[ISN] Spam wars play out across Internet

From: InfoSec News (isn@private)
Date: Mon Dec 15 2003 - 03:17:24 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.ajc.com/business/content/business/1203/14spammain.html
    
    By BILL HUSTED and ANN HARDIE 
    The Atlanta Journal-Constitution
    12/14/03 
    
    In the small Louisiana city of Slidell, Flo Fox feeds the hungry by 
    day but spams by night.
    
    The graying grandmother in a "What Would Jesus Do?" T-shirt proudly 
    recalls stretching two turkey carcasses into enough gumbo to feed 100 
    of the city's poor.
    
    To keep from joining their ranks, she spams. Fox lays out $1,000 a 
    month for the kind of high-speed Internet connection that businesses 
    and some small Internet service providers use.
    
    She harnesses that power all night using a couple of shopworn 
    computers in her home, spitting out millions of junk e-mails for 
    merchandise ranging from land in Belize to blessed coins.
    
    Fox doesn't own the stuff she sells, but gets paid to pitch it for 
    people who do. These days, she says, she barely gets by, but that's 
    better than nothing. "We're in the computer age," says Fox. "This lets 
    the little guy compete."
    
    In a Snellville bedroom, another grandmother fires up her computer. 
    Awaiting Ardie Brackett, 70, a small woman with big pink bifocals, are 
    114 e-mails. All but a handful are from folks she doesn't know and 
    doesn't want to hear from. Some want her to grow bigger breasts; 
    others offer to enlarge an organ she doesn't have. Some send lurid 
    images of sexual depravity.
    
    Brackett banishes her 8- and 10-year-old grandchildren -- whom she 
    watches after school -- to the living room while she deletes the 
    "yucky" stuff.
    
    Five hundred miles and worlds apart, these two forces of cybernature 
    work at cross-purposes -- Flo Fox churning out spam as fast as she 
    can, Ardie Brackett deleting it as quickly as her slim index finger 
    and mouse will move. The scene is being played out on countless 
    computers across the globe.
    
    More than half of all e-mail traffic this year is junk, experts say, 
    up from 8 percent just two years ago. That's 15 billion spam messages 
    crisscrossing the Internet daily, or 25 spam e-mails a day for every 
    person online in the world.
    
    Many of the 117 million Americans logged on are losing faith in 
    e-mail, which is hands down the Internet's most popular application. 
    More than half of e-mail users trust it less because of spam, while 
    one in four uses it less, according to a recent study by the Pew 
    Internet and American Life Project.
    
    Americans are doing their best against the rising torrent flooding 
    their in boxes. About three-fourths of e-mail users now avoid giving 
    out their addresses, the Pew study found. Most favor Brackett's means 
    of dealing with spam: the delete key. Some are resorting to old lines 
    of communication: the telephone and U.S. Postal Service.
    
    Yet the spam keeps coming. Its volume is growing 15 percent to 20 
    percent a month, limited only by the speed of computers and the 
    creativity of spammers, whose messages have evolved from ink toner ads 
    to dead-on impersonations of eBay and Best Buy designed to steal 
    credit card numbers. If something doesn't give, experts say, nine of 
    10 e-mails will be spam a year from now.
    
    "There is a very real threat that the e-mail function is going to rot 
    before our very eyes," says Nicholas Graham, a spokesman for America 
    Online, the country's largest Internet provider. AOL estimates that 80 
    percent of the mail coming into its network is spam. Like most 
    providers, AOL filters out most of the junk before it reaches 
    subscriber in boxes. But much spam still gets through.
    
    Plenty of people are trying to stop the deluge. Some efforts may be 
    making matters worse.
    
    Internet service providers, bombarded by spam on one side and angry 
    subscribers on the other, are spending hundreds of millions of dollars 
    to improve their spam-blocking technology. They are taking spammers to 
    court and even joining forces with their competitors to stop spam.
    
    Many private companies filter spam before it reaches employees' in 
    boxes, but the cost of doing that is enormous. U.S. businesses spend 
    an estimated $10 billion a year managing spam.
    
    Last week, the U.S. House of Representatives gave final approval to 
    anti-spam legislation that authorizes the creation of a "do not spam" 
    registry and imposes tough penalties for fraudulent e-mail. But some 
    consumer groups say the bill -- which President Bush is expected to 
    sign into law Tuesday -- will just give spammers a license to operate. 
    Regulating what spammers can't do legitimizes anything else, they 
    argue.
    
    For now the anti-spam forces are making the lives of many spammers 
    harder, putting some into bankruptcy, some behind bars. Three Arizona 
    spammers recently prosecuted for conning victims out of more than $75 
    million for organ enhancement pills are scheduled to be sentenced this 
    week.
    
    While a few spammers have made fortunes, industry experts say most, 
    like Fox, are small operators earning a modest income.
    
    Together they could drown e-mail.
    
    "Can e-mail be saved?" asked AOL's Graham. "The answer is yes. But 
    time is running out."
    
