US computer scientists today published research that reveals "striking differences" between the infrastructure used to distribute spam and the infrastructure used to host the online scams advertised in these unwanted email messages.

The boffins from University of California, San Diego (UCSD) Jacobs School of Engineering reported that, while hundreds or thousands of compromised computers may be used to relay spam to users, most scams are hosted by individual web servers.

The computer scientists studied a spam feed over the course of a week. They analysed spam-advertised web servers hosting online scams that either offer merchandise and services (including pharmaceuticals, luxury watches, mortgages) or use malicious means to defraud users (including phishing, spyware, rootkits). The researchers followed the URLs embedded in spam back to the hosting servers, probed the servers and analysed the web pages advertised in the spam.

Based on the analysis of over one million spam emails, 94 per cent of the scams advertised via embedded links are hosted on individual web servers, according to new peer-reviewed research to be presented at the USENIX Security 2007 conference in Boston on August 09, 2007.

“A given spam campaign may use thousands of mail relay agents to deliver its millions of messages, but only use a single server to handle requests from recipients who respond. A single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign,” wrote the UCSD computer scientists.

“The availability of scam infrastructure is critical to spam profitability. Our findings suggest that the current scam infrastructure is particularly vulnerable to common blocking techniques such as blacklisting,” said Geoff Voelker, a computer science and engineering professor at the UCSD Jacobs School involved in the study.

The computer scientists recorded the server locations and captured screenshots of the spam URL destination web pages. From these screen shots, they grouped the scams using a technique called “image shingling”.

This approach matches visually similar web pages based upon images rendered in a web browser rather than on HTML source, URL text, or spam email contents. Image shingling enables spamscatter to foil common scammer techniques for avoiding detection in which, for example, the scammers compose their websites entirely with images.

Using this approach, the computer scientists identified scams across servers and domains and reported on distributed and shared infrastructure, lifetime, stability, and location.

By clustering the web pages that were visually equivalent and integrating this information into the other data collected from the spam feed, the computer scientists determined that about 94 per cent of the scams advertised in spam emails with embedded URLs were hosted only a single web server.

Of the six per cent of scam servers that were distributed across multiple servers, a few used more than 10 IP addresses, and one scam used 45 servers.

“Scams might use multiple hosts for fault-tolerance, for resilience in anticipation of administrative takedown or blacklisting, for geographic distribution, or even for load balancing,” the authors wrote, noting that most scammers are not currently taking this precaution.