Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why can't we catch spammers and phishers?


Can you explain why the authorities of law and order are unable
to find and stop the phishing crooks? Surely there must be an
address that can finally be tracked back to them? Or by
“responding” to them and following the steps of the reply to see
where it finally ends up?

I can feel your frustration. Seems like with all this technology we
should be able to do something about the spammers and scammers of the
world, right?

Apparently it’s not that easy.

I certainly won’t claim to have the answer as to why it’s so
difficult, but I can certainly throw out some ideas.

Become a Patron of Ask Leo! and go ad-free!

Remember first that spamming (and phishing) are so prevalent because they
work. Enough people buy from spammers and fall prey to phishers that it’s
worth their time and effort to blast the planet with their garbage.

So, why can’t we stop them?

Follow the Email Trail

Your idea is a good one, in concept. In theory one should be
able to back-track email to where it came from and then prosecute, or at
least block, that source.

And, in fact, the blocking part of that is done quite frequently. There
are already “black lists” of IP addresses which have been known to send
spam. Email providers can sign up to use those black list to reject any
or all email that originates from those servers.

There are two problems: false positives, and bot nets.

These blacklists are usually managed by volunteers, and often folks we
might consider vigilantes. As a result the process to get on the
list is easy: look like a spammer. The process to get off such a
list is often non-existent. So if a spammer stops using a given IP
address because it’s been blacklisted, and that IP address is then
assigned to someone else – someone legitimate – they may “inherit” being on
that blacklist. And there’s nothing that they can do about it.

This happens so often that most major ISPs don’t bother with blacklists,
or only use a very small, tightly controlled list.

Botnets render the whole blacklist concept moot anyway. Botnets are the
estimated hundreds of thousands of user machines that are infected with
what amounts to a virus. That virus is really a remote-controlled program
that can send mail. A machine infected with this type of virus becomes a
zombie”, or a bot in a huge network of bots that are at the beck and call
of a spammer.

When a spammer sends out an instruction to all these machines to send
spam, the email that results looks like it came from that machine. That
machine, aside from being infected with this virus, has no
relationship to the spammer. Email might be traced back to the machine,
but it’ll be some innocent victim who failed to keep his or her
anti-virus up to date. That’s as far as you can get.

Follow the Money Trail

When someone purchases through spam, there’s a transaction of money
involved. Theoretically you could follow the money and eventually arrive
at the person who’s responsible for the spam.

The problem here is mostly that the companies doing the spamming are not
the same as the companies doing the selling. So while you might be able
to go after the so called on-line pharmacy, they technically haven’t done
anything wrong. Their “advertising company” (typically a shady one) may
have resorted to spam, but the company directly benefiting from the spam
can claim the had no idea and that it was out of their control.

There are periodic moves to increase that liability, but there are
unfortunate ramifications for that kind of “pass through” liability that
can also adversely affect legitimate businesses if not enacted properly.

“… many people now appear to accept spam, phishing and assorted scams
as annoying but an inevitable cost of life on the internet.”

Who has Jurisdiction?

One of the biggest obstacles to tracking down spammers, phishers, and
scammers is that they’re most often not even in the same country as you
are. For example while I live in the United States, much of the spam I
get traces, either via the email trail or the money trail, to locations
overseas. The U.S. government can’t do much about that other than
request that the authorities in those other countries crack down. But
spammers and scammers quickly determine which countries are the least
likely to follow through on that, and that’s where they’ll base their
operations from.

Even within the United States things often get complicated with cases of
fraud; how it’s handled and by whom depends on whether the event crossed
state lines.

But consider the infamous Nigerian scam that’s been around for ages. I’m
sure that the government of Nigeria is well aware of the issue. And
perhaps they even help on occasion. But ultimately I have to believe that
they have other priorities that they consider much more important than
people in other countries getting scammed. They may well see it as
our problem for not being more educated and falling for these
things in the first place.