    
    Easy to start up
    
    Fox is one of the thousands of faces behind the countless junk 
    e-mails.
    
    She lives 30 miles from New Orleans in Slidell, a city of 26,000. 
    Shuttered stores fill a large outlet mall near I-10. For sale signs 
    have popped up in yards like mushrooms.
    
    Fox shares her small one-story house with her two grown children, a 
    young grandson, and her husband, Bruce Connelly.
    
    Inside, a big-screen TV blares cartoons and the 2-year-old is 
    everywhere. The walls are covered with paintings of Jesus, the Virgin 
    Mary and assorted saints. A devout Catholic, Fox works through her 
    church to feed the hungry and volunteers at a senior citizen center 
    once a week.
    
    But when the neighbors' windows are dark, the lights stay on until all 
    hours as Fox's computers invade millions of unsuspecting in boxes.
    
    A convergence of factors lies behind the spam boom of the past few 
    years. Computers have gotten faster and Internet access cheaper. 
    Anyone with a little technical know-how and $1,000 for a computer and 
    some e-mail addresses can become a spammer -- and with jobs hard to 
    come by, many do.
    
    Fox and Connelly began by hawking a religious newsletter for a client 
    in 1996 after failing to make a go of a more conventional computer 
    business.
    
    Freedom from regular office hours allows them to work around their 
    escalating health problems: his heart condition, her bad back and 
    migraines. Fox often wears a headband, convinced that the pressure 
    eases her headaches.
    
    A reclusive but talkative woman, Fox characterizes herself as a small 
    fish in a sea of big-time spammers. The several million spams she 
    sends out each night are nothing compared with the hundreds of 
    millions a big operator might manage.
    
    Some spammers own the stuff they peddle. In contrast, Fox is the 
    high-tech equivalent of a hired gun.
    
    Typically a marketer is tipped to Fox's business by word of mouth and 
    a deal is done on the telephone. Fox then taps into her list of 40 
    million e-mail addresses -- 1,500 times more names than Slidell has 
    people -- for possible targets. She is paid based on how many 
    prospective buyers she delivers to the marketer. Until recently she 
    made a good living spamming, she says, pulling in $4,000 in a good 
    week, $2,000 in a slow week. Some weeks produce no income.
    
    A list of e-mail addresses is a spammer's stock in trade, far more 
    valuable than hardware. In the beginning Fox used software programs 
    that harvested e-mail addresses by searching Web sites and chat rooms 
    for the @ symbol, vacuuming up names and domains. The harvesting 
    software costs about $50 and is highly efficient.
    
    
    Valuable addresses
    
    In an effort to determine how easy it is to harvest e-mail addresses, 
    Federal Trade Commission investigators recently placed 250 e-mail 
    addresses on Internet locations, including Web pages, news groups, 
    chat rooms and online directories. After six weeks, the addresses had 
    received 3,349 spams. It took just nine minutes for one address, 
    posted in a chat room, to get junk e-mail.
    
    Addresses can come cheap -- a CD of 1 million names can cost as little 
    as $25. A compilation of e-mail addresses of those who have purchased 
    items offered in spam -- known as the "suckers list" -- costs more. On 
    occasion Fox will pay several thousand dollars for 1 million premium 
    names.
    
    These days she accumulates new addresses mostly by trading portions of 
    her list with other spammers, many of whom use automated programs that 
    generate almost every conceivable name, then attach them to large 
    domains such as AOL, EarthLink and other big Internet providers.
    
    Fox knows spamming is a risky way to make a living. She was once 
    stiffed $7,000, she says, by a client whose spam promised recipients a 
    48 percent return on a $5,000 investment. After she delivered 400 
    prospects who showed interest in the deal, the client disappeared with 
    federal investigators on his trail. "It's easy to rip people off you 
    have never even seen," Fox says.
    
    The same is often said of spammers. But Fox and Connelly have their 
    limits. They don't peddle Viagra, breast enlargement pills or smut, 
    they say. "When I defend what we do, I talk about free speech," says 
    Connelly, a rugged man with silver hair and a full beard. "When it 
    comes to porn, I don't care about [the pornographers'] free speech."
    
    As Fox sees it, she is no different from those who barrage mailboxes 
    with catalogs from Lands' End or Pottery Barn.
    
    
    All about volume
    
    In most ways, however, spam is nothing like junk mail. It doesn't 
    require a printing press or paper by the truckload. Spammers pay next 
    to nothing to spread their messages.
    
    With catalogs, merchants pay shipping costs. With e-mail, Internet 
    companies and their subscribers bear most of the freight. For that 
    reason, spammers don't bother to target potential customers by 
    demographics or interests -- as is common with direct mail -- but 
    flood as many in boxes as possible. It's nothing to them if some of 
    the ads for Viagra land in "her" in box and the hot flash remedies in 
    "his." Because their cost of doing business is so low, they don't have 
    to sell much to turn a profit.
    
    A company embarking on a traditional direct mail campaign may need a 2 
    percent response rate to make money. But a spammer may get by with one 
    in a million. On a good day, Fox and Connelly get a response rate of 
    one-quarter of 1 percent.
    
