By Mark Ward
Technology Correspondent, BBC News website
An investigation into a seemingly routine series of spam messages has revealed how sophisticated the business of online crime has become.
The junk mail was touting all kinds of drugs
The story begins with the junk mail messages themselves that were sent during April and May of 2006.
Outwardly, said Patrick Peterson, chief technology officer of security firm Ironport who led the investigation, the messages hawking pharmaceuticals looked like the billions of other junk mail messages swilling around the net.
The only initial point of interest about them was that they were appearing in bigger numbers than most spam runs.
Every day for 14 days the spammers behind the junk mail campaign pumped out more than 100m messages.
The spam got more interesting when Mr Peterson and his colleagues took a closer look. Many of the junk messages had, hidden within them, text from JRR Tolkien's classic work The Hobbit.
This text was included, said Mr Peterson, in an attempt to convince spam filters that the messages were genuine and not junk. Many spam messages use excerpts from novels or other works in this way.
Analysis of the junk mail revealed that there were more than 2,000 variations in the content of the messages making up the spam run. Over the course of the weeks when the spam was being sent a new variant of message was despatched every 12 minutes.
The sheer scale of the spamming operation became clearer when Mr Peterson started tracking where the spam was being sent from.
Analysis of the net addresses where the e-mail messages originated showed that more than 100,000 hijacked home computers spread across 119 nations had been used to despatch the junk mail.
To try to beat anti-spam techniques that look up the net address from which spam originates to see if it that location has a reputation as a spammer, many of the machines used to send the mail had been recently hijacked. Analysis showed that many had only been taken over in the last 30 days, said Mr Peterson.
"We ran the sources of this and found out a massive distribution of countries," Mr Peterson told the BBC News website, "it's very much centred in Europe."
This widespread, sophisticated infrastructure involved more than 1500 web domains that acted as the web shops for the drugs advertised in the junk messages.
Many of the domains were hosted by firms that advertise themselves as providing "bullet proof" hosting that will resist attempts to shut down the sites - no matter what information is on the website.
Behind the scenes was a sophisticated network of computers that handled the traffic generated when people clicked on links in messages and directed them to the right site.
Anyone clicking on the links in the junk mail messages would get re-directed to one of the 1500 domains - each one of which was made to look like a real organisation.
"They were trying to make it look as legitimate as possible," he said.
If you have an e-mail account, you probably get spam
On some of the fake pharmacies, said Mr Peterson, the spammers had gone to the trouble of creating fake biographies for the supposed founders of the online shop. When an Ironport employee went to check the supposed real world location of one shop they found a vacant lot.
Using a one-time use credit card, Mr Peterson bought some pharmaceuticals from one of the web shops and was amazed when a package arrived in the post.
"When we have done this in the past it's been clear that they just want to rip people off," he said. Before now most spammers have been happy to take credit card details and cash and do nothing to fulfil orders.
Instead, with this spam network, the orders were fulfilled by a pharmaceutical firm in India. The drugs received have now been sent for testing to see just what they contain.
"The complexity is what's amazing to see," said Mr Peterson.
IronPort was planning to continue its investigation, he said, to see if it will be possible to determine just who is behind the net-spanning spam operation. Information has also been passed to the FBI to help its investigation into a US-based hosting firm that has been implicated in a lot of spam and scam campaigns.