[ISN] Former spammer: 'I know I'm going to hell'

From: InfoSec News (alerts@private)
Date: Wed Jul 18 2007 - 22:30:57 PDT


By Jeremy Kirk
July 18, 2007 
IDG News Service

"Ed," a retired spammer, built a considerable fortune sending e-mails 
that promoted pills, porn and casinos. At the peak of his power, Ed says 
he pulled in $10,000 to $15,000 a week, storing the money in $20 bills 
in stacks of boxes.

It was a life of greed and excess, one that preyed especially on 
vulnerable people hoping to score drugs or win money gambling on the 
Internet. From when he was expelled from high school at 17 until he quit 
his spam career at 22, Ed -- who does not reveal his full name but 
sometimes goes by Spammer-X -- was part of an electronic underworld 
profiting from the Internet via unsolicited commercial e-mails.

"Yes, I know I'm going to hell," said Ed, who spoke in London today at 
an event hosted by IronPort Systems Inc., a security vendor owned by 
Cisco Systems Inc. "I'm actually a really nice guy. Trust me."

Quick-witted and affable, and sporting an earring, there was a time when 
Ed wasn't so nice. He sent spam to recovering gambling addicts enticing 
them to gambling Web sites. He used the e-mail addresses of people known 
to have bought anti-anxiety medication or antidepressants and targeted 
them with pharmaceutical spam.

In short, Ed said he was "basically what people hate about the 

He spent 10 hours a day, seven days a week studying how to send spam and 
avoid filtering technologies in security software designed to weed out 
garbage e-mail. Most spam filters are effective 99% of the time. Ed 
aimed for that remaining window, using tricks such as including slightly 
different images in his spam, which can fool filters into thinking the 
e-mail is legitimate.

"The better I got at spam, the more money I made," Ed said.

He would start a spam run by finding an online merchant who wanted to 
sell a product. Then he'd acquire a list of e-mail addresses, another 
commodity that has spawned its own market in the world of spam. He'd 
also set up a domain name, included a link in a spam message that, if 
clicked, would redirect the recipient to the merchant's Web site, 
enabling Ed to get credit for the referral.

The spam would then be sent from a network of hacker-controlled 
computers, called botnets. Those machines are often consumer PCs 
infected with malicious software that a hacker can control. Ed would 
"rent" time on those computers from another group of hackers who 
specialized in creating botnets.

If one of the spam recipients bought something, Ed would get a 
percentage of the sale. For pharmaceuticals, the commission was around 
50%, he said.

Response rates to spam tend to be a fraction of 1%. Ed said he once got 
a 30% response rate for a campaign. The product? A niche type of adult 
entertainment: photos of fully clothed women popping balloons.

To track the money, merchants set up a "referral sales page" where 
spammers can see how much they make from a spam run. Ed would log in 
frequently, watching the money increase. He was paid into electronic 
payment transfer accounts, such as e-gold or PayPal, or into his debit 
card account, which he could cash out in $20 bills.

That was a problem when the cash became voluminous. He says he made 
$480,000 in his last year of spamming. But the lifestyle of being a 
spammer was taking a toll. In essence, he had no life.

It's hard to go into a bar and explain your job to a woman by saying, "I 
advertise penis enlargement pills online," Ed said. "It doesn't go down 
very well."

He rationalized his actions by saying spamming is not like robbing 
someone, although the lurid impact of spam was clear. Some 9 million 
Americans have some dependence on prescription drugs, Ed said, and he 
noticed that the same people were buying different drugs each month. 
"These were addicts," he said.

In addition, he said, "the product is always counterfeit to some degree. 
If you're lucky, sometimes it's a diluted version of the real thing." 
Viagra is cut with amphetamines, and homemade pills are common from 
sketchy labs in countries such as China, India and Fiji, Ed said.

So Ed got out of the business. He has written a book, Inside the Spam 
Cartel: Trade Secrets from the Dark Side [1] (Syngress, 2004), which he 
said has drawn interest among law enforcement officials eager to learn 
more about the spam business, which he predicted will only get worse.

As broadband speeds increase, spammers will increasingly try to market 
goods by making voice-over-IP calls or sending out videos, Ed said. The 
ultimate unsolvable problem is users who continue to buy products 
marketed by spammers, making the industry possible.

"I think in 10 years, we'll still get spam," Ed said. "Be prepared to be 

[1] http://www.amazon.com/exec/obidos/ASIN/1932266860/c4iorg

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Wed Jul 18 2007 - 22:37:22 PDT