[ISN] REVIEW: "Inside the Spam Cartel", Spammer-X

From: InfoSec News (isn@private)
Date: Wed Mar 02 2005 - 09:23:21 PST


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@private>

BKINSPCA.RVW   20041224

"Inside the Spam Cartel", Spammer-X, 2004, 1-932266-86-0,
U$49.95/C$72.95
%A   Spammer-X
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-932266-86-0
%I   Syngress Media, Inc.
%O   U$49.95/C$72.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1932266860/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1932266860/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1932266860/robsladesin03-20
%O   tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P   413 p.
%T   "Inside the Spam Cartel: Trade Secrets from the Dark Side"

Chapter one is supposed to be a bio of Spammer-X, and gives us the
stereotypical blackhat life story.  A business model of using spam to
generate referrals to porn sites is presented in chapter two.  Rough
ideas of spamming techniques are outlined in chapter three, although
it is rather short on details.  (What details are given are quite
suspect: SOCKS is not a mail server, but a type of circuit-level proxy
firewall.)  Chapter four lists various means of harvesting addresses,
but concentrates on a) buying them, and b) random address
verification.  (Which doesn't provide much help to users in terms of
suggestions for avoiding getting on spam lists.)  Advertising tricks
are balanced against some anti-blacklisting tips in chapter five. 
Interestingly, there is some talk of botnets, but not the SMTP (Simple
Mail Transfer Protocol server) carrying viruses.  (More technical
goofs: Rich Text Format is hardly a Microsoft only technology.) 
Chapter six looks at various means of payment over the Internet which,
for those of paranoid mindset, has some possibly useful points to make
about dangers of different forms of online commerce.

Chapter seven starts to present some information that may have some
general value, as it reviews various types of spam filtering (and
filter evasion) techniques.  A more advanced examination is in chapter
eight.  Scams are listed in chapter nine, with a concentration on
phishing and 419/advance fee frauds.  The author is rather careless
with the facts: phishing is initially described as any type of scam
(although the text later contradicts itself by redefining the term as
related only to banks), Nigeria does have a law against advance fee
fraud, and it's Lagos, not Logos.  Chapter ten runs through the
provisions of the US CAN-SPAM act, and notes how spam can be legal. 
The material on the analysis of spam, in chapter eleven, initially has
some helpful tips, but the later parts of the chapter grow vague.

In chapter twelve, Spammer-X points out that the estimated costs of
spam are wildly inflated, but his own numbers are biased very low, not
counting the costs of maintaining filters, the loss of messages,
difficulties in contacting people, spam to mailing lists, and even the
problem of bounced messages which is raised in the following chapter. 
The statistics of spam listed in chapter thirteen are generally of
little use.  The most interesting data, on yearly trends, is
incorrectly described in the text (switching the numbers for virus and
spam) and says that spam is down over the Christmas period, which is
not supported by the numbers themselves.  (This is rather ironic: I
reviewed the book over Christmas, and can attest to the fact that
there was no drop in the numbers of spam on my accounts.)

Chapter fourteen makes some rather far-fetched predictions about the
future of spam.  The questions in chapter fifteen's FAQ (Frequently
Asked Questions list) seem to be simply random rather than
significant.  Spammer-X closes, in chapter sixteen, by telling us that
he has given us an unbiased look at spam, and that spam is good.

The promotional blurb on the cover implies that you may hate
Spammer-X, but still need to know what he says.  It also states that
this is a "Must Read" for security professionals and law enforcement
personnel.  Forget it.  The notes on anti-blacklisting tips and
techniques for harvesting email, at least those given in the book, are
going to be of very little help in either avoiding spam, or in
tracking down the perpetrators.  It may, of course, be that not all
spamming techniques are provided here, and that knowledge of some of
them would help system administrators or those who want to track down
spammers--but that still means the text is of extremely limited
usefulness.  The title is also rather misleading: the author (if,
indeed, there is a single author and not a committee) presents us with
one particular look at spamming activity.  If there is a spam cartel
"he" is definitely not in it.  The work has some points of interest,
but it isn't going to help anybody very much.  (Including,
fortunately, potential spammers.)

copyright Robert M. Slade, 2004   BKINSPCA.RVW   20041224


======================  (quote inserted randomly by Pegasus Mailer)
rslade@private      slade@private      rslade@private
Doubtless you are the people, and wisdom will die with you!  But
I have a mind as well as you; I am not inferior to you.  Who does
not know all these things?                              - Job 12:2,3
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade




_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005



This archive was generated by hypermail 2.1.3 : Wed Mar 02 2005 - 10:01:59 PST