One of the more interesting bits of information which came to light as a result of the State of Virginia's trial and subsequent conviction against mega-spammer Jeremy James was just how much Jaynes was earning before the nice folks at the Virginia DA's office put an end to it.

Are you ready?

The answer is…

...somewhere between $400,000 and $750.00.

Per month.

That's right…as much as $750,000, and no less than $400,000, each and every month during the height of his spamming career.

This amount was paid collectively by somewhere between 10,000 and 17,000 individuals each month - the ones who replied to the 10million pieces of email which he sent out each day, advertising stock advice, computer software, and Federal Express refund processing work.

In order to maintain this frenetic financial pace, Jaynes ran 16 high speed Internet connections from his non-descript home in Raleigh, North Carolina.  He would use these to blast out the 10million pieces of spam a day, and then he would sit back and wait for the orders to role in.  And, amazingly, role in they did.

Explained Virginia Assistant Attorney General Russell McGuire: "When you're marketing to the world, there are enough idiots out there."

Fortunately, with Jaynes' conviction, there is one fewer at large in the world tonight.

As the authentication wars heat up, with Microsoft's Sender I.D. back in the ring and busting out all over at the Federal Trade Commission's email authentication summit, Earthlink has announced that it is taking Yahoo's Domain Keys out for a spin.

Unlike the other two leading contenders in the email authentication space, Sender I.D. and SPF, both of which focus on the publication of records by the sending email server containing declarations as to the sender's identity, Yahoo's offering works by including in the body of the email a special encrypted key - a digitally encoded signature - which, simply put, matches a key retained on the sending server.

While Domain Keys solves some problems which Sender I.D. and SPF don't (and vice versa), its primary barrier to entry as been that it is somewhat more complicated than the other two, requiring additional steps and resources on the part of ISPs who wish to adopt the technology.

As well as Earthlink's testing of Domain Keys, Gmail is already using it.  In addition, to a greater or lesser degree, all major ISPs have pledged to support all extant authentication schemes.

Google has this week indicated that they will be offering Gmail users POP access to their Gmail accounts.  What this means is that Gmail users will be able to download their email from the Gmail server on to their local computer, and using their email client of choice, such as Outlook or Eudora.

Of course, doing this negates some of the features which make Gmail so interesting:  the ability to use the Google search engine to search your email, the 1meg of storage, and, perhaps most importantly for our purposes, the ability to report spam with the click of a button. 

Moreover, how does this affect their spam reporting algorithms, and their ability to subsequently take action against those who spam the Gmail network?  One of the great advantages of having thousands, if not millions, of users all reporting the same spam to the same place is, as AOL and Cloudmark have demonstrated, that suddenly "I'll know it when I see it" becomes a whole lot more valid.  But with users downloading their email, instead of reading it on the server, suddenly spammers will find the spam they send to Gmail being downloaded, instead of reported.  The potential for them to get their spam in front of the eyes of Gmail users may well leap exponentially.

It will be interesting to see if the spam load in user's inboxes increases as people start POPing their Gmail.  And it bears watching.

The newest version of the MyDoom virus stll misappropriates its victim's computer, and downloads a malicious program to it which scrapes email addresses from the computer, and then spews spam to those addresses — but it does it all without the telltale email attachment which we have come to associate with email viruses.

Far more insidiously, this version of MyDoom simply needs the victim to click on a link contained in the email, and then, exploiting one of the more recently discovered Internet Explorer security holes, the payload program is downloaded from a remote site, triggered by the click on the linke.

The email containing the virus-bidding link is making the rounds in various forms, at least one of which appears to be an email from PayPal, and which tells the user "

Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

To see details please click this link.

As always, the best  defense is to keep your virus-checker up-to-date, and be very very sure of the integrity of the sender of an email and/or the originating site before downloading a file, opening an attachment, or, now, clicking on a link.

Declan McCullagh, who is covering this week's Email Authentication Summit sponsored by the FTC, has a piece in today's CNET News in which he asks the question "Should Microsoft own anti-spam?"

It's a good question, and the article shows, as predicted, that having failed to gain widespread acceptance for its Sender I.D. scheme by the people who actually have to implement any email authentication scheme, having only partially succeeded in attempting to undermine the ever-spreading adoption of the competing SPF scheme by borging it,  and having completely alienated the open source communities including Apache and Debian, Microsoft has taken it to the FTC Summit where they are pitching hard to have Sender I.D. nonetheless declared a, if not the, authentication standard.

And, when you get right down to it, it really doesn't matter if the people who actually know about these things - like the IT people, and the lawyers - voice strong concerns or even rejection of Sender I.D. because of those concerns - like how its licensing scheme and pending patents make it incompatible with life as we know it on the Internet.  If, as has always been their strong suit, Microsoft can convince the corporate decision-makers and the legislatures to see things their way, it's quite likely that Sender I.D. will become a, if not the, standard.   This, of course, would be quite a coupe for Microsoft.

The question which remains is whether or not it would be good for the rest of the Internet community.

An Australian court has sentenced a Sydney man to five years (and three months) in prison for perpetuating a Nigerian 419 scam.  

Astonishing as it may seem, Nick Marinellis bilked his victims out of $3.8 million dollars through the scam.

The Australian State Crime Command's Inspector Jennifer Thommeny explained that "There's a lot of gullible people out there that are very vulnerable and they think that this is the pot at the end of the rainbow."

And it was, but for Marinellis, not them.  At least until he was caught.

He'll be eligible for parole in 2008.

Despite the amount of time that they have now been around, challenge/response systems — anti-spam programs which quarantine rather than deliver the email you send to your intended recipient unless you are either listed on their whitelist, or answer a challenge email (hence the name) — still seem to cause more problems than they solve.

Leading challenge/response implementation system Mailblocks, despite being one of the major players in the space, still finds that its challenge emails end up in the spam folder at such places as Earthlink and AOL.  This of course means that the sender never sees the challenge, and so never responds, and their email is never delivered.

This is especially ironic given that Mailblocks was actually purchased by AOL in August. 

Said an AOL spokesman, "We had to relist the IP addresses that Mailblocks is using to send challenges."

As reported here last week, Google's Gmail service suffered a serious security hole which allowed anyone who knew a Gmail user's username, and the magic code, to access the user's entire Gmail account.

Said Google spokesperson Nathan Tyler, "Google was recently alerted to a potential security vulnerability affecting the Gmail service. We have since fixed this vulnerability, and all current and future Gmail users are protected"

According to Google only a handful of Gmail accounts were compromised.

The Hormel company, makers of the potted meat product known as 'Spam', and, indeed, inventors of the word "spam" decades before Al Gore even invented the Internet, let alone email, has decided that enough is enough, and that it's time to reclaim their brand.

Their offensive includes a series of advertisements in the United Kingdom, home to those wacky people who actually consider Spam food.

But some of their actions have been far more serious, including suing those who have used their trademark without permission.

While the giant food company has typically looked the other way at those using the word in all lowercase ("spam"), they have been much touchier about exact replicas of the product name ("Spam" and "SPAM").  Last year, in fact, Hormel sued SpamArrest for trademark infringement.  SpamArrest's CEO, Brian Cartmell, for his part declared that "Hormel is acting like a corporate cry baby."

The problem is, of course, that you can only be so lenient, and then you lose your trademark, so if Hormel hopes to retain their trademark, and revive their market, they need to take action.  Which is exactly what they are doing.

Microsoft has been lauded here on these pages for their diligent pursuit of spammers through the legal system. And with good cause, as they are taking down spammers left and right.

So it is with some irony that this week several sources are reporting that Microsoft's Steve Balmer is spamming people who are not customers, have never been customers, and are not ever going to be customers.  Including an active anti-spam activist who says that he never gave Microsoft the email address at which they are now spamming him. 

And it is with even more irony that MSNBC is reporting on it.  According to the report:

The letter was one of a series sent by Microsoft to the technology community as part of a worldwide campaign by Microsoft to combat the growing popularity of the Linux operating system and other open-sourcesoftware.

