Spammer X is a composite character created from the hundreds of individuals I’ve met in the IT security field. Some wear white hats, some wear black hats, and many have moved between the two over time. It is not a portrait of a single individual, and any similarities are unintentional.
I am 22 years old.
I live in an apartment in the city with my girlfriend.
I am an agnostic and follow no faith.
My likes include music, running, and computers.
I am a reformed spammer.
Yes, in my spare time I sent 10 to 20 million spam e-mails a week. In fact, there’s a strong likelihood that you have received at least one spam e-mail from me. I was not the first spammer nor will I be the last. I am one of many, a small part in the faceless and anonymous community known as spammers.
I am sure you hate the idea of me, and loathe the e-mail you’ve received from me and my kind. The e-mails that constantly ask you to “extend your manlihood,” or invite you to a new, crude pornographic site, which then invade and litter your in-box, becoming a chore to remove simply because of the sheer volume you receive.
This is my story, my chance to tell the world how I became who I am and why, and to shed light on the whole subject of e-mail spam. I’ll take you inside the Spam Cartel, deep inside the life of a spammer, showing real examples and techniques used to send spam, including how e-mail addresses are obtained. I want you to understand how a spammer works and why I chose to work in one of the most hated industries in the world.
Climb inside my head and get ready for the true story inside the world of spam.
It all started when I was six years old. My father had just bought a new BBC microcomputer and he and my sister showed me how to load and play games. At that age I found typing difficult, but enjoyed watching the screen. The simple line graphics amazed me. That was a turning point in my life. From that moment on, I was never the same. The fact of the matter was that I loved computers, and they quickly became a huge part of my day-to-day activity.
My father also became a keen computer addict, and was always bringing home new computers for me to play with. Consequently, my childhood developed alongside the newest technologies from BBC, to Amiga, to PC. I learned much from them, but the next huge turning point for me was in 1994, when we had a 486 and 28.8 modem connected to the Internet. At 14 I was connected to millions of other users and computers all over the world. Until this point, computers had just been about games and fun, but this gave it an entirely new dimension.
Apart from pornography and talking to new friends, I was given access to a wealth of knowledge. I became hooked, staying up until 4:00 or 5:00 a.m. surfing the Internet, reading everything I could find, and filling my head with millions of random facts. Although my parents occasionally banned me from the Internet for visiting “adult” Web sites, I always claimed that some random popup brought me to the site.
At this time in my life I was not overly social. Teenage years had begun to creep up and I became somewhat of an introverted “nerd” type who spent most of his time inside, always on the computer. My pale white skin was a clear indication of this. As for school, I barely passed any courses, but somehow managed to scrape through with a C+ average. I hated school; all the rules and constraints seemed to strangle me. I just wanted to be left alone with my computer in my own world. I spent most of my days at school mentally adrift, except in French class where I met another computer enthusiast. We spent every lesson in the back of the class talking about new games and throwing paper airplanes, generally uninterested in what was going on.
I also began a small business selling floppy disks of computer games and pornography to friends. This business replaced the classic childhood paperboy job; heck, I made more money than my friends did on their paper routes.
My English teacher bought Doom II from me for $20.00, and as none of my friends were on the Internet, they all easily paid $10.00 to $20.00 each for a disk filled with pornography or the latest computer game.
Some days my sole reason for going to school was to collect money. I would walk out with up to $200.00 stuffed in my pockets. I was 14, very resourceful, and equally cutthroat, but my parents had little idea of my money making scheme, although they once caught me copying a floppy disk full of questionable filenames. I blamed a computer virus for my mistake, claiming the disk must have been made by some kind of virus because “I sure as hell didn’t download these files.” My parents grudgingly believed my story, likely thinking I was just a curious teen, as I doubt they would have ever suspected me of selling pornography to my friends at school.
