Confessions of a Spam King
September 28, 2003
By JACK HITT
1. MEET THE SPAMMER
''Click here,'' says my spamming mentor. Hovering over my chair, he points to
the computer screen. ''Now click on that file of e-mail addresses there.'' I
have been invited by a master for an education in spamming, the practice of
blasting millions of unsolicited e-mail messages into the Internet in order to
advertise everything from loans with easy terms to women of easy virtue.
''Let's go online and download some software,'' says my guide. His name is
Richard Colbert. On the Rokso, or Register of Known Spam Operations (a kind of
Most Wanted List for the Internet posted on an antispam Web site called
spamhaus.org), Colbert is described plainly: ''Nonstop scam spammer, kicked off
so many hosts and I.S.P.s'' -- or Internet service providers -- ''it's hard to
count.''
Dressed in blue shorts and a purple T-shirt, Colbert, 31, has blondish hair
stuffed under a baseball cap, a prominent diamond earring and a mild twang that
betrays his Atlanta origin. He lights up a Monarch menthol as he shows me his
computer room, an intimate homemade space built off the side of an aging
two-tone mobile home -- robin's-egg blue and white -- which sits among hundreds
of Airstreams and Miami Deco single-wides in the Sunset Colony Mobile Home Park
in Fort Lauderdale, Fla.
Colbert claims that he's now on a sabbatical from spamming, but he's watching
current events and weighing a return.
During this interlude, he has agreed to help me learn how the avalanche of
solicitations I receive winds up in my online mailbox every day. Who are these
guys? Who hires them? How do they get legitimate e-mail addresses? And finally,
can federal legislation currently under consideration actually stop them?
First off, Colbert doesn't think about spam the way I do (or, most probably, the
way you do). He likes to call it ''bulk e-mailing,'' for starters. And he
considers it just one of the many exciting new markets available on the
Internet. He's the kind of guy who is always interrupting himself to tell you
about some smart economic angle he has figured out, some new edge.
''These shorts are Dockers,'' he says, pointing at the clothes he has on. ''And
I got them off eBay. Shirt? Tommy Hilfiger. EBay. Shoes? Nikes. EBay.''
Colbert and I dig around on the Internet until, under his direction, I find a
piece of software that allows for mass e-mailing. These are common and legal,
used legitimately by professional archaeologists, say, or chess enthusiasts to
form an online group and conduct chats or exchange information.
Right away there's a problem. The software we've selected requires registration
or payment. But Colbert says he once used this very piece of software, slightly
altered, when he worked with some other spammers who live nearby. So he snatches
his phone and calls a neighbor for support. A minute later, we are back in
business. It turns out that an unusually large number of spammers live in this
area, the stretch of beaches north of Miami that old-timers loosely call Boca
and new-timers know as a staging ground for the smarmier characters in Carl
Hiaasen's novels.
According to Steve Linford, who maintains the Rokso list, there's a good reason
that so many spammers wind up on Spam Beach: ''Boca Raton is where they used to
run those pump-and-dump investment scams and where the telemarketing sweatshops
are.'' The phone scammers and infomercial wannabes of the 80's and 90's -- who
themselves supplanted the land speculators who established Florida's earliest
cities upon shifting sand and sinking swamps -- have been pushed aside by the
new boys on the block, the bulk e-mailers of the Internet.
2. A SPAMMING PRIMER
How does a spammer obtain a million working e-mail addresses? Most simply, there
are lists you can buy off the Internet. But there are also other, cheaper, ways.
A ''dictionary attack,'' Colbert instructs, is when you blast reams of
computer-generated potential e-mail names (Arnie1@hotmail.com, Arnie2@hotmail.com,
Arnie3@hotmail.com . . .) and see which ones take. Another good tool is called a
spider, a software program that can crawl through Web pages, looking for that
telltale symbol: @. Then it simply records everything to the left and right of
it, and bingo, it has a good e-mail address. (A good method for avoiding spam,
then, is to always type your e-mail address on the Web this way: Arnie at
hotmail.com or ArnieREMOVETHIS@hotmail.com. Humans can look at either and figure
out what to do; software -- so far -- is helpless.)
