Dodging filters makes for effective spamming

Spam is still 80–90% of global email volume, depending on which study you look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of the rest in the bulk folder. But as the volume of spam has grown, ISPs and filters rely more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for manual review to be cost effective.
In some ways, though, automatic filters are easier to evade than manual ones. Take a spam I received at multiple addresses today: an advertisement for lists to “meet my marketing needs.” I started out looking at this mail intending to walk readers through all of the reasons I distrusted it. But some testing, the same sort of testing I do for client mail, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.
[Screenshot: the list-selling spam]

  • More than one email address of mine received the mail, including the contact address on this website. They’re clearly harvesting addresses.
  • The mail was from <sam.miller@eml-dbs.com> but signed Lynn Fox.
  • When I go to the eml-dbs.com website, I see a cookie cutter site with no real contact information (except for the address jerry.miller@eml-dbs.com).
  • The website offers “Wed Design.”
  • When I look at the sending IP address, I find it is related to Directi.com, a company that doesn’t have a great track record when it comes to spam.
  • When I look at whois records, I find a maze of twisty little websites (a2zdbase.com, unitedesolutions.com, all mostly alike, all selling similar services).
  • The mail violates CAN-SPAM by not including a physical postal address.
  • The mail collects opt-out requests through a Gmail mailbox.
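Several of the red flags in that list can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed sample message (placeholder names, addresses and IPs, nothing real) and flags a From name that differs from the sign-off name, an opt-out mailbox hosted at a freemail domain, and the absence of any postal address. A second constructed message that behaves like a legitimate newsletter produces no flags, which is the point of a triage heuristic rather than a blanket rule.

```python
"""Heuristic triage of a marketing email against a few of the post's red flags.

Added example, not from the original post. Both sample messages below are
constructed; the domains, names and IP addresses are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Opt-out handled at a freemail mailbox instead of the sender's own domain
# is one of the post's red flags (constructed list of freemail domains).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Rough US-style street address or ZIP code. CAN-SPAM requires a physical
# postal address in commercial mail, so finding neither is a flag.
STREET_RE = re.compile(
    r"\b\d{1,5} [A-Za-z .]+ (?:Street|St|Avenue|Ave|Road|Rd|Suite|Blvd)\b")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
OPTOUT_RE = re.compile(r"opt.?out|unsubscribe|remove", re.I)
NAME_RE = re.compile(r"[A-Z][a-z]+(?: [A-Z][a-z]+)+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample modelled on the post's description of the spam.
SPAM_SAMPLE = """\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
    by mx.recipient.invalid with ESMTP id abc123
From: Sam Miller <sam.miller@example.invalid>
To: laura@recipient.invalid
Subject: Lists to meet your marketing needs
Content-Type: text/plain; charset=us-ascii

Hi,

We can provide targeted lists to meet your marketing needs.
Web Design and Email Appending also available.

To opt out, reply to optout.lists@gmail.com.

Regards,
Lynn Fox
"""

# Constructed sample of a newsletter that does the basics right.
CLEAN_SAMPLE = """\
Received: from mta.shop.example (mta.shop.example [198.51.100.7])
    by mx.recipient.invalid with ESMTP id def456
From: Shop Example <news@shop.example>
To: laura@recipient.invalid
Subject: Your monthly newsletter
Content-Type: text/plain; charset=us-ascii

Hello,

Here is this month's newsletter.

Unsubscribe: unsubscribe@shop.example
Shop Example, 123 Main Street, Suite 4, Springfield, ZZ 00000

Thanks,
Shop Example
"""


def sign_off_name(body):
    """Return the last non-empty body line if it looks like a personal name."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and NAME_RE.fullmatch(lines[-1]):
        return lines[-1]
    return None


def triage(raw):
    """Return the sender address, the handing-off IP and a sorted list of flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    display_name, from_addr = parseaddr(msg["From"])
    flags = set()

    # From display name and the signature disagree (Sam Miller vs. Lynn Fox).
    signer = sign_off_name(body)
    if signer and display_name and signer.lower() != display_name.lower():
        flags.add("from_name_mismatch")

    # Opt-out instructions that point at a freemail mailbox.
    for line in body.splitlines():
        if OPTOUT_RE.search(line):
            for addr in EMAIL_RE.findall(line):
                if addr.rsplit("@", 1)[1].lower() in FREEMAIL_DOMAINS:
                    flags.add("optout_via_freemail")

    # No physical postal address anywhere in the body.
    if not STREET_RE.search(body) and not ZIP_RE.search(body):
        flags.add("no_postal_address")

    # The IP in the topmost Received header is what a DNSBL or reputation
    # lookup would be keyed on.
    received = msg.get_all("Received") or []
    ip_match = IP_RE.search(str(received[0])) if received else None
    return {
        "from": from_addr,
        "sending_ip": ip_match.group(1) if ip_match else None,
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    print(triage(SPAM_SAMPLE))
    print(triage(CLEAN_SAMPLE))
```

The checks are deliberately crude (the sign-off detection is just "does the last line look like a name") because the post's own investigation was a scratch-the-surface one; the value is in collecting several weak signals about one message rather than in any single regex.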

This is a scratch-the-surface investigation, done by looking at the mail in my own mailbox. I am convinced these folks are spammers, that their mail is not opt-in, and that any large ISP could safely block mail from them.
Determining that this kind of mail is spam is even easier at ISPs or filtering companies. They have far more data than I do. They can look at the number of non-existent addresses attempted, the number of traps hit, the number of complaints, and all sorts of other data. On top of that, the mail is coming out of IP addresses related to Directi, who have a spotty history at best with hosting spammers.
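To make the ISP-side view concrete, here is an added example (not from the original post) that aggregates the three signals just mentioned per sending IP: recipient attempts that bounce as unknown users, deliveries to spamtrap addresses, and feedback-loop complaints. The log lines are constructed in a simple key=value form, not any real MTA's format, and the thresholds are illustrative assumptions rather than any ISP's actual policy.

```python
"""Per-sending-IP reputation from constructed MTA and feedback-loop logs.

Added example, not from the original post. The log format, IPs and
thresholds are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed log: 192.0.2.10 burns through dead addresses, hits a trap and
# draws a complaint; 198.51.100.7 sends to live addresses only.
SAMPLE_LOG = """\
2024-05-01T10:00:01 mx1 event=rcpt ip=192.0.2.10 to=alice@recipient.invalid result=accept
2024-05-01T10:00:02 mx1 event=rcpt ip=192.0.2.10 to=bob1998@recipient.invalid result=reject reason=unknown_user
2024-05-01T10:00:03 mx1 event=rcpt ip=192.0.2.10 to=carol@recipient.invalid result=accept
2024-05-01T10:00:04 mx1 event=rcpt ip=192.0.2.10 to=dave.old@recipient.invalid result=reject reason=unknown_user
2024-05-01T10:00:05 mx1 event=rcpt ip=192.0.2.10 to=retired-trap@recipient.invalid result=accept trap=yes
2024-05-01T10:00:06 mx1 event=rcpt ip=192.0.2.10 to=erin@recipient.invalid result=reject reason=unknown_user
2024-05-01T11:30:00 fbl event=complaint ip=192.0.2.10 to=alice@recipient.invalid
2024-05-01T10:01:00 mx1 event=rcpt ip=198.51.100.7 to=frank@recipient.invalid result=accept
2024-05-01T10:01:01 mx1 event=rcpt ip=198.51.100.7 to=grace@recipient.invalid result=accept
2024-05-01T10:01:02 mx1 event=rcpt ip=198.51.100.7 to=heidi@recipient.invalid result=accept
2024-05-01T10:01:03 mx1 event=rcpt ip=198.51.100.7 to=ivan@recipient.invalid result=reject reason=mailbox_full
2024-05-01T10:01:04 mx1 event=rcpt ip=198.51.100.7 to=judy@recipient.invalid result=accept
"""

# Illustrative thresholds (assumptions, not a real ISP's policy).
MIN_ATTEMPTS = 5            # below this, rates are too noisy to act on
UNKNOWN_USER_RATE_BLOCK = 0.20
COMPLAINT_RATE_BLOCK = 0.01

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log):
    """Yield one dict of key=value fields per log line that names an event and IP."""
    for line in log.splitlines():
        fields = dict(KV_RE.findall(line))
        if "event" in fields and "ip" in fields:
            yield fields


def sender_stats(log):
    """Count attempts, accepts, unknown-user bounces, trap hits and complaints per IP."""
    stats = defaultdict(lambda: {"attempts": 0, "accepted": 0, "unknown_user": 0,
                                 "trap_hits": 0, "complaints": 0})
    for ev in parse_events(log):
        s = stats[ev["ip"]]
        if ev["event"] == "rcpt":
            s["attempts"] += 1
            if ev.get("result") == "accept":
                s["accepted"] += 1
                if ev.get("trap") == "yes":
                    s["trap_hits"] += 1
            elif ev.get("reason") == "unknown_user":
                s["unknown_user"] += 1
        elif ev["event"] == "complaint":
            s["complaints"] += 1
    return dict(stats)


def verdict(s):
    """Return 'block', 'watch' or 'allow' for one sender's counters."""
    if s["trap_hits"] > 0:
        return "block"          # a trap address can only have been harvested
    if s["attempts"] < MIN_ATTEMPTS:
        return "watch"          # not enough traffic to judge a rate yet
    unknown_rate = s["unknown_user"] / s["attempts"]
    complaint_rate = s["complaints"] / s["accepted"] if s["accepted"] else 0.0
    if unknown_rate >= UNKNOWN_USER_RATE_BLOCK or complaint_rate >= COMPLAINT_RATE_BLOCK:
        return "block"
    return "allow"


def score_log(log):
    """Map each sending IP to its counters plus a verdict."""
    return {ip: dict(s, verdict=verdict(s)) for ip, s in sender_stats(log).items()}


if __name__ == "__main__":
    for ip, s in score_log(SAMPLE_LOG).items():
        print(ip, s)
```

A single trap hit is treated as decisive here because a trap address was never handed out, so the only way onto a list is harvesting; the rate-based rules need a minimum volume before they fire, which is also why a low-volume spammer who cleans dead addresses off the list can slip under them.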
For anyone charged with making blocking decisions at a business domain, this information would be more than enough to manually block the IP address. Once that IP is blocked, it’s unlikely ever to be unblocked.
But most small businesses have outsourced their mail to companies like Google and Microsoft, and those companies work by algorithm, not by manual investigation. This means spammers like Sam-Lynn get away with obvious spam without suffering much in the way of delivery failures. The IP address that sent this mail has a great reputation at Senderscore. It isn’t listed on Spamhaus’ lists. It has a good reputation for sending mail at Senderbase.
Spammers have put a lot of energy into modifying their spamming to avoid automated blocks. They clean lists using services that remove all dead addresses. They attempt to clean off spamtraps using a variety of techniques. They remove complainers at the major ISPs. Right now these techniques are effective and are letting spam straight into the inbox.
I don’t expect this type of spam will always get inbox delivery, but it does for now. Filters will catch up and compensate. Then the spammers will spend a lot of time trying to dodge those filters and get back to the inbox. It’s an escalating process, and all our inboxes suffer for it.
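The Spamhaus check in the paragraph above is a DNS lookup, and it is worth seeing exactly what that lookup does, because a clean answer only means "not on this list", not "not spam". The following is an added example, not code from the post or from any blocklist operator: it builds the reversed-octet query name for a DNS-based blocklist and interprets the answer. The zone name dnsbl.example and its contents are constructed so the code runs offline; a real lookup would pass the real zone and leave the default resolver in place.

```python
"""DNSBL lookup with an injectable resolver.

Added example, not from the original post. The zone dnsbl.example and
FAKE_ZONE_DATA are constructed so the lookup can be exercised offline.
"""
import ipaddress
import socket

# Constructed zone contents: only 192.0.2.10 is "listed".
FAKE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",
}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone name."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolver(name):
    """Stand-in for socket.gethostbyname backed by FAKE_ZONE_DATA."""
    try:
        return FAKE_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN for {name}")


def dnsbl_check(ip, zones, resolver=socket.gethostbyname):
    """Return {zone: answer} for every zone in which the IP is listed.

    A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed
    and with NXDOMAIN (socket.gaierror here) when it is not. Answers outside
    127/8 are ignored rather than treated as listings. Some operators also
    reserve particular 127.x answers for query errors; consult the zone's
    own documentation before acting on a specific code.
    """
    listed = {}
    for zone in zones:
        try:
            answer = resolver(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue  # NXDOMAIN: not listed in this zone
        if ipaddress.IPv4Address(answer) in LISTED_RANGE:
            listed[zone] = answer
    return listed


if __name__ == "__main__":
    print(dnsbl_check("192.0.2.10", ["dnsbl.example"], resolver=fake_resolver))
    print(dnsbl_check("198.51.100.7", ["dnsbl.example"], resolver=fake_resolver))
```

Passing the resolver in makes the lookup testable without network access and also makes the failure mode explicit: a resolver outage looks exactly like "not listed", which is one reason a blocklist miss should be one input to a decision rather than the decision itself.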

Related Posts

We're gonna party like it's 1996!

Over on deliverability.com, Dela Quist has a long blog post talking about how changes to Hotmail and Gmail’s priority inbox are a class action suit waiting to happen.
All I can say is that it’s all been tried before. Cyberpromotions v. AOL started the ball rolling when they tried to use the First Amendment to force AOL to accept their unsolicited email. The courts said no.
Time goes on and things change. No one argues Sanford wasn’t spamming; he even admitted as much in his court documents. He was attempting to force AOL to accept his unsolicited commercial email for their users. Dela’s arguments center around solicited mail, though.
Do I really think that minor difference in terminology is going to change things?
No.
First off, “solicited” has a very squishy meaning when looking at any company, particularly large national brands. “We bought a list” and “This person made a purchase from us” are more common than any email marketer wants to admit. Buying, selling and assuming permission are par for the course in the “legitimate” email marketing world. Just because the marketer tells me that I solicited their email does not actually mean I solicited their email.
Secondly, email marketers don’t get to dictate what recipients do and do not want. Do ISPs occasionally make boneheaded filtering decisions? I’d be a fool to say no. But more often than not when an ISP blocks your mail or filters it into the bulk folder they are doing it because the recipients don’t want that mail and don’t care that it’s in the bulk folder. Sorry, much of the incredibly important marketing mail isn’t actually that important to the recipient.
Dela mentions things like bank statements and bills. Does he really think that recipients are too stupid to add the from address to their address books? Or create specific filters so they can get the mail they want? People do this regularly and if they really want mail they have the tools, provided by the ISP, to make the mail they want get to where they want it.
Finally, there is this little law that protects ISPs. 47 USC 230 states:


Botnets and viruses and phishing, oh my!

MessageLabs released their monthly report on email threats yesterday. Many media outlets picked it up and reported that 41% of spam was from the Rustock botnet.
Other highlights from the report include:
