Case Analysis:
-1- The case for this chapter is split in two to stress an important point. In studying spamming, one must consider both:
- the dry technical side, illustrated by the sobig virus story, and
- the human factor, so well personified by brazen Scott Richter
Downplaying one aspect or the other, by natural inclination or pure ignorance, would only help to perpetuate the phenomenon.
-2- Overlooking its technical jargon, one can find two important lessons in the sobig virus story.
- dynamic evolution: it is the familiar battle of ever more powerful guns and ever more resistant armor. The professional spammer must be prepared to seize opportunities quickly and mutate his or her methods constantly to stay ahead of security. Conversely security specialists must remain aware that their game is defensive by principle and that the dark side enjoys the advantage of the initiative
- convergence of hacking and spamming : hackers used to be free spirits, obsessed by the technical challenge, while spammers were the latest incarnation of boiler room scam artists. No more. Spamming is now big business, organized by slightly twisted entrepreneurs who know how to combine the technical expertise of hackers and the marketing power of the Internet.
According to law enforcement sources, organized crime has already started to acquire or push aside these entrepreneurs (source Michael Cohn) and, following globalization, operates from overseas (source Michael Cohn).
-3- The map used in presenting the lawsuit against Scott Richter brings another key to understand how spamming works: obfuscation by multiplying the intermediaries, in a multi state pattern at the minimum, preferably worldwide. In the instance, the network was four layer deep, from Synergy 6 (New-York) to OptInRealBig.com (Nevada) operated by Scott Richter (Colorado) to Delta Seven Communications (Texas and Washington State) to compromised machines (worldwide).
Once a spamming infrastructure is in place, it is easy to share with partners, allegedly the case for the other five defendants from Florida, California and Ontario (Canada). Notice that the information given does not indicate whether the sharing was the result of some business relationship or the result of an independent detection of a compromised computer, most likely as an open proxy.
Depending on the perspective, the use of affiliates and partners is seen to be either a source of problems, when dealing with compliance issues (see previous chapters on healthcare and protection), or a precious trump, when hiding from detection.
-4- It is highly probable that Scott Richter did not seek to be blacklisted by the SpamHaus Project and sued by Microsoft with the help of the New York State Attorney General. But once under the spot light, he certainly lived up to his reputation as King of Spam.
Self-justification is an important part of the psyche of any shady character. And it is useful to listen to Richter's position because good self-justification is always anchored in reality:
- "I do not spam": indeed spam can and has been given many definitions, allowing shady actors to add their own, self-serving interpretation to the list
- "anti-spam organizations spam": right on again if you have a good tolerance for spin and a liking for irony. SPEWS, an anti-spam anonymous organization with a wide audience, acts as prosecutor, judge and jury without possibility of appeal and does decline to provide an address for spammers to "opt-out" of their target list
- "we are CAN-SPAM compliant": actually Scott Richter misread the law which, at least, bans the deceptive spamming practices which are the only reason for his complex layered network
- "we're not doing anything that Fortune 500 companies don't do": I can bear witness that otherwise reputable organizations do interpret almost any contact as an opt-in for their newsletter, Internet Service Providers (ISP's) being the first culprits. Some will explicitly bundle an opt-in with their services, leaving no choice to their clients besides a later opt-out. While this behavior is nothing but legalized spamming, they do not, however, engage in deception.
- "companies need that service, and companies need that business": that is perfectly true, spammers operate strictly for profit and would stop immediately if they lacked business
One may think that it is good enough to nail Scott Richter on CAN-SPAM compliance. But ignoring the other four points would provide spammers enough justification to forge ahead with a clear conscience.
-5- Cutting through self-serving public relation banter, one quickly discern the sole motivation: money.
- Scott Richter's company, OptinRealBig, had about $20M revenues in 2004 (source: Brian McWilliams) and, legal entanglement aside, must have been highly profitable.
- "a spammer can often expect to receive anywhere from a 25 percent to a 50 percent commission on any sales of a product that result from a spam campaign (source: Tom Zeller (New York Times), January 2005, quoting Richi Jennings)
It is important to notice that the products and services sold through spam campaigns are not illegal in themselves. While some commentators consider those who respond as victims, it is impossible to agree with them without extending the victim status to all those who respond to direct marketing sollicitations. This actually cloud the real issue: the cost of spam-based marketing is borne neither by the customers nor by the marketers, but by aggravated third parties. This is just another example of an economic system which allocates benefits and costs to separate entities, a sure recipe for catastrophic behavior. When, as in the case of spam, a collectivity is the party bearing the costs without receiving the benefits, this situation has been called "The Tragedy of the Commons" by Garret Hardin.
