Dodging filters makes for effective spamming

Spam is still 80 – 90% of global email volume, depending on which study you look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of the rest in the bulk folder. But as the volumes of spam have grown, ISPs and filters are relying more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for manual review to be cost effective.
In some ways, though, automatic filters are easier to avoid than manual ones. Take a spam that I received at multiple addresses today. It’s an advertisement for lists to “meet my marketing needs.” I started out looking at this mail to walk readers through all of the reasons I distrusted it. But some testing, the same sort of testing I do for client mails, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.

  • More than one email address of mine received the mail, including the contact address on this website. They’re clearly harvesting addresses.
  • The mail was from <sam.miller@eml-dbs.com> but signed Lynn Fox.
  • When I go to the eml-dbs.com website, I see a cookie cutter site with no real contact information (except for the address jerry.miller@eml-dbs.com).
  • The website offers “Wed Design.”
  • When I start looking at the sending IP address I find it is related to Directi.com, a company that doesn’t have a great track record when it comes to spam.
  • When I start looking at whois records, I find a maze of twisty little websites (a2zdbase.com, unitedesolutions.com, all mostly alike, all selling similar services).
  • The mail violates CAN SPAM by not having a physical address.
  • The mail is collecting opt-out requests using a gmail mailbox.
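As an added illustration (not part of the original post), the manual evidence above can be expressed as a checklist run over a parsed message; the sample message, the freemail domain list and the crude street-address pattern are constructed assumptions, not data from the real mail.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the mail described above (not the real message).
SAMPLE = """From: Sam Miller <sam.miller@example-lists.invalid>
To: info@example.invalid
Cc: contact@example.invalid
Subject: Lists to meet your marketing needs

We can supply targeted lists for your next campaign.
To opt out, reply to optout.example@gmail.com.

Regards,
Lynn Fox
"""

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed list
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Crude US-style street address: "123 Main Street", "500 Elm Ave", ...
STREET_RE = re.compile(r"\b\d{1,5}\s+\w+(?:\s\w+)*\s(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Suite)\b", re.I)


def manual_checks(raw, my_addresses):
    """Return the red flags a human reviewer would note, in a fixed order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Signature: the last non-empty line of the body.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    signature = lines[-1] if lines else ""
    if name and signature and signature.lower() != name.lower():
        flags.append("from-name/signature mismatch")
    # Opt-out or contact mailbox at a freemail provider rather than the sender's own domain.
    for mailbox in EMAIL_RE.findall(body):
        if mailbox.rsplit("@", 1)[-1].lower() in FREEMAIL - {sender_domain}:
            flags.append("opt-out via freemail mailbox")
            break
    if not STREET_RE.search(body):
        flags.append("no physical postal address")
    # Delivery to several of my own addresses suggests a harvested list.
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if len(rcpts & {m.lower() for m in my_addresses}) > 1:
        flags.append("sent to multiple harvested addresses")
    return flags
```

A real filter would weight these flags alongside the ISP-side signals (trap hits, complaints, bounce rates) described further down rather than treat any one of them as decisive.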

This is a scratch-the-surface investigation I did looking at the mail in my own mailbox. I am convinced these folks are spammers and their mail is not opt-in and that any large ISP could safely block mail from them.
Determining that this kind of mail is spam is even easier at ISPs or filtering companies. They have so much more data than I have. They can look at the number of non-existent addresses attempted, the number of traps hit, the number of complaints, and all sorts of other data. Then I discover that the mail is coming out of IP addresses related to Directi, who have a spotty history at best with hosting spammers.
For any person charged with making blocking decisions at a business domain, this information would be more than enough to manually block the IP address. Once that IP is blocked, it’s unlikely to ever get unblocked.
But most small businesses have outsourced their mail to companies like Google and Microsoft and these companies work by algorithm not by manual investigation. This means spammers like Sam-Lynn get away with obvious spam without suffering too much in the way of delivery failures. The IP address that sent this mail has a great reputation with Senderscore. The IP isn’t listed on Spamhaus’ list. The IP has a good reputation for sending mail at Senderbase.
Spammers have put a lot of energy into modifying their spamming to avoid automated blocks. They clean lists using services that remove all dead addresses. They attempt to clean off spamtraps using a variety of techniques. They remove complainers at the major ISPs. Right now these techniques are effective and are letting spam directly into the inbox.
I don’t expect this type of spam will always get inbox delivery, but it does for now. But filters will catch up and filters will compensate. And then the spammers will spend a lot of time trying to dodge those filters and get back to the inbox. It’s an escalating process and all our inboxes suffer for it.

Related Posts

The death of IP based reputation

Back in the dark ages of email delivery the only thing that really mattered to get your email into the inbox was having a good IP reputation. If your IP sent good mail most of the time, then that mail got into the inbox and all was well with the world. All that mattered was that good IP reputation. Even better for the people who wanted to game the system and get their spam into the inbox, there were many ways to get around IP reputation.
Every time the ISPs and spam filtering companies would work out a way to block spam using IP addresses, spammers would figure out a way around the problem. ISPs started blocking IPs, so spammers moved to open relays. Filters started blocking open relays, so spammers moved to open proxies. Filters started blocking mail from open proxies, so spammers created botnets. Filters started blocking botnets, so spammers started stealing IP reputation by compromising ESP and ISP user accounts. Filters were constantly playing catch-up with the next new method of getting a good IP reputation while still sending spam.
While spammers were adapting and subverting IP based filtering, a number of other things were happening. Many smart people in the email space were looking at improving authentication technology. SPF was the beginning, but problems with SPF led to DomainKeys and DKIM. Now we’re even seeing protocols (DMARC) layered on top of DKIM. Additionally, the price of data storage and processing got cheaper and data mining software got better.
The improvement in processing power, data mining and data storage made it actually feasible for ISPs and filtering companies to analyze content at standard email delivery speeds. Since all IPv4 addresses are now allocated, most companies are planning for mail services to migrate to IPv6. There are too many IPv6 addresses to rely on IP reputation for delivery decisions.
What this means is that in the modern email filtering system, IPs are only a portion of the information filters look at when making delivery decisions. Now, filters look at the overall content of the email, including images and URLs. Many filters are even following URLs to confirm the landing pages aren’t hosting malicious software or content that has been blocked before. Some filters are looking at DNS entries like nameservers and seeing if those nameservers are associated with bad mail. That’s even before we get to the user feedback, in the form of “this is spam” or “this is not spam” clicks, which now seem to affect content, domain and IP reputation alike.
I don’t expect IP reputation to become a complete non-issue. I think it’s still valuable data for ISPs and filters to evaluate as part of the delivery decision process. That being said, IP reputation is so much less a guiding factor in good email delivery than it was 3 or 4 years ago. Just having an IP with a great reputation is not sufficient for inbox delivery. You have to have a good IP reputation and good content and good URLs.
Anyone who wants good email delivery should consider their IP reputation, but only as one piece of the delivery strategy. Focusing on a great IP reputation will not guarantee good inbox delivery. Look at the whole program, not just a small part of it.

More information on arrests

Terry Zink has a more detailed post on some of the spammer arrests and takedowns that have happened recently.
In addition to the events I mentioned yesterday, authorities arrested an Armenian man suspected of running the Bredolab botnet. Unfortunately, the arrest has not stopped the spam with the malware payload.
These are issues that many ISP abuse and postmaster desks deal with on a daily basis. Their filtering schemes and policies are in place to protect customers from the mob and from criminals. I don’t think enough marketers and senders understand exactly how much the ISPs are dealing with and why many ISPs don’t really care that “mail is taking 12 hours to get to the inbox.” They are dealing with much more important things.

Turn it all the way up to 11

I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day to day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employers’ servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam, virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up working with law enforcement to deal with criminals. Some of what they deal with is unspeakable: abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.
