Saturday, March 21, 2009

Oh yes, you signed up for this. You did. Honest.

Honesty in marketing. You may have heard of it.

It may come as a surprise to some, but I generally do not spend much time on spam related matters. Occasionally I need to do some manual labor to keep spamd and spamassasin in trim, but at most times my little robot helpers just keep running, leaving my desktop essentially spam free.

That changed slightly late last month. Messages hawking the oddest wares started arriving, with a largish number of messages claiming that I had actually signed up to receive them:

You are receiving this message because on 2/26/2009 at 3:57 PM peter@bsdly.net 64.12.116.10 registered to receive messages from e-researchcouncil.com and its partners. To change your preferences with e-researchcouncil.com, go to the website and select "Contact Us" to review your options.


To give you an idea how likely that statement is to be true, consider this: The 64.12.116.10 address resolves back to somewhere in America Online's network, pretty much an ocean and then some away from where I'm usually located.

I assume entering my address into a few web forms is somebody's idea of a joke, and the net effect was that a number of spammy messages started appearing in my mailbox, starting on February 27th. Only about third of the messages contained that particular claim, and a typical message would contain headers like these:

X-From-Line: eHarmonyDating@BranchSprint.com Fri Feb 27 16:30:36 2009
Return-path: <3f5.4.73479158-21937306@BranchSprint.com>
Envelope-to: peter@bsdly.net
Delivery-date: Fri, 27 Feb 2009 19:15:13 +0100
Received: from [99.198.152.161] (helo=dns7-cronomagic-biz.BranchSprint.com)
by skapet.bsdly.net with esmtp (Exim 4.69)
(envelope-from <3f5.4.73479158-21937306@BranchSprint.com>)
id 1Ld7Eu-00074N-NF
for peter@bsdly.net; Fri, 27 Feb 2009 19:15:13 +0100
X-Gnus-Mail-Source: pop:peter@bsdly.net
Message-Id: <KKcbjdhdagmcfbVN@BranchSprint.com>
Reply-To: <eHarmonyDating@BranchSprint.com<
From: eHarmonyDating <eHarmonyDating@BranchSprint.com>
Subject: eHarmony could match you with the right singles
Date: Fri, 27 Feb 2009 16:30:36 GMT
X-Information: 73479158_21937306 ListZA251
X-Complaints-To: <complaints@BranchSprint.com>
To: <peter@bsdly.net>

My first impulse was, in case this is an honest mistake somewhere, let's try and play nice at first. That meant sending messages to the X-Complaints-To: addresses and waiting to see what would happen.

You should not be terribly surprised to hear that those addresses all turned out to be invalid, the messages undeliverable.

In the meantime, I went on collecting messages, and the amount of data I had accumulated was large enough that I could reach some preliminary conclusions.

It's obvious that in order to reach me, the messages would need to clear greylisting and avoid triggering too many of my spamassassin rules. That meant in turn that the messages were sent using real mail servers. So I started collecting the messages with that claim for further study. The messages were almost all sent from a few distinct subnets, all of them apparently fairly well stocked with real mailservers.

Based on data from the spam messages and whois lookups and the larger groupings of messages, the professional spammers are, for your convenience in case you want to visit them:

NN, LLC
4001 Kennett Pike
Suite 134-910
Greenville, DE 19807
US

Spiesigma PLC
P.O. BOX 243, 2221 S Webster Ave
Green Bay, WI 54301
US

GreenButtonMedia.com
5580 La Jolla Blvd # 73
La Jolla, CA 92037
US

AdSelectMedia.com
5482 Wilshire Blvd. #302
Los Angeles, CA 90036
US

BestOnlineGreetings.com
5482 Wilshire Blvd. #302
Los Angeles, CA 90036
US

MyPromotionNetwork.com
970 West Valley Parkway
Suite 604
Escondido, CA 92025

GreatTechsOnline.com
5580 La Jolla Blvd # 73
La Jolla, CA 92037
US

CrownVenturesMedia.com
7127 Hollister Ave., Suite 25A, #145
Goleta, CA 93117

Top Notch Media, Inc.
1735 Market Street · Suite A · PMB 429
Philadelphia, PA 19103-7588

In addition, some of the domain names used in the spam messages were registered via an anonymizing service whose whois data comes out as:

Dynamic Dolphin Privacy Protect
5023 W 120th Ave #233
Broomfield
null,80020

The spam volume from all of them swelled at roughly the same time, so it is likely that they cooperate on keeping their lists up to date.

So we see spammers evolving: They buy or rent real mail servers now and they have even started coordinating. Using greylisting has actually increased the cost of becoming a successful spammer.

At our end of the game, we stay ahead of their game thanks to tools like spamd, and several of us dump and share our greytrap lists. It is even possible to collect IP addresses and feed a large number at the time to spamdb, but after a little while I grew tired of the increased manual work decided it was time for a counterprank. Cleaning up after spammers is no fun, unless you can have little robot helpers do the heavy lifting.


The Counterprank: A Feedback Loop
Regular readers will remember that I have a collection of known bad addresses in my domains that I use for my greytrapping, all generated elsewhere, that has come in handy at times. Run of the mill spam operators tend to just suck in anything that looks like email addresses, and keeping the list available on the web has served us extremely well here.

The professional spammers are apparently not quite that stupid, so the problem became a little different. They were able to sneak past greylisting and conventional content filtering. Also, they were apparently oblivious to email communication and as far as I can tell their Unsubscribe pages are not entirely believeable.

So it was a relief to find that places such as http://e-researchcouncil.com/ are very happy to accept any email addresss you can come up with. Time to enlist a few of our imaginary friends, drawn from the obvious source.

I did ponder the ethics for a few moments. After all, the forms included sentences such as "I certify that I am a US citizen", which was about as true as the assertion that I had signed up via an AOL proxy. But I did not ponder that matter for long. Moments later, most of the spam operators found themselves with new neighbors with odd names and foreign email addresses.

The net result is that the hosts start appearing automagically in the hourly dump of my list of greytrapped addresses and in the daily spamd activity report. With a little luck, we have succeeded in increasing the cost of spamming one tiny increment.



If you found this article useful, enjoyable or irritating, please drop me a line. Material related to this article is available via links from my web space. Some additional material will be made available for reasonable research purposes. If you want more extensive or non-trivial assistance, please contact me (via email or other means) to make arrangements.

Note that the list of greytrapped addresses is updated ten past every full hour, fetching it every minute like some Americans have started doing is not a good use of your resources.

18 comments:

  1. Send change of address forms to the post offices in the US for these spam businesses. Make their life as hard as they make ours.

    ReplyDelete
  2. Btw, your like to "FreeCode" contains an "&" in the URL which makes it invalid.

    Anyhow, interesting article.

    ReplyDelete
  3. Greylisting is becomming more and more useless, unfortunately. What the "spam bots" are doing now is sending the same message 2, 3 or 4 times to the same address FROM the same IP address. At some point the timer on the greylisting is going to expire and the next (or sometimes next 3) messages clear greylisting.

    ReplyDelete
  4. You probably won't be surprised to hear that the first address (NN, LLC) is a UPS Store mailbox.

    ReplyDelete
  5. Did you try sending a bounce message to 3f5.4.73479158-21937306@BranchSprint.com ? I've always wondered if that would have any effect.

    ReplyDelete
  6. Greg, the main argument against sending bounces in our context is that bounces consume significantly more bandwidth than just having the spam senders hang around in a one byte per second (or every few seconds if you're really evil) until they give up.

    ReplyDelete
  7. The La Jolla address isn't far from me. I might take a drive past there to see who/what it really is.

    ReplyDelete
  8. ok please sign your messages using DKIM

    also rate your messages using DKIM and bayesian...

    regards

    John Jones
    http://www.johnjones.me.uk

    ReplyDelete
  9. I don't know if you noticed... I decided to look at your spamd report log, and noticed you had ONE ip address(62.59.34.186) dedicated to you for over 12 days!

    ReplyDelete
  10. I don't know if you noticed... I decided to look at your spamd log to see what it collected and noticed you had ONE ip address(62.59.34.186) that spammed you continuously for over 12 days!

    Tom.

    ReplyDelete
  11. "Broomfield, null" appears to be actually Broomfield, Colorado.

    ReplyDelete
  12. Ethics aside, has anyone thought of hiring the RBN to SPAM/DDoS these people? (Just to annoy them)

    Fight fire with... Vodka... In Soviet Russia, fire fights you! (Sorry, had to be said).

    ReplyDelete
  13. I get plenty of bounce messages for spam that spammers send using my domain names.

    As I have SPF configured, there is no reason a remote domain needs to send a bounce message. They only need to check SPF and determine that the message did not really come from my domain.

    If I had my way, organizations would stop sending bounce messages and accept or reject all messages during the initial delivery transaction.

    ReplyDelete
  14. I gave up on greylisting and, instead, created firewall rules that block the sources. Since my email server is only for me and my family, I usually block the entire netblock of the spammer. :-) Any time I need a new email to come though, I'll get the MX records and unblock (if necessary) their netblock. More often than not, I don't have to do a thing.

    ReplyDelete
  15. So we see spammers evolving: They buy or rent real mail servers now and they have even started coordinating.

    Sanford Wallace did this 10 or so years ago. It's just that eventually his service provider would decide that killing the connection was a better option than having one's peers refusing any of your traffic.

    I guess that method of making people behave is no longer effective.

    ReplyDelete
  16. The Broomfield, CO address is also a UPS Store. We could get pics of the people picking up mail perhaps?

    ReplyDelete
  17. I have tried to resolve my spam problems but my problem is that the "spam" I get are bounce notices from Asia mostly. Someone is using my email address as the sender for whatever reason and I get floods of these at once from a variety of servers. I'm not sure how to resolve that issue so I disabled the related address for a month to test. Now I'm at 25% of the volume but still get about 40 a day. Really annoying. Any idea how to prevent such a fuss?

    ReplyDelete

Note: Comments are moderated. On-topic messages will be liberated from the holding queue at semi-random (hopefully short) intervals.

I invite comment on all aspects of the material I publish and I read all submitted comments. I occasionally respond in comments, but please do not assume that your comment will compel me to produce a public or immediate response.

Please note that comments consisting of only a single word or only a URL with no indication why that link is useful in the context will be immediately recycled so those poor electrons get another shot at a meaningful existence.

If your suggestions are useful enough to make me write on a specific topic, I will do my best to give credit where credit is due.