INTERNET ENFORCERS: Dr. Paul Judge, chief technical officer at CipherTrust, a network security firm, heads up the company's crack spam-fighting force.

By the most recent estimate, spam accounts for slightly more than 60 percent of all e-mail messages, triple the rate of only a year ago. That’s despite the efforts of Internet service providers to filter it out; despite ever-stricter state laws against spamming; and despite aggressive counter-attacks by anti-spam vigilantes. The reason for this, of course, is the fact that spam is the least expensive marketing ploy in history, which has obvious appeal for those with a something-for-nothing outlook.

“Anybody with a $500 computer, $100 worth of e-mail software and an Internet connection can reach a million people,” says Pete Wellborn, an anti-spam attorney for EarthLink.

Wellborn, who seems to enjoy his nom de guerre, “Spammer Hammer,” knows whereof he speaks. In May, he won the company a $16 million civil judgment against Howard Carmack, aka “The Buffalo Spammer.” Carmack, a 36-year-old ex-high school jock who still lived with his mother, is accused of sending out 825 million hunks o’ spam from his home computer before the ISP managed to track him down.

In the year that EarthLink spent trying to identify him, Carmack managed to elude his pursuers by allegedly splicing into a neighbor’s phone line; bouncing his messages across several continents to hide their source; using fake names; stealing strangers’ online identities; and exploiting friends and family members alike.

For instance, when EarthLink investigators located the spammer’s phone number, it led them to an answering machine in a Buffalo, NY, personal-care home apartment occupied by Carmack’s mentally disabled brother.

Usually, being hit with a multimillion lawsuit produces what Wellborn calls the “Oh, shit! factor,” but not with Carmack. Even after finally being served, he continued to send out millions of e-mails hawking such must-haves as cable de-scramblers and “herbal sexual stimulants,” Wellborn says. The spammer now also faces felony identity-theft charges under New York state law that could net him seven years behind bars.

EarthLink, the country’s third-largest ISP, has also been the most aggressive when it comes to nailing spammers. Wellborn explains that, contrary to popular belief, an ISP’s network is private property, which means it can set its own rules of conduct among users, such as “no unsolicited advertising.”

To send spam to EarthLink subscribers in violation of its user agreement is the legal equivalent of unlawful trespassing, he says. If that sounds far-fetched, then consider Wellborn’s string of court victories: a $2 million civil judgment against the self-proclaimed “King of Spam,” Californian Sanford Wallace, in 1998. Last year, he won a $25 million judgment against a Tennessee man who sent out more than 1 billion unsolicited e-mails, many containing viruses he used to manipulate his victims’ computers.

That particular spammer had allegedly earned at least $3 million, in addition to costing EarthLink an estimated $1 million, if you use the accepted formula that every million e-mails carries $1,000 in bandwidth costs.

But Carmack was no high-flying e-commerce mogul. Quite the contrary; he was a work-a-day spammer-for-hire who apparently was more than willing to annoy the entire US population three times over for about what you’d earn flipping burgers at McDonald’s.

One “herbal remedy” retailer who hired Carmack to handle his marketing told authorities that out of 10 million e-mails sent, he made 20 sales, netting a less-than-grand total of $300.

So what’s the point of all that effort and risk when there’s so little to be gained?

“Every spammer thinks he’s going to be the one who’s gonna grab the brass ring,” Wellborn says dismissively.

And yet, because of e-mail’s low overhead, there is a great deal of money to be made by e-marketers who manage to evade ISP lawsuits, fraud charges and spam filters. Mostly, it’s being made by companies or individuals, like Carmack, hired to send spam for other companies. Or by e-mail retailers with a knack for knowing what appeals to online impulse buyers — i.e., porn sites. Or by modern-day snake-oil salesmen whose products — real or imaginary — would have been advertised a decade ago in the back pages of sleazy men’s magazines.

Referred to coyly by the Federal Trade Commission as “organ enlargement offers,” these ubiquitous e-mails seem targeted at guys whose brain power is directly proportional to the size of their johnsons. Which means there are plenty of suckers out there.

