Do spammers change their tactics based upon recipient verification? Yes, they do.

Or, to be more precise, it sure looks like they do.

In my other post on the publicly available spam tool, I mentioned that I came across a page that allowed people to verify whether or not an email address is actually live.  The question naturally arises: do spammers clean up their email contact lists based upon whether or not the address is legitimate?

Spammers would have an incentive to do this - the fewer mails they have to send, the fewer resources they have to consume.  Spam blitzes depend on spammers sending out as much as possible in as small a window as possible.  The fewer the bots sending mail, the smaller the rate of spam detection.

Do we actually observe spammers changing their sending patterns?  I believe that we have evidence that they do.  Our customers have the option of doing Directory Services blocks.  The way that this works is that customers upload a list of legitimate email addresses to us.  When a message hits our network, we look up whether that recipient address exists (is live).  If no such email address exists on the domain, we send back a 554 - Recipient Address Not Available.  These are called Directory Service Blocks, or DS blocks for short.

Recently, some customers have started using our DS services more actively.  When they do, they report that the total number of spam blocks in their statistics drops dramatically, sometimes by a factor of 10: a customer that saw 10 million spam blocks before enabling DS now sees only 1 million.  That's a huge drop.  What gives?  (It's not a problem with our reporting mechanism, btw.)

As it turns out, it looks like spammers are changing their behaviour based upon return codes.  DS blocks are our first level of spam blocks and then IP blocklists (which send 550s) are our second level.  What appears to be happening is the following:

  • If a spammer or bot gets 550'ed, they don't give up right away.  They move onto a different bot and continue to try to send the same spam.  The theory is that the bot is rejected but the email address is still good.
  • If a spammer gets 554'ed, they stop sending mail to that email address.  The theory is that the email address is not legitimate, so why bother sending mail?
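One way to check this hypothesis against your own mail logs is to measure, separately for 550 and 554 rejections, how often a rejected recipient address is attempted again later from any client IP. This is an added example, not code from the original post; the log line format and the sample entries are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): one line per RCPT TO
# attempt with the client IP, recipient and SMTP reply code.
# 554 = Directory Services block (unknown recipient), 550 = IP blocklist,
# 250 = accepted.
SAMPLE_LOG = """\
2009-03-01T10:00:01 ip=203.0.113.5 rcpt=alice@example.com code=550
2009-03-01T10:00:02 ip=203.0.113.5 rcpt=ghost1@example.com code=554
2009-03-01T10:00:03 ip=203.0.113.5 rcpt=ghost2@example.com code=554
2009-03-01T10:05:10 ip=198.51.100.7 rcpt=alice@example.com code=250
2009-03-01T10:05:11 ip=198.51.100.7 rcpt=bob@example.com code=550
2009-03-01T10:05:12 ip=198.51.100.7 rcpt=ghost3@example.com code=554
2009-03-01T10:09:44 ip=192.0.2.23 rcpt=bob@example.com code=250
2009-03-01T10:09:45 ip=192.0.2.23 rcpt=ghost2@example.com code=554
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) rcpt=(\S+) code=(\d{3})$")

def parse_log(text):
    """Yield (timestamp, ip, rcpt, code) tuples in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, rcpt, code = m.groups()
            yield ts, ip, rcpt, int(code)

def retry_rates(text):
    """For each rejection code, count how many rejected recipients were
    attempted again later (from any IP, with any outcome).
    Returns {code: (retried_recipients, rejected_recipients)}."""
    events = list(parse_log(text))
    # Index of the earliest rejection per (code, recipient) pair.
    first_reject = {}
    for i, (_, _, rcpt, code) in enumerate(events):
        if code in (550, 554) and (code, rcpt) not in first_reject:
            first_reject[(code, rcpt)] = i
    result = defaultdict(lambda: [0, 0])
    for (code, rcpt), idx in first_reject.items():
        result[code][1] += 1
        # A retry is any later attempt to the same recipient, regardless
        # of which bot sends it or whether it is accepted.
        if any(e[2] == rcpt for e in events[idx + 1:]):
            result[code][0] += 1
    return {code: tuple(v) for code, v in result.items()}
```

If the hypothesis holds, the retried fraction for 554 should sit well below the fraction for 550 over a real log; on the constructed sample the 550 recipients are all retried from another IP while most 554 recipients are never seen again.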

If this is indeed what is going on, it shows a clever resilience amongst the spam and bot community that allows them to learn how we respond to their tactics and then change those tactics appropriately.  This doesn't surprise me; I have stated in the past (somewhere) that spammers are like antibiotic-resistant bacteria, evolving to deal with new threats and figuring out ways to survive.

Of course, if this hypothesis is correct, it means that spammers are using very polluted lists, that is, lists full of addresses that go nowhere.  Looks like whoever sold them those lists didn't give them much quality.  That makes me feel a little better, so I'll take a moment to engage in a little schadenfreude.