A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams


August 30, 2005

Gmail accounts and spammers

Google's Gmail service is still in beta but the company has opened up Gmail to all-comers as of August 29. Which naturally raises the issue of whether spammers will try to sign up for lots of accounts and use them to send spam.

In the past, spammers have used what they call "internal mailers" or "netmailers" to target users of webmail systems like Yahoo and Hotmail via accounts on those systems. Spammers also use these accounts to take advantage of their "whitelisted" status with other networks; there have been occasions when huge blasts of spam emanate from services such as Hotmail. And, of course, spammers like to have lots of Webmail addresses as drop-boxes for their domain registrations, opt-out systems, ordering, etc.

Google has some tricks for preventing spammers from signing up for thousands of Gmail accounts. First, there's a "captcha" image on the sign-up page, to separate the humans from the sign-up robots. Second, when you sign up, Google sends you a unique activation code -- via SMS text message -- to a cellphone number you provide. You must use this code and the phone number to open a new account.

This extra hurdle is likely to make spammers look elsewhere for mass quantities of webmail addresses. But there's still one thing about Gmail that may tempt spammers.

Gmail does not include the sender's Internet protocol (IP) address in outgoing email message headers. The only IP stamped on the email is Google's own (e.g., rproxy.gmail.com, 64.233.170.193). (This is reportedly still an issue with some Hotmail accounts, too.) Fingers crossed that Gmail has some other secret weapons to prevent spammers from abusing their anonymity.
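The point above, that a message relayed through a webmail service carries only the service's relay address and not the submitting user's, can be checked mechanically by walking the Received: chain. The following is an added example, not code from the post: it parses two constructed messages (hostnames other than rproxy.gmail.com are invented; 64.233.170.193 is the relay IP named in the post) and reports the earliest non-internal hop, noting when that hop is a known webmail relay rather than the sending host.

```python
import email
import ipaddress
import re

# Bracketed literal IPs as they appear in Received: clauses, e.g. "(host [64.233.170.193])".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops inside these ranges belong to the receiving site's own infrastructure, not the sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption for this example: relays known to belong to a webmail service. Only the
# Gmail entry comes from the post; in practice this would be a maintained list.
WEBMAIL_RELAYS = {"64.233.170.193": "rproxy.gmail.com"}

# Constructed sample headers (not real mail). Hostnames other than rproxy.gmail.com are invented.
GMAIL_SAMPLE = """\
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.193])
\tby mx.example.test with ESMTP id abc123
\tfor <victim@example.test>; Tue, 30 Aug 2005 17:00:00 -0400
Received: by rproxy.gmail.com with SMTP id s12345
\tfor <victim@example.test>; Tue, 30 Aug 2005 16:59:58 -0400
From: someone@gmail.com
To: victim@example.test
Subject: hello

body
"""

# Constructed contrast: a message submitted from a home machine through an ISP relay.
ISP_SAMPLE = """\
Received: from smtp.isp.test (smtp.isp.test [203.0.113.25])
\tby mx.example.test with ESMTP id def456
\tfor <victim@example.test>; Tue, 30 Aug 2005 17:00:00 -0400
Received: from home-pc (cpe-198-51-100-7.isp.test [198.51.100.7])
\tby smtp.isp.test with ESMTP id ghi789; Tue, 30 Aug 2005 16:59:50 -0400
From: someone@isp.test
To: victim@example.test
Subject: hello

body
"""


def received_ips(raw):
    """Return the literal IPs found in Received: headers, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        ips.extend(BRACKETED_IP.findall(value))
    return ips


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def originating_hop(raw):
    """Walk the chain from the oldest hop upward and report the first non-internal IP.

    Returns (ip, webmail_relay_name_or_None). When the IP is a webmail relay, the
    submitting client's address was never recorded, which is the point of the post.
    """
    for ip in reversed(received_ips(raw)):
        if not is_internal(ip):
            return ip, WEBMAIL_RELAYS.get(ip)
    return None, None


def describe(raw):
    ip, relay = originating_hop(raw)
    if ip is None:
        return "no usable originating IP"
    if relay:
        return f"earliest public hop {ip} is webmail relay {relay}; submitting client IP not recorded"
    return f"earliest public hop {ip} looks like the sending host"


if __name__ == "__main__":
    print(describe(GMAIL_SAMPLE))
    print(describe(ISP_SAMPLE))
```

For an abuse desk this is the difference between a complaint that can be forwarded to the originating network and one that can only be forwarded to the webmail provider.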

Posted by Brian at 5:13 PM | Comments (2)

August 28, 2005

Rizler pleads not guilty

As I expected, former spam-king (turned online drug-lord) Christopher Smith ("Rizler") has pleaded NOT guilty Friday to the slew of charges against him, which include conspiracy to distribute controlled substances, wire fraud, selling misbranded drugs and money laundering.

Smith will await trial in a halfway house and must wear an electronic monitoring device -- the same kind of ankle bracelet sported by Martha Stewart. (Prosecutors had wanted Smith jailed instead, to prevent another fugitive incident.)

The trial may not take place for months. Smith's attorney says he needs to conduct hundreds of interviews to prepare a defense. Meanwhile, the prosecution will be sifting through evidence and compiling its case.

Among the evidence listed in court records is a boatload of computer files and other data seized from Internet service providers who sold web hosting to Smith. For example, a server (IP address 216.127.66.111) confiscated from Everyones Internet, Inc. of Houston, Texas; and three servers (IP addresses 69.93.204.68, 69.93.243.74, and 69.93.142.170) confiscated from The Planet Internet Services of Dallas.

Also seized via search warrants was data from Ohio-based Jumpline.com, which hosted numerous Smith drug sites, including rxorderfill.com (IP 66.84.51.222), digihealthcorp.net (IP 66.84.51.222), supremeproductsltd.com (IP 66.84.51.222), digihealthcorp.com (IP 66.84.10.71), samedaypayday.com (IP 66.84.10.71), licensedrx.com (IP 66.84.10.71), receiverx.com (IP 66.84.10.71), and netmeds.com.

While the government is looking to tighten the screws on Smith, it won't be going after his friend and fellow spammer Harry Creaghan after all. On July 13, the warrant for Creaghan's arrest was revoked and contempt charges against him were dropped.

Posted by Brian at 10:21 PM

August 24, 2005

Drug dealer Rizler indicted

A federal grand jury laid charges on Minnesota spam king Christopher Smith ("Rizler") today.

Smith, 25, was charged with conspiracy to distribute controlled substances, wire fraud, selling misbranded drugs, and money laundering.

The charges stem from an illegal Internet pharmacy business run by Smith that was shut down by the feds in May.

Smith was arrested this morning at his home in Prior Lake, Minnesota and is being held without bond.

Two of Smith's accomplices -- including a doctor in New Jersey and an accountant in New York -- were also indicted.

The AP recently published a story with more background on the case.

Besides millions in cash and cars, Smith owned a couple nice houses, including this one in Burnsville, MN -- all of which were seized by the feds.

Smith will be arraigned Friday, which means he'll have to tell the court whether he's guilty or not. Based on his previous bizarre behavior in this case, I wouldn't be surprised if Smith pleads not guilty to all of the charges. (AP photo)

Posted by Brian at 10:34 PM | Comments (4)

August 22, 2005

Spamware vendor in AOL's back yard

Should there be a law against selling software that aids and abets spammers?

Some of the most common programs for sending spam have their roots in Russia. For example, Send-Safe and Dark Mailer. But Light Speed Marketing Inc. (aka LightSpeed Marketing Corporation), a developer of popular spamware, is headquartered in Centreville, Virginia -- just 12 miles from AOL's headquarters in Dulles!

Light Speed's web site is currently sanitized of any incriminating information. But this archived copy of the site from 2000 gives you some idea what they were selling. The company started being more discreet after it was kicked off several Internet service providers and gained a listing in ROKSO, the Spamhaus.org Register of Known Spam Operations.

Today, information about the company's full line of spamware is available by email. Here's what Dave Patton, the president of Light Speed, has to say about some of the products:

Nexus mailer ($12,000):

- "Do you want to get rid of Spam Cop complainers and the like? Answer: You need Nexus!"

- MX Lock technology. "The technology locates registered mail servers that blocked or unblocked proxies alike can utilize to send your mail."

- "AUTOMATIC DOMAIN BLACK LISTING DETECTION AND REMOVAL"

- "Message Noise" - "This noise will not be seen by the end user, it is only seen by the message filters. This is a very powerful feature and makes foot printing the message impossible."

- Remote Module - "The remote module can be password protected and minimized to the tray and the icon is set to look like something harmless. Therefore, someone looking at the machine will not be able to detect the remote."

- Features "WORD MORPHING." Automatically changes words like Viagra to Vi$agra or Mortgage to Mortg%age.

etc.
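The "word morphing" feature quoted above exists to defeat filters that match keywords literally. The defender's answer is to normalise tokens before matching. The following is an added example, not code from the post or from any filtering product: it takes the two morphings the post mentions (Vi$agra, Mortg%age) and generalises to look-alike substitutions and letter spacing, flagging any token whose plausible de-obfuscations hit a watched keyword. The keyword list and the look-alike table are assumptions for the example.

```python
import re

# Sample keywords drawn from the post; a real filter would use a much larger list.
KEYWORDS = {"viagra", "mortgage"}

# Assumption: common look-alike substitutions used in place of letters.
LOOKALIKES = {"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "|": "l", "!": "i"}

PUNCT = ".,;:!?()\"'"


def collapse_spaced(text):
    """Join runs of single letters separated by spaces ("v i a g r a" -> "viagra")."""
    return re.sub(r"\b(?:[A-Za-z] ){2,}[A-Za-z]\b",
                  lambda m: m.group(0).replace(" ", ""), text)


def candidates(token):
    """Plausible de-obfuscations of one token: drop inserted symbols, map look-alikes, or both."""
    low = token.lower()
    mapped = "".join(LOOKALIKES.get(ch, ch) for ch in low)
    return {
        low,
        re.sub(r"[^a-z]", "", low),      # "vi$agra" -> "viagra", "mortg%age" -> "mortgage"
        mapped,                          # "v1agra"  -> "viagra"
        re.sub(r"[^a-z]", "", mapped),
    }


def morphed_keywords(text):
    """Return (token, keyword) pairs for tokens that normalise to a watched keyword."""
    hits = []
    for token in collapse_spaced(text).split():
        token = token.strip(PUNCT)
        if not token:
            continue
        match = next((k for k in candidates(token) if k in KEYWORDS), None)
        if match:
            hits.append((token, match))
    return hits


def is_suspect(text):
    """Coarse verdict: does the text contain any morphed or plain watched keyword?"""
    return bool(morphed_keywords(text))


if __name__ == "__main__":
    for line in ("Cheap Vi$agra and low Mortg%age rates!", "Order v i a g r a now", "Please visit our site"):
        print(line, "->", morphed_keywords(line))
```

Trying several normalisations rather than one matters: "Vi$agra" only becomes "viagra" if the symbol is deleted, while "V1agra" only becomes "viagra" if the symbol is mapped, so a filter that applies a single rule misses one of them.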

ProxyScanner ($2,000)

- "New ultra fast stealth scanning technology that is literally over 100 times as fast as any previous Lightspeed scanning product. This scanning technology is much less detectable also."

- HONEYPOT Spam Trap detection. "Normal Proxies do not add anything to the EMAIL headers before they deliver the email. Honeypots on the other hand add your IP address, your Resolved Name, or both to the EMAIL headers before they deliver the email. This is obviously a nightmare for the bulk mailer."

etc.

Cybershark - Advanced Superfast CGI based mailer ($10,000)

- "Sends email from 3rd party UNIX or LINUX based servers."
- "No trace of the mailer is ever left on the site."
- "This is truly a walk away mailer, start it off and go to the beach."

etc.

Address Miner Platinum ($3,000)

- "Now anyone can collect addresses anonymously"
- "Checks each domain to verify that addresses can be collected from the domain."
- "All Addresses collected are 100% Verified"

etc.

Those prices may look quite steep, but according to its PayPal record, Light Speed has over 190 Verified Buyers since 2000.

Light Speed's software purchase agreement mentions that the use of the above products may cause the spammer to lose his Internet account and receive "unwanted, vulgar replies" to his spams. But neither that document nor the company's license agreement points out that using the products probably also constitutes a violation of state and federal laws in the USA.

Which brings us to our Kazaa-like question: should it be a crime to sell software that enables users to commit crimes?

UPDATE: I have just been informed that under the Virginia Computer Crimes Act, in effect since 1999, selling Nexus and similar header-forging and IP-cloaking spamware programs is illegal. The law says someone is guilty of a Class 1 misdemeanor if he or she sells software that is "primarily designed or produced for the purpose of facilitating or enabling the falsification of electronic mail transmission information or other routing information."

Posted by Brian at 3:39 PM | Comments (14)

August 18, 2005

Bulletproof spammer under attack

It's not exactly major news when a web site for spammers goes offline. Usually it's the result of an Internet service provider responding to complaints from anti-spammers. (Such scuffles between spammers and "antis" are chronicled in Spam Kings.)

But this time, the recent disappearance of SpamForum.biz and Cheapbulletproof.com, along with more than a dozen other sites connected to Levon Gillespie, seems to be the work of spammer infighting.

You may recall that Gillespie is the spammer who owes Microsoft $1.4M from a 2004 spam lawsuit. (Gillespie is currently ranked the world's 10th-largest spammer by Spamhaus.org.)

The summer didn't get off to an auspicious start for the 22-year-old Gillespie. He was arrested in Los Angeles in June for drunk driving and possession of marijuana. Sources say that Gillespie, a former resident of Tustin, California, has since moved to Florida.

Then, earlier this month, an anonymous person told me over AIM that he had hacked into many of Gillespie's accounts, including his Hotmail, AIM, and domain accounts. As proof, the attacker provided several screen shots of what appeared to be Gillespie's domain reseller account at PlanetDomain.com.

The attacker, apparently a disgruntled former business associate, said he was targeting Gillespie in retaliation for a $1,000 debt that Gillespie failed to pay.

Visitors to Gillespie's SpamForum.biz site today encounter the message, "This account has been suspended."

At least twenty other domains controlled by Gillespie have also gone offline. Besides two sites for his "bulletproof" hosting business -- Cheapbulletproof.com and Cheapbphosting.com -- the domain Ganshost.com was also an apparent victim of the attack. That's the corporate site of Amir Gans, an Israeli spammer recently sued by Microsoft. (Gans, who has publicly denied being a spammer, appears to be a customer of Gillespie's domain registration service.)

Also hit was Revolutionmailer.com, the home page of a spamware program that bears a striking resemblance to a program called Send-Safe. Other domains that bit the dust include Internetecash.biz, the home of a commission-based spam affiliate program, as well as virbatingsextoys.com and pornauthority.net.

It's not clear whether some of these sites may have been shut down by the registrar or the hosting provider. But the contact email address on many of the domains -- which was recently changed to haha@haha.com -- suggests the mystery hacker may be to blame.

Posted by Brian at 12:24 PM | Comments (17)

August 17, 2005

Smathers sentenced

The former AOL employee who stole the online service's member database and sold it to spammers has been sentenced to 15 months in prison.

A contrite Jason Smathers reportedly said in a letter to the court, "Cyberspace is a new and strange place. I was good at navigating in that frontier and I became an outlaw."

Restitution is still to be decided by U.S. District Court Judge Alvin Hellerstein. AOL claims it lost $400,000 as a result of Smathers' crime. The judge has suggested a more appropriate figure is $84,000.

The judge seemed to miss one key point. Smathers' actions basically opened the spam floodgates at AOL for years to come. Once those addresses are circulating in the spammer underground, you can't get them back. It's like trying to put toothpaste back into the tube.

Spam Kings readers know that Davis Hawke and Brad Bournival were among the spammers who purchased copies of the AOL database. (Hawke also attempted to sell the data to other spammers.) Bournival went on to play a key role as an informant in the government's case.

Smathers will report to the minimum-security prison in Pensacola, Florida to begin his sentence on September 19.

The facility, which has reportedly been referred to as a Club Fed, features "a great exercise room, and boasts bocce ball and pool tables," according to one report.

But it's still pretty Spartan, according to one account: "Inmates must wear institutional green pants and numbered shirts and work boots. They share communal toilets and showers. Their three meals a day consist of food that costs the government $2.60 a day per inmate."

Posted by Brian at 2:57 PM

August 16, 2005

Blue Frog and the blurry hash


I'm all in favor of creative solutions to the spam problem, but I have some serious concerns about the privacy protection features in an anti-spam system from Blue Security.

Blue Security has created what it calls a Do Not Intrude Registry -- an encrypted database of email addresses of Internet users who've signed up to use the free service.

Blue Security's system was launched despite (or perhaps because of) a June 2004 decision by the Federal Trade Commission not to implement a national do-not-email registry. (A team of eminent computer scientists advised the FTC that such databases present serious practical and technical problems.)

Under the Blue Security system, spammers are supposed to scrub their mailing lists using a free program provided by Blue Security. Doing so produces a list of "protected" email addresses -- presumably those of Blue Frog users who are on both the spammer's list and the Blue Security list of users who've asked to have their emails protected by the service.

If a spammer sends junk email to any of those addresses and fails to heed warnings, the system is designed to retaliate by flooding the spammer's online order forms with complaints (a concept Blue Security calls "revenue loss induction").

The ethics of such fight-abuse-with-abuse retaliation are a worthy topic of debate in their own right. But my concerns resulted when I decided to test out Blue Security's list-cleaning system.

I tried running the cleaner against a list composed of spammer email addresses. To my surprise, a large number of the addresses appeared in the "protected" list created by Blue Security's list-cleaning program.

Next, I tried cleaning a mailing list I obtained from spammers. Before running the Blue Security program, I "munged" some of the addresses, changing the letter "i" to the letter "y". Hence, addresses ending in earthlink.net became earthlynk.net; adelphia.net became adelphya.net; ucdavis.edu became ucdavys.edu, etc.

Again, several of these non-existent addresses showed up in the list of those "protected" by Blue Security.

I asked Blue Security for an explanation. The company's marketing director said that the system is designed to generate some "fake entries" in an effort to protect the privacy of users. The company calls this approach "blurry hashing," a concept it explains in more detail in this whitepaper.

I leave it up to better minds to decide whether Blue Security's technology is an elegant solution to the problems that befuddled the FTC's expert panel (which included Professors Ed Felten, Avi Rubin, and Matthew Bishop).

But I can say that this built in "noise" in Blue Security's list-cleaning registry is going to give it an air of unreliability with spammers. As the company's white paper explains:

When a spammer notices that an e-mail address has been deleted from his list, he has no way of knowing if it was filtered because it was a legitimate user's e-mail address or if it matched one of the random entries in the blurry hashed Registry.

Blue Security says there is a 1/5000 probability that an address will be considered protected even though it is not in the registry. My tests suggest the probability is much greater -- more like 1/1000. So, if a spammer "cleans" a list of 10M addresses using the system, 10,000 will be erroneously flagged as protected.
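To make the trade-off concrete, here is an added example (my own construction, not Blue Security's scheme or code, and not the whitepaper's design): a registry that stores only short hash prefixes of protected addresses. Any prefix-length choice gives the property the post describes, that non-member addresses are sometimes flagged as protected and a spammer cannot tell a real deletion from a collision, and the prefix length sets the false-positive rate. The code then repeats the munging test from the post (earthlink.net to earthlynk.net, adelphia.net to adelphya.net) on constructed, non-existent addresses and computes the erroneous-flag count for a 10M-address list at the two rates quoted above.

```python
import hashlib


class BlurryRegistry:
    """Assumed, simplified stand-in for a 'blurry hashed' registry.

    Protected addresses are stored only as the top `bits` bits of their SHA-256
    digest. A non-member address whose prefix happens to collide with a stored
    one is reported as protected; roughly len(prefixes) / 2**bits of random
    non-members collide. Shorter prefixes mean more privacy and more noise.
    """

    def __init__(self, addresses, bits=16):
        self.bits = bits
        self.prefixes = {self._prefix(a) for a in addresses}

    def _prefix(self, address):
        digest = hashlib.sha256(address.strip().lower().encode()).digest()
        return int.from_bytes(digest, "big") >> (256 - self.bits)

    def is_protected(self, address):
        return self._prefix(address) in self.prefixes

    def false_positive_probability(self):
        """Chance that an address not in the registry is flagged anyway."""
        return len(self.prefixes) / 2 ** self.bits


def clean_list(registry, mailing_list):
    """Split a mailing list into (kept, flagged_as_protected), as a list cleaner would."""
    kept, flagged = [], []
    for addr in mailing_list:
        (flagged if registry.is_protected(addr) else kept).append(addr)
    return kept, flagged


def munge(address):
    """The post's test: turn the domain's 'i' into 'y' to make a non-existent address."""
    local, _, domain = address.partition("@")
    return f"{local}@{domain.replace('i', 'y')}"


def expected_false_flags(list_size, fp_probability):
    """Erroneously 'protected' addresses expected when cleaning a list of list_size."""
    return round(list_size * fp_probability)


def demo():
    """Constructed data: 1000 protected users, 20000 munged non-existent addresses."""
    protected = [f"user{i}@earthlink.net" for i in range(1000)]
    registry = BlurryRegistry(protected, bits=16)
    nonmembers = [munge(f"reader{i}@adelphia.net") for i in range(20000)]
    _, flagged = clean_list(registry, nonmembers)
    return len(flagged)


if __name__ == "__main__":
    print("10M list at 1/5000:", expected_false_flags(10_000_000, 1 / 5000))
    print("10M list at 1/1000:", expected_false_flags(10_000_000, 1 / 1000))
    print("munged non-existent addresses flagged in demo:", demo())
```

With 1000 entries and 16-bit prefixes the model's nominal rate is about 1/65, far noisier than either figure in the post, so the demo flags a few hundred of the 20000 fabricated addresses; the exact count depends on which prefixes collide. Running the cleaner over addresses known not to exist, as the post did, measures the real rate directly, which is why a "blurry" registry cannot hide its noise level from anyone who bothers to test it.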

Is it reasonable to expect spammers to use the Blue Security registry when the removal system isn't completely accurate?

Posted by Brian at 12:23 PM | Comments (9)

August 13, 2005

"Reformed" Richter still blacklisted

By now, everyone knows that former spam king Scott Richter is reformed and no longer sends junk email to people who don't want it. But apparently the news hasn't yet made it to Irkutsk, the tongue-in-cheek home of the mysterious Spews.org blacklist.

Huge swaths of Internet protocol (IP) addresses owned and operated by Richter and his company OptInRealBig.com (listed here and here) remain on the Spews blacklist, even after Richter has settled his lawsuit from Microsoft and been removed from the Spamhaus roster of the world's biggest spammers.

As a result, any Internet service provider or email administrator who subscribes to the free Spews list will automatically reject any emails sent from the blacklisted IP addresses.

Among Richter's IP addresses on the Spews blacklist is 69.6.27.4, which is used by Richter's two primary corporate sites, Optinbig.com and Optinrealbig.com.

Another IP address on the block list is 69.6.27.20, which is the home of EasyCream.com, a "cellulite removal cream." Richter's Netfuncards.com site, at IP address 69.6.2.162, is also on the Spews blacklist.

Also blacklisted is IP address 69.6.27.3, home of Richter's cpaempire.com -- an email marketing affiliate program.
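The mechanism behind "will automatically reject any emails sent from the blacklisted IP addresses" is a lookup of the connecting client's IP against the list, either as CIDR ranges from a text copy or as a DNS query against a DNSBL zone. The following is an added example, not code from the post or from Spews: the block ranges are constructed for the example so that the four addresses named above fall inside them (they are not the real Spews listings), and the DNSBL zone name is a placeholder. It shows both the reversed-octet query name a mail server would build and the SMTP-time decision a subscriber would make.

```python
import ipaddress

# Constructed local block list, NOT the real SPEWS data: ranges chosen so the IPs
# mentioned in the post (69.6.27.4, 69.6.27.20, 69.6.27.3, 69.6.2.162) fall inside.
LOCAL_BLOCKLIST = [ipaddress.ip_network(c) for c in ("69.6.27.0/24", "69.6.2.128/25")]

# Placeholder zone name; a real subscriber would use the list's published DNSBL zone.
DNSBL_ZONE = "dnsbl.example.test"


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: octets reversed, then the zone (69.6.27.4 -> 4.27.6.69.zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listed_in(ip, blocklist=LOCAL_BLOCKLIST):
    """Return the CIDR the address falls in, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in blocklist if addr in net), None)


def smtp_decision(client_ip, blocklist=LOCAL_BLOCKLIST):
    """What a subscribing mail server answers at connection time."""
    net = listed_in(client_ip, blocklist)
    if net:
        return f"550 5.7.1 Connection from {client_ip} rejected: listed in {net}"
    return "220 OK"


if __name__ == "__main__":
    for ip in ("69.6.27.4", "69.6.27.20", "69.6.2.162", "69.6.27.3", "69.6.3.1"):
        print(ip, dnsbl_query_name(ip), "->", smtp_decision(ip))
```

The rejection happens before any message content is read, which is why a listing that covers a whole range blocks every host in it, spam source or not, until the list operator removes it.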

So who's right ... the anonymous operators of Spews, which was first launched in 2001, or Spamhaus?

Spamhaus said it removed Richter after his company's spams failed to land in Spamhaus' network of honeypot email addresses for several months.

But a review of OptinBig's privacy policy may persuade some people that Richter's company is far from squeaky clean.

When you sign up to use a "free" OptinBig service like Netfuncards.com, you are also agreeing to allow Optin to add your address to any of its many mailing lists. According to the policy, you'll also be subject to web beacons (aka web bugs) and tracking cookies. What's more, you agree to have your personal data sold or transferred to Richter's partners.

Now, it's easy to unsubscribe from OptIn mailings at the address unsubscribe@optinbig.com, but that doesn't get you off Optin's partners' lists. Once it has sold or traded away your personal information, Optin provides no assistance in protecting the privacy of that information.

The listing at Spews has to rankle Richter. As detailed in chapter 7 of Spam Kings, Richter was furious when initially added to Spews in December 2001. At one point, Richter seemed to make it his mission to try to unmask the operators of Spews. Some believe he was involved in a failed 2003 lawsuit against a number of anti-spammers -- litigation that apparently was designed to force the spam fighters into revealing who was behind Spews.

Some also have claimed that Richter was also involved in publishing photos of the condominium owned by Susan Gunn, a spamfighter who went by the nickname Shiksaa (who's also the heroine of Spam Kings), along with other personal information about her. The goal, they say, was to intimidate her into divulging information about Spews.

Hang on, it's not just Spews that's still blacklisting Richter. The venerable MAPS blacklist also has several blocks of Richter IPs blacklisted, which are detailed here.

Posted by Brian at 12:04 AM | Comments (2)

August 10, 2005

The mixed message from spam lawsuits

An editorial today says that Microsoft's recent $7-million settlement with spam king Scott Richter "sends a signal to email marketers."

Sure it does. Unfortunately, the outcome of that litigation, along with the AOL spammer's gold sweepstakes, arguably sends the wrong message -- to spammers, anyway.

To be sure, it's good for Microsoft and AOL to show vigilance about keeping spam out of member in-boxes. AOL in particular can use the sweepstakes stunt to draw attention to its measurable success in the spam wars. And Microsoft definitely deserves credit for its courtroom persistence against the crafty Richter legal team.

But when you parade a stack of gold bars, coins, and a loaded Hummer H2 in front of a spammer, it's like waving red meat in the face of a Rottweiler.

Hard core spammers today know that the business is full of risks. They are not especially deterred by news of multi-million dollar settlements or spammer booty giveaways. If anything, these developments simply confirm to them that spam is a potentially rewarding, if dangerous, profession.

From a spammer's perspective, even the most celebrated spam litigations often have ambiguous outcomes. Microsoft originally claimed that Richter caused $50 million in damages. In the end, Microsoft came away with a $7 million settlement. That's better than the settlement obtained by New York Attorney General Eliot Spitzer, who managed to take only $50,000 from Richter. Yet Richter's company OptInRealBig reportedly makes several million dollars per month.

My guess is that Scott Richter and his lawyer father Steve calculated that the $7M settlement was a reasonable price to pay for all the widespread (and ultimately positive) media OptinRealBig has received in recent days about its transformation into a law-abiding business.

As for AOL's giveaway of Brad Bournival's SUV and cash, AOL says it "serves as a message to anyone thinking of making a living sending spam to AOL members: AOL will find you and sue you. And AOL will do everything it can to make sure its members end up with any money you made as a spammer."

No doubt about it -- AOL knows how to hunt down and sue even the most stealthy spammers. But let's do the math. The total value of the Bournival sweepstakes is around $140,000. As I reported in Spam Kings, Bournival's company Amazing Internet Products was raking in at least that much every week during the summer of 2003. Sure, AOL may have cleaned out Bournival's stash. But it still hasn't caught up to his partner Davis Hawke, who owes AOL $12.8 million from an anti-spam judgment.

Anecdotal proof of how seriously AOL's sweepstakes is being taken by spammers: I talked to a couple spammers about it, and they didn't act worried that the same thing could happen to them. They just wanted to know how to enter the contest.

Posted by Brian at 10:52 AM

August 9, 2005

AOL Spammer's Gold Sweepstakes

I had a feeling this might happen. America Online is giving away a pile of booty it seized from spam king Brad Bournival, including $20,000 in gold bars, a 2003 Hummer H2 and $75,000 in cash.

The AOL Spammer's Gold Sweepstakes runs from August 10 through August 19. According to the official rules, the Grand Prize is the Hummer (approximate retail value, $45,000) plus $20,000 in gold bars and $65,000 in cash. AOL is also giving away one daily cash prize of $1,000 to entrants who answer a trivia question about online security and safety. (There's even a cheesy "Official AOL Spam Patrol" certificate for people who participate each day of the contest!)

Spam Kings readers know that Bournival bought the yellow Hummer in 2003 with the profits he made selling penis enlargement pills. Both he and partner Davis Hawke were fond of gold; Hawke preferred to bury his in the woods. While Bournival settled the March 2004 lawsuit from AOL earlier this year, Hawke is still on the lam, facing a $12.8M judgment.

AOL members can enter the sweepstakes at AOL Keyword: Spammer's Sweepstakes. Unlike the last time AOL did this (giving away a Porsche Boxster confiscated from a spammer), non-members can also get in on the action.

According to AOL, on one day alone in January 2004, Bournival triggered more than 100,000 complaints from AOL members.

What's Bournival up to now that he's out of the spam trade? He recently won the New Hampshire chess championship. And he claims he's making a pile of money playing online poker.

Posted by Brian at 11:21 PM | Comments (14)

August 5, 2005

Dateline tracks down a porn spammer

Interesting spam story on NBC's Dateline program this evening. Haven't seen a link to the video, but there's a text version of the report here.

The somewhat self-congratulatory "hidden camera investigation" chronicled how NBC tracked down a spam affiliate for a porn site called SpunkFarm.com. (Caution: that domain currently is a hornet's nest of pop-ups.)

NBC apparently was prompted to do the investigation after the affiliate, who turned out to be a man in Montreal named Jean Yves Cotes, sent some zoo spam to a woman in Texas who was offended.

Kudos to Dateline NBC and correspondent John Hockenberry for providing mainstream America with an appreciation of what anti-spammers encounter every day: spammers go to amazing lengths to hide their identities.

But I had the feeling that Dateline's crack research team was trying to make the hunt look harder than it actually was. (Granted, bringing your cameras on a salacious visit to a Las Vegas porn convention sure produces better prime-time TV than searching the copious clues on the news.admin.net-abuse.sightings newsgroup.)

Fact is, Dynamic Pipe (aka Webfinity aka Python Video aka Global Media), the outfit behind Spunkfarm, has been on the Spamhaus ROKSO list of the world's biggest spammers for at least two years. (Again, poring over the details of Dynamic Pipe's ROKSO record isn't nearly as sexy as a meeting in an alley in Toronto.)

As for Jean Yves Cotes, the affiliate who was sacrificially given up by Spunkfarm ... my guess is he's just a lazy guy trying to make a quick buck.

Posted by Brian at 11:29 PM

© 2004 O'Reilly Media, Inc.