Inside the seedy underworld of spammers and phishers
This week we announced some improvements to our reputation algorithm which helps us fight spam while still welcoming new customers without setting arbitrary sending limits. The biggest challenge in creating the reputation algorithm was how to distinguish between these good customers (who we love) and malicious spammers and phishers (who we hate). Turns out, despite their increasing sophistication, spammers and phishers exhibit many identifiable traits that we're going to expose today. It's a game of cat-and-mouse that we didn't ask to play, but we can hunt when we need to.
May 16 09:59:31 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! chaseupdate.com
May 16 10:16:10 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! onlinechase.com
May 16 15:04:16 razor INFO PID:542 Thread-4 [razor.periodic.detected_by_scanners] SPAMMER! work.com
The anatomy of two email attacks
Over the years, we've fought a lot of spammers (we even have nicknames for some of the worst repeat offenders), and we've noticed that there are two main patterns: spammers who try to use bot nets to deliver millions of untargeted spam emails (Rolexes, Viagra, Canadian pharmaceuticals) and phishers who orchestrate sophisticated and highly targeted attacks against a small number of victims. Here's what we learned about each:
Bot nets and the spammers who love them
It's well known that the "return on investment" for spammers is very low. They send millions of emails, hoping to get just a few hits. Even the cheapest bulk email providers aren't free, which means, like any business person, they need to think about keeping their costs low. Here's how these spammers prepare for an attack:
- They create a ton of free accounts, sending a small number of legitimate emails from each to simulate a new customer just trying out the system.
- They also create some paid accounts (using stolen credit cards) to diversify their profile, making their bot net harder to detect.
- Accounts are often created with free email addresses (e.g. @gmail.com or @yahoo.com) or with legitimate business domains that they've hijacked.
- Link shorteners (like bit.ly and t.co) and free subdomain hosters (like tumblr) are used liberally to conceal the destination of their links.
Once the spammer has amassed a bot net of sufficient size for their attack (could be dozens or even hundreds of accounts), they attack, sending the world AMAZING DEALS THAT YOU JUST CANT MISS!!!!!!!!
By using math and a lot of inputs like sending IPs, email content checks, and similarities in account details, we can shut down the entire bot net almost immediately. Sorry world, you'll have to pay full price for your next watch.
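To make the traits above concrete, here is an added example (not Mailgun's code or Razor itself) that scores a batch of constructed signup accounts on the signals the post lists: free mailbox domains at signup, links hidden behind shorteners or free subdomain hosters, and many accounts sharing one sending IP. The account data, IP ranges and thresholds are all assumptions; a paid account on a stolen card is included in the cluster to show it is caught with the rest.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample accounts (not Mailgun data) seen in one signup wave.
ACCOUNTS = [
    {"id": "a1", "email": "joe1@gmail.com", "ip": "203.0.113.7", "paid": False,
     "links": ["http://bit.ly/x1"]},
    {"id": "a2", "email": "ann22@yahoo.com", "ip": "203.0.113.7", "paid": False,
     "links": ["https://t.co/y2"]},
    {"id": "a3", "email": "sales@hijacked-biz.example", "ip": "203.0.113.7",
     "paid": True, "links": ["http://deals4u.tumblr.com/post/1"]},
    {"id": "a4", "email": "ops@acme.example", "ip": "198.51.100.5", "paid": True,
     "links": ["https://acme.example/invoice"]},
    {"id": "a5", "email": "dev@gmail.com", "ip": "198.51.100.9", "paid": False,
     "links": ["https://github.com/dev/proj"]},  # a new customer trying things out
]
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
FREE_SUBDOMAIN_HOSTS = {"tumblr.com", "blogspot.com"}

def link_is_concealed(url):
    """True for shortener links or free subdomain hosters (the post's two examples)."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENERS or any(host.endswith("." + h) for h in FREE_SUBDOMAIN_HOSTS)

def account_signals(acct):
    """Traits the post lists: free mailbox at signup, concealed link destinations."""
    signals = set()
    if acct["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        signals.add("free_mail")
    if any(link_is_concealed(u) for u in acct["links"]):
        signals.add("concealed_links")
    return signals

def find_bot_clusters(accounts, min_size=3, min_ratio=0.66):
    """Group accounts by sending IP. A group is a bot-net candidate when it is
    large enough and most members show a trait. Paid members are kept in the
    cluster: stolen-card accounts are part of the same net. A lone free-mail
    signup (a5) never forms a cluster, so new customers are not penalised."""
    by_ip = defaultdict(list)
    for a in accounts:
        by_ip[a["ip"]].append(a)
    clusters = {}
    for ip, members in by_ip.items():
        if len(members) < min_size:
            continue
        with_signal = [m for m in members if account_signals(m)]
        if len(with_signal) / len(members) >= min_ratio:
            clusters[ip] = sorted(m["id"] for m in members)
    return clusters

if __name__ == "__main__":
    print(find_bot_clusters(ACCOUNTS))  # {'203.0.113.7': ['a1', 'a2', 'a3']}
```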
Malicious Phishers think small is beautiful
The bot net spammers bet on the fact that if they can break through an email provider's defenses, they'll be able to send millions of messages with impunity. The malicious phishers take a different approach. These phishers are criminals pure and simple, and they are sophisticated, opting for highly targeted and low-volume attacks. Here's their MO:
- Only high quality stolen cards are used so that all checks match (name, address, zip, cvc code). Getting hold of these types of cards is tough, and indicates the sophistication of these criminals.
- Premium accounts are created with business email addresses and legitimate domains.
- All interactions with Mailgun are from clean IPs, reducing suspicion.
The problem with these phishers is that they look ideal. They've got everything that you could hope for in a customer: credit card that checks out, business email, good reputation. That's what makes them so dangerous.
They use their apparent legitimacy coupled with a little social engineering (more on that below) to pass by what they think email providers are looking for. Then they attack... not with millions of emails, but maybe just thousands. What's more, they're always A/B testing their content to see which gets more clicks (and which gets past spam filters), making it even harder to detect since the content is different each time, even for the same attack.
The code at the top of the post is an example of one of these phishing attempts. Three separate accounts were used to send emails with the subject "Chase: Security Recommendation". And we shut them down immediately ("Razor" in the code is what we call our little reputation algo).
With Razor and the data points we analyze on every message in real time, we are still able to thwart these attacks. These types of attacks are one of the big reasons that we built Razor in the first place. One popular approach to fighting spam is based on volume. First, for new customers, you limit how many emails they can send, until you slowly get to know them and increase their sending limit. Additionally, if that customer ever has a spike in volume above their average level, you look at them with suspicion and limit them again. The problem is that none of this helps with a spammer sending only dozens of malicious emails. Volume-based protection is a blunt knife that harms good senders and doesn't stop the bad. The only answer to the problem is a lot of research, data analysis and sophisticated algorithms. We could go into this more but then we risk giving away too much information to the enemy.
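As an added illustration of the argument above (example code, not Razor or any Mailgun code), the block below runs a volume-only rule and a cross-account correlation rule over a constructed hour of sending data modelled on the log at the top of the post: three accounts, each sending only a few dozen messages with the same subject, two of them from brand look-alike domains, next to one legitimate high-volume sender. The accounts, counts, thresholds and the tiny brand list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not Mailgun data): one hour of sending per account.
# Fields: account id, sending domain, subject line, messages sent.
SENDING = [
    ("acc-1", "chaseupdate.com", "Chase: Security Recommendation", 35),
    ("acc-2", "onlinechase.com", "Chase: Security Recommendation", 40),
    ("acc-3", "work.com", "chase:  security recommendation", 28),
    ("acc-4", "shop.example", "May deals inside", 900),  # legitimate newsletter
]
# Brands the post mentions being impersonated; a real list is far longer.
PROTECTED_BRANDS = {"chase", "paypal", "amazon"}

def normalize_subject(subject):
    return re.sub(r"\s+", " ", subject).strip().lower()

def brand_lookalike(domain):
    """Return the brand embedded in a domain that is not the brand's own
    (chaseupdate.com, onlinechase.com), else None. Simplified assumption:
    the registrable label is the part before the first dot."""
    label = domain.lower().split(".")[0]
    for brand in PROTECTED_BRANDS:
        if brand in label and label != brand:
            return brand
    return None

def volume_only_flags(sending, limit=500):
    """What a volume-based rule sees: only accounts above the limit."""
    return {acct for acct, _, _, n in sending if n > limit}

def correlated_flags(sending, min_accounts=3):
    """Flag sending domains by cross-account correlation instead of volume:
    one subject spread across several accounts, plus brand look-alike domains."""
    accounts_by_subject = defaultdict(set)
    for acct, _, subject, _ in sending:
        accounts_by_subject[normalize_subject(subject)].add(acct)
    coordinated = set()
    for accts in accounts_by_subject.values():
        if len(accts) >= min_accounts:
            coordinated |= accts
    flags = defaultdict(set)
    for acct, domain, _, _ in sending:
        if acct in coordinated:
            flags[domain].add("shared_subject")
        brand = brand_lookalike(domain)
        if brand:
            flags[domain].add("lookalike:" + brand)
    return dict(flags)
```

Run as-is, the volume rule flags only the legitimate newsletter while the correlation rule flags exactly the three phishing domains, which is the blunt-knife problem the paragraph describes.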
Social engineering is real...but also kind of funny sometimes
Committing fraud sometimes requires a little social engineering. Spammers see their accounts disabled and often try to endear themselves to our support team, hoping to get them re-enabled. This type of thing happens more than we like, but the epithets that invariably follow being caught can be amusing. It is somewhat satisfying knowing that the spammer has been defeated and can only come back with half-reasoned strings of a small number of curse words. Here are some typical exchanges (we have modified some of the details to protect the guilty).
Using an anonymous proxy
Spammer uses anonymous proxy to pretend to be in one country, while simultaneously insisting he is in another.
Spammer- Hello, today i test your SMTP, but it doesnt works, i pay with my Creditcard and i get a E-Mail with "OK Payment". My Email is: --------@----.de
Mailgun- hi there. what kind of emails you are going to send?
Spammer- Thanks for fast Replay. I Repair windows at Homes,Cars and many others. http://www.-------.de/ Thats my Site. I searched on google fast SMTPs, and see mailgun.net. so i´ll will test it, and bought 19$ - monthly
Mailgun- you need to create a custom domain first and setup DNS records for it
Spammer- I will only use SMTP from u. i dont understand what u mean. my Domain is from ----------
Mailgun- also, I'm just curious: your site is German and I see that you're located in UK. why is it so?
Spammer- im livin in Germany. im now at home
Mailgun- but I see that you're chatting with us from United Kingdom or you're using some anonymous proxy
Spammer- nonono im at home 100% in Germany. no i dont user proxy
Mailgun- well, as I told you, you shouldn't be using a subdomain of mailgun.org to send emails. first you need to create a custom (first-level) domain in mailgun. then setup DNS records for your domain. and then we will enable your account
Spammer- Why i must pay for 2.Domain? i have a domain.
Mailgun- you don't need to: domains are free
Spammer- www.domain.de example is free?
Mailgun- so, since your primary domain is --------.de you need to create this domain in Mailgun. then setup DNS records for it since you own this domain and you'll be all set
Spammer- why you selling then subdomains? u wasting my time sir pls chargeback the 19$ to my CreditCard
Spammer- i dont use your Service
Mailgun- no prob. bye
Spammer- f* you ; )
Sending emails from an obviously fraudulent domain, while pretending to be Amazon and Paypal
Spammer is at a loss for words (that have more than four letters) when asked to explain how Amazon and Paypal relate to his business.
Spammer- Hello, i cant login to my Account
Mailgun- What is your account?
Mailgun- It was disabled due to spam and phishing scams being sent from the account. Emails purporting to be paypal as well as high bounce rates.
Spammer- lol, i paid for it, i get my money back?!
Mailgun- No. You do not get a refund when you use Mailgun for phishing or spamming. Are you saying this is not the case?
Spammer- No 100%! -----.com is my site men. i dont know what u mean with spam!
Mailgun- Please explain why you were using amazon and paypal in the content?
Spammer- haha ok f* u
Inability to set up DNS records for the domain they claim to control
Spammer fumbles when asked to configure DNS record for his domain and politely informs our team that some men find our support rep's mother attractive.
Spammer- hello. my SMTP not works! Why Support dont Answer.
Mailgun- could you please let me know your account
Mailgun- it was blocked
Spammer- why? I have tryed to call Phone-Support, but i cant from germany
Mailgun- our spam detection service detected it as suspicious. please create custom domain and configure DNS properly
Spammer- I have Domain but how i can configure DNS? can u tell me?
Mailgun- you need to create custom domain. please find all answers in our docs
Spammer- what i must type? A-records?
Mailgun- you can find all settings in the control panel
Spammer- I can't see there DNS
Mailgun- please create the custom domain first
Spammer- I have [domain-name-pretending-to-be-amazon].de
Mailgun- is your company related to amazon?
Spammer- i sale about amazon eat, foods
Mailgun- that's not allowed according to our terms of service
Spammer- MEN F* YOUR MUM
Mailgun- Ok, I'll delete your account
We hope you enjoyed this inside tour of spammers and scammers. If you're curious, you can read more details about Razor, our reputation system here.
Happy (legitimate) emailing,