Spam isn't going away

I got a piece of B2B spam last week that showed in several different ways why spam isn’t going away any time soon.
Systemic problems dealing with abuse at scale at Google. Ethics problems at Cloudflare. Problems dealing with abuse at scale at Amazon. Cultural problems in India, several times over.
Buckle up.

The spam content

The spam email itself looks pretty much like any business email. Slightly excessive use of bold, but more restrained than much of the legitimate email I get, both 1:1 and bulk. It’s trying to sell me inexpensive, outsourced software development.
Even the signature at the bottom is fairly restrained compared to many:

Other than my knowing that this isn’t email I asked for, and that it went to an email address I wouldn’t have given out, I can’t tell from the content that it’s not legitimate. Nor can the spam filter in my mail client, nor can SpamAssassin (“X-Spam-Status: No, score=-2.689”). It’s delivered right to my inbox.

New York? Probably not.

“Lisa Ross” and a New York area code. But “Private Ltd.” is not a US style company name. Let’s see who they really are.

Meet OnGraph Technologies of Noida, Uttar Pradesh, India.
I’m not suggesting that Lisa Ross and her New York phone number are entirely fake, but I can’t find any independent sign of her existence via, e.g., LinkedIn, and the New York business address they provide is a shared office building mostly used by medical offices; suite 304 seems to have at least five different businesses being operated out of it, judging from Google search. It’s either a single US salesweasel or a mail drop and a VoIP number.
So they’re an Indian company, about which more later. Let’s look at who is providing them service.

Google

The spam is being sent from mail-oi0-x242.google.com, presumably Google Apps. It’s squeaky clean technically: it passes SPF, has valid DKIM and is even DMARC aligned, coming in from a Google IPv6 address that, as far as I can tell, has a decent sending reputation (SenderScore has never heard of it, but SenderBase thinks it has a good reputation).
It’s Google. There’s probably quite a lot of wanted email coming from there, so there’s no risk of it being blocked by recipients.
And this isn’t an actual user sending mail through Google. It’s a third-party app designed for spammers that connects to Google to parasitically take advantage of Google’s delivery infrastructure and reputation to send spam with little risk of it being blocked or filtered.
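The authentication checks above all pass because the mail really does leave Google’s MTAs; what gives the game away is the hop before that, where an outside system injected the message through a Google account via authenticated submission. The script below is an added example, not code from the post: it parses a constructed message (the Google hostname is the one quoted in the post; the IPv6 address, the EC2-style client hostname, the IPv4 address and the domains are made up from documentation ranges), reads the Authentication-Results and X-Spam-Status headers, walks the Received chain back to the first hop, and reports where the mail was submitted. The “.amazonaws.com” check is an assumed heuristic based on the post’s observation, not a rule from any filtering product.

```python
"""Trace authenticated, Google-relayed mail back to its submission hop."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not the one received by the post's author).
RAW_MESSAGE = b"""Received: from mail-oi0-x242.google.com (mail-oi0-x242.google.com [IPv6:2001:db8:c06::242])
\tby mx.example.net (Postfix) with ESMTPS id 4ABCDEF
\tfor <victim@example.net>; Tue, 6 Feb 2018 10:15:03 -0800 (PST)
Received: by mail-oi0-x242.google.com with SMTP id q24so123456oih.7
\tfor <victim@example.net>; Tue, 6 Feb 2018 10:15:02 -0800 (PST)
Received: from ec2-203-0-113-10.compute-1.amazonaws.com ([203.0.113.10])
\tby smtp.gmail.com with ESMTPSA id z7sm123456oih.26
\tfor <victim@example.net>
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tTue, 6 Feb 2018 10:15:01 -0800 (PST)
Authentication-Results: mx.example.net;
\tdkim=pass header.i=@spammer-example.com header.s=google;
\tspf=pass (sender IP is 2001:db8:c06::242) smtp.mailfrom=lisa@spammer-example.com;
\tdmarc=pass (p=NONE) header.from=spammer-example.com
X-Spam-Status: No, score=-2.689 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
\tDKIM_VALID_AU autolearn=ham
From: "Lisa Ross" <lisa@spammer-example.com>
To: victim@example.net
Subject: Outsourced software development

Hello, we offer inexpensive outsourced software development.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)", re.I)
DKIM_DOMAIN_RE = re.compile(r"header\.i=@([\w.-]+)", re.I)
FROM_DOMAIN_RE = re.compile(r"header\.from=([\w.-]+)", re.I)
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)   # "from <client-host> ..."
RECEIVED_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)      # "... by <receiving-host> ..."
RECEIVED_WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)  # "... with ESMTPSA ..."
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)
GOOGLE_MTA_RE = re.compile(r"\.(google|gmail)\.com$", re.I)


def parse_message(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def _unfold(value) -> str:
    """Collapse header folding (CRLF + whitespace) into single spaces."""
    return " ".join(str(value).split())


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts plus the DKIM and From domains used for alignment."""
    result = {"spf": None, "dkim": None, "dmarc": None, "dkim_domain": None, "from_domain": None}
    header = msg.get("Authentication-Results")
    if header is None:
        return result
    text = _unfold(header)
    for method, verdict in AUTH_RESULT_RE.findall(text):
        result[method.lower()] = verdict.lower()
    for key, pattern in (("dkim_domain", DKIM_DOMAIN_RE), ("from_domain", FROM_DOMAIN_RE)):
        m = pattern.search(text)
        if m:
            result[key] = m.group(1).lower()
    return result


def received_hops(msg) -> list:
    """Received hops in transit order: index 0 is the first (injection) hop."""
    hops = []
    for value in msg.get_all("Received", []):
        clause = _unfold(value).partition(";")[0]  # drop the timestamp
        frm, by, with_, ip = (r.search(clause) for r in (RECEIVED_FROM_RE, RECEIVED_BY_RE, RECEIVED_WITH_RE, IP_RE))
        hops.append({"from": frm.group(1) if frm else None, "from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None, "with": with_.group(1) if with_ else None})
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops


def injection_point(msg):
    """First hop accepted by a Google host over authenticated submission (ESMTPSA)."""
    for hop in received_hops(msg):
        if hop["by"] and GOOGLE_MTA_RE.search(hop["by"]) and (hop["with"] or "").upper() == "ESMTPSA":
            return hop
    return None


def spam_status(msg) -> dict:
    """SpamAssassin's X-Spam-Status: flag and numeric score."""
    header = msg.get("X-Spam-Status")
    if header is None:
        return {"flagged": None, "score": None}
    text = _unfold(header)
    m = re.search(r"score=(-?[0-9.]+)", text)
    return {"flagged": text.split(",", 1)[0].strip().lower() == "yes",
            "score": float(m.group(1)) if m else None}


def assess(raw: bytes) -> dict:
    """Combine the checks: the mail authenticates, yet its origin is outside Google."""
    msg = parse_message(raw)
    auth, hop, sa = auth_results(msg), injection_point(msg), spam_status(msg)
    return {
        "authenticated": all(auth[m] == "pass" for m in ("spf", "dkim", "dmarc")),
        "dkim_aligned": auth["dkim"] == "pass" and auth["dkim_domain"] == auth["from_domain"],
        "spam_flagged": sa["flagged"],
        "spam_score": sa["score"],
        "relayed_via_google": any(GOOGLE_MTA_RE.search(h["by"] or "") for h in received_hops(msg)),
        "injected_from": hop["from"] if hop else None,
        "injected_from_ip": hop["from_ip"] if hop else None,
        # Assumed heuristic: submission from EC2 reverse-DNS space, as the post describes.
        "submitted_from_cloud_host": bool(hop and (hop["from"] or "").endswith(".amazonaws.com")),
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key:28} {value}")
```

Run against the constructed message, `assess()` reports that SPF, DKIM and DMARC all pass and the DKIM domain aligns with the From domain, that SpamAssassin did not flag it, and that the submission hop was an EC2-style host rather than a mail client. None of that is a verdict on its own, but the submission hostname and IP are the one field in the message that the spamware does not control, which makes them the useful thing to log, count across messages, and feed into a local rule.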
As I understand Google’s policy on people doing this it’s, pretty much, that it’s OK to use Google apps this way and that the level of complaints due to this is low enough that it’s not something they tend to take any action on. And, at the scale they’re working at, I don’t blame them. They’re not making much profit margin on each Gmail account and only a little more on Google Apps – spending enough to mitigate outbound abuse more effectively than they currently do at scale would eat into their $26B profit.
A third-party app for spamming, you say?

SalesHandy

SalesHandy provide a web app designed for spamming. They’re based out of Gujarat, India (of which more later). Their web infrastructure is all hosted by CloudFlare (of which more later), and their domain is registered through GoDaddy (of which, yes, more later).
They sell a bunch of services, including spamming via Gmail or Google Apps, link and open tracking for that spam, and a variety of address acquisition methods.
Their preferred acquisition method for high quality, targeted addresses is to buy their chrome extension, findthat.email (hosted at Amazon EC2), subscribe to their service and harvest them from LinkedIn:

By entering the job title in the search bar and choosing the “People” tab. You can find up to 10 email addresses on a page. And keep moving to the next page. Within a matter of minutes, you can collect hundreds of email addresses.

Alternatively, for spammers who want bigger lists, they suggest using their software’s “find emails in bulk” option:

Make a list of prospects with their first name, last name and company domain.
Upload this list to Find That Email’s bulk find feature
Find email addresses
You might be thinking, how long will it take to find 5000 names and company domains? A solid trick is to get the help of a Filipino virtual assistant, who you can pay $2/hr to collect names.

SalesHandy sure aren’t going to take any action to stop spam being sent – that’s their business.

OnGraph

They’re the spammers. They don’t care.
Their inbound email is all handled by Google. Their web infrastructure is hosted by both Amazon and CloudFlare.

Amazon EC2

Amazon do more than selling you so many things online that the limiting factor is how fast you can recycle their cardboard boxes.
They also offer a very solidly engineered cloud hosting environment, EC2. It’s huge. Half the companies you can think of are hosted there, including most of Netflix’s infrastructure. They let you spin up virtual machines, use them, then destroy them and charge you just for the minutes you use them.
All of which is great, but also very ripe for abuse. When EC2 first started it was a horrible source of spam, but by 2009 or so almost everybody was just blocking all email coming from EC2 network space – this is the main thing that triggered the business of ESPs with APIs aimed at web developers, such as SendGrid. Eventually Amazon throttled outbound email from EC2 down to almost nothing, and set up their own ESP – Amazon SES – to siphon off some of the profits from providing EC2 users with a channel to send email.
That fixed the problem of spam being literally sent from EC2 quite effectively. But it’s still a pretty safe place to host abuse related websites. They do have an email address that accepts reports of abuse, which is handled by a bot that checks to see if you mention a valid EC2 IP address and sends a friendly reply if you do. But I’ve reported “bad” websites on their network and they’ve still been there, at the same IP address, when I’ve checked weeks later. I suspect that as long as the content itself isn’t illegal there’d need to be quite a high volume of complaints to provoke action. Again, it would be expensive to mitigate abuse at this scale, eating into their $180B profits. And as the vast majority of sites hosted are at worst harmless, no third party is going to filter them en masse – that’d just be silly.
So no help there.

CloudFlare

CloudFlare host websites, so as to hide the people who operate them and protect them from being taken down. If you ask them about that, they’ll agree with most of it, but tell you at tedious length that they don’t host websites, they just provide the public IP address and TLS certificates for websites and proxy the traffic to the real webserver elsewhere.
Whatever. They’re the only people who can effectively take down a website that they’re hosting (sorry, proxying). And, as a matter of policy and deep personal belief, they don’t. They do, however, dox anyone who reports abuse to them to the abusive websites. That applies to Nazis, White Supremacists and some of the nastiest hate sites on the Internet. They’re certainly not going to care about B2B spammers or spamware vendors.
Definitely no help there.

GoDaddy

I’m picking on GoDaddy because they’re ahead of the curve on hiding or falsifying data about domain ownership, but most domain registrars are comparable.
If anything, GoDaddy used to be a riskier place to register a domain that was going to be used abusively than most registrars, as their abuse enforcement was inconsistent – sometimes serious issues were ignored, other times a domain would be yanked for no particularly obvious reason. They’ve gotten more in line with other registrars recently, though, and while I’m sure they’re responsive to subpoenas and law enforcement requests, abuse reports are mostly ignored. (I just spot-checked and an abusive domain I told them about in mid-December is still up and spamming. I never got a response from GoDaddy.)
Currently whois results from GoDaddy look, at best, like this:

Registrant Name: ******** ******** (see Notes section below on how to view unmasked data)
Registrant Organization: Ikigai Infotech LLP
Registrant Street: 810 Shree Balaji Heights
Registrant Street: Nr. Tanisq showroom
Registrant City: Ahmedabad
Registrant State/Province: Gujarat
Registrant Postal Code: 380009
Registrant Country: IN
Registrant Phone: +**.**********
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ********@*****.***
Registry Admin ID: Not Available From Registry
Notes:
WHOIS consumers who are now receiving masked data can visit:
https://whois.godaddy.com to look up the unmasked data. You can also
get whitelisted, to get unmasked data via Port 43. Find instructions
on how to apply for whitelisting here:
https://www.godaddy.com/help/masking-contact-information-shared-via-whois-automated-access-points-27421

(They have fixed the whois lookup URL, but the whitelisting URL is still broken).
The registrar issue is going to get worse as, driven partly by European adoption of GDPR, registrars are likely to be hiding all information about the identity of a domain owner from everyone but law enforcement and maybe some security companies.
So no help there.

India

Why mention the country that both the spammer and the company they use to send spam through are based in?
Because a lot of spam, B2B spam in particular, comes from India. And none of the providers there seem to care.
It appears to be a cultural problem from the top of the country down.
I regularly get spam from Narendra Modi, the Prime Minister of India, or at least spam sent on his behalf by the Indian Prime Minister’s Office. It’s sent to a variety of email addresses, harvested from various places (and one that was stolen from a US government database).
Which entity actually sends the spam from the Prime Minister? nic.in – the department of the Indian Government responsible for most of their internet backbone, messaging and IT.
No help there either.

So?

There will be increasing volumes of B2B spam being sent for the foreseeable future, and there doesn’t seem to be much we can do to change that.
If your career involves filtering inbound spam – consumer, SMB or enterprise – it seems your skills will be in demand for a long while yet.

Related Posts

Social media connections are not opt-ins

It seems silly to have to say this, but connecting on social media is not permission to add an address to your newsletter or mailing list or prospecting list or spam list. Back in 2016, I wrote:

Read More

Reaching targets, the wrong way

I’ve been increasingly annoyed by these drip automation campaigns. You know the ones I mean. Senders use some software to find some flimsy pretext to send a mail. Then their emails drop every few days. Sometimes this cycle goes on for months. Most of these messages violate CAN SPAM. It’s annoying. It’s illegal. It is spam.
I can’t even opt out of most of these messages; they don’t offer that ability.

Read More

Google and Amazon and B2B spam

Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.
Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.
They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.
Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.
Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows mail from new network space is treated with suspicion, and as they’re continually moving their mail won’t reach the inbox much.
Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.
What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…
As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them, flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.
If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.
Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.
They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.
Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.
And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.
I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.
Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …

Read More