Those hundreds of spams led me to write a couple articles in the summer of 2003 about Amazing Internet's amazing profits and the company's colorful co-founder, former neo-Nazi leader Davis Wolfgang Hawke.

My research eventually grew into my book Spam Kings, which was published by O'Reilly in October 2004. Around the same time, I launched this blog dedicated to the book and to news in the world of kingpin spammers.

I've enjoyed the past 18 months of trading notes about the spam scene. But due to the demands of a new (non-spam-related) job, I'm going to have to pull back from blogging and probably won't be posting any further updates. I'm also likely to disable comments and trackbacks, since I won't have time to clean up after the blog spammers.

Contrary to what some spammers might think, I never saw myself as an anti-spammer. My role was just to chronicle the spam scene, which I see as a fascinating intersection of entrepreneurism, crime, technology, and vigilantism. As a heavy user of the Internet, however, I admit that I'm rooting for the day when crooks, frauds, and freeloaders run out of ways to abuse the system.

Three years used to seem like an eon in Internet time. But as I look back to that summer of 2003, I am amazed at how little of substance has changed in the spam scene.

Hawke and his company are gone, and I no longer receive as many HGH or "make penis fast" spams. But in their place are new spam operations touting penny stocks, Hoodia, replica watches, and mortgages. More email in-boxes are protected by spam filters, and more anti-spam lawsuits have been filed and won. But despite such progress, my spam folders are still filling up with hundreds of spams each day, and many of the same names are on the Spamhaus list of the world's biggest spammers.

I blush to admit that when I sent the final Spam Kings manuscript off to O'Reilly in August of 2004, I worried somewhat that the book might be obsolete before it came back from the printers. Looking back, I realize that was just the naive fretting of a first-time author. As I wrote in the book's introduction, "Study the rise and fall of one spammer, Davis Wolfgang Hawke, and you will learn all you need to know about the intractability of the junk email problem."

I hope you've enjoyed this blog. My special thanks to Spam Kings readers.

But what's up with all the outbound spam from apparently uncompromised Barracudas? According to the product site, the appliance "prevents spamming" and "includes all the features needed to eliminate your outbound spam." Yet there are numerous reports of spam messages containing the "Scanned: by Barracuda Spam Firewall" header.

Some recent drug spams are apparently coming from webmail providers including Frys.com and some public libraries, such as one in Maryland. There have also been recent 419 scam-spams from a Barracuda-protected mail server run by Liberty USA.

Maybe these are all cases of operator error or Barracudas being misconfigured. The product does have a reputation for some annoying default features, including one known affectionately as backscatter. In any case, makes you wonder whether a bad guy with remote access to a Barracuda could do much additional damage.

Notice of the proposed settlement was emailed to some Verizon subscribers over the weekend. Information is also available online at emailblockingsettlement.com.

The lawsuit stems from Verizon's anti-spam strategy of briefly blocking all email from large swaths of IP addresses, effectively cordoning off entire countries from emailing Verizon customers.

Under the proposed deal, Verizon has revised its blocking policy but reserves the right to implement blacklisting "as long as a serious threat remains."

Verizon got kicked around pretty hard last year over this practice. I was a bit surprised that such a big ISP was resorting to such unselective blockades, which are used quite frequently by administrators of smaller email systems. But I'm a little baffled when Internet users blame their ISPs for trying too hard to protect them from spam.

To be sure, Verizon certainly isn't perfect in blocking incoming spam. But unlike some other big US providers, they're not on the Spamhaus list of the world's worst spam havens for facilitating outbound spam. In fact, the ISP currently has only nine listings on the Spamhaus block list, compared to 217 for MCI. So, in my book, the Abuse team at Verizon seems to be getting the job done.

I also continue to be amazed at the ire I see directed at ISPs, including even free webmail providers like Gmail, for misdirecting legitimate emails into users' spam folders (aka "false positives"). Folks, the delivery of email, especially of the free kind, isn't guaranteed. Blame the spammers, not ISPs, when you find yourself caught in the crossfire of the spam wars.