By 15 I was fully immersed in everything the Internet had to offer. My father, seeing my love for computers, had bought me my own and had a second phone line installed for Internet usage. With that, I doubt my parents really saw me from age 15 until about 17. My days were spent solely online. I left the house only if it was absolutely necessary, unwilling to venture too far away from my virtual world. Ten to twelve hours a day I spent typing away, and began learning programming languages starting with Visual Basic, C, ASM, and later C++.
I also began to experiment with the illegal side of the Internet. By now I was dabbling in hacking and network security as a side hobby. My school grades had not increased since I was 13, and for a personal chemistry project, I experimented with brewing beer, eventually producing gallons of strong ale. That didn’t help my situation, as I began skipping school and drinking a lot with my girlfriend and other friends. I didn’t see anything to gain by being at school; I was learning more on the Internet. My teachers often told me that I would never go anywhere, but this didn’t inspire me to learn. I gave up caring about my education and figured I could teach myself anything I needed to know.
I was definitely an angry teenager and would often perform a denial of service attack on my high school’s gateway, removing their Internet access at critical times during school hours. I enjoyed outsmarting the information technology (IT) technicians; it gave me a real kick to know that although I failed all of my classes I knew enough to take down their firewall. Friends of mine would call me up at home (when I should have been at school) to tell me they had to spend an hour in the library researching some new project on the Internet, and then ask me if I could “remove” the Internet for them so they didn’t have to do the work. Sure enough, without fail I could drop the school’s Internet access in a matter of minutes. The IT technicians there would have hated me if they knew I was the one responsible for the chaos.
I left high school at 17, keen to go work in the IT field. Although going to a university would have been nice and now I regret not going, my grades were far too poor; the only subject I excelled in was Computer Science where I scored 98 percent for my final mark (this surprised me a little since I never really went to class). I had no real qualifications or certifications, little clue about the real world, and a naive attitude that I could do almost anything. Strangely, I did not find getting work too hard and was soon working in a PC support role at one of the country’s largest .com’s.
I moved out of my parents’ home and rented an apartment in the city within walking distance to work. This opened up a whole city for me to play in. For a 17-year-old renegade hacker this was too good to be true. My job was great and my knowledge grew by leaps and bounds. Every day I learned something new, and every night I hacked a new network or service. After two years of working, I was the Senior Systems Administrator running 35 Linux servers, and a very adept hacker in my spare time. This is where spamming met my life; until this point I had never given it any thought.
I had always liked money, and always wanted to find ways to make more of it. Ever since my childhood business, I had known money was not hard to come by if you found the right product for the right person. Spam just seemed too foreign to me. I didn’t hate the idea of spamming, it was more I didn’t know how to get into it. As it turned out, spam found me in the form of an old friend who knew of my skills behind a keyboard (“Peter”). Peter asked if I would like to make $500.00 cash. I replied, “Sure,” although I had no clue what was involved. He asked me to break into a certain porn site’s database. I instantly thought “credit cards” and felt a little timid about helping. Credit card fraud wasn’t for me. I was shocked when he told me he only wanted the e-mail address of every subscribed member.
“Why?” I asked curiously.
To this I was greeted with, “Don’t worry, just get it for me.” I saw little evil in getting the e-mail addresses and figured he couldn’t do too much damage with them, so I accepted the deal.
It took about two days before I found and exploited a small flaw in the porn site’s network. I used this to slowly work my way into the central database server. I had always enjoyed hacking; I enjoyed that it took me back to my high school days, the feeling of outsmarting a “security” professional. In my opinion, it’s better than any drug.
“Select e-mail from members;” I typed into the SQL client.
With that, pages and pages of e-mail addresses began to pour over the screen at great velocity. I captured all the addresses (around 800,000 in all) and sent him the list along with my PayPal account for payment. A day later, $500.00 showed up in my account with an e-mail thanking me for my hard work.
“Damn that was easy,” I thought.
My curiosity had gotten the better of me, though. I really wanted to know what he was doing with this list of e-mails, so I added two of my own e-mail addresses into the list before I gave it to him. Both accounts were freshly set up at free e-mail providers. A few days later, I went back and checked those e-mail accounts; to my shock, they each had 25 new spam e-mails. Both accounts were identical, with the messages sent within seconds of each other. He was obviously a spammer, and I had just supplied him with a new list of potential customers. It made sense, but I failed to see why he kept his intentions so quiet. As long as he paid me I didn’t really care what he used the e-mails for.
