Former spam king Pitylak now trying to earn firms’ trust as anti-spam consultant

Just days after settling one suit with Microsoft, and with another suit by the Texas attorney general still pending against him, former spam king Ryan Pitylak is now offering his services to the anti-spam community.

The recent University of Texas graduate says that after years of bombarding millions of internet users with mortgage-related spam, he’s seen the light and wants to help cork the flow of spam. He announced Friday that he is now beginning his efforts in earnest as the president of his newly formed consultancy, Pitylak Security.

"My decision to move into the anti-spam community and start a consulting company to help fight spam was a decision that I came across when I found out there was some interest in my skill set," Pitylak said. "I was looking for an outlet to help out the anti-spam community and based on that interest I decided to move forward with setting up this anti-spam consulting company."

Pitylak is best known for the spamming that helped fuel his extravagant lifestyle as a student in Austin. Once rated as the fourth most prolific spammer in the world by SpamHaus, he made his money by generating leads through unsolicited mail and selling them to mortgage companies across the U.S. At the height of his operations he made enough to buy a large house in one of Austin’s toniest neighborhoods - and a brand-new Jaguar to park out front. All this was his as he studied economics and philosophy at the university nearby, where most of his peers were living off of ramen noodles and dorm food.

His spam activities eventually caught up with him last year when Texas Attorney General Greg Abbott filed a suit against him for violating the CAN-SPAM Act. Just a day after that, Pitylak was hit with another lawsuit, this one from Microsoft, for sending spam over Microsoft networks. At the time, the company provided more than 20,000 example emails as evidence against him.

According to Tom Kelley, spokesperson for Abbott’s office, Pitylak sent millions of his unsolicited emails from addresses that made them look like they were coming from legitimate mortgage brokers and lenders. He had gone as far as filing paperwork for dozens of shell companies in California, Nevada and Texas to keep the enterprise running. The spoofed emails and fraudulent network of companies were enough ammunition for the attorney general to file suit.

Pitylak said that the proceedings with Microsoft and Texas were enough to begin a slow realization that he was on the wrong side of the spam battle.

"After I got sued, I really started to look at the impact that spam had on the public," he said. "I learned that spam really does create a big burden on the public. It really made me sit back and think about what business I was in and I really thought to myself that this wasn’t something that I wanted to be a part of anymore and that I actually would like to figure out some way to make things right and become a part of the anti-spam community."

But some of those already established in the security industry question the genuineness of Pitylak’s transformation into an anti-spam crusader.

"It sounds like he has some bills to pay and he’s trying to capitalize on his past criminal activities for that," said Dmitri Alperovitch, a research engineer with the anti-spam and email security firm CipherTrust.

There may be some truth to this: Pitylak admitted that he will have to sell his house and his car to pay off his lawsuit settlements. Though Microsoft declined to name the exact figure for which Pitylak agreed to settle the suit last week, Aaron Kornblum, Microsoft’s internet safety enforcement attorney, gave a hint of the scope of the damages the company sought.

"I can’t get into too many of the details, [but] the dollar amount was generated by statutory damages available under the CAN-SPAM law and Washington state anti-spam law," Kornblum said. "For example, the Washington state law permits $1,000 per illegal e-mail and we had evidence of tens of millions of e-mails coming across our systems."

And there will likely be more punitive damages in Pitylak’s future as his lawyer begins to wrap up negotiations with the state of Texas in federal court this month.

In the meantime, Pitylak hopes to shift focus from his old life as a spam desperado to his new one as an anti-spam consultant. He says that he has already begun working with a large ISP - one that requires him to work under a non-disclosure agreement - to improve its anti-spam efforts.

Those at other security firms, however, wondered why any business would work with someone who once engaged in the very activities they are trying to protect against.

"The interesting thing about the security field is that more than selling any kind of product or service, you are marketing trust," said Phyllis Schneck, vice president of research integration at CipherTrust. "It is risky at best to invite the criminal element into that fold. If you bring someone in who already has the mental capability to defraud millions, even if they say they are on the good side now, that doesn’t make any sense given that there are hundreds of outfits [out there] to protect people who have built years and years of trust."

In addition to the trust issues associated with working with a former spam peddler, such a partnership also raises the issue of whether it is prudent to reward notoriety from illicit activities once the perpetrator has decided to move to the "good" side of the battle.

"Society needs to be careful not to send a message to internet criminals that legitimate rewards can be made on the back of their unsavory activities," said Graham Cluley, senior technology consultant for Sophos. "Firm action is required by the authorities to make it crystal clear to spammers that their activities are unacceptable."

Pitylak said that those who are against him have the right to feel that way, but he hopes he can earn the trust of businesses through the usefulness of the knowledge he has to provide.

"That’s some people’s perspective," he said. "I understand that people would have some issues regarding trust and it is a judgment call for people who meet me to make, but my goal is hoping people believe the intentions that I have and take the information that I can provide to help."

But some in the security sector wonder if that knowledge is even as significant as he claims. Some security technologists warned businesses that it doesn’t take the same technical know-how to send spam that it does to protect against it.

"The skills are quite different," Alperovitch said. "Just because you can download your own program and write up your own text and set up a website doesn’t mean you have the ability and the knowledge to do textual analysis to build reputation systems and the necessary tools to stop these messages."

Pitylak said that time will tell whether that is true or not. He said that he is already making inroads in the short time that he’s been operating.

"I understand that some people might be skeptical about the value I may be able to bring, but I really have been able to bring value and it has been exciting for me that I’ve been able to do that," Pitylak said. "I’m already working with a major ISP to help their spam problem [and] I’ve already started to make an impact on their operation and the strategy they’re taking."
