Wandering Thoughts archives

2012-12-29

SpamAttemptsAndWaste

Why I think that stupid spamming is actively wasteful

In reaction to my last entry, a commentator wrote:

You assume it's more cost efficient for the spammer to fix his system rather than just have a slightly higher percentage of broken addresses in his list than otherwise. I'd guess the broken addresses cost the spammer virtually nothing in resources or time.

I used to feel this way, that spamming was basically free, but I've shifted my views over time. My current belief is that in today's Internet environment, sending spam to addresses is not so cheap that it's pointless to measure and I actually suspect that modern spammers are often email-rate-limited and so sending to bad addresses directly displaces email that could go to potentially good addresses.

First off, let's take an easy case, that of people exploiting webmail systems via compromised accounts (as happened with us). Whether the spammers are using 'mules' to enter things by hand or they're driving the webmail systems by automation, it seems extremely likely that the spammer will have a relatively low sending rate limit (either the mules can only type and click so fast, or the webmail server software can and will only respond so fast). Thus, every clearly bad email address emailed to is a possibly good email address not mailed to.

(I'm making what I feel is the safe assumption that spammers have basically an infinite supply of potentially good email addresses they could spam.)

But let's suppose that the spammer has no message submission problems; they can stuff the queue with as much email to as many addresses as they want. The next limitation is the sending mailer itself. Spammers very often use compromised machines with whatever MTA setup the machine already has, a setup that is extremely unlikely to be set up for high sending volumes. The MTA will likely only be able to do DNS lookups and route messages so fast and make so many simultaneous delivery attempts at once, either through software limits or through machine capacity limits. Here again, bad addresses clearly displace potentially good ones.

(It's not uncommon for me to connect to the SMTP port on a machine that's sending out spam and have it report a temporary failure because of resources exceeded.)

Finally we have the actual delivery. Ignoring greylisting, I've seen clear evidence that large mail providers pay attention to delivery volumes and especially delivery volumes to bad addresses. Even here we've periodically seen temporary SMTP failures from the likes of GMail with messages to the effect of 'slow down, you're trying to send us too much too fast'. Every address a spammer tries to send to at such providers is one more point in their internal scoring systems for 'this IP is probably sending spam', and probably even more so for bad addresses; again bad addresses are displacing potentially productive ones and pushing the sending IP that much closer to when the provider will choke it off. Greylisting has similar but smaller effects (since it won't necessarily choke off future potentially good email addresses, just delay things). The effects of all of this is going to be magnified if the spammer is hijacking a compromised machine with a normal MTA that's set up for normal mail volumes.

You can build very custom infrastructure that has no problems with all of this (although you're still going to run into issues with destinations choking you off for too much volume). But I don't think most spammers these days are using anything that sophisticated, so all of those spammers are very likely to be email-rate-limited in their spamming.

SpamAttemptsAndWaste written at 01:59:18; Add Comment

2012-12-28

WastefulSpammer

A spammer that is not the brightest light in the box

I'm fond of saying that spammers are generally not stupid; they do what works and they're quite good at figuring out what that is. However, every so often a spammer comes along who quite clearly challenges or outright breaks this view.

Here's a snippet from a recent SMTP conversation that one of my machines logged:

remote from [208.86.167.19]
HELO postoffice.wieck.com
250 Hello postoffice.wieck.com
MAIL FROM:<REDACTED@wieck.com>
250 Ok (verified)
RCPT TO:<"d..."@REDACTED.org>
554 no such local user

What makes this stand out is the RCPT TO address. For those who've never run into this, this (without the quotes) is how Google's Usenet interface has presented poster email addresses for quite a while. Such addresses are deliberately obfuscated and have never worked; we can see how badly broken they are by the fact that they have to be quoted to make them RFC-legal even as RCPT TO addresses. Any vaguely smart spammer would not be dealing with these addresses.

Despite this, this spammer has wasted time and effort collecting these addresses and sending spam to them. This is a genuine waste; someone has carefully scraped and stored these addresses, someone else may have purchased them, and now someone is wasting resources attempting to deliver email to them (resources which could have been spent delivering spam to more viable addresses, ones that at least potentially could pay off). All of this is objectively stupid and worse, it's obviously so.

(3 comments.)
WastefulSpammer written at 02:54:01; Add Comment

(Previous month | Next month)
By day for December 2012: 28 29; before December; after December.

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Twitter: @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.