But I wanted to find out more, and sent Peter an e-mail asking him about spam. Once he saw that I was not part of the “anti-spam” campaign, he opened up and began telling me how he was sending the spam, who for, and some of the tricks of the trade. Peter was sending the e-mails through a few hundred open SOCKS proxy servers and was spamming for other porn sites. He said that e-mails of pornography users usually give good returns because you have a semi-targeted user base: Send perverts perverted content; it made sense.
I liked his attitude as well. He did not really care about the people he was sending spam to; he needed the money and had found a semi-legal way to get it. In my opinion, spam was much better than stealing credit cards or robbing people on the street. I didn’t force anyone to buy the products I spammed; they did it of their own free will. The trick was controlling or directing that will through marketing.
A few days later, Peter told me that over 120 people signed up for the various porn sites. One-hundred and twenty out of 800,000 didn’t seem like much to me, but with each signup making around $50.00, I soon saw the profit in it. He sent the e-mails in Hypertext Markup Language (HTML) format and used his own cable modem to host the pictures that he linked to the spam. Thus, the “potential customer” was greeted with an alluring picture and a link to “Want more?” to entice them to the main site where they would hopefully buy a subscription. It all seemed so easy and I was very keen to try it. I figured if he could do it, so could I!
And so it began.
My first spam run was exciting; I used the same list I had sold to Peter and a few insecure SOCKS proxy servers I found on the web.
The e-mail was just a standard HTML page with no pictures, a random title, and a link saying something like, “Keen to see hot lesbians having fun?” The link went to the site I was promoting with my “referral” ID on the end of the URL:
<HTML>
<head>
<title> Have you seen the apple ax91231? </title>
</head>
<a href=http://www.lesbianpornsite.com/?wc12111> Keen to see hot lesbians having fun? </a>
</HTML>
I can’t even remember the program I used to send the spam; I think it was some poorly written Russian application. I remember it took over 10 hours to send the e-mails as they slowly chunked through the open proxy servers I had found. The proxy servers were mostly in Asia, Japan, Korea, and China, as I figured a non-English speaking country was my best bet.
It seemed that by that point everyone on the list I e-mailed was sick of spam and, more importantly, sick of buying pornography, since I only received one signup out of 800,000 e-mails. I suspect spam filters also played a part in dropping a large majority of the spam during my novice approach. Words such as “hot lesbians” and my simple HTML style with only one link would cause it to be flagged as spam, not to mention the questionable host in Asia it came from.
But that’s how it played out. I never really had any idea of what I was doing; I just threw myself in and began doing it. Over the next two years, I sent a lot of spam and learned a lot of new tricks. I figured out how spam filters work and how to get an e-mail through them. I also studied the psychology behind spam; how to make someone really want to buy your product and not just delete the e-mail. Most importantly, I learned how to obtain fresh contacts to send spam to. My background in hacking and programming helped greatly, as I was soon breaking into many large corporations and stealing their customer list or newsletter subscriber list.
By this time, spam had begun to make me some serious money. It was common for a one-million e-mail spam run to make me $3,000.00 or more. In spam terms this isn’t much; I have heard of spammers making tens of thousands of dollars a week. But for me, working one to two hours a day on spam was more than enough. I still had a day job, so between my two incomes I was doing well for myself.
I began taking my girlfriend out to dinner to classy restaurants, buying myself new computer gadgets and overseas trips, and generally indulging in things that before were out of my price range. I loved having money and being able to order the most expensive bottle of wine on the menu or walk into a store and say “that one” without even glancing at the price tag.