And whether we agree or disagree with ’em, it’s really not our place to
set another countries priorities. (Political comments on this article
will not be accepted, it’s too big a can of worms. Whether we do or
don’t, should or shouldn’t, we rarely have control over another country’s
spam and scam law enforcement.)

Who has Expertise?

Depending on your jurisdiction, the law enforcement agencies who would be
responsible for tracking down spams and scams may simply not have the
technical expertise to use the technology to track down these crooks.
While we may hope that many of law enforcement’s brightest are on the
case, the fact is that if there are individuals capable of this kind of
computer forensics you might well find them working on other more
focused and concrete cases.

And if they don’t have the expertise, they may not have the means or
budget to hire it. Much like the third world countries we so often blame
for spam, even within our own country the resources available for this
task may simply not exist.

Who has Time?

In that same vein, any law enforcement operation simply must prioritize.
To grossly oversimplify, if the choice comes down to catching a murderer
or catching a spammer, you can guess where the emphasis will be put.
Agencies are overwhelmed with the tasks they must already be responsible
for. Coming to them with “what are you doing about spam?” isn’t going to
get much of a response, even if they do have the technical expertise to
even understand the ramifications of the complaint.

So is all hope lost?

You might think so. And in fact many people now appear to accept spam,
phishing and assorted scams as annoying but an inevitable cost of life on
the internet.

But I believe that there’s hope.

I’m a strong believer in education. Spam works because people buy from
spammers. The more people that understand that and stop it, the less
lucrative spamming will be. Phishing works because people don’t
understand it and don’t take appropriate precautions. The more people
that understand that the less lucrative phishing will become.

I’m also a big believer in technological solutions. There are ways to
alter the email system to stop spam. The problem is political more than
technical, and requires getting a lot of people to agree on and them
implement a solution. I have hope. It’ll take a long time, but I have

I’m also hopeful that law enforcement will be able to make some strategic
progress. Even today, as this article is written, there’s a current news
story about a so called “king of
spam” being arrested
. This is a case of an individual being a big
enough problem to warrent the authorities attention, who then used a
combination of the tracking techniques above and others to finally get
their man.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “Why can't we catch spammers and phishers?”

  1. They even have spamming in online video games now. In World Of Warcraft there is a spam message every 10 minutes asking you to buy stuff. ON A VIDEO GAME. Its getting out of hand

  2. I am frustrated by this too. I also find that somehow these spammers are getting all of my sub-email accounts. I had 162 messages the other day to a sub account I don’t even give out. How do they get all my sub accounts? Do you know? Txs

  3. Leo, this issue will never go away because the majority of users simply will not protect themselves properly. I open anything and everything at home and I don’t get spam or viruses. They are blocked. Period. Am I luck? No! Does it take a little effort to run and maintain 2 or 3 programs to achieve this? Yep! But I don’t spend any of my time whining and grieving over spam and viruses. At work where the fine IT department doesn’t share my ethic we have lots of spam. The people who are waiting for “someone” to fix the ills of the world have a really long wait.

  4. Thanx Leo and thank you Mr Newman, but may I say to all you guys who read good old Leo – not to forget you email husbandry…
    Keeping a clean house is what it’s all about…
    Do not buy from or through spammers…
    Send the spammers mail (usually unkown to you with an odd subject title) to your ISP’s spam box, and they will prevent it being sent out to anyone else…
    Watch your email and who you give/send it too…!
    but, I think above all, do not reply or send on those damn emails that appear to come from friends warning you about a virus, like “Invitation” for example and the Olympic torch or those other silly presentations with lovely scenes and warbling birds etc…
    These are sent out originally by the spammers and are tracked by them to harvest email addresses…
    So there you are receiving a mail that someone thinks you should get, with 20 or more email addresses on from your mate, and a further 20 or more email addresses from their previous mate and so-on…
    God, the spammers luv you…
    Nope! Straight into the bin and tell your friend kindly not to send’em any more…
    And if a few more thousand people do that then the spammers source goes right out of the window…
    Ha! out of the windows, ha! it’s the way I tell ’em…!
    anyway, you know what I mean – please don’t send them on…



Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.