December 2016 in Spamtraps: ESPs

ESP mail seen in spamtraps, December 2016

ESP mail seen in spamtraps, December 2016

This month’s theme is “Fake ESPs and Dyn”. Otherwise, it’s mostly the usual suspects, with the exception of AWeber making an entry at #10 with a make-money-fast spammer.

93% of what Dyn is sending this month has to do with mailer-lite.com, a domain name registered anonymously in October 2016. The choice of this domain name is offensive to a Lithuanian ESP who have, over the past year, made good progress in the anti-spam/compliance department, and who aren’t even showing up on the top 30. The DNS suggests another ESP, probably fraudulently as well:

$ host mailer-lite.com
mailer-lite.com is an alias for app.sendloop.com.

Sendloop is a Turkish/US ESP of Octeth, Inc., founded by Cem and Mert Hurturk. They have a proper anti-spam policy and are sending so little to our spamtraps as not even to show up in the top 100. It seems unlikely that the adult dating spammer is them, or has anything to do with them – other than perhaps a grudge for having been terminated for spamming?

I am worried that the recent acquisition of Dyn by Oracle does not bode well for Dyn’s abuse handling. The spam that is being sent is the same type as was seen from Dyn starting in October already: adult dating (fraud?), with subject lines such as “Du hast eine neue Nachricht von X erhalten!” (German for “you have received a new message from X”), “Profil von X” (German for “The profile of X”), “Du har fått ett nytt meddelande från X” (Swedish for “you have received a new message from X”), “She is just a cute girl looking for a fuckbuddy”, and “X wants to meet you”.

The percentage of ESP sent mail vs all mail seen in the spamtraps is 3.1%. The amount of ESP mail was up 5% from last month, with the total amount of mail down 20% from last month.

The top ten this month consists of the usual suspects aside from Dyn and AWeber. The edge Dyn had over everybody else has been dulled and they’re now only just behind SMC (by a percent of a percent). AWeber has an ongoing problem with make-money-fast spammers (to an extent, combined with new TLDs such as .xyz, .club, .press, but not limited to them) that, in retrospect, was already evident last month when they were bubbling under at #11.

Bubbling under this month: Rackspace Mailgun (2.1%), Sailthru (1.4%).

RATING PARTICIPANT PERCENTAGE NOTES MOST PROMINENT CUSTOMER
0 All others 38.0%
1 SalesForce Marketing Cloud 10.17% ExactTarget bathandbodyworks (<7%)
2 Dyn 10.16% mailer-lite.com (93%)
3 SendGrid 8.6% wish.com (4%)
4 Experian 7.4% Target (<11%)
5 MailChimp 6.8% 7% Mandrill, 93% MC proper kakimo.se (1.4%)
6 Amazon SES 4.4% VetUK.co.uk (17%)
7 Constant Contact 3.9% Advisor Perspectives (44%)
8 Oracle Marketing Cloud 3.6% Responsys, Eloqua and RightNow Nordstrom (12%)
9 IBM Marketing Cloud 2.6% Silverpop, Unica carfaxconsumer.net (13%)
10 AWeber 3.1% goodies.xyz (9%)

Here’s the “relative badness” graph. It’s still completely skewed because of Dyn, and of course Digital Metrics is doing their usual bit.

I’ve made some retroactive adjustments to the MySMTP entry. They stay in the place in the chart they would be in with the usual counting method, but the bar reflects a rather different reality.


For the purposes of drawing the graph, [a-z]+@[a-z]+webmail\.com counts as one customer (171 separate entries, condensed into one), [a-z]+@phone[a-z]+mail\.com counts as one (58), [a-z]+@phoneweb[a-z]+\.com counts as one (177), and since it is possible that these regexes have matches within all, the final count of ([a-z]+@([a-z]+webmail|phone[a-z]+mail|phoneweb[a-z]+)\.com) is only 348 (which is great because it’s smaller than the number of all separate customers; counting them all separate would have meant MySMTP has a number of separate customers that is less than zero). That makes MySMTP the worst ESP of all, not very successfully hiding behind snowshoe spamming. (And before you ask: the [a-z]+ before @ matched the following strings: info, mailer, newsletter, noreplay and no-replay, in roughly equal proportions.

Update: Of course I need to redo this to disregard the LHS and count domain names only. Apologies, Hans Jul. It’s bad, but it’s not that bad. A list of the domain names that do not match the regex above will be posted as a comment.

Average amount of messages per separate customer of ESP, December 2016

Average amount of messages per separate customer of ESP, December 2016

Finally, the “top spamming customers” table.

