Large File Size Spammers Part 2: A Case Study

Not too long ago we published an article going over the general landscape of large file size spam (

In this article we will present a case study identifying a particular hosting provider whose network has been consistently sending out large file size spam. The purpose of this article is to illustrate how some basic observations can be used to identify patterns that help predict and prevent future occurrences of this spam. Admittedly, such patterns can never be used as conclusive proof of malicious activity. However, at the very least, they should raise a flag for further inspection.

[Table: the provider's sending IPs with their PTR records and, for each IP, the number of unique ISPs reporting it. Only the report counts survived extraction: x4 x8 x8 x9 x29 x18 x19 x28 x14 x24 x25 x29 x20 x23 x21 x23 x28 x20 x20 x21 x8 x9 x7 x10 x7 x6 x6 x10 x7 x5 x4 x46 x42 x86 x37 x10 x14 x14 x12 x14 x3 x7 x5]

The data presented above is a subset of the large file size spam we have detected from this one provider over the last 2 months (April-May 2018) (in practice, this type of spam is sent from many hosted networks all over the world). The number after the ‘x’ is the number of unique ISPs that reported the associated IP for sending to an excessive number of invalid users (email accounts which do not exist). Some of these IPs may have had their PTR records updated by now, while others still carry the ‘throwaway’ domain.

There are some simple patterns that we can observe from the above data:

1) A particular domain usually has multiple IPs associated with it.
2) These multiple IPs are in consecutive order.
3) The first IP has a 2 part PTR record (domain.tld); subsequent IPs have 3 part records (subdomain.domain.tld).
4) These servers are capable of sending email.

Of course, these patterns are not enough to implicate anything, but it is a start. We can take an extra step and see what patterns we can find within the WHOIS records for these domains.

5) All of these domains have the same registrar.
6) All of these domains are fairly new, with registration dates ranging from September 2017 to January 2018.
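To show how the six observations above can be turned into a repeatable check, here is an added example (our own illustration, not code from the original article or from the hosting provider) that scores each domain seen in a set of PTR records against the patterns: multiple IPs, consecutive IPs, an apex PTR followed by subdomain PTRs, evidence of sending (the ISP report counts), a shared registrar, and a recent registration date. The sample IPs, PTR names, registrar names and dates are constructed (TEST-NET ranges and .test domains), and the `registrable_domain` helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address


@dataclass
class PtrRecord:
    ip: str
    ptr: str       # reverse DNS (PTR) name for the IP
    reports: int   # ISPs reporting invalid-recipient floods from this IP (the "x" count)


@dataclass
class WhoisRecord:
    domain: str
    registrar: str
    created: date


# Constructed sample data: TEST-NET addresses and .test domains, not real observations.
SAMPLE_PTR = [
    PtrRecord("198.51.100.10", "example-one.test", 4),
    PtrRecord("198.51.100.11", "mail1.example-one.test", 8),
    PtrRecord("198.51.100.12", "mail2.example-one.test", 8),
    PtrRecord("198.51.100.20", "example-two.test", 5),
    PtrRecord("198.51.100.21", "mail.example-two.test", 6),
    PtrRecord("203.0.113.5", "mx.corp-mail.test", 0),   # long-established, never reported
]
SAMPLE_WHOIS = {
    "example-one.test": WhoisRecord("example-one.test", "REGISTRAR-A (placeholder)", date(2017, 11, 3)),
    "example-two.test": WhoisRecord("example-two.test", "REGISTRAR-A (placeholder)", date(2018, 1, 15)),
    "corp-mail.test": WhoisRecord("corp-mail.test", "REGISTRAR-B (placeholder)", date(2010, 5, 1)),
}
OBSERVATION_DATE = date(2018, 5, 31)   # constructed "today" for the age check


def registrable_domain(name: str) -> str:
    """Last two labels of a PTR name (simplification; real code should use the Public Suffix List)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def group_by_domain(records):
    """Bucket PTR records by registrable domain, each bucket sorted by numeric IP."""
    groups = defaultdict(list)
    for rec in records:
        groups[registrable_domain(rec.ptr)].append(rec)
    for bucket in groups.values():
        bucket.sort(key=lambda r: int(ip_address(r.ip)))
    return groups


def is_consecutive(records) -> bool:
    """Pattern 2: the IPs form an unbroken run."""
    ints = [int(ip_address(r.ip)) for r in records]
    return len(ints) > 1 and all(b - a == 1 for a, b in zip(ints, ints[1:]))


def apex_then_subdomains(records) -> bool:
    """Pattern 3: lowest IP carries domain.tld, the remaining IPs carry sub.domain.tld."""
    if len(records) < 2:
        return False
    first, rest = records[0], records[1:]
    return first.ptr.count(".") == 1 and all(r.ptr.count(".") == 2 for r in rest)


def score_domain(domain, records, whois, common_registrar, today, max_age_days=365):
    """Return the list of indicators (patterns 1-6 from the article) that match this domain."""
    findings = []
    if len(records) > 1:
        findings.append("multiple IPs")
    if is_consecutive(records):
        findings.append("consecutive IPs")
    if apex_then_subdomains(records):
        findings.append("apex then subdomain PTRs")
    if any(r.reports > 0 for r in records):
        findings.append("reported for mailing invalid recipients")  # evidence the hosts send mail
    rec = whois.get(domain)
    if rec is not None:
        if rec.registrar == common_registrar:
            findings.append("shared registrar")
        if (today - rec.created).days <= max_age_days:
            findings.append("recently registered")
    return findings


def assess(records, whois, today):
    """Score every domain seen in the PTR data; the most common registrar is the comparison point."""
    groups = group_by_domain(records)
    registrars = Counter(whois[d].registrar for d in groups if d in whois)
    common = registrars.most_common(1)[0][0] if registrars else None
    return {d: score_domain(d, g, whois, common, today) for d, g in groups.items()}


def flagged(assessment, min_indicators=4):
    """Domains worth a closer look: at least min_indicators patterns matched."""
    return sorted(d for d, f in assessment.items() if len(f) >= min_indicators)


if __name__ == "__main__":
    result = assess(SAMPLE_PTR, SAMPLE_WHOIS, OBSERVATION_DATE)
    for d in flagged(result):
        print(d, "->", ", ".join(result[d]))
```

The output is a list of indicators per domain rather than a verdict, matching the article's point that these patterns justify closer inspection rather than condemnation. The "shared registrar" check compares against the most common registrar in the data set, which is only meaningful when the set is drawn from one suspect netblock; across a whole provider's address space it would mostly reflect which registrar is popular.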

Side Note:
Speaking of WHOIS in this research, let’s take a small step back and mention something most readers are probably aware of; that is, we now live in a post-GDPR world. What this means is that points 5 and 6 above are among the few useful information fields left in this resource.

In the past we may have been able to find patterns in registrant details, such as all the domains having the same registrant, address, etc. Of course, this information can be faked, but whether the information is authentic or not does not matter in this case. As long as we see a pattern it may be another indicator of suspicious activity, however small its significance. For example, it has been mentioned quite often that when the privatization of registrant details became an option (pre-GDPR), ironically, the main adopters were the Spammers themselves. In a pre-GDPR world, if we were to see that every one of these domains had privatized registrant information, we could suspect that the registrant has something to hide.

The above 6 points should be enough information for a hosting provider to raise a red flag and inspect the IPs further. They most likely have the data to see whether similar behavioral patterns in the past (namely, new domains across multiple PTR records with mail servers) have a high probability of malicious behavior. What are the chances that a new domain, with no website or company information, requires multiple mail servers for a legitimate use? Solutions depend on many factors, though it is not something we will touch upon in this article.

As always, it is our opinion that the onus rests on the provider. We have been detecting the exact same activity from this network for a long time, and it seems like nothing has been done on their end even though the pattern is always the same. Our philosophy is that spam should be blocked before it gets a chance to reach any mail boxes. Action after the fact is not enough, especially in a case like this when the pattern of behavior is consistently the same. The hosting provider has more data to work with, which can aid in preventing future occurrences of this activity before it hits the tens to hundreds of thousands of mail boxes. Are we to blame the Spammers who behave this way, or the hosting providers who seemingly turn a blind eye to this blatant behavior? And what do you do when complaints to a provider go unanswered?

Stay tuned for a series on calling out certain hosting providers, and asking the pointed questions…

a) Are they profiting from known spamming behavior?
b) Are they simply turning a blind eye?
c) Are they unable to legitimately detect and/or stop this behavior?
d) Is spamming or affiliate email marketing from throwaway domains a legitimate use of IPv4 space (ARIN)?
e) If it is so easy to detect, why is law enforcement not all over the operators?

