Customer Reviews

Inside the SPAM Cartel: By Spammer-X

5 star:		(10)
4 star:		(2)
3 star:		(2)
2 star:		(1)
1 star:		(1)

 

 

Reading 'Inside the Spam Cartel' (ITSC) is like watching a racing car crash; you're horrified to see it happen, but you can't take your eyes off it. ITSC exposes spam from the point of view of the 'enemy' -- a spammer who claims 'you need to be ruthless in this industry if you want to make any money at it' (p. 132). This book is an absolute must-read for anyone trying to combat spam, especially policy makers who think passing laws with clever names makes any difference.

ITSC's value derives from the authenticity of the author(s). I suspect that a lead author may have received assistance from contributors, all of whom are spammers, or in one case, a 'reformed-spammer-cum-system-administrator' (p. 320). Some parts of the book hint at a British author (see references to 'parliament' and 'headmasters') while others hint at a New Yorker (see stories of conversing with passers-by in the city, or buying expensive goods on 5th Avenue). ITSC pulls no punches and gives enough detail to make any semi-technically savvy user a future spammer. Just as the Anonymous author of 1997's 'Maximum Security' brought 'hacking' to the masses, Spammer-X brings spamming to a world that only sees spam in in-boxes, not the method by which spam is sent.

I found ITSC's discussion of tools and techniques enlightening. Readers will learn about programs to generate and transmit spam. They are advisted to host images at overseas 'bullet-proof' Web hosts. Spammer-X explains how to manipulate message content for maximum effect, how to receive referrals fees from sites selling products, and how to collect payment via sometimes shady means. The spam case studies in ch 11 were excellent, and the charts showing 'revenue vs. products sold' in ch 6 showed the author(s) treat spamming as a true business.

The only flaws I found involved rough copy-editing and reporting a bogus story involving RFID chips in US $20 bills. I was disturbed to hear spammers defend their need to break into servers to steal/trade/sell email addresses. I was also appalled by their practice of turning innocent home users into bot net participants and spam proxy servers as part of 'the perfect spam' (ch 11). Spamming of that sort is not an 'art form' which transmits 'masterpieces' (p. 369); it is the end result of illegal and destructive intrusions that prey on weaker elements of digital society. Marketing is fine; unauthorized access is wrong.

The author(s) barely mention the best way to mitigate spam (probably because it will work): changing the financial equation. Once users charge senders before accepting their mail (and then refunding legitimate senders), spamming will be too expensive. Until that micro-payment infrastructure is in place, I recommend we all read and heed Spammer-X's fascinating work.

In order to fight an enemy, you have to understand him. And in order to fight spam, you need to understand the mindset of the spammer. To do that, pick up a copy of Inside the SPAM Cartel by Spammer-X (Syngress).

Chapter List: Inside the Head of a Spammer; How Spam Works; Sending Spam; Your E-mail: Digital Gold; Creating the Message and Getting It Read; Spam Filters: Detection and Evasion; Spam Filters: Advanced Detection and Evasion; Phishing and Scam Spam; Spam and the Law; Analyzing Spam; The Real Cost of Spam; Statistics of Spam; The Future of Spam; FAQs of Spam; Closing Comments; Combating Spam with Exchange Server and Outlook; Index

This book is written from the first-person perspective of a spammer, and goes into great detail about the mentality and technology of spamming. Whether Spammer-X is a real person or not is irrelevant. The information is excellent and will definitely aid anyone who is responsible for combatting spam in an organization. He covers everything from how spammers make their money, how they hide their tracks, what technology they use to send out the mailings, and what techniques are used to prevent the money from being tracked. If you're trying to figure out where a spam email originates from, you'll learn how to read the headers to deduce what's real and what's not. It's definitely interesting to read about the whole spam process from a "spammer friendly" perspective. The argument could be made that this is a handbook on how to become a spammer, but it's also important to know what the "enemy" is up against. I think it has much more value in that way.

My only complaint with the book is that the editing process of the writing must have broken down somewhere here. There are a number of typos and grammatical errors in the book. If the book wasn't so interesting and useful, I'd probably mark it down a notch for that. But the value of the material can't be overlooked, so I'll award it the top rating on Amazon... 5 stars.

While I consider myself somewhat competent on the geek scale, this book was quite an eye opener as to how much I didn't realize went on from a technical standpoint. I'm reminded of that saying (I'm sure you heard it as a kid as well) that goes something like, "if you'd just focus that energy toward something constructive..." There is enough information in the book to get you started in the spam business, but I wouldn't worry about a new rash of spam as a result of this book. I doubt any of this couldn't be discovered googling around the internet.

While I hate spam as much as the next guy, I was surprised to find myself agreeing with some of the "pro-spam" points brought up in this book. (Don't worry, I quickly gave myself a few lashings...) There is also quite a bit of discussion about the CAN-SPAM act that effectively makes it pointless - especially for a "legit" spammer. (Yep, spam can be legit.)