Oh, and Kohn, Swift & Graf, the attorneys for the class, have asked for $1,400,000 for handling the Verizon case.

While the 'Yaa Allah" message may produce a chuckle from some western, non-Muslim readers, that's apparently not who was targeted by the email. Seems likely this is an effort to whip up a reaction similar to last September's furor over the Mohammed cartoons.

The titles of the four films, said to be produced by an unnamed independent studio in California, are "Hardcore Islam," "Spring Break In Mecca," "Islam Rated XXX," and "Medina Ghetto Hoochie Mama."

The email claims that sexual repression and violence are linked. It quotes a Martin P. Klaus, the (imaginary) producer and director of the films, as saying that "sexually active men have much better, and more positive, things to do than hack off heads, blow people up, and generally try to (expletive) things up. If Muslim men would take off the dresses and bomb belts, rip the veils and panties off their women, then take a little dip in the Zamzam, the world would be a more peaceful place.”

The author of the email didn't identify himself, and the return address on the message was an account at an anonymous email service. But the email headers show it was sent from a computer named "jprodan" using a Pacific Bell DSL line in the Los Angeles area. The message was routed through a mail server operated by etrafficers.com, a mortgage leads site that has been listed on the SPEWS blacklist.

Based on that header information, I'd have to conclude that Joe Prodan, who runs Polaris Lending Group in Irvine, CA, is probably involved.

Smith (shown here in an undated drivers license photo) is now locked up at the Oak Park Heights (OPH) facility in Stillwater, one of a handful of super maximum ("supermax") security prisons in the USA.

OPH houses "some of America's most dangerous prisoners," according to the publisher of a 2004 book, The Big House, which describes life inside the OPH correctional facility.

Authorities said Smith is likely to remain at OPH until his trial, which is scheduled for October. A number of former employees and business associates are expected to testify against Smith, who is accused of running an illegal online pharmacy.

Although Smith is now under the same roof as violent, "worst of the worse" offenders, authorities said he is unlikely to have any dealings with them. OPH was designed to minimize prisoner contact with other humans, including prison staff. Inmates at OPH are reportedly only allowed out of their cells for one hour per day, unless they agree to participate in a job or education program.

Following Smith's attempt at witness tampering during his earlier stay at the Sherburne County Jail in Elk River, authorities at Oak Park Heights aren't taking any chances. A note in his prison file warns guards to be wary and states that Smith is "sophisticated," especially regarding medications.

Prison life may already be taking a toll on Rizler, who's been jailed since August, 2005. According to sources in Minneapolis, Smith earned the nickname "Crybaby" as a result of some emotional moments while at Sherburne County Jail.

Smith's assignment to the big house is tinged with irony, according to insiders who say Smith ran Xpress Pharmacy Direct, his illegal drug business in Burnsville, almost as if it were a prison. Employees were required to pass through metal detectors on their way in and out of the building, and were prohibited from using cell phones while in the office. Surveillance cameras kept an eye on employees in the building's hallways. At one point, Smith even discussed installing cell-phone jamming technology to prevent unauthorized employee communications.

Besides an extended stay in prison, Smith is also facing a large financial judgment from America Online. Last January, Smith was ordered to pay AOL $5.6 million for spamming its members in 2003.

Smith's incarceration at a supermax prison is the latest example of harsh legal repercussions against spammers. In April 2005, Jeremy Jaynes was sentenced to nine years in prison. The conviction is currently under appeal. This past January, a court ordered an obscure spammer to pay $11.2 billion in damages to a small Iowa ISP.

Due to a schedule conflict, I wasn't able to attend this year. Anyone care to post a mini-review?

According to a WCCO-TV report out of Minnesota, Smith was indicted yesterday for threatening to kill a prosecution witness in his upcoming trial over illegally operating an online drug store and other charges.

Seems Smith phoned a friend from Sherburne County Jail earlier this month and allegedly discussed plans to intimidate a witness and even have the witness or his/her family killed, to prevent the witness from testifying against him.

Apparently Smith didn't know the jail was monitoring and recording all calls made by Smith to numbers not linked with his defense attorney.

At his arraignment today, Smith pleaded not guilty.

In a press release today, the U.S. Attorney's office didn't specify which witness was targeted by Rizler. Check out some of the comments from former employees at the bottom of this earlier posting about the case, and you'll see there's plenty of animosity to go around.

Conspiring to tamper with a witness and endeavoring to obstruct justice both can draw penalties of up to twenty years, according to a report by the AP.

Smith has been jailed since last September, when he violated the terms of his release.

Smith had previously pleaded not guilty to charges including conspiracy to distribute controlled substances, wire fraud, selling misbranded drugs and money laundering.

The latest build (803) of the Send-Safe Mailer v2.20b includes an option designed to prevent spammers from sending messages to any of the 245,000-plus e-mail addresses registered with the Blue Security "Do Not Intrude" registry.

The feature, which can be accessed from the program's Advanced tab, is turned off by default. When enabled, the feature automatically kicks in each time a spammer fires off a spam run. Send-Safe Mailer appears to check to see that it has the latest copy of the encrypted Blue Security remove list. If necessary, it downloads an updated version and checks it against the spammer's mailing list. (Shown below is a brief snippet of a log file produced when I tested the feature.)

Send-Safe apparently integrated Blue's technology using a software development kit (SDK) offered by Blue Security at its web site.

The integration of Blue Security's remove lists into Send-Safe might not be optimal yet. When I tried sending myself a test spam at an address protected by Blue Security, the Send-Safe program didn't alert me or otherwise notify me that the address was in the remove list. Then again, the email address didn't appear in the program's log of successfully sent message IDs, nor did I ever receive the test message.

So far, Send-Safe hasn't made a lot of noise about integrating the Blue Security remove list. The Send-Safe User's Guide contains only this brief explanation of the new feature: "Use Blue Security Remove List: Use this to avoid sending mails to the antis on Blue Security's Remove List."

But Blue Security is happily crowing about the news. On the company's blog today, CEO Eran Reshef said, "This remarkable and inspiring event we have witnessed displays the power of our community. Many `experts' claimed spammers will never leave our members alone and we know we will prove them wrong."

My take: the integration into Send-Safe could indeed be a big break for users of the free Blue Security service. Many spammers I've talked to seem put off by the complexity of manually downloading and using the service's remove-list tools. Send-Safe now makes that task totally automated. If other big spamware developers (Dark Mailer, Nexus, etc.) figure out a way to integrate the Blue remove lists, life will get even better for Blue members.

Prior to this development, Blue Security was seen by many spammers as purely antagonistic, since the service is designed to post complaints in the order forms of sites advertised in spams received by Blue Security members. Now, Send-Safe has given Blue a stamp of legitimacy from the spam world.

On the other hand, I doubt this integration will do much to improve Blue Security's standing among some leading anti-spammers. The whole notion of remove lists is anathema to ardent supporters of opt-in email. Blue Security, they might argue, is ultimately just providing a free list-washing service to spammers.

AutoTrader.com is an Atlanta, Georgia-based company that calls itself "the internet's leading auto classifieds marketplace." Its investors include the venture capital firm Kleiner Perkins Caufield & Byers.

Was the used car site branching out into Viagra and Xanax? Nah. A closer look revealed that some clever spammer had just figured out a way to bypass AOL's URL blocklist.

When you're a spammer for a well known drug site, it can be pretty hard to get your messages past such blocklists, which contain the addresses of known "spammy" websites. Emails containing links to any of the listed URLs can cause spam filters to shunt emails off to the spam folder. But not if the URL is cleverly camoflaged.

The URL in the meds spam looked something like this (I've added line wraps):

http://adserving.autotrader.com/event.ng/
Type=click&FlightID=202867&AdID=318547
&TargetID=

Following the "TargetID" was a series of characters containing the URL of the spammed web site, but scrambled using Base-64 encoding. As a result, the spammy part of the address was "invisible" to AOL's filters (and to most users). Yet each time someone clicked on the link, the Autotrader.com site would automatically re-direct the surfer to the web address encoded in the URL -- in this case, a drug store called Comfort RX.