The use of spam for confidence scams such as phishing (see chapter I-1 on ID theft) is of course a special case. There the goal is not to sell anything but to steal either money, confidential data or both from respondents who are indeed victims. If identified, these spammers will be prosecuted in priority for the latter, more serious offense.
-6- Would be spammers should consider Scott Richter's fate as par for the trade. Truly professional criminals understand that jail terms are a less desirable but very real aspect of their occupation. Similarly being hunted by watchdog organizations such as SPEWS or the SpamHaus Project, blacklisted by ISP's and at the receiving end of lawsuits must be taken as unavoidable by spammers.
Facing this danger, spammers can choose between three courses of action:
- a short, limited activity, in the hope that the resulting reaction will arrive after the benefits have been reaped and transferred out of reach
- a prolonged activity, based on the ability of mutating organization as well as techniques to stay ahead of the chase, making sure that publicity attaches only to discardable components
- a temporary, frenetic activity based on an explicit exit strategy, which exploits anticipated public discovery to maximum advantage and convert it into free advertising for a subsequent, legal business
Scott Richter may have been forced into the latter by circumstances rather than choice, turning OptinRealBig into a legitimate Internet-based direct marketing business at optinbig.com. And it remains to be seen how successfull his new business will be. But, in an interview in the Financial Times (The executive who has made the most of facing the music, July 2005), Wayne Rosso essentially boasts of having followed this strategy as he launched Mashboxx after turning Grokster's legal troubles into a cause celebre (see chapter IV-3 on copying). And shouldn't the sales of Skype for a base price of $2.6B be partly attributed to the legal adventures of KaZaA and its founders, Niklas Zennstroem and Janus Friis ?
While one may consider such a successfull exit strategy as rewarding crime, one may also wonder if the transformation of shady economic models into legitimate ones is not preferable to the forecasted alternative, descent into organized crime.
General Comments:
-1- We pointed out in the case analysis above that spam is not a well defined notion. One is referred to the SpamHaus Project for a discussion and the Wikipedia encyclopedia for further analysis.
Both the SpamHaus Project and the author of the Wikipedia article define spam as unsollicited bulk email. According to this definition, the CAN-SPAM Act (see chapter II-2 on marketing) can be interpreted as legalizing spam. Quoting EPIC, CAN-SPAM finds unsollicited commercial messages legal as long as they "include notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender".
One must realize the definition of spam depends entirely on the author's perspective. By considering that unsollicited email is not spam when it is not sent in bulk, the SpamHaus Project implicitly takes the position of ISP's. By legalizing unsollicited bulk email when it is sent under deceptive practices, Congress implicitly takes the position of businesses. In this context Scott Richter's declaration "I do not spam, others do" can be seen as reflecting the position of spammers.
The position of the individual user ought to receive more recognition: for us, a commercial message should be considered spam whenever an individual receiver determines it is unwanted. In so doing we adopt the definition of CAN-SPAM (see chapter II-2 on marketing) for commercial messages so that bills, clearly unwanted by the receiver, are not deemed to be spam since they are transactional rather than commercial.
Indeed for the individual user, the fact that a spurious message has been sent in bulk is meaningless: it is still spam even if no duplicate has been sent. On the other hand the fact that a advertisement, e.g. for specific pharmaceutical drugs, has been unsollicited is irrelevant: if the receiver is interested, it is not spam.
The issue behind our definition is how to ascertain the receiver's interest in advance of sending each message. Only a genuine opt in can provide it, which begs the question of how to get opt in from a prospective receiver without solliciting it from him or her in the first place. Such a catch 22 situation explains why US businesses prevailed on Congress to settle for opt out as well as the practice of "bundled opt in" by otherwise reputable companies in Europe.
-2- When a company collects genuine, individual opt in consents from its customers and prospects, it engages in reputable, Internet-based direct marketing. This activity does not constitute spamming by any definition and is therefore outside of the scope of this chapter.
-3- As explained above, it is possible to spam while staying within the law. This approach is especially useful for established businesses which seek to get repeat sales from one time customers, whether concerning an upgrade, a replacement or simply another product, related or not.
Legal spamming consists of two steps:
- email address collection
- bulk email sending
The first step itself may take different forms, of decreasing reputability.
