Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email artist currently flagged by anti-spam activists as one of the world’s Top 10 Worst Spammers, was reportedly raided by the FBI in connection with a federal spam investigation.
According to a June 9 story at ABC News, on April 27, 2016 the FBI raided the San Diego home of Persaud, who reportedly has been under federal investigation since at least 2013. The story noted that on June 6, 2016, the FBI asked for and was granted a warrant to search Persaud’s iCloud account, which investigators believe contained “evidence of illegal spamming’ and wire fraud to further [Persaud’s] spamming activities.”
Persaud doesn’t appear to have been charged with a crime in connection with this investigation. He maintains his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States which prohibits the sending of spam that spoofs that sender’s address or does not give recipients an easy way to opt out of receiving future such emails from that sender.
The affidavit that investigators with the FBI used to get a warrant for Persaud’s iCloud account is sealed, but a copy of it was obtained by KrebsOnSecurity. It shows that during the April 2016 FBI search of his home, Persaud told agents that he currently conducts internet marketing from his residence by sending a million emails in under 15 minutes from various domains and Internet addresses.
The affidavit indicates the FBI was very interested in the email address michaelp77x@gmail.com. In my 2014 piece Still Spamming After All These Years, I called attention to this address as the one tied to Persaud’s Facebook account — and to 5,000 or so domains he was advertising in spam. The story was about how the junk email Persaud acknowledged sending was being relayed through broad swaths of Internet address space that had been hijacked from hosting firms and other companies.
FBI Special Agent Timothy J. Wilkins wrote that investigators also subpoenaed and got access to that michaelp77x@gmail.com account, and found emails between Persaud and at least four affiliate programs that hire spammers to send junk email campaigns.
A spam affiliate program is a type of business or online retailer — such as an Internet pharmacy — that pays a third party (known as affiliates or spammers) a percentage of any sales that they generate for the program (for a much deeper dive on how affiliate programs work, check out Spam Nation).
When I wrote about Persaud back in 2014, I noted that his spam generally advertised the types of businesses you might expect to see pimped in junk email: payday loans, debt consolidation services, and various “nutraceutical” products.
Persaud did not respond to requests for comment. But in an email he sent to KrebsOnSecurity in November 2014, he said:
“I can tell you that my company deals with many different ISPs both in the US and overseas and I have seen a few instances where smaller ones will sell space that ends up being hijacked,” Persaud wrote in an email exchange with KrebsOnSecurity. “When purchasing IP space you assume it’s the ISP’s to sell and don’t really think that they are doing anything illegal to obtain it. If we find out IP space has been hijacked we will refuse to use it and demand a refund. As for this email address being listed with domain registrations, it is done so with accordance with the CAN-SPAM guidelines so that recipients may contact us to opt-out of any advertisements they receive.”
Persaud is currently listed as #10 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers.
Good article. I noticed that the new Flash player Updates are out there. Saw them 3:20PDT. The Adobe Distribution Page page will be decommissioned on Jun 30th
The new version of AIR has also now been released.
So much talent wasted on quick gains from crime. Oh, we can debate my use of the word “crime”, but any time you have hide what you are doing you know it’s wrong.
Brian, I wish you would also out the affiliate programs this person was working for. They should know that any large stream of new customers is suspect and should be checked for the source. When most of the traffic does not have a valid referrer, it’s most likely from a large spam mailing.
I don’t get much spam these days due to extensive IP range blocking bolstered by custom hand filtering. But if spam does get through the gauntlet, I report it. And if it’s affiliate spam, I click on the links and get the URL for the target site. Then I add the URL to the spam report so the affiliate company is included. Sure, it’s a little bit of work, but it sure does work to keep the amount of spam down (For all of us, I hope.).
Chris:
You mentioned that you “… obtain the URL (of the spam site) and report it…”
Who do you report these spam sites to? I see this as a positive activity and would do the same if I knew who to report them to.
Thanks!
There may be other ways to do this, but I forward every piece of spam or phishing e-mail received to the following at a minimum, with complete email header information:
spam@uce.gov
phishing-report@uscert.gov
reportphishing@apwg.org
If the true originator (or real “reply-to”) address is from a source which maintains a viable address for reporting such e-mail (most financial institutions and major e-mail client providers like gmail or outlook), I’ll include that in the forwarding list as well.
Should have clarified that if it’s a financial institution or other site which is being spoofed, I forward it to their reporting site, e.g. abuse@imf.org, spoof@paypal.com, or stop-spoofing@amazon.com. If the real reply-to address points toward an e-mail provider, I forward it to them to block that user’s account, e.g. abuse@gmail.com, abuse@outlook.com, etc.
