Thursday, September 18, 2008

Are spammers data mining the spamtraps and troublesome addresses?

A while back blogspot became a major headache for spam filtering. Spammers were using the free accounts to redirect hapless victims to their scam/pills/phishing sites, bypassing the URIBL by using this whitelisted domain.

Thankfully, the URIBL added blogspot to the Grey list and allowed submitters to include the sub-domains in the Black list. The problem subsided, but the spammers had discovered a new source of really annoying URIs and they were not going to give up that easily.

The spammers have since spread out to a number of free hosters; the most annoying for me is livefilestore. A unique sub-domain turns up in one of my spamtraps at the rate of around 1 per 5 minutes. Most of the domains or emails that turn up in my traps have already been submitted to the lists so I don't have to do much; however, these livefilestore domains are always unique and no one else seems to submit the same ones as me.

This brings me back to a previous thought I had regarding these unlimited, unique sub-domains. Back when blogspot spams were at their peak, I noticed that within a day of submitting a sub-domain to the URIBL, the amount of spam received by that trap was reduced to a crawl.

I conducted an experiment at the time of only submitting blogspot sub-domains on a subset of the total spamtraps and was gobsmacked at the fall in the spam load on only the addresses from which I had reported. Just to make sure I wasn't seeing things, I submitted all the domains from all the spamtraps and observed the same dramatic fall on them all.
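One way to put numbers on the subset experiment described above, as an added example that is not the author's code: a difference-in-differences over trap hit counts, comparing traps whose sub-domains were reported against traps held back as controls. The trap addresses, hit counts, report day and window are constructed sample data.

```python
def rates(hits, traps, report_day, window):
    """Return (before, after) mean hits per trap per day around report_day.

    hits: iterable of (day, trap) tuples, one per spam message received.
    'before' covers the `window` days preceding report_day, 'after' the
    `window` days following it; the report day itself is excluded.
    """
    traps = set(traps)
    before = after = 0
    for day, trap in hits:
        if trap not in traps:
            continue
        if report_day - window <= day < report_day:
            before += 1
        elif report_day < day <= report_day + window:
            after += 1
    denom = len(traps) * window
    return before / denom, after / denom


def compare(hits, reported, control, report_day, window=3):
    """Change in load on reported traps minus change on control traps.

    A strongly negative 'did' means the drop is specific to the traps that
    reported, rather than a general lull (e.g. a weekend) hitting every trap.
    """
    rb, ra = rates(hits, reported, report_day, window)
    cb, ca = rates(hits, control, report_day, window)
    return {"reported": (rb, ra), "control": (cb, ca),
            "did": (ra - rb) - (ca - cb)}


# Constructed sample: two reported traps fall from 4 hits/day to 1 after the
# report on day 3; two control traps stay at 4 hits/day throughout.
REPORTED = ("t1@example.org", "t2@example.org")
CONTROL = ("t3@example.org", "t4@example.org")


def sample_hits():
    hits = []
    for day in range(7):
        for trap in REPORTED:
            hits += [(day, trap)] * (4 if day < 3 else 1)
        for trap in CONTROL:
            hits += [(day, trap)] * 4
    return hits


if __name__ == "__main__":
    print(compare(sample_hits(), REPORTED, CONTROL, report_day=3))
```

Using control traps matters here because spam volume also moves for unrelated reasons, such as the weekend lull mentioned later in the post.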

As a result of this, I stopped submitting blogspot domains to the URIBL for a while and wrote a script that clicked the "flag" button in the navigation bar instead. Spammers being what they are, the spam load on all the spamtraps (and quite a few new ones that still have me scratching my head) increased to the previous load over the next few months. The blogspot staff were relatively swift at removing the offending sites, and I still got my spam to train filters with ;)

Warp forward to the current day and the livefilestore sub-domains (the main domain of which has been listed in Black for over a month now). I seem to have an unlimited supply of spamtraps over quite a few domains since some moron decided to pick up the message ids in my posts to mailing lists and newsgroups as email addresses! For every email I have ever sent to a public forum, I get at least 5 distinct traps. I ended up configuring my mail server to just trap anything sent to an address that looks like a message id. They aren't even close to any legitimate email addresses on the domain so there is no possibility of a typo finding its way into a spamtrap.

The end result of which is that I have a lot of unique traps. Over the past few weeks, those traps have been getting mostly unique livefilestore sub-domains delivered to each of them. There have been a few repeats, but they mostly happen when an email is delivered to more than one address in a single connection. Upon submission of these sub-domains, there was an increase in the spam load overall, but to different traps. By now, most of the addresses I had seen already had a reported URI on them. It almost seemed like a systematic delivery to every single address to feel them out.

Following the weekend lull, the livefilestore domains started coming thick and fast across all the traps again. They still seem to end up in traps that have never seen spam before, but there is a larger quantity heading to previously well known addresses too. Tentatively probing further addresses while dumping crap on known "working"#1 addresses.

If only they knew that I only get a daily summary and everything else is handled by computer, never to be read by a human and hopefully helping countless humans from seeing their crap :P

So are spammers using unique sub-domains to data mine the location of the email addresses that report them? Are they using this to help increase the effectiveness of their spam runs by avoiding those who would report them? I probably haven't put my story forward well enough to tell, especially since I don't provide raw figures to play with (I don't have the metrics in place to gauge things properly). Hopefully, I've put enough of an idea forward for someone to have a think about this and look at their data to see if the same idea fits there too.

... of course, that only works if someone reads this ;) As if!

#1 I permanently reject all messages sent to spamtraps