A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams

� October 2005 | Main | December 2005 �

November 28, 2005

FTC fudges spam filter study

The U.S. Federal Trade Commission just announced the results of a study of spam filters and address harvesting. Unfortunately, the agency's research sheds little new insight into the spam problem.

To test the effectiveness of spam filtering, the FTC created dozens of spam trap email accounts at each of three different (and unnamed) Internet service providers. Two of the ISPs offered spam filtering; the third didn't.

After two weeks, the email accounts at the ISP without spam filters received 2,129 junk emails. The accounts at the two filtered ISPs netted a total of just 469 and 95 spams. According to the study, the two ISPs with spam filters respectively blocked 78% and 96% of spam messages.

Interesting numbers, but when you look a little closer, things don't add up.

For some reason, the FTC report doesn't mention whether the filtered accounts had spam folders. (To my knowledge, the spam filters employed by most big webmail providers don't just delete all spam; they shunt suspicious stuff in to a special junk folder.)

Instead, the FTC researchers make a rather tenuous extrapolation, apparently in the dark about how much spam was rejected by the ISPs mail server or landed in each account's spam folder. According to the report,

FTC staff was able to calculate the percentage of spam messages blocked by the two ISPs’ spam filters by comparing the number of messages received in each of the Unfiltered Addresses to the number of messages received in Filtered ISP 1 and in Filtered ISP 2.

In other words, the FTC assumed each ISP received exactly the same amount of spam, and used the unfiltered ISP as a control. That's a pretty big assumption -- a fact the FTC seemed to acknowledge in a footnote to the report:

We assumed that spammers who harvested the addresses were not biased in favor or against a particular ISP when sending spam. It is possible, however, that the number of spam messages sent to the Unfiltered Addresses differed from the number of messages sent to Filtered ISP 1 or Filtered ISP 2.

It's common knowledge that many spammers, frustrated by spam filters, are currently targeting smaller ISPs that don't offer spam filtering to their users. Had its researchers paid more attention to methodology, the FTC might have shed some interesting new quantitative light on this phenomenon. Unfortunately, this is a missed opportunity.

The FTC report also examined how spammers harvest email addresses from web sites and Usenet. The agency found that unprotected, published FTC spam-trap addresses quickly began receiving spam. But this information has been already been gleaned by much more methodical researchers.

Posted by Brian at 11:53 PM

November 22, 2005

Russians, not Ralsky, now rule the spam world

ralskyLooks like the FBI's September raid on spam king Alan Ralsky may have knocked him off his throne.

Ralsky has lost his long-held #1 position atop the Spamhaus list of the world's top spammers. Although downgraded this week to #4, Ralsky probably could have reconstituted his spam operation despite having computers and other items confiscated by the feds. But according to Spamhaus records, the anti-spam group hasn't detected any major new spamming from Ralsky since September.

So far, the FBI raid hasn't resulted in legal charges against Ralsky. Ralsky's lawyer reportedly has said his client was complying with state and federal spam laws.

Meanwhile, Russian fugitive Leo Kuvayev is the new king of spam kings. In fact, four of the top seven spammers worldwide are in Russia, according to Spamhaus.

Is Moscow becoming the new Boca? Sure looks that way, despite the fact that U.S. networks are still the source of most of the spam in the world.

Posted by Brian at 2:40 PM

November 19, 2005

Another house that spam built

marin house in weston, FLAnti-spammers love to make little discoveries like this. Kimberly W. Marin, wife of spam king Eddy Marin, is selling one of their homes in Florida. She's asking $735,000 for the 5-bedroom, 3,300-square-foot place in Weston, FL.

According to one Internet posting, Eddy's name used to be on the deed, but he actually lives at a different house, the location of which is a "well-kept secret."

The Marins, who make their appearance in Chapter 7 of Spam Kings, are no longer on the Spamhaus Top 10 list. But Spamhaus claims Marin's operation was among several big spam outfits raided by the FBI earlier this year. He's also allegedly linked to a Boca Raton company that was recently busted for stock spam fraud.

Posted by Brian at 11:45 AM | Comments (1)

November 10, 2005

Unmasking a John Doe spammer

John DoeEver noticed that Microsoft seems to sue a lot of spammers named "John Doe"?