I report spam to spamcop.net
Chris,
By your reply it sounds like you think that an “Affiliate program” is where a legit company is offering a commission for new customers, which spammers take advantage of by getting links in front of millions of people at a time. In the context of spam the affiliate programs are actual spam clearinghouses, they knly ever deal with spammers. Also, the companies behind the spam are rarely legit in any shape or form, often taking advantage of illegal banking methods and illegal import/export methods as a standard.
As Brian mentioned, Spam Nation is a great read if you are interested in these things.
that’s a broad brush to paint all affiliate programs with, you know that Amazon.com is a large affiliate program, right?
Certainly some purposely deal with spammers, but most do not.
We can now predict that nothing will happen for a couple years. Like Alan Ralsky, will he take that as an indication that he can continue questionable activities and become even more careless, until the Feds come to collect more than his computers?
My term for much internet “crime”: It’s “illegal-legal”. I’ve seen internet “crime” thrown around for years—more than a decade. It’s not criminal/illegal in my opinion or the opinion of these spammers when their spamming has been outed years ago yet allowed to continue spamming for years—many of the World’s 10 Worst Spammers listed by Spamhaus have been outed for many years.
“We can now predict that nothing will happen for a couple years. Like Alan Ralsky,…”
A couple of years???
Forget Ralsky. Consider the case of Sanford Wallace, who has only recently (and finally) been forced to actually answer for any of his prolific misdeeds… after more than a decade of a half.
These absurd delays in actually dealing with the problem of spam are part and parcel of the massive folly that was the YOU-CAN-SPAM Act, a (US) federal law that, due to the lobbying of is main backers, AOL and Microsoft, specifically and explicitly KILLED the much better California state anti-spam law AND which prohibited anybody except ISPs from suing spammers. The results were and are predictable. Individual ISPs, for the most part, have entirely insufficient incentives to actually ever sue spammers AND even on those very rare occasions when a huge one does, they virtually never bother with actually trying to collect on the judgements they win. (And the spammers all knos this, of course.)
The YOU-CAN-SPAM law was deliberately sabatoged, by AOL and Microsoft in particular, to eliminate the “private right of action” which would have allowed individual spam recipients to sue spammers. One can easily imagine all sorts of reasons why AOL and Microsoft might have wanted to do this, but in the end, I believe that these mega corporations were just plain elitist, and they felt that the power to sue based on internet misdeeds should be exclusively reserved to themselves, and no one else. Your democracy at work. (See also “Dred Scott” for yet another illustrious example of second class citizenship within these United States, fully approved, under law.)
Is that it ?? That must have been the shortest story i have ever read in here .Lame very Lame Brian
Congrats for your part for removing this sad thorn in the email world’s side. I’ll bet Mr Persaud is not smiling anymore like the picture you have in the article. I am trying to think of an appropriate punishment for this guy. Maybe spending his days chopping up old CDs for recyling? He should be banned from ever using the internet/email again.
Example, for his punishment: Filing reported spams, within controls, at spam@uce.gov, phishing-report@uscert.gov, etc, under the watchful eye of an electronic Spamhaus, etc monitoring device—he may have access to much incoming spam.
brain, you only do the security stuff because of the buzz you get from it… the thrill…. i looked it up before and i saw something about security professionals getting dopamine d2 and they need to be in power and got to do with security…. i also sent you your website and the doctor analyzed your personality and made an official diagnose of you of Asbergers. you have Asbergers brain.
Asperger’s? Shown to be a factor in manifestations of brilliance, Psych’s have shown, especially in males a link to the gonads in all who exercise power, it’s in the nature of the reproduction instinct, very primal driver of evolution. All a natural process & Asperger’s is another variant.
Asperger’s: Do a Google search “aspergers famous people” OMG Einstein, Gates– yeah him!, Tesla, well who the hell knew ? Anyone else with a low comprehension & sour grapes mentality want to attack the leading Journalist on IT security?
Am I the only one or does Persaud look like he could be the next Neal Caffrey of the FBI?
lol i remember this guy from bulkerforum.
it’s crazy how some of the old people i know are still active, while the smart oldschool blackhat’s have taken the quick $ to startup legit biz’s.
mike will be back in the game in a few months. the money is too easy.
Society does not want to stop the email abuse problem. If they did, it will not exist.
Ask Bill Gates (Who said in public almost ten years ago that he will solve the spam problem – which is a very very easy problem to solve – but multi nationals and others like reading your emails 🙂 SPAM is a great excuse to read all email…)
Writing articles about the FBI arresting one of the top 10 spammers on the planet (of which 7 are USA spammers) is cool, but wastes bits.
I also report public email spam (http://spamid.net/?spam=definitions) to SpamCop.net and list bulk to my ascams.com node.
“Writing articles about the FBI arresting one of the top 10 spammers on the planet…”
To be clear, nobody has been arrested here… certainly not Persaud. The story is that the FBI visited him and may perhaps have taken some of his hard drives and/or copies thereof, and/or they perhaps have obtained copies of some of his e-mail traffic (which, under current law, may or may not have even required them to get a warrant.. they could have obtained the e-mails with just an NSL and no warrant at all).
At this point, unless Brian has some more specific information (which he is ready to spill the beans on) it isn’t even clear that Persaud is even a “target” of whatever FBI investigation is currently ongoing. He might perhaps not even be THE target himself. We just don’t know.
Brian,
As you mentioned, Persaud was found to have been using what amounts to STOLEN (hijacked) IP address space to spam from. That was all the way back in November, 2014. As you publically documented at the time, the address space in question was actually hijacked (and then leased to Persuad) by a crooked fly-by-night Bulgarian company calling itself “MEGA-SPRED”, and numerous officials of RIPE (the European IP address allocation authority) were made abundantly aware of this unambiguously crooked operation at that time, i.e. Nov. 2014. (The records indicate that MEGA-SPRED *never* had any actual IP address space to call its own, and existed only and exclusively to fradulently hijack IP blocks that belonged to other parties.)
Fast forward now to June, 2016 and guess what… nobody at RIPE ever saw fit to even cancel the registration for MEGA-SPREADs RIPE-registered Autonomous System Number (ASN) AS201640. The RIPE registration for that is still alive and well and valid, and MEGA-SPRED is *still* a member in good standing of the so-called “RIPE community”. Note that this is true *even though* everybody at RIPE has known everything there is to know about these crooks for more than a year and a half AND also even though every contact e-mail address for the ASN registration in question has been totally dead, defunct, non-functional, and undeliverable for more than a year and a half. (See below.)
This is a perfect illustration of RIPE’s “see no evil, hear no evil, speak no evil” mentality.
RIPE and RIPE NCC, at the behest of a small handful of hard-right reactionary “libertarians” among their membership, strives at every turn not to know, and not even to ask too many questions about anything, and declines to react even when ample proof of things up to and including rank criminality come to their attention. In short, RIPE is the Mossack Fonseca of the Internet. As long as the proper fees are paid, their blind eye can be counted on by every criminal from the Isle of Man to Cyprus to Moscow.
The FBI may currently be investigating Persaud, but in the grand scheme of things he is only a small-fry. Unfortunately, RIPE is protected by powerful friends, and thus will never be investigated by anybody for its role in innumerable fradulent activities on the Internet, of which Persaud is, in the end, only a modest example. (I can assure you that vastly worse stuff than spamming is happening on the Internet every day, significant chunks of which are effectively condoned by RIPEs wanton and deliberate and self-imposed blindness.)
Below is the current, valid, and active RIPE registration record for AS201640 (MEGA-SPRED):
aut-num: AS201640
as-name: MEGA-SPRED
remarks: ——–> For abuse abuse@grimhosting.com <-|
remarks: —————————–
org: ORG-MSL23-RIPE
import: from AS200002 accept ANY
export: to AS200002 announce AS201640
sponsoring-org: ORG-NL38-RIPE
admin-c: BS8186-RIPE
tech-c: BS8186-RIPE
status: ASSIGNED
mnt-by: RIPE-NCC-END-MNT
mnt-by: TR3948-MNT
mnt-routes: TR3948-MNT
created: 2014-08-27T11:30:34Z
last-modified: 2016-04-14T08:45:32Z
source: RIPE
organisation: ORG-MSL23-RIPE
org-name: MEGA – SPRED LTD
org-type: OTHER
address: Bogomil Simeonov
address: Bulgaria, Sofia
e-mail: admin@grimhosting.com
abuse-c: AR24037-RIPE
abuse-mailbox: abuse@grimhosting.com
mnt-ref: TR3948-MNT
mnt-by: TR3948-MNT
created: 2014-08-22T16:06:53Z
last-modified: 2014-11-17T16:34:22Z
source: RIPE
person: Bogomil Simeonov
address: Bulgaria, Sofia
phone: +359 876 766 016
e-mail: admin@grimhosting.com
abuse-mailbox: abuse@grimhosting.com
nic-hdl: BS8186-RIPE
mnt-by: TR3948-MNT
created: 2014-09-06T17:25:07Z
last-modified: 2014-09-06T17:25:45Z
source: RIPE
By the way, here is Mr. MEGA-SPRED himself. According to his social media pages, these days he works as checker at a place called “Supermarket LIFE” (translated from the Russian). But he still maintains an interest in e-mail marketing, a evidenced by his LinkedIn profile…
https://twitter.com/simeonovbogomil
https://www.facebook.com/people/Bogomil-Simeonov/100009160038786
https://bg.linkedin.com/in/bogomil-simeonov-354754104
https://plus.google.com/112454929946410830878/posts
http://www.warriorforum.com/members/bogomil-simeonov.html
Security, security, security. Its all everyone ever talks about now. All because there are some nasty people out there going out of their way trying to ruin people companies and lives. I could rant about this all day so I will leave it there but you guys know what I mean.