Sitting at Richard's computer, I set out to launch my first spam. I append a
file of e-mail addresses to the software along with my cover letter -- my spam.
To keep everything vaguely legal, my spam is nothing more than a cheerful
holiday greeting, at the end of which is a link to bowieltd.com, one of
Colbert's Web sites.
The software starts firing, and my notes ricochet through cyberspace. The
software monitors which e-mails are returned and tabulates their status. When an
''out of the office'' auto-reply comes back on one e-mail message, Colbert says:
''Oh, we love those. They confirm that the address is active.'' Within six
minutes, on a single computer, running through a regular phone line, I have
fired off 1,000 e-mail messages.
Which is one of the attractive things about spam for spammers. You don't have to
leave your mobile home to do it. There's no door-to-door soliciting for clients,
no annual conferences to attend. The business is all neatly contained on your
desktop. For instance, how does a spammer find clients willing to hire him?
He spams.
Colbert used to find clients by trolling through AOL's member directory. Many of
AOL's 35 million members fill out helpful ''online profiles'' when they join,
listing their interests and activities. Colbert used those profiles to turn AOL
into a rich and easy source of contacts. He would limit his search by typing in
''business opportunity'' or ''multilevel marketing'' in order to find the sort
of small-time sales folks who might be receptive to his offer, then he would
spam them all with his pitch.
''I might get 100 responses from 100,000 e-mails,'' Colbert says. He would write
back personally to those, asking for the text of the ad they wanted to spam out
and relaying his pricing structure: $300 to send out 100,000 messages or $900
for a million. From the 100 people who would agree to hear his personal pitch,
he would usually land between two and five contracts. Although this might seem
like a pitiful response rate -- one-five-hundredth of one percent is ruinous in
any other market -- this one search for spam clients could yield Colbert as much
as $14,000.
Colbert describes how he would set his computers for ''send'' with millions of
e-mail messages queued up, then go to sleep and let the machinery make the money
for him. ''I used to have nine computers bound over five DSL lines on a 10 meg
pipe feeding 500K per second per computer,'' Colbert says. ''That's a million
e-mails an hour per computer, nine million an hour on a good day.''
His clients were usually small-scale entrepreneurs or Web-site hosts who worked
the margins of the online economy: herbal supplements and cut-rate financial
services. Sometimes he would be hired to spam for larger, more reputable,
companies -- not that he would name any for me. But he did admit that he would
try to use the ''cleanest'' lists possible in those cases, to keep down the
tsunami of complaints that a company typically receives with each spam blast.
Payment to Colbert was strictly old-school. ''I didn't ever take credit cards,''
he says. He would insist on being paid by money order or check. He explains the
risk of credit card payment: ''If the clients didn't get the response they
wanted, they'd frequently charge back the fee.''
The majority of spammers are paid a flat fee, Colbert says, and those fees have
been dropping. Only five years ago, the top tier of spammers was building
''online marketing'' companies and selling them for astonishing sums, in the
millions of dollars. In those heady days, spam enjoyed the same inflated
finances as tech stocks. But even after the bubble burst, spam was handsomely
profitable. ''I cleared $130,000 in 10 months,'' Colbert says, ''the best money
I've ever made.'' As more players enter the market, though, the profits are
thinning. ''These days I've seen spam offered as low as $25 for a million
addresses,'' Colbert grouses. ''There's still money in it, but it's a lot more
work for a lot less.''
3. THE NEW NEW SPAM
Ever since the Federal Trade Commission earlier this year held a spam conference
-- which brought together spam recipients, Congress, antispammers and the
spammers themselves -- a metaphysical question has emerged: Is there such a
thing as good spam versus bad?
Colbert thinks so, and his reasoning has led him to a solution that he predicts
will make everyone happy. He recently wrote a letter to both of his senators
outlining his thoughts. He said that the only way to stop the ''bad'' spamming
-- the scams, the deceptive links, the anonymous porn mailings -- is to sanction
a legitimate form of commercial spam with established standards. These might
include accurate and functional ''from'' lines, so that when you click ''reply''
to a piece of commercial e-mail you would actually be able to contact the person
who sent it. (''From'' lines on most spam e-mail messages are frauds, routed
through various computers in order to give the spammer a cloak of invisibility.)
