Attacking the sources of spam
September 5, 2008
When a new spam attack occurs, the nation's cyberdetectives call Gary Warner.
The University of Alabama at Birmingham (UAB) computer forensics researcher, who spends much of his time collecting and analyzing thousands of bogus e-mail messages, is in demand these days. He gets calls from overseas investigators, he speaks at conferences and he's working with federal law-enforcement officials to track down the root of the recent spam attacks pretending to be from CNN and MSNBC.
His goal is not to filter spam better, but to actually catch the criminals sending it.
"Spam is not a technical problem. We've been acting like it's a technical problem. It's a societal problem," Warner said. "Why aren't there more bank robbers? Because if you rob a bank, you go to jail. Why are there so many cybercriminals? Because they don't get caught and go to jail."
Warner doesn't like to talk about specific investigations — he said he doesn't want the bad guys to know who's tracking them — but he's part of the Birmingham FBI's cybercrimes task force and has worked on cases from around the world.
He said he was the first to identify the CNN scam last month. It sent out fake news alerts that directed recipients to infected Web sites. Last year, he helped conclude that some messages sent in support of presidential candidate Ron Paul were the work of a spammer.
"He's an impressive individual, obviously," said John Giordano, who manages security for a unit of SunGard, a software provider for banks, and is president of InfraGard, a group of cybersecurity professionals Warner also works with. "He's well known in the information-security arena nationally and internationally and does quite a lot with law enforcement."
Warner's database, the UAB Spam Data Mine, has collected more than 5 million spam messages. He also does extensive work on viruses, the malicious software called malware, and phishing, in which e-mailers try to trick people into handing over secure information. And he tracks other illegal activity on the Web, but says he's focusing on bogus e-mail in part because it's the root of so much identity theft.
Other researchers also collect and archive dangerous e-mail; the Federal Trade Commission has a huge computer, nicknamed "the spam fridge," that stores spam.
But Warner's system is different. The UAB Spam Data Mine breaks down each e-mail it gets into separate parts in the database, so messages are stored by date, by topic, by which Internet provider they came from, and so on. That makes it easy to search messages and provide evidence — and puts Warner in demand.
Warner said he recently received a request from a foreign law-enforcement agency that had a list of domain names involved in a big case and needed Warner's research team to check them out. Team members were able to find thousands of copies of e-mails, he said.
To get the e-mails, Warner uses the criminals' own methods. Many spammers generate random addresses for every real domain name in the hope of getting one right. For example, if your address is email@example.com, spammers may also try firstname.lastname@example.org or email@example.com. Wrong addresses kick back to the sender, so the spammers know when they've hit a live person.
Warner contacts the domain owners and asks them to reroute any incorrectly addressed e-mails to him. He even opens the false e-mails and clicks on the links to convince the spammer there's a potential sucker there.
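To make the two ideas above concrete (a data mine that stores each message by date, topic and originating provider, and spam-trap addresses that exist only because a spammer guessed them), here is a small Python model of that ingest step. It is an added illustration, not code from the UAB Spam Data Mine or from the article; the sample messages, the provider table keyed on RFC 5737 documentation networks, the trap domain `example.org` and its list of real mailboxes, and the function names `ingest`, `originating_ip`, `is_trap_hit` and `summarize` are all constructed for the example.

```python
"""Toy spam "data mine" ingest: split a message into searchable fields and flag trap hits."""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed mapping of sender networks to a provider label. These are RFC 5737
# documentation ranges, not real allocations; a real system would use whois/ASN data.
PROVIDER_BY_NETWORK = {
    ipaddress.ip_network("198.51.100.0/24"): "ProviderA (constructed)",
    ipaddress.ip_network("203.0.113.0/24"): "ProviderB (constructed)",
}

# Domain whose misaddressed mail is rerouted to the trap, and the mailboxes on it
# that actually belong to people (constructed values).
TRAP_DOMAIN = "example.org"
REAL_MAILBOXES = {"postmaster@example.org", "alice@example.org"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages. The last Received header is the earliest hop.
SAMPLE_MESSAGES = [
    "Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbox.example.org; Tue, 2 Sep 2008 10:03:22 +0000\n"
    "Received: from unknown (HELO bot) ([198.51.100.7]) by mx.example.org; Tue, 2 Sep 2008 10:03:20 +0000\n"
    "From: alerts@news-alert.invalid\nTo: firstname.lastname@example.org\n"
    "Subject: Breaking News Alert\nDate: Tue, 2 Sep 2008 10:03:19 +0000\n\n"
    "Read the full story at http://news-alert.invalid/story\n",
    "Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbox.example.org; Wed, 3 Sep 2008 08:11:02 +0000\n"
    "Received: from unknown (HELO mail) ([203.0.113.45]) by mx.example.org; Wed, 3 Sep 2008 08:11:00 +0000\n"
    "From: billing@statements.invalid\nTo: alice@example.org\n"
    "Subject: Your account statement\nDate: Wed, 3 Sep 2008 08:10:58 +0000\n\n"
    "Your statement is attached.\n",
    "Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbox.example.org; Wed, 3 Sep 2008 09:40:41 +0000\n"
    "Received: from unknown (HELO bot) ([198.51.100.9]) by mx.example.org; Wed, 3 Sep 2008 09:40:39 +0000\n"
    "From: alerts@news-alert.invalid\nTo: bogus123@example.org\n"
    "Subject: Breaking News Alert\nDate: Wed, 3 Sep 2008 09:40:37 +0000\n\n"
    "Read the full story at http://news-alert.invalid/story\n",
]


def originating_ip(msg):
    """IP of the earliest hop: the bottom-most Received header, which our own MX wrote."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(received[-1])
    return match.group(1) if match else None


def provider_for(ip):
    """Look the origin IP up in the (constructed) provider table."""
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    for net, name in PROVIDER_BY_NETWORK.items():
        if addr in net:
            return name
    return "unknown"


def is_trap_hit(recipient):
    """True when the mail was addressed to a mailbox on the trap domain that never existed."""
    _, _, domain = recipient.rpartition("@")
    return domain.lower() == TRAP_DOMAIN and recipient.lower() not in REAL_MAILBOXES


def ingest(raw):
    """Break one raw message into the separate fields the database is searched by."""
    msg = message_from_string(raw)
    recipient = parseaddr(msg.get("To", ""))[1]
    ip = originating_ip(msg)
    sent = parsedate_to_datetime(msg["Date"]).date().isoformat() if msg["Date"] else None
    return {
        "date": sent,
        "topic": (msg.get("Subject") or "").strip(),
        "origin_ip": ip,
        "provider": provider_for(ip),
        "recipient": recipient,
        "trap_hit": is_trap_hit(recipient),
    }


def summarize(records):
    """Pivot the stored records by provider and by topic, as an investigator's query would."""
    return {
        "by_provider": Counter(r["provider"] for r in records),
        "by_topic": Counter(r["topic"] for r in records),
    }


if __name__ == "__main__":
    rows = [ingest(m) for m in SAMPLE_MESSAGES]
    for row in rows:
        print(row)
    print(summarize(rows))
```

The parsing keys on the bottom-most Received header because that is the one the receiving mail exchanger wrote itself; every header above it came from the sender and can be forged. In the samples, two of the three messages are trap hits (addressed to mailboxes that never existed), which is exactly the property that makes such addresses useful as a sensor.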
"We've ended up with hundreds of e-mail addresses that have been advertised to the spam community as good ones to send spam to," Warner said. "While they may not be statistically representative — and we're doing some experiments to judge that — what we say [is] if there's any new kind of spam with any regularity, we're going to get it."
Warner also wants to show the public how big a problem spam and its attachments can be. Because Internet service providers, e-mail programs and companies all provide filters, most of us see only about 10 percent of the spam that comes to us, he said. In reality, about 94 percent of all e-mail sent is spam, malicious or not, Warner said.
"We've insulated people from the problem so they believe it's not a problem," he said. "But the truth is it was the No. 1 crime last year. Identity theft had more victims than any other crime in the United States."
As an instructor at UAB, Warner teaches classes for both the computer-science and the justice-sciences departments, hoping to help breed a new generation of criminal investigators.
"We say that we're training digital detectives for the 21st century," Warner said.
Warner is often referred to in vaunted terms by people he helps.
"Frequently people have called me a computer guru," he said. "And I say guru is an Indian word that means 'he who reads the manual.' "