A Day in The Life of a Spammer

UPDATE: Richard Cunningham is like many twenty somethings in the United States — he enjoys
hanging out at the bars with friends, motorcycling, hiking and buying the latest
electronic gadgets. He regularly puts in 12-hour days from his home office and is
respected by peers in his industry.

But his industry is about as unconventional as it gets. And if the
anti-spam community discovered who he really was, it would go
out of its way to make life as difficult as possible for a guy who profits
from flooding your e-mail inbox.

“Richard Cunningham” more than likely isn’t his real name; he won’t say one
way or another. But that’s the name that appears on the WHOIS record for
Spamsoft.biz, a domain he owns. He’s also attributed as the owner of Sencode.com,
though a WHOIS query of that domain reveals the site’s owner
information is protected by a RegisterFly.com service called ProtectFly.

Cunningham’s identity is even murkier in the online forums he frequents.
In those, he’s known as “dollar” or
“swank.” He communicates mostly via online boards like
SpecialHam.com and private message boards, or with instant messaging clients
like AIM and ICQ.

There are many names attributed to Cunningham.
But only one is common in nearly every language and known by every person who’s
ever owned a computer with an Internet connection: spammer.

The moniker isn’t one Cunningham, or anyone else in the business of bulk e-mail
distribution, is fond of, understandably so, as he claims to send only
legitimate e-mails. Bulk mailing, he said, has been lumped into the same
category as illegal spam, which sports spoofed e-mail addresses or peddles in a
variety of unsavory markets like porn and Internet scams, such as the
Nigerian spam scam.

“The anti-spam community and media tends to like to blame us for all of it
and if you notice, a lot of the time the so-called spam-related cases were,
in fact, not spam related but scam related,” Cunningham said in an e-mail interview.
“Notice how they try to say spammers are the culprits? It’s another scheme
to put a bad image to bulk-mail marketing; I investigate and turn in
every single bit of these types of e-mails and operations I come across, as I
cannot stand them either.”

The Birth of a Bulk E-Mailer

When kids dream of what they want to be when they grow up, bulk e-mail marketer probably
doesn’t rank as high as fireman or astronaut. So how does one become one of the great Scourges of the Internet?

Like many people in his
generation, Cunningham grew up around computers and the Internet —
participating on BBSes and playing video
games. Cunningham said running with the wrong crowd and coming from a troubled family life,
along with getting tired of dreary nine to five work as a dish washer,
telemarketer and telephone order operator, prompted him to start looking for
other ways of making money “without worrying about Johnny Law or
stressing myself working for the man.”

The Internet of the 1990s provided for anyone with interest
a plethora of money schemes that ranged from MLMs (multi-level marketing or network marketing)
to referral programs creating “set and forget”
business opportunity Web sites.

Cunningham moved on to Unsolicited Commercial
E-mails (UCE) and mass-mailing software programs. Seeing that many of his
programmer friends were making good money with homegrown applications,
mainly targeted at AOL because of the ISP’s difficulty keeping up with
blocking technology, he began running his own spamming operations.

He also began to experiment with other mailing programs, such as Stealth Mass
Mailer, Send-Safe, Golden Launcher and Desktop Super Server, putting aside
some money each time and investing in other marketing schemes. In the
waning years of the 20th century, Cunningham migrated from promoting
others’ products to running his own affiliate programs, designing his own
marketing software and lending his services to other bulk-mail
providers. It was an evolution brought about by the changing times and the
growing clamor over junk e-mails and rise of the anti-spam community.

“The payoff for spam is not like it was in the old days,” he said. “It has
changed tremendously over the years as more and more people got into the
business, technology changed and people got wiser. In reality, you’d
assume the more surfers, the more money, but it doesn’t pan out that way any
more; it’s harder to make a living mailing now, and that’s a fact.”

For his part, Cunningham claims the only products he deals with range from
legal advertisements for herbal supplements or leads programs, a marketing
strategy that matches people to a particular product. He said he’s a firm
believer in responsible bulk e-mailing — using valid forms and valid
“Remove” links and processing them; in other words, keeping “your campaigns
nice and clean,” he said.

When he does send out bulk e-mail campaigns of his own, which Cunningham
said he does less these days than in years past, he sends between 30 million and 60
million General Internet (GI) e-mails a day for three or four days at a
time. GIs are “shot in the dark” e-mail addresses that are culled from e-mail
harvesting software, whose use does not target any particular demographic.

Ray Everett-Church is the co-founder of the Coalition Against Unsolicited
Commercial E-mail (CAUCE), a group that spends much of its time trying to
steer businesses and organizations away from marketing campaigns that could
be construed as spamming.