There's a legitimate use for the re-direct feature at the Autotrader.com home page. The site sports a bunch of banner ads, which, if clicked, send you to the advertisers' sites (while a ca-ching sounds in AutoTrader.com's accounts receivable department).

There's at least one other re-direct at the site, but I haven't seen any evidence of spammers abusing it. Unless admins have gotten around to fixing it, clicking the link below should demonstrate how that URL will flip you to FBI.gov:

http://autotrader.com/redirect/redirector_link.jsp?to_url=http://www.fbi.gov

This isn't the first time spammers have exploited such open re-directs at mainstream sites. Last year, pill spammers worked a similar vulnerability at ZDNet.com.

I imagine some spammers have a script that scours the Internet looking for sites with open re-directors. Others probably just use Google. Either way, re-directs are just another item in the devious spam king's bag of tricks.

Rumors of the Florida spammer's relocation started last October, when someone anonymously posted a report of Battles' move to Kiwiland to the Nanae newsgroup.

If Battles had planned to turn over a new leaf in New Zealand, those hopes began to unravel when he made the mistake of spamming a New Zealand-based anti-spammer (sample here) earlier this month. The message was part of a small spam run advertising broadband wireless from Wired Country Direct, a unit of Compass Communications.

Following the March 3 spam incident, Computerworld published a story this week in which Battles, who now resides in Auckland, denied he was the same person reviled by anti-spammers.

Battles, who regularly tangled online with anti-spammers in the past, has returned to the Nanae newsgroup. Yesterday he blamed participants for getting him fired from Compass, where he worked as a territory sales manager.

"Well, done making me look bad, what an effort on your part. Happy that I lost my job? Well hopefully I can find something better," he wrote.

Let's hope that by "something better" he means a position that doesn't involve spamming.

The tipster informed me that Merwin had branched out from pill spamming and now is into online loan sharking. The source claimed the lucrative business enabled Merwin to purchase "a $400,000 Ferrari, over 20 houses, including precontruction houses, a $150,000 Porsche, a 7 series BMW, a 60 foot boat, a multi million dollar home, a business jet, and the list goes on."

At the time, a Boca Raton paper had just published an article noting that Merwin lived in a $2.5M home at 777 Marine Drive, along with his current wife, whom neighbors identified as Rachel.

That house in the tony Blue Inlet subdivision, it turns out, is a key bit of corroboration that Merwin may indeed have moved into Internet credit services. But I never would have connected the dots if it weren't for Sean E. Brooks.

Recently, I blogged that Brooks (aka m3rk) was believed by spammers to have acted as a confidential informant for the U.S. Secret Service. Rumors swirled last month that Brooks snitched on the recently arrested "g00dfellas" spammers Adam Vitale and Todd Moeller.

While researching Brooks, I noticed that he once listed his address as 10939 Bal Harbor Drive in Boca Raton. A check of Palm Beach County property records shows that Debora (Brooks) Merwin and George (Anthony) Merwin were co-owners of the five bedroom home at that address until 2003.

Lots of possible Peyton Place scenarios seem possible here. (George married Debora, who had a son, Sean, by a previous marriage. George introduced Sean to the world of spam entrepreneurship. George and Debora were later divorced and George married Rachel. Etc.)

After mulling over these possibilities, I belatedly got around to checking the property records for the Merwin's palace at 777 Marine. Turns out the deed actually belongs to a Chantilly, Virginia company called Tres Hombres LLC, which bought the house in January 2005 from a Kathy (Merwin) Devivo.

Why would an alleged multimillionaire like Merwin be living in a house owned by someone else -- unless perhaps George is one of the hombres?

Tres Hombres LLC is run by a Lonnie D. Gaddy III, who is also chief operating officer for a financial services company in Virginia called Universal Debit & Credit (UDCC), with Carlos Gavidia as CEO/President.

Tres Hombres and UDCC share the same 3901 Centerview Drive address in Chantilly as several other firms -- all apparently connected to Gaddy. The firms include Quick Process, LLC and Prove-It Partners, LLC, which provide "no turndown" credit cards as well as short-term loans, and an apparently defunct merchant fraud protection service.

Ding ding ding.

I realize there's usually less than six degrees of separation between any two spammers. That's especially true when you're dealing with bulk emailers in Boca Raton, Florida, the spam capital of the USA.

But who would have expected such a close connection between a kid rumored to be a confidential informant in a spam case, and an elusive Internet drugstore king turned loan shark?

The U.S. District Court for Northern California granted a summary judgment March 8 on behalf of Kennedy-Western University (KWU) in a lawsuit brought by Hypertouch, Inc. under the 2003 CAN-SPAM act.

According to the ruling, KWU did not violate the federal anti-spam law because the university didn't know that spammers it hired would violate the CAN-SPAM Act, nor did it consciously avoid such knowledge.

There's ample evidence that spams sent on behalf of KWU flagrantly flouted CAN-SPAM. But the court seemed convinced that "KWU actively seeks CAN-SPAM Act compliance from the marketing agencies that it hires." What's more, the court accepted KWU's argument that it wasn't aware that the spammers mailing on its behalf were breaking the law.

Yet it seems clear that KWU directly monitored the results of the illegal spammer's campaigns. Most spams on behalf of KWU contain customized URLs showing that KWU issued affiliate IDs to spammers to track traffic sent to the KWU site. For example the URL in this archived KWU spam references this page at KWU's web site, which includes the following HTML:

input type="hidden" name="COID" value="BCNTW"

Apparently this form data specifies the affiliate ID for Boca Networks, a Florida company blacklisted by Spamhaus. (Googling "kw.edu/ref/default.asp?COID=" produces lots of such affiliate IDs.)

KWU made its case in part thanks to a cadre of rather unusual expert witnesses. One such expert, Jason Rines, spent time himself on the Spamhaus Block List. In court filings, Rines suggested that Hypertouch owner Joe Wagner may have doctored the headers of emails he provided as proof of KWU's illegal spamming.

Despite its victory, KWU lost a small but significant tactical battle. The university's lawyers sought to show that Hypertouch isn't an Internet service provider and therefore had no standing to file lawsuits under CAN-SPAM. But the ruling said that Hypertouch, which has sued several spammers, qualifies as an ISP because it maintains its own email servers and provides accounts to users.

That aspect of the ruling is important because many spammers today are apparently hoping to dodge lawsuits by avoiding spamming big companies like AOL, Microsoft, and the like. It's common to see want ads on the SpecialHam.com spammers forum from bulk emailers looking for mailing lists containing "small domains."

But, on the whole, the ruling last week by U.S. District Court Judge Susan Illston is certain to create unhappiness among spam opponents.(You can read that headline above two ways.) Wagner says he plans to appeal and also will file a new lawsuit against KWU in California state court.

[Update 3/14: Joe Wagner writes to note that the district court's ruling puts plaintiffs who sue under CAN-SPAM in a Catch-22 situation. The judge ruled that Hypertouch failed to show that KWU "consciously avoided knowledge" that their hired spammers had or would violate the law. And yet KWU offered no evidence that it checked the headers of its spammers' emails, or made sure their domains were registered using correct information. "The judge's ruling makes no sense ... We are thus optimistic about the likelihood of success for our appeal," says Wagner.

Wagner also expressed outrage at the assertions by KWU's experts that Hypertouch may have doctored emails used as evidence. Wagner notes that copies of the same spams have been received and posted by other individuals in places such as the spam sightings newsgroup. "That's why it was so shocking [KWU would] make, under oath, the accusation that Hypertouch had perpetrated a fraud upon the court," says Wagner.]

Dear Glen, are you missing several gigs of data?

Lance James of Secure Science Corporation tells me that the files he recently found containing millions of customer records were named 1ibill.rar, 2ibill.rar, 3ibill.rar and 4ibill.rar. Naturally, Lance was under the impression that the data might have belonged to iBill, Inc.

The only Google hits I could find on those filenames were from a time in 2004 when you, Glen, were apparently looking for some programming help to import some files with those same names into a SQL database. ("We own the server so you will have full access," you wrote.)