Consider the case of C.P. Direct, a Scottsdale, AZ, company busted last year for credit-card fraud and making outlandish medical claims for various herbal products. C.P. offered pills for enlarging the penis and breasts, growing taller, avoiding baldness and even making the customer a better golfer.

Not surprisingly, an estimated 90 percent of the company’s revenues came from Longitude, its penis-enlargement pill that was said to work by expanding the “soft tissue” around blood vessels.

What is surprising — and depressing — is the fact that C.P. Direct raked in at least $74 million in sales in the two years before it was shut down. US Customs officials estimate that as many as 500,000 under-endowed men had responded to the company’s ads.

It should shock only the gullible that, no matter what its specific, guaranteed effects were supposed to be, every herbal product the company sold was made from exactly the same combination of worthless ingredients.

While pills are the most common penis-enlargement product touted through spam, they are far from your only opportunity to flush money down the crapper.

There’s likely e-mail on its way to you right now that will link to websites where you can shop for such atrocities as the “BIB Hanger,” which, according to the spiel, “takes the discomfort out of hanging heavy weights from the penis.” Darn, and Father’s Day has already passed.

Then there’s the Dr. Joel Kaplan Penis Pump, which comes in a basic hand-pump model for $100 on up to the $600 flagship set-up that presumably lights you a cigarette after each workout.

If you need help deciding which PE scam may be right for you, you’ll want to consult www.penisenlargementmagazine.com — sort of a cut-rate, dick-obsessed J.D. Powers — which claims its reviewers exhaustively test and rate each system.

How’d They Find Me?
A common question among the spammed is, “How did they get my e-mail address?” Ah, that was the easy part.

One of the many possibilities is that the spammer unleashed an “e-mail harvesting” program that trawls the Internet to find corporate e-mail directories, “blogs and newsgroups, capturing any string of characters with an “@” in the middle.

Addresses can also be generated from scratch using a “dictionary attack,” a program that pairs up common names with the bigger Internet domains in hopes of hitting a few live targets. Examples: jsmith@aol.com, ksmith@aol.com, lsmith@aol.com, and so on.

If the spammer really wants to reach people whose addresses might not otherwise appear online, he’ll employ an “alphabet attack,” an astoundingly inefficient approach that creates countless addresses by lumping together random sequences of letters and numbers. Examples: ahkdy1@msn.com, ahkdy2@msn.com, ad infinitum.

But, more likely, he’ll simply buy a CD-ROM containing millions of e-mail addresses from some other sleazeball who’s already done all the work, says EarthLink attorney Wellborn.

In fact, the spam industry was jump-started in earnest by the bursting of the dot-com bubble, as many failed companies were ordered to sell off their customer e-mail lists as part of their bankruptcy settlements.

There are literally hundreds of online vendors selling address lists, as well as bulk mailing software and “how-to” starter kits for wannabe spammers. Wellborn is currently looking into avenues for suing these spam-enablers.

Once a would-be bulk-mailer has his computer, his spamware and his Internet connection in place, then the real challenge begins: the high-stakes cat-and-mouse game with the ISPs.

There are thousands of ISPs scattered across the globe — and nearly all of them have an “acceptable use policy” that prohibits unsolicited bulk e-mail. So, if a spammer is dumb enough to send out messages with a return address of his own hotmail.com account, he’ll find his service switched off before he can say, “HERBAL VIAGRA.”

To avoid being identified as spammers, they’ll scour the Net to find unprotected mail servers — known as “open relays” — that can be hijacked into sending out spam for them. It’s not uncommon for a particularly stinky piece of spam to have bounced between half-a-dozen open relays and as many continents on its way to your inbox.

A true guerilla spammer will nearly always insert a false return e-mail address in the “from” line of any bulk mail he sends. Called “spoofing,” it’s another method for hiding his identity from ISPs. Just as important, it’s a way to avoid the inconvenience of dealing with the hundreds of thousands of undeliverable e-mails that would otherwise be bounced back to his server.

