A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams

� May 2005 | Main | July 2005 �

June 30, 2005

Unsubscribe spoof hits publisher

Subscribers to an email newsletter from Reed Information's Broadcasting & Cable got a scare this morning.

A message arrived apparently from the company warning of a "serious security breach in its email publishing system. It is quite possible that if you remain subscribed to this list your personal information will be exposed to criminal use."

The message suggested recipients click a link, hosted at broadcastingcable.com, to unsubscribe.

Broadcasting & Cable publisher Chuck Bolkcom promptly sent out a message to the list, assuring customers that B&C "has not suffered any security breach and subscribers' personal information is not at any risk."

The notice was also posted on the B&C web site.

So maybe B&C didn't suffer a security breach. But somewhere along the line the security of the B&C mailing list was compromised.

The headers of the spoofed message reveal it originated from mta.email.reedbusiness.com, which has an IP address of That IP belongs to DoubleClick, which apparently handles outbound email for Reed Business and other companies via FloNetwork, an email marketing firm it acquired in 2001.

So, was B&C's Bolkcom suggesting that something fishy happened at DoubleClick's end?

Then again, maybe it was an inside job -- a disgruntled B&C employee? In any case, B&C says it "intends to pursue appropriate criminal charges and other legal remedies against the perpetrator of this malicious act."

Posted by Brian at 1:14 PM

June 28, 2005

Rizler's case now criminal

A U.S. District Court judge in Minnesota has ordered that an arrest warrant be issued for fugitive Christopher William Smith ("Rizler").

Judge Michael J. Davis ordered that U.S. Marshals arrest Smith so that he can face criminal contempt charges. A hearing has been scheduled for July 6 in the U.S. Courthouse in Minneapolis.

According to an FBI affidavit, Smith fled to the Dominican Republic last month in part so that he could escape facing criminal charges.

US Marshalls office in Santo Domingo We shall see how that strategy works out.

UPDATE: Do you suppose Smith knows that the U.S. Marhsals Service has a field office in Santo Domingo (pictured)?

Posted by Brian at 4:53 PM | Comments (4)

Drug spam kings on the lam

Chris Why is so hard to control the spam problem through laws? Maybe its because some spammers are outlaws, pure and simple.

Consider this new twist in the case of two die-hard spam kings who have illegally fled the country to launch a new Internet pharmacy business.

On June 24, the U.S. Attorney's office in Minnesota filed a motion asking a federal court to hold Christopher William Smith, a Minnesota spammer and online pharmacy operator, along with an associate, Florida spammer Creaghan Harry, in civil contempt of court.

According to court papers, Smith (aka Rizler) used an illegal or fake passport to leave the country in late May, shortly after a May 20 court-ordered shutdown of his company, Xpress Pharmacy Direct. (Judging by this anonymously created site, Smith was quite handy at creating fake documents.)

Smith is now believed to be in the Dominican Republic setting up a new online pharmacy. Authorities allege that Smith has managed to illegally tap into some of the more than $18 million in court-frozen bank funds and other assets to finance the operation.

The government claims that Harry is a long-term friend and associate of Smith and served as a groomsman at his wedding. Over a four-month period in late 2004, Harry received more than $2 million in commissions from Smith for drug sales generated by Harry's Dominican Republic-based telemarketing call center, according to the feds.

Prosecutors say that Harry is now operating at least one of Smith's online drugstores (mypillsrefills.com) shut down by the court order. Harry is also telemarketing to former Xpress Pharmacy Direct customers, likely using a database of 100,000 customer records provided by Smith in violation of a May 15 temporary restraining order.

Harry's company goes by names including "American's Best," "Med Sources," and "Online Pharmacy" and he uses the toll-free number 800-487-6217.

Harry recently settled a human growth hormone (HGH) spamming case with the Federal Trade Commission. Under the deal, Harry agreed not to make false or misleading statements in sales over the Internet.

In early June, Smith tried to have $300,000 in cash FedEx'ed to him from former employees, but the money was intercepted by federal authorities. Prosecutors believe Smith has arranged to have large sums of cash hand delivered to him in the Dominican Republic by various individuals, including his girlfriend.

Smith's accountant, Bruce Lieberman, allegedly has been trying to set up new credit card merchant accounts for Smith. Lieberman, a resident of New York, is also named as a defendant in the government's motion for a contempt ruling.

One legal expert said Smith's brazen flouting of the May 20 decree could backfire.

"Now, the judge and the government are highly motivated to find him and all of his money, not just the stray pennies lying around in US banks," said the lawyer, who asked not to be identified.