It's actually just a standard legal tactic companies use when they want to file a lawsuit against unidentified individuals. The goal is to unmask the defendants by serving discovery on Internet service providers, domain registrars, online payment processors, etc. With any luck, Microsoft (or whoever's doing the suing) eventually amends its lawsuit to name the spammers.

Well, looks like Microsoft had such luck in a John Doe lawsuit it filed a year ago against some spammers pushing kits that supposedly train people to "Earn HUGE Profits On eBay.”

In October 2004, Microsoft sued "JOHN DOES 1-50 d/b/a Myauctionbiz.biz" in a U.S. District Court in Washington state. The lawsuit alleged that the spammers inundated MSN Hotmail users with illegal messages for the eBay kits.

Often these lawsuits can hit a brick wall, but in February 2005, Microsoft investigators identified San Diego, California resident Kevin Hertz as head of the Myauctionbiz.biz spam network. Hertz turned over a database including a list of his marketing affiliates and their corresponding affiliate identification numbers.

Last September, Microsoft deposed Hertz, who confirmed that his spammers were the ones who sent the deceptive emails to Hotmail.

Soon, Microsoft's investigators were able to identify the 38 or so affiliates responsible for most of the Myauctionbiz.biz spam sent to Hotmail. Microsoft then filed an amended complaint naming them on October 31, 2005.

The defendants include residents of around ten states and a couple of provinces in Canada.

MORE: Hertz appears to be connected to a San Diego company called Progressive Media Group, Ltd., but it's not named in the complaint. Someone named "Robert Hertz" at the same street address owns a block of IP addresses, including one that hosts a network of websites.

Posted by Brian at 12:31 PM | Comments (1)

November 9, 2005

Spam from Iraq

TigrisNet logoIt's not on the USAID list of accomplishments, but the Internet is booming in Iraq.

Fun fact: there are now around 20,000 Internet protocol (IP) addresses allocated to Iraq, according to one estimate

Wasn't too long ago (i.e., early March, 2003) that everyone in Baghdad was sharing a couple of IP addresses.

Unfortunately, not one of Iraq's shiny new Internet service providers -- or its legacy ISP, Uruklink -- has published an acceptable use policy governing the use of its networks.

Is it time to worry about Iraq becoming a major spam haven? I examine this issue in a new piece for O'Reilly Network: Spam from Iraq.

Posted by Brian at 6:00 PM | Comments (4)

November 3, 2005

Botmaster busted

resili3nt.jpgThe FBI arrested a 20-year-old "botmaster" this morning. James Ancheta of Downey, California was indicted for profiting from a large "botnet" or network of infected computers (bots) he operated.

According to the feds, Ancheta built his botnet by infecting thousands of computers with a variant of the rxbot Trojan horse.

From June 2004 to June 2005, Ancheta, who used the online nickname resili3nt, allegedly made about $60,000 in commissions by surreptitiously installing a modified adware program, known as a "clicker," on the infected PCs. The payments came from adware companies including Gammacash.com and Loudcash.com (now known as Zango), which pay a fee to affiliates for referring traffic or getting Internet users to install their adware.

According to the indictment, Ancheta at one point told an associate, "it's immoral, but the money makes it right." (Grab a copy of the indictment -- 52 pages, 2.5 Mb PDF -- here.)

Ancheta also allegedly made around $3,000 by renting out bots to spammers or people who wanted to perform denial-of-service attacks.

Ancheta used his earnings to purchase a 1993 BMW 325is. (His license plate was j4m3zzz.)

In an online profile, Ancheta listed his occupation as "advertising." For his website address, Ancheta provided SHK-SECURITY.NET. (The site isn't currently online, but an old version of the domain registration says the initials stand for Shadow Hackers Krew.)

According to the indictment, the FBI originally raided Ancheta in December 2004 and confiscated two computers. A former Ancheta associate told me this evening that the FBI arrested Ancheta today after telling him he could pick up his equipment at the FBI office.

Strangely, Gammacash continued to make commission payments to Ancheta's Wells Fargo bank account for several months after the December bust, including a deposit of nearly $8,000 in March.

According to the former associate, "every company like zango/loudcash knows the majority of there [sic] installs come from botnets."

The Department of Justice has called the case "the first prosecution of its kind in the nation."

Posted by Brian at 9:29 PM

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.

All trademarks and registered trademarks appearing on spamkings.oreilly.com are the property of their respective owners.

O'Reilly Home | Privacy Policy

© 2004 O'Reilly Media, Inc.
For assistance with this site, email: