Spam coming from free email providers increasing

After analyzing three weeks of spam data between June 13 and July 3, 2008, Roaring Penguin Software Inc. found evidence that spam originating from the top three free email providers (Gmail, Yahoo Mail and Hotmail) is increasing, with spammers favoring Gmail because of its privacy-preserving practice of not including the sender's original IP in outgoing emails:

"Spammers are increasingly using free e-mail providers to avoid IP address-based reputation systems. These systems track mail sent by various IP addresses and assign each IP address a rating. Some anti-spam software operates largely or exclusively on the basis of the IP address rating.

Roaring Penguin's data shows that over the three weeks from June 13 to July 3, 2008, the percentage of US-originated spam originating from the top 3 free e-mail providers (Yahoo, Google and Hotmail) rose from about 2% to almost 4%. Roaring Penguin believes that spammers are using Google's service in particular to send spam, relying on the fact that blacklisting Google's servers is impractical for most organizations. According to their data, the probability that an e-mail originating from a Google server is spam rose from 6.8% on June 13 to a whopping 27% on July 3."
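The mechanism the quote describes, as an added illustration that is not part of the original post or of Roaring Penguin's software: a receiver that scores mail purely on the IP of the oldest relay in the Received: chain sees the abuser's address when a bot sends directly, but sees only the provider's outbound relay when the same abuser submits through a webmail service that does not record the client IP. All networks, hostnames and reputation scores below are constructed for the demo.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed reputation data for the demo; none of these networks are real listings.
BAD_NETWORKS = {ip_network("203.0.113.0/24"): 0.95}   # hypothetical botnet-infested range
# Constructed outbound relay range of a hypothetical webmail provider.
WEBMAIL_RELAYS = ip_network("198.51.100.0/24")

# Matches the bracketed address of the sending host in a Received: header,
# e.g. "from mail.example (mail.example [203.0.113.7]) by ...".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_headers):
    """Return the relay IPs from the Received: lines, oldest hop first.

    Each MTA prepends its own Received: line, so the last one in the
    message is the first hop, the closest a receiver can get to the sender.
    """
    ips = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("received:"):
            m = _IP_RE.search(line)
            if m:
                ips.append(ip_address(m.group(1)))
    return list(reversed(ips))

def ip_reputation(ip):
    """Spam probability for an IP from the (constructed) reputation table."""
    for net, score in BAD_NETWORKS.items():
        if ip in net:
            return score
    return 0.0

def classify(raw_headers, block_webmail_relays=False):
    """Return (origin_ip, verdict) using only IP reputation.

    A webmail provider that strips the submitting client's IP leaves its own
    relay as the oldest hop, so the abuser's score never applies unless the
    whole relay range is blocked, which also rejects that provider's
    legitimate users.
    """
    origin = received_ips(raw_headers)[0]
    if origin in WEBMAIL_RELAYS:
        return origin, "reject" if block_webmail_relays else "accept"
    return origin, "reject" if ip_reputation(origin) >= 0.5 else "accept"

# Constructed sample 1: sent straight from an infected host to the recipient.
DIRECT_MSG = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.net\n"
    "Received: from pc-1234 (unknown [203.0.113.7]) by mx.example.net\n"
)
# Constructed sample 2: same abuser, submitted through webmail; the provider's
# relay is the oldest visible hop because the client IP is not recorded.
WEBMAIL_MSG = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.net\n"
    "Received: from out1.webmail.example (out1.webmail.example [198.51.100.25]) by mx.example.net\n"
)
```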

Spammers and phishers are not just interested in the clean IP reputation of free email providers; they also want to exploit the trust those providers have established among themselves through DomainKeys and Sender ID. By abusing that trust through bogus accounts registered automatically after breaking the CAPTCHA-based sign-up check, they reach the widest possible audience and ensure their spam or scam is delivered.

How are they managing to abuse these services so efficiently, and is CAPTCHA breaking, for the purpose of automatically registering bogus accounts, to blame? The broken CAPTCHAs are only part of the problem. It all starts from the basics, in this case the companies themselves admitting there's a problem and committing not just to fighting incoming spam, but outgoing spam as well.

The whole quality assurance process applied by spammers is nothing new; in fact, phishers and malware authors have been putting more effort into finding easier ways to measure the return on investment (ROI) for themselves, and to present clear performance data to those taking advantage of their services. Just because someone has successfully sent several million spam emails doesn't mean the messages didn't get filtered, and when they did, it matters exactly how many. Coming up with in-depth spam campaign metrics, and processes for verifying delivery, is becoming a top priority for everyone involved in this underground ecosystem.

The problem of spam and phishing coming from free email providers has had its peaks in the past two years, prompting popular spam blacklists such as SORBS and Spamcop to blacklist entire Gmail servers due to their inability to obtain the real sender's IP. It's a signal from the anti-spam community, and since Gmail will continue not revealing the real sender's IP, a stance that has drawn a lot of criticism from anti-spam vendors but a lot of applause from privacy advocates, the best it can do is balance its incoming vs. outgoing spam fighting strategy. Here's a comment from an anti-spam vendor on the problem back in 2006:

"Gmail has taken an extreme position on privacy that inhibits the antispam community from doing their job, and it's ticking people off," says Tom Gilles, co-founder of IronPort. Some 10% to 15% of the spam IronPort sees comes from free Web-mail accounts, too big a slice to turn a blind eye to. "From time to time, Gmail mail is getting blocked because spam is leaking out of their service," Gilles says. "Sometimes the babies get thrown out with the bath water, and that is the rub."

It's difficult to gauge how widespread the problem of missing Gmail is, since no blocking records are available, though experts worry it's growing along with the Gmail service. Gmail had 6.7 million visitors in February, up 4.1 million from a year ago, according to measurement firm comScore Networks, a jump that suggests lost email has yet to hurt the service's growth. Yahoo Mail is still nearly 10 times bigger, hosting 64.6 million visitors last month, and AOL and Hotmail are also orders of magnitude larger. The situation reveals again how the studiously iconoclastic search engine is wrangling with where to draw the line on Internet privacy. As in other recent cases, Google is taking a harder line than its peers."

Moreover, the abuse of the authentication at these free email providers, by either breaking the CAPTCHA images automatically or outsourcing the process to human CAPTCHA breakers who earn cents to complete the registration process for the spammers, is clearly making an impact. For instance, underground services offering hundreds of thousands of pre-registered bogus accounts are popping up like mushrooms these days, and their maturity into a customer-tailored proposition, offering everyone the possibility to pre-register bogus accounts at services and web sites they are not currently targeting, speaks for the confidence they've built in their ability to deliver the goods. The most recent one, which I covered in a previous post, continues to automatically pre-register accounts, with its inventory emptying and refilling itself automatically in between the customers' feedback on the quality of the service. Here's a sample of their inventory as of the last five minutes:

  • 270,565 pre-registered accounts
  • 167,013 pre-registered accounts
  • 159,892 pre-registered accounts

This is just the tip of the iceberg, with many other such services offering different inventories and using different tactics in the registration process. And while the companies themselves are keeping track of the latest developments in this ongoing abuse of their services, it's all a matter of drawing the line at a particular moment in time. For instance, an IP known to be malware infected, which has repeatedly attempted to send hundreds of thousands of phishing and spam emails on behalf of the botnet it participates in, shouldn't be trusted in any authentication or registration attempt if you take the radical approach; alternatively, the end user should be warned about what's going on and why she is not allowed to use the site's services unless action is taken. The point is that preventing automated authentication abuse is, as a process, very similar to preventing click fraud and to fighting spam in general, the only difference being a shift of perimeter from applying the techniques to incoming emails to applying them to the authentication process itself.

Most of the human CAPTCHA breakers, and the automated programs, will either abuse malware infected hosts as open proxies or use open proxy lists in order to change their IP every several registrations. Considering that well-known bad parties, which generate the majority of malicious activity, are often blocked by default at the email gateway without anyone even bothering to inspect the content of the messages coming from their networks/IPs, the same approach applies here: activity from malware infected hosts should be challenged more aggressively than it is for the time being.

Spam and phishing emails originating from legitimate email service providers are likely to keep increasing, and fighting incoming spam should be balanced with fighting outgoing spam. Moreover, email spam is so Web 1.0 that the possibilities for abusing the joys offered by Web 2.0 services are slowly starting to materialize, with spammers being a step ahead of the filtering solutions.
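What the provider-side (outgoing) controls argued for above could look like, as an added example that is not code from the original post or from any email provider: registrations from IPs on an infected-host list are challenged, bursts of sign-ups from one IP (a proxy rotated only every few registrations) are challenged, and a young account's outbound recipient volume is throttled before the mail leaves the provider. The IP list, thresholds, account names and timestamps are all constructed for the demo, and the policy is illustrative rather than any provider's real rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of IPs reported as malware-infected (demo data only).
INFECTED_IPS = {"203.0.113.7", "203.0.113.9"}

class RegistrationGuard:
    """Decide whether a sign-up or an outbound send should be challenged.

    Illustrative policy (assumed for this example):
      * registrations from an IP on the infected list are challenged;
      * more than MAX_REG_PER_IP registrations from one IP inside WINDOW are
        challenged, which catches proxies rotated only every few sign-ups;
      * an account sending to more than MAX_RCPT recipients inside WINDOW is
        throttled before the mail is relayed out.
    """
    MAX_REG_PER_IP = 3
    WINDOW = timedelta(hours=1)
    MAX_RCPT = 100

    def __init__(self):
        self.reg_times = defaultdict(list)   # ip -> registration timestamps
        self.sent = defaultdict(list)        # account -> (time, n_recipients)

    def register(self, ip, when):
        # Keep only the registrations from this IP that fall inside the window.
        times = [t for t in self.reg_times[ip] if when - t < self.WINDOW]
        times.append(when)
        self.reg_times[ip] = times
        if ip in INFECTED_IPS:
            return "challenge:infected-ip"
        if len(times) > self.MAX_REG_PER_IP:
            return "challenge:registration-burst"
        return "allow"

    def send(self, account, when, n_recipients):
        # Sum the recipients this account addressed inside the window.
        recent = [(t, n) for t, n in self.sent[account] if when - t < self.WINDOW]
        recent.append((when, n_recipients))
        self.sent[account] = recent
        total = sum(n for _, n in recent)
        return "throttle" if total > self.MAX_RCPT else "allow"

def demo():
    """Run the constructed scenario and return the decisions in order."""
    g = RegistrationGuard()
    t0 = datetime(2008, 7, 3, 12, 0)
    results = []
    # Constructed: one open proxy used for four sign-ups within ten minutes.
    for i in range(4):
        results.append(g.register("198.51.100.20", t0 + timedelta(minutes=2 * i)))
    # Constructed: a sign-up from a host on the infected list.
    results.append(g.register("203.0.113.7", t0))
    # Constructed: a fresh account sending 60 recipients per message, three times.
    for i in range(3):
        results.append(g.send("acct-001", t0 + timedelta(minutes=i), 60))
    return results
```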

Topics: Security, Google, Malware, Networking, Privacy, Servers

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Spam

    it is a problem, when I receive spam the TO: has additional accounts on my free email. there should be a way for the free email to block those sending to the same free email. it's CRAZY
  • Free E-mail services should be held responsible...

    for keeping their mail system clean. These networks are so large that it is impossible to manage them by an actual person. And every technology based solution will be hacked. G-mail, Yahoo, MSN and every other mail provider need to bear the same responsibility as the actual spammer. If they are not able to manage their networks they need to get out of the business.

    This issue was inevitable. It is impossible to manage networks of this size. These providers need to be black listed just like any other spammer.
    • RE: Free E-mail services should be held responsible...

      "for keeping their mail system clean."

      Quite correct. How do you propose that be done?

      "These providers need to be black listed just like any other spammer."

      Exactly what good is that going to do? Yes it will stop the spam from getting through, along with a HUGE amount of legitimate e-mail. This is the problem with blocking sites such as Google and Yahoo, etc. The answer has been given elsewhere, TRACK THE MONEY, and shut down the source of it. That will stop the spam. Using reactive methods such as blocking entire domains, blacklisting email addresses, helps to a certain degree, but in the end it fails, simply because it is not the best way to go.

      As an email user, I have accounts with both Google and Yahoo. I use Yahoo for all my public facing mail because their spam filtering is so efficient. What I call a bad month, spamwise, is more than 10 SPAMS in my INBOX for the month. I haven't had a bad month now for over 2 years (touch wood). Google is only used for private communications to a very select group of people.

      I would not be pleased to find that all my mail is being classed as spam simply because Google or Yahoo mail has been blacklisted as a spammer.
      • SORBS = Conceited B*$t*rd$

        SORBS blocked recently, and when I tried to complain, I was amazed at the ATTITUDE I saw throughout the site. I sent a note to the maintainer, and he opped a worse attitude to me, so I called him on it. I consider people like him to be worse than spammers.
        • "I consider people like him to be worse than spammers. "

          SORBS didn't block gmail.

          SORBS LISTED gmail, and YOUR ISP, the one you pay money to, BLOCKED gmail based on the fact that SORBS listed them.

          Your ISP chose to use SORBS. You chose to use your ISP. Nowhere in this relationship does SORBS owe you anything whatsoever.

          You got attitude because you complained to the wrong people. SORBS isn't making you use their block list. Don't use it if you don't like it.

          Spammers are organized criminals. They are involved in highly organized and sophisticated criminal operations. Many of the spams you receive are sent by people with links to drugs, child pornography, and illegal weapons.

          If you honestly think some volunteer from SORBS who didn't let you railroad him is worse than the criminal scum who are responsible for the spamming problem to begin with, you have seriously warped priorities.
      • I agree, email providers are part of the problem

        I had an employer who arbitrarily blocked everything from my Yahoo email account. So, when I had a group of digital photos to send to them regarding a construction project, I had to ask one of my managers for his personal email account outside of the corporate email system because they did not allow attachments in their internal email system (my photos) nor would they accept email from my Yahoo account, where I could attach those photographs.

        In the end, by blacklisting my Yahoo mail and by blocking all attachments internally, they made modern communication almost impossible, I see this as an example of the kind of over-reaction that is happening.

        I think Yahoo, Gmail, and the other free email providers bear some responsibility in this. They could make it more difficult to use their systems for sending SPAM. One way they might slow down the spammers could be to limit the number of addresses in the TO:, CC:, and BCC: fields. They might also look for one sender sending identical messages to many groups of addresses (one way a spammer might get around an upper limit in the number of addresses per message). Sending identical messages repetitively should be limited. I think the free email providers may have the ability to spot email abuse now, and prevent the spreading of SPAM messages in any quantity. They just need to think a bit about where they should set their limits.
      • " I would not be pleased to find that all my mail is being classed as spam"

        You'd not be pleased, but so what? Nobody is obligated to accept your email.

        Having your email accepted is NOT a right, it's a privilege. A privilege that can be denied for any reason, or for no reason whatsoever.

        If someone wants to block all IP addresses that have a 13 in them because they're superstitious, they have the right to do so. Stupid? Sure, but still their right.

        If you use Yahoo or Gmail for critical personal business, then you're going to get burned sooner or later. You have to decide if the benefits outweigh the risks, but you don't get to decide for others what they must allow on their servers.
  • RE: Spam coming from free email providers increasing

    SPAM is all about money. Spammers do what they do
    because somebody somewhere is paying them to do it.
    The present practices for eliminating SPAM is reacting to
    an event that has already happened. Instead we should be
    proactive and act before the problem occurs. Instead of
    trying to track/find who's sending the SPAM, find out who's
    funding the scammer and prosecute them. The message
    will get across that this is not a viable or intelligent
    method of marketing their product and they'll stop paying
    the spammers. When this happens, most of the SPAM we
    experience every day will go away. It won't go away using
    any other method.
    • Not likely

      "Instead of trying to track/find who's sending the SPAM, find out who's funding the scammer and prosecute them."

      Uh-huh... And when that starts, watch the spammers move offshore and the clients begin to use front companies overseas to shield themselves from legal repercussions of being scumbags.
      Hallowed are the Ori
      • A lot of it

        A lot of the problems come from the whole referral system whereby a good many aren't working in the capacity of being paid by the company - instead, using the referral schemes and generating their own money off that.

        There was a statistic that for something like every 1000 emails sent out, there is something like 30 people who will go and purchase the product. So think about it; if you sent out 100,000 emails, and 3,000 reply - then assume you make $10 off each sale; that is $30,000 in the hand for not much work.
        • Spam Response Rate

          Yeah...that's with legitimate advertising. I would put my guess that for every 1,000,000 mails that go out, maybe 30 buy the product. And even that's conservatively large. It doesn't matter - when you're using botnets and gmail to send out your spam, it costs only pennies to send out 10's of millions of emails.
  • RE: Spam coming from free email providers increasing

    We seem to be trying to solve a problem which essentially has no resolution - simply because of the weighing facts. 1) Providing privacy to email senders (GMail), 2) automated registration defense (CAPTCHAs) are breakable either by humans or technology, 3) SPAM == $, people will buy this crap so they'll never stop, 4) if you blacklist GMail and Hotmail, Yahoo! ... many of us will be screwed since we rely on these mail servers every day for inbound/outbound mail... legitimately.

    So what's the solution? I fear it's less obvious than the problem, and will continue that way for the foreseeable future.
    Rafal.Los (RX8volution)
    • Spam coming from free email providers increasing

      My solution - I have blacklisted all foreign country domains. By doing so, I have cut the amount of Spam mail from 275+ a day down to about 30. I would love to blacklist Yahoo, but this would cut off 40% or so of our members.
  • Spams are from fake sources

    My scrutiny reveals that all the spams are from fake accounts, pretending to be whatever: gmail, yahoo, hotmail, whatever. To understand where they are coming from, you need to look at the sender's IP address as well as email servers, etc.

    I don't consider people sending me emails from gmail as spam since they don't belong to the category of "BULK" mails! Spams are bulk mails!
  • Gmail

    Google is the only provider that I know of, which still allows FREE POP access. Using programs freely available, you can send 100,000+ emails through them a day.

    At least Yahoo, and I believe, Hotmail, require you to pay for POP access, which I think is why spammers are moving to Gmail.

    We got so tired of all of the spam, we now have blacklisted Yahoo, Google, Hotmail, and AOL.
    • Blacklisted Yahoo, Google, Hotmail, and AOL

      So, along with the spam, all legitimate emails from them get thrown out as well.
  • The FIX is quite SIMPLE !!

    Only allow emails to arrive in the inbox where it matches the name and/or address of a contact in their address book.
    • That's a severe remedy

      Your old buddy from school will never be able to get past your spam filter to reconnect with you -- even if he/she got your email from a friend.

      And when your bank sends you that overdue payment notice, you never know what email address it will come from (ex id=billing, accounting, whatever). But not to worry, the eviction notice will come via snail mail.

      Not to be snarky but it just defeats one of the key benefits of email.
    • That fixes nothing

      Spammers already fake the sender information, and it's quite common for them to fake the sender to look like it comes from the same domain as the recipient.

      There is no silver bullet. There is no magic solution.
      As long as we have countries who don't have good antispam laws, or don't enforce their laws, spam will continue to be the vast majority of email traffic.
  • RE: Spam coming from free email providers increasing

    POP access would allow you to *receive* 100,000+ spam messages a day, not send.