Analysing lead-gen spam

Yesterday I showed how major companies hire hard core spammers.
Today I’m going to show you some of the technical details as to how I found that data. This is a fairly quick and shallow analysis, the sort of thing I’d typically do for a client to help them decide whether the case was worth pursuing before expending too much money and time on investigation and legal paperwork. I’ve also done it using standard command line tools that are available on pretty much any unix command line (and Windows, with a little effort).
There are several questions to answer about the email in question.

  1. Is it spam?
  2. Does it violate CAN-SPAM or other legislation?
  3. Who sent it?
  4. Did the sender know they were doing something wrong?
  5. Who is it advertising?
  6. Who paid for it?

1. Is it spam?
The mail was sent to someone who didn’t ask for it, so it’s spam.
Moreover, it was sent to an email address that hasn’t been publicly visible for over a decade, and hasn’t been used to sign up for anything at all for even longer. Even if Laura were to have signed up for the email there’s no way she would have used this email address. And there’s no way she would have signed up for it because, while we don’t discuss a lady’s age, she’s a long, long way from having any personal interest in the AARP.
There was no pretense in the email sent, nor the landing pages it went to, that the message was anything other than an unsolicited, prospecting lead-generation email – the email equivalent of cold-call telemarketing. And the only way the spammer would even have the email address would be if they’d bought a very, very old list of email addresses.
It’s spam.
2. Does it violate CAN-SPAM or other legislation?
My initial take on it is that it probably does, but there’s a lot of grey area involved. This is something I’d discuss as part of my initial legal strategy consult with a client, but isn’t something I’m going to touch on here beyond mentioning it.
3. Who sent it?
This is something that isn’t always clear from the email as it’s displayed to the end user. If you were to look at it in your mail client it claims to have been sent by “AARP Promotion”, and the content of the mail mentions nobody other than the AARP. The CAN-SPAM required unsubscription address given is that of the AARP:

AARP's offices are located at 601 E. Street NW, Washington DC 20049
Unsubscription link image from the spam
Given all that, and the wording of CAN-SPAM, describing the AARP as the sender is perfectly reasonable. They’re not the people who actually sent the spam, though, they just paid for it to be sent.
To find out who actually sent the spam we need to look at the headers and raw body of the spam. Open that up in a new browser window and take a look. We’ve colour-coded the various sections of the email – let’s look at the headers, with the grey background.
The Received headers are added each time the email is sent from one mail server to another. I know that, for the email address this was sent to, mx03.nni.com is one of the ISP’s mail servers. By starting at the top and following the series of Received headers down I know that this header …
Received: from mx1.denigradeelite.com (denigradeelite.com [216.155.42.18])
by localhost (mx03.nni.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id 2IvVrU3z8poM for <deleted>;
Tue, 13 Apr 2010 15:56:53 -0400 (EDT)

… is the header that recorded the delivery from the spammer.
The interesting bit there is the IP address that the email was sent from: 216.155.42.18. If we look at the reverse DNS for that IP address it comes back as denigradeelite.com, which is the same domain that’s used everywhere else throughout the email (the From: address, the links in the mail and so on). That makes it very likely that the owner of that domain is also the owner of the IP address, as the reverse DNS can only be set up by the owner of the IP address, not by the owner of the domain. (It’s not unusual to see a spammer point domains at a server they’ve compromised, such as a trojaned Windows box on a fast cable modem, but they don’t have any way to set up the reverse DNS in that case. As they have here, we know that the domain and IP are operated by the same person).
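The walk down the Received chain described above, as an added example that is not part of the original post: it parses the hops, stops at the first one a trusted ISP server recorded receiving from outside, and checks that the reverse DNS the MTA recorded matches the domain used in the spam. The message below is constructed (the article’s own delivery hop plus a made-up ISP-internal hop above it); the ISP hostnames are the ones the article names.

```python
import email
import re

# Constructed sample: the delivery hop quoted in the article, with a made-up
# ISP-internal hop above it (as an MTA typically adds) and a minimal body.
RAW_MESSAGE = """\
Received: from mx03.nni.com (mx03.nni.com [127.0.0.1])
\tby mx03.nni.com (Postfix) with ESMTP id CONSTRUCTED1
\tfor <deleted>; Tue, 13 Apr 2010 15:56:54 -0400 (EDT)
Received: from mx1.denigradeelite.com (denigradeelite.com [216.155.42.18])
\tby localhost (mx03.nni.com [127.0.0.1]) (amavisd-new, port 10024)
\twith LMTP id 2IvVrU3z8poM for <deleted>;
\tTue, 13 Apr 2010 15:56:53 -0400 (EDT)
From: "AARP Promotion" <promo@denigradeelite.com>
Subject: constructed sample

body
"""

# The recipient ISP's own mail servers, as named in the article. A hop whose
# "by" side is one of these was written by a server we trust.
TRUSTED_HOSTS = {"mx03.nni.com", "localhost"}

# from <HELO name> (<reverse DNS name> [<IP>]) by <receiving host> ...
# The parenthesised name is what the receiving MTA looked up itself (it is
# "unknown" when there is no PTR record); the HELO name is whatever the
# sender chose to claim and proves nothing.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Return the Received hops top-down, each as a dict of helo/rdns/ip/by."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append(m.groupdict())
    return hops

def external_origin(hops, trusted=TRUSTED_HOSTS):
    """Walk from the newest hop down; the first one that a trusted server
    recorded receiving from a host that is not ours is the outside delivery.
    Every hop below it was written by the sender and cannot be trusted."""
    for hop in hops:
        recorded_by_us = hop["by"] in trusted
        sender_is_ours = hop["rdns"] in trusted or hop["ip"].startswith("127.")
        if recorded_by_us and not sender_is_ours:
            return hop
    return None

def rdns_matches_domain(hop, domain):
    """True when the reverse DNS the receiving MTA recorded is the domain used
    elsewhere in the spam (or a host under it); only the IP owner can set it."""
    rdns = hop["rdns"].lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)

if __name__ == "__main__":
    origin = external_origin(parse_hops(RAW_MESSAGE))
    print(origin["ip"], origin["rdns"], rdns_matches_domain(origin, "denigradeelite.com"))
```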
We can look a bit closer, though. Checking the forward DNS for the domain used in the links in the spam we see it goes to the same IP address. And looking at the nameservers for that domain, they end up at the same IP address too.
So we know that the server it was sent from has the address 216.155.42.18, and that that server is run by the same entity that owns the domain denigradeelite.com. denigradeelite.com is a very odd looking domain name – it looks like the sort of name that is made up by snowshoe spammers. Looking at the surrounding IP addresses we see more of the same. (And using some of our in-house tools there’s even more, but it’s just yet more of the same snowshoe behaviour.)
It looks like nni.com has a small infestation of incompetent snowshoe spammers. All those domains are registered by the same person. Usually spammers use fake contact information, such as Domains by Proxy, for their domains. In this case it looks like he didn’t. Regardless of how good your forensic skills or information sources are, there’s nothing quite as helpful as spammers being stupid.
So we know that the mail was sent by whoever paid for the domain registration for denigradeelite.com and whoever is paying for the server at 216.155.42.18. We’d need to issue some subpoenas to confirm it, but I’m pretty sure they’d end up pointing the finger at Andrew Talbot of Salt Lake City.
4. Did the sender know they were doing something wrong?
Looking at the source of the spam you can see several things. Some of them help demonstrate that the spammer knew what he was doing was wrong, while some of them just demonstrate that he was incompetent.
Incompetent first because, well, it’s funnier. Looking at the HTML part of the email (with the pale yellow background) he’s using Microsoft Word to generate the content. That’s… pretty much the worst way you can generate email content, as the HTML it generates is appallingly bad. That’s probably why it looks so bad in the mail client. For those lucky recipients using a plain text mail client, all they’ll see is the text/plain section with the green background – two obscure URLs and some text that manages to express a lot of illiteracy in just three words.
Looking at the headers at the top of the message you’ll see that our mail filters decided it was spam due to the use of the denigradeelite.com domain in the message. A smart spammer would have used any of a number of ploys to avoid having blacklisted domains being used. Andrew didn’t. Instead, Andrew added that domain to the message an additional 46 times. That’s the pale grey on pale yellow text labeled as “Random incompetence”.
OK, now to Andrew knowing that he’s doing a Bad Thing. We’ve already touched on some minor issues – Andrew is lying about who is sending the mail, claiming it’s coming from “AARP Promotions”, for instance. And there’s all the snowshoe-style behaviour we talked about earlier. But there’s much worse than that.
Andrew is using images for almost the entire content of the message. There’s nothing wrong with using images in commercial email – it’s a good practice, in general, for branding reasons if nothing else. But Andrew’s AARP spam is completely illegible with images turned off. That’s not a good practice, and is something very distinctive to naive spammers who think that if spam filters can’t read the text of their email, they won’t be able to block it. Even more distinctive, and pretty much unique to really scummy spammers, is including the (CAN-SPAM required) postal address solely as an image. Whether that even fulfills the CAN-SPAM requirement is unclear, but it’s something that only realio-trulio spammers do.
But wait! There’s more!
If you look at the source of the spam you’ll see a bunch of sections I’ve highlighted in bright red on pale yellow and labeled as “Hashbuster”. Hashbusters are something we’ve not talked about in much detail before, but they’re something only incredibly hard core spammers do. They’re sections of text, either random words or sections of text from books or webpages, that are added to spam in a way that’s not visible to the recipient. The idea is that loading the email up with hundreds of “non-spammy” random words will persuade spam filters to ignore all the other signs that an email is spam. This doesn’t work. This hasn’t worked in many years, and even then it didn’t work well. Using them is an absolutely solid, 100% certain, no question about it sign that the sender is spamming, knows they’re spamming, knows that their mail is unwanted, knows it’s likely to be blocked and will do absolutely anything, however wrong-headed, to get their spam in front of the recipient’s eyeballs. It’s also usually a sign that the spammer is both incompetent and is using obsolete spamware, but that’s the AARP’s business problem, not ours.
In the vast majority of cases I’d mention Domains by Proxy and other ways to falsify domain registration at this point, as they’re a pretty sure sign that the sender knows what they’re doing is wrong. In this particular case, though, the spammer seems not to be smart enough to use false information in his domain registrations.
All in all, I’d have no problem testifying that Andrew is not only spamming, he’s also under no illusions about what he’s doing being spam.
5. Who is it advertising?
It’s clear from the content of the message that it’s advertising the AARP. Specifically it’s lead generation spam advertising for new members to sign up with them.
The advertised website is at aarpmembership.org. The landing page is a signup form for the AARP:
Landing page for AARP spam at aarpmembership.org
All the links on that page go to URLs at aarp.org.
If you fill in the form you end up at another page at aarpmembership.org:
After filling in the AARP spam web form
All the links on that page go to URLs at aarp.org too.
aarpmembership.org is hosted by SureClick, who advertise that one of their lead generation customers is the AARP.
There’s no question that it’s advertising the AARP.
6. Who paid for it?
When you click on one of the links in the spam it will take you to a landing page at aarpmembership.org. But it doesn’t take you there immediately – it bounces you through several other URLs first. The reason it does this is so that each link in the chain between the advertiser and the spammer can track that click, so that they can pay out on it if it leads to a signup.
So to track who is responsible for the spam, who paid for it, all we need to do is track the URLs that are redirected through.
First we go to the URL in the spam itself, hosted at denigradeelite.com, and we “click” on that link. We do that not with a web browser but using telnet, a simple network access tool that lets us do the web transaction “by hand”. In this case the query returns a webpage that contains a “meta-refresh” header that tells the browser to immediately load a page at www.afftrackinglinks.com.
So then we follow that link. Again, we don’t use a normal web browser. This time we use a commandline tool called “curl” that will run a web transaction, and print out the response it gets. This time instead of getting a web page returned, we get what’s called a “302 redirect” response. This doesn’t show a page at all, rather it tells the browser to immediately load the URL given in the Location: header of the response – a tracking URL at affiliate.sctracking.com.
And we keep on going. We follow that link, using curl again. Again we get a 302 redirect response. This time the Location: header points to a URL on www.aarpmembership.org.
And that’s where the chain of redirects ends, so that’s the URL we finally end up at.
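The redirect walk described in the steps above, as an added example that is not part of the original post: it follows a chain by hand, handling both a meta-refresh page and 302 Location responses, and stops at the first page that does neither. The network is replaced by a constructed table of canned responses so it runs offline; the hostnames are the ones the article names, the paths and tracking parameters are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MetaRefreshFinder(HTMLParser):
    """Pull the target URL out of <meta http-equiv="refresh" content="0;url=...">."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _delay, sep, rest = a.get("content", "").partition(";")
            rest = rest.strip()
            if sep and rest.lower().startswith("url="):
                self.target = rest[4:].strip().strip("'\"")

def meta_refresh_target(body):
    finder = MetaRefreshFinder()
    finder.feed(body)
    return finder.target

def follow_chain(start, fetch, limit=10):
    """Return every URL visited, starting at `start`. A 3xx response is followed
    via its Location header, a 200 page via its meta refresh; the chain ends at
    the first page that does neither. `fetch(url)` -> (status, headers, body)."""
    chain = [start]
    url = start
    for _ in range(limit):
        status, headers, body = fetch(url)
        nxt = None
        if 300 <= status < 400:
            nxt = headers.get("Location")
        elif status == 200:
            nxt = meta_refresh_target(body)
        if not nxt:
            return chain
        url = urljoin(url, nxt)  # Location may be relative
        chain.append(url)
    raise RuntimeError("more than %d hops: probable redirect loop" % limit)

def hosts_in_chain(chain):
    """The parties between spammer and advertiser, in click order."""
    return [urlsplit(u).hostname for u in chain]

# Constructed offline stand-in for the network. Hostnames are the ones the
# article names; paths and tracking parameters are made up.
CANNED = {
    "http://denigradeelite.com/r/EXAMPLE": (200, {},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://www.afftrackinglinks.com/click?a=EXAMPLE"></head></html>'),
    "http://www.afftrackinglinks.com/click?a=EXAMPLE": (302,
        {"Location": "http://affiliate.sctracking.com/t?c=EXAMPLE"}, ""),
    "http://affiliate.sctracking.com/t?c=EXAMPLE": (302,
        {"Location": "http://www.aarpmembership.org/"}, ""),
    "http://www.aarpmembership.org/": (200, {}, "<html><body>signup form</body></html>"),
}

def canned_fetch(url):
    return CANNED[url]
```

For a live walk, pass a `fetch` built on `urllib.request` with an opener that has no `HTTPRedirectHandler`, so each hop is returned to you rather than followed silently.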
So the spammer, denigradeelite.com, is sending clicks to afftrackinglinks.com. We know that afftrackinglinks.com is OfferWeb.net, as the domain registration for the two domains is identical.
Offerweb are then sending tracking links to affiliate.sctracking.com, who we can tell from their webpage are SureClick.
affiliate.sctracking.com are then sending the clicks to aarpmembership.org. We want to identify who is operating aarpmembership.org (which may be different from who originally registered it). We know that aarpmembership.org is hosted at 69.20.63.210. And we know that the operator of 69.20.63.210 claims that it’s smtp.sureclick.com. And we confirm that smtp.sureclick.com really is 69.20.63.210. So we know that the landing page and signup form is being operated by SureClick, who we know are selling lead-generation services to the AARP.
So either someone is working for free, or the AARP pays SureClick who pay OfferWeb who pay “Andrew Talbot” to send blatant, really badly done, spam on the behalf of the AARP.
You rush a spammer, you get rotten spam

Related Posts

Spammers aren't who you think they are

Shady direct marketers exploit CAN SPAM to continue spamming but protect themselves from the law. This is something I’ve been talking about for a while (TWSD), and it’s nice to see the mainstream press noticing the same thing.
HT: Box of Meat

And the ugly…

Getting back to my series on the good, the typical and the ugly in the ESP field, and there is some very ugly out there. I have 3 examples of the ugliness out there and what ESPs and legitimate senders are competing with.
The fake ESP
A spammer approached me early on in my consulting career, asking me to help him set up a fake ESP. He wanted to set up his corporate network so that to an outsider it would look like he was selling ESP services and thus had a large number of customers. There wouldn’t be any customers, however, all the mail would be coming from his company. When the blocking got bad enough, and it would as he would purchase addresses from anywhere, he would “disconnect” the responsible customer. My role was to help him come up with a plausible sounding acceptable use policy and then contact the ISPs when he “disconnected” the customer. I declined to participate in this scheme. This doesn’t appear to have stopped him, though, if the rumors I hear are to be believed.
Waterfalling
Related to the fake ESP scheme is waterfalling. Spammers acquire lists of email addresses and then begin the process of cleaning them by mailing. In some cases, they mail through fake ESPs, as above. In other cases, they actually spread their traffic out across legitimate ISPs. As they mail the lists through the ESPs, they remove unsubscribes, bounces and complaints. When the list reaches a set cleanliness, they move it to another ESP. They repeat this, gradually moving through cleaner and cleaner ESPs. Eventually, they move the list to their own network and sell mailings to it as an opt-in list. It’s not opt-in, it’s just cleansed of all negative responders.
The companies abusing ESPs to clean their lists do tarnish the reputation of ESPs. While the responsible ESPs do disconnect the waterfallers, they usually do so after problems are detected. That being said, there are some companies that are constantly looking for “partnerships” at ESPs and the ESPs turn them away during the sales cycles.
Affiliates
While not necessarily an ESP problem there are some large companies out there that hire spammers to send acquisition email for them. They also send their own mail, both marketing and transactional, through ESPs. The issue for ESPs comes when the URL blocks happen and the bad reputation of their customer’s mail bleeds back to the ESP’s IP addresses. The ESP becomes known as “one of those places that mails for X” and their reputation falls accordingly. In some cases, even if the mail through the ESP is clean and opt-in, the ESP finds itself blocklisted for just doing business with a company that hires spammers.
I’ve had a couple clients recommended to me by ESPs because the ESP was dealing with a persistent spam block around this particular customer. The mail the customer sent through the ESP was opt-in, but the client was using an extensive network of affiliates to send spam for them. I collected a lot of examples of their spam from various affiliates, even gave them a couple of examples from my own email addresses. One of those addresses has not been actively used in 6 years. My client tells me they talked to their affiliates and that the affiliate assured them I had signed up, I just forgot. The client chose to believe the affiliate over me, despite the fact that I had many other examples. That client lost their ESP (and good for the ESP) but is still sending spam. I just got one advertising their stuff yesterday, at the same address I gave to them years ago, all images, hashbusters, domain hidden behind proxy, coming from a snowshoer network.
All of the companies I’ve talked about here describe themselves as legitimate email marketers. Even the company telling me I opted in to their mail was defending themselves and their affiliates as legitimate email marketers.

Which is better UTF-8 or ISO-?

Someone asked today on a mailing list whether they should be using UTF-8 or “ISO” encoding for sending email. What’s the best choice depends on some of the details of the situation, but here’s the answer I gave:
UTF-8 will work for pretty much anything, as it’s just an 8 bit encoding scheme for Unicode (which is supposed to be the one character encoding to rule them all). It’s well supported in most languages and development environments – Windows has been native UTF-16 under the covers since the mid 90s, for instance – and typical messages that use mainstream glyphs should render well from utf-8 in most western MUAs and browsers.
There are still a very few old or broken clients out there that will not handle UTF-8 well but (outside the Asian language market, where there’s still some non-ASCII, non-Unicode legacy usage) they’re typically ones that don’t really handle any character set encoding well and the only thing safe to send to them is either plain ASCII or whichever ASCII superset their OS happens to support natively (which is probably an argument for sending Windows-1252 codepage, but not a terribly strong one).
The various extended ASCIIs (such as ISO-8859-*) will only work for messages that are written solely using characters from that character set. If you have even one character in a message that cannot be expressed in ISO-8859-1, then you can’t use ISO-8859-1 to send that message.
ISO-8859-1 (aka Latin1) is fairly sloppy in some respects – it has no apostrophe, nor single quotes, for instance – but it can handle an awful lot of languages, from Kurdish to Swahili. It can’t handle Dutch, Estonian, Finnish, Hungarian and Welsh particularly well, nor can it show the Euro symbol (ISO-8859-14 or -15 are needed for some characters there).
A common problem is that many people (and the software they write) think that Windows uses Latin1. It doesn’t, it uses Windows-1252. If you accept messages written on Windows, using the Windows-1252 code page, and throw them out on the wire as ISO-8859-1 what you end up with is not quite right. It mostly works, as the two codepages overlap quite a bit, but they have different glyphs in the 0x80-0x9f range. So if you use single or double quotes (“smart quotes”), or the Euro symbol, or ellipses, or bullet, or the trademark symbol in your message they’ll be garbled. This is so common that some mail clients and web browsers will actually treat a document that claims to be ISO-8859-1 as Windows-1252, but that’s a bug workaround and not something it’s really safe to rely on.
If you’re doing personalized messages, and you’re sending one of them to Győző and one of them to Eiður then you may have to use different character sets for the two messages. If you’re talking about Győző and personalizing it for Eiður then you might find things break horribly.
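The two failure modes above, as an added example that is not part of the original post: what a correct mail client shows when Windows-1252 bytes are labelled ISO-8859-1, which characters land in the 0x80-0x9f range, and which charsets can carry a given message (including the Győző/Eiður case, where only UTF-8 covers both). The sample line is constructed.

```python
# Constructed sample in the style of a Windows-authored marketing line: curly
# quotes, a euro sign, a trademark sign and an ellipsis, all of which cp1252
# stores in the 0x80-0x9f range that ISO-8859-1 reserves for C1 controls.
SAMPLE = "\u201cSave \u20ac5\u201d on Widget\u2122\u2026"

def mislabel(text, written_in="cp1252", declared_as="iso-8859-1"):
    """What a correct receiving MUA shows when bytes written in one code page
    are sent with a Content-Type charset that claims another."""
    return text.encode(written_in).decode(declared_as)

def garbled_characters(text):
    """The characters of `text` that change when cp1252 bytes are read as
    ISO-8859-1, with the byte each one occupies (always 0x80-0x9f)."""
    raw = text.encode("cp1252")
    shown = raw.decode("iso-8859-1")
    return [(c, b) for c, g, b in zip(text, shown, raw) if c != g]

CANDIDATES = ("us-ascii", "iso-8859-1", "iso-8859-2", "iso-8859-15",
              "windows-1252", "utf-8")

def usable_charsets(text, candidates=CANDIDATES):
    """Which of the candidate charsets can carry every character of `text`.
    A single unrepresentable character rules a charset out entirely."""
    ok = []
    for cs in candidates:
        try:
            text.encode(cs)
        except UnicodeEncodeError:
            continue
        ok.append(cs)
    return ok

if __name__ == "__main__":
    print(repr(mislabel(SAMPLE)))
    print(garbled_characters(SAMPLE))
    # Hungarian ő needs Latin-2, Icelandic ð needs Latin-1; together, only UTF-8.
    for name in ("Győző", "Eiður", "Győző and Eiður"):
        print(name, usable_charsets(name))
```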
Someone probably has some concrete data on mail client character set support, broken down by region and language, but my understanding is that this is a reasonable approach:
