'Spam Kings' Author Shares Insights, Spam-Prevention Tips

Sheds light on the dark world of spamming

By: Alexandra Krasne

November 12, 2004

Another day at work and your inbox is filled with exciting opportunities: you've won the Euro-Asian African Sweepstakes; a chance to order prescription drugs for free; get in on a business that lets you earn $12,000 a week online; and, of course, make a quick mil by helping out a former dictator who's down on his luck.

You're not alone. This year, five trillion spam messages will flow into users' mailboxes; America Online blocks over a billion messages a day, and any AOL user can tell you they're not catching it all.

So who are these people, why do they do it, and can't somebody do something to stop them? Those are questions Brian McWilliams set out to answer in a new book, "Spam Kings: The Real Story Behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements." McWilliams tells the stories of some of the Internet's most hard-core spammers and the equally hard-core spam hunters seeking to expose them.

TechSoup: Tell me a little bit about your book and why you decided to write it.

Brian McWilliams: In May 2003, I got over one hundred spams for "male enhancement" pills from the same company, all over the course of two weeks. I traced the messages to a firm in nearby Manchester, New Hampshire. I started researching Davis Hawke, the owner of the company and a former neo-Nazi who's also an expert chess player, and wrote an article about him for Salon.com. He was such a complex and intriguing character -- one who challenges the stereotype of the spammer as a lowbrow -- that I thought he would make a great case study for a book about spammers.

TS: Who is your favorite character in the book and what can we learn from him or her?

BMcW: I'd have to say Susan "Shiksaa" Gunn, the book's heroine. She starts off as a "newbie" Internet user but becomes a fearsome force to spammers. She's an expert at peeling away their layers of anonymity. She knows a lot of technical tricks and has great research chops, but she also disarms spammers with her social skills. And she doesn't sweet-talk them into giving up information. She's a tough cookie, and it's a good thing. She's been the target of a lot of retaliation from spammers.

Most Internet users don't want to put time and effort into fighting spam. But if they want to play a small part in helping people like Shiksaa, they should sign up for the free Spamcop.net service. It's an automated system that helps you file complaints about spam. (AOL's "Report Spam" button does pretty much the same thing.)

TS: Who is the most successful spammer and why?

BMcW: Probably Michigan-based Alan Ralsky. He's been spamming for years and has managed to survive a 2001 lawsuit from Verizon and lots of bad publicity. He's not a techie, but he has a crew of people working for him to devise ways to send spam without detection -- and without getting sued again.

Scott Richter of Colorado is a close second. Like Ralsky, he's perennially on the Spamhaus list of the Top 10 Spammers. Richter, too, has deflected lawsuits, and even filed some of his own against anti-spammers. Unlike Ralsky, Richter specializes in "opt-in" lists of people who supposedly agreed to receive e-mail ads. He operates more openly and at times seems to crave media attention.

TS: What's the most effective way to fight spam?

BMcW: On the micro level (protecting an individual's e-mail inbox), technology is the best weapon. With the one-two punch of a blacklist-based filter (such as Spamhaus Project) and a content-filter like Spamnix (for Eudora users) or one of the many filters for Outlook, you can shrug off most of the spam before it hits your inbox.

On the macro level (reducing the total volume of spam on the Internet), I think we need to continue hitting spam on many fronts. If technology such as spam filters were in more widespread use, the economics of spamming would be much less attractive. Lawsuits are probably a net financial loss to the ISPs who file them, but they do help drive some spammers out of business. Architectural work, such as tightening up the overly trusting protocols behind e-mail, holds a lot of promise. A better Federal law in the United States would do a lot. But we won't be able to significantly reduce spam as long as there are people who buy from spammers.

TS: Will anti-spam legislation work to cut down or prevent spam?

BMcW: Depends on the law, of course. In Australia, a new "opt-in" law has apparently made a big dent in spam. But here in the United States, the "opt-out" law gives every spammer the right to spam you at least once and hasn't slowed the flow at all. I'd like to see Congress try again and pass a tougher anti-spam law in 2005. CAN-SPAM obviously didn't go far enough.

TS: I'll ask this question -- even though Shiksaa does in the book -- why do spammers spam?

BMcW: Around where I live (in the New Hampshire seacoast region), there are a lot of people who like to fish off bridges over the tidal rivers. It's very low overhead: you don't need a boat. And it's such a feeling of good fortune to be able to throw a line in the water, watch the cars pass by, and moments later, land a big fish. I think spamming comes from the same primal impulse. But spamming is akin to throwing a million lines in the water all at once, and, in the process, making it nearly impossible for traffic to cross the bridge.

Spammers are so tenacious because they know there are people who want to buy from them. Many have told me that they wouldn't have to resort to all the tricks to conceal their identities if anti-spammers wouldn't try to stand between them and their customers.

TS: What, in your research, was the most surprising thing you learned about spammers?

BMcW: As I delved into the lives of the dozen or so spammers in "Spam Kings," I was surprised to learn that spammers are actually a very diverse bunch: Men and women, young and old, urban and rural, college educated and high-school dropouts. What they seem to have in common is a very lazy, anti-social approach to entrepreneurship.

TS: How many spam e-mails do you receive in a given day?

BMcW: I've been using the same e-mail address since 1997, and it gets around 300 spams per day. My ISP offers filtering based on the Spamhaus Project blacklists (lists of IP addresses for known spammers), and about two-thirds of my incoming spam gets filtered into a special spam folder at the ISP before I download it to my PC. I use a second level of filtering (Spamnix) to block most of the rest of the spam. When everything is working right, only one or two messages slip past these filters every day.

TS: What types of spam scams do people most often fall for?

BMcW: Phishing spams (fraudulent e-mails and Web sites designed to fool recipients into revealing personal financial data) are, on a percentage basis, much more successful. Experts say five percent of recipients fall for the scams, versus less than one percent for garden-variety spams for porn, pills, etc.

Phishing scams seem to catch gullible people most often if they use logos from the spoofed financial institution, and if they steer clear of suspicious grammar problems. Phishers also use a lot of technical tricks to hide the true Web address of the site listed in their spams.

Spamvertized products seem to appeal most to people who are what I call "furtive shoppers." They want anonymous, convenient access to contraband and illicit products, such as painkillers without prescriptions, fake Rolex watches, raunchy porn, and "college diplomas." Then again, I am always amazed at the number of people who appear to respond to spams for low-interest mortgages. People willingly give up information including social security numbers to sites run by spammers, all in hopes of saving some money.

TS: Which ISPs are the best or worst in terms of spam?

BMcW: As far as the consumer ISPs go, all the big ones are now offering spam filtering to their customers. The problem is these big ISPs, such as AOL, are also the most common targets of "dictionary" and "brute-force" attacks, in which spammers try to guess their way into e-mail inboxes. So, in some respects, you're better off with a smaller ISP that also has spam filtering.

On the business and hosting side, MCI is the most spammer-friendly ISP, according to statistics from Spamhaus.org. Despite policies that state they prohibit spam being sent from their networks, MCI provides service to a number of spammers profiled in "Spam Kings."

Read the first chapter of "Spam Kings" (PDF) and visit O'Reilly's online catalog to order a copy of the book.