Information Security News
mailing list archives
Spam wars play out across Internet
From: InfoSec News <isn () c4i org>
Date: Mon, 15 Dec 2003 05:17:24 -0600 (CST)
Forwarded from: William Knowles <wk () c4i org>
http://www.ajc.com/business/content/business/1203/14spammain.html
By BILL HUSTED and ANN HARDIE
The Atlanta Journal-Constitution
12/14/03
In the small Louisiana city of Slidell, Flo Fox feeds the hungry by
day but spams by night.
The graying grandmother in a "What Would Jesus Do?" T-shirt proudly
recalls stretching two turkey carcasses into enough gumbo to feed 100
of the city's poor.
To keep from joining their ranks, she spams. Fox lays out $1,000 a
month for the kind of high-speed Internet connection that businesses
and some small Internet service providers use.
She harnesses that power all night using a couple of shopworn
computers in her home, spitting out millions of junk e-mails for
merchandise ranging from land in Belize to blessed coins.
Fox doesn't own the stuff she sells, but gets paid to pitch it for
people who do. These days, she says, she barely gets by, but that's
better than nothing. "We're in the computer age," says Fox. "This lets
the little guy compete."
In a Snellville bedroom, another grandmother fires up her computer.
Awaiting Ardie Brackett, 70, a small woman with big pink bifocals, are
114 e-mails. All but a handful are from folks she doesn't know and
doesn't want to hear from. Some want her to grow bigger breasts;
others offer to enlarge an organ she doesn't have. Some send lurid
images of sexual depravity.
Brackett banishes her 8- and 10-year-old grandchildren -- whom she
watches after school -- to the living room while she deletes the
"yucky" stuff.
Five hundred miles and worlds apart, these two forces of cybernature
work at cross-purposes -- Flo Fox churning out spam as fast as she
can, Ardie Brackett deleting it as quickly as her slim index finger
and mouse will move. The scene is being played out on countless
computers across the globe.
More than half of all e-mail traffic this year is junk, experts say,
up from 8 percent just two years ago. That's 15 billion spam messages
crisscrossing the Internet daily, or 25 spam e-mails a day for every
person online in the world.
Many of the 117 million Americans logged on are losing faith in
e-mail, which is hands down the Internet's most popular application.
More than half of e-mail users trust it less because of spam, while
one in four uses it less, according to a recent study by the Pew
Internet and American Life Project.
Americans are doing their best against the rising torrent flooding
their in boxes. About three-fourths of e-mail users now avoid giving
out their addresses, the Pew study found. Most favor Brackett's means
of dealing with spam: the delete key. Some are resorting to old lines
of communication: the telephone and U.S. Postal Service.
Yet the spam keeps coming. Its volume is growing 15 percent to 20
percent a month, limited only by the speed of computers and the
creativity of spammers, whose messages have evolved from ink toner ads
to dead-on impersonations of eBay and Best Buy designed to steal
credit card numbers. If something doesn't give, experts say, nine of
10 e-mails will be spam a year from now.
"There is a very real threat that the e-mail function is going to rot
before our very eyes," says Nicholas Graham, a spokesman for America
Online, the country's largest Internet provider. AOL estimates that 80
percent of the mail coming into its network is spam. Like most
providers, AOL filters out most of the junk before it reaches
subscriber in boxes. But much spam still gets through.
Plenty of people are trying to stop the deluge. Some efforts may be
making matters worse.
Internet service providers, bombarded by spam on one side and angry
subscribers on the other, are spending hundreds of millions of dollars
to improve their spam-blocking technology. They are taking spammers to
court and even joining forces with their competitors to stop spam.
Many private companies filter spam before it reaches employees' in
boxes, but the cost of doing that is enormous. U.S. businesses spend
an estimated $10 billion a year managing spam.
Last week, the U.S. House of Representatives gave final approval to
anti-spam legislation that authorizes the creation of a "do not spam"
registry and imposes tough penalties for fraudulent e-mail. But some
consumer groups say the bill -- which President Bush is expected to
sign into law Tuesday -- will just give spammers a license to operate.
Regulating what spammers can't do legitimizes anything else, they
argue.
For now the anti-spam forces are making the lives of many spammers
harder, putting some into bankruptcy, some behind bars. Three Arizona
spammers recently prosecuted for conning victims out of more than $75
million for organ enhancement pills are scheduled to be sentenced this
week.
While a few spammers have made fortunes, industry experts say most,
like Fox, are small operators earning a modest income.
Together they could drown e-mail.
"Can e-mail be saved?" asked AOL's Graham. "The answer is yes. But
time is running out."