According to the report the email, which purportedly comes directly from Steven Ballmer, says in part "I'm writing to you and other business decision makers and information technology professionals today to share some of the data around these key issues, and to provide examples of customers who opted to go with the Windows platform rather than Linux."

Of course, as also reported here, Microsoft is known for being rabidly anti-open-source. 

Microsoft's response?  That "Ballmer's e-mail did not violate federal anti-spam regulations."

Not only is that not the right answer, but according to the reports there are legal experts who disagree, especially because in order to unsubscribe from the mailings you have to jump through more hoops than anticipated by the requirements of CAN-SPAM.

Noted legal expert David Sorkin called the email "a clear violation of CAN-SPAM".

For their part, Microsoft spokesman Sean Sundwall said the company "never, ever" uses outside lists for its mailings, and then went on to say that he didn't know how the anti-spammer's unoffered email address ended up on their mailing list.

"He said that database includes millions of names collected from a variety of sources, including registrations for products or Microsoft-sponsored conferences, names provided to Microsoft representatives at trade shows or requests to receive company newsletters."

Odd…he didn't mention any of them actually asking to be placed on a Microsoft mailing list. 

I wonder why.

The Federal Trade Commission will be hosting its Email Authentication Summit next week, on November 9th, and 10th.

While this summit is likely to be less explosive than was the FTC's spam summit, emotions are still running high over the jockeying for position between SPF and Microsoft's resurrected Sender I.D., and you can be sure that they will both be there,  personified, and waving their hand in the air and saying "pick me!  Pick me!".

While it is likely too late to sign up to speak, anyone interested in attending, or just wanting more information, can find what they need at the FTC website.

The Virginia spam trial of brother and sister Jeremy Jaynes, and Jessica Degroot has resulted in felony convictions for Jaynes and Degroot.  A third defendant, Richard Rutkowski, was aquitted.

Under the jury verdict, Jaynes will serve nine years in prison, and Degroot will pay a $7,500 fine.

But don't break out the champagne just yet, as the judge is considering a motion by the defense to set aside the verdict.  He had previously indicated that he has had reservations about the case.

I am reprinting below part of the text of a new spam making the rounds.  The spam purports to come from an "official antispam corporation" which controls all of the spam databases, and tells you that if you don't "click on the link below" to be removed from all of the spam databases,  you will not have the right to complain about spam(!).

Of course, this is a scam, designed to get you to confirm your email address (and who knows, ultimately, what else).  But it's entirely conceivable that people will be taken in by this, especially with the possibility of a "Do Not Email" database being in the news recently.

At least one version of the email has the subject line "(Username), Official N0tification", and starts out by saying:

We are an official antispam corporation and we aim to end spam by year 2005.

Your e-mail address has been determined to be included in several spam mailings. Even if you register a new e-mail address, it will shortly be overwhelmed with unsolicited mail.
We now maintain and control those junk mail databases and we are kindly asking you to remove your e-mail address from those databases by clicking the link below.

If you do not remove your e-mail address, you will NOT have the right to complain about spam in the future and your e-mail address will be treated as voluntarily participating in marketing mailings, also known as junk mail or spam."

Now you know.  Don't fall for it!

The Washington Post is reporting on the phenomena of pop-up video spam on Instant Messenger.  Only it isn't spam (or "spim", as instant messenger spam is now known) as we traditionally think of it, because in fact AOL sold the advertising space to the advertiser.

The pop-up in question is an anti Kerry/Edwards ad.  When you start Instant Messenger, an icon appears at the top of your buddy list, and when you click on it, it pops up the video (hence the name "pop-up video").

Ok, so far it's definitely not like spam, because you have to click on the icon.

But according to the report, the 30-second video relaunches itself every time you restart Instant Messenger.

And that, by most definitions, is spam…not to mention annoying.

Dear Readers,

Best wishes to you all for a happy Halloween!

And remember to make sure that all of your virus definitions and security measures are fully up-to-date.  This is traditionally a night for making mischief, and the Internet is no exception. 

When a mischief-maker comes a'knocking on your computer's door tonight, be sure that your computer security works a treat, so that there will be no unpleasant trick for you.

Happy Halloween!