[Asrg] Re: News Article - CONFESSIONS OF A FORMER SPAMMER - text included
2003-05-11 10:56:59
Take a look at this SlashDot story:
http://yro.slashdot.org/yro/03/05/11/1648253.shtml?tid=126&tid=111
which refers to this Oregonian article:
http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/105256787116000.xml
Here is the text of the article:
---[snip]-----
CONFESSIONS OF A FORMER SPAMMER
05/11/03
JEFFREY KOSSEFF
You probably don't know Duncan Shiels, but if you have an e-mail account,
he may have sent you personal advice. Very personal advice.
VIAGRA, KICK START YOUR SEX LIFE NOW! . . . By clicking here, you can
instantly access hundreds of the nation's top insurance companies . . . It
enables people to burn more fat doing nothing.
Until late last year, Shiels was an e-mail spammer. The type demonized in
every nook of American society. A prodigious Internet marketer, who from
his Portland home sent up to 10 million unsolicited e-mail advertisements a
day for other companies.
He said he made as much as $1,000 a week -- and could have raked in a lot
more if he hadn't quit the business in October, six months after he
started. The path to spamming success requires expensive investments in
software and the agility to adjust to the technological warfare between
spammers and companies that try to block their messages. It also requires
the stamina to withstand daily hate mail and even death threats.
Shiels decided a spamming career wasn't worth the personal cost. But his
story, which he agreed to share with The Oregonian, shows the challenge
that consumer advocates and government leaders face as they try to eradicate
spam. The Oregon House on Tuesday unanimously passed anti-spam legislation.
Most other states also have tackled the problem, but nobody seems to know
how to solve it.
As the war on spam trods along, public frustration grows.
Even after installing software to filter spam, many e-mail users must wade
through dozens of unwanted e-mail messages a day, which slows the
fast-paced communications that made the Internet rise to prominence. Ferris
Research estimates fighting and sorting through spam will cost U.S.
corporations $10 billion this year.
When lawmakers and companies fight spam, they're not up against teenage
hobbyists and pranksters. They face thousands of pros like Shiels, who have
high-tech tools and an immense network of knowledge that is difficult to
overcome.
"All the little punks in their garage who are trying it are not getting
anywhere," Shiels said. "The ones sending you all the stuff are the big
boys, the ones who do it for a living."
The fast-talking ex-spammer, at a sturdy 6 feet, doesn't resemble the
picture of an antisocial digital anarchist spamming from a dark basement.
That's the image painted by legislators, Internet companies and frustrated
e-mail users.
Duncan Shiels, 41, was raised in an upscale neighborhood in Portland's West
Hills. Wide glasses, light brown hair and a neatly trimmed goatee frame a
genial face. He left his hometown to become a Hollywood stuntman and then a
police officer before returning five years ago as a budding Internet
entrepreneur.
Entering a murky world
In 1998, Shiels quit his patrol sergeant job at the
Adelanto Police Department in Southern California and moved back home to
Portland to start a full-time career in Web design, a hobby he had been
dabbling in for five years.
He said he succeeded early on, with a small business that employed two
other people. But Shiels saw business fall off in the past few years.
Prices plunged because "everybody became a Web designer."
By early last year, he needed a new source of cash. He noticed about 100
spam messages flooding his e-mail account each day. Instead of complaining
about it, he wanted to learn how the anonymous salespeople earn a living.
Someone is making money off this, he reasoned. Why shouldn't it be him?
He began a quest that would lead to a six-month career in spamming.
Shiels had never purchased anything advertised in a spam message, but he
knew that some people must.
"It's just another form of advertising," he explained, laughing. "Granted,
the stuff that's being sold, it's not very intriguing."
He'd heard enough complaints about spam from his friends, but he never
understood them. The junk mail his mail carrier delivers bothers him much
more, Shiels said.