Easy to start up

Fox is one of the thousands of faces behind the countless junk
e-mails.
She lives 30 miles from New Orleans in Slidell, a city of 26,000.
Shuttered stores fill a large outlet mall near I-10. For sale signs
have popped up in yards like mushrooms.
Fox shares her small one-story house with her two grown children, a
young grandson, and her husband, Bruce Connelly.
Inside, a big-screen TV blares cartoons and the 2-year-old is
everywhere. The walls are covered with paintings of Jesus, the Virgin
Mary and assorted saints. A devout Catholic, Fox works through her
church to feed the hungry and volunteers at a senior citizen center
once a week.
But when the neighbors' windows are dark, the lights stay on until all
hours as Fox's computers invade millions of unsuspecting in boxes.
A convergence of factors lies behind the spam boom of the past few
years. Computers have gotten faster and Internet access cheaper.
Anyone with a little technical know-how and $1,000 for a computer and
some e-mail addresses can become a spammer -- and with jobs hard to
come by, many do.
Fox and Connelly began by hawking a religious newsletter for a client
in 1996 after failing to make a go of a more conventional computer
business.
Freedom from regular office hours allows them to work around their
escalating health problems: his heart condition, her bad back and
migraines. Fox often wears a headband, convinced that the pressure
eases her headaches.
A reclusive but talkative woman, Fox characterizes herself as a small
fish in a sea of big-time spammers. The several million spams she
sends out each night are nothing compared with the hundreds of
millions a big operator might manage.
Some spammers own the stuff they peddle. In contrast, Fox is the
high-tech equivalent of a hired gun.
Typically a marketer is tipped to Fox's business by word of mouth and
a deal is done on the telephone. Fox then taps into her list of 40
million e-mail addresses -- 1,500 times more names than Slidell has
people -- for possible targets. She is paid based on how many
prospective buyers she delivers to the marketer. Until recently she
made a good living spamming, she says, pulling in $4,000 in a good
week, $2,000 in a slow week. Some weeks produce no income.
A list of e-mail addresses is a spammer's stock in trade, far more
valuable than hardware. In the beginning Fox used software programs
that harvested e-mail addresses by searching Web sites and chat rooms
for the @ symbol, vacuuming up names and domains. The harvesting
software costs about $50 and is highly efficient.

Valuable addresses

In an effort to determine how easy it is to harvest e-mail addresses,
Federal Trade Commission investigators recently placed 250 e-mail
addresses on Internet locations, including Web pages, news groups,
chat rooms and online directories. After six weeks, the addresses had
received 3,349 spams. It took just nine minutes for one address,
posted in a chat room, to get junk e-mail.
Addresses can come cheap -- a CD of 1 million names can cost as little
as $25. A compilation of e-mail addresses of those who have purchased
items offered in spam -- known as the "suckers list" -- costs more. On
occasion Fox will pay several thousand dollars for 1 million premium
names.
These days she accumulates new addresses mostly by trading portions of
her list with other spammers, many of whom use automated programs that
generate almost every conceivable name, then attach them to large
domains such as AOL, EarthLink and other big Internet providers.
Fox knows spamming is a risky way to make a living. She was once
stiffed $7,000, she says, by a client whose spam promised recipients a
48 percent return on a $5,000 investment. After she delivered 400
prospects who showed interest in the deal, the client disappeared with
federal investigators on his trail. "It's easy to rip people off you
have never even seen," Fox says.
The same is often said of spammers. But Fox and Connelly have their
limits. They don't peddle Viagra, breast enlargement pills or smut,
they say. "When I defend what we do, I talk about free speech," says
Connelly, a rugged man with silver hair and a full beard. "When it
comes to porn, I don't care about [the pornographers'] free speech."
As Fox sees it, she is no different from those who barrage mailboxes
with catalogs from Lands' End or Pottery Barn.