I have also learned a lot about other people from sending spam. For one, I found out just how much everyone hates spam and spammers. I once told a friend of mine over a few drinks that I had taken up sending spam and how well it was going. I tried not to sound too boastful and explained that I needed money as much as the next guy. My friend looked at me with scowling eyes and I could see his respect for me had noticeably diminished. He quickly changed the subject to avoid an inevitable argument about the logistics of spam. Ever since then he has acted distant and I hardly see him now. I think to him I became one of the many nameless, faceless spammers that litter his in-box.
My girlfriend often asked me if I would end my spamming career and the “dodgy” life that accompanied it. She tolerated and accepted me but did not approve of my actions. She worried that I would end up in jail one day. I told my father once that I was sending spam. He said he was greatly disappointed that I had decided to “use my intellect for such a low and worthless task. You could do so much more,” he said with a saddened voice.
Even with people in my life condemning my actions, I continued to send it simply because the money was amazing. I could make more per hour than any day job ever could. It seemed crazy to turn down a good thing. The world is, after all, money driven. Would you turn down a $1,500.00 per hour job that was dead easy? I really failed to understand why people hated spam and spammers so much, but let me explain how I saw it.
In an average day, I see maybe 50 pieces of spam. I see it when I walk down the street on billboards and signs. I see it when I turn on the TV, play a computer game, or check my e-mail. Spam is everywhere, but it doesn’t bother me. In many cases, I learn about new products, offers, or interesting TV shows. It’s passive and hurts no one (it’s not like anyone dies from spam). I do find it interesting though, that no one ever says how much they hate Coke or Pepsi for force feeding their brand name down everyone’s throat.
The general public only seems to hate the individuals who directly make money from spam. Is it jealousy that can be directed toward a nameable person and not just some faceless corporation, or is it simply the fact that you treat your e-mail in-box as “private” and spam as an invasion of your privacy? If this is the case, isn’t your mind the most private thing you have? I am shocked whenever I play some new computer game to find that my character can heal himself by drinking a Coke! This is subliminal spam infiltrating the sanctity of your mind without your permission. Yet no one complains half as much about an e-mail that can be deleted in less than two seconds.
I think e-mail spam is as useful as the advertising on TV, radio, and billboards. It obviously has its place because so many people buy the products that are advertised in spam. It’s helping the companies who are trying to sell their products online. If spam was not needed and no one bought any products sold via spam, spammers wouldn’t send the spam. It seems ironic that within the general population that is unhappy with spam lie a large number of people making sure the next wave of spam is sent. My advice to you is this: if you want to stop spam, don’t buy products from spam e-mails!
A question I am asked fairly often is if I have any remorse or regret for sending so much junk into the Internet, adding to the already polluted online world. The answer is no. Every e-mail I have sent has been a legitimate offer for a product or service. No scams or rip offs; it’s the online equivalent of the “Home Shopping Network” on TV. The viewer decides if they would like to buy the product based on my selling technique. The products are legitimate no matter how crude or useless they seem.
I know this is not the case for all spam. A large percentage of spam originates from con artists and thieves trying to make a quick and crafty sale. During my time as a spammer I never supported such activity (so I guess I have some morals). However, I see nothing wrong with trying to sell a legitimate product to someone. The only aspects that could cause problems are that you didn’t want to hear from me, and don’t know how I got your e-mail address (which in some cases could be deemed illegal). That aside, I was just a marketer. I was no better or worse than the cheesy guy on TV selling Ginsu knives and abdominal workout machines.
I do understand that spam costs a lot of people a lot of money. Every message I sent increased the demand on servers and bandwidth and required more spam filtering to be installed. Most Internet Service Providers (ISPs) offer a “spam-guard” service where for $10.00 a month you can have 99 percent of spam filtered. I know I helped trigger the need for that $10.00 a month. I also helped initiate the system administrator’s need to have to work late maintaining spam filtration servers and the company having to pay more to increase their bandwidth capacity to deal with the spam. Recent statistics place the total cost of spam for corporations in the U.S. alone at 8.9 billion dollars annually, while home users spend $255 million on spam prevention software a year.
But still, my mantra was set: send spam, make money, spend money.