Joe Stewart was poring over the complex computer code of a widespread new virus named “SoBig,” wondering what it was really designed to do. Then it hit him. This was not your typical attention-getting nuisance. The virus, he says, was actually designed to hack into home users’ computers and quietly use them to send out spam. In the secretive world of spammers, where dirty tricks are standard practice, this was the dirtiest trick yet.
Spammers live in a cat-and-mouse world, where survival means staying one step ahead of the people and technology that are giving chase.
The game began simply, long ago, with a single e-mailer sending out multiple messages from an account, which was shut down by the e-mail provider.
But the battle for spam is a war of escalation. To get their messages out, spammers have taken to more and more unsavory tactics; they bounce their e-mails around the world, break into insecure university computers and launch spam campaigns from there, even steal long-distance telephone service to sneak onto dial-up Internet accounts.
As a countermeasure, some in the anti-spam movement have taken to ignoring e-mail that comes from certain parts of the Internet, which foils most of the tactics described so far.
“You implement one new technology hurdle, that slows them down for days or weeks, but they eventually adapt,” said Ray Everett-Church, chief privacy officer for ePrivacy Group.
And now, this latest adaptation. The worlds of computer virus writers and spammers have merged, says Stewart. Trojan horses are being placed on home computers around the Internet, making them willing accomplices to spam campaigns. Hiding behind the IP address of a home computer is nearly the perfect disguise.
“It makes it very hard to trace back to the spammer,” Stewart said.
Spammers now hackers
Researchers say hundreds of thousands of vulnerable computers are being used to launch spam campaigns now. In fact, 70 percent of all spam is now sent this way, according to anti-spam firm Message Labs Inc. — and perhaps 6 to 7 billion spam messages are routed through hacked home computers.
“A lot of ex-hackers, the black hats, they go into spamming,” said computer security expert Joel de la Garza. “And they are making a lot of money from that.”
For some, the tactic is the stuff of science fiction. Earthlink spam fighter Mary Youngblood now spends a lot of her time calling innocent victims telling them their computer is being used for spam. Often, they just don’t believe her.
“Some people say, ‘You’re insane. My machine is fine. I haven’t gotten any complaints,’” she said. “We get lots of ‘experts’ that swear up and down, ‘No, no, you are completely wrong.’ ”
Most work at home
Youngblood’s abuse team of 12 is part of a close-knit network of spam fighters at all U.S. Internet service providers who play the cat in this contest. While hacking into vulnerable computers, called “open proxies,” is the latest trend in spam, it’s just one of the popular tools used by spammers to evade their pursuers. The spammers’ world is a constant search for bandwidth that won’t get turned off, e-mail software that helps them hide, and companies that really will pay them for selling Viagra or Iraqi Most Wanted cards or penis enhancement products.
But it’s not a world of high-tech genius million-dollar computer systems. Most spammers work at home, using jury-rigged networks and software they’ve cobbled together with help from other spammers they meet in secret “spam clubs.” On these member-only Web sites, targeted address lists are shared, illicit bandwidth is bought and sold, and bulk e-mail software is discussed. Much like the underground world of credit card thieves, it’s full of name-calling and accusations, and a constant, desperate search for reliable bandwidth.
10 million a day
One former spammer interviewed under condition of anonymity by MSNBC.com said he simply had four computers and two cable modems in his operation. With that setup, he said, he was able to send out 10 million e-mails a day.
“The computers were running all day, 24 hours a day,” he said. “You need to send about 500,000 an hour to make any money.”
In fact, some spammers have an even a simpler setup, which can be harder to track. When Earthlink sued to stop spammer Harold Carmack, he was just connecting to their systems using old-fashioned dial-up accounts. Youngblood, who led the investigation into Carmack, said dial-up lines can be the hardest to trace. Newer circuits have caller-ID-like technology called ANI that can reveal exactly where a local telephone call is placed when it dials a modem pool; older phone lines don’t. Carmack tried to evade Earthlink investigators by using local dial-up numbers from around the country. But he stumbled onto enough ANI-enabled lines that Earthlink was able to hunt him down.
Evading the hunt is the chief task for all spammers, and it’s harder than it sounds. Nearly all spam has two components — the initial e-mail, and a companion Web page. The e-mail drives traffic to the Web site, where spam recipients are asked to fill out a form or buy a product. Both components have to work; if either one is shut down, the spammer can’t get paid.
That’s why spammers pay hundreds, and sometimes thousands of dollars a month for what’s known as “bullet-proof hosts.” Such Web providers, with names like “Steel-Space,” promise their sites won’t get pulled down, even in the face of a deluge of complaints. Commonly advertised around the Internet as “bulk e-mail friendly Web hosting services,” many claim to operate offshore, far from U.S. legal subpoena power and the e-mail complaints of an English-speaking audience.
But other spammers contend that most of the dirty work is still done in the U.S. “There is no such thing (as an offshore server),” wrote one. “Offshore servers is a polite way of saying vulnerable, technologically challenged servers.”
Of course, distributing the spam e-mail itself is the first and most important step. For that, spammers turn to bulk e-mail software like Send-Safe, which allows them to fake the name listed in the “from” line.
Most e-mail addresses at this point come from e-mail harvesting programs, which search the Web like Google, culling the millions of e-mail addresses listed on Web pages or in Newsgroup posts. Spam clubs offer e-mail lists, too — some even claim to be targeted. One club viewed by MSNBC.com promised regularly updated lists in categories as narrow as “actors and actresses.”
E-mail lists are for sale, too: some sites promise to divulge as many as 30 million e-mail addresses for under $100.
And to streamline the process further, spammers can pay someone else to do their dirty work. For about $350, many sites claim to do the entire process for you, delivering 1 million e-mails to consumers they say have “opted in” and are looking for offers.
Confusion is the best tool
But perhaps the most powerful tool in the spammer’s arsenal is plausible deniability. Spam complaints are always met with a response that the consumer volunteered for e-mail offers at some point. Usually, a “marketing partner” or affiliate is blamed.
A former employee at an e-mail marketing company that claims to engage in only opt-in marketing campaigns revealed just how this works, under condition of anonymity.
When she worked there, people were constantly added to “opt-in” lists whether they opted in or not, she said. Frequently, marketers approached her firm with e-mail lists and spam campaign e-mails. Her company never asked where the e-mail addresses came from; it certainly didn’t require proof that the consumer had “opted in.” When complaints came, they pinned the problem on the partner. And remove requests were completely ignored, she said.
“I checked myself when I was working there to see how many people had my e-mail address. And I was on 15 lists. And I had never signed up for anything. It was disgusting,” she said. “They tell people they must have subscribed. But that’s just not true.”