He rejects the claim that any group or individual,
whether or not they abide by the CAN-SPAM Act requirements, that conducts spam blitzes
does so legitimately. For an e-mail to be legitimate in his eyes, the marketer must have
had some prior business relationship to the recipient or the recipient has opted to receive
the specific type of e-mails (called opt-in).

“At some level, the folks who are engaged in a business where they are
sending out massive volumes that they couldn’t possibly have the permission
of all those recipients for, they know full well that they are not engaged
in legitimate or responsible non-spamming activities,” he said. “You don’t
typically come up with 60 million e-mail addresses through a permission-based
process.”

Everett-Church does believe that companies, and people, can be persuaded to steer their
business away from activities that are causing all the fuss. He points to
none other than Walt Rines, a notorious spammer in the 90s and a former
associate of spam king Sanford Wallace. Rines built and sold a
rather robust e-mail marketing architecture, he said, to a group of buyers
who turned it into TargetMail, a fairly reputable e-mail marketing services
company.

“There’s nothing more powerful than enlightened self-interest,” Everett-Church said.
“If you look at e-mail marketing and the tremendous opportunities that are
in that space, and you look at spamming, you see that they are not compatible
as far as longevity and long-term growth and opportunity.”

Cashing In (page 2 of 3)

Cunningham said the costs associated with bulk-mail or spamming
campaigns are considerable. He presented what is entailed in two common
set-ups that bulk mailers use in their campaigns.

One is called a proxy mail campaign. This calls for one server for hosting ($600-$1,000 a month);
a proxy mailing server ($300-$750 a month); a proxy subscription ($500 a month); mailing
software ($500 a copy); and a list of recipients’ e-mail addresses ($25 to $50
per million). Using the high end of each range, the initial cost of getting this campaign
off the ground would run $2,800. Most bulk-mailers, Cunningham said, send from two to six servers, buy or
harvest millions and millions of e-mail addresses and use multiple copies of
mailing software because of the click-through rates.

The direct mail campaign requires one server for hosting ($350-$600); a direct
mailing server ($250-$750); one to three domains for advertising ($25-$75);
valid return e-mail addresses ($25-$75); and direct mailing software
($800-$3,200). The initial cost for this campaign runs $4,700.

But when these costs are offset with the potential payoff from sales
leads, it is easy to see why many people, and businesses, aren’t put off
by the negative goodwill they receive for the business they conduct.

According to Cunningham’s figures on mortgage leads, he can get a
click-through rate for his messages from anywhere between 1:60 to 1:240, which
means that one person will respond for every 60 to 240 e-mails; for AOL
e-mail addresses the click-through rate is as favorable as 1:19. His
commission rate varies from $8 to $20 per lead.

The returns are pretty respectable for GI e-mail campaigns. Cunningham said that, on average, he makes anywhere from $40 – $200 per million mortgage lead e-mails sent out on a GI blast, with a $20 commission (Translation: two to 10 people out of one million translate into paying customers). To extrapolate, for a 240 million e-mail campaign, he can expect to make $9,600 – $48,000, on average, and dependent on the commission rate.

Cunningham wouldn’t say exactly how much he makes in a year. But he did say it’s
a six-digit figure. And yes, he said, he does pay his taxes.

Fighting Backlash

Nevertheless, his work has made him enemies. The bane of his existence, of course, is
the anti-spam community, which is often quite zealous in its efforts to put spammers, legitimate
bulk mailers and scammers alike out of business

Earlier this year, an individual e-mailed SpamCop, an anti-spam discussion site,
accusing Cunningham of sending Viagara, porn and easy-diploma advertisements to their inbox.
The e-mail read, “this guy should be in jail, he’s a real animal.”

The more hardcore RBLs block the entire domains
of Web hosting companies who do business with bulk-mailers. And

Cunningham claims others have gone so far as to threaten spammers’ families,
throw bricks through their windows and send them excrement through the
mail.

“They are nothing more than kooky Net trolls out to profit and glorify
themselves off a so-called problem more so than actually attempting to fix
the so-called problem,” he said. “They do not scare me, and the likes of
them are cowards hiding behind a computer screen.”

He’s not above tweaking members of the anti-spam community. His user
profile on the SpecialHam.com forum features a picture of a can of
Spam with cartoon character Homer Simpson drooling in the foreground.
The caption beneath the picture reads, “I would like to give a big ‘f***
you’ out to all of my favorite anti’s reading this profile. ;)”

You CAN-SPAM. Get Used to It (page 3 of 3)

All of his bulk-mailing campaigns are legal
thanks to the CAN-SPAM Act, which went into law in January. Four months after its passage, the
legislation has received lukewarm
reviews
from e-mail security outfits and the federal agencies charged
with enforcing the it.