Spam Cartel was very educational and gave me plenty of ideas as to how to keep my own spam filters up to speed. I also find myself examining the spam that does get through and understanding why. Knowledge is power - and this book is full of information. However, it does seem to get a little repetitive at time and the title is a bit of a misnomer - I would have gone with "Confessions of a Spammer" or something cliché like that. :)

First up, let me say that the writing style is a little rough, and the book was not well proof read. But the anonymous author gives a piercing inside look at many aspects of spamming. He explains how there is a specialisation of skills. Some have a product (like fake Viagra) to sell. Others clandestinely acquire lists of email addresses (of you and me). While some actually craft messages to evade the ever-smarter antispam filters used by ISPs and individuals. The author is in the latter group of spammers.

He gives a fascinating technical description of his skills. While include finding open relays to inject spam into the Internet. We see how this is a dynamic process, as such relays are often then fingered as spam sources, necessitating their sysadmins to close the openness.

There are unsettling insights as to the vulnerability of many web sites to being unwitting open relays. An excellent example is an HTML web page that lets the reader fill a form. If you press the submit button, your browser then sends the data you wrote to an address at that web site. So what? Well, sometimes that address is hardwired into the static web page, as [eg] report@website.com. This lets him write a simple script to mimic the page, but change the recipient to an arbitrary address!! In other words, he can shovel his spam to everyone on his mailing list, while hiding his trail. Complaints from recipients will go to that web site.

His method is disquietingly easy to do, for someone of moderate skill. Worse, he shows how to search for such vulnerable pages by using Google to find pages that are likely to be forms. He then goes to the Google results, until he finds those he can use. He claims this often works. Probably so.

If you are a sysadmin who is installing or maintaining antispam filters, you should probably get several recent books on those. And I have reviewed many of those. But also get this book. None of those explain the problem from his side of the fence, and explain it this well.

I do a lot of incident response and antivirus work. While my initial response when a new virus or worm outbreak slams my network is to go into emergency response mode and be more than a little frustrated about giving up my nights or weekends to chase down malware, I often sit back when the dust has settled and admire the creativity and engineering genius that goes into some of the malware.

Spammer X, the author of this book, talks about spam in a similar fashion. It is a dirty, sneaky business, but when you stop to look at the engineering and ingenuity that goes into collecting addresses and distributing the spam it is almost awe inspiring. It would be nice if such programming genius and creative thinking were put to better use, but it is genius nonetheless.

This is one of the best books I have seen about spam. Rather than simply talking about bayesian filters or other blocking technologies or concepts, this book goes into detail about the business side of spam and how they get around your blocking and filters.

It may be a little disheartening to think you can't stop it, but it reads like a novel and it is very enlightening. I highly recommend this book, especially to admins trying to stop spam.

(...)

I hate spam and when i was given this book for xmas i was shy about reading it. However Spammer X does more than rabble on about the woes of spam, or how much money he makes from it.
I really could not put the book down, i finished it and wanted more. The spam cartel is simply amazing and it has opened my eyes to alot of filter evasion methods used to defeat my spam filters!

I also read (and reviewed) spam kings, but i felt very empty when i finished the book and really didnt want anymore.. Spam Cartel nicely filled that gap :)

I was very curious if 'spammer x' was a real person or not and did a bit of google searching.. And i think he is a real person, as the author did a radio interview with geekspeak.org late last year. Sounds very, very much like a real person.
[...]

The Vikings from Monty Python's Flying Circus love SPAM so much, that the mere mention of the word has them break out in song, singing "Spam! Lovely spam! Lovely spam!". For e-mail users, there are not many who would give the same response. We get it. We despise it. We wonder how many times we will get the same messages over and over again. But do we truly understand the machinations behind the scenes of the SPAM industry? It is this fundamental question that drives "Inside the SPAM Cartel: Trade Secrets From The Dark Side" (Spammer X, Jeffrey Posluns, Technical Editor, Syngress Press, 2004, 413 Pages). Written by an insider, the book provides detailed information and background but at times falters because of some very strongly stated opinions and facts that are just plain incorrect, as well as a very significant omission.

The book starts out strongly, as the author profiles the typical Spammer he is associated with and moves on to show that their is inherent trust among spammers. This trust, it seems, is based on necessity so that they can help each other make money. Money is part of a larger theme in this book because it is money that drives spammers and the content they deliver. Did you ever wonder why you see less and less pornography spam and increased amounts of messages for home mortgages? Because that is where the money is to be made.

The author makes a strong presentation throughout the book on how SPAM came to be from a simple but fatal flaw in SendMail, taking advantage of an Internet Architecture that was based on trust and not security, to the big money it is today. Consider that even if SPAM filters catch 99% of SPAM, the Spammers are still making money. Why? Because people are buying. The author not only gives an education on the many different types of SPAM, but shows you the tricks of the trade to bypass SPAM filters and get SPAM Messages read. You will also learn how to create a digital forensic trail to create a profile of a Spammer. You will also learn how they create profiles of you and your behaviours. You will also learn how the CAN-SPAM Act works, what is covered under the law, how to comply with the law and the huge legal loopholes that exist in the law that has Spammers scoffing at the law.

