Deliverability
We announced some improvements to our reputation algorithm which helps us fight spam while still welcoming new customers without setting arbitrary sending limits. The biggest challenge in creating the reputation algorithm was how to distinguish between these good customers (who we love) and malicious spammers and phishers (who we hate). Turns out, despite their increasing sophistication, spam and phishing emails exhibit many identifiable traits that we’re going to expose today. It’s a game of cat-and-mouse that we didn’t ask to play, but we can hunt when we need to.
May 16 09:59:31 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! chaseupdate.com
May 16 10:16:10 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! onlinechase.com
May 16 15:04:16 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! work.com
Over the years, we’ve fought a lot of spammers (we even have nicknames for some of the worst repeat offenders), and we’ve noticed that there are two main patterns: spammers who try to use bot nets to deliver millions of untargeted spam emails (Rolexes, Viagra, Canadian pharmaceuticals) and phishers who orchestrate sophisticated and highly targeted attacks against a small number of victims. Here’s what we learned about each:
It’s well known that the “return on investment” for spammers is very low. They send millions of emails, hoping to get just a few hits. Even the cheapest bulk email providers aren’t free, which means, like any business person, they need to think about keeping their costs low. Here’s how these cybercriminals prepare for an attack:
Once the spammer has amassed a bot net of sufficient size for their attack (could be dozens or even hundreds of accounts), they attack, sending the world a mass of unsolicited emails featuring AMAZING DEALS THAT YOU JUST CAN’T MISS!!!!!!!!
By using math and a lot of inputs like sending IPs, email content checks, and similarities in account details, we can shut down the entire bot net almost immediately. Sorry world, you’ll have to pay full price for your next knock-off watch.
The bot net spammers bet on the fact that if they can break through an email provider’s defenses, they’ll be able to send millions of messages with impunity. The malicious phishers take a different approach. These phishers are criminals pure and simple, and they are sophisticated, opting for highly targeted and low-volume attacks. Here’s their MO:
The problem with these phishers is that they look ideal. They’ve got everything that you could hope for in a customer: credit card numbers that check out, business email, and good overall reputation, heck, they’d probably be able to give us a legit social security number if we asked. That’s what makes them so dangerous.
They use their apparent legitimacy coupled with a little social engineering (more on that below) to pass by what they think email providers are looking for. Then they attack…not with millions of emails, but maybe just thousands. What’s more, they’re always A/B testing their content to see which gets more clicks (and which gets past spam filters), making it even harder to detect, since the content is different each time, even for the same attack.
The log lines at the top of the post are an example of one of these phishing attempts. Three separate accounts were used to send emails with the subject “Chase: Security Recommendation”. And we shut them down immediately (“razor” in the log is what we call our little reputation algo).
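To make the log excerpt at the top of the post concrete, here is an added example (not Mailgun’s code, and not how Razor itself is implemented) that parses lines in that format, keeps only the detected_by_scanners events, groups detections that arrive close together into one campaign, and flags domains that embed a protected brand name. The sample log is constructed from the three lines quoted in the post plus one invented heartbeat line; the year is an assumption, since the syslog-style timestamp carries none.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

Detection = namedtuple("Detection", "when domain")

# Constructed sample: the three razor lines quoted in the post plus one invented
# non-detection line, to show that other events are ignored.
SAMPLE_LOG = """\
May 16 09:59:31 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! chaseupdate.com
May 16 10:16:10 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! onlinechase.com
May 16 15:04:16 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! work.com
May 16 15:05:00 razor INFO PID:542 Thread-2 [razor.periodic.heartbeat] scanners ok
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>[A-Z]+) PID:(?P<pid>\d+) (?P<thread>\S+) "
    r"\[(?P<logger>[^\]]+)\] (?P<message>.*)$"
)
SPAMMER_RE = re.compile(r"^SPAMMER! (?P<domain>[A-Za-z0-9.-]+)$")


def parse_line(line, year=2013):
    """Split one razor-style log line into fields; None for lines in another format.
    The timestamp has no year, so the caller supplies one (2013 is an assumption)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    stamp = f"{f['month']} {f['day']} {f['time']} {year}"
    return {
        "when": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        "host": f["host"], "level": f["level"], "pid": int(f["pid"]),
        "thread": f["thread"], "logger": f["logger"], "message": f["message"],
    }


def spammer_detections(log_text, year=2013):
    """Keep only detected_by_scanners events and pull out the flagged domain."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec["logger"] != "razor.periodic.detected_by_scanners":
            continue
        m = SPAMMER_RE.match(rec["message"])
        if m:
            found.append(Detection(rec["when"], m.group("domain").lower()))
    return found


def campaign_windows(detections, max_gap_hours=6):
    """Group detections into campaigns: a detection joins the current group when it
    arrives within max_gap_hours of the previous one, otherwise it starts a new group."""
    groups, gap = [], timedelta(hours=max_gap_hours)
    for det in sorted(detections):
        if groups and det.when - groups[-1][-1].when <= gap:
            groups[-1].append(det)
        else:
            groups.append([det])
    return [[d.domain for d in g] for g in groups]


def brand_lookalikes(domains, brands):
    """Flag domains whose registrable label embeds a protected brand name
    (e.g. 'chase' inside chaseupdate.com); a cheap signal, not proof on its own."""
    hits = []
    for dom in domains:
        label = dom.split(".")[-2] if "." in dom else dom
        if any(b in label for b in brands):
            hits.append(dom)
    return hits


if __name__ == "__main__":
    dets = spammer_detections(SAMPLE_LOG)
    print(campaign_windows(dets))
    print(brand_lookalikes([d.domain for d in dets], ["chase"]))
```

Two of the three domains in the post’s excerpt trip the brand check; the third (work.com) is only caught because it was detected in the same window as the others, which is the point of looking at detections as a campaign rather than one at a time.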
With Razor and the data points we analyze on every message in real time, we are still able to thwart these attacks. These types of attacks are one of the big reasons that we built Razor in the first place. One popular approach to fighting spam is based on volume. First, for new customers, you limit how many emails they can send, until you slowly get to know them and increase their sending limit. Additionally, if that customer ever has a spike in volume above their average level, you look at them with suspicion and limit them again. The problem is that none of this helps with a spammer sending only dozens of malicious emails. Volume-based protection is a blunt knife that harms good senders and doesn’t stop the bad. The only answer to the problem is a lot of research, data analysis, and sophisticated algorithms. We could go into this more but then we risk giving away too much information to the enemy.
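The post describes linking accounts through shared inputs (sending IPs, content checks, similar account details) and explains why a volume-only rule misses low-volume senders. The following is an added example, not Razor and not Mailgun’s code, that shows the difference on a constructed set of five accounts: an inverted index over the shared signals links accounts into groups, every account reachable from a flagged one is disabled with it, and a plain volume limit is run beside it for comparison. All account values are invented; the IPs come from documentation ranges.

```python
from collections import defaultdict, deque

# Constructed sample. Each account carries the kinds of inputs the post lists: sending
# IPs, a fingerprint of message content, and a signup detail (here a street address).
# acct-1 has already been flagged; acct-4 is a large legitimate sender.
ACCOUNTS = {
    "acct-1": {"ips": {"203.0.113.10"}, "content": {"c-aa11"}, "details": {"12 Example St"},  "sent": 40,    "flagged": True},
    "acct-2": {"ips": {"203.0.113.10"}, "content": {"c-bb22"}, "details": {"9 Sample Rd"},    "sent": 35,    "flagged": False},
    "acct-3": {"ips": {"203.0.113.11"}, "content": {"c-bb22"}, "details": {"9 Sample Rd"},    "sent": 30,    "flagged": False},
    "acct-4": {"ips": {"198.51.100.7"}, "content": {"c-cc33"}, "details": {"1 Big Corp Way"}, "sent": 20000, "flagged": False},
    "acct-5": {"ips": {"198.51.100.8"}, "content": {"c-dd44"}, "details": {"5 Quiet Ln"},     "sent": 50,    "flagged": False},
}
SIGNALS = ("ips", "content", "details")


def build_links(accounts, signals=SIGNALS):
    """Inverted index from each signal value to the accounts that share it; two
    accounts are linked when they appear under the same value of any signal."""
    index = defaultdict(set)
    for name, acct in accounts.items():
        for sig in signals:
            for value in acct[sig]:
                index[(sig, value)].add(name)
    links = defaultdict(set)
    for members in index.values():
        for a in members:
            links[a] |= members - {a}
    return links


def connected_group(start, links):
    """Breadth-first walk over shared-signal links starting from one account."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in links.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def expand_from_flagged(accounts):
    """Every account reachable from a flagged one through shared signals is disabled
    with it: one confirmed detection takes out the whole linked group."""
    links = build_links(accounts)
    to_disable = set()
    for name, acct in accounts.items():
        if acct["flagged"]:
            to_disable |= connected_group(name, links)
    return sorted(to_disable)


def over_volume_limit(accounts, limit):
    """The volume-only rule the post criticises: flag whoever sends more than limit."""
    return sorted(n for n, a in accounts.items() if a["sent"] > limit)


if __name__ == "__main__":
    print("linked to a flagged account:", expand_from_flagged(ACCOUNTS))
    print("over volume limit:", over_volume_limit(ACCOUNTS, 1000))
```

On this sample the signal-linking pass disables acct-2 and acct-3 along with the flagged acct-1, although neither shares an IP with it directly (acct-2 shares the IP, acct-3 shares content and signup details with acct-2), while the volume rule flags only the legitimate high-volume acct-4 and never touches the low-volume accounts. Each signal is weak on its own; a shared IP can be a NAT and an address can be a coworking space, so a real system weights and combines them rather than treating any one link as proof.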
Committing fraud sometimes requires a little social engineering. Spammers see their accounts disabled and often try to endear themselves to our support team, hoping to get them re-enabled. This type of thing happens more than we like, but the epithets that invariably follow being caught can be amusing. It is somewhat satisfying knowing that the spammer has been defeated and can only come back with half-reasoned strings of a small number of curse words. Here are some typical exchanges (we have modified some of the details to protect the guilty).
Spammer uses anonymous proxy to pretend to be in one country, while simultaneously insisting he is in another.
The spammer is at a loss for words (that have more than four letters) when asked to explain how Amazon and PayPal are related to his business.
Spammer fumbles when asked to configure DNS record for his domain and politely informs our team that some men find our support rep’s mother attractive.
We hope you enjoyed this inside tour of spammers and scammers. If you’re curious, you can read more details about Razor, our reputation system here.
Happy (legitimate) sending,
The Mailgunners
Social engineering is real…but also kind of funny sometimes