Posted by Brian at 11:58 AM | Comments (7)

June 23, 2005

SpyKiller shut down over bogus claims

sk_screencap.gifThe Federal Trade Commission has busted another spyware company. A Houston, Texas firm called Swanksoft aka TrustSoft and its owner Danilo Ladendorf have been hit with a stipulated preliminary injunction order issued by a U.S. District Court judge.

The FTC alleges that a trial version of the company's SpyKiller program fraudulently claimed to find spyware that wasn't really on users' PCs. The false positives were designed to goad users into "unlocking" the program so that it could remove the phantom spyware, according to the FTC.

The company also operated an affiliate marketing program called KillerCash that relied on spamming and deceptive ads, says the FTC. Here's a nasty pop-up window (animated GIF), served from the KillerCash.com site, that apparently was used by affiliates to trick people into thinking they were infected with spyware. And here's another.

The company has removed SpyKiller from its site, but promises on an online message board that a new version is coming in July. (The deceptive version of SpyKiller is still available at Download.com.)

SwankSoft apparently got started in 1999 with a product called HistoryKill, which download.com generously awarded a 5-star rating. (SpyKiller got a 1-star rating from Adware Report.)

The FTC is seeking a permanent ban on the defendants' deceptive claims and will ask the court to order consumer redress.

Last month, the agency also shut down a company that made a rogue spyware application.

Posted by Brian at 6:20 PM | Comments (1)

June 22, 2005

AOL also an abuse@ renegade

OK, so Microsoft isn't the only 800-pound gorilla that's stopped offering an industry-standard abuse@domain alias for reporting spam.

Around March of 2000, America Online abandoned abuse@aol.com as its spam reporting address and replaced it with TOSEmail1@aol.com. According to AOL, it made the changes "in order to serve the Internet community with increased efficiency and speed."

(For some reason, AOL decided it was efficient and speedy to stick with abuse@compuserve.com and abuse@CS.com.)

Not exactly RFC 2142-compliant, but at least AOL enables you to report spam via email. By contrast, Microsoft.com now insists that you use a general purpose web form.

Fortunately, the companies atop the Spamhaus list of the biggest spam havens all seem to maintain the standard abuse@domain alias. (Whether they take action on spam reports sent there is another matter.)

When in doubt, you can always query the Abuse.net contact database to look up the spam reporting address for a domain. Then again, Abuse.net is still erroneously showing abuse@microsoft.com and abuse@aol.com as valid contacts.

UPDATE: John Levine of Abuse.net informs me that, contrary to the AOL Postmaster Info page hyperlinked above, AOL's postmaster is quite happy to receive spam reports at abuse@aol.com.

As for Microsoft's retirement of abuse@microsoft.com, John says, "Since 99.9% of MS spam comes from Hotmail, and the other 0.1% comes from Listbuilder, both of which have their own abuse addresses, it hardly matters."

Posted by Brian at 9:50 PM | Comments (1)

June 21, 2005

Microsoft retiring abuse@microsoft.com

Reporting spam is a thankless job. But the Internet's founders nonetheless wanted to encourage the practice. So, in a protocol known as RFC 2142, they dictated that domain holders must create a mailbox named abuse@domain.com.

The idea was to facilitate reports of spam or other network abuse, without requiring Internet users to search for contact addresses or otherwise jump through hoops.

In a rather shocking violation of Internet etiquette, Microsoft has decided to stop accepting mail to abuse@microsoft.com. Messages to that address currently generate the following auto-reply:

Thank you for contacting Microsoft. Your e-mail will be handled by a Customer Service Representative within approximately 24 hours.Please note that the e-mail address you have contacted, "abuse@microsoft.com" will be retired on April 29, 2005. In the future, please visit http://www.microsoft.com/contactus to contact Microsoft.

OK, so maybe Microsoft has devised a better, if non-standard way to report spam coming from its networks. Wrong. The Contact Us page at Microsoft.com contains no information on the subject of reporting abuse whatsoever.

Ironically, a section of Microsoft's site devoted to email fraud and phishing still recommends that Internet users report suspicious messages to abuse@microsoft.com.

Microsoft's move has landed it on a blacklist maintained at RFC-Ignorant.org, a site that calls itself a "clearinghouse for sites who think that the rules of the internet don't apply to them."

A detailed discussion of why "abuse@domain" accounts are essential is available here.

UPDATE: The aliases abuse@hotmail.com and abuse@msn.com are apparently not scheduled for retirement.

Posted by Brian at 10:30 AM | Comments (2)

June 16, 2005

Bulletproof spam domains from Australia

primus.jpg Levon Gillespie ... spam lawsuit defendant, spam hoster, SpamForum.biz operator, ROKSO denizen ... and ICANN accredited domain name registrar?