All about volume

In most ways, however, spam is nothing like junk mail. It doesn't
require a printing press or paper by the truckload. Spammers pay next
to nothing to spread their messages.
With catalogs, merchants pay shipping costs. With e-mail, Internet
companies and their subscribers bear most of the freight. For that
reason, spammers don't bother to target potential customers by
demographics or interests -- as is common with direct mail -- but
flood as many in boxes as possible. It's nothing to them if some of
the ads for Viagra land in "her" in box and the hot flash remedies in
"his." Because their cost of doing business is so low, they don't have
to sell much to turn a profit.
A company embarking on a traditional direct mail campaign may need a 2
percent response rate to make money. But a spammer may get by with one
in a million. On a good day, Fox and Connelly get a response rate of
one-quarter of 1 percent.
"You could be selling dirt," says Jon Praed, a Virginia lawyer who has
sued hundreds of spammers on behalf of Internet companies. "If one
person out of a million, a billion, a trillion -- you pick the number
-- is going to buy it, you send out however many e-mails you need."
To circumvent U.S. Internet companies, spammers may ricochet their
e-mail through less secure networks in China, South Korea or South
America before the junk winds up in in boxes from Georgia to
California. They share or sell information on how to crack various
systems.
Spammers can conduct business with virtual anonymity because portions
of e-mail are easily forged. A recent study by the Federal Trade
Commission found that two-thirds of 1,000 e-mails sampled were likely
to contain false information, often including the sender's identity.
The federal legislation imposes criminal and civil penalties for
faking the "from" line.
While anonymity protects spammers, it may also appeal to customers who
would never buy the products in a store.
In May the owners of C.P. Direct, based in Scottsdale, Ariz., admitted
to bilking 420,000 consumers in two years for supplements that did not
do what they promised -- enlarge penises by 3 to 5 inches, increase
bustlines two to three cup sizes and elevate stature 3 to 4 inches.
The company bought supplements for $2.50 per bottle, then marketed
them through spam and other media for $59.95. "These people preyed on
the insecurities of society," says Desi Rubalcaba, the Arizona
assistant attorney general who prosecuted the case.
The con artists pleaded guilty to fraud and money laundering and
agreed to pay restitution. But a spokeswoman for the attorney general
said not many victims had claimed refunds.
The big moneymakers often are hard-core pornographers and peddlers of
organ enhancement products.
Praed says big-time spammers fit a profile he compiled over years of
suing them: They have never been as successful at another profession.
They drive fast cars, travel and squander their riches. "They are
hackers gone bad," Praed says, "or crooks gone geek."
The founder of the Anti-Spam Research Group, Paul Judge, suspects
spammers have infiltrated the group. "I'm sure they download our white
papers and study the technology," says Judge, whose nonprofit
consortium includes technologists, Internet providers and software
makers.

'Just like racketeering'

Fox's days of carefree spamming are past, and so is the good money.
She worries that bankruptcy is just around the corner and blames the
Internet companies -- who have become more adept at filtering out
spam.
Fox and Connelly see Internet providers who market their goods and
services as spammers themselves. "This is just like racketeering," Fox
says. "It's the big guy squeezing the little guy out."
To get around the filters, Fox at times has turned to another Slidell
resident, Ronnie Scelson, aka the Cajun King of Spam. Scelson isn't
Cajun. But he is a cocky showman who has boasted of blasting as many
as 180 million e-mails onto the Internet in a single day.
Last spring the high school dropout stunned the Senate Commerce
Committee with testimony that he had cracked sophisticated spam
filters in 24 hours. It was Fox who taught Scelson how to spam. In
return, he has shared his technological bag of tricks.
"He has helped keep us running," Fox says.
To keep their business going, Fox and Connelly have established
Internet accounts in countries where spam isn't controlled, though
they won't say where. These accounts cost 10 times as much as U.S.
providers charge, Connelly says, but they are necessary to keep the
spam flowing. "You're not going to stop it," Connelly says. "Most of
us go offshore now. You have to hide where you are."
Chances are Ardie Brackett has heard from Fox or Scelson at some
point.

'I'm on the clean joke list'

Until four years ago, Brackett relied on a stencil, a ditto machine
and the U.S. mail to send weekly updates to relatives from Hawaii to
Boston. A cousin suggested setting up a family e-mail group.
Now her updates move with the push of a computer key. She receives
photos of her great-niece, reports on the antics of her 1-year-old
grandchild, and her cousin's jokes. "He has two lists," she says. "I'm
on the clean joke list."
But Brackett gets the filthiest spam. "When I first started getting
the junky stuff," she says, "I sent them back an e-mail saying, 'I
don't want it.' It seems like the spam got worse."
It probably did. Brackett's response gave spammers a way to verify her
address as "a live one." Once an address is deemed active, it can end
up on a CD, sold and resold.
Brackett has no plans to return to the ditto machine, but her
experiences with spam have made her a more cautious Internet user.
"Spam is something I deal with," Brackett says, noting, "If something
comes along, Satan is going to find a way to use it."
And so, as she prepares to deal with the latest batch in her in box,
Flo Fox gets ready to blast out another couple of million spams.
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.