"It costs money to be processed. And it's a waste of trees. It's intrusive
as hell because you have to go through all of it. People don't get mad
about that, and I don't understand why," he mused.
They do complain about spam.
Companies report that the average employee complains about spam to
corporate information technology departments at least once a year, said
Ferris Research, which tracks e-mail issues. Internet service providers
also say they receive more complaints about spam than anything else.
When Shiels told his family and friends he was pursuing a career in spam,
"they just laughed."
But Shiels has long been up for new career adventures.
A numbers game
Consumer advocacy groups often define all unsolicited,
usually commercial e-mail as spam, a reference to the Monty Python skit in
which Vikings repeatedly and annoyingly shout "spam." But Shiels said the
underground industry balks at the stigmatic moniker. Those who send spam,
he said, refer to it as "bulk e-mail."
Like most serious bulk e-mailers, Shiels didn't immediately begin sending
advertisements. He researched the industry for five months before sending
his first e-mail message.
The learning process was tough. After weeks of online searches, Shiels
found the entry point -- online clubs for spammers. The Internet bulletin
boards, which charge membership fees, allow "bulk e-mail" entrepreneurs to
exchange information on clients who need people to send bulk ads via
e-mail, software that helps them send it and tips for getting spam around
filters (the enemy) and onto recipients' screens (the moneymaker).
As with most cases in the seedy world of bulk online advertising, many spam
clubs aren't "legitimate," Shiels said. But he found two that offered many
business leads and spamming tools.
"There's a lot of people in there that are generous to help you out and
give you information based on their experience," he said. "But you have to
probe it."
Shiels slowly gained the anonymous spamming gurus' trust.
He even spoke on the phone with some, though Shiels noted "they won't
usually give you their real name."
Many were software developers or, like him, longtime Web designers familiar
with the Internet's intricacies.
In the spam club, he encountered companies looking for people to send
e-mail about their products, including loans, insurance offers and the
prescription drug Viagra and similar products.
Many online pornography companies seek spammers, but Shiels said he didn't
even consider hawking porn.
"I didn't do any adult stuff because I don't believe in that," Shiels said.
"I have a 7-year-old boy."
The response rate is extremely low: One-tenth of a percentage point is
considered wildly successful, Shiels and spam experts agree. For spammers,
that's made up for by the ability to send millions of e-mails a day and the
relatively generous commissions.
Viagra distributors pay spammers per sale -- about $60 for every $150 order
-- while financial companies typically pay for every consumer who requests
more information -- as much as $12 for mortgage leads and as much as $5 for
insurance referrals, Shiels said.
"It's a numbers game," Shiels said.
With a few computers, that numbers game becomes easy to play. Shiels met
people in the spam club who had as many as 15 computers sending hundreds of
millions of messages a day, increasing their chances of snaring sales and
referral payouts.
The numbers game also explains the rapidly growing number of spam messages.
The University of Oregon's computing department said it blocks about 25,000
spam messages a day.
According to Jupiter Research, the average U.S. e-mail recipient received
669 spam messages in 2000. That figure, which includes home and business
accounts, surged to 2,278 last year, and Jupiter expects it to reach 2,551
this year.
Ready, set, spam
Armed with swaths of information, Shiels purchased four
computers and two cable-modem connections, which soon were running above
full capacity with only about six hours of rest each day. But that was just
the beginning of the investments.
He spent about $10,000 on software to harvest e-mail addresses, to disguise
his online identity and to send millions of messages a day.
Shiels would not reveal the companies that make the proprietary software,
and he said they are difficult to track down. They only accepted payments
through wire transfers, Shiels said.
"I could tell you the name right now, and you wouldn't be able to find
them," he said.
Shiels described the complex technology that keeps spammers ahead of those
who try to stifle them, and The Oregonian verified his technical
explanations with experts from the University of Oregon; InboxCop.com, a
Portland company that makes spam filters; and spamhouse.org, one of the
nation's most prominent anti-spam Web sites.
