For many years, I have tracked spam from botnets and reported on it. I have analyzed those botnets’ distribution patterns by number of IPs, number of messages per email envelope and geographical distribution.
While spam from botnets is interesting, and the main source of spam, it is not the only source of spam. What about spam that originates from the MAGY sources?
MAGY stands for Microsoft (Hotmail/Outlook.com), AOL, Google (Gmail) and Yahoo. Spammers create botnets that go out, sign up for accounts on these services and then send spam from them. This continues until the service shuts them down.
Spammers also compromise legitimate MAGY users’ accounts. Whatever method they use to acquire the password to these accounts, they subsequently log in and send spam until the user notices and changes their password.
In either case, this is known as reputation hijacking. Spammers are betting that spam filters will not IP block these accounts because it would cause too many false positives.
I’ve tracked mail from these four sources using the same scripts I use to track mail from botnets. I take the IPs in the service’s SPF record and then record how much mail comes from these accounts. Below are some graphs of the total mail (not spam) from these services. Is there anything we can determine from these mailing patterns?
Before we continue, there are some things I must point out:
With that out of the way, what can we say about mail from MAGY? First up is Hotmail.
We can see that Hotmail uses a weekend sawtooth pattern—that is, during the week we see plenty of mail but it drops over the weekend. This means that most users are sending mail from Hotmail during the week but not on weekends.
Why is this?
It looks like people are sending from Hotmail at work but not from home on the weekends. Or possibly they do it at home but for some reason don’t send that much mail from Hotmail on the weekend.
Do people have better things to do than send email on weekends?
Next up is Yahoo; the same caveats as #1-3 apply here, too.
Yahoo has the same sawtooth pattern as Hotmail but we see a spike at the end of March that was not present with Hotmail, and a huge spike in early July. These correspond to spam outbreaks (both in Yahoo and Hotmail). Whereas Hotmail had the spike near the end of the month, Yahoo’s was near the beginning.
However, just like Hotmail, people aren’t sending as much mail on the weekend.
Next up is Gmail. Below is their mail distribution sending to us:
Just like Hotmail and Yahoo, Gmail has the same sawtooth pattern. But unlike Hotmail and Yahoo, there are no spiky blips aside from my script crashing. We haven’t seen any major spam campaigns from Gmail during this time.
Next is AOL:
As in the other three, there is the same sawtooth pattern, and a spiky blip in the middle of the Yahoo and Hotmail campaigns. This is evidence that spammers were rotating through those three services in July, but skipped Gmail. Interestingly, the mail from AOL dropped off at the end of July and through the start of August but has since recovered.
So far, everyone pretty much looks the same. People send plenty of mail during the week but not so much on weekends. Weekends are roughly 35-40% the volume of weekdays.
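The measurement described above (take the IPs from a service's SPF record, attribute inbound mail to that service by client IP, and compare weekday to weekend volume) can be reproduced with a small script. The following is an added example, not the author's own tracking scripts; the domains, SPF records and log lines are constructed, and a dictionary stands in for DNS TXT lookups so it runs offline.

```python
import ipaddress
from datetime import datetime

# Constructed stand-in for DNS TXT lookups; these domains and records are
# hypothetical, not any real provider's SPF data.
FAKE_TXT = {
    "mail.example": "v=spf1 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

def spf_networks(domain, lookup=FAKE_TXT.get, depth=0):
    """Expand the ip4: and include: terms of an SPF record into IPv4 networks.
    RFC 7208 limits DNS-querying mechanisms to 10 per evaluation, so a deeper
    include chain is reported as an error rather than followed."""
    if depth > 10:
        raise ValueError("SPF include chain too deep for %s" % domain)
    record = lookup(domain) or ""
    nets = []
    if not record.startswith("v=spf1"):
        return nets
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], lookup, depth + 1))
    return nets

def daily_counts(log_lines, nets):
    """Messages per calendar day whose client IP falls inside `nets`.
    Every day present in the log gets an entry, so quiet days count as 0."""
    counts = {}
    for line in log_lines:
        stamp, ip = line.split()[:2]
        day = datetime.fromisoformat(stamp).date()
        counts.setdefault(day, 0)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            counts[day] += 1
    return counts

def weekend_ratio(counts):
    """Mean weekend-day volume divided by mean weekday volume, i.e. the depth
    of the sawtooth; the post reports roughly 0.35-0.40 for the MAGY services."""
    weekday = [c for d, c in counts.items() if d.weekday() < 5]
    weekend = [c for d, c in counts.items() if d.weekday() >= 5]
    if not weekday or not weekend or sum(weekday) == 0:
        return None
    return (sum(weekend) / len(weekend)) / (sum(weekday) / len(weekday))

# Constructed log sample, "<ISO timestamp> <client IP> <status>", for one week.
SAMPLE_LOG = [
    "2013-07-01T09:12:00 192.0.2.5 accepted",      # Monday
    "2013-07-01T14:40:00 192.0.2.77 accepted",     # Monday
    "2013-07-02T10:05:00 198.51.100.10 accepted",  # Tuesday
    "2013-07-02T11:30:00 192.0.2.9 accepted",      # Tuesday
    "2013-07-03T08:00:00 203.0.113.4 accepted",    # Wednesday, outside the SPF ranges
    "2013-07-06T12:00:00 192.0.2.5 accepted",      # Saturday
]
```

On the sample above, `weekend_ratio(daily_counts(SAMPLE_LOG, spf_networks("mail.example")))` gives 0.75; on a real feed the same per-day counts, split by spam verdict, would answer whether the sawtooth is legitimate mail or spam.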
But there is one exception to this pattern: Facebook. I collect statistics on mails from IPs on Facebook’s TXT record. Below is what Facebook looks like:
Aha!
The sawtooth pattern here does not exist. Instead, it is very erratic but gradually trending upward (that blip at the end looks ugly, doesn’t it?). The summer months are really where we saw the largest gains, which corresponds to school being out for that part of the year.
Unlike the sawtooth pattern of MAGY, Facebook doesn’t care about weekends very much. However, Facebook is not just about sending personal mail like Hotmail or Yahoo. Instead, Facebook sends you all sorts of notifications depending on your settings:
But it doesn’t really matter what people are doing, all of their friends are logged onto Facebook during all the days of the week and doing stuff, and people are getting alerts about it. Whether or not they read all those alerts is another question.
But it does go to show that people use Facebook differently than they use their email accounts. Email is for certain times of the day, Facebook is for whenever.
Something to look for: is there also an intra-day sawtooth pattern, high volume during the normal workday but not overnight? And is the sawtooth pattern legitimate mail, or is it dominated by spam?
I was thinking that one possible explanation is botnets running on workplace machines that are turned on during the workday Monday-Friday and turned off overnight and on weekends. That’d produce exactly the patterns you’re seeing, and would explain why Facebook lacks that sawtooth (it doesn’t use a standard e-mail protocol for its mail). But to figure that out you’d have to look at the types of mail being sent and compare non-spam vs. spam volumes.
A lot of people don’t do as much email on weekends; they do cookouts and drink beer, catch up on sleep, go out to see movies, whatever. So you’re certainly going to see far less email on weekends, even for freemail / personal mail services.
The sawtooth will be much more pronounced if you examine your Forefront mail sync / outbound mail patterns given your mostly corporate userbase.
Compare dates like the Super Bowl, long holiday weekends, etc., and you’ll see email use drop like a stone across those days as well.
Facebook - a lot of this access is from phones / tablets that have a Facebook app installed. They themselves send a ton of email from various apps, notifications etc., and weekend use will actually spike because people use fb to plan, say, a movie or dinner date.