Also, each legitimate spam would have a real, working ''remove'' link, so that
it would be easy for the recipient to take himself off spammers' lists. Then,
according to Colbert's plan, legitimate spammers could drum up business, and
spam cops would spend their time tracking the real outlaws.
Another spammer I spoke with, Bill Waggoner, who operates out of Spam Beach West
(aka Las Vegas), drew the same distinction. ''Spam is scam,'' said the part-time
heavy-metal musician and shortwave talk-radio host who was, according to Rokso,
''one of the Top 10 spammers in the world.'' He claims that all his bulk e-mail
is ''clean,'' meaning that each one has a good ''return'' address, contains a
working ''remove'' link and sells legitimate goods and services. I couldn't
resist pointing out to Waggoner that he has publicly admitted that he pushes an
herbal penis-enlargement pill.
''That's not fraud,'' he said. ''If it was fraud, the company wouldn't make any
money.'' When I tried to pursue this suddenly slippery definition of fraud, he
quickly added, defensively, ''The only sex product I sell is the
penis-enlargement pill.''
This debate about good and evil isn't going on just among spammers; it is also
currently under way in Congress. Some kind of spam law will probably emerge from
Washington in the next year. And it will be the first test of populist digital
legislation in Congress since the creation of the Internet.
In the weeks leading up to the August recess, the spam fight in the House got
pretty intense. There are two main competing bills, which basically track the
two strands of this emerging philosophical argument. The leading one, written by
Representative Richard M. Burr, Republican of North Carolina, and sponsored by
two influential Republican representatives, F. James Sensenbrenner Jr. of
Wisconsin and Billy Tauzin of Louisiana, more or less codifies Colbert and
Waggoner's view.
As first written, the Burr bill was meant to outlaw only fraudulent spam, in
order to protect commerce on the Internet. ''From our point of view, we are
trying to retain e-mail as a legitimate form of commercial activity,'' one Burr
staff member said. ''If you want to sell a product, you should be able to do
that with e-mail.''
But the public debate on spam is changing fast. Within a few weeks, the momentum
moved away from the power brokers like Sensenbrenner and Tauzin and toward less
known representatives whose proposals are tougher -- mainly Heather A. Wilson, a
Republican from New Mexico, and Gene Green, a Democrat from Texas.
''The Burr bill approaches the problem from the point of view of commerce,''
Wilson observed delicately. ''We approach it from a consumer perspective.''
A core debate regarding spam turns on how you are allowed to say no to spam -- a
debate that boils down to the phrases ''opt in'' and ''opt out.'' ''Opt in'' is
the toughest; it requires that all bulk e-mailers get your permission before
sending any spam. ''Opt out'' allows spammers to flood your mailbox all they
want, as long as each individual e-mail message contains a link permitting you
to stop all future spams from that one business. This summer, the ''opt out''
provision was the one favored by most members of Congress because it gave
marketers and business the greatest leeway. But as the representatives sped
toward their summer recess and the levels of spam in their constituents'
in-boxes spiked to record-high levels, it suddenly seemed like ''opt out'' was
no longer acceptable.
''We are at a tipping point,'' Wilson confessed. ''We may have to get more
radical in our solution.''
But according to Colbert, the tipping point for spam will always be just around
the corner because spammers are so good at figuring out the potential use (or
abuse) of each new technological innovation. Colbert seems to enjoy recounting
the many ways he made the tiniest changes in the system work for him.
''I was thrown off more BellSouth accounts than half the state of Florida,''
Colbert says. His name was known, and he was a marked and wanted man. But he
found a way around the heat. ''Do you remember when American Express came out
with temporary credit cards?'' he recalls happily. ''You could go to the 7-11
convenience store and buy a $25 credit card -- sort of like you buy a $25 phone
card, only it was good for just $25 worth of credit.''
Armed with a dozen of these cards, Colbert would go to the BellSouth Web site
and create numerous e-mail accounts from which to send spam, each account with a
fictitious name and address. Since the credit card couldn't be connected to him
in any way, he could spam away until BellSouth finally got around to canceling
that particular account. ''They were great, totally untraceable,'' he says of
the credit cards. ''They don't sell them anymore. I think it's because of me.''
More recently, spammers have figured out how to send unwanted text messages to
cellphones. And new wireless, or ''wi-fi,'' technology, Colbert tells me, is
providing spammers with another potential cloak of invisibility.
4. IS THERE AN ANSWER?
So what does a spammer like Richard Colbert fear? Going to jail or going broke?
There's a difference, and in that difference is the key to the debate about
stopping spam. Despite our ferociously partisan times, the Republicans and
Democrats agree on this one thing: prosecuting spam should be the domain of a
big Homeland Security-style federal bureaucracy. The only question is, Should it
be the Federal Trade Commission or some other agency?
Most of the antispammers prefer a solution known as ''private right of action,''
which would permit consumers to hunt down spammers and sue them for small
damages, say $500, in a state district court -- just enough, goes the theory, to
ruin the slim profit margin on spamming. Also known as distributive justice,
it's the same idea that worked to stop junk faxes a decade ago: ''death by a
thousand paper cuts,'' as Ted Gavin, treasurer of SpamCon, an antispam group,
likes to call it.
The debate is an old one. Which deters better? A widespread campaign of
harassing a lot of midlevel operatives or highly visible arrests of a few
kingpins? Washington politicians tend to prefer the latter, because they bring
immediate television coverage. In recent testimony before Congress, Orson
Swindle, an F.T.C. commissioner, stated this position plainly: ''We need a
couple of good hangings here.''
Despite the threat of the noose, spammers yawn at the law-enforcement approach,
according to Colbert, for the simple reason that the police are slow and a
digital trail goes cold very fast. Most I.S.P.'s record the digital trail of
each e-mail message that passes through their systems, but these ''mail server
logs,'' as they are called, are routinely overwritten and erased. ''You have about
12 hours to track a person on the Internet before the trail goes dead,'' Colbert
says. ''Law enforcement is too slow.''
The antispammers, on the other hand, pose a different threat. ''A little known
secret about antispammers is that many of them are fairly renowned hackers,''
Colbert says. ''They track spammers in ways that the F.T.C. can't.''
But the distributive-justice approach is all but dead in Congress, at least in
part because of the Republicans' deep antipathy for trial lawyers. ''It's not on
the table,'' said a Democratic staff member on the Commerce Committee.
Wilson told me that private right of action was not such a bad idea and was
interesting to talk about in an intellectual way. ''But I also want to get a
bill passed in the House,'' she confessed.
Back in Colbert's mobile home, I ask my spammer guru if he is feeling nervous,
now that Congress is in the market for a few high-profile public hangings.
Doesn't he fear that Orson Swindle might soon have him in an orange jumpsuit and
shackles, doing a prime-time perp walk? ''Congress is full of idiots,'' he notes
succinctly. Colbert says he doesn't believe that a strategy of going after a few
kingpins will accomplish anything. Politicians will gain some publicity, but in
the process, he argues, they will drive smaller operators further underground.
''Spammers will just use even more deceptive practices to keep from getting shut
down,'' he says.
So is he getting back in business? Colbert remains cagey with a direct answer,
but then sidles over to a file cabinet. He pulls out a CD and twirls it among
his fingertips. ''This CD has 200 million e-mail addresses on it,'' he tells me,
sounding like a man eager to once again hit ''send.'' I ask him about his old
system -- the nine hard drives bound together with a superfast connection speed
that could pump out millions of e-mail messages in an hour -- and whether the
coming laws make him too nervous to spend money rebuilding his infrastructure.
Colbert seems amused by my assumptions regarding his expenses. As the late
afternoon sky turns Boca gold, he fires up another menthol and takes a big,
noirish puff. He points under his desk to a recent arrival, a second hard drive,
precisely what he would need to begin a new network.
''It's a Dell Pentium 233,'' he says. ''I got it for $15, plus $23.95
shipping.'' A cloud of smoke fills the side room of the single-wide.
''EBay,'' he says with a smile.