In the late 1990s Robert Soloway made US$20,000 a day as a spammer. He drove fancy cars. He wore Armani clothes. He was, by all accounts, one of the most successful spammers on the planet. But if he were starting out today, he’d find some other line of work.
In 2011, spamming just won’t pay the bills. “It’s not something financially feasible for anyone to even consider,” said Soloway, who was released from the Federal Correctional Institution in Sheridan, Oregon a few months ago, after serving almost four in prison for spamming.
For a time, his business was good. He spammed people to advertise his company, Newport Internet Marketing, which in turn offered a full range of spamming services for the unscrupulous marketer. $195, for example, would buy a 15-day spam run targeting 2 million addresses. Those with more cash could pay $495 and the Spam King, as federal prosecutors called him, would hit 20 million in-boxes.
But Soloway now says that even before federal agents arrested him four years ago, spam was a losing proposition. In 2007, “when I had 10 years of experience and knew every possible way to send out spam,” he was still losing money, he said.
His problem? Spam filters had become too good. In 1997 Soloway was making his $20,000 a day with just one Earthlink account and a single mail server. Ten years later, he had hundreds, perhaps thousands of accounts, computers and Internet domains which he used to play an increasingly complex game of cat-and-mouse with the anti-spam crusaders trying to shut him down. When he finally stopped, he was making just $20 per day. “That should tell you how effective the anti-spam community has become,” he said.
With each passing year, the reports of criminal activity on the Internet seem to get more disturbing. Distributed denial of service attacks knock entire nations offline; criminal gangs make off with hundreds of millions of dollars using stolen bank card data, a nation’s nuclear ambitions are thwarted by a new type of computer worm.
But lately a ray of light has cut through all the gloom. Spam — the Internet’s original sin — dropped for the first time ever at the end of 2010. In September, Cisco Cisco Systems’ IronPort group was tracking 300 billion spam messages per day. By April, the volume had shrunk to 34 billion per day, a remarkable decline. “The largest spam-sending botnets are being shut down and a lot of the big pharmaceutical spam has disappeared,” said Nilesh Bhandari, a product manager with Cisco.
Spam watchers say a handful of high-profile arrests at the end of 2010 put a dent in the business, but there may be a bigger issue: E-mail spamming, at least in its traditional form, may not be as profitable as it once was.
“You don’t see a lot of new blood coming to the table,” said Joe Stewart, a researcher with Dell’s SecureWorks group. Every year or two Stewart takes a look at the top spamming botnets on the Internet. He analyzes spam messages and tracks down the networks of hacked computers responsible for sending them out.
This year, the news was that there was no news. Stewart didn’t find any new spam botnets. “Everything that is spamming today is pretty much what was spamming two years ago,” he said in February when he released his latest report.
There was a brief, halcyon day when the Internet, or rather its precursor, the Arpanet, was spam-free. But then a Digital Equipment Corporation marketer named Gary Thuerk decided to let a few hundred Arpanet users know about his new DecSystem-20 mainframes, and it was downhill from there. When consumers flocked to the Internet in the mid 1990s — Soloway’s glory days — the open online culture provided a breeding ground for fraudsters, and soon the vast majority of all messages on the Internet was unsolicited commercial e-mail.
Until recently, spammers were in an ugly war of attrition. As spam filters got better and better, spammers bumped up the volume of messages they pumped out. If a fraction of one per cent of a million messages get through, that’s not profitable. Make that a billion messages and the money starts to add up. But it now seems as though this war of escalation has subsided; not because the spammers have given up, but because the game is changing.
U.S.-based spammers have all but disappeared, scared off by prison sentences handed down to the likes of Soloway under the 2004 CAN Spam act. Even overseas there has been progress. In the past year a series of spam-spewing botnets — Waledac, Pushdo, and most recently Rustock — have been taken offline thanks to the efforts of law enforcement and private security researchers. And in October 2010, an affiliate marketing website called Spammit closed its doors. It was used by spammers pushing online pharmaceuticals, and was a major source of income for many spammers.
That’s taken a big dent out of spam, but the nature of the business has evolved. Once a source of irritating commercial marketing messages, unsolicited mass emails are increasingly being used by scammers and criminal hackers to ply their trade.