But fooling the ISP is only part of the struggle. Any prolific spammer also must contend with the growing anti-spam community, which includes dozens of websites, newsgroups and individual hackers who have been known to reroute bulk e-mail back to the spammer’s address or even post the e-merchant’s home telephone number online in retaliation to being spammed.

A spammer knows he’s hit the big time when he earns his own listing in Spamhaus, a London-based online anti-spam clearinghouse that maintains one of the more authoritative “black lists” of confirmed spam-senders.

Winding up on a black list can make it very difficult for an e-marketer to find an ISP that will touch him. Although independent, Spamhaus has become powerful enough within Internet circles to threaten some of the smaller ISPs with black listing unless they drop their spamming customers.

But why should Internet vigilantes be responsible for policing e-mail? Isn’t that what laws are for? Well, so far, Congress has yet to pass any laws regarding spam — which may be a good thing.

For instance, critics of the proposed CAN-SPAM Act say the bill would do more harm than good. By simply requiring that all unsolicited e-mail include an “opt-out” button, it would effectively legalize spam, undercutting any state or private efforts to ban it.

Others, such as dot-com pioneer Brad Templeton, say that any attempt to regulate spam is a waste of time when you’re talking about guys offering drugs without prescriptions.

“Half the people who are spamming are already selling fraudulent products and illegal con schemes,” he says.

In other words, if you outlaw spam, only outlaws will send it.

Hormones and Filters
Blame it on HBO, but the hot techno-gadget being hawked in e-mail inboxes this year is the cable de-scrambler. It certainly stands to reason. Since much of America already believes new music should be free, why shouldn’t Sex and the City, as well?

Trouble is, these black boxes don’t actually, like, work. That is, unless your cable carrier still offers analog cable, which is going the way of the slide rule. Even if your carrier does offer analog cable, using the boxes without paying for the service is, believe it or not, illegal. Although a major record label is unlikely to spend its time hunting you down for swiping songs off a Napster knockoff, your local cable company has grown used to nailing frat boys for splicing into their lines, so it’s not likely to cut you any slack if it finds out you’ve been stealing Pay-Per-View.

Another popular spam offering right now is human growth hormone, often advertised under the headings “Lose weight while you sleep” or “Regain your youth.”

Actually, there’s a kernel of truth amid the crapola. Since 1990, the medical community has debated the ability of human growth hormone to reverse some of the effects of aging, such as loss of muscle mass and fading energy. Some studies have shown that, combined with sex hormone replacement, growth hormones can help patients lose weight and increase stamina without exercise.

Growth hormone, however, has nothing to do with the junk that spammers are peddling. Actual hormone therapy costs thousands of dollars at pricey clinics; it doesn’t come in plastic jugs through the mail and it doesn’t sell for $49.99 for a one-month trial supply.

It’s ironic that, in the world of spam, pornographers have proven to have the most integrity. More often than not, the subject lines for their messages tell you exactly what you’ll find inside. And when you hit the link, you’re sent straight to a porn site, as promised. And if you offer up your credit card, you get what you pay for. No bait, no switch.

Which makes sense, when you consider that sex is still the Internet’s big money-maker. It’s estimated that one-third of all Internet content revenue comes from such sites as “Horny college girls” and “Trannie-a-gogo!” Covering his tracks will do a spammer little good if his e-mail never reaches its intended targets. For that to happen, he must navigate a minefield of spam filters at work within the ISP’s mail servers, the e-mail software, even individual PCs.

Keep in mind that, no matter how pathetically spammy an e-mail might appear at first glance, you wouldn’t be looking at it now if it hadn’t managed to trick the system into thinking it was a legitimate message.

This is where Dr. Paul Judge comes in. As chief technical officer for CipherTrust, an Alpharetta, GA-based network security firm, it’s Judge’s job to figure out how to block spam in transit so we never see it.

Besides the annoyance factor, defeating spam is an urgent goal, he says, because of the very real hardware costs that the average Netizen isn’t aware of until his next rate increase for monthly Internet service.