    "You could be selling dirt," says Jon Praed, a Virginia lawyer who has 
    sued hundreds of spammers on behalf of Internet companies. "If one 
    person out of a million, a billion, a trillion -- you pick the number 
    -- is going to buy it, you send out however many e-mails you need."
    
    To circumvent U.S. Internet companies, spammers may ricochet their 
    e-mail through less secure networks in China, South Korea or South 
    America before the junk winds up in in boxes from Georgia to 
    California. They share or sell information on how to crack various 
    systems.
    
    Spammers can conduct business with virtual anonymity because portions 
    of e-mail are easily forged. A recent study by the Federal Trade 
    Commission found that two-thirds of 1,000 e-mails sampled were likely 
    to contain false information, often including the sender's identity. 
    The federal legislation imposes criminal and civil penalties for 
    faking the "from" line.
    
    While anonymity protects spammers, it may also appeal to customers who 
    would never buy the products in a store.
    
    In May the owners of C.P. Direct, based in Scottsdale, Ariz., admitted 
    to bilking 420,000 consumers in two years for supplements that did not 
    do what they promised -- enlarge penises by 3 to 5 inches, increase 
    bustlines two to three cup sizes and elevate stature 3 to 4 inches.
    
    The company bought supplements for $2.50 per bottle, then marketed 
    them through spam and other media for $59.95. "These people preyed on 
    the insecurities of society," says Desi Rubalcaba, the Arizona 
    assistant attorney general who prosecuted the case.
    
    The con artists pleaded guilty to fraud and money laundering and 
    agreed to pay restitution. But a spokeswoman for the attorney general 
    said not many victims had claimed refunds.
    
    The big moneymakers often are hard-core pornographers and peddlers of 
    organ enhancement products.
    
    Praed says big-time spammers fit a profile he compiled over years of 
    suing them: They have never been as successful at another profession. 
    They drive fast cars, travel and squander their riches. "They are 
    hackers gone bad," Praed says, "or crooks gone geek."
    
    The founder of the Anti-Spam Research Group, Paul Judge, suspects 
    spammers have infiltrated the group. "I'm sure they download our white 
    papers and study the technology," says Judge, whose nonprofit 
    consortium includes technologists, Internet providers and software 
    makers.
    
    
    'Just like racketeering'
    
    Fox's days of carefree spamming are past, and so is the good money. 
    She worries that bankruptcy is just around the corner and blames the 
    Internet companies -- who have become more adept at filtering out 
    spam.
    
    Fox and Connelly see Internet providers who market their goods and 
    services as spammers themselves. "This is just like racketeering," Fox 
    says. "It's the big guy squeezing the little guy out."
    
    To get around the filters, Fox at times has turned to another Slidell 
    resident, Ronnie Scelson, aka the Cajun King of Spam. Scelson isn't 
    Cajun. But he is a cocky showman who has boasted of blasting as many 
    as 180 million e-mails onto the Internet in a single day.
    
    Last spring the high school dropout stunned the Senate Commerce 
    Committee with testimony that he had cracked sophisticated spam 
    filters in 24 hours. It was Fox who taught Scelson how to spam. In 
    return, he has shared his technological bag of tricks.
    
    "He has helped keep us running," Fox says.
    
    To keep their business going, Fox and Connelly have established 
    Internet accounts in countries where spam isn't controlled, though 
    they won't say where. These accounts cost 10 times as much as U.S. 
    providers charge, Connelly says, but they are necessary to keep the 
    spam flowing. "You're not going to stop it," Connelly says. "Most of 
    us go offshore now. You have to hide where you are."
    
    Chances are Ardie Brackett has heard from Fox or Scelson at some 
    point.
    
    
    'I'm on the clean joke list'
    
    Until four years ago, Brackett relied on a stencil, a ditto machine 
    and the U.S. mail to send weekly updates to relatives from Hawaii to 
    Boston. A cousin suggested setting up a family e-mail group.
    
    Now her updates move with the push of a computer key. She receives 
    photos of her great-niece, reports on the antics of her 1-year-old 
    grandchild, and her cousin's jokes. "He has two lists," she says. "I'm 
    on the clean joke list."
    
    But Brackett gets the filthiest spam. "When I first started getting 
    the junky stuff," she says, "I sent them back an e-mail saying, 'I 
    don't want it.' It seems like the spam got worse."
    
    It probably did. Brackett's response gave spammers a way to verify her 
    address as "a live one." Once an address is deemed active, it can end 
    up on a CD, sold and resold.
    
    Brackett has no plans to return to the ditto machine, but her 
    experiences with spam have made her a more cautious Internet user.
    
    "Spam is something I deal with," Brackett says, noting, "If something 
    comes along, Satan is going to find a way to use it." 
    
    And so, as she prepares to deal with the latest batch in her in box, 
    Flo Fox gets ready to blast out another couple of million spams.
    
    
     
    


