When spam eludes software, bring in the detectives

Last modified: May 31, 2004, 8:18 AM PDT

Sterling McBride spends a lot of time waiting for spammers to make a mistake. They usually do.

When he hunted down escaped prisoners for the United States Marshals Service, McBride learned the value of lying low until fugitives trip up, leaving small clues on their whereabouts. Now, as an investigator for Microsoft, McBride watches carefully for tidbits of data that link some of the 2 billion pieces of junk e-mail that Microsoft's Hotmail service receives each day with the people who send them.

Once he finds an electronic key to the spammer's identity--a real name, address or phone number--McBride uses all the tools of a regular detective: trailing suspects, subpoenaing their bank records and looking for disgruntled former associates to become informers. But first he must lift the cloak of anonymity provided by the Internet.

"The guys who do this are pretty tenacious," McBride said. "There are networks that are very well organized. But we have really started to figure out how they operate."

Spammers have been sending more junk e-mail than ever, despite a new federal antispam law that took effect Jan. 1. So far, few have been brought into court because it is hard to find them and link them to electronic offers of pills and pornography.

So the vanguard of the fight against spam has turned from software engineers who try to identify and block spam from e-mail in-boxes to investigators in private industry, like McBride, and an increasing number of prosecutors and law enforcement agents who are learning how to combine traditional detective work with cybersleuthing.

The Federal Bureau of Investigation is increasing its effort to investigate spammers, largely in response to the new law. In an unusual arrangement, the Direct Marketing Association has paid $500,000 to hire 15 investigators who work alongside agents from the FBI and other government agencies in a program known as Project Slam Spam.

Using information provided by Internet providers along with their own decoy computers and e-mail accounts, these investigators have built a database of more than 100 spammers. Increasingly they are actually purchasing pills and responding to offers of get-rich-quick schemes to track down the spammers.

"Initially you start to work backwards from the e-mail and find that to be a very frustrating route," said Daniel Larkin, chief of the FBI's Internet Crime Complaint Center, the unit that is coordinating Project Slam Spam. "That doesn't lead to a live body. We have collectively realized you have to go the other way and follow the money trail."

The project has built cases against 50 spammers, which it has started to refer to federal and state prosecutors. It hopes to orchestrate a coordinated sweep of spam prosecutions and civil cases later this year to highlight the seriousness of its antispam efforts, Larkin said.

Even before the new law took effect, there was an increase in both civil and criminal actions against spammers. Last week, Howard Carmack, who sent 825 million junk e-mail messages from his home in Buffalo, was sentenced to at least three and a half years in prison, in a case brought in 2003 by New York State for violations of identity theft and business records laws.

The big Internet service providers, especially America Online, a unit of Time Warner, and EarthLink, have been steadily suing spammers for the last few years, using trespass and computer crime laws.

A slow start for Microsoft
Microsoft is a relative latecomer to the tactic. Until recently, it hoped to rely mainly on software to identify and discard spam. But once it decided to take spammers to court, it moved after them with a vengeance, building what is probably the biggest operation in the world devoted to investigating and suing spammers.

Microsoft's 2-year-old "digital integrity" unit--which also fights online fraud, identity theft and spyware--employs more than 100 people around the world and has an annual budget of more than $10 million. Many investigators, including McBride, were former law enforcement officers and prosecutors hired originally to track down software counterfeiters who have shifted their attention to spam.



	For the latest breaking news, visit NYTimes.com Sign up to receive top headlines Get Dealbook, a daily corporate finance email briefing Search the jobs listings at NYTimes.com Search NYTimes.com:

Standing in a small conference room on Microsoft's vast campus earlier this spring, McBride, 38, explained how the techniques he learned in tracking down prison escapees have come in handy finding spammers. He unfurled a giant piece of paper covered with hundreds of tiny symbols--faces, trucks, computer screens, telephones--connected by a spider's web of multicolored lines.

The diagram was made with a software program used by police to keep track of organized crime investigations. The networks of people and companies that send junk e-mail solicitations are just as complicated, McBride said.

He pointed to a small icon of an envelope, representing junk e-mail promoting a Web site called Camania.com that lets users view people performing sexual acts in front of their Webcams. A line leads from the envelope icon to an icon for the Web site, which was registered in a fake name.

"They did a good job of hiding themselves," McBride said. "Everything was registered to post office boxes and there were phones that forwarded to other phones with voice mail."

But one icon on the diagram shows where the spammers slipped up. It is a real postal box that was associated with the Camania site. It turned out to be at a Mail Boxes Etc. in Kirkland, Wash., only a few minutes from Microsoft's headquarters.

Microsoft then hired outside investigators to stake out and follow whoever picked up the mail. It turned out to be Jason Cazes, who McBride said sells "MaxxLength" penis enlargement pills.

Eventually, McBride was able to collect sufficient evidence for Microsoft to file civil lawsuits last December against Cazes and two other people, accusing them of sending spam on behalf of Camania and MaxxLength.

A lawyer for Cazes, Mark Douglas Kimball, said Cazes was involved in running adult Web sites and a nutritional supplement business, but did not send any spam. Kimball said he was not aware that Microsoft had his client's mailbox watched, but said such a tactic was unnecessary because the ownership of the businesses was available in public records.

Spilling the beans
One of the most powerful tactics in criminal investigations--and one that Microsoft used in this case--was an informant familiar with the spam operation.

"Spammers are more than willing to rat each other out," McBride said.

In the last 15 months, Microsoft has filed 53 civil cases against spammers. Ten have resulted in court orders banning the defendant from further spamming, either because of a settlement or because the defendant did not show up in court. One case was dismissed. The rest are working their way through the Washington State courts.

If the amount of spam is any measure, the spammers have not been scared off.

But Timothy Cranton, the lawyer who runs the Microsoft digital integrity unit, argues that the private and government legal actions will ultimately make a difference.

"A lot of spammers think what they are doing is perfectly fine," Cranton said. Enforcing the federal law, he said, will show them "that what they are doing is not fine."

For years, an energetic community of amateur spam detectives has been trying to get Internet providers to kick spammers off their networks. Increasingly, those volunteers are trading tips with law enforcement agencies and Internet providers.

"We do a fair bit of work with Microsoft," said Steve Linford, the founder of Spamhaus, a prominent volunteer spam-investigating organization. "They are getting serious about fighting spam and putting their money where their mouth is."

By filing lawsuits known as "John Doe" suits, in which the identity of the defendant is not known, Internet providers are able to subpoena records from banks and others to determine the identity of spammers.

"The most useful information is who pays for various aspects of the spam operation," said David Bateman, a lawyer at Preston Gates & Ellis in Seattle who represents Microsoft in spam cases. "To spam, you need four or five things--a hosting service, a domain name, mailing software, mailing lists and so on. Each one you have to purchase from someone."

For example, Microsoft identified a series of advertisements for pornography and herbal supplements that were sent as e-mail messages to Hotmail accounts, directing recipients to Web sites on computers operated by a company called Isolate Networks, which was run by Dan Ivans in Chardon, Ohio. Ivans, 21, advertised what in the industry is called a bulletproof hosting service, a business that operates Web sites that are advertised through spam.

Microsoft filed a suit in June 2003 naming 20 "John Doe" spammers, which allowed it to obtain subpoenas for information about Ivans' business clients. Microsoft lawyers were also able to question Ivans, who is not a defendant in the suit, under oath.

With that information, Microsoft was able to amend the suit earlier this month to name seven people and two companies it said actually sent the spam.

"The real key is trying to figure out how to connect the virtual world" with "someone you can hold responsible for this," McBride said. Once you have the link, he said, "you can use all the tools of a normal investigation."