Digging into outbound spammers and confirming what I suspected

Yesterday, I started digging through statistics of users who use our network to send out spam.  Most of them are not doing it intentionally, but some are hostile.  What behavioral characteristics do these senders share?  There are a couple.

  1. Spammers are very likely to send a lot of mail.

    People who send outbound spam – mostly compromised accounts from an edu – are more likely to send a lot of mail.  You might be saying “Well, no kidding.”  But before you scoff, consider this:

    I went through all of our outbound mail stats this past week.  I did a quick visual inspection of the types of senders.  There are a few senders who send a lot of messages, and lots and lots (and lots and lots) of senders who send a few messages.  The overwhelming majority of spammers send lots of mail.  They are heavily concentrated in the senders who have high volumes of mail.

    This doesn’t mean that everyone who sends lots of outbound mail is a spammer. Rather, if you are trying to find someone who is sending outbound spam, the first place you ought to look is for accounts sending a lot of mail.

  2. Spammers are not likely to send out small amounts of spam.

    This is the corollary to point (1).  Spammers are not found very often among small mailers.  Now before you scoff yet again, my big worry was that spammers came in two kinds – the type that sends floods of spam and the type that sends only small amounts of spam.  The type that sends small amounts of spam would be harder to detect due to the tiny volumes.

    But based on my research, spammers just don’t send tiny bits of mail from a lot of compromised accounts; at least in our network, they compromise an account and send tons of spam.  They don’t waste it by sending only little bits.

    Thus, to summarize: on our network, spammers are overwhelmingly represented among the accounts that send tons and tons of mail, and almost nowhere to be found among the smaller senders trying to stay under the radar.  However, the majority of accounts that send lots of mail are not spammers; sorting between these two is the art of outbound spam filtering and is what makes outbound spam control so challenging.

  3. The exception to the rule is freebie spammers

    The exception to the rule above is what I call freebie spammers.  We have a service called Office 365 that spammers sign up for and abuse (we know what you’re doing, you ass of a spammer).  These types of accounts have much lower sending limits, and spammers will hit those limits (and have experimented, trying to find those limits), then get banned, discard the account, and move on.

    Freebie spammers do not send in high volumes from a single account.  They sign up, spam, get banned, and repeat.  This contrasts with our paid service, which conforms to rules (1) and (2) above.

    So to summarize: if spammers compromise paid accounts, they will spam in large volumes.  If they acquire free accounts with low throttles, they will send in small amounts.
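
The three observations above translate into two different triage signals: for paid accounts, start at the head of the per-sender volume distribution (points 1 and 2); for free-tier accounts, look for throttle hits shortly after signup rather than raw volume (point 3).  The following is an added example of that triage over constructed log lines; it is not the mail system's own code, and the log format (`account=`, `tier=`, `status=` fields), the signup table, and the thresholds are assumptions made for the illustration.

```python
"""Volume-based triage of outbound senders over constructed log lines.

Added illustration, not the mail service's own code. The log format, the
field names, the signup table and the thresholds are all assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log. Assumed line format:
    <ISO timestamp> account=<addr> tier=<paid|free> status=<sent|throttled>
    'throttled' means the message was refused by the account's sending limit."""
    base = datetime(2013, 5, 6, 8, 0, 0)
    lines = []
    # Long tail: 200 ordinary paid senders sending 1-3 messages each.
    for i in range(200):
        for j in range(1 + i % 3):
            t = base + timedelta(minutes=i, seconds=j)
            lines.append(f"{t.isoformat()} account=user{i:03d}@example.edu tier=paid status=sent")
    # Two heavy paid senders: a legitimate list and a compromised account.
    for k in range(300):
        t = base + timedelta(seconds=k)
        lines.append(f"{t.isoformat()} account=newsletter@example.edu tier=paid status=sent")
    for k in range(900):
        t = base + timedelta(seconds=k)
        lines.append(f"{t.isoformat()} account=pwned@example.edu tier=paid status=sent")
    # Free-tier account that hits its limit within hours of signing up.
    for k in range(60):
        t = base + timedelta(hours=2, seconds=k)
        status = "sent" if k < 50 else "throttled"
        lines.append(f"{t.isoformat()} account=trial42@example.com tier=free status={status}")
    # Free-tier account behaving normally.
    for k in range(5):
        t = base + timedelta(hours=3, minutes=k)
        lines.append(f"{t.isoformat()} account=trial07@example.com tier=free status=sent")
    return lines


SAMPLE_LOG = build_sample_log()

# Constructed signup times for the free-tier accounts (assumption).
SAMPLE_SIGNUPS = {
    "trial42@example.com": datetime(2013, 5, 6, 9, 30, 0),
    "trial07@example.com": datetime(2013, 4, 1, 12, 0, 0),
}


def parse_line(line):
    """Split one assumed-format log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def volume_by_sender(lines, tier="paid"):
    """Count delivered messages per account for one tier."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec["tier"] == tier and rec["status"] == "sent":
            counts[rec["account"]] += 1
    return counts


def high_volume_candidates(counts, top_fraction=0.01):
    """Points (1) and (2): the review queue is the head of the volume
    distribution. Returns the top `top_fraction` of senders (at least one),
    highest volume first; the long tail is left alone."""
    if not counts:
        return []
    n = max(1, round(len(counts) * top_fraction))
    return [acct for acct, _ in counts.most_common(n)]


def freebie_candidates(lines, signups, window=timedelta(days=1)):
    """Point (3): a free-tier account that hits its sending limit within
    `window` of signing up looks like a throwaway spam account, even though
    its absolute volume is small."""
    flagged = set()
    for rec in map(parse_line, lines):
        if rec["tier"] != "free" or rec["status"] != "throttled":
            continue
        signed_up = signups.get(rec["account"])
        if signed_up is not None and rec["ts"] - signed_up <= window:
            flagged.add(rec["account"])
    return sorted(flagged)


if __name__ == "__main__":
    counts = volume_by_sender(SAMPLE_LOG)
    print("paid senders:", len(counts))
    print("review queue:", high_volume_candidates(counts))
    print("freebie suspects:", freebie_candidates(SAMPLE_LOG, SAMPLE_SIGNUPS))
```

Note that the paid-tier queue deliberately contains both the compromised account and the legitimate newsletter: volume ranks who to look at first, it does not decide who is a spammer, which is why the output is a review queue rather than a block list.  The free-tier check ignores volume entirely and keys on the throttle-then-discard pattern, so the small-volume throwaway account is caught while the low-volume free account that never hits its limit is not.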

That’s what I have discovered about spammers who utilize reputation hijacking.

