A spammer spills it all

Starting spammer S. Pammer had sent spam for almost exactly four months; his last run was already some time ago. In a rather agreeable conversation in the middle of the night, S. Pammer relayed his side of the story. The conversation covers nearly all aspects of his spamming activities: his motivation, how the spam was sent and his web site hosted, the quality of his address files and his actual profits.

Conversation in the night

The following facts are taken from that conversation, and give us a more detailed insight into the economy of spamming. I know that Rule #1 usually applies, but I have no reason to distrust the facts as presented by S. Pammer: he himself is too naive, his story too detailed, and most of all: his story is too consistent.

Due to my promise to S. Pammer that I would not disclose his name in this report, some facts have been anonymised. S. Pammer is of course not his real name, nor does he sell canned meat. Besides, his identity isn't relevant (there are more small spammers who operate in this manner): the real meat is in the numbers and methods involved. And the numbers and methods are truthfully reported.

Translation by Karin Spaink (original text in Dutch). Research in cooperation with two fellow anti-spammers.

His motivation

As with almost all spammers, money was the main motivation. Slightly over half a year ago, S. Pammer received spam advertising canned meat. When his order arrived, he saw the name of the supplier on the tin. When he checked the web site of that supplier, he noticed that the cost price amounted to circa a fifth of the price he had paid to the spammer. Reckoning that he could make a quick buck this way, S. Pammer started his own, comparable web site.

He also copied the idea to spam for the product from his competitor. If it worked for the original spammer, why wouldn't it work for him?

Technique

In the beginning: the first 1.5 months

S. Pammer starts by using his dial-up account with Planet Internet. He uses the program Mailbomber to send his spam. In retrospect, it's a stupid program: it can't do much and it keeps the traceability of the run high because it doesn't cloak the IP from which the spam is sent. The web site is hosted with (anonymised Dutch provider) AnonISP.

Because both Planet Internet and AnonISP act after the second spam run, S. Pammer needs to investigate other options. He decides upon a cheap dial-up with ISD Holland. AnonISP insists on removing the web site, not because spamming is against their general conditions (it's not), but because the mail bombs of S. Pammer's competitor would endanger their continuity (connectivity!). When it dawns upon him that no Dutch provider will host his site permanently, S. Pammer diverts his site to a hosting company in Hungary that he has heard of.

S. Pammer also sends spam via the network of the Rotterdam Erasmus University, where he runs Mailbomber in the background. In this way, he sends two runs from his university account. The university does not take measures, neither during nor after the run.

Exploring new options: a month without spam

Because the cheap dial-up accounts cost money (keeping the connection up overnight costs 10 euro per night) and the sending of the runs takes too much time, S. Pammer starts exploring other methods for sending spam and hosting his site. He notices that his colleagues use open proxies, but has no clue what they are, and that web sites are hosted 'bullet proof' in China. During a whole month he refrains from spamming and takes that time to investigate new options.

Open proxies and bullet proof hosting, the last 1.5 months

 

Within three months of his first spamrun S. Pammer discovers send-safe.com (Spamhaus record). After payment, that site allows him to send his spam via open proxies in a very simple way. For USD 50 excluding VAT he buys his first 400,000 credits; one credit equals the sending of one spam mail. Because they have a special offer running that month, send-safe.com doubles his credits for free, which enables him to send no less than 800,000 spams for 50 dollars.

The system is rather straightforward. The spammer needs to log in via a program that he can download from send-safe.com's site (send-safe.com's screenshots and local copy). He can then prepare the text which is to be sent and upload his address files. The program then fetches a list of open proxies from send-safe.com's servers (the connection to send-safe.com is https; the spammer can see which proxies are abused). The open proxies offered aren't very fresh: most of them are non-functional or blocked on mailservers right away.

After these preparations, the spam can be sent. The program supplied will set up a connection, routing the spammer to an open proxy server and from there to the mail server where the spam is to be sent. If that mail server accepts the connection, the spam mail will be sent and a credit will be deducted from the spammer's account. If the mail server does not accept the connection because the IP of the open proxy is blacklisted, the e-mail will not be sent and no credit will be deducted.
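How the connect-time blacklist rejection described above typically works on the receiving mail server, as an added example that is not part of the original article: a DNSBL lookup of the connecting IP. The zone name, sample addresses and function names are assumptions; the article does not say which blacklists the mail servers used.

```python
import ipaddress
import socket

ZONE = "dnsbl.example.org"  # hypothetical DNSBL zone (assumption, not from the article)

def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name for a connecting client IP (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))        # 192.0.2.99 -> 99.2.0.192
    else:
        # IPv6: all 32 hex nibbles, reversed, one label each
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if there is none.
    Lookup failures also return None, so the check fails open."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def smtp_connect_decision(client_ip, resolver=system_resolver, zone=ZONE):
    """Decide at connect time, before any message is accepted."""
    answer = resolver(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return "accept"   # not listed: the SMTP dialogue continues
    # By convention a listing answers inside 127.0.0.0/8. Any other answer
    # points to a broken or hijacked zone and must not cause a rejection.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "reject"   # refused at connect: nothing is delivered
    return "accept"

# Constructed sample data: a fake zone listing one proxy (documentation range).
FAKE_ZONE = {"99.2.0.192." + ZONE: "127.0.0.2"}

def demo():
    """Run the decision for a listed and an unlisted client, fully offline."""
    return {ip: smtp_connect_decision(ip, FAKE_ZONE.get)
            for ip in ("192.0.2.99", "192.0.2.10")}

if __name__ == "__main__":
    print(demo())
```

A rejection at this stage happens before the message is transferred, which matches the account above: the mail is never delivered and, on the sender's side, no credit is deducted.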

In this way, S. Pammer sends out spam for eleven days. The table on the right-hand side shows the number of credits that have been deducted by send-safe.com; the numbers come from the web page shown to logged-in members at send-safe.com. Research shows that credits are only deducted when an e-mail is actually accepted by the target mailserver, so these numbers are a pretty accurate indication of the number of spams sent.

For hosting his site, he contacts Patrick Platenkamp after having seen that he is hosting his spamvertised sites in China. Platenkamp refers him to worldsoftwarehouse.co.uk, via whom one can get bullet proof hosting in China for 125 euro per month (USD 149; you can freely choose which currency you want to use). The DNS is done by worldsoftwarehouse.co.uk and S. Pammer can upload his files via FTP to the server in China. During the month that he sent his spam, S. Pammer's site has never been closed down.

The address files

 

Originally, S. Pammer harvested his own addresses, nicking them manually from web sites.

To get more addresses, he buys a CD with 4,000,000 addresses for 300 euro. The CD is sold by co-spammer Ronald van der Wal. S. Pammer does not make this decision lightly: 300 euros is a tough investment for somebody who has no job to speak of.

The CD is delivered with a sloppy bill and for that reason S. Pammer decides to not pay it, reasoning that he will get a reminder if their administration is not as sloppy as he assumes. Instead, he receives a letter from debt-collecting agency No Risk BV (see also here). With the collection costs added, the CD cost him 388 euros.

The contents of the Ronald van der Wal CD are very similar to the one sold by Patrick de Bruin that I analysed earlier. Of all the addresses listed, only 56% is syntactically correct. S. Pammer told me that 60% of the addresses were unusable (due to syntax errors) and that of the remaining addresses circa a fourth bounced, due to mailboxes being full or out of use. Chances are that S. Pammer's estimate is slightly distorted. Based on my own previous investigations, my conjecture is that the CD has fewer invalid addresses but that more bounces ensue – which, by the way, leads to the same net result.

Spam economy

 

The only reason to start spamming is money. That is S. Pammer's motive too. The timing of his last spamrun is not only based on the commercially viable date; another reason is that his housemates are on vacation. That decreases the annoyance of annoying phone calls.

Sending the last series of spamruns took five days. S. Pammer thinks that this spam has been sent to 200,000 to 250,000 addresses; the other 400,000 turned out to not work. The address base used consisted of circa 52 files containing 10,000 addresses each, retrieved from the Van der Wal CD, supplemented by the working addresses distilled from previous runs. Of that supplement, only 10% works this time. Based on my own calculations, he has sent 272,455 spams in five days' time.

The body of the spam contains a link to linkcounter.be. This allows S. Pammer to make a proper estimate of the number of times that the spam mail has actually been looked at (people opening it in their e-mail program). The last day of his spam run created 26,000 link counts. 488 people actually visited the spamvertized site, and 20 to 30 ordered. This particular run did not give rise to many complaints by e-mail; however, more and more nasty telephone calls result.

Most orders seem to have been made on impulse: they are done during or immediately after the spam run. The maximum amount of orders per run is circa 30. The competing spammer, from whom S. Pammer copied the idea and who sells a similar product, has previously stated that he could haul in circa 40 orders per 5000 spam mails; based on the current evidence, that seems pretty far-fetched.

Customers can pay their bill in two ways. They can either put money directly into S. Pammer's bank account or pay cash on delivery. Only a few people prefer the latter method (probably because that costs another 9.50 euros extra). Of all customers who order after a run, five to ten percent pay cash on delivery. Returning customers or customers who have found the web site through other means, usually pay via the bank. Of those who order via the site and select direct payment, a fourth apparently have second thoughts: they never pay. Customers who order five tins at once do not have to pay postage fee. On average, customers order two or three tins at a time.

The tins of meat are bought at a Dutch importer, who in turn buys them from a Belgian importer who buys them in the former Soviet Union. The Dutch importer charges 2.31 euro per tin, excluding VAT and postage. Postage depends on the size of his order. Generally, S. Pammer pays 2.95 euro per tin, all costs included. His house mate helps him to pack orders, at the price of 50 cents per tin.

S. Pammer pays tax, too. Currently, he is awaiting the proper forms.

When he stops his spamming activities, he has 600 tins in stock. He expects to sell them in the near future, mostly to old customers. His current stock is the main reason why he does not want to remove his web site, although he will abstain from spamvertizing it in the future.

His estimated net profit after five months and 25 days of spamruns is between 2,000 and 3,000 euros. I guess the profit in fact is much lower considering the profit calculated (see table) – a "profit" without calculating many hours of labour.