Spam Slayer: Meet Average-Joe Spammer

ByTom Spring, PC World

— -- Tip of the MonthWatch Out for Holiday-Related Scams. Phishers love the holiday season because they view the boost in online shopping as an opportunity: The security firm AppRiver reports that spam volumes nearly double over the holidays. Be particularly on guard for e-mail messages that purport to come from your credit card company or your favorite online merchant.

It's tough being an average-Joe spammer these days. Divorced and in his 40s, Mike has two kids to help support, a skyrocketing home heating bill, and a mortgage. And spamming just isn't paying the bills like it used to.

In the heyday of his spamming career, from 1997 to 2000, profiting from sending out unsolicited bulk e-mail was easy, Mike says. On an average month he made $40,000 pelting millions of inboxes with spam. Now, he complains, spam filters have become too effective and block most of his e-mail. Also, he adds, spamming for a living has become increasingly risky, as evidenced by recent arrests of--and fines imposed on-spammers. He himself is currently being sued by a large ISP for using illegal methods for sending spam, he says.

"Spamming becomes a little more unprofitable and a little more high-risk every day," says Mike, who agreed to be interviewed on condition that his real name be withheld. "I don't know why I still do it."

In fact, spam is no longer Mike's sole, or even principal, source of income. He now works in construction by day and devotes only 20 hours a week at night to spam.

And because of the lawsuit, Mike has changed the nature of his activities. He makes $500 a week by selling lists of IP addresses for compromised computers, sometimes called zombie PCs--systems that have been hijacked by a hacker so that they can be used to send spam. The people who own these computers (which can be in homes or businesses) have no idea their PCs are being used for such purposes. By routing junk e-mail through these PCs, spammers can hide their identity and can also save money on the bandwidth required to send large volumes of e-mail.

Mike either buys the lists of compromised PCs from hackers and fellow spammers, or he gets them free from sites run by spammers, such as the Russian-based FreeProxy.RU. Once he gets a list, he checks the validity and quality of the addresses, weeding out those that don't respond or that have been put on spam blacklists. He then sells the "cleaned" lists of zombie PCs to other spammers.

Mike is one of the thousands of spammers in the world who make up the majority of junk e-mail purveyors. "There are only a few dozen spammers worldwide that are making 90 percent of the spam profits," he says. "The rest of the bulk e-mailers are people like me."

After I found Mike through a Web site where spammers meet and share tips, he agreed to a phone interview. Here is an edited transcript of that conversation.

Q: Don't you think what you do is wrong?

A: I don't care what people think. If nobody was really interested in spam and never bought anything that was advertised to them, spam would go away. But people are interested in spam. As long as people buy things advertised in spam then people like me will send bulk e-mail. Are we really that different from so-called legitimate bulk e-mailers? I don't think there is a whole lot of difference.

Q: Why don't you send bulk e-mail legally? The Controlling the Assault of Non-Solicited Pornography and Marketing Act [the federal law regulating unsolicited bulk e-mail] allows you to.

A: You are correct. CAN-SPAM created a lot of opportunity for spammers. However, playing by the rules is too risky, and it's bad for business. Here is what I mean.

The only way spammers can sneak by an ISP's anti-spam filter these days is by tricking spam filters. The techniques to trick anti-spam filters are illegal, according to CAN-SPAM--not to mention a growing number of state anti-spam laws. To get past spam filters you can't play by the rules.

Those illegal spammers who try to go legit are finding themselves in court for violating different anti-spam laws. CAN-SPAM was great because there was one law to abide by for sending bulk e-mail. Now ISPs and states are coming after us. If you want to be sure you don't end up in a court, don't let them find you.

Q: Are anti-spam laws and better filters working to stop spammers?

A: Yes. Today big ISPs block e-mail from suspicious sources. They filter out spam based on e-mail addresses, words, links in the e-mail, pictures, or anything. For people like me it's just not worth it anymore. However, this forces a lot of spammers to send more spam.

In the old days you could earn, say, $1000 by sending out 20,000 spam messages. Today, to earn $1000, you have to send out 2 million spam messages or more.

The better filters get, the more determined we will get. It's not as if spammers really want to break the law. It's just that we are looking for any edge possible to get past the filter. Right now we are targeting smaller ISPs that don't have a lot to spend on good spam filters.

Q: So why spam, if it's getting riskier and less profitable?

A: Good question. For me, it's what I know how to do. And I just would hate to give up. It's like admitting defeat. But I am planning on quitting this spring.

Q: How did you make money when you were actually sending out spam?

A: For me it was mortgage and debt consolidation leads. For every person that called a mortgage broker based on my e-mail I would earn between $22 and $26. Dating sites would pay me $2 for every trial membership I brought them, and $15 for anyone who joined.

Q: What does the future of spam look like for average-Joe spammers?

A: Not good. The capital investment in computers and software required to make it worth the risk is enormous. A lot of people younger than me are spamming. But for a lot of people like myself, it's no longer easy money. We are throwing in the towel.

Q: So you are seeing a changing of the spam guard, so to speak?

A: Here is the deal. Spammers make money through advertising. And spammers today are diverse. They work with adware; they control botnets of computers; they are virus writers. Today's spammers don't just want to sell you Viagra; they want to trick you to into handing over your credit card number, or infect your system and turn it into a zombie.

Q: Will spam ever go away?

A: Spam will never go away. Filters may get better and more spammers may get arrested, but there will always be spammers. We adapt. I don't know what the next great spamming technique will be. But I can promise you spammers are working on it right now.

As I said before, so long as people click on spam and buy things advertised in their inboxes, spam will exist.

ABC News Live

ABC News Live

24/7 coverage of breaking news and live events