Even those in the underground spamming world who say they abide by the law
desire complete anonymity. Anti-spam Web sites list information about
spammers, and vigilantes reportedly have threatened and harassed them.
Understanding Shiels' software is key to understanding why spam is so
difficult to fight.
His most basic program coordinates the four computers and enables them to
send thousands of e-mail messages a minute, culling e-mail addresses from
one database and sending them messages he designed.
But to send e-mail, he needed addresses of recipients. Another program
harvests e-mail addresses from Web sites. That's why people with e-mail
addresses listed on public Web pages will likely receive floods of spam.
Besides scanning Web pages for e-mail addresses, it also searches Internet
newsgroups -- public bulletin boards. And it automatically deletes
addresses that have such phrases as "info" and "service," those that likely
don't immediately bounce to an actual person. It also tests for unpublished
addresses by combining user names -- the portions of e-mail addresses
before the @ symbol -- with domain names of other addresses.
To get started, Shiels also paid colleagues from the spammer clubs for a
list of e-mail addresses. Ten million addresses cost about $1,200, he said.
"There are people in the industry that sell addresses and there are people
that send, and they're usually never combined because both are full-time
jobs," Shiels said.
He said he shot out as many as 10 million messages in one day, often
reusing addresses.
"The idea is it's just like a commercial," Shiels said. "You don't just
send it to one address once. You send it to one address five or six times.
Do commercials only come on once? You get the same crap in your e-mail more
than once. You have to bombard the person."
With the sending software installed and configured properly, Shiels never
even had to hit the "send" button. The computers automatically pulled
e-mail addresses from the Web and sent messages about 18 hours a day.
Because the hyperactivity caused a crash about every other day, Shiels
monitored the computers all day. But his larger job was staying in touch
with the companies that employed him and making sure his software was
updated enough to dodge spam filters.
Clogging the filters
Spam filtering software is the most oft-used tool in
the fight against bulk e-mail. It creates blacklists of millions of e-mail
addresses that send spam, as well as the Internet addresses of the
computers where spam originates.
Just as in an arms war, though, professional spammers counterattack.
Even with the sending and harvesting software in place, Shiels shelled out
thousands more dollars for two other programs, which disguised him and
helped prevent filters from blocking his messages.
Without them, recipients easily could have reported Shiels to his Internet
service provider, which may have shut down his Internet connection. Even if
he stayed online, spam filters would quickly blacklist his Internet address.
One piece of software searched for and directed his computers to "open
proxies," unguarded computers that enabled anyone from the outside to send
mail through them. Often outside of the United States, open proxies made
Shiels anonymous, because the spam appeared to be originating in those
computers, even though it was only passing through.
Every piece of e-mail carries a header, which specifies the message's path,
from sender to recipient. When spammers use open proxies, the messages
appear to be originating from the off-shore computers, not from the spammers.
But filtering software companies have cataloged hundreds of thousands of
open proxies throughout the world and have created programs to block e-mail
that comes directly from them. So once Shiels masked his messages through
open proxies, he used another program to find "open relays," the messages'
last stop before reaching a recipient.
Relay servers exist on all e-mail systems, and they route messages to the
proper address within a company. But some insecure relays are left "open,"
enabling anyone from the outside to send messages through them to any other
outside address.
Companies soon shut down open relays, but so many exist that the software
rotates them quickly.
"I know this all sounds like you're hiding yourself and doing this
illegitimately, but the reason you have to do it is everybody tries to shut
you down," Shiels said.
And with such software programs, it became more difficult for filter
programs to block e-mail messages.
"You can talk about these people that come out with spam filters," Shiels
said. "They're going to come out with something that will limit it to a
degree, but then the bulk e-mailers are just going to counteract. It's a
war is what it is. That's why the software is so expensive."
Playing by the law
Even amid the spam war, Shiels said, he went out of his
way to comply with the various antispam laws.
