Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Mail from legitimate webmail sources

Mail from legitimate webmail sources

  • Comments 1

For many years, I have tracked spam from botnets and reported on it on this blog. I have analyzed those botnets’ distribution patterns by number of IPs, number of messages per email envelope and geographical distribution.

While spam from botnets is interesting, and the main source of spam, it is not the only source of spam. What about spam that originates from the MAGY sources?

MAGY stands for Microsoft (Hotmail/Outlook.com), AOL, Google (Gmail) and Yahoo. Spammers create botnets that go out, sign up for accounts on these services and then send spam from them. This continues until the service shuts them down.

Spammers also compromise legitimate MAGY users’ accounts. However they acquire the passwords to these accounts, they subsequently log in and send spam until the user notices and changes their password.

In either case, this is known as reputation hijacking. Spammers are betting that spam filters will not IP block these accounts because it would cause too many false positives.

I’ve tracked mail from these four sources using the same scripts I use to track mail from botnets. I take the IPs in the service’s SPF record and then record how much mail comes from these accounts. Below are some graphs of the total mail (not spam) from these services. Is there anything we can determine from these mailing patterns?

Before we continue, there are some things I must point out:

  1. In August, my script that counts these things up crashed and died for a few days. I don’t know why this is, but it mysteriously fixed itself without any intervention on my part.

  2. I have not included the spam percentage in these figures. My goal is to only look at volume patterns.

  3. I have only included six months worth of data – March through August 2012.

With that out of the way, what can we say about mail from MAGY?  First up is Hotmail.

image

We can see that Hotmail uses a weekend sawtooth pattern – that is, during the week we see plenty of mail but it drops over the weekend. This means that most users are sending mail from Hotmail during the week but not on weekends.

Why is this?

It looks like people are sending from Hotmail at work but not from home on the weekends. Or possibly they do it at home but for some reason don’t send that much mail from Hotmail on the weekend.

Do people have better things to do than send email on weekends?

Next up is Yahoo, the same caveats as #1-3 apply here, too.

image

Yahoo has the same sawtooth pattern as Hotmail but we see a spike at the end of March that was not present with Hotmail, and a huge spike in early July.  These correspond to spam outbreaks (both in Yahoo and Hotmail). Whereas Hotmail had the spike near the end of the month, Yahoo’s was near the beginning.

However, just like Hotmail, people aren’t sending as much mail on the weekend.

Next up is Gmail. Below is their mail distribution sending to us:

image

Just like Hotmail and Yahoo, Gmail has the same sawtooth pattern. But unlike Gmail and Yahoo, there are no spiky blips aside from my script crashing. We haven’t seen any major spam campaigns from Gmail during this time.

Next is AOL:

image

As in the other three, there is the same sawtooth pattern, and a spiky blip in the middle of the Yahoo and Hotmail campaigns. This is evidence that spammers were rotating through those three services in July, but skipped Gmail. Interesting, the mail from AOL dropped off at the end of July and through the start of August but has since recovered.

So far, everyone pretty much looks the same. People send plenty of mail during the week but not so much on weekends. Weekends are roughly 35-40% the volume of weekdays.

But there is one exception to this pattern: Facebook. I collect statistics on mails from IPs on Facebook’s TXT record. Below is what Facebook looks like:

image

Aha!

The sawtooth pattern here does not exist.  Instead, it is very erratic but gradually increasing upward (that blip at the end looks ugly, doesn’t it?). The summer months are really where we saw the largest gains, which corresponds to school finished for that part of the year.

Unlike the sawtooth pattern of MAGY, Facebook doesn’t care about weekends very much. However, Facebook is not just about sending personal mail like Hotmail or Yahoo. Instead, Facebook sends you all sorts of notifications depending on your settings:

  • Someone sent you a private message on Facebook
  • Someone tagged you in a photo
  • Sometime invited you to Farmville, or you have to take action
  • And a bunch of others

But it doesn’t really matter what people are doing, all of their friends are logged onto Facebook during all the days of the week and doing stuff, and people are getting alerts about it. Whether or not they read all those alerts is another question.

But it does go to show that people use Facebook differently than they use their email accounts. Email is for certain times of the day, Facebook is for whenever.

Leave a Comment
  • Please add 8 and 2 and type the answer here:
  • Post
  • Yeah, Email has become a vital part of everyday life.

Page 1 of 1 (1 items)