December 2016 in Spamtraps: ESPs

ESP mail seen in spamtraps, December 2016


This month’s theme is “Fake ESPs and Dyn”. Otherwise, it’s mostly the usual suspects, with the exception of AWeber making an entry at #10 with a make-money-fast spammer.

93% of what Dyn is sending this month has to do with, a domain name registered anonymously in October 2016. The choice of this domain name is offensive to a Lithuanian ESP who have, over the past year, made good progress in the anti-spam/compliance department, and who aren’t even showing up on the top 30. The DNS suggests another ESP, probably fraudulently as well:

$ host is an alias for

Sendloop is a Turkish/US ESP of Octeth, Inc., founded by Cem and Mert Hurturk. They have a proper anti-spam policy and are sending so little to our spamtraps as not even to show up in the top 100. It seems unlikely that the adult dating spammer is them, or has anything to do with them – other than perhaps a grudge for having been terminated for spamming?

I am worried that the recent acquisition of Dyn by Oracle does not bode well for Dyn’s abuse handling. The spam that is being sent is the same type as was seen from Dyn starting in October already: adult dating (fraud?), with subject lines such as “Du hast eine neue Nachricht von X erhalten!” (German for “you have received a new message from X”), “Profil von X” (German for “The profile of X”), “Du har fått ett nytt meddelande från X” (Swedish for “you have received a new message from X”), “She is just a cute girl looking for a fuckbuddy”, and “X wants to meet you”.

The percentage of ESP sent mail vs all mail seen in the spamtraps is 3.1%. The amount of ESP mail was up 5% from last month, with the total amount of mail down 20% from last month.

The top ten this month consists of the usual suspects aside from Dyn and AWeber. The edge Dyn had over everybody else has been dulled and they’re now only just behind SMC (by a percent of a percent). AWeber has an ongoing problem with make-money-fast spammers (to an extent, combined with new TLDs such as .xyz, .club, .press, but not limited to them) that, in retrospect, was already evident last month when they were bubbling under at #11.

Bubbling under this month: Rackspace Mailgun (2.1%), Sailthru (1.4%).

0 All others 38.0%
1 SalesForce Marketing Cloud 10.17% ExactTarget bathandbodyworks (<7%)
2 Dyn 10.16% (93%)
3 SendGrid 8.6% (4%)
4 Experian 7.4% Target (<11%)
5 MailChimp 6.8% 7% Mandrill, 93% MC proper (1.4%)
6 Amazon SES 4.4% (17%)
7 Constant Contact 3.9% Advisor Perspectives (44%)
8 Oracle Marketing Cloud 3.6% Responsys, Eloqua and RightNow Nordstrom (12%)
9 IBM Marketing Cloud 2.6% Silverpop, Unica (13%)
10 AWeber 3.1% (9%)

Here’s the “relative badness” graph. It’s still completely skewed because of Dyn, and of course Digital Metrics is doing their usual bit.

I’ve made some retroactive adjustments to the MySMTP entry. They stay in the place in the chart they would be in with the usual counting method, but the bar reflects a rather different reality.

For the purposes of drawing the graph, [a-z]+@[a-z]+webmail\.com counts as one customer (171 separate entries, condensed into one), [a-z]+@phone[a-z]+mail\.com counts as one (58), [a-z]+@phoneweb[a-z]+\.com counts as one (177), and since a single entry can match more than one of these regexes, the final count of ([a-z]+@([a-z]+webmail|phone[a-z]+mail|phoneweb[a-z]+)\.com) is only 348 (which is great because it’s smaller than the number of all separate customers; counting them all separate would have meant MySMTP has a number of separate customers that is less than zero). That makes MySMTP the worst ESP of all, not very successfully hiding behind snowshoe spamming. (And before you ask: the [a-z]+ before @ matched the following strings: info, mailer, newsletter, noreplay and no-replay, in roughly equal proportions.)

Update: Of course I need to redo this to disregard the LHS and count domain names only. Apologies, Hans Jul. It’s bad, but it’s not that bad. A list of the domain names that do not match the regex above will be posted as a comment.
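The overlap between the three regexes, and the domain-only count mentioned in the update, shown as an added example that is not part of the original post. The sender addresses are constructed, and `classify` and `summarize` are hypothetical helper names.

```python
import re

# The three patterns quoted in the post. They are unanchored, so re.search
# is used: "no-replay@..." matches through its "replay@..." suffix.
PATTERNS = {
    "webmail": re.compile(r"[a-z]+@[a-z]+webmail\.com"),
    "phone_mail": re.compile(r"[a-z]+@phone[a-z]+mail\.com"),
    "phoneweb": re.compile(r"[a-z]+@phoneweb[a-z]+\.com"),
}

def classify(sender):
    """Return the set of pattern names that match one sender address."""
    return {name for name, rx in PATTERNS.items() if rx.search(sender.lower())}

def summarize(senders):
    """Count matches three ways: per pattern, as a union, and by domain only."""
    senders = {s.strip().lower() for s in senders}
    hits = {s: classify(s) for s in senders}
    per_pattern = {n: sum(n in h for h in hits.values()) for n in PATTERNS}
    matched = [s for s, h in hits.items() if h]
    domains = {s.rsplit("@", 1)[1] for s in matched}
    return {
        "per_pattern": per_pattern,
        "sum_of_patterns": sum(per_pattern.values()),  # double-counts overlaps
        "union": len(matched),                         # each sender counted once
        "domains": len(domains),                       # LHS disregarded
    }

# Constructed sample data, not taken from the spamtrap feed.
SAMPLE = [
    "info@alphawebmail.com",         # webmail only
    "mailer@alphawebmail.com",       # same domain, different LHS
    "newsletter@phonebetamail.com",  # phone_mail only
    "noreplay@phonewebgamma.com",    # phoneweb only
    "no-replay@phonewebmail.com",    # matches all three patterns
    "info@phonexwebmail.com",        # matches webmail and phone_mail
    "info@example.org",              # matches none
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Summing the per-pattern counts overstates the total whenever a domain such as the constructed phonewebmail.com satisfies several patterns, and counting by domain collapses the rotating local parts into one entry per domain.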

Average amount of messages per separate customer of ESP, December 2016


Finally, the “top spamming customers” table.

1 (anonymous “adult dating” affiliate spammers) Dyn 93% 9.5%
2 Advisor Perspectives Constant Contact 44% 1.7%
3 Amazon SES 17% 0.7%
4 Target Experian 10% 0.7%
5 Salesforce Marketing Cloud 7% 0.7%

2 Responses to December 2016 in Spamtraps: ESPs

  1. Appendix: list of MySMTP customer domains that do not match the “phoneWHATEVERmail”, “WHATEVERwebmail” and “phonewebWHATEVER” dot com regex. Snowshoe in plentiful evidence, but not quite as easy to turn into regexes.

  2. Based on identical message subjects, the following customers are clearly one and the same:

