...did it take them so long to work this out! A chain is only as strong as its weakest link!
Why did it take so long?
Because of the consequences - if you use this technique to block spam it's then a very small step to say "we can block child porn by making Visa, Mastercard and Amex" liable for taking the payments.
Simple. And probably effective. But US politicians get money from these three and since money means re-election and re-election is more important to them than stopping child porn etc etc.
This is already being done on a regular basis
The relevant framework has already been put in place to deal with "unfair competition" to local gambling by offshore companies. It has been used exactly for what you describe and the expansion on what it is being used for will only increase over time.
Frankly, using it to fight SPAM is probably a good thing.
Let's face it - there is no anonymity from the moment any electronic payment is involved. It is traceable regardless through how many intermediaries it goes through.
Reduce spam in three steps.
1) Follow the money.
2) SEAL team 6
3) NO PROFIT! (for the spammers).
You can then add the following steps:
4) Release video from step #2 as Pay Per View.
Seriously: follow the money. Pressure the folks moving the money to stop. If they don't, find where the money leaves your country, and bring pressure to bear there (e.g. US identifies that US company FOO is handing the money to Elbonian company BAR - US says to FOO "You will stop yourself, or we will stop you.")
Likewise, follow the packets to the "bullet proof" hosts. Identify their local peering host, apply pressure. (e.g. "OK AT&T, you are the US peering point for Elbonian Bullet Proof Hosting, LLC. You stop the spam from flowing through you, OR we stop it for you.")
Find the politicians who get 'contributions' from US peering point hosts and tell them: 'You vote for these peering point take-down measures or we will, er, ........' Oh :(
Don't need to tell the politicians anything.
Just tell the American people who the execs are that allow this sort of thing, and we'll find out just how "bullet proof" they really are.
Stopping spam in two less easy steps
1. All mail client producers (including webmail outfits) must update their software to REJECT HTML/rich email. Let's be honest, nobody really needs to be able to send email in fluffy pink comic sans. This almost completely neuters phishing (sure, you can try the old http://firstname.lastname@example.org trick, but it's a lot harder to dupe people when you can't hide behind <a> tags). This also makes it harder for image spammers (popular with the pharmaspam crowd) to get their image looked at.
2. Encourage the widespread use of public key crypto. Educate people to use it. have all mail clients refuse to accept mail that hasn't been both encrypted AND signed. MUA providers should have their tools mark mail signed by a key that is not in your WoT as untrusted so that the user gets a visual cue to approach with caution. When you sign up for a service, you should receive their public key and they should be able to receive yours (either by direct submission from you, or from a public keyserver). This would freeze spammers out by making it less likely that their mail would ever get read. This might even get rid of those annoying boilerplates about "misdelivered email" -- if it's been encrypted with YOUR public key, then it stands to reason that YOU are the intended recipient, right?
Okay, so there might still be some spam, but it's unlikely to be profitable and should be much more manageable (unless the spammers find new ways to be sneaky).
If you want some extra homework, consider deeper architectural changes to how email works, such as DJB's IM2000.
Do you have email addresses for these payment processors so I can tell my spam trap to redirect everything to them?
These "researches" must be really stupid to think credit card companies will ban these processors. They make millions from fees.
In almost all jurisdictions, there is a crime of knowingly assisting someone in a criminal enterprise. Its called Aiding and Abetting in mine.
Mostly, they use the excuse that that they didnt know. However, if they *do* find out, they generally turn off the taps immediately, because if they didnt, it would leave them open to charges of money laundering. Which generally results in executive prison time.
& thats where the governments (ok probably only the Danish out of the 3 countries mentioned) & the court of public opinion come into play.
If a bank knows that its going to be seen as being a safe haven for processing fraudulent transactions, it knows its likely to lose local customers who will see it as being at risk of being shut down or penalised by the local authorities, then its going to change its behaviour. Well the Danish one anyway (and maybe the Nevis one, not sure).
The Azerbijiani one is probably not going to change its behaviour based on public opinion but if western authorities know which bank it is, it would not be very difficult for countries to place bans on transactions with that particular bank, if it continues to accept payments. If the US where to place a blanket ban on American banks making transactions with the Azerbijiani bank then that shuts that avenue and also shuts down a large swathe of that banks income. Probably will just see the spammers change to some other dodgy bank but if the ban remains even after the spammers have left, the continuous hit to profits will make banks more wary of accepting these transactions in the first place...
The article really needs to name and shame the banks involved... If only so our danish friends can no which bank to change their business away from....
90% of email messages were spam last year and only 75% this year - that's a huge improvement. Stating the figures that way does a disservice really; 90% means that for every useful message sent there were 9 spams. If just 75% of email sent is spam now, that equates to only 3 spams per useful message. Are we really only getting a third of the spam we did last year ?
Ripley had it right...
Nuke 'em from orbit. It's the only way to be sure.
The title is required, and must contain letters and/or digits.
This approach has been so bloody obvious for so bloody long that there has to be at least one, probably many, nefarious reasons why it hasn't been done in the past and why it will continue to be hasn't being done in the future.
"Its called Aiding and Abetting"
And if law enforcement requests information about the account holder through the proper channels and the credit card processor declines to provide whatever information it has, then that would also presumably constitute "aiding and abetting". You can aid and abet by witholding information as well as by providing a service.
Shutting the account down isn't the goal, catching the criminals is. Shutting the accounts down would only mean they set up a new account with different details.
But co-operation probably depends whether these credit card processors also serve legitimate businesses as well as the spammers. If they're set up mainly for processing dubious transactions, I suspect they will try very hard to pretend not to know who their customers are.
Credit card companies aren't much better than the spammers!
In the UK, the majority of banks and financial organisations couldn't give a toss about complying with one's legal right not to have their personal data processed for direct marketing. They believe that they have a God-given right to promote their products to their customers so they're no better than spammers.
Secion 11 (DPA98) the bastards I say! But only if they're a genuine company and only if they're UK-based.