"Legal" spamming was more time consuming, he said, because it required him
to obey all requests to stop sending spam. But it didn't reduce the amount
of money he received.
At the end of each e-mail message, he included a link to an address
customers could e-mail if they want to be removed from the database. Some
state laws require such options.
Shiels maintained hundreds of e-mail accounts that received the removal
requests. Some spammers, he said, use the removal requests as proof that
those addresses reach real people and increase the spam. But Shiels entered
each address into his database for removal.
"It gets filtered down to finally where you'd have to get new e-mail
addresses," Shiels said.
And he also avoided sending misleading subject lines, a violation of some
states' laws, including the one being considered in Oregon. Some spammers
send messages with such titles as "Hey, I haven't heard from you in a
while," even though the message advertises Viagra or pornography. But
Shiels alluded to the product in every subject line. For example, a Viagra
e-mail would carry a title such as "Make her happy, she'll love you forever."
Shiels knew that if a subject line included the word "viagra," a filter
would quickly block the e-mail or the recipient wouldn't open it.
"I tried to be creative -- ads that related to the product without
divulging the product," Shiels said.
He designed many of the e-mail messages, drawing on his Web development
background, though some of the companies requested he send their templates.
His e-mail sending software cycled through about 30 subject lines and about
20 message designs for each product.
Lawmakers continue to pursue legislation that would make it more difficult
for spammers to do their jobs. But Shiels doesn't think they would have had
any effect on him.
The Oregon bill would prohibit spammers from forging their e-mail
addresses, which Shiels never did. It also would forbid deceptive subject
lines, which Shiels never used.
It does require spammers to begin subject lines with the "ADV:" code, but
Shiels doesn't think that law would be enforceable unless he had any way of
knowing the recipient is in Oregon. And critics say the law allows people
to sue spammers who don't use ADV: only for as much as $10, so some critics
say the law would bring little action.
Canning the spam
Once the software was set up and he began to perfect his
game of dodge-the-filter, Shiels was making a comfortable living with spam,
though the work was tough.
"I would say it's the hardest thing I ever tried to do," Shiels said.
"Becoming a cop, that's instinctive. That's knowledge, and if you don't
have some of the natural instincts, you're not going to pull it off. But
this is an ever-changing evolutionary problem."
And he knew that if he added more computers and software, he could make
even more than $1,000 a week. Other members of the spam club told him that
they made upward of $10,000 a week, he said.
But he couldn't ignore the hundreds of daily e-mail messages that came into
his e-mail accounts. Unlike the ones he sent, these were quite personalized.
The messages were filled with expletives, and some even threatened his
life, he said. One man obtained his phone number and called, threatening
legal action about five times, Shiels said.
"There's people who sit in their basements and have nothing better to do
than get all upset about spam," Shiels said.
Still, he couldn't ignore them. In fact, they helped sway him out of the
business.
"I realized I didn't like to sell anything that nobody wants or needs or
despises," he said. "I started to realize people just hate this so much."
Shiels wanted to exit the spam world, and he discovered a perfect out.
A partner in his old Web development business also had dabbled in the
medical equipment sales business. Because of changes to some state laws,
defibrillator sales are on the rise.
So he created and began maintaining an e-commerce Web site,
www.defibworld.com, on which they sell the devices worldwide.
He realizes that he probably could spread the word of his site more quickly
by sending bulk e-mail, but he won't. Any spam mentioning his site, he
said, would result in complaints that would force his service provider to
shut it down. But he has other reasons for not using his spamming equipment.
"Bulk e-mail has the stigma of being trash," he said. "That I don't want to
associate with a legitimate business."
Jeffrey Kosseff: 503-294-7605; jeffkosseff(_at_)news(_dot_)oregonian(_dot_)com
Copyright 2003 Oregon Live. All Rights Reserved.
---[snip]----
---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research(_at_)solidmatrix(_dot_)com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg