
Inside the seedy underworld of spammers and phishers


We announced some improvements to our reputation algorithm, which help us fight spam while still welcoming new customers without setting arbitrary sending limits. The biggest challenge in creating the reputation algorithm was how to distinguish between these good customers (who we love) and malicious spammers and phishers (who we hate). Turns out, despite their increasing sophistication, spam and phishing emails exhibit many identifiable traits that we’re going to expose today. It’s a game of cat-and-mouse that we didn’t ask to play, but we can hunt when we need to.

May 16 09:59:31 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! chaseupdate.com
May 16 10:16:10 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! onlinechase.com
May 16 15:04:16 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! work.com

The anatomy of two email attacks

Over the years, we’ve fought a lot of spammers (we even have nicknames for some of the worst repeat offenders), and we’ve noticed that there are two main patterns: spammers who try to use bot nets to deliver millions of untargeted spam emails (Rolexes, Viagra, Canadian pharmaceuticals) and phishers who orchestrate sophisticated and highly targeted attacks against a small number of victims. Here’s what we learned about each:

Bot nets and the spammers who love them

It’s well known that the “return on investment” for spammers is very low. They send millions of emails, hoping to get just a few hits. Even the cheapest bulk email providers aren’t free, which means, like any business person, they need to think about keeping their costs low. Here’s how these cybercriminals prepare for an attack:

  • They create a ton of free accounts, sending a small number of legitimate emails from each to simulate a new customer just trying out the system. This reduces the likelihood of their spam messages being flagged as suspicious right out of the gate.

  • They also create some paid accounts (using stolen credit cards) to diversify their profile, making their bot net harder to detect.

  • Accounts are often created with free email addresses (e.g. @gmail.com or @yahoo.com) or with legitimate business domains that they’ve hijacked so they appear as a trusted source.

  • Link shorteners (like bit.ly and t.co) and free subdomain hosters (like tumblr) are used liberally to conceal the destination of their links, which are usually fake websites designed to mimic real web pages.

Once the spammer has amassed a bot net of sufficient size for their attack (could be dozens or even hundreds of accounts), they attack, sending the world a mass of unsolicited emails featuring AMAZING DEALS THAT YOU JUST CANT MISS!!!!!!!!

By using math and a lot of inputs like sending IPs, email content checks, and similarities in account details, we can shut down the entire bot net almost immediately. Sorry world, you’ll have to pay full price for your next knock-off watch.
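As an added illustration (not Mailgun’s Razor code, whose internals are not public), here is how linking accounts by shared signals lets a defender shut down a whole bot net, paid decoy accounts included, instead of chasing accounts one at a time. The account records, field names and the shortener/free-host lists are constructed for this example; the thresholds are assumptions.

```python
"""Added example: cluster accounts that share sending IPs, then flag a cluster whose
members mostly hide their links behind shorteners or free subdomain hosts.
Not Mailgun's code; all data and field names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed lists; a real deployment would maintain far larger ones.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
FREE_SUBDOMAIN_HOSTS = {"tumblr.com"}


@dataclass
class Account:
    account_id: str
    sending_ips: set      # IPs this account has submitted mail from
    paid: bool            # paid accounts are the "diversified profile" decoys
    sent_links: list      # URLs seen in the account's outbound messages


def link_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def content_is_suspicious(acct: Account) -> bool:
    """True when at least half of the account's links go through a shortener
    or a free subdomain host (the link-hiding trait described above)."""
    if not acct.sent_links:
        return False
    hidden = 0
    for url in acct.sent_links:
        host = link_host(url)
        if host in SHORTENERS or any(host == h or host.endswith("." + h) for h in FREE_SUBDOMAIN_HOSTS):
            hidden += 1
    return hidden / len(acct.sent_links) >= 0.5


def cluster_by_shared_ips(accounts):
    """Union-find over accounts: any two accounts sharing a sending IP join one cluster."""
    parent = {a.account_id: a.account_id for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for a in accounts:
        for ip in a.sending_ips:
            by_ip[ip].append(a.account_id)
    for ids in by_ip.values():
        for other in ids[1:]:
            ra, rb = find(ids[0]), find(other)
            if ra != rb:
                parent[ra] = rb
    clusters = defaultdict(list)
    for a in accounts:
        clusters[find(a.account_id)].append(a)
    return list(clusters.values())


def find_bot_nets(accounts, min_size=3, min_suspicious_ratio=0.6):
    """Return the ids of every account in a cluster that is large enough and whose
    members are mostly sending hidden links. The whole cluster is returned, so the
    paid decoy with clean-looking content goes down with the rest."""
    flagged = set()
    for cluster in cluster_by_shared_ips(accounts):
        if len(cluster) < min_size:
            continue
        suspicious = sum(content_is_suspicious(a) for a in cluster)
        if suspicious / len(cluster) >= min_suspicious_ratio:
            flagged.update(a.account_id for a in cluster)
    return flagged


# Constructed sample: four bot accounts chained through two shared IPs (bot-4 is the
# paid decoy with clean links), two legitimate users behind one office IP, and one
# lone legitimate user of a shortener.
SAMPLE_ACCOUNTS = [
    Account("bot-1", {"203.0.113.10"}, False, ["https://bit.ly/2xAbC", "https://t.co/9kQ"]),
    Account("bot-2", {"203.0.113.10", "203.0.113.11"}, False, ["https://bit.ly/7Zq", "https://deals.example.net/rolex"]),
    Account("bot-3", {"203.0.113.11"}, False, ["https://promo-watches.tumblr.com/post/1"]),
    Account("bot-4", {"203.0.113.11", "198.51.100.5"}, True, ["https://www.example.org/contact"]),
    Account("legit-1", {"192.0.2.20"}, True, ["https://app.example.com/invoice/1"]),
    Account("legit-2", {"192.0.2.20"}, False, []),
    Account("legit-3", {"192.0.2.77"}, True, ["https://bit.ly/newsletter"]),
]

if __name__ == "__main__":
    print(sorted(find_bot_nets(SAMPLE_ACCOUNTS)))
```

The point of returning the whole cluster is the decoy: bot-4 passes the content check on its own, but three of its four IP-linked neighbours fail it, so the cluster verdict takes it down too. legit-1 and legit-2 share an IP but never reach the size threshold, and legit-3’s single shortened link is harmless in isolation.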

Learn more about common types of phishing scams, how to spot them, and how to stop them with our guide on common phishing email warning signs.

Malicious Phishers think small is beautiful

The bot net spammers bet on the fact that if they can break through an email provider’s defenses, they’ll be able to send millions of messages with impunity. The malicious phishers take a different approach. These phishers are criminals pure and simple, and they are sophisticated, opting for highly targeted and low-volume attacks. Here’s their MO:

  • Only high-quality stolen credit cards are used so that all checks match (name, address, zip, CVC code). Getting hold of these types of cards is tough, and indicates the sophistication of these criminals and their skill in identity theft.

  • Premium accounts are created with business email addresses and legitimate domains.

  • All interactions with Mailgun are from clean IPs, reducing suspicion.

The problem with these phishers is that they look ideal. They’ve got everything that you could hope for in a customer: credit card numbers that check out, business email, and good overall reputation, heck, they’d probably be able to give us a legit social security number if we asked. That’s what makes them so dangerous.

They use their apparent legitimacy coupled with a little social engineering (more on that below) to pass by what they think email providers are looking for. Then they attack…not with millions of emails, but maybe just thousands. What’s more, they’re always A/B testing their content to see which gets more clicks (and which gets past spam filters), making it even harder to detect since the content is different each time, even for the same attack.

The log lines at the top of the post are an example of one of these phishing attempts. Three separate accounts were used to send emails with the subject “Chase: Security Recommendation”. And we shut them down immediately (“Razor” in the log is what we call our little reputation algo).

With Razor and the data points we analyze on every message in real time, we are still able to thwart these attacks. These types of attacks are one of the big reasons that we built Razor in the first place. One popular approach to fighting spam is based on volume. First, for new customers, you limit how many emails they can send, until you slowly get to know them and increase their sending limit. Additionally, if that customer ever has a spike in volume above their average level, you look at them with suspicion and limit them again. The problem is that none of this helps with a spammer sending only dozens of malicious emails. Volume-based protection is a blunt knife that harms good senders and doesn’t stop the bad. The only answer to the problem is a lot of research, data analysis, and sophisticated algorithms. We could go into this more but then we risk giving away too much information to the enemy.
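To make the volume argument concrete, here is an added example (not Razor, and not Mailgun’s code) that puts a volume-only rule next to a per-message brand-impersonation check and runs both over constructed batches. The only page-derived inputs are the three Razor log lines above and the “Chase: Security Recommendation” subject; the brand table, message fields, batch sizes and thresholds are assumptions made for the example.

```python
"""Added example: a volume limit versus a content signal, run over constructed data.
Not Mailgun's code. Shows why a 30-message phishing run sails under a volume cap
while a 5,000-message legitimate sender gets throttled by it."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender_domain: str
    subject: str


# Constructed brand table: brand keyword -> domains allowed to send as that brand.
BRAND_DOMAINS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def volume_only_verdict(messages_sent: int, daily_limit: int = 1000) -> str:
    """The blunt knife: suspicious only when an account exceeds its sending cap."""
    return "throttle" if messages_sent > daily_limit else "allow"


def is_authorised(domain: str, brand: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def impersonated_brand(msg: Message):
    """Return the brand a message imitates: its subject names the brand, or its
    sending domain contains the brand name, while the domain is not one the brand
    actually sends from. Returns None for clean or properly authorised mail."""
    subj, domain = msg.subject.lower(), msg.sender_domain.lower()
    for brand in BRAND_DOMAINS:
        names_brand = re.search(rf"\b{brand}\b", subj) is not None
        lookalike_domain = brand in domain
        if (names_brand or lookalike_domain) and not is_authorised(domain, brand):
            return brand
    return None


def content_verdict(messages, max_impersonation_ratio: float = 0.1) -> str:
    """Disable an account when more than a small share of its mail impersonates a brand,
    regardless of how little it sends."""
    hits = [m for m in messages if impersonated_brand(m)]
    if messages and len(hits) / len(messages) > max_impersonation_ratio:
        return "disable"
    return "allow"


# The three Razor log lines from the top of the post, used here as sample input.
RAZOR_LOG = """May 16 09:59:31 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! chaseupdate.com
May 16 10:16:10 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! onlinechase.com
May 16 15:04:16 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! work.com"""

LOG_RE = re.compile(r"\[razor\.periodic\.detected_by_scanners\] SPAMMER! (\S+)$")


def flagged_domains(log_text: str) -> list:
    """Pull the flagged sending domain out of each Razor log line."""
    domains = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            domains.append(m.group(1))
    return domains


# Constructed batches: a low-volume phishing run and a high-volume legitimate shop.
PHISH_BATCH = [Message("chaseupdate.com", "Chase: Security Recommendation") for _ in range(30)]
LEGIT_BATCH = [Message("shop.example.com", "Your order has shipped") for _ in range(5000)]

if __name__ == "__main__":
    for name, batch in (("phisher", PHISH_BATCH), ("legit shop", LEGIT_BATCH)):
        print(name, "volume:", volume_only_verdict(len(batch)), "content:", content_verdict(batch))
    for d in flagged_domains(RAZOR_LOG):
        print(d, "->", impersonated_brand(Message(d, "Account notice")))
```

Two of the three domains in the log (chaseupdate.com and onlinechase.com) trip the look-alike check from the domain name alone, and the subject line catches the brand even when the domain gives nothing away; work.com yields nothing from this check, which is exactly why a real system needs the many other inputs the post mentions rather than any single rule.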

Learn more: Don’t be mistaken for a spammer. Following best practices cements your reputation as a trusted sender. It begins with email authentication basics.

Social engineering is real…but also kind of funny sometimes

Committing fraud sometimes requires a little social engineering. Spammers see their accounts disabled and often try to endear themselves to our support team, hoping to get them re-enabled. This type of thing happens more than we like, but the epithets that invariably follow being caught can be amusing. It is somewhat satisfying knowing that the spammer has been defeated and can only come back with half-reasoned strings of a small number of curse words. Here are some typical exchanges (we have modified some of the details to protect the guilty).

Using an anonymous proxy

Spammer uses anonymous proxy to pretend to be in one country, while simultaneously insisting he is in another.

Spammer- Hello, today i test your SMTP, but it doesnt works, i pay with my Creditcard and i get a E-Mail with “OK Payment”. My Email is: ——–@—-.de
Mailgun- hi there. what kind of emails you are going to send?
Spammer- Thanks for fast Replay. I Repair windows at Homes,Cars and many others. http://www.——-.de/ Thats my Site. I searched on google fast SMTPs, and see mailgun.net. so i´ll will test it, and bought 19$ – monthly
Mailgun- you need to create a custom domain first and setup DNS records for it
Spammer- I will only use SMTP from u. i dont understand what u mean. my Domain is from ———-
Mailgun- also, I’m just curious: your site is German and I see that you’re located in UK. why is it so?
Spammer- im livin in Germany. im now at home
Mailgun- but I see that you’re chatting with us from United Kingdom or you’re using some anonymous proxy
Spammer- nonono im at home 100% in Germany. no i dont user proxy
Mailgun- well, as I told you shouldn’t be using subdomain of mailgun.org to send emails. first you need to create a custom (first-level) domain in mailgun. then setup DNS records for your domain. and then we will enable your account
Spammer- Why i must pay for 2.Domain? i have a domain.
Mailgun- you don’t need to: domains are free
Spammer- www.domain.de example is free?
Mailgun- so, since your primary domain is ——–.de you need to create this domain in Mailgun. then setup DNS records for it since you own this domain and you’ll be all set
Spammer- why you selling then subdomains? u wasting my time sir pls chargeback the 19$ to my CreditCard
Mailgun- sure
Spammer- i dont use your Service
Mailgun- no prob. bye
Spammer- f* you ; )

Sending emails from an obviously fraudulent domain, while pretending to be Amazon and PayPal

The spammer is at a loss for words (that have more than four letters) when asked to explain how Amazon and PayPal relate to his business.

Spammer- Hello, i cant login to my Account
Mailgun- What is your account?
Spammer- —–@—–.com
Mailgun- It was disabled due to spam and phishing scams being sent from the account. Emails purporting to be paypal as well as high bounce rates.
Spammer- lol, i paid for it, i get my money back?!
Mailgun- No. You do not get a refund when you use Mailgun for phishing or spamming. Are you saying this is not the case?
Spammer- No 100%! —–.com is my site men. i dont know what u mean with spam!
Mailgun- Please explain why you were using amazon and paypal in the content?
Spammer- haha ok f* u

Inability to set up DNS records for the domain they claim to control

Spammer fumbles when asked to configure DNS record for his domain and politely informs our team that some men find our support rep’s mother attractive.

Spammer- hello. my SMTP not works! Why Support dont Answer.
Mailgun- could you please let me know your account
Spammer- ——–@hotmail.de
Mailgun- it was blocked
Spammer- why? I have tryed to call Phone-Support, but i cant from germany
Mailgun- our spam detection service detected it as suspicious. please create custom domain and configure DNS properly
Spammer- I have Domain but how i can configure DNS? can u tell me?
Mailgun- you need to create custom domain. please find all answers in our docs
Spammer- what i must type? A-records?
Mailgun- you can find all settings in the control panel
Spammer- I can’t see there DNS
Mailgun- please create the custom domain first
Spammer- I have [domain-name-pretending-to-be-amazon].de
Mailgun- is your compay related to amazon?
Spammer- i sale about amazon eat, foods
Mailgun- that’s not allowed according our terms of service
Spammer- MEN F* YOUR MUM
Mailgun- Ok, I’ll delete your account

We hope you enjoyed this inside tour of spammers and scammers. If you’re curious, you can read more details about Razor, our reputation system here.

Happy (legitimate) sending,

The Mailgunners
