Do spammers change their tactics based upon recipient verification? Yes, they do.

Or, to be more precise, it sure looks like they do.

In my other post on the publicly available spam tool, I mentioned that I came across a page that allowed people to verify whether or not an email address is actually live.  The question naturally arises: do spammers clean up their email contact lists based upon whether or not the address is legitimate?

Spammers would have an incentive to do this - the fewer mails they have to send, the fewer resources they have to consume.  Spam blitzes depend on spammers sending out as much as possible in as small a window as possible.  The fewer bots they have to expose to get a run out, and the less of that window they waste on dead addresses, the lower the chance that the run is detected and the bots blocklisted before it finishes.

Do we actually observe spammers changing their sending patterns?  I believe that we have evidence that they do.  Our customers have the option of using Directory Service blocks.  The way that this works is that customers upload a list of their legitimate email addresses to us.  When a message hits our network, we look the recipient up in that list to see whether the address exists (is live).  If no such email address exists on the domain, we reject it at RCPT TO with a 554 - Recipient Address Not Available.  These are called Directory Service Blocks, or DS blocks for short.  (The mapping of reply codes to block types described here is our own convention; RFC 5321 itself uses 550 for "mailbox unavailable" and 554 for "transaction failed", so other gateways may use the codes the other way around.)

Recently, some customers have started using our DS services more actively.  When they do, they have said that the number of total spam blocks in their statistics drops dramatically, sometimes by a factor of 10.  Whereas before they were seeing 10 million spam blocks prior to using DS, now they are seeing only 1 million spam blocks in total.  That's a huge drop.  What gives?  (It's not a problem with our reporting mechanism, btw; we checked.)

As it turns out, it looks like spammers are changing their behaviour based upon return codes.  DS blocks are our first level of spam blocks and then IP blocklists (which send 550s) are our second level.  What appears to be happening is the following:

  • If a spammer or bot gets 550'ed, they don't give up right away.  They move on to a different bot and continue to try to send the same spam to the same address.  The theory is that the bot is rejected but the email address is still good.
  • If a spammer gets 554'ed, they stop sending mail to that email address from any bot.  The theory is that the email address is not legitimate, so why bother sending mail to it?
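To make the hypothesis concrete, here is an added example (not the service's own code, and the addresses, bots and directory are constructed data) that models the two-tier rejection above and runs the same campaign against it twice: once from a sender that reacts to reply codes the way the two bullets describe, and once from a sender that ignores them, which is closer to the behaviour the first comment below reports. The policy, reply codes and the `run_campaign` counters are my own names; the 554-before-550 ordering follows the post, and a domain that never uploaded a directory is passed through to the IP check rather than rejected.

```python
"""
Model of the two-tier rejection the post describes (directory-service block
first, IP blocklist second) and of the spammer reaction it hypothesises.
Added example with constructed data; nothing here is the service's own code.
"""
from dataclasses import dataclass, field

# Reply codes as the post describes them. This is the service's own
# convention: RFC 5321 reserves 550 for "mailbox unavailable" and 554 for
# "transaction failed", so other gateways may use them the other way round.
DS_REJECT = (554, "5.1.1 Recipient address not available")
IP_REJECT = (550, "5.7.1 Client IP address is blocklisted")
ACCEPT = (250, "2.1.5 Recipient OK")


@dataclass
class InboundPolicy:
    # domain -> lower-cased local parts the customer uploaded;
    # a domain with no entry has not opted in to DS blocks.
    directories: dict[str, set[str]] = field(default_factory=dict)
    ip_blocklist: set[str] = field(default_factory=set)

    def rcpt_to(self, client_ip: str, recipient: str) -> tuple[int, str]:
        """Reply to RCPT TO: directory check first, then the IP blocklist."""
        local, _, domain = recipient.lower().rpartition("@")
        directory = self.directories.get(domain)
        if directory is not None and local not in directory:
            return DS_REJECT
        if client_ip in self.ip_blocklist:
            return IP_REJECT
        return ACCEPT


@dataclass
class SpamRun:
    """Counters in the shape of the post's statistics: every rejection is a block."""
    attempts: int = 0
    delivered: int = 0
    blocks: dict[int, int] = field(default_factory=lambda: {550: 0, 554: 0})

    @property
    def total_blocks(self) -> int:
        return sum(self.blocks.values())


def run_campaign(policy: InboundPolicy, bots: list[str], targets: list[str],
                 adaptive: bool) -> SpamRun:
    """Try to deliver one message per target through the bot pool.

    adaptive=True is the reaction the post hypothesises: a 550 means "this
    bot is burned, try the next one", a 554 means "this address is dead,
    stop".  adaptive=False sends from every bot regardless of the reply.
    """
    run = SpamRun()
    for rcpt in targets:
        for bot in bots:
            run.attempts += 1
            code, _ = policy.rcpt_to(bot, rcpt)
            if code == 250:
                run.delivered += 1
                if adaptive:
                    break          # delivered; no need to burn another bot
                continue
            run.blocks[code] += 1
            if adaptive and code == 554:
                break              # recipient does not exist; drop it

    return run


# Constructed data: TEST-NET bots (three already blocklisted, one not yet),
# a directory of two live mailboxes, and a purchased-list-style target set
# in which 8 of 10 addresses are dead.
BOTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.5"]
BLOCKLIST = set(BOTS[:3])
TARGETS = ["alice@example.com", "bob@example.com"] + [
    f"user{i}@example.com" for i in range(8)]
IP_ONLY = InboundPolicy(ip_blocklist=BLOCKLIST)
WITH_DS = InboundPolicy(directories={"example.com": {"alice", "bob"}},
                        ip_blocklist=BLOCKLIST)


def compare(adaptive: bool) -> dict[str, SpamRun]:
    """Same campaign against the gateway before and after DS blocks are enabled."""
    return {"ip_only": run_campaign(IP_ONLY, BOTS, TARGETS, adaptive),
            "with_ds": run_campaign(WITH_DS, BOTS, TARGETS, adaptive)}


if __name__ == "__main__":
    for label, adaptive in (("adaptive sender", True), ("code-blind sender", False)):
        before, after = compare(adaptive).values()
        print(f"{label}: blocks {before.total_blocks} -> {after.total_blocks}, "
              f"delivered {before.delivered} -> {after.delivered}")
```

With this data the adaptive sender's block total falls from 30 to 14 once the directory is in place (and deliveries from 10 to 2), because each dead address costs it one 554 instead of a 550 per bot; the code-blind sender's total rises from 30 to 38, since the messages the gateway used to accept for dead mailboxes now show up as DS blocks. In this model, a drop in the combined DS + IP + filter count therefore only appears when the sender actually reacts to the 554.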

If this is indeed what is going on, it shows a clever resilience amongst the spam and bot community that allows them to learn what is happening in response to their tactics, and then change those tactics appropriately.  This doesn't surprise me; I have stated in the past (somewhere) that spammers are like antibiotic-resistant bacteria, evolving to deal with new threats and figuring out ways to survive.

Of course, if this hypothesis is correct, then it means that spammers are using very polluted lists, that is, lists full of addresses that go nowhere.  Looks like whoever sold them those lists didn't give them much quality.  That makes me feel a little better, and I'll take the time to engage in a little schadenfreude.

Comments (3)
  1. Kelson says:

    This doesn’t fit with my experience, which is that spammers (well, some spammers, anyway) continue to hammer the same non-valid addresses over and over for years on end.  We get spam sent to addresses that have been returning "User unknown" for 5 years or more.

    When you say that spam blocks drop by a factor of 10, are you including *both* DS blocking and spam blocking in the total?  With dictionary attacks and old addresses, I could definitely believe a domain might get 90% of its spam to addresses that don’t exist.  In that case, rejecting messages sent to invalid addresses would result in a 90% reduction in the spam that makes it to the filters, even before a single spammer reacts.

  2. tzink says:

    > When you say that spam blocks drop by a factor of
    > 10, are you including *both* DS blocking and spam
    > blocking in the total?

    Yes, we are.  Prior to this, we had IP blocks and spam filter blocks, and those were around 10 million.  Now, with DS blocks, the total of DS blocks + IP blocks + spam blocks is around 1 million.  So either our reporting infrastructure is wrong (and we checked it) or it’s a behavioural change.

    On the other hand, maybe we’re missing something here.  I’ll post something if anything changes.

  3. Al Iverson says:

    Nah, I don’t think you’re missing something per se, I think there are just different kinds of spammers out there. I just registered a domain that had been dead for a while but shows up on various "millions" CDs. I started to get gobs of spam within minutes of enabling an MX record. (That was last week some time.) Feel free to ping me if you want to know what domain and etc.