- run a user registration page within a web site, collecting user opt in at the same time
- use an internal customer database
- buy address lists from a list broker
- trawl the Internet for addresses
It is then advisable to contact one's ISP to make sure one abides by its so-called "acceptable use policy" (AUP). Remember that many ISP's claim to reject "unsollicited bulk email" and the less reputable the address collection, the more likely an ISP will object.
From an individual point of view, the crucial step is also the first one: how has his or her address been collected? The two most reputable methods to collect addresses are each subject to a stretch by organizations which allow them to run legal spam through the strictest AUP:
- the first stretch is to interpret the presence of a name in any internal database as a proof of an established customer relationship, a legal substitute for a formal opt in (see chapter II-2 on marketing)
While obviously all past interactions do not represent a currently desirable relationship for the receiver, this practice is general and goes a long way to explain why Amazon.com adamantly refuses to purge its databases of names even upon request (see the case of chapter II-3 on safeharbor).
.
- the second is to bundle opt in, an useful option for European companies.
Here is an example, courtesy of voyages-SNCF, the online travel agency of the French railroad company.
If you try to order a ticket or make a reservation, you will get to a page which includes the following checkbox:
"By ticking this box I acknowledge having read the SNCF Conditions of sale and I accept them."
Under the heading "Applicable Law", the corresponding page further specifies:
"Voyages-sncf.com may contact you with information on their new products and update you on offers which may be of particular interest to you. If you object to this, check box.
In order to use our services, you acknowledge that you have read our Terms and Conditions of use and sale."
However Voyages-SNCF deftly omits the checkbox by which you may object to being contacted in the future while processing the checkbox by which one accepts its terms. This stretch forces you to either refuse the service entirely or give your consent to receive spam until you opt out of the messages. Bundled opt in is no better than the opt out option required by the CAN-SPAM Act.
-4- Companies with insufficient bargaining power might find difficult to stretch address collecting scheme without running afoul of AUP's. If the company keeps within the law but falls under the ISP's definition of spam, its activity constitutes a grey area which we dub semi-legal spamming.
Like legal spamming, it is based on email address collection and bulk email sending. But both steps present significant differences.
- Since the spammer intends to stretch AUP's with no regard to their breaking points, the goal will justify any means used to collect email addresses. However it is good practice to always pretend having gotten an opt in from the receivers. For example claim that consent to receive mail from the spammer is given:
- as soon as the email address is published on an Internet accessible page
- each time the email address is submitted to an organization, no matter the reason
List brokers are especially boosted by this argument and may run sites specially designed to gather addresses against some enticing promises: free content, free email account, games, sweepstakes... Notice that such a rationalization is really a stretch of bundled opt in, itself a stretch of opt in.
.
- Bulk email sending must be prepared with the knowledge that the ISP may object, terminate the corresponding account and, since the spammer does not engage in deception at this stage, make it difficult for the spammer to reopen a new account. To mitigate the risks, one may:
- use the services of the more spam-friendly ISP's, according to their formal AUP's and the degree to which they enforce them
- establish service with another, back up ISP, in anticipation to account termination by the current ISP
- legally separate the beneficiary of the spam campaign from the implementor of the campaign, to make the implementor a discardable entity
- establish another, back up corporate identity for campaign implementation, in anticipation for a rising tide of opt out requests by receivers, addressed to the current implementor
Once the beneficiary and the implementor of spam campaigns have been clearly separated, it is a small step to let the implementor, whether it is still controlled or simply outsourced, implement an illegal spamming scheme.
-5- The problem with legal and semi legal spamming is that a whole industry has been created to allow ISP's to "filter out" spam based on its provenance and content. As a consequence abiding by the CAN-SPAM law exposes spammers to these blunt filters which generate as many false positives as there are interested receivers, an extreme case of the trade off mentioned in chapter I-2 on credit fraud. The next step is consequently to break the law and resort to deceptive practices to hide both provenance and content.
By ignoring all scruples, an illegal spam campaign turns the above extreme trade off upside down: as long as a few interested receivers can be found to make it profitable, the campaign will gladly blanket the world wide web with false negatives.
-6- The reader may get the impression that, as long as spam is not a means to a more criminal end, the whole issue boils down to some academic dispute on how to implement pattern recognition and that spamming is just a matter of degree, rather than of principle: everyone spams to some extent and defines spammers are those who happen to spam more.
Such an impression is accurate. As long as costs and benefits are borne by distinct economic agents, Internet mail promotes escalation, in the instance towards saturation by noise. Arbitrary charges which would deter spammers but would not correspond to actual costs are not a good solution for competitive pressure among agents, whether individuals, organizations or countries, will always erode such disguised tax schemes.