No longer is spam just a way to sell pornography or cheap pills. Spam messages are being used to install malicious software, and for a targeted form of spamming called spearphishing that has become a particularly effective hacker technique. A spearphishing attack opened the door to RSA security and helped hackers to compromise the security of RSA’s SecurID tokens.
Spammers may be getting more crafty, too.
“There has been a decline in what we’re getting in our traps, but what we’re seeing that’s out there is smarter spam,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. Warner helped set up a massive database at the university that vacuums up as many as a million spam messages per day.
Take Feb. 14, for example; Valentine’s Day. Instead of the usual Viagra or Rolex spam, Warner saw a flood of messages advertising a legitimate florist — FTD. That’s a more targeted form of spam than what his team would typically have seen a couple of years ago. And the spammers were directing people to a legitimate Web site — FTD Flowers — making their money from Web marketing referral fees. If the spammers succeeded in reminding just a few absent-minded spouses to order flowers, they could make money
Another example of smart spam? Those strange emails that come from friends, telling you to visit an online pharmacy or watch a video. Criminals break into Hotmail or Gmail accounts and send messages to every one of the victims’ mail contacts before anyone realizes. This type of spam — sent between two people who know each other — is much more likely to evade filters.
Scammers have taken this game to Facebook, YouTube, and Twitter too. Sometimes they send @messages to their targets. Other times they hack into an account and use it to send out their messages. That’s what happened last week to “Shaun of the Dead” actor Simon Pegg’s Twitter account. It was used to spam out a Trojan horse program disguised as a screensaver to his 1.2 million followers.
The hunt for new ways to pump out unwanted messages is a natural evolution. Old fashioned e-mail isn’t the ubiquitous connector it once was. According to the Pew Center for Internet Life, young Internet users shy away from e-mail, preferring texts and instant messages. Pew’s December 2010 Generations report on Internet usage found that 70-year-olds are now more likely to use email than teenagers.
In an effort to reach these younger Internet users, scammers have turned to search engines too, poisoning search results by gaming Google or Bing.
“People are spending more time on Web properties than they were four or five years ago,” said Paul Judge, chief research officer at security appliance vendor Barracuda Networks. The result is that search engine results are becoming cluttered with blatantly commercial or useless pages, in much the same way that email boxes were flooded when spam first spiked about a decade ago.
Scammers know how search engines work, and they work hard to get their dodgy pages to pop up near the top of search results. They bombard online forums with links to their pages or hack into websites to add links — all in an effort to boost their Google ranking. For less than $100, crooked marketers can automatically add 10,000 links –typically from the comments section of blogs — to whatever webpage they want. This can quickly push a webpage to the top of Google or Bing’s results.
This doesn’t only lead to bad Web-searching. Sometimes it means that people get hacked. In fact, the number of malicious Web pages that use search engine optimization tricks to lure visitors nearly doubled between June and December last year, Judge said.
Even spammy Web pages that aren’t malicious, the ones slapped together with stolen or low-quality content, are becoming a problem. Earlier this year Google was forced to acknowledge a “slight uptick” in spam pages, and said it was trying new tricks to exclude unwanted pages from its results.
Spam is morphing. So while the spam boom that kicked off in the late 1990s may finally be abating, that doesn’t mean unwanted mass emails are going away. It’s still an effective way for scammers to quickly and cheaply connect with millions of people they don’t know, and convince them to buy something they don’t need or to go to a Web site they should really avoid.
On Monday, Cisco’s IronPort group tracked more than 45 billion spam messages. That means spam accounted for 86 percent of all the email on the Internet that day. In a recent report, Symantec pegged spam at 73 percent of all email. But both companies agree that it’s at its lowest levels in years.
Robert Soloway believes spam will never die, so long as email is free. But the barriers to entry are getting higher. According to the former Spam King, people will try it out, then once they realize how hard it is to make it big, most will move on to something else.
But those who have found a way to make money will be around for a long time, said Dell’s Stewart. They may be dinosaurs, but “they’re dinosaurs that are still making money,” he said. “I don’t think they’re going to quit.”