It’s tough being an average-Joe spammer these days. Divorced and in his 40s, Mike has two kids to help support, a skyrocketing home heating bill, and a mortgage. And spamming just isn’t paying the bills like it used to.
In the heyday of his spamming career, from 1997 to 2000, profiting from sending out unsolicited bulk email was easy, Mike says. In an average month he made US$40,000 (NZ$57,828) pelting millions of inboxes with spam. Now, he complains, spam filters have become too effective and block most of his email. Also, he adds, spamming for a living has become increasingly risky, as evidenced by recent arrests of spammers and fines imposed on them. He himself is currently being sued by a large ISP for using illegal methods for sending spam, he says.
“Spamming becomes a little more unprofitable and a little more high-risk every day,” says Mike, who agreed to be interviewed on condition his real name be withheld. “I don’t know why I still do it.”
In fact, spam is no longer Mike’s sole, or even principal, source of income. He now works in construction and devotes only 20 hours a week at night to spam.
And, because of the lawsuit, Mike has changed the nature of his activities. He makes US$500 a week by selling lists of IP addresses for compromised computers, called zombie PCs — systems that have been hijacked by a hacker so that they can be used to send spam. The people who own these computers (which can be in homes or businesses) have no idea their PCs are being used for such purposes. By routing junk email through these PCs, spammers can hide their identity and can also save money on the bandwidth required to send large volumes of email.
Mike either buys the lists of compromised PCs from hackers and fellow spammers, or he gets them free from sites run by spammers, such as the Russian-based FreeProxy.ru. Once he gets a list, he checks the validity and quality of the addresses, weeding out those that don’t respond or that have been put on spam blacklists. He then sells the “cleaned” lists of zombie PCs to other spammers.
Mike is one of the thousands of spammers in the world who make up the majority of junk email purveyors. “There are only a few dozen spammers worldwide that are making 90% of the spam profits,” he says. “The rest of the bulk emailers are people like me.”
After I found Mike through a website where spammers meet and share tips, he agreed to a phone interview. Here is an edited transcript of that conversation.
Don’t you think what you do is wrong?
I don’t care what people think. If nobody was really interested in spam and never bought anything that was advertised to them, spam would go away. But people are interested in spam. As long as people buy things advertised in spam then people like me will send bulk email. Are we really that different from so-called legitimate bulk emailers? I don’t think there is a whole lot of difference.
Why don’t you send bulk email legally? The Controlling the Assault of Non-Solicited Pornography and Marketing Act [the US federal law regulating unsolicited bulk email] allows you to do so.
You are correct. CAN-SPAM created a lot of opportunity for spammers. However, playing by the rules is too risky and it’s bad for business. Here is what I mean.
The only way spammers can sneak by an ISP’s anti-spam filter these days is by tricking spam filters. The techniques to trick anti-spam filters are illegal, according to CAN-SPAM — not to mention a growing number of state anti-spam laws. To get past spam filters you can’t play by the rules.
Those illegal spammers who try to go legit are finding themselves in court for violating different anti-spam laws. CAN-SPAM was great because there was one law to abide by for sending bulk email. Now ISPs and states are coming after us. If you want to be sure you don’t end up in court, don’t let them find you.Are anti-spam laws and better filters working to stop spammers?
Yes. Today, big ISPs block email from suspicious sources. They filter out spam based on email addresses, words, links in the email, pictures, or anything. For people like me it’s just not worth it any more. However, this forces a lot of spammers to send more spam.
In the old days you could earn, say, US$1,000 by sending out 20,000 spam messages. Today, to earn US$1,000, you have to send out two million spam messages or more.
The better filters get, the more determined we will get. It’s not as if spammers really want to break the law. It’s just that we are looking for any edge possible to get past the filter. Right now we are targeting smaller ISPs that don’t have a lot to spend on good spam filters.
So why spam, if it’s getting riskier and less profitable?
Good question. For me, it’s what I know how to do. And I just would hate to give up. It’s like admitting defeat. But I am planning on quitting this spring.
How did you make money when you were actually sending out spam?
For me it was mortgage and debt consolidation leads. For every person that called a mortgage broker based on my email I would earn between US$22 and US$26. Dating sites would pay me US$2 for every trial membership I brought them and US$15 for anyone who joined.
What does the future of spam look like for Average-Joe spammers?
Not good. The capital investment in computers and software required to make it worth the risk is enormous. A lot of people younger than me are spamming.
But, for a lot of people like myself, it’s no longer easy money. We are throwing in the towel.
So you are seeing a changing of the spam guard, so to speak?
Here is the deal. Spammers make money through advertising. And spammers today are diverse. They work with adware; they control botnets of computers; they are virus writers. Today’s spammers don’t just want to sell you Viagra; they want to trick you to into handing over your credit card number, or infect your system and turn it into a zombie.
Will spam ever go away?
Spam will never go away. Filters may get better and more spammers may get arrested, but there will always be spammers. We adapt. I don’t know what the next great spamming technique will be. But I can promise you spammers are working on it right now.
As I said before, so long as people click on spam and buy things advertised in their inboxes spam will exist.