We suggest that the solution lies in reversing the way email works. Rather than being based on sending, with all the run away consequences of its vanishing cost, a stable email service should be centered on filtering. Receivers would set up their own, individual filters in order to receive mail but instead of acting after the fact, in pattern recognition mode, these filters would be downloaded and processed at their own cost by each potential sender, in declarative mode, in order to receive permission to send and reach each individual receiver's mailbox. In this perspective service is not for transport but for genuine, personalized, permission marketing.
This approach would solve the three major issues we have encountered in our analysis of spam:
- to replace bulk mailing by bulk filtering, a commercial sender would require an implementation combining both a true cost and a true value
- opt in would result from receiving and satisfying the individual filter ahead of sending a message, solving the catch 22 situation of obtaining opt in without solliciting it in the first place
- the incentive to cheat in order to send email to receivers known to be uninterested would be rather low since the same filters would automatically deliver a much higher yield target
Solutions:
Neither legal nor semi-legal spamming require complex solutions. As illustrated by the first half of the case, illegal spamming based on deception is much more involved. The following "solution" on how to engage in illegal spamming is not intented to make it easier to spam but to explain how it is done for better prevention.
While part of this knowledge may seem to have dual use, one is reminded that true professional spammers shy from widely known public knowledge, easily marshalled against them by security experts. The real danger comes from security experts who reveal previously unknown security flaws before the corresponding fix has been widely distributed. David Perry, director of education for Trend Micro, is quoted by Matt Richtel (New York Times, August 2005) as saying:"the authors of Zotob, on learning of the vulnerability [from Microsoft], had apparently created an effective worm in only a few days". The necessity to warn users to fix a flaw and the inherent delay before they follow through obviously creates another catch 22 situation which exposes the Internet to new "day zero" exploits from highly reactive hackers.
Illegal spamming still follows the two-step pattern of gathering addresses and send bulk email to them. The whole process is much more involved however in view of the technologies used to avoid detection.
Gathering Addresses
Modern illegal spamming is based on the tools perfected by hackers to remotely penetrate computers, get access to the data stored there and harness them into attacking yet more computers via the Internet. Such capabilities can be used in gathering addresses, beyond more benign methods previously described:
- either directly, by reporting the content of address books, address directories and address-containing files back to the attacker
- or indirectly, by automatically forwarding the payload to those addresses on behalf of the attacker
Directory attacks, in which a spammer generates exhaustive lists of possible names, such as John-Doe@target.com, Peter-Doe@target.com... can also yield real addresses:
- either indirectly, by delivering the payload to those addresses which are in actual use
- or directly, by tricking the receivers into sending a response, e.g. to be taken from the distribution list, the opt out option being twisted into phishing
Large companies make for attractive targets as they harbor extensive address lists from online customers and prospects and present a higher chance of success to directory attacks.
It is also possible to pay an insider for the information. In August 2005 a former AOL employee was sentenced to 15 months in jail for selling 92 millions of AOL email addresses to a spammer for $28,000.
Hiding provenance
The principle is easy: one hides return addresses and other routing information manipulated by mail standards by controlling the software implementing the standards, or simply steal Internet user identities.
In practice one may:
- run the anonymizing software on the premises, but this is insufficient as the IP used can be tracked down
- use an anonymizing service, but most advertised services take the protection of individual rights as their mission and are likely to be rather intolerant to spammers
- use known open relays or open proxies to provide the same service, but their IP addresses are likely to be blocked for that very reason
- find unknown open relays or open proxies before their IP addresses are spotted and black-listed
- capture insufficiently protected computers through their Internet connection and install an open proxy program on them
- capture email accounts by getting the corresponding password from innocent victims of a phishing attack on ISP's users
The latter three possibilities are the most current.
Worms are used to find exposed computers, using random IP searching and systematic port scanning, and infiltrate them. Whenever the worm succeeds, it installs a trojan which will allow the spamming ring to turn the computer into a so-called zombie, either for propagating the worm further or for address collection or as an open proxy.
In actual practive, one chains several anonymizing steps together to increase the difficulty of tracking a mail back to the original sender.
The latter use of phishing feeds a vicious circle by which spam is used for phishing and phishing for sending more spam
Hiding Content
Again the principle is easy. Filters are based on keyword matching, either on the title or the body of the message. One needs only to avoid trigger words or expressions.
One may use one of two ways:
- imaginative misspelling, another example of the inherent difficulty of text processing already encountered in chapters I-2 on credit fraud (misspelled last names), I-3 on ambush marketing (domain name variants) and II-2 on marketing (list scrubbing)
Where the filter sees gibberish, the receiver will see the brand name of some pharmaceutical product.
