Information Security News mailing list archives

An Unrepentant Spammer Considers the Risks


From: InfoSec News <isn () c4i org>
Date: Wed, 31 Dec 2003 03:13:01 -0600 (CST)

http://www.nytimes.com/2003/12/30/technology/30spam.html

By SAUL HANSELL
December 30, 2003

Alan Ralsky, according to experts in the field, has long been one of
the most prolific senders of junk e-mail messages in the world. But he
has not sent a single message over the Internet in the last few weeks.

He stopped sending e-mail offers for everything from debt repayment
schemes to time-share vacations even before President Bush, on Dec.  
16, signed the new Can Spam Act, a law meant to crack down on
marketers like Mr. Ralsky.

He plans to resume in January, he said, after he overcomes some
computer problems, and only after he changes his practices to include
in his messages a return address and other information required by the
law, the title of which stands for Controlling the Assault of
Non-Solicited Pornography and Marketing.

That is quite a switch for Mr. Ralsky, who has earned a reputation as
a master of cyberdisguise. By his own admission, he once produced more
than 70 million messages a day from domains registered with fake
names, largely by way of foreign countries - or sometimes even by way
of hijacked computers - so that the recipients could not trace the
mail back to him.

Most experts in junk e-mail, known as spam, have dismissed the new
federal law as largely ineffectual. And many high-volume e-mailers say
the law may even improve the situation for them because it wipes away
a handful of tougher state laws.

But Mr. Ralsky, who lives in a Detroit suburb, says the law's
potential penalties - fines of up to $6 million and up to five years
in jail - are making him rethink his business.

"Of course I'm worried about it," he said after the law was signed.  
"You would have to be stupid to try to violate this law."

No one is saying that e-mail in-boxes will be clean of spam any time
soon. But the world is getting to be a much more hostile place for
spammers, particularly those who send some of the most offensive
messages. The biggest threat is not so much the new law, though it is
expected to play a role in stepped-up enforcement, as the increased
willingness of prosecutors to go after spammers.

In recent weeks, federal and state authorities have finally gotten the
attention of spammers with a series of tough civil and criminal
actions.

"These suits sent a shock wave through the spam world," said Steve
Linford, the director of the Spamhaus Project, an organization that
tracks bulk e-mailers and tries to thwart their moves. "Lots of
spammers are asking, 'Are we next?' "

Some bulk e-mailers, like Scott Richter, who was a principal target of
a civil suit filed last week by the New York attorney general, Eliot
Spitzer, vow to continue. But Mr. Richter has lost some major clients,
including mainstream companies like Omaha Steaks.

Still, in the week after the suit was filed, Mr. Richter's company,
OptInRealBig.com, was actively sending e-mail messages promoting
dozens of products, including laser guns, breast enlargement pills and
Christian dating services.

Others say they have been beaten down by blacklists created by
antispammers and filtering systems run by Internet service providers.

"E-mail is not working any more," said Brendan Battles, a longtime
marketer who has sold CD-ROM's containing long lists of e-mail
addresses. "More people are mailing and you get less and less
response." Mr. Battles says he has virtually given up the business.

"E-mail marketing is a good thing," Mr. Battles said. "I create jobs.  
But the media has made e-mail out to be some sort of terrorist plot."

Not long ago, Mr. Ralsky, like many other bulk e-mailers, had high
hopes that the new federal law would help legitimize his operation.  
Just after Thanksgiving, he sat on a cream-colored couch in the
basement of his large home in Bloomfield Hills, Mich., an affluent
suburb of Detroit, talking of how he expected the new law to make his
business easier. He would identify himself, as required, and would
honor any requests to be removed from his mailing lists, he said. He
said that he was counting on Internet providers, in return, to stop
trying to block his messages.

But more recently, Mr. Ralsky said in a follow-up interview by
telephone, he has come to the conclusion that the law is more
one-sided than he originally thought. Internet providers, he figures,
will be able to tag and discard his mail with more certainty.

"The law was not written for a commercial e-mailer," he said. "I don't
think what they are doing is fair." He suggested that the law was
largely a plot by the big companies that connect homes and businesses
to the Internet to keep all the profits from online marketing for
themselves.

"I have never once been ashamed of what I do," he said. "I feel this
is a business that has afforded me and my customers a better way of
life."

At the age of 58, Alan Ralsky seems an incongruous character in an
industry largely made up of men from the Nintendo generation.

"I am the oldest spammer you know of," Mr. Ralsky said. "You have a
bunch of kids in their late 20's doing this with a lot more technical
knowledge than I have. But they don't have any business sense."

