Posted: Sun Feb 06, 2005 12:37 am Post subject: Book Review - Inside the Spam Cartel
Inside the Spam Cartel
Author(s): Spammer-X. Jeffrey Posluns-Technical Editor
Publisher: Syngress www.syngress.com
Date Published: 2004
Book Specifications: Softcover 413 pages
Publisher's Suggested User Level: Not Rated
Reviewer's Recommended User Level: Intermediate
Suggested Publisher Price: $49.95 US / $72.95 CDN
Amazon.com: Inside the Spam Cartel
Amazon.co.uk: Inside the Spam Cartel
Blurb from back cover:
"You may not know me, but it's likely that you have received at least one of the 10 to 20 million spam e-mails I send each week. This is my story, my chance to tell the world how and why I became one of the world's most prolific spammers. I'll take you inside the Spam Cartel, showing real examples and techniques used to send spam, including how e-mail addresses are obtained, spam filters are evaded, and how money is made. I want you to understand how a spammer works and why I choose to work in one of the most hated industries in the world." -Spammer-X
Everybody that uses the Internet is impacted by spam in one way or another. For me, it is sorting through my mailbox over coffee; a scene I imagine played out in offices around the world. Stu Sjouwerman, founder of Sunbelt Software, and technical editor, says “It is a game of technical leapfrog.” We find a way to stop them, and they find a way around it.
It’s a playground where millions of dollars are at stake. On one side is government legislation and public outrage. On the other side is greed, represented by Spammer-X.
By explaining spam forensics, exposing weaknesses in filtering systems, and educating system administrators and law enforcement officials, Spammer-X proposes to show us how to fight back against spam.
Spammer-X starts out by letting us get inside his head. He is pretty much a normal person like everyone else, except for the fact that he can make $1500 an hour from the privacy of his own home. That part really grabbed me. When he points out that we are bombarded with spam every day on billboards and television, you start to understand how he thinks. And it is true. Why do we put up with that?
When he talks about being stigmatized by his family and friends because of his chosen occupation, I almost feel sorry for him. Almost.
Chapters 2-6 get us into the meat of the business, first describing the business aspects, the harvesting of email addresses, creating a sure-fire sales-pitch, and most importantly to Spammer-X, getting paid.
One of the highlights of this section for me was the methods and history of techniques in which spam is sent. Most of us are aware of the Messenger Service and Instant Messaging techniques, but those of us outside the computer security profession are probably not very familiar with Botnets or CGI hacking, which are both covered thoroughly. As a programmer, I was also quite interested in the sections that discussed finding flaws in existing Email servers and exploiting them.
Chapters 7-8 will probably be of the most interest to security professionals, because they go in depth to describe how spammers evade detection, and really represent the meat of the book. While we try filtering mail based on header and text analysis, blacklists, Bayesian filters, and hash databases, the spammers are using proxy servers, registering thousands of domain names, using HTML, and injecting random data.
Chapter 9 is titled “Phishing and Scam Spam”, which seems out of place in the book, because the people that would most benefit from this chapter probably would never pick up this book in the first place. Still, it does contain useful information for identifying scams, although most of it is common sense.
Chapter 10 discusses attempts to regulate spam, and the Spammer’s view of such laws. We have all seen that current laws have done nothing to reduce the flood, in spite of high profile lawsuits brought about by Microsoft and others. Why is that? Because spammers will go to great lengths to get your email address, exploit software, and steal unused IP space. They don’t follow existing rules, so it is nothing to ignore a few more. The money to be made is just too great. This chapter is useful to Law Enforcement for identifying legal spam though.
Chapter 11 covers the techniques of analyzing spam, which at first glance seems to be a forensic study for tracking spam, but is actually more of an explanation of how to create good advertisements that will get by filters. The rest of the chapter is an exercise in reading headers. I think that since this book is geared more towards advanced users, this part is somewhat redundant.
The next two chapters cover the costs and statistics related to junk e-mails. While I find them mildly interesting, the cynic in me realizes that they are deliberately presented in such a way as to make it seem as though the financial impact is small compared to the costs of maintenance, upgrades and patching. In Spammer-X’s own example, he states that annual costs to him, just to delete spam, are about $15 (although he is heavily filtered). Based on some unscientific research I did, I estimate the cost to the average user to be somewhere between double and triple that amount. Taking that, times the roughly .8 billion users world-wide (stats taken from http://www.internetworldstats.com/stats.htm), that represents between $24 and $36 billion in costs. That doesn’t even include costs for maintaining filters, bandwidth, etc.
Chapter 14 ponders the future of spam, and discusses the implications of Radio Frequency Identification tags (RFID), Spam over Internet Telephony (SPIT), legislation, and filtering techniques. As Stu Sjouwerman points out in the introduction, the new Sender ID initiative that is supposed to help reduce spam has already been proven ineffective, and it has not even been implemented yet.
The appendix shows tips and techniques for configuring Outlook and Exchange Server. Again, most industry professionals are probably aware of the techniques, but for those that are not, this section will be helpful in reducing costs associated with spam, providing they use these applications in the first place.
I like it. Among the features I like the best are the “Trade Secrets” and the “Notes From The Underground”, which are full of side notes and insights into the business of Spam. I found the book to be technically sound, and very informative. Even though some of the material is more suited towards the advanced user, I think even beginners will come away with a good overview of how the industry works, and how to fight back. I couldn’t help feeling, however, that Spammer-X was trying to use this as a vehicle to legitimize himself to family and friends.
This book receives an honored SFDC Rating of 8/10.
This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.