Some Indians are balking at a law that, in an attempt to fight spam, limits… (Kainaz Amaria, Bloomberg )
NEW DELHI — A few years ago, Ankur Suri saw a friend beaten up by fellow classmates after he emailed pornography to female friends — or rather, his computer had.
In desperation, the friend went to authorities, who declined to investigate because they didn't really understand the problem of how his computer had been infected by malicious spam.
"I'd rather go to Google or Facebook than deal with the Indian law," said Suri, 25.
India recently notched a dubious distinction, beating the U.S. to become the leading spewer of spam email, according to the British Internet security firm Sophos Ltd. Nearly 10% of such emails is now sent from Indian computers, up from 7% in 2010, and many of the spammers don't even realize they're doing it.
"This is one record India doesn't want so much," said Sanjay Katkar, chief technology officer with Quick Heal, a security firm.
India is virgin territory for spam spewers as the country's burgeoning economy, improved broadband and rapidly expanding middle class add an estimated 7 million computer users a month, many inexperienced and using pirated software or old operating systems.
These Indians aren't just potential victims. As a certain percentage of newbies click on questionable email attachments or links to dodgy websites, Internet criminals next door or thousands of miles away take remote control of their systems, turning their machines into what Sophos calls "spam-spewing zombies" and what geeks call a "bot," short for Web robot.
Ruchika Shishodia, 29, a public relations employee who lives in Gurgaon, outside New Delhi, said she sometimes uses pirated software and often notices her system slowing to a crawl for no obvious reason. She isn't particularly worried that it might have morphed into a bot, but is irked by a deluge of junk mail, especially those offering penis enlargement services or touting dubious financial offers.
"Only a moron would fall for most of these," she said. "If I fell for anything, I'd probably go for the 'Make money while sitting at home' pitches."
Ankit Fadia, a "legal hacker" who tests corporate and government networks for weaknesses on a contract basis, estimates that half of the India-generated spam is created in the country by willing spammers, with the rest originating elsewhere and routed through Indian bots. Tracking it back through a string of zombies in various nations is difficult.
"While the spam originates from a location in India, it's very difficult to find where the actual fingers on the keyboard are," said Shantanu Ghosh, Symantec's managing director in India.
A host of companies in India handles "digital marketing" for local and foreign clients, using unsolicited emails to target website and cellphone users. At Brainpulse Technologies' bare-bones offices outside Delhi, dozens of twentysomethings at cheap wooden desks in dented cubicles design Web pages and mass marketing campaigns for foreign clients. A company selling point: Our unsolicited bulk mail campaigns are well crafted, allowing them to sneak past most email filters.
"If the emails reach your inbox, it's email marketing; if not, it ends up in your spam folder," said Vishwajeet Bhattcharya, the company's senior business development manager. "I don't know spammers. We work legally."
Although most spam these days comes from zombie computers in Asia and Latin America, its preferred targets are users in the U.S. and Europe, where incomes are relatively high and credit card use widespread.
Once an Indian computer is corrupted, it may be linked with hundreds, even thousands, of bots in what is known as a "botnet," controlled by a "bot herder." Botnets can be exploited directly. Alternately, they can be leased or sold to scammers who use the zombie computers to spew junk mail, which includes relatively benign ads for fake designer bags and Rolex watches, hoaxes, financial scams and identity theft and "phishing" emails that solicit bank or credit card details.
The cost of leasing a network of 100 bots capable of generating 500 to 1,000 emails per minute is about $2,000 a month. Buying a few hundred might cost $1 apiece, the Moscow-based Internet security firm Kaspersky Lab said, noting that a botnet with 100,000 zombie computers sold a few years ago for $36,000.
Although malicious emails account for only 4% to 5% of spam, their numbers are growing exponentially because they're so profitable.
"Spam is becoming increasingly malicious," said Graham Cluley, Sophos' senior technology consultant. "They recognize that the best way to monetize isn't necessarily by offering fake Viagra or false degrees."