Wandering Thoughts archives

2012-04-27

The case of the Twitter spam I don't understand

It's probably not news to anyone on Twitter that Twitter has spammers (every popular service has spammers, it's a rule of nature). In fact Twitter has several forms of spam, mostly revolving around drawing your attention with @-mentions. Much of what these spammers are up to is pretty immediately obvious and thus uninteresting, which is the state of affairs I'm used to. With pretty much all forms of spam on all services, it's almost always pretty obvious what the spammer is up to and what benefit they hope to get out of their spamming.

But not always. Every so often I run into something that is clearly spammy, where the people involved are up to no good, but I don't understand what exactly they get out of their activities. On Twitter the spam I don't understand is certain sorts of follow-spamming, where accounts follow me without any attempt to message me or otherwise get my attention (some follow spam has relatively obvious purposes, for example to get me to look at the account's profile to see some advertising there). When I run into a situation like this, what it says to me is that I don't fully understand the service I'm using and its environment, and the spammers do. If spammers see some advantage to following my Twitter account without me ever following them back, then they understand Twitter better than I do; there's something about the situation that I'm missing.

(As I've said before, spammers are not stupid in the aggregate. If there are a bunch of spammers doing something, it is because it works; it achieves results that they want.)

The corollary to this is that if you run a service and you see spammers doing something mysterious on it that you don't understand, you probably have a problem. Unless you're absolutely sure that the spammer actions are having no effect at all on your service (ie the only thing they're doing is creating logfile entries in private logs), you should assume that the spammers have spotted something clever that you've missed.

(In my case I'm not sure I care enough about Twitter to go digging into what the follow spammers are up to. Note that Twitter is clearly aware that follow spamming is a potential problem, as I've noticed that I don't always get the email notices about Twitter accounts following mine.)

TwitterSpamIgnorance written at 00:17:57

2012-04-19

An interesting experience with IP-based SMTP blocks

As I've mentioned before, I still run a mailer on my office workstation. Since it gets almost no real email any more, I've become more and more aggressive about using kernel level IP-based blocks on my SMTP port and applying them to relatively large network areas when other bits of my anti-spam heuristics detect something they don't like from an IP address in the area (this follows a familiar pattern). I also reboot my workstation relatively frequently (Fedora releases a lot of kernel updates) and when I do this, all of the current blocks are re-established from scratch. This gives me an interesting way to assess how active various sources are; I can simply look at who bubbles up to the top of the packets-blocked counts.

Before I started paying attention to this recently, I expected the result to be roughly correlated with the size of the network area I was blocking. This may be generally true, but there are some sources that stand out as unusually active. In particular one source has been on top of my most packets dropped lists for quite a while now, and with remarkable consistency; I can reboot my machine and they show up to bang on the door again almost immediately.

(This is not a good sign for various reasons.)

So today I would like to give, well, something to 81.92.112.0/20, a netblock assigned to one 'Emailvision'. According to their website, they are an 'Email & Social Marketing' firm; I have not looked for details, because there is a limit to how much I am willing to read from the website of anyone who calls themselves that. This is especially the case when the entire reason I know about them is that I have received unsolicited email from their address range.

On somewhat further investigation, it looks as if they are some sort of mailing list management firm that people use to send out bulk email of all sorts. Bulk email being bulk email, they attract spammers. Service providers being service providers, not taking these people's money (or noticing when they clearly have dirty lists) is unprofitable.

And so they remain the top source of rejected packets sent to my machine's SMTP port, as they have been for some time. I don't expect this to change any time soon.

(They do seem to send a certain amount of email to our regular mail system, from a variety of origin domains. On a casual inspection, our spam filtering system doesn't seem to consider it spam, which is what I would sort of expect in this situation.)
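An added illustration of the packets-blocked ranking described in this entry (not the author's own tooling, which the entry does not show). It assumes the blocks are iptables rules whose counters are read with `iptables-save -c`, and it ranks SMTP drop rules both by raw packet count and by packets per blocked address, which separates large netblocks from sources that are unusually active for their size. The sample dump and its counts are constructed, using reserved documentation and benchmarking ranges.

```python
import ipaddress
import re
import shlex

# Constructed sample in `iptables-save -c` format: [packets:bytes] precedes each rule.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
[12000:720000] -A INPUT -s 198.18.0.0/15 -p tcp -m tcp --dport 25 -j DROP
[9000:540000] -A INPUT -s 203.0.113.0/28 -p tcp -m tcp --dport 25 -j DROP
[40:2400] -A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 25 -j DROP
[500:30000] -A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j DROP
[7:420] -A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""

RULE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A .*)$")

def smtp_drop_counts(dump, port="25"):
    """Return [(network, packets)] for source-based DROP/REJECT rules on `port`."""
    rows = []
    for line in dump.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # table names, chain policies, COMMIT
        args = shlex.split(m.group(3))
        if "!" in args:
            continue  # a negated match does not name a blocked source
        opts = {a: b for a, b in zip(args, args[1:]) if a.startswith("-")}
        if opts.get("-j") not in ("DROP", "REJECT"):
            continue
        if opts.get("--dport") != port or "-s" not in opts:
            continue
        net = ipaddress.ip_network(opts["-s"], strict=False)
        rows.append((net, int(m.group(1))))
    return rows

def rank(rows):
    """Order rules by raw packets, and by packets per address the rule covers."""
    by_packets = sorted(rows, key=lambda r: r[1], reverse=True)
    by_density = sorted(rows, key=lambda r: r[1] / r[0].num_addresses, reverse=True)
    return by_packets, by_density

if __name__ == "__main__":
    by_packets, by_density = rank(smtp_drop_counts(SAMPLE))
    for net, pkts in by_density:
        print(f"{str(net):18} {pkts:8d} pkts  {pkts / net.num_addresses:10.3f} per address")
```

Because the counters restart from zero when the rules are reloaded at boot, comparing dumps taken a fixed time after each reboot shows which sources return fastest.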

EmailvisionBlock written at 02:17:21