“If spam accounts for half of all e-mail, then the networks have to double bandwidth and server capacity just to handle the extra volume,” he explains.

Judge’s team is always on the lookout for new spam detection and filtering programs that can be installed on CipherTrust’s main product, IronMail, a hardware server he estimates is used by about 15 percent of the country’s Fortune 500 companies.

IronMail also combats viruses and network attacks by hackers, and has been used by clients to catch employees who were sending company secrets to competitors, as well as wise guys who were running side businesses out of their cubes. Yet Judge concedes that spam is the most constant and insidious problem.

He also serves as chairman for the Anti-Spam Research Group, an arm of the Internet Research Task Force, one of the foremost independent Internet industry think tanks. Which pretty much makes the 26-year-old Judge a big wheel in geekdom.

Of the various spam-filtering programs, the most basic is a rule-based filter, which weeds out mail that has selected spammy words and phrases in the subject line, such as “wild teen sluts,” “low-priced,” “toner cartridges” and that old standby, “wild teen sluts prefer our low-priced toner cartridges.”

The way around this pitfall, spammers have found, is to misspell key words, add hyphens or use an unrelated phrase in the subject box, such as “hi there.”

A somewhat more sophisticated filter is one used by Brightmail, a company contracted to screen out spam for EarthLink — which calls the service “the Spaminator” — and several other large ISPs.

Brightmail sets up thousands of decoy e-mail addresses and fake open relays that are intended to attract spam much like shit draws flies. As soon as spam hits a bogus inbox, the program scans it and then proceeds to eradicate any duplicate e-mails.

The spammer antidote to Brightmail, however, are the strings of random characters that often appear in the subject line: “Hot granny-grabbing action! vvgh3y7kxwq.” Using a program that adds different characters to each e-mail, spammers have found they often can foil the filter.

Last year saw the introduction of the most effective anti-spam filter so far, a type of program based upon the complex probability theories of Thomas Bayes, an 18th-century British mathematician who created a new branch of algebra that is the basis of many modern-day Internet search engines.

The advantage of a Bayesian filter is that the program gets progressively “smarter” over time, according to its creator, MIT-educated hotshot hacker Paul Graham.

To get the program started, you need two inbox trash cans — one to dispose of legitimate e-mail and the other to get rid of spam. The filter analyzes each e-mail, picking out the 15 most “statistically significant” words in order to compare the occurrence of spammy words (i.e., “orgy,” “refinancing,” “prescriptions”) against those of unspammy words (i.e., “Kafkaesque,” “hypotenuse.”)

The filter starts from scratch but should be almost totally effective within three or four days, says Graham, who sounds like a well-read surfer dude.

“If you write a Bayesian filter program that doesn’t screen out at least 99 percent of the spam, you’ll be laughed at by the other programmers,” he says.

By contrast, Brightmail’s effectiveness as a spam-blocker is estimated at around only 70 percent. “All they end up filtering out is spam by people who don’t know what they’re doing,” Graham says.

Graham, who is semi-retired after signing a lucrative programming deal with Yahoo! a few years back, would like nothing better than to be known as the man who killed spam — and he thinks it could happen.

“Contrary to popular belief, sending spam isn’t free,” he says. “Spammers do have a profit margin and if you can cut it down to almost nothing, it won’t be worth their time.”

For instance, he says, the cost of sending out 1 million e-mails is approximately $200, for which a spammer might earn $500 in commissions — a profit of $300. But if a spammer is forced to send out 2 million e-mails in order to make the same $500, eventually he’ll go into a different line of work — or, better yet, starve.

The bad news is, of course, that spammers study every new anti-spam program to try to learn how to beat it, Judge says. Already we’re seeing spam that includes sequences of non-spammy words that are invisible to the recipient, but can be read by the filter. It will be another year or so before the long-term effectiveness of the Bayesian system can be determined, he says.