You didn't put your real name on that GetaCoder site, but you used your nickname, Pre111. You've used that nick for years, even back when you had a Prodigy account in 1997. At SpecialHam.com, you used the member ID Pre111, but listed your real name as "Glen Mac."

You even used Pre111 in the URL of your no-prescription medz site, PharmMall, which you officially announced last year.

Glen, what's the deal? Could it be that online-marketers.net, the site where you sell mailing lists, was hacked? Or did that programmer you hired to import the data make off with a copy?

Was it really iBill data or not?

iBill officials say a cross-reference of email addresses in the cache, discovered on the Internet by security firms, shows that only three are iBill customers.

So who hemorrhaged all the customer data, if it's not iBill?

If authorities really want to find out, they can start by contacting a spam data-broker known as James Botkin.

As I reported last year, Botkin's company, then known as Optin Supply, Inc., has been offering huge databases for sale to spammers. Among the lists for sale by Botkin last year was one containing 11.9 million records described as "Full iBill Data with CC type."

A sample of the alleged iBill database offered by Botkin is still online, thanks to Archive.org. (Screen grab here.) Among the 1,048 sample records are a couple on people holding what are identified as "Dinner" cards. Presumably this means Diner's Club cards. If so, all of the nearly 12 million iBill records marketed by Botkin may not be from iBill either, since the payment company has told Wired News it doesn't accept Diner's Club cards.

So where do list brokers like Botkin get all this data? Many are apparently cutting deals with e-commerce sites and internet marketing firms for what they call "opt in" data. As I reported in my article last year, the records usually include home addresses, phone numbers, and an IP address corresponding to each list entry as evidence that the customer data was voluntarily provided by visitors to an online store or other web site.

Botkin continues to operates several sites, including onebedroomapartm.com and optinsearchdb.com, from which he sells huge collections of data. Botkin does most of his marketing via the SpecialHam.com spammers forum, where he currently uses the username bigmailmanbig.

Last month, someone started a new thread at SpecialHam.com with the subject "onebedroomapartm.com's list is BAD !!," to which forum regulars chimed in with comments like, "I cant belive you fell for this guy is data is complete usless garbage always has been always will be.. For years everyone has known it."

We may never know where the data reported on by Wired News came from. But my guess is that the big cache may simply be "opt in" data -- perhaps even from the same source that serves James Botkin.

The web posting essentially confirms the key details of Clason's recent plea agreement(PDF file). E.g., she managed porn websites from 1999 -2003 for James R. Schaffer, who operated a company called Diamond International. Schaffer also partnered with Jeffrey Kilbride. In January of 2004, Clason learned how to use a spam program capable of sending spam from a remote server in Amsterdam. Starting in April 2004, she sent millions of spams that included embedded pornographic images and used falsified "from" lines. AOL received over 600,000 complaints about the spams from January-June, 2004. Clason was paid around $30,000 for her work. Etc.

Clason even admits at her site to having taken "2 different anti-depressants to cope with this stress." (As a condition of her release in September 2005, Clason was ordered to refrain from using any alcohol, and ordered to receive alcohol counselling, as well as mental health treatment.)

What Clason doesn't address in her web posting is that, while she may have given up spamming, she's still in the porn business. As we pointed out yesterday, Clason still runs a number of porn gateway sites, including Hardcore-skank-porn.com, Broadbandblowjobs.com, and trailertrashvideos.com.

Clason also continues to recommend that her site visitors participate in a variety of dubious money-making programs, including high-yield investment programs. Clason even posted a graphic showing how much she made in one day via HYIPs, despite warnings from the Securities and Exchange Comission.

In a recent post about the conviction of a person for running a Ponzi scheme, Clason had this to say: "The stupid government should just stay out of our affairs. People know the risks, let them lose their money at their own discretion!!!"

Clason's former employer Schaffer has pleaded not guilty to all counts. His trial is set for May 2 in Phoenix. Kilbride's trial is scheduled for June 6.

Much of Clason's 16-page plea agreement is devoted to describing the requirements of her cooperation with prosecutors. Her June sentencing may be postponed, according to the document, "until such time as defendant's cooperation has been completed."