Bill Waggoner, a longtime email marketer who the Las Vegas Review Journal called a “spam king” in 2003, recently found himself in an ironic situation: He became so inundated with robocalls that he was forced to change his phone number.
“I'm hitting ‘Do Not Call,’ ‘Do Not Call,’ ‘Do Not Call,’ ‘Do Not Call,’ and they still call every single day,” said Waggoner, who PC World once dubbed the “Viceroy of Viagra,” and who insisted on a striking number of occasions during our conversation that he sends emails only to people who voluntarily enter their email addresses into, in his words, “thousands of web sites all over the internet.”
“It's like dude, come on,” Waggoner said of the robocalls. “It's ridiculous."
For a while, spam — unsolicited bulk messages sent for commercial or fraudulent purposes — seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender’s identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that “two years from now, spam will be solved.” In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech savvy law enforcement efforts were shutting down major spam operators — including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world’s spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.
“I am harassed by a faceless entity that I cannot track down.”
But it’s 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too — TechCrunch writer Jordan Crook wrote in April about how she idly downloaded an app called Gather that promptly spammed everyone in her contact list. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven’t helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls. “There is no recourse for me,” lamented Troy Doliner, a student in Boston who gets robocalls every day. “I am harassed by a faceless entity that I cannot track down.”
“I think we had a really unique set of circumstances that created this temporary window where spam was in remission,” said Finn Brunton, an assistant professor at NYU who wrote Spam: A Shadow History of the Internet, “and now we’re on the other side of that, with no end in sight.”
The first generation of spam was mostly advertising, but this new incarnation is largely driven by the higher payoffs in crime, according to 10 experts in telephony and digital security who spoke to The Outline. “Even if everyone in the entire population of the world were going bald and had erectile dysfunction simultaneously, there’s still more money in account takeover and identity theft,” said Adam Levin, the founder of security firm CyberScout and the author of Swiped, a 2015 book about identity theft.
We talked to an infamous spammer on our daily podcast, The Outline World Dispatch. Subscribe on Apple Podcasts or wherever you listen.
Robocalls are perhaps the most ubiquitous symptom of the new spam paradigm. In 2015, the Federal Trade Commission received 3.5 million complaints about unwanted telemarketing calls; Last year, it racked up 5.3 million. YouMail, a robocall blocker, estimated there were 29 billion robocalls placed to Americans in 2016. Robocalls can come from political groups, who are exempt from the Do Not Call registry in the United States, from sellers of dubious goods like home security systems that ignore the Do Not Call registry, or from scammers who claim to represent resort sweepstakes, credit card financing, and tech support groups in a bid to steal credit card information.
The first generation of spam was mostly advertising, but this new incarnation is largely driven by the higher payoffs in crime.
The mechanisms by which those calls reach your phone can be circuitous. Will Maxson, an assistant director of the FTC’s Division of Marketing Practices, described a complex system in which telemarketers, sometimes based in the United States, contract with robocall farms that are often based overseas and can be large operations or a single person with a computer. Those robocallers use auto dialers and internet telephony software to place large numbers of calls, often spoofing the number of origin to appear as though it were coming from a local area code. If a lead seems promising, sometimes the robocall farms will even transfer the call to a specialist back in the United States to seal the deal.
“You have a wide variety of clients for this,” Maxson said. “Some will be for outright frauds that are pitching you for something that doesn’t exist, but they could also be making calls on behalf of real products.”
The FTC has shut down a number of robocall scams. This summer it imposed steep fines on a group that offered bogus credit card refinancing, and earlier this year it forced two large operations to pay substantial fines and agree to stop robocalling. And in a raid last year, Indian authorities shut down a Mumbai scam operation that was reportedly netting nearly $150,000 per day by pretending to be the Internal Revenue Service.
Representatives from those busted organizations failed to reply to messages seeking comment. But an individual who posted on a blackhat hacker forum that he could sell a database of tens of millions of US phone numbers, complete with associated email and postal addresses, told me that though he himself is annoyed by robocalls, he does what he needs to in order to earn a living. He obtains phone numbers from data sellers and lead generation sites that offer users free stuff in exchange for giving up their contact information, he said, and insisted that though he’s been slapped with fines in the past, he now complies with laws governing the sale of phone numbers.
“I mean I see it as a tool to help marketers find the right person,” said that man, who identified himself as Brian Masin during a Skype chat interview.
Masin, who said he’s based in the DC metro area and made as much as $160,000 per year in the internet marketing business, though not all from selling phone numbers, also mused that “if you buy homesec[u]rity online then you deserve” to get “duped.”
In addition to the FTC, a number of app developers and people like telecom consultant Roger Anderson, who created a posse of phone bots designed to waste robocallers’ time by pretending to be human, have all taken up the fight — but today, the calls still persist.
The second coming of spam isn’t just robocalls, of course. It’s rampant on Twitter, for example, where vast botnets boost follower counts for money and push political propaganda. It crops up on Tinder and OkCupid, where bots with voluptuous profile pictures stumble through flirty banter — “I am totally a sex addict" — and inevitably send links to websites that demand credit card numbers. Ashley Madison, a hookup site for extramarital affairs that gained notoriety when its user data was stolen in 2015, harbored millions of “sexbot” accounts intended to sucker users into paying for premium membership.
The volume of spam email has leveled off overall, and Google says it can detect 99.9 percent of spam and phishing attempts in Gmail. But what email spam is left has become more sophisticated and criminal. According to a Symantec report, spam emails are more likely than ever to contain ransomware, which locks up a target’s computer until they pay up, usually in a cryptocurrency like bitcoin. Customized, legitimate-looking emails crafted specially to pilfer the financial information of specific individuals or companies, commonly known as “spear phishing,” are also on the rise. “As people share every morsel of their lives online, it makes more information available to people who exploit it,” Levin said. “They prey on the fact that we all have day jobs. We’re busy, and we’re distracted.”
The future of spam is uncertain. Platforms are constantly working to beat it back, but experts we spoke to agreed that for the time being, anti-spam efforts are likely to remain a cat-and-mouse game as disingenuous marketers find new mediums to exploit — especially in the face of rampant data collection and sharing by entities as small as a single hacker scraping email addresses and as large as Facebook and Google.
“The bulk of our lives online could be spammy.”
In the long term, Brunton, the NYU professor, imagines two potential futures for spam. In the first, advanced machine learning would become so adept at filtering out messages that aren’t worth our attention that the economic models of spam would collapse entirely. And the opposite of that spamless utopia would be a future in which a public that doesn’t see its attention as valuable could allow spam to gradually become normalized and omnipresent — an internet of bleating, personalized come-ons like the holograms in Minority Report.
“The bulk of our lives online could be spammy,” Brunton said. “Our whole experience could be monetized. We could just get used — forgive my language — to really shitty content all the time.”
It’s enough to make you long for a time when spam was simpler. Waggoner, the spam king, has never shied away from his critics — once he showed up to an FTC forum on spam dressed in black, like a character in The Matrix, with small dark glasses that he took off dramatically as he answered questions and occasionally sparred with a heckling audience.
Waggoner sees today’s robocallers and social media spammers as unprincipled; he insists, for example, that he’s never sold data to other marketers.
“Lazy,” he said. “No skill. It isn't like the good days, like when my career started off.”
Correction: An earlier version of this story referred to Jordan Crook by the wrong gender pronoun.