RATING CUSTOMER ESP % OF THIS ESP % OF ALL ESP MAIL IN SPAMTRAPS
1 mailer-lite.com (anonymous “adult dating” affiliate spammers) Dyn 93% 9.5%
2 Advisor Perspectives Constant Contact 44% 1.7%
3 VetUK.co.uk Amazon SES 17% 0.7%
4 Target Experian 10% 0.7%
5 bathandbodyworks.com Salesforce Marketing Cloud 7% 0.7%

2 Responses to December 2016 in Spamtraps: ESPs

  1. Appendix: list of MySMTP customer domains that do not match the “phoneWHATEVERmail”, “WHATEVERwebmail” and “phonewebWHATEVER” dot com regex. Snowshoe in plentiful evidence, but not quite as easy to turn into regexes.

    12346eu.xyz advmail.net agenziacertificata.com alanyafun.us amazingoffers247.com andersonandvines.com auditelroma.com aussie4u.co.uk aussqt.com austrate.us back-static.com back-turn.com beamtower.com beattheodds.today bestselection247.com blueskyclick.com calmdirectly.com chousernow.com christmastopia.com clearchannelmediagroup.com cleverdigital.com coffemedia.com comeplayop.com commodorebasic.com contactmail.eu course-fashion.com crazydeals247.com creekterm.com crewmood.com crusernow.com dakkd.com dataprocessweb.com delicate-sleek.com delicatesleek.com detailsbeam.com dm.dk drakula-esp.com e12-employment-hub.com e12-findemployers.net e12-findingajob.info earthandme.xyz earthsweeps.xyz easy-little.com economyevent.com emaillistfinder.com emailvalidation.eu e-mailwebmail.com essentialmarketing.co e-visa.us extremist-nation.com falsing.dk figure-shine.com figure-star.com financetopics.net firmcan.com forward-brands.com forward-market.com geniquia.com glide-beam.com glide-course.com glide-creek.com glidedelicate.com gradetour.com grade-track.com happyinamail.com hasamx.com hensleymedia.com hitechtopics.com housernow.com hr-insider.com huipputarjouxet.com humbledude.com hundredpercentbest.com id.apple.com info2app.com inviocelere.it itcontenthub.com itnextgentrends.com jeffzter.co.uk jefterz.com jhhda.com jjkkqqq.com journey-slip.com journey-team.com jp.org kattaauutiset-fi.com kavuei.com kridls.com late-banner.com lawmakercan.com lee.com letter-soft.com letterspan.com leveldirectly.com lokaleportalen.dk luckyno7.me mailcot.eu mailprix.net mailserver-ads.com mailservertoday.com mailverify.eu mailwart.net marketbrands-mb.com marketingtopics.com mausernow.com mediadry.com membercan.com midiscape.com milanoeditore.com mombioq.com more-shift.com morestill.com mousernow.com move-directly.com move-run.com move-shine.com movesleek.com move-stream.com msm.12deal.com my.stroll.com nationalamazingoffers.com nationalbestselection.com nationalpopularstuff.com nationcan.com nextpolish.com nextquickly.com nextraffle.com next-shine.com next-sleek.com nice-crew.com pairsimple.com pair-soon.com pausernow.com phonee-mailmail.com place-back.com planetamazing247.com polish-quickly.com polish-sleek.com promote-brands.com punditcan.com quicklystatic.com quickly-still.com quickly-tour.com quicklytower.com quickly-travel.com quicklyvelvet.com quickly-word.com realextatedesk.com redtz.dk rhodesweek.us roll-beam.com roll-creek.com roll-details.com roll-gloss.com sectorcan.com secure.brain-ware.com share-score.com share-soon.com sharestatic.com shine-glide.com shine-gloss.com shine-glow.com shopbeautiful.eu simple-shine.com skickanyhetsbrev.org sleek-beam.com sleekbeam.com sleekcreek.com sleek-move.com slickdealsplus.com soft-beam.com soft-details.com soft-next.com soft-proceed.com softquickly.com soft-sleek.com soon-more.com soonnice.com span-glide.com spanglide.com span-letter.com spanletter.com stream-sleek.com stream-talk.com streamterm.com style-beam.com style-course.com super-machine.com sverigesradio.se techleaderessentials.com technologyinsights.org term-creek.com termdelicate.com term-details.com termdetails.com theaussiepost.com thegapinthemiddle.com topdeal10.com toyouremail.com travelbirdsverige.se unignitable.top unioncan.com usercan.com usernowable.com usernowaholic.com usernowel.com usernowient.com usernowy.com venusmailtrack.com viewercan.com virksomhedslokaler.dk web-windows.com whitepapersdirect.net word-course.com word-move.com word-proceed.com word-quickly.com x-hamster.us

  2. Based on identical message subjects, the following customers are clearly one and the same:

    • aussqt.com dakkd.com hasamx.com humbledude.com jeffzter.co.uk jefterz.com jhhda.com jjkkqqq.com kavuei.com kridls.com mombioq.com theaussiepost.com

Leave a Reply

Go back to top