Unsuspecting accomplices

Anyone with an inbox will tell you that the spam problem shows no sign of abating. Whether people identify and delete spam themselves or they have filtering in place that does it for them, spam impacts almost everyone that uses email.

The sentiment that spam is on the increase is supported by statistics. Twelve months ago the percentage of email MessageLabs intercepted as spam was 44.2 percent. By April 2004, that figure had risen to 67.6 percent.

Over time, spammers have developed a variety of ways to maximize the chances that unsolicited, unwanted emails reach their targets. From the early days of simple bulk emailing to the more recent use of open proxies and slave networks, spammers have been relentless in their desire to ensure that must-have bottles of herbal lobotomy tablets are offered to more people.

Today, the individuals behind spam are being forced to operate in an increasingly hostile environment. They should not be surprised that individual users, businesses, industry bodies, governments and political bodies have lost all patience with spam and are investing serious resources in combating the problem.

You would be forgiven for thinking that spammers would get the hint, that they would simply pack up and get a real job – but the die-hard devotees just find new ways to circumvent the obstacles put in their paths.

One spammer tactic is the use of a distributed email sending client, known as VirtualMDA. This piece of client software turns individual machines into background spam relays, allowing the spammer to route spam through the machine during idle time.

Anyone foolish enough to allow his machine to be used to spew spam will apparently be paid $5 to install the software and a further $1 for every hour of CPU time taken up by sending spam.

The company behind the tool – Sendmails Corporation – is based in New Hampshire. The man behind this operation is Brian Haberstroh, a man listed as an offender on the Register of Known Spam Operations.

It is easy to see what a spammer would get out of having software like VirtualMDA at their disposal. By recruiting other computer users to do the spamming for them, they are making dramatic bandwidth savings and are making it more difficult to block spam according to where it has been sent from. They are also shifting some of the legal liability from themselves to individual users who may not know better.

Haberstroh may claim that email marketing sent using VirtualMDA is opt-in only and is fully compliant with recent legislation – such as the spam-friendly CAN-SPAM Act – but this is an unsubstantiated assertion.

For the computer user eager to get his hands on some extra cash, there are a variety of pitfalls. Perhaps the most likely outcome is having the ISP that handles the account close it down, as most explicitly forbid the sending of bulk emails. It is also likely that seduced users will find themselves on IP blacklists and listed as spammers themselves.

According to the promoters of VirtualMDA the messages sent do not contravene recent legislation. This means these messages must contain a valid return email address and a mechanism for allowing people to unsubscribe (amongst other things).

However, it is no surprise to learn that numerous claims have been made stating that VirtualMDA advertisements do not abide by the law.

Email accounts with addresses kept strictly private have apparently been sent VirtualMDA messages – an indication that the emails have been sent by someone getting lucky at guessing the address. If this is the case, the computer users who allowed their machines to send the emails could be legally liable for distributing spam.

More interesting are the claims that the machines from which VirtualMDA material has been sent have been traced and their owners confronted. Disconcertingly, when questioned, the individuals assert that they have never even heard of VirtualMDA. If true, that would mean that the software was somehow installed on their machines without their knowledge.

The similarity between VirtualMDA's stated approach and the use of an open proxy slave army is striking – both offer a way for spammers to disseminate email without actually having to do it themselves. The perceived difference is that one seeks the permission of the user and compensates him for the use of his machine while the other is done without the user's knowledge. If VirtualMDA is being installed covertly, the two are more closely related than originally believed.

Undoubtedly, the attraction for many computer users is the prospect of earning money from simply leasing their otherwise idle machines. The concept – a fee for installing the software and cash for every hour of CPU time – is simple enough. But look beneath the surface and it is not so straightforward.

According to the VirtualMDA contract, no money is paid until $50 has been earned. According to Sendmails, no single PC using the software will send out more than 10,000 messages in a 24-hour period. In fact, many will only send around 1,000. For a modern PC, pumping out 1,000 messages takes only a few minutes, so it could be quite some time before $50 is due.

There is also a lack of clarity about what a CPU hour is. In one user's experience, the program had been running for 15 minutes but had only used 15 seconds of CPU time at two percent usage. Although it may appear that $1 will be paid for every hour, that "hour" could be much longer than 60 minutes.

The good news for businesses is that it is no harder to protect against spam sent via VirtualMDA than any other kind. Sophisticated anti-spam technology knows that if it looks, tastes and smells like spam then it probably is – irrespective of the point of origin.

The real victims are the foolishly deceived computer users. They start by believing they can make a quick and easy buck, but instead they become a member of the spammer community with nothing but a bad reputation to show for it.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.