- image-based content, a twist on a method often practiced by ISP's themselves to deter bulk mailers.
before delivering a message, the ISP may issue a challenge containing a unique number hidden in an image field and request the sender to report this number, thus defeating automatic bulk mailing
in the following example , the alleged sender "Brittany" hides the payload in a gif file attachment, which will be ignored by the filter, while using a thoroughly anodyne text for the benefit of the filter.
Keeping Spamming at Arm-length
Since the spammer uses deception to hide its identity, the user must of necessity be prompted to contact a real web site to place an order.
If the activity at this web site is not criminal in itself, as phishing would be, it makes a lot of sense to keep this quite visible beacon above all suspicion while avoiding unnecessary proximity to the law.
Assuming the legal side of the operation has thus established deniability relative to the dark side of the operation, there is still no guarantee blacklisting or worse from anti-spam vigilantes will not occur. In all cases one must plan for a short site life. We will never know if Brittany was a scam or just a spam. While the underlying site, peachhealth.info was registered in Korea to someone with an address in Croatia, it disappeared exactly a week after I received Brittany's spam.
Keeping one step ahead of Anti-spam forces
Let summarize here the different obstacles which await the would be spammer (see the SpamHaus Project):
- list of known spammers, definitely to be avoided if the information is accurate unless one is safely out of reach of the law
- list of IP's suspected of facilitating spam, a drag on resources even when the corresponding resource is a zombie computer since it still has to be replaced
- spam traps, a variant on the honeypot concept, whereby a computer is set up as an open proxy while severely guarded to prevent damaging usage while gathering information on those who have discovered it.
Tools available:
Note that classifying tools between offense and defense is misleading because of the dual nature of knowledge.
for offense
Legal spamming may involve little more than moral stretches, using existing web sites, customer data bases and ordinary email but scale consideration calls for using bulk mail software (see this Google search) or bulk mail services (see this Google search).
Semi legal spamming exists in a grey zone where one encounters Internet list brokers (see this Google search), Internet direct marketing specialists (see this Google search and bulk mail services (see above).
Rather than bearing a judgment on a profession as a whole one should size up companies and rather than sizing up a specific company on principle, one should concentrate on their clients and current campaigns. Actual practice is what distinguishes between a genuine direct marketing operation, a legal spammer and a semi legal one.
Illegal spamming can benefit from anonymizing software (see this Google search) and proxy software (see this Google search).
However the best results will come from using experienced operators (see the SpamHaus Project top spammer list). Remember that such operators are best approach in discrete dark rooms over the Internet. Remember also that each time the URL of one such convenient meeting place is made public, it looses its value immediately. And remember also that, if you can find a dark room, anti-spammers vigilantes and law enforcement agents have probably found it too, which makes for interesting interactions.
Hard core entrepreneurs may want to bypass the expense of third parties and build his or her own spamming network. There are two good sources of knowledge available:
- libraries of known pests (virus, worm, trojan) gathered by security software companies (see chapter III-1 on protection)
- security warnings relative to software flaws from leading office software manufacturers and security software companies
By hiring disgruntled employees or recent ex-employees from those companies, one may gain an insider's view on organisms which, like in nature, may provide the basis for new, more potent mutations.
for defense
A number of defensive tools are mirror images of what precedes. Anti-spammers seek to hire former hackers (source Jennifer Leclaire in TechnewsWorld, August 2005) and all Internet users can benefit from anti-virus software (see chapter III-1 on protection) .
More specialized tools include:
- alert services of current spam waves (see for example the SenderBase Network)
- data bases of known sources of spam aka DNSBL. Repeating the list of resources given in the chapter cover page:
- specialized honeypots mimicking an open proxy (see proxypots by Ryan Barnett)
- spam filters (see Wikipedia list of mail filtering software)
- secure email systems (see this Google search)
A last word must be said on the possibility raised at the end of our "General Comments" to create a "filter-base email service".
tEC, the Electronic Confident, by ePrio Inc., has already been described in chapter II-2 on marketing as a solution for sending personalized emails which requires neither opt in nor opt out. By design no mail is sent from an individual sender to an individual receiver unless the sender is pre-approved by the relevant filter as declared by the receiver and downloaded by the sender. tEC is therefore one implementation of this solution to spamming.
a link to an organisation, public or private, does not represent an endorsement and no compensation has been received nor sollicited by the author for its inclusion.
|