Eight months later, it seems the United States has turned into the
largest spam haven in the world. E-mail security firm CipherTrust last week
reported that, while both the United States and South Korea represent
only 28 percent each of the IP addresses
used to send spam, a whopping 86 percent of the total spam volume comes from
the United States, with South Korea a distant second at 3 percent. The U.S. numbers
jumped enough during last year to indicate the CAN-SPAM Act had some effect on
the numbers, a CipherTrust official said, though it could be a short-term
spike as spammers test how far they can push the letter of the law.

Cunningham said spam is only going to get worse, not better, with time. More
legitimate bulk mailers and established companies will take advantage of the
CAN-SPAM’s wording: as long as the e-mail doesn’t use spoofed
IP addresses, contains an
Internet-based opt-out mechanism and includes a legitimate physical mailing address and
indication in the subject line that it’s an advertisement, then it is legal.

“Some spammers will go legit and some spammers won’t,” Cunningham said. “Some
spammers will stop and some will continue to pursue this lucrative business
practice.”

Jennifer Martin, a CipherTrust spokeswoman, said many spammers are
already finding ways to make it harder for the enforcement arms of the
CAN-SPAM Act to prosecute. She said the company’s already run into cases
where spam includes a legitimate e-mail address with an Internet-based
opt-out option. But, she continued, the server hosting the opt-out link returns a message
saying the unsubscribe option is out of order and to instead send the request by
regular mail to a postal address.

Not many computer users are experienced enough to know that the unsubscribe
process needs to be entirely electronic, Martin said, and so they don’t report it
to the authorities or their ISP.

Not everyone takes to that point of view, especially among the e-mail
marketing industry. Officials at the Direct Marketing Association (DMA), a
trade association that conducts interactive
and database marketing, say they have an entirely different impression of the effectiveness of the
CAN-SPAM Act.

Louis Mastria, DMA director of public and international affairs, said
the organization has been working with the FBI for the past year, donating technical and funding resources to aid law
enforcement officials. He said the response he’s gotten from federal
agents, the men and women actually responsible for enforcing the
legislation, have nothing but good things to say about the new law.

“What we’ve heard over and over again is that law enforcement feels like
this is a boon to them, because, prior to the passage of this act, it used to
be a very subjective thing. You would have to find out if they were
spamming, and it came down to intent. Intent is a little harder to
prove,” he said. “Under the CAN-SPAM Act, it’s black and white. You’ve
either included an Internet-based opt-out or you haven’t; you’ve either
included a physical address or you haven’t. So on its face, e-mail can
be judged spam very easily, and prosecutions can be built rather quickly. The
chances of success on prosecutions are significantly higher under the
CAN-SPAM Act.”

Still, enforcement of the act is getting off to a slow start, though Mastria
expects the number of cases to increase soon. In the two years leading up to the CAN-SPAM Act,
the FTC brought only 54 spam cases,
according to an attorney at the commission in an
interview last fall.

The problem with spammers using falsified information is the fact they are
so hard to track down, officials say, and they aren’t worried about breaking
the law in the first place. In one case, the FTC spent four months tracking
down one spammer’s identity in an investigation that took one year and
spanned two continents.

Phyllis Schneck, CipherTrust vice president of strategic development,
said the fact that more than 85 percent of spam is coming out of the United States
leads her to believe the arrests will pick up in time.

“I would expect to see more prosecutions and more court cases, but it goes
to the policy and enforcement piece of CAN-SPAM,” Schneck said. “You can have
technology and you can have policy, but at one point you need to show that
you’re going to enforce it.”

What Does It Really Cost in the End?

Like many others, Cunningham takes the stand common among both legitimate
bulk-mailers and illegal scammers alike: If you don’t like it, delete it.
That stand is one side of the central argument surrounding spam — the cost
to the end user.

For network administrators, ISPs and business executives alike, the cost of
spam is measured in terms of time wasted hitting the “delete mail” and
the money spent in bandwidth to download the messages. There are numerous “spam
calculators” on the Web that show just how much those costs are, like those
at Computer Mail
Services
, NetworkWorldFusion and MX Logic.

“You’ve got to take into consideration the use of advertisements, promotions
and more,” Cunningham said. “You would be surprised at how many of these
providers send their own advertisements and some even work
deals in the background with e-mail marketers.”

He declined to say who these providers are, saying that many “take
extra precautions to make sure this is never exposed.”

Despite the negative perception his job brings him, Cunningham doesn’t see
himself going “legitimate” and back to a nine-to-five job any time soon.

“I enjoy
what I do and I enjoy conversations with others in the industry,” he said.
“As long as it makes me money, I’ll continue to do it.”

Updates prior version with figures provided by Cunningham on average e-mail campaign returns.

News Around the Web