Yes the book is comprehensive, but suffers from what this reader considers to be some fatal flaws which take some of the sheen off of the credibility of the author and of the editorial vetting process of the publisher (note that this is not referring to the technical editing, but the editing to validate content. First, it is safe to assume that "Spammer X" is a citizen of a country in the British Commonwealth. How is this known? When you read in his book that the CAN-SPAM Act was passed by "Parliament", it is clear of the author's origin and his lack of knowledge of "big picture" issues. This is further compounded by the author's statement that CAN-SPAM will eventually become international law. This statement misses the point that there is no such thing as International Law that is binding on any country that chooses to ignore it.

The most egregious number that sticks out in this reader's mind comes from this quote in Chapter 10:

"With an estimated 273,706,064 Americans on the Internet...".

When this reader saw that number, some checking had to be done. Keep in mind that this book was written in 1994. According to the 2005 CIA World Factbook, last updated on June 30, 2005, the 2005 U.S. Population is estimated to be 295,734,134. That would mean the author is stating that 92.5% of Americans are on the Internet. This is very amazing when you consider that only 235,404,000 (and change) Americans are over the age of 14, and that only 260,000,000 live above the poverty line.

The reason that this concerns this reader is that if the author has played this fast and loose with these facts, and it was not caught in the editorial process, how can any of the other numbers in the book be trusted? It pains me to say this given my distrust of IT analyst firms, but how can an author who has played so fast and loose with numbers and facts be in a position to criticize anyone else's number?

Finally, I am disappointed that the author devotes a 29 page appendix and numerous references in the book on the anti-SPAM features of Microsoft Exchange, while totally ignoring the built in anti-SPAM features of Lotus Domino 6, which has over 100,000,000 users worldwide. Before writing this review, I asked the technical editor about this. He indicated that it was more than likely a reflection of the experience of the author(s), and that on at least two occasions he had made recommendations to include other products and service types as well. The author and Syngress did not do so, and it leaves this reader feeling a little empty.

Who Should Read This Book?

This book should be read by people interested in SPAM as a topic, information security managers, e-mail administrators, and educators.

The Scorecard

Because of the opinionated presentation, in some cases based on suspect facts and information, I am giving this book two ratings.

For readability, technical education and content: Birdie on short Par 4

For errors, mistakes of fact and opinions: Bogey on a Par 5 Reachable in 2 and playing downwind. The author should not have duck-hooked his drive into the trees.

This book is basically 'how to spam' for newbies; or 'how to analyze spam', if you prefer. In any case, it's for technical users. If you are looking for a novel, check "Spam Kings" instead.

Anyway, this book is written by a spammer, which (quite often) tries to justify himself as being a "legimate spammer" (meaning that he will send the stuff even if he knows it's overpriced, the spam was not opt-in, etc). This becomes quite annoying after a while, specially because he says "I don't care if you want to receive the spam or not; you are going to receive it". Thanks man.

As for a short advice on whether you should buy this book: If you are a hacker wanna be, or have an interest in security, it's a decent read.

Although Syngress apparently employed a Technical Editor (Jeffrey Posluns) and a Copy Editor (Judy Eby) in preparing this book, it's riddled with both technical and grammatical errors. For experienced email server administrators, Inside the Spam Cartel is an almost complete waste of time. Novices would learn a great deal from this book, but much of what they learned would be wrong. (For example, on p. 183 the author claims that a public key allows one to decrypt a message encrypted using PGP. Or take this discussion of BGP, from p. 64: "Each BGP router is given an Autonomous System (AS) number and each AS is unique and directly identifies the router by name.")

The first thing I thought while reading this book was how easy it still is for a spammer to do his work, in spite of the numerous spam filters and anti-spam machinations around. Spammers have become very adept at getting around spam filters to fill our mailboxes with unwanted commercial email. The book's author is a spammer himself and he points out, why aren't there laws against receiving junk mail in our mailboxes when that is (if not more so) just as annoying as spam email? And it seems that no matter how much energy is put into fighting spam, it will likely be around for a long time. So it really is a "cat and mouse game" between the spammers and the anti-spammer activists.

The author speaks of numerous ways that he and other spammers work, including getting around the spam filters, or finding domains to use to send spam that have been "abandoned" by bankrupt companies but never shut down. He speaks of "spackers," "hackers" who work with spammers to find e-mail lists to send spam out to. He also alludes to phishing or scam spams, even detailing his experience with answering one of the infamous "Nigerian 419 emails," pointing out how those scammers are able to dupe some people out of their money. He also makes it clear that he does not condone email scams. He also makes a point to refute the theories that say spam costs takes up time and lots of bandwidth, when it's clear no spammers will come forward to talk about the amount of time and bandwidth it really does take up. He speaks too of the future of spam (no it isn't going away), and even includes a short "spam FAQ."

While some might take the book's intent to be showing others "how to spam," the book's premise is of course more about "knowing the enemy." This is a book primarily of interest to network admins, security professionals and the like, but as an average computer user I still found this topic fascinating.