Dodging filters makes for effective spamming

Spam is still 80 – 90% of global email volume, depending on which study you look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of the rest of it in the bulk folder. But as the volumes of spam have grown, ISPs and filters are relying more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for it to be cost effective to manually review filters.
In some ways, though, automatic filters are easier to avoid than manual filters. Take a spam that I received at multiple addresses today. It’s an advertisement for lists to “meet my marketing needs.” I started out looking at this mail to walk readers through all of the reasons I distrusted this mail. But some testing, the same sorts of testing I do for client mails, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.

  • More than one email address of mine received the mail, including the contact address on this website. They’re clearly harvesting addresses.
  • The mail was from <sam.miller@eml-dbs.com> but signed Lynn Fox.
  • When I go to the eml-dbs.com website, I see a cookie cutter site with no real contact information (except for the address jerry.miller@eml-dbs.com).
  • The website offers “Wed Design.”
  • When I start looking at the sending IP address I find it is related to Directi.com, a company that doesn’t have a great track record when it comes to spam.
  • When I start looking at whois records, I find a maze of twisty little websites (a2zdbase.com, unitedesolutions.com, all mostly alike, all selling similar services).
  • The mail violates CAN-SPAM by not having a physical address.
  • The mail is collecting opt-out requests using a gmail mailbox.

This is a scratch-the-surface investigation I did looking at the mail in my own mailbox. I am convinced these folks are spammers and their mail is not opt-in and that any large ISP could safely block mail from them.
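Three of the checks in the list above can be read straight off the message itself, and the sketch below automates them for triage. It is an added example, not code from the original post; the sample messages, the `example` domains, the free-mailbox list and the address regexes are all constructed assumptions and deliberately rough heuristics.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # illustrative subset
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SIGNOFF_RE = re.compile(r"^(?:regards|thanks|sincerely|best)[\w ]*,?[ \t]*$", re.I | re.M)
# Rough US-style postal address hints: PO box, street line, or "ST 12345"
POSTAL_RE = re.compile(r"P\.?\s?O\.?\s+Box\s+\d+"
                       r"|\b\d{1,6}\s+[A-Z][\w .]*\b(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Suite)\b"
                       r"|\b[A-Z]{2}\s+\d{5}(?:-\d{4})?\b")

def audit(raw):
    """Return the list of indicators found in one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    local, _, from_domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    findings = []
    # 1. Name in the From local part does not match the name under the sign-off
    m = SIGNOFF_RE.search(body)
    if m:
        rest = body[m.end():].strip().splitlines()
        signer = set(re.findall(r"[a-z]+", rest[0].lower())) if rest else set()
        if signer and not signer & set(re.split(r"[._-]", local)):
            findings.append("from_signature_mismatch")
    # 2. Opt-out requests collected at a free mailbox outside the sending domain
    optout = [l for l in body.splitlines() if re.search(r"unsubscribe|opt[- ]?out|remove", l, re.I)]
    if any(d.lower() in FREEMAIL and d.lower() != from_domain
           for l in optout for d in ADDR_RE.findall(l)):
        findings.append("optout_via_freemail")
    # 3. No physical postal address anywhere in the body (CAN-SPAM requires one)
    if not POSTAL_RE.search(body):
        findings.append("no_postal_address")
    return findings

# Constructed sample messages (not the mail from the post)
SPAM_SAMPLE = """\
From: sam.miller@lists.example
Subject: Email lists

We have email lists to meet your marketing needs.

Regards,
Lynn Fox

To opt out, email optout-placeholder@gmail.com with Remove in the subject.
"""
CLEAN_SAMPLE = """\
From: Anna Reed <anna.reed@shop.example>
Subject: Your order

Your order has shipped.

Regards,
Anna Reed

Unsubscribe by mailing unsubscribe@shop.example
Example Shop, 100 Main Street, Springfield, IL 62701
"""
```

None of these indicators is conclusive alone; they are the kind of content signal a reviewer would weigh together with the sending IP and whois findings.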
Determining that this kind of mail is spam is even easier at ISPs or filtering companies. They have so much more data than I have. They can look at the number of non-existent addresses attempted, the number of traps hit, the number of complaints, and all sorts of other data. Then I discover that the mail is coming out of IP addresses related to Directi, who have a spotty history at best with hosting spammers.
For any person charged with making blocking decisions at a business domain, this information would be more than enough to manually block the IP address. Once that IP is blocked, it’s unlikely to ever get unblocked.
But most small businesses have outsourced their mail to companies like Google and Microsoft, and these companies work by algorithm, not by manual investigation. This means spammers like Sam-Lynn get away with obvious spam without suffering too much in the way of delivery failures. The IP address that sent this mail has a great reputation with Senderscore. The IP isn’t listed on Spamhaus’ list. The IP has a good reputation for sending mail at Senderbase.
Spammers have put a lot of energy into modifying their spamming to avoid automated blocks. They clean lists using services that remove all dead addresses. They attempt to clean off spamtraps using a variety of techniques. They remove complainers at the major ISPs. Right now these techniques are effective and are letting spam directly into the inbox.
I don’t expect this type of spam will always get inbox delivery, but it does for now. But filters will catch up and filters will compensate. And then the spammers will spend a lot of time trying to dodge those filters and get back to the inbox. It’s an escalating process and all our inboxes suffer for it.

Related Posts

Return Path on Content Filtering

Return Path have an interesting post up about content filtering. I like the model of 3 different kinds of filters; in fact, it’s one I’ve been using with clients for over 18 months. Spam filtering isn’t really about one number or one filter result; it’s a complex interaction of lots of different heuristics designed to answer the question: do recipients want this kind of mail?


Hunting the Human Representative

Yesterday’s post was inspired by a number of questions I’ve fielded recently from people in the email industry. Some were clients, some were colleagues on mailing lists, but in most cases they’d found a delivery issue that they couldn’t solve and were looking for the elusive Human Representative of an ISP.
There was a time when having a contact inside an ISP was almost required to have good delivery. ISPs didn’t have very transparent systems and SMTP rejection messages weren’t very helpful to a sender. Only a very few ISPs even had postmaster pages, and the information there wasn’t always helpful.
More recently that’s changed. It’s no longer required to have a good relationship at the ISPs to get inbox delivery. I can point to a number of reasons this is the case.
ISPs have figured out that providing postmaster pages and more information in rejection messages lowers the cost of dealing with senders. As the economy has struggled ISPs have had to cut back on staff, much like every other business out there. Supporting senders turned into a money and personnel sink that they just couldn’t afford any longer.
Another big issue is the improvement in filters and processing power. Filters that relied on IP addresses and IP reputation did so for mostly technical reasons. IP addresses are the one thing that spammers couldn’t forge (mostly) and checking them could be done quickly so as not to bottleneck mail delivery. But modern fast processors allow more complex information analysis in short periods of time. Not only does this mean more granular filters, but filters can also be more dynamic. Filters block mail, but also self resolve in some set period of time. People don’t need to babysit the filters because if sender behaviour improves, then the filters automatically notice and fall off.
Then we have authentication and the protocols now being layered on top of that. This is a technology that is benefiting everyone, but has been strongly influenced by the ISPs and employees of the ISPs. This permits ISPs to filter on more than just IP reputation, but to include specific domain reputations as well.
Another factor in the removal of the human is that there are a lot of dishonest people out there. Some of those dishonest people send mail. Some of them even found contacts inside the ISPs. Yes, there are some bad people who lied and cheated their way into filtering exceptions. These people were bad enough and caused enough problems for the ISPs and the ISP employees who were lied to that systems started to have fewer and fewer places a human could override the automatic decisions.
All of this contributes to the fact that the Human Representative is becoming a more and more elusive target. In a way that’s good, though; it levels the playing field and doesn’t give con artists and scammers better access to the inbox than honest people. It means that smaller senders have a chance to get mail to the inbox, and it means that fewer people have to make judgement calls about the filters and what mail is worthy or not. All mail is subject to the same conditions.
The Human Representative is endangered. And I think this is a good thing for email.


Not lazy, just annoyed

I don’t usually send in spam reports, but I submitted a couple in the last few weeks. Somehow an address of mine is on a bunch of rave / club lists in London. You want to know what is happening at London clubs this week? It’s all there in my spam folder.
This mail finally hit my annoyance threshold, so I’ve been submitting reports and complaints to the senders the last few weeks. The mail, with full headers, goes with an explanation that the address that received it was harvested off a website more than 5 years ago and never opted in to receive any mail.
One of the ISPs I sent the report to has a web form where the complainant and the customer can see the report and both can comment on it. The customer replied to my complaint on it.
