Spam Kings

Spam Kings Page 25

by McWilliams, Brian S


  "I can't give you the file, period," I replied.

  Dr. Fatburn finally relented. The next day, while I was away from my computer, I received an instant message from him.

  "Just so you know," he said, "I am going in a different direction for marketing my Thinkmeds.com website. I will not ask you for the file anymore. I will also not waste my time trying to find Amazing's files on the Net. I got better things to do with my time."

  [8] In November 2003, an anonymous person contacted me over AOL Instant Messenger and offered me a dozen photos he said an acquaintance had stolen from Hawke's PC. The photos included images of Hawke standing in his North Smithfield, Rhode Island, driveway, as well as "screen grabs" of Bournival's computer while it was sending spam. Also included was an image of a fake State of Indiana driver's license, which pictured Hawke's face above the name Michael Girdley.

  Rise of the Spam Zombies

  One Saturday night in mid-June of 2003, Spamhaus.org was staggered by unusually heavy visitor traffic. But this was no weekend rush by Internet users to review the latest Rokso listings. When Spamhaus director Steve Linford checked the site's log files from his control center in London, he discovered that hundreds of computers from all over the Internet were simultaneously bombarding one of Spamhaus's web servers with bogus requests for data. Spamhaus was under what computer experts call a distributed denial-of-service (DDOS) attack. Using special DDOS programs, attackers were trying to cripple Spamhaus with packets of data, rendering the site unusable by legitimate visitors.

  Linford quickly fended off the attackers by adjusting the firewall that guarded the edge of Spamhaus's network. Spamhaus had been victimized by DDOS attacks in the past, and Linford might have headed off to bed without giving the matter further thought. But as he scanned the list of Internet protocol (IP) addresses of the computers trying to "packet" Spamhaus, he noticed something odd. Almost all of them were home PCs connected to the Internet via broadband Internet service providers such as Verizon, Comcast, Cox Communications, and Bell South.

  For Linford, one of his worst fears was coming true. Since January, computer security experts had been tracking the gradual spread of SoBig, a new breed of computer virus. Once installed on a PC with a cable modem or DSL line, the software had two malicious purposes. SoBig was designed to turn the infected computer into a remotely controlled "zombie" participant in DDOS attacks. SoBig's other purpose was to allow the PC to serve as a spam-sending proxy, through which a spammer could send junk emails with anonymity. In nearly all cases, the owners of the infected systems would have no idea their computers were being used by the virus.

  It wasn't clear whether spammers were responsible for the creation of SoBig. But they certainly stood to benefit from it. With an ever-expanding network of thousands of hijacked proxies for sending spam, junk emailers could evade anti-spammers and the operators of spam-blocking services. Meanwhile, SoBig's DDOS feature could be used to mire the blocklist sites with bogus network traffic.

  Throughout the summer of 2003, Spamhaus and other anti-spam sites, including Spews and the SpamCop spam-reporting service, were repeatedly hit by DDOS attacks from zombies infected with SoBig or related viruses, including one named Fizzer. Meanwhile, the percentage of spam originating from virus-infected computers was soaring. According to spam-tracking services, nearly 70 percent of junk email was entering the Internet through broadband PCs compromised by SoBig and similar malicious software.

  To Linford and other veteran Internet technicians, the rise of spam zombies was part of a distressing trend: the acceptance by hackers of spamming as a lucrative profession.

  "Once upon a time, hackers hated spammers," wrote Linford in an August 2003 posting to Nanae. "All the real hackers detest spam and the losers who send it. But lately things have changed...hackers now see spamming and scamming as 'kewl,'" he wrote. As an example, Linford pointed to "Styro" and "Foam," the hacker aliases of two New Orleans teenagers. In their member profiles at SpamSoft.biz, an online forum for spammers, the teens listed as their interests "spamming, scamming, and cracking" (the latter is slang for breaking into web sites without authorization). While an earlier generation of hackers had altruistically used their technical skills to help drive scam artists and spammers out of business, this new breed of computer whiz seemed to Linford both mercenary and morally challenged.

  Some unidentified anti-spammers decided to fight back against the hacker-spammers by releasing a Trojan horse program of their own. Starting in August of 2003, junk emailers began receiving messages forged to appear as if they were from a spammer known for selling college diplomas. The messages offered a free technique for removing "honey pots" (otherwise known as spam traps) from spam mailing lists. Interested spammers were invited to view an online multimedia demonstration of the software. But the web page listed for the video was actually booby-trapped. If viewed using an unpatched version of Microsoft's Internet Explorer, the page would silently install a program named honey2.exe on the victim's computer. The code contained a variant of SubSeven, an infamous program designed to allow the target PC to be remotely controlled by an attacker.[9]

  It wasn't clear whether any junk emailers fell for the trick. Some quickly recognized the Trojan horse video for what it was and published warnings in SpecialHam.com, a new online forum for spammers. But what was obvious was that the war between spammers and antis had escalated.[10]

  Meanwhile, the army of spam zombies continued to grow. As viruses claimed increasing numbers of home computers, spammers discovered a new way to put the infected systems to work. Instead of simply deploying them to send junk email or launch attacks against blacklist sites, spammers were using the compromised PCs to host their web sites. In September, ads for "invisible, bullet-proof" hosting began to appear at SpecialHam.com and other spam sites. For $1,500 per month, one Poland-based group was offering to protect sites from the network-sleuthing tools spam opponents used to identify the Internet protocol address of a site. The group claimed to control nearly half a million "Trojaned" computers, most of them home PCs connected to cable modems or DSL lines. The hacked systems contained special software developed by the Poles that routed traffic between Internet users and customers' web sites via thousands of the hijacked computers. The constantly rotating intermediary systems confounded tools such as traceroute (a utility used to track the path between a user's computer and a remote system), effectively masking the true location of the web site.

  By September, incessant DDOS attacks on two smaller blacklist sites, Monkeys.com and Osirusoft.com, forced their operators to announce the permanent shutdown of their services. The Spews site was also frequently unreachable due to the DDOS attacks. But the service continued to function, thanks to Internet users who independently published mirror copies of the Spews "zone files" containing the list of blacklisted IP addresses.

  Desperate to identify the source of the attacks, Linford tried to cajole spammers into ratting out the perpetrators. In exchange for information, he offered a form of probation to several junk emailers listed on Rokso. If they turned over evidence that led to the arrest of the attackers, Linford was willing to loosen the rules for the spammers' removal from Rokso.

  But some junk emailers misinterpreted Linford's offer. In September, an anonymous person posted a message to Nanae, accusing Linford of trying to blackmail spammers. According to the author, Linford had threatened to keep him on Rokso permanently if he didn't give up information about a suspected source of the attacks. The unidentified spammer included in his note an excerpt of email from Linford.

  "You forget who's holding the cards here," Linford had written to the spammer. "We will keep you blocked for years."

  In a reply on Nanae, Linford pointed out that the anonymous newsgroup message had been posted from an account owned by Bernie Johnson, a Michigan bulk emailer with connections to spam king Alan Ralsky. Linford revealed that he had been discussing the attacks with Johnson and confirmed that he had offered a deal in exchange for information.

  "I've given the same deal to a number of former spammers who today run legitimate hosting businesses and have never been heard of spamming or hosting spammers again. It's called parole for good behavior, a concept enforcement authorities the world over use every day," said Linford.

  But Linford's efforts failed to unmask the attackers. And in November, a new virus, specifically designed to knock Spamhaus off the Internet, was spotted. Known as Mimail E, the virus contained code that automatically caused an infected PC to begin attacking Spamhaus.org in order to make it unreachable. But it had no effect on the Spamhaus Block List (SBL), which was actually hosted on over thirty servers located around the world.

  A successor virus that appeared in December 2003 had a more significant impact. Mimail F targeted several anti-spam sites, including Spamhaus.org and Spews.org, with a denial-of-service attack. The new code also orchestrated a massive Joe-job on the blocklist services. PCs infected with Mimail F sent a flood of emails that were forged to appear as though they were from Spamhaus.org. The messages informed recipients that Spamhaus.org would be charging their credit cards $22.95 "on a weekly basis," and that a "free pack of child porn CDs is already on the way to your billing address." The spoofed emails also invited Internet users to visit Spamhaus.org, Spews.org, SpamCop.net, and a few other sites to view "all types of underage porn."

  For days, irate users swamped Spamhaus with complaints about the spam. Linford did his best to explain that a virus, and not Spamhaus, had generated the messages. He referred the annoyed spam recipients to the web sites of anti-virus software companies, where they could find more information about Mimail. Still, the gripes continued to pour in.

  Some gullible recipients even took to posting messages on Usenet newsgroups, warning others not to visit Spamhaus.org or the other sites listed in the solicitation.

  "What on earth can we do about these people?" wrote one apparently confused Internet user, referring to Spamhaus. "They're probably just harvesting for email addresses, but who knows? Any ideas as to how to rid the Internet of these types would be appreciated."

  To rid the Internet of spam zombies, many spam opponents called upon cable and DSL providers to be more proactive and to take steps such as removing infected customer PCs from their networks. Some ISPs, such as Cox, earned the approval of anti-spammers when they began blocking their users from sending email through mail servers outside the ISP's network. But Comcast, the biggest cable-Internet provider in the U.S., seemed paralyzed by the zombie problem and delayed taking action that would have stopped zombie PCs from sending spam through third-party mail servers. This led some anti-spammers to call for the blacklisting of millions of addresses assigned to Comcast.

  As a stopgap measure, in December 2003, Linford began making plans to create a new Spamhaus blacklist. The Exploits Block List (XBL) would contain a constantly updated database of "proxy" computers that had been hacked, infected, or otherwise misconfigured to allow spammers to commandeer them. Spamhaus would gather the data from two existing third-party blacklists and make the XBL available for free to mail server operators.

  Linford knew the XBL wouldn't eliminate the problem of spam zombies. But he felt it was spam opponents' best defense against the constantly growing arsenal controlled by spammer-hackers.

  * * *

  [9] A spammer named Richard Cunningham, who used the alias Dollar, published a warning about the Trojan horse program at SpecialHam.com on August 15, 2003.

  [10] As junk emailers increasingly banded together to do battle with spam opponents, membership in clubs such as SpecialHam.com surged in mid-2003. One such organization, a new, members-only site named TheBulkClub.com, caught my attention at the end of August 2003. A sign-up page stated that, for a twenty-dollar monthly fee, Bulk Club subscribers could get access to a variety of how-to articles, a members' message board area, and a system for uploading mailing lists for trade with other members.

  I decided to contact Shiksaa over ICQ and ask whether she knew anything about the site. She told me she hadn't investigated the Bulk Club yet. But moments later, she messaged me again.

  "Hey Brian," she said. Then Shiksaa sent me a link to an internal file accidentally left exposed at TheBulkClub.com. The file contained a log of file transfers made by the site's operators over the past month. It was the same type of file she had previously dug up at web sites operated by Davis Hawke and other junk emailers.

  "Dumb spammers," she said.

  I looked at the address of the file transfer protocol (FTP) log a moment and then decided to try a trick I had seen Shiksaa use in the past. If the Bulk Club's operators had misconfigured their site, truncating the address after the final backslash ("/") would enable me to view all the files in the directory containing the FTP log. Sure enough, when I tried the shortened address in my web browser, it displayed a list of dozens of other files at the site.

  I sent a message to Shiksaa, telling her that the site's directories could be "trolled."

  "Yes, I know," came her immediate response. "Spammers are so much fun."

  After she signed off, I spent a few moments examining the files left exposed at the site. I found a document that contained a list of anti-spam organizations including Spamhaus and Spews. There was also an article entitled "How To Spoof," and there were summaries of various state spam regulations. Also available to members were seventeen articles on the topic of harvesting email addresses from web pages and discussion groups.

  But the most interesting document was a list of the Bulk Club's members. Nearly 450 people had joined the spam club since it launched in February. According to the list, some 150 were "active" members. Among them was Damon Decrescenzo, one of the operators of Rockin Time Holdings, a Florida junk emailer sued by Microsoft the previous June. Also a member was Jon Thau, the head of Cyberworks, a longtime Rokso-listed spam operation. But one name especially caught my eye. John Milton, one of the aliases used by Davis Hawke, was listed as a Bulk Club member.

  A few days later, I published an article about the Bulk Club at Wired News. The piece, "A Support Group for Spammers," quoted the site's operator, a man from Akron, Ohio, named Drew Auman, who said the club was dedicated to promoting "responsible" business practices. According to Auman, the site had recently been knocked offline by hackers. The impact to his business, he claimed, was extreme. "Members who enjoy conversing with fellow members are unable to get access, and potential members cannot learn about us," said Auman.

  Within days, Auman was added to the Spamhaus Rokso list. But it hardly mattered. Soon, the Bulk Club was back online, this time hosted on a new server in India.

  Jason Vale Held in Contempt

  In the criminal contempt case of U.S. v. Jason Vale, defense attorney Jason Vale called his first and only witness: himself.

  After being sworn in that morning of July 17, 2003, the former Laetrile spammer took the stand and began telling jurors the amazing story of how he had beaten cancer by eating apricot seeds. Vale started by explaining how, at the age of fifteen, he had felt something growing in his back.[11]

  Judge John Gleeson of New York's Eastern District Court stopped Vale right there. The judge instructed the jury that the case before them was not about the benefits or disadvantages of cancer treatments. What was at issue, he said, was whether Vale had violated the April 2000 injunction prohibiting him from selling any form of Laetrile, also known as B17.

  "It doesn't matter to the charge of criminal contempt whether B17 is a good thing or a bad thing. A person has to comply with the injunction," said Judge Gleeson.

  Vale cautiously returned to his story. He told about how in 1996 he started selling apricot seeds and a video called "All About Cancer" over the Internet. And then he discovered how to send spam.

  "I emailed to the whole world. I said the answer to cancer is 'no,' and I kept emailing out," he told the courtroom. "But then some people who got the spams started to complain. They forwarded the emails to the F.D.A....There is a whole political group out there that doesn't like spamming, but I was on a mission. I didn't care. Plus, I learned the technique of emailing out. It might be annoying to someone to press delete when they get the spamming, but the answer to cancer was 'no.'"

  Vale tried to quickly sum up how he had gotten into his current legal predicament. But it was hard to condense several years into a neat, coherent story. He rambled on for a few minutes about the mixed legal advice he had received and about the ambiguity of the law. At one point he apologized for slurring his words and explained that he had broken his teeth as a child.

  "You are just talking too fast. You sound fine," said the judge.

  A week before the trial, Judge Gleeson had tried to persuade Vale, who had no legal training, not to handle the case "pro se," as his own defense lawyer. In a July 10 hearing, the judge had told Vale such trials almost always result in convictions.

  But Vale had lost faith in the expensive lawyers he had retained earlier in the case, so he had dismissed them. Vale arranged to have an attorney advise him in the courtroom. However, Vale's "standby" counsel was not allowed to examine witnesses or make statements to the jury. Also at the defense table with Vale was a lawyer from the Legal Aid office. Vale told the judge he was shocked to learn that she hadn't even heard of the federal DSEA (Dietary Supplement Education Act). How, he wondered, could she possibly be of any assistance?

  Judge Gleeson said that the fact that Vale's Legal Aid counsel wasn't familiar with some acronym was a "horrible" reason for him to "expose" himself by representing himself. "But, sir," the judge had said, "if that is your choice, I will let you do it."[12]

  At the start of the trial, the government began its case with a review of the facts. Assistant U.S. Attorney Charles Kleinberg told the jury how, after Judge Gleeson had issued the preliminary injunction against Vale in April 2000, Vale hadn't actually stopped selling Laetrile.
