Spam Nation is cybersecurity journalist Brian Krebbs’ journey into the darker parts of the web. While most of us think of email spam as primarily a nuisance, Krebbs lays out all the ways that it’s a much bigger problem than we generally think it is. Before we start, you should know the word botnet. It is a network of infected home computers all around the world. The owners of those computers don’t even that their computers are infected. This way, even if the authorities manage to track down the origin of a piece of spam, they’ll only find some unwitting person.

Why is spam bad?

To quote Krebbs: “[…] spam is the primary vehicle for most cybercrime. Most people associate spam with junk email, which is something they don’t feel they need to care about, but the term also encompasses malicious email, including missives that bundle malicious software and disguise it as a legitimate-looking attachment, as well as phishing attacks designed to steal your banking credentials and other account information.”

So clearly, it’s not just junk email. And the worst part about it is that it’s pretty much impossible to recognize which pieces are just junk email and which ones are malicious attacks. Unless, of course, you know what you’re doing. And even then, tracking the attack is hard. A number of people have started doing spam for a living. It’s like any software project; you create a product and if there’s no one already who has ordered it, you put it up for sale where people who need it know how to look for it. And then people pay you to license it. All without ever technically breaking any laws anywhere. That’s for the people actually using your software to do.

Who’s making it?

Krebbs’ investigation was primarily focused on two Russian spam farmer companies, Rx-Promotion and GlavMed, and the people behind them. These involve the people who coordinate the botnet owners, the customers who provide the messages, and often also the payment providers. Legitimate banks and payment providers like PayPal don’t process payments for companies known to be involved in criminal enterprises. So often the people who use spam as advertising need payment processing from less reputable sources. And at least in the cases Krebbs talks about, the payment providers and the spam providers are very closely aligned.

The connections

For me, the biggest takeaway from this book is just how much we are all connected in the age of the internet. One of the things that makes spam so profitable worldwide is the US health care system. Yup, you read that right. Especially in the first decade of this millennium, the majority of the spam email going around in the world advertised cheap prescription drugs. Most of those drugs came from pharmacies that didn’t require prescriptions. At a fraction of the price that US pharmacies demand from people without insurance. And most of those drugs are exactly what it says on the tin. It’s usually pretty good for the people buying and selling. Too bad everyone else has to lose.

The American health care system is so very fucked up making it very profitable to spam in the service of illegal pharmacies. The fact that those illegal pharmacies pay so much makes it make more sense to maintain botnets which in turn means that it’s easier to send other kinds of spam as well. After all, you have that botnet just sitting there, making you money, and it could make you even more money, so might as well, right? Before I read this I never thought that the US healthcare system might affect me directly. I’m worried for my friends. But that’s not quite as direct. But here we are. Everything is connected.