Mr. Ralsky started delivering newspapers in his native Skokie, Ill.,
at the age of 7 and has been working ever since. Both his parents are
deaf.

"It was a wonderful thing that I had deaf parents," he said. "I was
proud of them and tried to be as helpful as I could, but you do grow
up fast."

After a stint in the Army, Mr. Ralsky had a career as an insurance
agent and sales manager. Then things began to go awry. In 1992, he
served 50 days in jail on a charge related to failing to deliver
documents to a group of investors. Two years later he was convicted of
falsifying documents that defrauded banks and was ordered to pay
$74,000 in restitution.

"I was in a bad business with bad partners," he said.

In 1995, he discovered e-mail messaging.

"I took my last thousand bucks and I bought a thousand dollars worth
of spam," Mr. Ralsky recalls. From the e-mail messages he was able to
send for that amount of money, he said, "I got nothing, but I said,
'You know what, there is something to this. It can take a small guy
and make him the equal of a Fortune 500 company.' "

His first real customer was in the business of selling remote backup
systems for computers. The fee was $1,000 to send a million e-mail
messages. He found 400 customers for his client. Soon Mr. Ralsky
hooked up with a time-share promoter, sending out offers of three-day,
two-night Florida vacations.

"From there it just got bigger and bigger and better," Mr. Ralsky
said. Travel clubs and time-share offers are a staple of his business,
as are debt consolidation services and e-books on how to win
government grants. He says he does not deal in pills or pornography.

Mr. Ralsky's mailing list now exceeds 150 million names. Unlike many
high-volume mailers, Mr. Ralsky does not claim to send only to people
who ask to receive marketing pitches. He says he sees nothing wrong
with sending unsolicited mail. He insists, though, that he has always
honored requests for removal from his list, something now required by
the new law.

"If someone is mad, all they need to do is unsubscribe," he said. "If
you don't want to get it, I don't want to send it to you."

This claim is impossible to verify, because nothing in Mr. Ralsky's
e-mail messages indicates that they are from him. Anyone who
unsubscribed from one of his mailings had no way to know if he stopped
sending messages or doubled his mailings to them, as some spammers do.

That will change if he identifies himself, as he says he will to
comply with the new law.

As Mr. Ralsky's business has grown, so has the backlash. Antispam
organizations, like Spamhaus and the Spam Protection Early Warning
System, work diligently to identify the addresses from which Mr.  
Ralsky is sending e-mail messages and to urge Internet providers to
evict him from their networks.

And in 2001, Verizon Online, a unit of Verizon Communications, sued
Mr. Ralsky, claiming he violated its policies by sending spam messages
by the millions to its Internet customers. Last year, Mr. Ralsky
settled the suit, paying an unspecified amount of damages and agreeing
not to send mail to Verizon Internet customers again.

Mr. Ralsky then redoubled his efforts to use fake names and other
techniques so his e-mail could not be easily traced.

"I have changed the way we mail totally," he said. The spam fighters,
he added, "have no idea what I'm mailing. They could never pinpoint it
and say this is from Al Ralsky."

Mr. Ralsky said that he was uncomfortable about this deception, but
that he had no choice. "Is putting bogus information in your
registrations the right way to do business?" he asked. "No. But the
Internet world has forced me to do that."

He has done business in two dozen countries, and has never visited any
of them. He buys mailing lists from people in Sweden and India. And
these days, he says, he sends his mail from computers in China and
three other countries.

"I have been hosted in strange places in the world," he said. "For
some reason the I.S.P.'s out of this country are a lot more liberal."

But, he acknowledges, they are not necessarily more reliable.

"You get good and bad in this business, and I have had all sorts of
people try to rip me off," he said.

Mr. Ralsky also acknowledged that he had used "open proxies" -
computers with improperly configured software that allow spammers to
relay messages without the knowledge of the computer owner.

"I personally hate mailing with proxies," he said. "It's rough. But
you do what you got to do."

Even before the new law was passed and the prosecutors stepped up
their actions, Mr. Ralsky said the business was getting harder. It was
taking more mail to get the same response. His target is to earn $500
in profit for every million e-mail messages sent; his commission is
often 40 percent of the price of each product sold.

And the cost of his carefully arranged international network is going
up, even more so now.

"The Chinese have decided that they will follow the law," he said. "We
will have to put in our address and a real 'unsubscribe' list," at an
added cost, he said, of $3,000 a month.

For all the obstacles, Mr. Ralsky said that he did not intend to stop
sending bulk e-mail in some form.

"There is too much money involved," he said. "I'm a survivor. And when
you are a survivor, you find a way to make it happen."




-
ISN is currently hosted by Attrition.org
