really not our place to
set another country’s priorities. (Political comments on this article
will not be accepted, it’s too big a can of worms. Whether we do or
don’t, should or shouldn’t, we rarely have control over another country’s
spam and scam law enforcement.)
Who has Expertise?
Depending on your jurisdiction, the law enforcement agencies who would be
responsible for tracking down spams and scams may simply not have the
technical expertise to use the technology to track down these crooks.
While we may hope that many of law enforcement’s brightest are on the
case, the fact is that if there are individuals capable of this kind of
computer forensics you might well find them working on other more
focused and concrete cases.
And if they don’t have the expertise, they may not have the means or
budget to hire it. Much like the third world countries we so often blame
for spam, even within our own country the resources available for this
task may simply not exist.
Who has Time?
In that same vein, any law enforcement operation simply must prioritize.
To grossly oversimplify, if the choice comes down to catching a murderer
or catching a spammer, you can guess where the emphasis will be put.
Agencies are overwhelmed with the tasks they must already be responsible
for. Coming to them with “what are you doing about spam?” isn’t going to
get much of a response, even if they do have the technical expertise to
even understand the ramifications of the complaint.
So is all hope lost?
You might think so. And in fact many people now appear to accept spam,
phishing and assorted scams as annoying but an inevitable cost of life on
the internet.
But I believe that there’s hope.
I’m a strong believer in education. Spam works because people buy from
spammers. The more people that understand that and stop it, the less
lucrative spamming will be. Phishing works because people don’t
understand it and don’t take appropriate precautions. The more people
that understand that the less lucrative phishing will become.
I’m also a big believer in technological solutions. There are ways to
alter the email system to stop spam. The problem is political more than
technical, and requires getting a lot of people to agree on and then
implement a solution. I have hope. It’ll take a long time, but I have
I’m also hopeful that law enforcement will be able to make some strategic
progress. Even today, as this article is written, there’s a current news
story about a so-called “king of
spam” being arrested. This is a case of an individual being a big
enough problem to warrant the authorities’ attention, who then used a
combination of the tracking techniques above and others to finally get