Dodging filters makes for effective spamming
Spam is still 80 – 90% of global email volume, depending on which study look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of rest of it in the bulk folder. But as the volumes of spam have grown, ISPs and filters are relying more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for it to be cost effective to manually review filters.
In some ways, though, automatic filters are easier to avoid than manual filters. Take a spam that I received at multiple addresses today. It’s an advertisement for lists to “meet my marketing needs.” I started out looking at this mail to walk readers through all of the reasons I distrusted this mail. But some testing, the same sorts of testing I do for client mails, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.
- More than one email address of mine received the mail, including the contact address on this website. They’re clearly harvesting addresses.
- The mail was from <email@example.com> but signed Lynn Fox.
- When I go to the eml-dbs.com website, I see a cookie cutter site with no real contact information (except for the address firstname.lastname@example.org).
- The website offers “Wed Design.”
- When I start looking at the sending IP address I find it is related to Directi.com, a company that doesn’t have a great track record when it comes to spam.
- When I start looking at whois records, I find a maze of twisty little websites (a2zdbase.com, unitedesolutions.com, all mostly alike, all selling similar services).
- The mail violates CAN SPAM by not having a physical address.
- The mail is collecting opt-out requests using a gmail mailbox.
This is a scratch-the-surface investigation I did looking at the mail in my own mailbox. I am convinced these folks are spammers and their mail is not opt-in and that any large ISP could safely block mail from them.
Determining this kind of mail is spam is even easier at ISPs or filtering companies. They have so much more data than I have. They can look at the number of non-existent addresses attempted, the number of traps hit, the number of complaints, and all sorts of other data. Then I discover that the mail is coming out of IP addresses related to Directi, who have a spotty history at best with hosting spammers.
For any person charged with making blocking decisions at a business domain, this information would be more than enough to manually block the IP address. Once that IP is blocked, it’s unlikely to ever get unblocked.
But most small businesses have outsourced their mail to companies like Google and Microsoft and these companies work by algorithm not by manual investigation. This means spammers like Sam-Lynn get away with obvious spam without suffering too much in the way of delivery failures. The IP address that sent this mail has a great reputation with Senderscore. The IP isn’t listed on Spamhaus’ list. The IP has a good reputation for sending mail at Senderbase.
Spammers have put a lot of energy into modifying their spamming to avoid automated blocks. They clean lists using services that remove all dead addresses. They attempt to clean off spamtraps using a variety of techniques. They remove complainers at the major ISPs. Right now these techniques are effective and are letting spam directly into the inbox.
I don’t expect this type of spam will always get inbox delivery, but it does for now. But filters will catch up and filters will compensate. And then the spammers will spend a lot of time trying to dodge those filters and get back to the inbox. It’s an escalating process and all our inboxes suffer for it.