In the meantime, EarthLink recently introduced its newest product, Spam Blocker. Termed a “challenge-response” system, it automatically responds to e-mail from every new sender, requesting that he copy a three-character series into a box before his message will be delivered. The trick is that the characters are contained in an image that cannot be read by a computer program, ensuring that your mail actually comes from a real person.

Blame It On Boca Raton
Do you recall a time when, still un-jaded by the sight of your e-mail inbox clogged with anti-aging offers and wicked deals on toner ink, you wondered, “Where does all this crap come from?”

Well, here’s your answer — and it should be no big surprise: It comes from South Florida. Specifically, from Boca Raton, home of the penny-stock swindle and the boiler-room sales pitch.

For as long as anyone can remember, this sunny, ocean-front town just south of Palm Beach has been a haven for racketeers big and small, with miles of offices housing shady telemarketers and fly-by-night brokerage firms. Even some of the area’s Fortune-500 big shots have proven themselves as crooked as a dog’s hind leg, the most recent examples being Tyco International and its prison-bound CEO Dennis Kozlowski.

In short, Boca Raton has incubated such a pervasive culture of fraud that the local Chamber of Commerce would do well to offer bonding services and discounted flights to non-extraditable destinations.

And yet, for all its long history as a mecca for con artists, cheats and petty chiselers, Boca’s reputation has never before taken the beating it’s getting now, thanks to its newest distinction as spam capital of the world.

According to Spamhaus, of the world’s 150 most prolific spammers, Boca Raton is home to at least 40. But why Boca?

Theories for this phenomenon vary. One partial explanation is that the city lies along a segment of the Internet “backbone,” the bundle of cables that form the actual infrastructure of the information superhighway. This enables spammers to send huge wads of e-mail more cheaply and efficiently.

While it’s true that plenty of cities sit atop the Internet backbone, Boca is located in the Sunshine State, which, in addition to its warm weather, has the most liberal bankruptcy laws in the nation. Florida has long been a magnet for the shady set because of legal loopholes that allow crooks to shield their ill-gotten fortunes from seizure.

One Boca denizen who isn’t shy about discussing spam is Mark Felstein, a spotlight-hungry attorney who’s taken on the thankless role of de facto spokesperson for the bulk e-mail industry.

During the course of our conversation, he defends e-mail marketing in a rambling monologue that’s difficult to follow because of its many logistical pirouettes.

The problem, Felstein begins, is that e-marketing has been given a black eye because a few bad apples break the rules by using open relays, fake subject lines, bogus return e-mail addresses and non-functioning opt-out links.

When I point out that it’s actually the rarest of spam that doesn’t employ at least one of the deceptive practices he just described, he shifts gears.

“I don’t know why so many people have a problem with bulk e-mail,” he says, adding that if folks are getting spam at the office, “maybe these employees should be working instead of surfing the Web.”

Then he offers his theory that public antipathy toward spam has been exaggerated by an anti-spam industry with a vested interest in painting bulk e-mail to seem like it’s some kind of serious problem.

“The people who are making a big deal about this are trying to sell something,” he explains, somehow managing to keep a straight face.

Felstein made news in Internet circles earlier this year by filing a lawsuit against Spamhaus and its stateside counterpart, the Spam Prevention Early Warning System, better known as SPEWS. The suit accuses the spam blacklist sites of libel, invasion of privacy and of attempting to “maliciously interfere with the business of the plaintiffs,” who include several Boca-based e-marketers.

Felstein previously has sued various ISPs for denial of services for shutting out his spam-sending clients, but he concedes that those suits were busts because his clients invariably went broke before their cases got to court.

This time, however, he feels certain he will be able to teach a lesson to Spamhaus and other “self-appointed vigilante groups” that are making life tough for Internet entrepreneurs who are just trying to make a living.

Besides, he says, it’s not like spam is so awful; if you don’t want it, it’s easy enough to delete it or opt-out.

“Maybe some ISP like MSN has to spend a few bucks it didn’t plan on,” Felstein says, “but no one’s getting hurt by bulk e-mail.”

This article appears in Jul 16-22, 2003.

Leave a comment

Your email address will not be published. Required fields are marked *