A lot of people will assume that everything I did was because of the money. The truth is hacking and spamming was my greatest passion in life. The money was just a bonus and a measurement of my success. The battles I fought with Yahoo and Microsoft’s security teams were some of the most fun and greatest moments of my life. Now, I might have given the impression that you can just create automated software, load some data, type a command, and become a successful spammer. It may have been like that in the very beginning, but if you thought Microsoft and Yahoo were going to just sit around and continue to allow me to have my way, you’re wrong.
The entire contact mail operation was a cat and mouse game. Microsoft and Yahoo would implement a security feature and I would figure out a way to beat it. For years, I was using the basic webmail protocol to log in and fetch the user’s address book; to mail, I would use good old port 25, better known as SMTP. The first security feature they implemented was CAPTCHA. CAPTCHA could be solved with OCR, or optical character recognition, software. There were brilliant programmers out there that created and rented software that could actually read the distorted characters with a 60%+ success rate. There were also services out there to solve CAPTCHAs for you at a rate of $2 per 1,000 CAPTCHAs. I didn’t like either of these options.
Reverse engineering is probably one of my greatest strengths. It can be traced all the way back to my first operation on MySpace in 2007. I simply ask myself questions like: “How does this work?” or “How can I make this computer believe that I’m a human user?” In this case, the question was how I could trick Hotmail into not showing me that CAPTCHA. The answer was literally in my hand: it was my phone. The developers overlooked implementing CAPTCHA on their mobile website. It was as simple as changing hotmail.com to m.hotmail.com. This would allow me to completely bypass CAPTCHA.
It wasn’t long before Microsoft caught on and realized the mistake they had made. Within a few months they implemented CAPTCHA on their mobile website and even started locking the accounts. Now here’s the thing: I only needed to log in to the Hotmail website to pull the list of contacts in the address book. With Microsoft getting smarter, it was time to look at other options. I don’t remember exactly what sparked the idea, but there were a handful of websites that would allow you to import your address book and invite your friends to the website. These special websites were whitelisted and wouldn’t require a CAPTCHA. In fact, they would use the website’s IP address to log in to your account. There were several websites like this, but the one I remember most is MySpace.
After months of battling with Microsoft and Yahoo, they finally implemented SMS verification. SMS verification was implemented by locking you out of your account until you added a cell phone number. If there was a suspicious attempt to login to your account, they would send a code to your phone and you would have to enter it to log in to your account. This would prevent guys like me from logging into your account unauthorized, or so they thought.
Like I said, it was a game of cat and mouse. Mobile applications were on the rise and these email providers didn’t miss the opportunity to join the game. Hotmail and Yahoo alike created their own email applications for Android and iPhone. This was new territory for the both of us. The thing about technology is it’s always ahead of security.
When I downloaded the apps, I found that you could log in to any account without any kind of security. These mobile applications used entirely different servers and had zero security implemented. In other words, they were wide open. I mean there wasn’t even the standard rate limit on requests from an IP address. This was a game changer and allowed me to continue my operation for quite some time. Not only did it prolong my contact mail operation, it also opened my eyes to reverse engineering other applications in the future.
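The recurring weakness in the story above is that every control (CAPTCHA, account locking, SMS step-up, per-IP rate limits) was bolted onto one entry point at a time, so the mobile site, the partner import feature and the mobile API each became a fresh, unprotected door to the same accounts. The defensive fix is a single login gate that every channel must pass through, where the decision is driven by the behaviour of the source (attempt volume, number of distinct accounts) and never by which front end received the request. The following is an added illustration written for this page, not code from Hotmail, Yahoo, MySpace or any real product; the channel names, thresholds, IP addresses and the sample attempt log are all constructed assumptions.

```python
"""Channel-agnostic login gate: the same rate limit and step-up logic for
web, mobile web, mobile API and partner address-book import.

Illustrative code added to this page; everything below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed thresholds (assumptions for the example, not real product values)
WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_IP = 5   # more attempts than this per window -> block
MAX_ACCOUNTS_PER_IP = 3   # more distinct accounts than this per window -> step-up


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # seconds since epoch (constructed)
    source_ip: str     # client IP as seen by the edge, or the partner's IP
    account: str       # account the caller is trying to open
    channel: str       # "web", "mobile_web", "mobile_api", "partner_import"


class LoginGate:
    """Keeps a sliding window of recent attempts per source IP.

    The channel is recorded for logging only; it is deliberately NOT an input
    to the decision, so no front end can be the 'easy' one."""

    def __init__(self) -> None:
        self._recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def decide(self, a: LoginAttempt) -> str:
        window = self._recent[a.source_ip]
        # Evict attempts that have aged out of the sliding window.
        while window and a.ts - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        window.append((a.ts, a.account))

        if len(window) > MAX_ATTEMPTS_PER_IP:
            return "block"              # plain volume limit, any channel
        distinct_accounts = {acct for _, acct in window}
        if len(distinct_accounts) > MAX_ACCOUNTS_PER_IP:
            return "step_up"            # one IP, many accounts: require CAPTCHA/SMS
        return "allow"


def replay(attempts: List[LoginAttempt]) -> List[Tuple[str, str]]:
    """Run a fresh gate over an attempt log; returns (channel, decision) pairs."""
    gate = LoginGate()
    return [(a.channel, gate.decide(a)) for a in attempts]


# Constructed sample log: one source IP walking through several accounts via
# the mobile API, plus a normal user from a different IP.
SAMPLE_LOG = [
    LoginAttempt(0.0, "198.51.100.7", "alice", "web"),
    LoginAttempt(5.0, "198.51.100.7", "bob", "mobile_api"),
    LoginAttempt(10.0, "198.51.100.7", "carol", "mobile_api"),
    LoginAttempt(15.0, "198.51.100.7", "dave", "mobile_api"),   # 4th account -> step_up
    LoginAttempt(20.0, "198.51.100.7", "erin", "mobile_api"),   # still over account limit
    LoginAttempt(25.0, "198.51.100.7", "frank", "mobile_api"),  # 6th attempt -> block
    LoginAttempt(40.0, "203.0.113.9", "alice", "web"),          # unrelated IP -> allow
    LoginAttempt(90.0, "198.51.100.7", "grace", "mobile_web"),  # window expired -> allow
]


def same_decisions_regardless_of_channel(channel_a: str, channel_b: str) -> bool:
    """True if an identical attempt pattern gets identical decisions on two channels."""
    base = [LoginAttempt(a.ts, a.source_ip, a.account, channel_a) for a in SAMPLE_LOG]
    alt = [LoginAttempt(a.ts, a.source_ip, a.account, channel_b) for a in SAMPLE_LOG]
    return [d for _, d in replay(base)] == [d for _, d in replay(alt)]


if __name__ == "__main__":
    for channel, decision in replay(SAMPLE_LOG):
        print(f"{channel:15} {decision}")
```

In a real deployment the gate would sit in the shared authentication service behind every front end, including the whitelisted partner integrations, which should authenticate to the provider with their own credentials and be subject to their own per-partner budgets rather than being exempt from checks; the point of the example is only that the decision depends on observed behaviour, never on which endpoint happened to be called.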