Austin spam-fighter goes forth to battle the kings of e-trash
Some people play golf. Some like macramé. Austinite Dewey Coffman catches spammers. Humming away in his North Austin garage are 17 servers that catch and sort untold thousands of unsolicited e-mails each day. And when Texas Attorney General Greg Abbott filed suit against UT student and internationally notorious spammer Ryan Pitylak on Jan. 14, he largely had Coffman, and his bulging spam archives, to thank. "Through collaborative efforts like these," said Abbott, "we can more effectively fight the vast public menace of spam."
Collaborative is right, and necessary: Catching spammers is hard. That's where people like Coffman come in, private individuals who ride the cyber-range in search of those who would flood your inbox with offers of "He:rbalV:iag:ra" and "medications-4-Less." Coffman's online filtering appliances company, Net-Sieve Inc. (www.net-sieve.com), is like many others that sell anti-spam tools. But their vigilante work, which includes running free "blocking lists" that enable Internet service providers to refuse to serve known spammers, or collecting spam as evidence for law enforcement officials, is something they do for free, and even for fun. "There's a tight community around fighting spam," says Julian Haight, whose SpamCop site (www.spamcop.net) includes a free blocking list. "Everybody knows each other."
Blocking lists and filters are technological fixes that help keep cyber-society's collective head above the spammy seas. But as a new legal front is developing around the year-old federal CAN-SPAM Act of 2003, lone spam-fighters are playing a new role, by collecting and sorting the mountains of data required to build a legal case. As anyone with an e-mail address knows, there's a lot of spam out there. And according to CAN-SPAM, which went into effect Jan. 1, 2004, all that spam is legal unless: 1) It contains misleading information; 2) it does not identify itself as an advertisement nor include a valid physical address; and 3) it does not include ways people can "opt out" of receiving additional e-mail. Because of these limitations, many spam-fighters consider the law a disappointment. "According to CAN-SPAM, you can spam as much as you want. All you have to do is put the disclaimer at the bottom," said Haight. "It's kind of a joke."
Nevertheless, suits are being filed. Abbott's suit against Pitylak is filed under CAN-SPAM, as well as the Texas Electronic Mail Solicitation Act, and the Texas Deceptive Trade Practices Act. It paints a picture of a company misleadingly identifying itself as a purveyor of credit and mortgage services, while its real goal was to trick recipients into revealing personal information, which Pitylak and business partner Mark Trotter, doing business under the company name LeadPlex, then sold for up to $28 a pop. If Abbott wins, Pitylak and Trotter will face millions of dollars in fines.
Fishing for Phishers
The case against LeadPlex began like any spam case: by figuring out which spams were being sent by a few big fish. This isn't as easy as it sounds. Spammers try to make it look like their offers are coming from multiple sources: LeadPlex sent out mail in more than 250 names, which the attorney general calls "shell companies" and Pitylak's lawyer calls "micro-brands." Finding the e-mails that LeadPlex had sent involved digging through databases of "trapped" spam (received by e-mail addresses set up specifically for that purpose) and looking for similarities, such as in the kinds of services offered, subject lines, routing information, look and feel, or even text searches on the bodies of the spam themselves. That's where Coffman came in.
Spam sleuths create "trap" accounts by simply inventing addresses and then waiting for spammers that use "dictionary attacks": programs that generate possible addresses out of thousands of different word combinations and then mail to those addresses to see if they exist. In a creepy illustration of the power of such attacks, the trap accounts were never used after being created, yet the spam started showing up anyway.
Coffman regularly searched his trap e-mail accounts for LeadPlex messages, which he sent to Abbott's office. Microsoft also helped: Its spam bank from 100,000 "trap" e-mail accounts yielded 24,000 spams that also fit the LeadPlex model.
Once you have a collection of e-mails you believe have been sent by a single spam outfit, then you can start looking for the people behind the spam. That poses a different set of challenges. Pitylak, Coffman says, was fairly easy to catch once they connected the dots between the LeadPlex microbrands, because he included a valid physical address in the e-mails. (That's one of the ways he can argue he's in compliance with CAN-SPAM.) But many spammers do not include such physical addresses, so finding them can be a matter of "following the electrons," which gets harder every year. The latest way to elude detection is to send out spams containing viruses that install a hidden mail server program on other people's PCs, thereby turning them into spam-spewing "zombies." Chasing spams to their source, then, can dead-end when one zombie leads to another, ad infinitum.
(Zombies aren't nearly the end of the weirdness in spam world. One wing of the spam business has turned virus-writing, which folks used to undertake for little more than the joy of saying "I crashed 100,000 computers!", into a money-making venture. In addition to zombie viruses, spammers have also released viruses that target anti-spam sites with millions of e-mails in "denial of service" attacks. One spammer sued a consumer who reported him to a blocking list, arguing that the consumer caused him financial harm. Haight has even heard of spammers extorting owners of money-making Web sites. "They'll say, 'I've got an army of zombies, and if you don't deposit $100,000 into my account, I'll shut you down,'" he said.)
Because of the constant innovation, things get easier if investigators find a way to follow the money, or the U.S. mail, rather than the electrons. "Once you've made the leap into the real world, you can use more traditional gumshoe investigation techniques," said Aaron Kornblum, an attorney for Microsoft, which also filed suit against Pitylak, in one of 89 spam suits the company has undertaken so far. Such techniques might be to buy whatever the spammer has to offer, and see who cashes the check. Or, you can follow a spam to the Web site that wants to sell, and see who hosts it. You can stake out post office boxes to which spam-related mail is sent.
The White Whale
But however the fight evolves, and however one feels about the teeth (or lack thereof) of CAN-SPAM, spam-fighters welcome any increase in enforcement. Spam has long been blamed for increasing Internet costs: when ISPs have to handle more traffic, they need more staff, stronger computers, and more bandwidth, all of which cost money. But University of Ottawa law professor and spam expert Michael Geist says the dangers are becoming even more insidious as "phishing" (stealing personal information by sending spams that mimic those from legitimate financial institutions) facilitates identity theft.
"We've undergone a gradual evolution from mere annoyance to more criminal activity," he said. "There's no silver bullet. You need technology. You need consumer education. And you need enforcement. But while there is activity on all three fronts, it seems to me this has largely become an enforcement problem. It is going to take a significant effort to stop the spammers, and we're not yet seeing that."
But the case against LeadPlex is, in Texas, a start. Pitylak is not talking to the press, but his attorney, Lin Hughes, says that every last one of his bazillion-odd spams was legal: They were properly identified and gave consumers a way to opt out of receiving them. Coffman disagrees: He tried opting out, only to find that "three days later I stopped getting spam from the addresses that were spamming me, and started getting the same spam from new addresses."
When Coffman talks about Pitylak, he sounds ever-so-slightly like Captain Ahab talking about the white whale. He plans to sue the 22-year-old, who was reported in a Chicago Tribune article to own a $450,000 house and a very fancy car, under the Texas Electronic Mail and Solicitation Act. (The federal CAN-SPAM act does not allow individuals to sue.) "The fine is $10 apiece, and I've got 4,500 of them," said Coffman, who has also sued a spammer in Plano. "If Ryan wants to write me a check today for $45,000, I'll drop it."
But the spam vigilante insists he's not "obsessed" with tracking down spammers. "It's just a problem that needs to be solved," he says. "Somebody had to do something about it." These days he spends only an hour or two a day sorting e-mails. And, he says, he's already got a new target. "Right now I'm hot on the trail of another one in Austin," he said. "He's pretty easy to find. Is it Ryan working under a different name? That I don't know."