Well, not exactly. Seems that U.S.-based Gillespie has signed up as a reseller for PlanetDomain, a division of Autralia's Primus Telecom.

Gillespie recently introduced his latest "bulletproof" enterprise, cheapBPdomains.com, in an email to fellow spammers. He promised that "bulk email marketing domains" registered through his site "won't be pulled for your marketing efforts."

I wonder if he's offering a service-level agreement to back that promise. Maybe he's feeling confident because there's no mention of spam or unsolicited commercial email in Primus' re-seller agreement. Then again, there have been lots of complaints about his hosting company, cheapBPhosting.com, not being real bulletproof.

Guess that explains why Gillespie is using Primus to host his new domain registration site?

Anyway, moments after he announced the new business last week, the IP address for Gillespie's cheapBPdomains.com ( ) was placed on the Spamhaus Block List (SBL).

The collateral damage? 192 sites share that same blacklisted IP, many of them owned by Primus, including PlanetDomain.com.

Posted by Brian at 11:21 PM | Comments (4)

Spam Kings in Japanese

SK-japan.jpgO'Reilly Media has just published a Japanese edition of Spam Kings.

Check out the cover ... I got a chuckle from the "Spy versus Spy" motif.

Japan is not home to any major spam kings, but the country does have several Internet service providers with spammy reputations. And Internet users in Japan certainly receive a heavy bolus of junk email -- much of it in English.

It's gotten so bad that the Japanese government finally is starting to crack down on domestic spam operations.

If you read Japanese, or are curious what Spam Kings looks like in Japanese, the preface is available for download.

Posted by Brian at 9:48 AM

June 15, 2005

Did HGH spammer get off too easy?

Some people seem to believe that lawyers for Florida spam king Creaghan Harry (aka Carl Henderson) outfoxed the Federal Trade Commission.

But I think Mr. Harry's spam days are done, as a result of the FTC's July 2004 lawsuit.

The settlement announced today between the FTC and the Boca Raton spammer requires him to pay $485,000 as redress for the estimated $5.97-million in consumer injury he caused. Operating as Hitech Marketing, Scientific Life Nutrition, and Rejuvenation Health Corp., Harry spammed herbal supplements touted to contain human growth hormone (HGH).

Thanks to a provision in Florida law that spammers and other criminals love, Harry, 37, gets to keep his $2.4-million, 6,000-square-foot mansion at 4430 Tranquility Drive in Boca. (Harry still has a $1,651,000 mortgage on the place.)

There are reports that the former New Jersey resident hid a lot of his money in banks in places like Latvia. All the FTC could scrounge up was about $270,000 in various U.S. banks. Harry has promised to pay the remaining $215,000 within six months.

Here's why I believe Harry's settlement is no cake walk.

Under the deal, he has agreed to several years of "compliance reporting" with the FTC. That means his businesses, which had been operating in the shadows, are now an open book to the government. For the next six years, he has to make all his business records (including employee records, customer lists, sales and profit data, etc.) available to the feds.

It's going to be awful hard to run a fraud under that kind of scrutiny.

Posted by Brian at 11:08 PM | Comments (15)

June 5, 2005

New chapter in Sex.com saga

You thought the tortured saga of the Sex.com domain was over?

Looks like there's a new chapter. Someone slipped a fake news story about Gary Kremen, the owner of Sex.com, over the PR Web newswire on Saturday.

The faux story reports that Kremen has been arrested for "child molestation and possession of heroin."

The same piece also was spammed to numerous Internet discussion groups in recent days. The Usenet version appeared on newsgroups including alt.music.pink-floyd, misc.invest.stocks, soc.culture.jewish, and misc.writing.screenplays.

Last Thursday, the hoaxster also managed to sneak a copy of the faux news article past the editor of the TELECOM Digest OnLine (comp.dcom.telecom).

The bogus story bears some resemblance to an actual news report, and even includes a phony quote from Kremen, in which he denies the charges but admits to a drug problem.

Telltale signs that the Usenet version of the article is a hoax: it doesn't reveal where it was originally published, let alone provide an URL to the original source. What's more, the author, "Nancy Howard," posted it to Usenet using an open proxy.

I e-mailed Kremen to ask him whether he suspected Stephen Cohen was behind the hoax. Cohen was the man who battled Kremen over Sex.com.

Kremen's reply: "Very likely."

Kremen added that incident showed "how online technology allows anyone to broadcast anything with no filters!"

Posted by Brian at 11:12 PM

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.

All trademarks and registered trademarks appearing on spamkings.oreilly.com are the property of their respective owners.

O'Reilly Home | Privacy Policy

© 2004 O'Reilly Media, Inc.
For assistance with this site, email: