Selling the tools used by spammers is easy money, at least until you get caught. Just ask Adam Sweaney, a man charged with computer fraud who took the stand at the sentencing hearing in Seattle for Robert Soloway, the so-called spam king.
Sweaney said he earned about US$2,500 a month for a couple of years selling botnets that could be used for a variety of activities including sending spam e-mails. He didn't even write them himself, but he traded or bought them in online forums, he said.
Sweaney didn't sell a massive volume to a wide variety of people -- a typical week might involve selling three or four botnets to any of his six regular customers, he said. He also sold millions of e-mail addresses to spammers, including one who, unfortunately for Sweaney, was an undercover U.S. Federal Bureau of Investigation agent.
Testimony from Sweaney and others during the sentencing hearing for Soloway, the man notorious for the volume of spam that he facilitated, offered an inside look at the big business of online fraud. While antispam efforts implemented by ISPs (Internet service providers) may have shut out the small-time spammers, the more sophisticated players remain, and they have developed tools to make their efforts easier.
From the stand on Monday, investigators revealed some of the techniques that Soloway allegedly used to send out massive amounts of e-mail. After the government seized Soloway's servers from GoDaddy, a hosting company, investigators found files with as many as 10 million e-mail addresses on each server, according to Thomas Ervin, an engineer at the Mitre Corporation, a company the government hired to help investigate the case.
They also found Dark Mailer software on each server. Dark Mailer is a program that users can set up to automatically send out mass e-mails, drawing from databases to fill in the to, from, subject and body fields of the e-mail message. It also can spoof the header information, making it difficult to trace where the mail came from.
When Ervin began examining the Dark Mailer programs on the servers, they were set to send out 500 messages at a time, with the text body of the message rotated every five minutes.
Soloway ran a company called Newport Internet Marketing. He advertised a mass e-mail service that purported to send messages to an opt-in list of addresses, but he didn't have such a permission-based list. He also sold software that he said would let customers manage their own e-mail campaigns, but it often didn't work. Prosecutors allege that during a three-year period Soloway earned about $1 million.
The level of technical professionalism in Soloway's spam business backs up testimony from Brian Sullivan, an AOL executive. When spam first became a problem, lots of people got into it, viewing bulk e-mailing as essentially free marketing, Sullivan said. "But as we increased the hurdles, a lot of the weekend spammers have gone away. What was left was the professionals, people looking to make a business out of this," he said.
The volume of spam that a single ISP handles is staggering. AOL sends 700 million pieces of e-mail a day to its 60 million active AOL e-mail users, Sullivan said. Of those e-mails, on a bad day as many as 30 percent can end up in spam folders, he said.
Still, in perhaps an indication of how good the spammers have become, Sullivan said he couldn't point to a single piece of evidence that AOL had ever sent or intercepted a spam e-mail from Soloway or the program he sold.
Over 400 complaints have been filed about Newport Internet Marketing to various organizations, including the Better Business Bureau, the U.S. Federal Trade Commission and the U.S. Attorney General, said Kenneth Schmutz, a special agent in the FBI's computer crime squad who opened the investigation on Soloway.
One such victim was Thomas Miller, who runs a nonprofit, nondenominational religious organization that counsels death row inmates and helps jobless and hungry people in Ohio. Newport Internet Marketing offered to run a free e-mail campaign for Miller, who was looking to raise money for his organization. Instead, Miller's Web site was ultimately shut down by his hosting company after the company found that large amounts of spam e-mail were being sent from his account, purportedly by Soloway.
Miller estimates he lost $12,000 to $24,000 throughout the debacle while he scrambled to get a new site up and lost potential donations because he was without the site. He said he testified at the hearings because it was the right thing to do, but he doesn't have high expectations. "I don't believe I'll ever get anything," he said.
Miller and the others spoke on the second and not yet final day of sentencing hearings for Soloway, who pled guilty to federal charges of fraud and tax evasion for his role in sending or facilitating the sending of untold number of spam e-mail. While it's unusual for a sentencing hearing to be scheduled for two days, this one will last even longer, since all the witnesses did not have time to take the stand by the end of the day Monday. The final day of hearings should be July 22, when the judge will most likely hand down a sentence. The government is asking for a sentence 14 years in prison and has said it will ask for a separate restitution hearing to determine how much money, if any, Soloway should pay victims.
Soloway has already lost civil cases filed by Microsoft and another ISP in Oklahoma. He was ordered to pay Microsoft $7.8 million and the Oklahoma ISP $10 million, although he has yet to begin paying either.